diff --git a/previews/PR235/.documenter-siteinfo.json b/previews/PR235/.documenter-siteinfo.json index 1be3bde29d..058cb0a6a3 100644 --- a/previews/PR235/.documenter-siteinfo.json +++ b/previews/PR235/.documenter-siteinfo.json @@ -1 +1 @@ -{"documenter":{"julia_version":"1.9.4","generation_timestamp":"2024-12-11T14:29:06","documenter_version":"1.3.0"}} \ No newline at end of file +{"documenter":{"julia_version":"1.9.4","generation_timestamp":"2024-12-12T08:20:22","documenter_version":"1.3.0"}} \ No newline at end of file diff --git a/previews/PR235/apidocs/apidocs/index.html b/previews/PR235/apidocs/apidocs/index.html index 0a9b486162..bc52879875 100644 --- a/previews/PR235/apidocs/apidocs/index.html +++ b/previews/PR235/apidocs/apidocs/index.html @@ -1,2 +1,2 @@ -API Documentation · metal-stack
+API Documentation · metal-stack
diff --git a/previews/PR235/development/client_libraries/index.html b/previews/PR235/development/client_libraries/index.html index cd4a8c6f24..a249847427 100644 --- a/previews/PR235/development/client_libraries/index.html +++ b/previews/PR235/development/client_libraries/index.html @@ -1,2 +1,2 @@ -Client Libraries · metal-stack
+Client Libraries · metal-stack
diff --git a/previews/PR235/development/contributing/index.html b/previews/PR235/development/contributing/index.html index 353696f10f..6e2a595add 100644 --- a/previews/PR235/development/contributing/index.html +++ b/previews/PR235/development/contributing/index.html @@ -1,2 +1,2 @@ -Contributing · metal-stack

Contributing

This document describes the way we want to contribute code to the projects of metal-stack, which are hosted on github.com/metal-stack.

The document is meant to be understood as a general guideline for contributions, but not as burden to be placed on a developer. Use your best judgment when contributing code. Try to be as clean and precise as possible when writing code and try to make your code as maintainable and understandable as possible for other people.

Even if it should go without saying, we live an open culture of discussion, in which everybody is welcome to participate. We treat every contribution with respect and objectiveness with the general aim to write software of quality.

If you want, feel free to propose changes to this document in a pull request.

How Can I Contribute?

Open a Github issue in the project you would like to contribute. Within the issue, your idea can be discussed. It is also possible to directly create a pull request when the set of changes is relatively small.

Pull Requests

The process described here has several goals:

  • Maintain quality
  • Enable a sustainable system to review contributions
  • Enable documented and reproducible addition of contributions
  1. Create a meaningful issue describing the WHY? of your contribution
  2. Create a repository fork within the context of that issue.
  3. Create a Draft Pull Request to the master branch of the target repository.
  4. Develop, document and test your contribution (try not to solve more than one issue in a single pull request)
  5. Ask for merging your contribution by removing the draft marker
  6. If code owners are defined, try to assign the request to a code owner

General Objectives

This section contains language-agnostic topics that all metal-stack projects are trying to follow.

Code Ownership

The code base is owned by the entire team and every member is allowed to contribute changes to any of the projects. This is considered as collective code ownership[1].

As a matter of fact, there are persons in a project, which already have experience with the sources. These are defined directly in the repository's CODEOWNERS file. If you want to merge changes into the master branch, it is advisable to include code owners into the process of discussion and merging.

Microservices

One major ambition of metal-stack is to follow the idea of microservices. This way, we want to achieve that we can

  • adapt to changes faster than with monolithic architectures,
  • be free of restrictions due to certain choices of technology,
  • leverage powerful traits of cloud infrastructures (e.g. high-scalability, high-availability, ...).

Programming Languages

We are generally open to write code in any language that fits best to the function of the software. However, we encourage golang to be the main language of metal-stack as we think that it makes development faster when not establishing too many different languages in our architecture. Reason for this is that we are striving for consistent behavior of the microservices, similar to what has been described for the Twelve-Factor App (see 12 Factor). We help enforcing unified behavior by allowing a small layer of shared code for every programming language. We will refer to this shared code as "libraries" for the rest of this document.

Artifacts

Artifacts are always produced by a CI process (Github Actions).

Docker images are published on the Github Container Registry of the metal-stack organization.

Binary artifacts or OS images can be uploaded to images.metal-stack.io if necessary.

When building Docker images, please consider our build tool docker-make or the specific docker-make action respectively.

APIs

We are currently making use of Swagger when we exposing traditional REST APIs for end-users. This helps us with being technology-agnostic as we can generate clients in almost any language using go-swagger. Swagger additionally simplifies the documentation of our APIs.

Most APIs though are not required to be user-facing but are of technical nature. These are preferred to be implemented using grpc.

Versioning

Artifacts are versioned by tagging the respective repository with a tag starting with the letter v. After the letter, there stands a valid semantic version.

Documentation

In order to make it easier for others to understand a project, we document general information and usage instructions in a README.md in any project.

In addition to that, we document a microservice in the docs repository. The documentation should contain the reasoning why this service exists and why it was being implemented the way it was being implemented. The aim of this procedure is to reduce the time for contributors to comprehend architectural decisions that were made during the process of writing the software and to clarify the general purpose of this service in the entire context of the software.

Guidelines

This chapter describes general guidelines on how to develop and contribute code for a certain programming language.

Golang

Development follows the official guide to:

Development Decisions

  • Dependency Management by using Go modules
  • Build and Test Automation by using GNU Make.
  • End-user APIs should consider using go-swagger and Go-Restful Technical APIs should consider using grpc

Libraries

metal-stack maintains several libraries that you should utilize in your project in order unify common behavior. Some of these projects are:

Error Handling with Generated Swagger Clients

From the server-side you should ensure that you are returning the common error json struct in case of an error as defined in the metal-lib/httperrors. Ensure you are using go-restful >= v2.9.1 and go-restful-openapi >= v0.13.1 (allows default responses with error codes other than 200).

Documentation

We want to share knowledge and keep things simple. If things cannot kept simple we want enable everybody to understand them by:

  • Document in short sentences[4].
  • Do not explain the HOW (this is already documented by your code and documenting the obvious is considered a defect).
  • Explain the WHY. Add a "to" in your documentation line to force yourself to explain the reasonning (e.g. "<THE WHAT> to <THE TO>").

Python

Development follows the official guide to:

  • Style Guide for Python Code (PEP 8)[5]
    • The use of an IDE like PyCharm helps to write compliant code easily
  • Consider setuptools for packaging
  • If you want to add a Python microservice to the mix, consider pyinstaller on Alpine to achieve small image sizes
+Contributing · metal-stack

Contributing

This document describes the way we want to contribute code to the projects of metal-stack, which are hosted on github.com/metal-stack.

The document is meant to be understood as a general guideline for contributions, but not as burden to be placed on a developer. Use your best judgment when contributing code. Try to be as clean and precise as possible when writing code and try to make your code as maintainable and understandable as possible for other people.

Even if it should go without saying, we live an open culture of discussion, in which everybody is welcome to participate. We treat every contribution with respect and objectiveness with the general aim to write software of quality.

If you want, feel free to propose changes to this document in a pull request.

How Can I Contribute?

Open a Github issue in the project you would like to contribute. Within the issue, your idea can be discussed. It is also possible to directly create a pull request when the set of changes is relatively small.

Pull Requests

The process described here has several goals:

  • Maintain quality
  • Enable a sustainable system to review contributions
  • Enable documented and reproducible addition of contributions
  1. Create a meaningful issue describing the WHY? of your contribution
  2. Create a repository fork within the context of that issue.
  3. Create a Draft Pull Request to the master branch of the target repository.
  4. Develop, document and test your contribution (try not to solve more than one issue in a single pull request)
  5. Ask for merging your contribution by removing the draft marker
  6. If code owners are defined, try to assign the request to a code owner

General Objectives

This section contains language-agnostic topics that all metal-stack projects are trying to follow.

Code Ownership

The code base is owned by the entire team and every member is allowed to contribute changes to any of the projects. This is considered as collective code ownership[1].

As a matter of fact, there are persons in a project, which already have experience with the sources. These are defined directly in the repository's CODEOWNERS file. If you want to merge changes into the master branch, it is advisable to include code owners into the process of discussion and merging.

Microservices

One major ambition of metal-stack is to follow the idea of microservices. This way, we want to achieve that we can

  • adapt to changes faster than with monolithic architectures,
  • be free of restrictions due to certain choices of technology,
  • leverage powerful traits of cloud infrastructures (e.g. high-scalability, high-availability, ...).

Programming Languages

We are generally open to write code in any language that fits best to the function of the software. However, we encourage golang to be the main language of metal-stack as we think that it makes development faster when not establishing too many different languages in our architecture. Reason for this is that we are striving for consistent behavior of the microservices, similar to what has been described for the Twelve-Factor App (see 12 Factor). We help enforcing unified behavior by allowing a small layer of shared code for every programming language. We will refer to this shared code as "libraries" for the rest of this document.

Artifacts

Artifacts are always produced by a CI process (Github Actions).

Docker images are published on the Github Container Registry of the metal-stack organization.

Binary artifacts or OS images can be uploaded to images.metal-stack.io if necessary.

When building Docker images, please consider our build tool docker-make or the specific docker-make action respectively.

APIs

We are currently making use of Swagger when we exposing traditional REST APIs for end-users. This helps us with being technology-agnostic as we can generate clients in almost any language using go-swagger. Swagger additionally simplifies the documentation of our APIs.

Most APIs though are not required to be user-facing but are of technical nature. These are preferred to be implemented using grpc.

Versioning

Artifacts are versioned by tagging the respective repository with a tag starting with the letter v. After the letter, there stands a valid semantic version.

Documentation

In order to make it easier for others to understand a project, we document general information and usage instructions in a README.md in any project.

In addition to that, we document a microservice in the docs repository. The documentation should contain the reasoning why this service exists and why it was being implemented the way it was being implemented. The aim of this procedure is to reduce the time for contributors to comprehend architectural decisions that were made during the process of writing the software and to clarify the general purpose of this service in the entire context of the software.

Guidelines

This chapter describes general guidelines on how to develop and contribute code for a certain programming language.

Golang

Development follows the official guide to:

Development Decisions

  • Dependency Management by using Go modules
  • Build and Test Automation by using GNU Make.
  • End-user APIs should consider using go-swagger and Go-Restful Technical APIs should consider using grpc

Libraries

metal-stack maintains several libraries that you should utilize in your project in order unify common behavior. Some of these projects are:

Error Handling with Generated Swagger Clients

From the server-side you should ensure that you are returning the common error json struct in case of an error as defined in the metal-lib/httperrors. Ensure you are using go-restful >= v2.9.1 and go-restful-openapi >= v0.13.1 (allows default responses with error codes other than 200).

Documentation

We want to share knowledge and keep things simple. If things cannot kept simple we want enable everybody to understand them by:

  • Document in short sentences[4].
  • Do not explain the HOW (this is already documented by your code and documenting the obvious is considered a defect).
  • Explain the WHY. Add a "to" in your documentation line to force yourself to explain the reasonning (e.g. "<THE WHAT> to <THE TO>").

Python

Development follows the official guide to:

  • Style Guide for Python Code (PEP 8)[5]
    • The use of an IDE like PyCharm helps to write compliant code easily
  • Consider setuptools for packaging
  • If you want to add a Python microservice to the mix, consider pyinstaller on Alpine to achieve small image sizes
diff --git a/previews/PR235/development/proposals/MEP1/README/index.html b/previews/PR235/development/proposals/MEP1/README/index.html index b49562599a..8f8e80c562 100644 --- a/previews/PR235/development/proposals/MEP1/README/index.html +++ b/previews/PR235/development/proposals/MEP1/README/index.html @@ -1,2 +1,2 @@ -Distributed Metal Control Plane · metal-stack

Distributed Metal Control Plane

Problem Statement

We face the situation that we argue for running bare metal on premise because this way the customers can control where and how their software and data are processed and stored. On the other hand, we have currently decided that our metal-api control plane components run on a kubernetes cluster (in our case on a cluster provided by one of the available hyperscalers).

Running the control plane on Kubernetes has the following benefits:

  • Ease of deployment
  • Get most, if not all, of the required infrastructure services like (probably incomplete):
    • IPs
    • DNS
    • L7-Loadbalancing
    • Storage
    • S3 Backup
    • High Availability

Using a kubernetes as a service offering from one of the hyperscalers, enables us to focus on using kubernetes instead of maintaining it as well.

Goal

It would be much saner if metal-stack has no, or only minimal dependencies to external services. Imagine a metal-stack deployment in a plant, it would be optimal if we only have to deliver a single rack with servers and networking gear installed and wired, plug that rack to the power supply and a internet uplink and its ready to go.

Have a second plant which you want to be part of all your plants? Just tell both that they are part of something bigger and metal-api knows of two partitions.

Possible Solutions

We can think of two different solutions to this vision:

  1. Keep the central control plane approach and require some sort of kubernetes deployment accessible from the internet. This has the downside that the user must, provide a managed kubernetes deployment in his own datacenter or uses a hyperscaler. Still not optimal.
  2. Install the metal-api and all its dependencies in every partition, replicate or shard the databases to every connected partition, make them know each other. Connect the partitions over the internet with some sort of vpn to make the services visible to each other.

As we can see, the first approach does not really address the problem, therefore i will describe solution #2 in more details.

Central/Current setup

Stateful services

Every distributed system suffer from handling state in a scalable, fast and correct way. To start how to cope with the state, we first must identify which state can be seen as partition local only and which state must be synchronous for read, and synchronous for writes across partitions.

Affected states:

  • masterdata: e.g. tenant and project must be present in every partition, but these are entities which are read often but updates are rare. A write can therefore be visible with a decent delay in a distinct partition with no consequences.
  • ipam: the prefixes and ip´s allocated from machines. These entities are also read often and rare updates. But we must differentiate between dirty reads for different types. A machine network is partition local, ips acquired from such a network must by synchronous in the same partition. Ips acquired from global networks such as internet must by synchronous for all partitions, as otherwise a internet ip could be acquired twice.
  • vrf ids: they must only be unique in one partition
  • image and size configurations: read often, written seldom, so no high requirements on the storage of these entities.
  • images: os images are already replicated from a central s3 storage to a per partition s3 service. metal-hammer kernel and initrd are small and pull always from the central s3, can be done similar to os images.
  • machine and machine allocation: must be only synchronous in the partition
  • switch: must be only synchronous in the partition
  • nsq messages: do not need to cross partition boundaries. No need to keep the messages persistent, even the opposite is true, we don't want to have the messages persist for a longer period.

Now we can see that the most critical state to held and synchronize are the IPAM data, because these entities must be guaranteed to be synchronously updated, while being updated frequently.

Datastores:

We use three different types of datastores to persist the states of the metal application.

  • rethinkdb is the main datastore for almost all entities managed by metal-api
  • postgresql is used for masterdata and ipam data.
  • nsq uses disk and memory tho store the messages.

Stateless services

These are the easy part, all of our services which are stateless can be scaled up and down without any impact on functionality. Even the stateful services like masterdata and metal-api rely fully on the underlying datastore and can therefore also be scaled up and down to meet scalability requirements.

Albeit, most of these services need to be placed behind a loadbalancer which does the L4/L7 balancing across the started/available replicas of the service for the clients talking to it. This is actually provided by kubernetes with either service type loadbalancer or type clusterip.

One exception is the metal-console service which must have the partition in it´s dns name now, because there is no direct network connectivity between the management networks of the partitions. See "Network Setup)

Distributed setup

State

In order to replicate certain data which must be available across all partitions we can use on of the existing open source databases which enable such kind of setup. There are a few available out there, the following incomplete list will highlight the pro´s and cons of each.

  • RethinkDB

    We already store most of our data in RethinkDB and it gives already the ability to synchronize the data in a distributed manner with different guarantees for consistency and latency. This is described here: Scaling, Sharding and replication. But because rethinkdb has a rough history and unsure future with the last release took more than a year, we in the team already thought that we eventually must move away from rethinkdb in the future.

  • Postgresql

    Postgres does not have a multi datacenter with replication in both directions, it just can make the remote instance store the same data.

  • CockroachDB

    Is a Postgresql compatible database engine on the wire. CockroachDB gives you both, ACID and geo replication with writes allowed from all connected members. It is even possible to configure Follow the Workload and Geo Partitioning and Replication.

If we migrate all metal-api entities to be stored the same way we store masterdata, we could use cockroachdb to store all metal entities in one ore more databases spread across all partitions and still ensure consistency and high availability.

A simple setup how this would look like is shown here.

Simple CockroachDB setup

go-ipam was modified in a example PR here: PR 17

API Access

In order to make the metal-api accessible for api users like cloud-api or metalctl as easy at it is today, some effort has to be taken. One possible approach would be to use a external loadbalancer which spread the requests evenly to all metal-api endpoints in all partitions. Because all data are accessible from all partitions, a api request going to partition A with a request to create a machine in partition B, will still work. If on the other hand partition B is not in a connected state because the interconnection between both partitions is broken, then of course the request will fail.

IMPORTANT The NSQ Message to inform metal-core must end in the correct partition

To provide such a external loadbalancer we have several opportunities:

  • Cloudflare or comparable CDN service.
  • BGP Anycast from every partition

Another setup would place a small gateway behind the metal-api address, which forwards to the metal-api in the partition where the request must be executed. This gateway, metal-api-router must inspect the payload, extract the desired partition, and forward the request without any modifications to the metal-api endpoint in this partition. This can be done for all requests, or if we want to optimize, only for write accesses.

Network setup

In order to have the impact to the overall security concept as minimal as possible i would not modify the current network setup. The only modifications which has to be made are:

  • Allow https ingress traffic to all metal-api instances.
  • Allow ssh ingress traffic to all metal-console instances.
  • Allow CockroachDB Replication between all partitions.
  • No NSQ traffic from outside required anymore, except we cant solve the topic above.

A simple setup how this would look like is shown here, this does not work though because of the forementioned NSQ issue.

API and Console Access

Therefore we need the metal-api-router:

Working API and Console Access

Deployment

The deployment of our components will substantially differ in a partition compared to a the deployment we have actually. Deploying it in kubernetes in the partition would be very difficult to achieve because we have no sane way to deploy kubernetes on physical machines without a underlying API. I would therefore suggest to deploy our components in the same way we do that for the services running on the management server. Use systemd to start docker containers.

Deployment

+Distributed Metal Control Plane · metal-stack

Distributed Metal Control Plane

Problem Statement

We face the situation that we argue for running bare metal on premise because this way the customers can control where and how their software and data are processed and stored. On the other hand, we have currently decided that our metal-api control plane components run on a kubernetes cluster (in our case on a cluster provided by one of the available hyperscalers).

Running the control plane on Kubernetes has the following benefits:

  • Ease of deployment
  • Get most, if not all, of the required infrastructure services like (probably incomplete):
    • IPs
    • DNS
    • L7-Loadbalancing
    • Storage
    • S3 Backup
    • High Availability

Using a kubernetes as a service offering from one of the hyperscalers, enables us to focus on using kubernetes instead of maintaining it as well.

Goal

It would be much saner if metal-stack has no, or only minimal dependencies to external services. Imagine a metal-stack deployment in a plant, it would be optimal if we only have to deliver a single rack with servers and networking gear installed and wired, plug that rack to the power supply and a internet uplink and its ready to go.

Have a second plant which you want to be part of all your plants? Just tell both that they are part of something bigger and metal-api knows of two partitions.

Possible Solutions

We can think of two different solutions to this vision:

  1. Keep the central control plane approach and require some sort of kubernetes deployment accessible from the internet. This has the downside that the user must, provide a managed kubernetes deployment in his own datacenter or uses a hyperscaler. Still not optimal.
  2. Install the metal-api and all its dependencies in every partition, replicate or shard the databases to every connected partition, make them know each other. Connect the partitions over the internet with some sort of vpn to make the services visible to each other.

As we can see, the first approach does not really address the problem, therefore i will describe solution #2 in more details.

Central/Current setup

Stateful services

Every distributed system suffer from handling state in a scalable, fast and correct way. To start how to cope with the state, we first must identify which state can be seen as partition local only and which state must be synchronous for read, and synchronous for writes across partitions.

Affected states:

  • masterdata: e.g. tenant and project must be present in every partition, but these are entities which are read often but updates are rare. A write can therefore be visible with a decent delay in a distinct partition with no consequences.
  • ipam: the prefixes and ip´s allocated from machines. These entities are also read often and rare updates. But we must differentiate between dirty reads for different types. A machine network is partition local, ips acquired from such a network must by synchronous in the same partition. Ips acquired from global networks such as internet must by synchronous for all partitions, as otherwise a internet ip could be acquired twice.
  • vrf ids: they must only be unique in one partition
  • image and size configurations: read often, written seldom, so no high requirements on the storage of these entities.
  • images: os images are already replicated from a central s3 storage to a per partition s3 service. metal-hammer kernel and initrd are small and pull always from the central s3, can be done similar to os images.
  • machine and machine allocation: must be only synchronous in the partition
  • switch: must be only synchronous in the partition
  • nsq messages: do not need to cross partition boundaries. No need to keep the messages persistent, even the opposite is true, we don't want to have the messages persist for a longer period.

Now we can see that the most critical state to held and synchronize are the IPAM data, because these entities must be guaranteed to be synchronously updated, while being updated frequently.

Datastores:

We use three different types of datastores to persist the states of the metal application.

  • rethinkdb is the main datastore for almost all entities managed by metal-api
  • postgresql is used for masterdata and ipam data.
  • nsq uses disk and memory tho store the messages.

Stateless services

These are the easy part, all of our services which are stateless can be scaled up and down without any impact on functionality. Even the stateful services like masterdata and metal-api rely fully on the underlying datastore and can therefore also be scaled up and down to meet scalability requirements.

Albeit, most of these services need to be placed behind a loadbalancer which does the L4/L7 balancing across the started/available replicas of the service for the clients talking to it. This is actually provided by kubernetes with either service type loadbalancer or type clusterip.

One exception is the metal-console service which must have the partition in it´s dns name now, because there is no direct network connectivity between the management networks of the partitions. See "Network Setup)

Distributed setup

State

In order to replicate certain data which must be available across all partitions we can use on of the existing open source databases which enable such kind of setup. There are a few available out there, the following incomplete list will highlight the pro´s and cons of each.

  • RethinkDB

    We already store most of our data in RethinkDB and it gives already the ability to synchronize the data in a distributed manner with different guarantees for consistency and latency. This is described here: Scaling, Sharding and replication. But because rethinkdb has a rough history and unsure future with the last release took more than a year, we in the team already thought that we eventually must move away from rethinkdb in the future.

  • Postgresql

    Postgres does not have a multi datacenter with replication in both directions, it just can make the remote instance store the same data.

  • CockroachDB

    Is a Postgresql compatible database engine on the wire. CockroachDB gives you both, ACID and geo replication with writes allowed from all connected members. It is even possible to configure Follow the Workload and Geo Partitioning and Replication.

If we migrate all metal-api entities to be stored the same way we store masterdata, we could use cockroachdb to store all metal entities in one ore more databases spread across all partitions and still ensure consistency and high availability.

A simple setup how this would look like is shown here.

Simple CockroachDB setup

go-ipam was modified in a example PR here: PR 17

API Access

In order to make the metal-api accessible for api users like cloud-api or metalctl as easy at it is today, some effort has to be taken. One possible approach would be to use a external loadbalancer which spread the requests evenly to all metal-api endpoints in all partitions. Because all data are accessible from all partitions, a api request going to partition A with a request to create a machine in partition B, will still work. If on the other hand partition B is not in a connected state because the interconnection between both partitions is broken, then of course the request will fail.

IMPORTANT The NSQ Message to inform metal-core must end in the correct partition

To provide such a external loadbalancer we have several opportunities:

  • Cloudflare or comparable CDN service.
  • BGP Anycast from every partition

Another setup would place a small gateway behind the metal-api address, which forwards to the metal-api in the partition where the request must be executed. This gateway, metal-api-router must inspect the payload, extract the desired partition, and forward the request without any modifications to the metal-api endpoint in this partition. This can be done for all requests, or if we want to optimize, only for write accesses.

Network setup

In order to have the impact to the overall security concept as minimal as possible i would not modify the current network setup. The only modifications which has to be made are:

  • Allow https ingress traffic to all metal-api instances.
  • Allow ssh ingress traffic to all metal-console instances.
  • Allow CockroachDB Replication between all partitions.
  • No NSQ traffic from outside required anymore, except we cant solve the topic above.

A simple setup how this would look like is shown here, this does not work though because of the forementioned NSQ issue.

API and Console Access

Therefore we need the metal-api-router:

Working API and Console Access

Deployment

The deployment of our components will substantially differ in a partition compared to a the deployment we have actually. Deploying it in kubernetes in the partition would be very difficult to achieve because we have no sane way to deploy kubernetes on physical machines without a underlying API. I would therefore suggest to deploy our components in the same way we do that for the services running on the management server. Use systemd to start docker containers.

Deployment

diff --git a/previews/PR235/development/proposals/MEP10/README/index.html b/previews/PR235/development/proposals/MEP10/README/index.html index 3ae74ec454..056482e07b 100644 --- a/previews/PR235/development/proposals/MEP10/README/index.html +++ b/previews/PR235/development/proposals/MEP10/README/index.html @@ -84,4 +84,4 @@ "mgmtVrfEnabled": "true" } } -}

IP forwarding is deactivated on eth0, and no IP Masquerade is configured.

+}

IP forwarding is deactivated on eth0, and no IP Masquerade is configured.

diff --git a/previews/PR235/development/proposals/MEP11/README/index.html b/previews/PR235/development/proposals/MEP11/README/index.html index 921d4a97c9..e36dbccf06 100644 --- a/previews/PR235/development/proposals/MEP11/README/index.html +++ b/previews/PR235/development/proposals/MEP11/README/index.html @@ -1,2 +1,2 @@ -Auditing of metal-stack resources · metal-stack

Auditing of metal-stack resources

Currently no logs of the ownership of resources like machines, networks, ips and volumes are generated or kept. Though due to legal requirements data centers are required to keep track of this ownership over time to prevent liability issues when opening the platform for external users.

In this proposal we want to introduce a flexible and low-maintenance approach for auditing on top of Meilisearch.

Overview

In general our auditing logs will be collected by a request interceptor or middleware. Every request and response will be processed and eventually logged to Meilisearch. Meilisearch will be configured to regularly create chunks of the auditing logs. These finished chunks will be backed up to a S3 compatible storage with a read-only option enabled.

Of course sensitive data like session keys or passwords will be redacted before logging. We want to track relevant requests and responses. If auditing the request fails, the request itself will be aborted and will not be processed further. The requests and responses that will be audited will be annotated with a correlation id.

Transferring the meilisearch auditing data chunks to the S3 compatible storage will be done by a sidecar cronjob that is executed periodically. To avoid data manipulation the S3 compatible storage will be configured to be read-only.

Whitelisting

To reduce the amount of unnecessary logs we want to introduce a whitelist of resources and operations on those that should be logged. Other requests will be passed directly to the next middleware or web service without any further processing.

As we are only interested in mutating endpoints, we ignore all GET requests. The whitelist includes all POST, PUT, PATCH and DELETE endpoints of the HTTP middleware except for the following (non-manipulating) route suffixes:

  • /find
  • /notify
  • /try and /match
  • /capacity
  • /from-hardware

Regarding GRPC audit trails, they are not so interesting because only internal clients are using this API. However, we can log the trails of the Boot service, which can be interesting to revise the machine lifecycle.

Chunking in Meilisearch

We want our data to be chunked in Meilisearch. To accomplish this, we rotate the index identifier on a scheduled basis. The index identifiers will be derived from the current date and time.

To keep things simple, we only support hourly, daily and monthly rotation. The eventually prefixed index names will only include relevant parts of date and time like 2021-01, 2021-01-01 or 2021-01-01_13.

The metal-api will only write to the current index and switches to the new index on rotation. The metal-api will never read or update data in any indices.

Moving chunks to S3 compatible storage

As Meilisearch will be filled with data over time, we want to move completed chunks to a S3 compatible storage. This will be done by a sidecar cronjob that is executed periodically. Note that the periods of the index rotation and the cronjob execution don't have to match.

When the backup process gets started, it initiates a Meilisearch dump of the whole database across all indices. Once the returned task is finished, the dump must be copied from a Meilisearch volume to the S3 compatible storage. After a successful copy, the dump can be deleted.

Now we want to remove all indices from Meilisearch, except the most recent one. For this, we get all indices, sort them and delete each index except the most recent one to avoid data loss.

For the actual implementation, we can build upon backup-restore-sidecar. But due to the index rotation and the fact, that older indices need to be deleted, this probably does not fit into the mentioned sidecar.

S3 compatible storage

The dumps of chunks should automatically deleted after a certain amount of time, once we are either no longer allowed or required to keep them. The default retention time will be 6 months. Ideally already uploaded chunks should be read-only to prevent data manipulation.

A candidate for the S3 compatible storage is Google Cloud Storage, which allows to configure automatic expiration of objects through a lifecycle rule.

Affected components

  • metal-api grpc server needs an auditing interceptor
  • metal-api web server needs an auditing filter chain / middleware
  • metal-api needs new command line arguments to configure the auditing
  • mini-lab needs a Meilisearch instance
  • mini-lab may need a local S3 compatible storage
  • we need a sidecar to implement the backup to S3 compatible storage
  • Consider auditing of volume allocations and freeings outside of metal-stack

Alternatives considered

Instead of using Meilisearch we investigated using an immutable database like immudb. But immudb does not support chunking of data and due to its immutable nature, we will never be able to free up space of expired data. Even if we are legally allowed or required to delete data, we will not be able to do so with immudb.

In another variant of the Meilisearch approach the metal-api would also be responsible for copying chunks to the S3 compatible storage and deleting old indices. But separating the concerns allows completely different implementations for every deployment stage.

+Auditing of metal-stack resources · metal-stack

Auditing of metal-stack resources

Currently no logs of the ownership of resources like machines, networks, ips and volumes are generated or kept. Though due to legal requirements data centers are required to keep track of this ownership over time to prevent liability issues when opening the platform for external users.

In this proposal we want to introduce a flexible and low-maintenance approach for auditing on top of Meilisearch.

Overview

In general our auditing logs will be collected by a request interceptor or middleware. Every request and response will be processed and eventually logged to Meilisearch. Meilisearch will be configured to regularly create chunks of the auditing logs. These finished chunks will be backed up to a S3 compatible storage with a read-only option enabled.

Of course sensitive data like session keys or passwords will be redacted before logging. We want to track relevant requests and responses. If auditing the request fails, the request itself will be aborted and will not be processed further. The requests and responses that will be audited will be annotated with a correlation id.

Transferring the meilisearch auditing data chunks to the S3 compatible storage will be done by a sidecar cronjob that is executed periodically. To avoid data manipulation the S3 compatible storage will be configured to be read-only.

Whitelisting

To reduce the amount of unnecessary logs we want to introduce a whitelist of resources and operations on those that should be logged. Other requests will be passed directly to the next middleware or web service without any further processing.

As we are only interested in mutating endpoints, we ignore all GET requests. The whitelist includes all POST, PUT, PATCH and DELETE endpoints of the HTTP middleware except for the following (non-manipulating) route suffixes:

  • /find
  • /notify
  • /try and /match
  • /capacity
  • /from-hardware

Regarding GRPC audit trails, they are not so interesting because only internal clients are using this API. However, we can log the trails of the Boot service, which can be interesting to revise the machine lifecycle.

Chunking in Meilisearch

We want our data to be chunked in Meilisearch. To accomplish this, we rotate the index identifier on a scheduled basis. The index identifiers will be derived from the current date and time.

To keep things simple, we only support hourly, daily and monthly rotation. The eventually prefixed index names will only include relevant parts of date and time like 2021-01, 2021-01-01 or 2021-01-01_13.

The metal-api will only write to the current index and switches to the new index on rotation. The metal-api will never read or update data in any indices.

Moving chunks to S3 compatible storage

As Meilisearch will be filled with data over time, we want to move completed chunks to a S3 compatible storage. This will be done by a sidecar cronjob that is executed periodically. Note that the periods of the index rotation and the cronjob execution don't have to match.

When the backup process gets started, it initiates a Meilisearch dump of the whole database across all indices. Once the returned task is finished, the dump must be copied from a Meilisearch volume to the S3 compatible storage. After a successful copy, the dump can be deleted.

Now we want to remove all indices from Meilisearch, except the most recent one. For this, we get all indices, sort them and delete each index except the most recent one to avoid data loss.

For the actual implementation, we can build upon backup-restore-sidecar. But due to the index rotation and the fact, that older indices need to be deleted, this probably does not fit into the mentioned sidecar.

S3 compatible storage

The dumps of chunks should automatically deleted after a certain amount of time, once we are either no longer allowed or required to keep them. The default retention time will be 6 months. Ideally already uploaded chunks should be read-only to prevent data manipulation.

A candidate for the S3 compatible storage is Google Cloud Storage, which allows to configure automatic expiration of objects through a lifecycle rule.

Affected components

  • metal-api grpc server needs an auditing interceptor
  • metal-api web server needs an auditing filter chain / middleware
  • metal-api needs new command line arguments to configure the auditing
  • mini-lab needs a Meilisearch instance
  • mini-lab may need a local S3 compatible storage
  • we need a sidecar to implement the backup to S3 compatible storage
  • Consider auditing of volume allocations and freeings outside of metal-stack

Alternatives considered

Instead of using Meilisearch we investigated using an immutable database like immudb. But immudb does not support chunking of data and due to its immutable nature, we will never be able to free up space of expired data. Even if we are legally allowed or required to delete data, we will not be able to do so with immudb.

In another variant of the Meilisearch approach the metal-api would also be responsible for copying chunks to the S3 compatible storage and deleting old indices. But separating the concerns allows completely different implementations for every deployment stage.

diff --git a/previews/PR235/development/proposals/MEP12/README/index.html b/previews/PR235/development/proposals/MEP12/README/index.html index 6b83a78088..d67d0ccf8f 100644 --- a/previews/PR235/development/proposals/MEP12/README/index.html +++ b/previews/PR235/development/proposals/MEP12/README/index.html @@ -4,4 +4,4 @@ type MachineAllocation struct { // existing fields are omitted for readability PlacementTags []string `json:"placement_tags" description:"by default machines are spread across the racks inside a partition for every project. if placement tags are provided, the machine candidate has an additional anti-affinity to other machines having the same tags"` -} +} diff --git a/previews/PR235/development/proposals/MEP12/partitioning/index.html b/previews/PR235/development/proposals/MEP12/partitioning/index.html index 09cf245101..52f5c17262 100644 --- a/previews/PR235/development/proposals/MEP12/partitioning/index.html +++ b/previews/PR235/development/proposals/MEP12/partitioning/index.html @@ -1,2 +1,2 @@ -Multi-Partition-Layout · metal-stack

marp: true theme: metal-stack paginate: true footer: Gerrit Schwerthelm – x-cellent technologies GmbH — metal-stack Training backgroundImage: url("https://metal-stack.io/images/shape/banner.png") –- <!– _class: cover lead –>

h:200px


<!– _class: cover lead –>

Multi-Partition-Layout


<!– _class: lead _backgroundColor: #1f1f1f _backgroundImage: _footer: "" –> bg contain


<!– _class: lead _backgroundColor: #1f1f1f _backgroundImage: _footer: "" –> bg contain


<style>section { font-size: 30px; }</style>

Multi-Partition-Layout Properties

  • Fully independent locations with own storage and own node networks
  • Clusters can only be created independent in every location
    • Failover mechanism for deployed applications requires duplicated deployments, which can serve independently
    • Failover through BGP
  • If cluster nodes are spread across partitions (not implemented yet), nodes will not be able to reach each other
    • Would require an overlay network for inter-node-communication

<!– _class: cover lead –>

Single-Partition-Layout


<!– _class: lead _backgroundColor: #1f1f1f _backgroundImage: _footer: "" –> bg contain


<style>section { font-size: 30px; }</style>

Single-Partition-Layout Properties

  • Multiple groups of racks at multiple locations but connected to same CLOS topology
  • All racks can connect to the same storage network
  • Nodes in private networks can communicate
  • When creating a cluster, nodes will be randomly spread across the racks
    • Possible improvement of this situation, see MEP-12: Rack Spreading

MEP-12: Rack Spreading

  • Instead of selecting a machine from a machine pool randomly
  • Get all existing machines in the same project and count to which rack they belong
  • Place machine on the rack with the least amount of machines already allocated
  • Best effort only
+Multi-Partition-Layout · metal-stack

marp: true theme: metal-stack paginate: true footer: Gerrit Schwerthelm – x-cellent technologies GmbH — metal-stack Training backgroundImage: url("https://metal-stack.io/images/shape/banner.png") –- <!– _class: cover lead –>

h:200px


<!– _class: cover lead –>

Multi-Partition-Layout


<!– _class: lead _backgroundColor: #1f1f1f _backgroundImage: _footer: "" –> bg contain


<!– _class: lead _backgroundColor: #1f1f1f _backgroundImage: _footer: "" –> bg contain


<style>section { font-size: 30px; }</style>

Multi-Partition-Layout Properties

  • Fully independent locations with own storage and own node networks
  • Clusters can only be created independent in every location
    • Failover mechanism for deployed applications requires duplicated deployments, which can serve independently
    • Failover through BGP
  • If cluster nodes are spread across partitions (not implemented yet), nodes will not be able to reach each other
    • Would require an overlay network for inter-node-communication

<!– _class: cover lead –>

Single-Partition-Layout


<!– _class: lead _backgroundColor: #1f1f1f _backgroundImage: _footer: "" –> bg contain


<style>section { font-size: 30px; }</style>

Single-Partition-Layout Properties

  • Multiple groups of racks at multiple locations but connected to same CLOS topology
  • All racks can connect to the same storage network
  • Nodes in private networks can communicate
  • When creating a cluster, nodes will be randomly spread across the racks
    • Possible improvement of this situation, see MEP-12: Rack Spreading

MEP-12: Rack Spreading

  • Instead of selecting a machine from a machine pool randomly
  • Get all existing machines in the same project and count to which rack they belong
  • Place machine on the rack with the least amount of machines already allocated
  • Best effort only
diff --git a/previews/PR235/development/proposals/MEP14/README/index.html b/previews/PR235/development/proposals/MEP14/README/index.html index a73926f283..133a893cec 100644 --- a/previews/PR235/development/proposals/MEP14/README/index.html +++ b/previews/PR235/development/proposals/MEP14/README/index.html @@ -1,2 +1,2 @@ -Independence from external sources · metal-stack

Independence from external sources

In certain situations some customers may need to operate and create machines without making use of external services like DNS or NTP through the internet. To make this possible, all metal-stack components reaching external services need to be configurable with custom endpoints.

So far, the following components have been identified as requiring changes:

  • pixiecore
  • metal-hammer
  • metal-images

More components are likely to be added to the list during processing. For DNS and NTP servers it should be possible to provide default values within a partition. They can either be inherited from machines and firewalls or overwritten with own ones.

pixiecore

A NTP server endpoint need to be configured on the pixiecore. This can be achieved by providing it through environment variables on start up.

metal-hammer

If using a self-deployed NTP server, also the metal-hammer need to be configured with it. For backward compatibility, default values from pool.ntp.org and time.google.com are used.

metal-images

Configurations for the metal-images are different for machines and firewalls.

metalctl

In order to pass DNS and NTP servers to partitions and machines while creating them, the flags dnsservers and ntpservers need to be added.

The implementation of this MEP will make metal-stack possible to create and maintain machines without requiring an internet connection.

+Independence from external sources · metal-stack

Independence from external sources

In certain situations some customers may need to operate and create machines without making use of external services like DNS or NTP through the internet. To make this possible, all metal-stack components reaching external services need to be configurable with custom endpoints.

So far, the following components have been identified as requiring changes:

  • pixiecore
  • metal-hammer
  • metal-images

More components are likely to be added to the list during processing. For DNS and NTP servers it should be possible to provide default values within a partition. They can either be inherited from machines and firewalls or overwritten with own ones.

pixiecore

A NTP server endpoint need to be configured on the pixiecore. This can be achieved by providing it through environment variables on start up.

metal-hammer

If using a self-deployed NTP server, also the metal-hammer need to be configured with it. For backward compatibility, default values from pool.ntp.org and time.google.com are used.

metal-images

Configurations for the metal-images are different for machines and firewalls.

metalctl

In order to pass DNS and NTP servers to partitions and machines while creating them, the flags dnsservers and ntpservers need to be added.

The implementation of this MEP will make metal-stack possible to create and maintain machines without requiring an internet connection.

diff --git a/previews/PR235/development/proposals/MEP2/README/index.html b/previews/PR235/development/proposals/MEP2/README/index.html index e28cbae688..c20814db1d 100644 --- a/previews/PR235/development/proposals/MEP2/README/index.html +++ b/previews/PR235/development/proposals/MEP2/README/index.html @@ -1,2 +1,2 @@ -Two Factor Authentication · metal-stack
+Two Factor Authentication · metal-stack
diff --git a/previews/PR235/development/proposals/MEP3/README/index.html b/previews/PR235/development/proposals/MEP3/README/index.html index ea4d4577b8..f988bd6e1a 100644 --- a/previews/PR235/development/proposals/MEP3/README/index.html +++ b/previews/PR235/development/proposals/MEP3/README/index.html @@ -1,2 +1,2 @@ -Machine Re-Installation · metal-stack

Machine Re-Installation

In the current metal-api only machine installations are possible, performing a machine upgrade is only possible by creating a new machine and delete the old one. This has the drawback that in case a lot of data is stored on the local disks, a full restore of the original data must be performed.

To prevent this, we will introduce a new metal-api endpoint to reinstall the machine with a new image, without actually deleting the data stored on the additional hard disks.

Storage is a difficult task to get right and reliable. A short analysis of our different storage requirements lead to 3 different scenarios.

  • Storage for the etcd pvs in the seed cluster of every partition. This is the most important storage in our setup because these etcd pods serve as configuration backend for all customer kubernetes clusters. If they fail, the cluster is down. However gardener deploys a backup and restore sidecar into the etcd pod of every customer kubernetes control plane, and if this sidecar detects a corrupt or missing etcd database file(s) it starts automatic restore from the configured backup location. This will take some minutes. If for example a node dies, and gardener creates a new node instead, the csi-lvm created pv is not present on that node. Kubernetes will not schedule the missing etcd pod on this node because it has a local PV configured and is therefore tainted to run only on that node. To let kubernetes create that pod anyhow, someone has to either remove the taint, or delete the pod. If this is done, the pod starts and the restore of the etcd data can start as well. You can see this is a bit too complicated and will take the customer cluster down for a while (not measured yet but in the range of 5-10 minutes).
  • Storage in customer clusters. This was not promised in 2020. We have a intermediate solution with the provisioning of csi-lvm by default into all customer clusters. Albeit this is only local storage and will get deleted if a node dies.
  • S3 Storage. We have two possibilities to cope with storage:
    • In place update of the OS with a daemonset This will be fast and simple, but might fail because the packages being installed are broken right now, or a filesystem gets full, or any other failure you can think of during a os update. Another drawback is that metal-api does not reflect the updated os image.
    • metal-api get a machine reinstall endpoint With this approach we leverage from existing and already proven mechanisms. Reinstall must keep all data except the sata-dom. Gardener currently is not able to do an update with this approach because it can only do rolling updates. Therefore a additional osupdatestrategy has to be implemented for metal and other providers in gardener to be able to leverage the metal reinstall on the same machineID approach.

If reinstall is implemented, we should focus on the same technology for all scenarios and put ceph via rook.io into the kubernetes clusters as additional StorageClass. It has to be checked whether to use the raw disk or a PV as the underlay block device where ceph stores its data.

API and behavior

The API will get an new endpoint "reinstall" this endpoint takes two arguments:

  • machineID
  • image

No other aspects of the machine can be modified during the re-installation. All data stored in the existing allocation will be preserved, only the image will be modified. Once this endpoint was called, the machine will get a reboot signal with the boot order set to PXE instead of HDD and the network interfaces on the leaf are set to PXE as well. Then the normal installation process starts:

  • unchanged: PXE boot with metal-hammer
  • changed: metal-hammer first checks with the machineID in the metal-api (through metal-core) if there is already a allocation present
  • changed: if a allocation is present and the allocation has set reinstall: true, wipe disk is only executed for the root disk, all other disks are untouched.
  • unchanged: the specified image is downloaded and burned, /install.sh is executed
  • unchanged: successful installation is reported back, network is set the the vrf, boot order is set to HDD.
  • unchanged: distribution kernel is booted via kexec

We can see that the allocation requires one additional parameter: reinstall and metal-hammer must check for already existing allocation at an earlier stage.

Components which requires modifications (first guess):

  • metal-hammer:
    • check for allocation present earlier
    • evaluation of reinstall flag set
    • wipe of disks depends on that flag
    • Bonus: move configuration of disk layout and primary disk detection algorithm (PDDA) from metal-hammer into metal-api. metal-api MUST reject reinstallation if the disk found by PDDA does not have the /etc/metal directory!
  • metal-core:
    • probably nothing
  • metal-api:
    • new endpoint /machine/reinstall
    • add Reinstall bool to data model of allocation
    • make sure to reset Reinstall after reinstallation to prevent endless reinstallation loop
  • metalctl:
    • implement reinstall
  • metal-go:
    • implement reinstall
  • gardener (longterm):
    • add the OSUpgradeStrategy reinstall
+Machine Re-Installation · metal-stack

Machine Re-Installation

In the current metal-api only machine installations are possible, performing a machine upgrade is only possible by creating a new machine and delete the old one. This has the drawback that in case a lot of data is stored on the local disks, a full restore of the original data must be performed.

To prevent this, we will introduce a new metal-api endpoint to reinstall the machine with a new image, without actually deleting the data stored on the additional hard disks.

Storage is a difficult task to get right and reliable. A short analysis of our different storage requirements lead to 3 different scenarios.

  • Storage for the etcd pvs in the seed cluster of every partition. This is the most important storage in our setup because these etcd pods serve as configuration backend for all customer kubernetes clusters. If they fail, the cluster is down. However gardener deploys a backup and restore sidecar into the etcd pod of every customer kubernetes control plane, and if this sidecar detects a corrupt or missing etcd database file(s) it starts automatic restore from the configured backup location. This will take some minutes. If for example a node dies, and gardener creates a new node instead, the csi-lvm created pv is not present on that node. Kubernetes will not schedule the missing etcd pod on this node because it has a local PV configured and is therefore tainted to run only on that node. To let kubernetes create that pod anyhow, someone has to either remove the taint, or delete the pod. If this is done, the pod starts and the restore of the etcd data can start as well. You can see this is a bit too complicated and will take the customer cluster down for a while (not measured yet but in the range of 5-10 minutes).
  • Storage in customer clusters. This was not promised in 2020. We have a intermediate solution with the provisioning of csi-lvm by default into all customer clusters. Albeit this is only local storage and will get deleted if a node dies.
  • S3 Storage. We have two possibilities to cope with storage:
    • In place update of the OS with a daemonset This will be fast and simple, but might fail because the packages being installed are broken right now, or a filesystem gets full, or any other failure you can think of during a os update. Another drawback is that metal-api does not reflect the updated os image.
    • metal-api get a machine reinstall endpoint With this approach we leverage from existing and already proven mechanisms. Reinstall must keep all data except the sata-dom. Gardener currently is not able to do an update with this approach because it can only do rolling updates. Therefore a additional osupdatestrategy has to be implemented for metal and other providers in gardener to be able to leverage the metal reinstall on the same machineID approach.

If reinstall is implemented, we should focus on the same technology for all scenarios and put ceph via rook.io into the kubernetes clusters as additional StorageClass. It has to be checked whether to use the raw disk or a PV as the underlay block device where ceph stores its data.

API and behavior

The API will get an new endpoint "reinstall" this endpoint takes two arguments:

  • machineID
  • image

No other aspects of the machine can be modified during the re-installation. All data stored in the existing allocation will be preserved, only the image will be modified. Once this endpoint was called, the machine will get a reboot signal with the boot order set to PXE instead of HDD and the network interfaces on the leaf are set to PXE as well. Then the normal installation process starts:

  • unchanged: PXE boot with metal-hammer
  • changed: metal-hammer first checks with the machineID in the metal-api (through metal-core) if there is already a allocation present
  • changed: if a allocation is present and the allocation has set reinstall: true, wipe disk is only executed for the root disk, all other disks are untouched.
  • unchanged: the specified image is downloaded and burned, /install.sh is executed
  • unchanged: successful installation is reported back, network is set the the vrf, boot order is set to HDD.
  • unchanged: distribution kernel is booted via kexec

We can see that the allocation requires one additional parameter: reinstall and metal-hammer must check for already existing allocation at an earlier stage.

Components which requires modifications (first guess):

  • metal-hammer:
    • check for allocation present earlier
    • evaluation of reinstall flag set
    • wipe of disks depends on that flag
    • Bonus: move configuration of disk layout and primary disk detection algorithm (PDDA) from metal-hammer into metal-api. metal-api MUST reject reinstallation if the disk found by PDDA does not have the /etc/metal directory!
  • metal-core:
    • probably nothing
  • metal-api:
    • new endpoint /machine/reinstall
    • add Reinstall bool to data model of allocation
    • make sure to reset Reinstall after reinstallation to prevent endless reinstallation loop
  • metalctl:
    • implement reinstall
  • metal-go:
    • implement reinstall
  • gardener (longterm):
    • add the OSUpgradeStrategy reinstall
diff --git a/previews/PR235/development/proposals/MEP4/README/index.html b/previews/PR235/development/proposals/MEP4/README/index.html index 5015cc8898..97714f46d6 100644 --- a/previews/PR235/development/proposals/MEP4/README/index.html +++ b/previews/PR235/development/proposals/MEP4/README/index.html @@ -11,4 +11,4 @@ └─╴08b9114b-ec47-4697-b402-a11421788dc6 test 793bb6cd-8b46-479d-9209-0fedca428fe1 fra-equ01 false false 10.128.64.0/22  ● underlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ●
  • The user does not see any machines yet.

    $ metalctl machine ls
  • The user can create a machine.

    $ metalctl machine create --networks internet,08b9114b-ec47-4697-b402-a11421788dc6 --name test --hostname test --image ubuntu-20.04 --partition fra-equ01 --size c1-xlarge-x86`
  • The machine will now be provisioned.

    $ metalctl machine ls
     ID                                     LAST EVENT      WHEN    AGE      HOSTNAME   PROJECT                                 SIZE            IMAGE                   PARTITION
    -00000000-0000-0000-0000-ac1f6b7befb2   Phoned Home     20s     50d 4h   test       793bb6cd-8b46-479d-9209-0fedca428fe1    c1-xlarge-x86   Ubuntu 20.04 20210415   fra-equ01
  • Warning

    A user cannot list all allocated machines for all projects. The user must always switch project context first and can only view the machines inside this project. Only admins can see all machines at once.

    Scopes for Resources

    The admins / operators of the metal-stack should be able to provide global resources that users are able to use along with their own resources. In particular, users can view and use global resources, but they are not allowed to create, modify or delete them.

    Info

    When a project ID field is empty on a resource, the resource is considered global.

    Where possible, users should be capable of creating their own resource entities.

    ResourceUserGlobal
    File System Layoutyesyes
    Firewallyes
    Firmwareyes
    OS Imageyes
    Machineyes
    Network (Base)yes
    Network (Children)yes
    IPyes
    Partitionyes
    Projectyes
    Project Tokenyes
    Sizeyes
    Switch
    Tenantyes
    Info

    Example: A user can make use of the file system layouts provided by the admins, but can also create own layouts. Same applies for images. As soon as a user creates own resources, the user takes over the responsibility for the machine provisioning to succeed.

    +00000000-0000-0000-0000-ac1f6b7befb2 Phoned Home 20s 50d 4h test 793bb6cd-8b46-479d-9209-0fedca428fe1 c1-xlarge-x86 Ubuntu 20.04 20210415 fra-equ01
    Warning

    A user cannot list all allocated machines for all projects. The user must always switch project context first and can only view the machines inside this project. Only admins can see all machines at once.

    Scopes for Resources

    The admins / operators of the metal-stack should be able to provide global resources that users are able to use along with their own resources. In particular, users can view and use global resources, but they are not allowed to create, modify or delete them.

    Info

    When a project ID field is empty on a resource, the resource is considered global.

    Where possible, users should be capable of creating their own resource entities.

    ResourceUserGlobal
    File System Layoutyesyes
    Firewallyes
    Firmwareyes
    OS Imageyes
    Machineyes
    Network (Base)yes
    Network (Children)yes
    IPyes
    Partitionyes
    Projectyes
    Project Tokenyes
    Sizeyes
    Switch
    Tenantyes
    Info

    Example: A user can make use of the file system layouts provided by the admins, but can also create own layouts. Same applies for images. As soon as a user creates own resources, the user takes over the responsibility for the machine provisioning to succeed.

    diff --git a/previews/PR235/development/proposals/MEP5/README/index.html b/previews/PR235/development/proposals/MEP5/README/index.html index 4e4d08c12f..38759180e8 100644 --- a/previews/PR235/development/proposals/MEP5/README/index.html +++ b/previews/PR235/development/proposals/MEP5/README/index.html @@ -1,2 +1,2 @@ -Shared Networks · metal-stack

    Shared Networks

    Why are shared networks needed

    For special purpose machines that serve shared services with performance critical workloads to all machines of a partition (like persistent storage) it would be good to have kind of a "shared network" that is easily accessible. They do not necessarily need another firewall. This would avoid having two firewalls in the datapath between a machine in a private network and the machines of a shared service.

    Constraints that need to hold

    • a shared network is usable from all machines that have a firewall in front, that uses it
    • a shared network is only usable within a single partition (currently we are constrained in bandwidth and have no routing of 10.0.0.0/8 addresses btw. partitions and failure domain should be the partition but this constraint might get lifted in the future)
    • networks may be marked as shared after network allocation (but there should be no way back from shared to unshared)
    • neither machines nor firewalls may have multiple private, unshared networks configured
    • machines must have a single primary network configured
      • this might be a shared network
      • OR a plain, unshared private network
    • firewalls may participate in multiple shared networks
    • machines can be allocated with a primary network using auto IP allocation or with noauto and a specific IP

    Should shared networks be private

    Alternative 1: If we implemented shared networks by extending functions around plain, private networks we would not have to manage another CIDR (mini point) and it would be possible to create a k8s cluster with a private network, mark the network as shared and produce shared services from this k8s cluster.

    Alternative 2: If shared networks are implemented as first class networks we could customize the VRF and also accomplish an other goal of our roadmap: being able to create machines directly in an external network.

    Together with @majst01 and @Gerrit91 we decided to continue to implement Alternative 1.

    Firewalls accessing a shared network

    Firewalls that access shared networks need to:

    • hide the private network behind an ip address of the shared network if the shared network was configured with nat=true.
    • import the prefixes of the shared VRF to the private VRF and import the prefixes of the private VRF to the shared VRF so that the communication between the two is working in both directions. As long as no nat=true was set on the shared VRF, the original machine ips are visible in both communication directions.

    Setup with shared networks and single consumer

    Simple Setup

    Setup with single shared network and multiple consumers

    Advanced Setup

    Getting internet access

    Machines contained in a shared network can access the internet with different scenarios:

    • if they have an own firewall: this is internet accessibility, as common (check whether all traffic gets routed through it!)
    • if they don't have an own firewall, an external HTTP proxy is needed that has an endpoint exposed as Service Type NodePort
    +Shared Networks · metal-stack

    Shared Networks

    Why are shared networks needed

    For special purpose machines that serve shared services with performance critical workloads to all machines of a partition (like persistent storage) it would be good to have kind of a "shared network" that is easily accessible. They do not necessarily need another firewall. This would avoid having two firewalls in the datapath between a machine in a private network and the machines of a shared service.

    Constraints that need to hold

    • a shared network is usable from all machines that have a firewall in front, that uses it
    • a shared network is only usable within a single partition (currently we are constrained in bandwidth and have no routing of 10.0.0.0/8 addresses btw. partitions and failure domain should be the partition but this constraint might get lifted in the future)
    • networks may be marked as shared after network allocation (but there should be no way back from shared to unshared)
    • neither machines nor firewalls may have multiple private, unshared networks configured
    • machines must have a single primary network configured
      • this might be a shared network
      • OR a plain, unshared private network
    • firewalls may participate in multiple shared networks
    • machines can be allocated with a primary network using auto IP allocation or with noauto and a specific IP

    Should shared networks be private

    Alternative 1: If we implemented shared networks by extending functions around plain, private networks we would not have to manage another CIDR (mini point) and it would be possible to create a k8s cluster with a private network, mark the network as shared and produce shared services from this k8s cluster.

    Alternative 2: If shared networks are implemented as first class networks we could customize the VRF and also accomplish an other goal of our roadmap: being able to create machines directly in an external network.

    Together with @majst01 and @Gerrit91 we decided to continue to implement Alternative 1.

    Firewalls accessing a shared network

    Firewalls that access shared networks need to:

    • hide the private network behind an ip address of the shared network if the shared network was configured with nat=true.
    • import the prefixes of the shared VRF to the private VRF and import the prefixes of the private VRF to the shared VRF so that the communication between the two is working in both directions. As long as no nat=true was set on the shared VRF, the original machine ips are visible in both communication directions.

    Setup with shared networks and single consumer

    Simple Setup

    Setup with single shared network and multiple consumers

    Advanced Setup

    Getting internet access

    Machines contained in a shared network can access the internet with different scenarios:

    • if they have an own firewall: this is internet accessibility, as common (check whether all traffic gets routed through it!)
    • if they don't have an own firewall, an external HTTP proxy is needed that has an endpoint exposed as Service Type NodePort
    diff --git a/previews/PR235/development/proposals/MEP6/README/index.html b/previews/PR235/development/proposals/MEP6/README/index.html index a88da0d69c..8d4bffdaff 100644 --- a/previews/PR235/development/proposals/MEP6/README/index.html +++ b/previews/PR235/development/proposals/MEP6/README/index.html @@ -35,4 +35,4 @@ vrfshared: false nat: true shared: true # it's usable from multiple projects -underlay: false

    DMZ firewall

    The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet.

    Application Firewall

    The firewall of application workloads intersects its private network for attached machines and the DMZ network.

    Code Changes / Implications

    Decision

    We decided to follow the second approach with private DMZ networks.

    +underlay: false

    DMZ firewall

    The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet.

    Application Firewall

    The firewall of application workloads intersects its private network for attached machines and the DMZ network.

    Code Changes / Implications

    Decision

    We decided to follow the second approach with private DMZ networks.

    diff --git a/previews/PR235/development/proposals/MEP8/README/index.html b/previews/PR235/development/proposals/MEP8/README/index.html index c62617ab8f..c483ba9ed7 100644 --- a/previews/PR235/development/proposals/MEP8/README/index.html +++ b/previews/PR235/development/proposals/MEP8/README/index.html @@ -364,4 +364,4 @@ - device: "/dev/nvmne0n1" wipeonreinstall: false - device: "/dev/nvmne0n2" - wipeonreinstall: false

    Components which requires modifications

    + wipeonreinstall: false

    Components which requires modifications

    diff --git a/previews/PR235/development/proposals/MEP9/README/index.html b/previews/PR235/development/proposals/MEP9/README/index.html index 55127d9034..13e4bc2b1a 100644 --- a/previews/PR235/development/proposals/MEP9/README/index.html +++ b/previews/PR235/development/proposals/MEP9/README/index.html @@ -10,4 +10,4 @@ Status: Boolean field tailscale: Version: Actual version - ...

    bmc-reverse-proxy

    TODO

    References

    1. WireGuard: Next Generation Secure Network Tunnel
    2. How Tailscale works
    3. Tailscale is officially SOC 2 compliant
    4. Why not Wireguard
    5. Wireguard: Known Limitations
    6. Wireguard: Things That Might Be Accomplished
    7. Headscale: Tailscale control protocol v2
    + ...

    bmc-reverse-proxy

    TODO

    References

    1. WireGuard: Next Generation Secure Network Tunnel
    2. How Tailscale works
    3. Tailscale is officially SOC 2 compliant
    4. Why not Wireguard
    5. Wireguard: Known Limitations
    6. Wireguard: Things That Might Be Accomplished
    7. Headscale: Tailscale control protocol v2
    diff --git a/previews/PR235/development/proposals/index.html b/previews/PR235/development/proposals/index.html index 62ade2b896..fd6d936d1f 100644 --- a/previews/PR235/development/proposals/index.html +++ b/previews/PR235/development/proposals/index.html @@ -1,2 +1,2 @@ -Enhancement Proposals · metal-stack

    Metal Stack Enhancement Proposals (MEPs)

    This section contains proposals which address substantial modifications to metal-stack.

    Every proposal has a short name which starts with MEP followed by an incremental, unique number. Proposals should be raised as pull requests in the docs repository and can be discussed in Github issues.

    The list of proposal and their current state is listed in the table below.

    Possible states are:

    • In Discussion
    • Accepted
    • Declined
    • In Progress
    • Completed
    • Aborted

    Once a proposal was accepted, an issue should be raised and the implementation should be done in a separate PR.

    NameDescriptionState
    MEP-1Distributed Control Plane DeploymentIn Discussion
    MEP-2Two Factor AuthenticationAborted
    MEP-3Machine Re-Installation to preserve local dataCompleted
    MEP-4Multi-tenancy for the metal-apiIn Discussion
    MEP-5Shared NetworksCompleted
    MEP-6DMZ NetworksCompleted
    MEP-8Configurable FilesystemlayoutCompleted
    MEP-9No Open Ports To the Data CenterCompleted
    MEP-10SONiC SupportCompleted
    MEP-11Auditing of metal-stack resourcesCompleted
    MEP-12Rack SpreadingCompleted
    MEP-14Independence from external sourcesIn Discussion
    +Enhancement Proposals · metal-stack

    Metal Stack Enhancement Proposals (MEPs)

    This section contains proposals which address substantial modifications to metal-stack.

    Every proposal has a short name which starts with MEP followed by an incremental, unique number. Proposals should be raised as pull requests in the docs repository and can be discussed in Github issues.

    The list of proposal and their current state is listed in the table below.

    Possible states are:

    • In Discussion
    • Accepted
    • Declined
    • In Progress
    • Completed
    • Aborted

    Once a proposal was accepted, an issue should be raised and the implementation should be done in a separate PR.

    NameDescriptionState
    MEP-1Distributed Control Plane DeploymentIn Discussion
    MEP-2Two Factor AuthenticationAborted
    MEP-3Machine Re-Installation to preserve local dataCompleted
    MEP-4Multi-tenancy for the metal-apiIn Discussion
    MEP-5Shared NetworksCompleted
    MEP-6DMZ NetworksCompleted
    MEP-8Configurable FilesystemlayoutCompleted
    MEP-9No Open Ports To the Data CenterCompleted
    MEP-10SONiC SupportCompleted
    MEP-11Auditing of metal-stack resourcesCompleted
    MEP-12Rack SpreadingCompleted
    MEP-14Independence from external sourcesIn Discussion
    diff --git a/previews/PR235/development/roadmap/index.html b/previews/PR235/development/roadmap/index.html index 9cb5e6c9f7..463ce5ee9a 100644 --- a/previews/PR235/development/roadmap/index.html +++ b/previews/PR235/development/roadmap/index.html @@ -1,2 +1,2 @@ -Roadmap · metal-stack

    Roadmap

    A roadmap with short-, mid- and long-term planning will be available soon. For now, there is only a backlog.

    Short-term

    Available soon.

    Mid-term

    Available soon.

    Long-term

    Available soon.

    Backlog

    The backlog contains ideas of what could become part of the roadmap in the future. The list is ordered alphabetically. Therefore, the order does not express the importance or weight of a backlog item.

    We incorporate community feedback into the roadmap. If you think that important points are missing in the backlog, please share your ideas with us. We have a Slack channel. Please check out metal-stack.io for contact information.

    Danger

    By no means this list is a promise of what is being worked on in the near future. It is just a summary of ideas that was agreed on to be "nice to have". It is up to the investors, maintainers and the community to choose topics from this list and to implement them or to remove them from the list.

    • Add metal-stack to Gardener conformance test grid
    • Autoscaler for metal control plane components
    • CI dashboard and public integration testing
    • Cilium as the default CNI for metal-stack on Gardener K8s clusters
    • Improved release and deploy processes (GitOps, Spinnaker, Flux)
    • Machine internet without firewalls
    • metal-stack dashboard (UI)
    • Offer our metal-stack extensions as enterprise products (accounting, cluster-api, S3) (neither of them will ever be required for running metal-stack, they just add extra value for certain enterprises)
    • Partition managed by Kubernetes (with Kubelets joining the control plane cluster)
    • Public offering / demo playground
    • Resource scoping in the metal-api (MEP-4)
    • Service / API tokens (for scoped technical user access)
    +Roadmap · metal-stack

    Roadmap

    A roadmap with short-, mid- and long-term planning will be available soon. For now, there is only a backlog.

    Short-term

    Available soon.

    Mid-term

    Available soon.

    Long-term

    Available soon.

    Backlog

    The backlog contains ideas of what could become part of the roadmap in the future. The list is ordered alphabetically. Therefore, the order does not express the importance or weight of a backlog item.

    We incorporate community feedback into the roadmap. If you think that important points are missing in the backlog, please share your ideas with us. We have a Slack channel. Please check out metal-stack.io for contact information.

    Danger

    By no means this list is a promise of what is being worked on in the near future. It is just a summary of ideas that was agreed on to be "nice to have". It is up to the investors, maintainers and the community to choose topics from this list and to implement them or to remove them from the list.

    • Add metal-stack to Gardener conformance test grid
    • Autoscaler for metal control plane components
    • CI dashboard and public integration testing
    • Cilium as the default CNI for metal-stack on Gardener K8s clusters
    • Improved release and deploy processes (GitOps, Spinnaker, Flux)
    • Machine internet without firewalls
    • metal-stack dashboard (UI)
    • Offer our metal-stack extensions as enterprise products (accounting, cluster-api, S3) (neither of them will ever be required for running metal-stack, they just add extra value for certain enterprises)
    • Partition managed by Kubernetes (with Kubelets joining the control plane cluster)
    • Public offering / demo playground
    • Resource scoping in the metal-api (MEP-4)
    • Service / API tokens (for scoped technical user access)
    diff --git a/previews/PR235/external/csi-driver-lvm/CONTRIBUTING/index.html b/previews/PR235/external/csi-driver-lvm/CONTRIBUTING/index.html index 17561a3fdc..34f7d9dd93 100644 --- a/previews/PR235/external/csi-driver-lvm/CONTRIBUTING/index.html +++ b/previews/PR235/external/csi-driver-lvm/CONTRIBUTING/index.html @@ -1,2 +1,2 @@ -Contributing · metal-stack
    +Contributing · metal-stack
    diff --git a/previews/PR235/external/csi-driver-lvm/README/index.html b/previews/PR235/external/csi-driver-lvm/README/index.html index c70b1e4d54..7341c28f0a 100644 --- a/previews/PR235/external/csi-driver-lvm/README/index.html +++ b/previews/PR235/external/csi-driver-lvm/README/index.html @@ -13,4 +13,4 @@ kubectl delete -f examples/csi-pvc.yaml

    Development

    In order to run the integration tests locally, you need to create to loop devices on your host machine. Make sure the loop device mount paths are not used on your system (default path is /dev/loop10{0,1}).

    You can create these loop devices like this:

    for i in 100 101; do fallocate -l 1G loop${i}.img ; sudo losetup /dev/loop${i} loop${i}.img; done
     sudo losetup -a
     # use this for recreation or cleanup
    -# for i in 100 101; do sudo losetup -d /dev/loop${i}; rm -f loop${i}.img; done

    You can then run the tests against a kind cluster, running:

    make test

    To recreate or cleanup the kind cluster:

    make test-cleanup

    Page Tree

    +# for i in 100 101; do sudo losetup -d /dev/loop${i}; rm -f loop${i}.img; done

    You can then run the tests against a kind cluster, running:

    make test

    To recreate or cleanup the kind cluster:

    make test-cleanup

    Page Tree

    diff --git a/previews/PR235/external/firewall-controller/CONTRIBUTING/index.html b/previews/PR235/external/firewall-controller/CONTRIBUTING/index.html index a94b9e4efd..4cd154cbca 100644 --- a/previews/PR235/external/firewall-controller/CONTRIBUTING/index.html +++ b/previews/PR235/external/firewall-controller/CONTRIBUTING/index.html @@ -1,2 +1,2 @@ -Contributing · metal-stack
    +Contributing · metal-stack
    diff --git a/previews/PR235/external/firewall-controller/DEVELOP/index.html b/previews/PR235/external/firewall-controller/DEVELOP/index.html index ff3beb821c..43136b17a7 100644 --- a/previews/PR235/external/firewall-controller/DEVELOP/index.html +++ b/previews/PR235/external/firewall-controller/DEVELOP/index.html @@ -18,4 +18,4 @@ # watch results k describe -n firewall firewall cat nftables.v4 -cat hosts +cat hosts diff --git a/previews/PR235/external/firewall-controller/README/index.html b/previews/PR235/external/firewall-controller/README/index.html index 71198d9233..9e6601af18 100644 --- a/previews/PR235/external/firewall-controller/README/index.html +++ b/previews/PR235/external/firewall-controller/README/index.html @@ -122,4 +122,4 @@ droptailer-6d556bd988-4g8gp droptailer 2020-06-17 13:23:30 +0000 UTC {"DPT":"650","DST":"1.2.3.4","ID":"12399","IN":"vrf104009","LEN":"40","MAC":"ca:41:f9:80:fa:89:aa:bb:0e:62:8c:a6:08:00","OUT":"vlan179","PREC":"0x00","PROTO":"TCP","RES":"0x00","SPT":"40194","SRC":"2.3.4.5","SYN":"","TOS":"0x00","TTL":"241","URGP":"0","WINDOW":"1024","timestamp":"2020-06-17 13:23:30 +0000 UTC"} droptailer-6d556bd988-4g8gp droptailer 2020-06-17 13:23:34 +0000 UTC {"DPT":"2362","DST":"1.2.3.4","ID":"44545","IN":"vrf104009","LEN":"40","MAC":"ca:41:f9:80:fa:89:aa:bb:0e:62:8c:a6:08:00","OUT":"","PREC":"0x00","PROTO":"TCP","RES":"0x00","SPT":"40194","SRC":"2.3.4.5","SYN":"","TOS":"0x00","TTL":"242","URGP":"0","WINDOW":"1024","timestamp":"2020-06-17 13:23:34 +0000 UTC"} droptailer-6d556bd988-4g8gp droptailer 2020-06-17 13:23:10 +0000 UTC {"DPT":"63351","DST":"1.2.3.4","ID":"11855","IN":"vrf104009","LEN":"40","MAC":"ca:41:f9:80:fa:89:aa:bb:0e:62:8c:a6:08:00","OUT":"vlan179","PREC":"0x00","PROTO":"TCP","RES":"0x00","SPT":"54589","SRC":"2.3.4.5","SYN":"","TOS":"0x00","TTL":"245","URGP":"0","WINDOW":"1024","timestamp":"2020-06-17 13:23:10 +0000 UTC"} -droptailer-6d556bd988-4g8gp droptailer 2020-06-17 13:23:51 +0000 UTC {"DPT":"8002","DST":"1.2.3.4","ID":"17539","IN":"vrf104009","LEN":"40","MAC":"ca:41:f9:80:fa:89:aa:bb:0e:62:8c:a6:08:00","OUT":"","PREC":"0x00","PROTO":"TCP","RES":"0x00","SPT":"47615","SRC":"2.3.4.5","SYN":"","TOS":"0x08","TTL":"239","URGP":"0","WINDOW":"1024","timestamp":"2020-06-17 13:23:51 +0000 UTC"}

    You can forward the droptailer logs to any log aggregation infrastructure you have in place.

    Page Tree

    +droptailer-6d556bd988-4g8gp droptailer 2020-06-17 13:23:51 +0000 UTC {"DPT":"8002","DST":"1.2.3.4","ID":"17539","IN":"vrf104009","LEN":"40","MAC":"ca:41:f9:80:fa:89:aa:bb:0e:62:8c:a6:08:00","OUT":"","PREC":"0x00","PROTO":"TCP","RES":"0x00","SPT":"47615","SRC":"2.3.4.5","SYN":"","TOS":"0x08","TTL":"239","URGP":"0","WINDOW":"1024","timestamp":"2020-06-17 13:23:51 +0000 UTC"}

    You can forward the droptailer logs to any log aggregation infrastructure you have in place.

    Page Tree

    diff --git a/previews/PR235/external/metalctl/CONTRIBUTING/index.html b/previews/PR235/external/metalctl/CONTRIBUTING/index.html index 2588073a40..7e71164650 100644 --- a/previews/PR235/external/metalctl/CONTRIBUTING/index.html +++ b/previews/PR235/external/metalctl/CONTRIBUTING/index.html @@ -1,2 +1,2 @@ -Contributing · metal-stack
    +Contributing · metal-stack
    diff --git a/previews/PR235/external/metalctl/README/index.html b/previews/PR235/external/metalctl/README/index.html index b91e05664d..69ba8028ad 100644 --- a/previews/PR235/external/metalctl/README/index.html +++ b/previews/PR235/external/metalctl/README/index.html @@ -35,4 +35,4 @@ issuer_url: https://keycloak.somedomain.io custom_scopes: roles,openid,profile,email client_id: my-client-id - client_secret: my-secret

    Available commands

    Full documentation is generated out of the cobra command implementation with:

    metalctl markdown

    generated markdown is here and here

    Development

    For MacOS users, running the tests might throw an error because tests are utilizing go-mpatch in order to manipulate the time.Now function. The patch allows testing with fixed timestamps.

    Instead, MacOS users can utilize the make test-in-docker target to execute the tests.

    Page Tree

    + client_secret: my-secret

    Available commands

    Full documentation is generated out of the cobra command implementation with:

    metalctl markdown

    generated markdown is here and here

    Development

    For MacOS users, running the tests might throw an error because tests are utilizing go-mpatch in order to manipulate the time.Now function. The patch allows testing with fixed timestamps.

    Instead, MacOS users can utilize the make test-in-docker target to execute the tests.

    Page Tree

    diff --git a/previews/PR235/external/metalctl/docs/metalctl/index.html b/previews/PR235/external/metalctl/docs/metalctl/index.html index 8ad8118228..c366035fe7 100644 --- a/previews/PR235/external/metalctl/docs/metalctl/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl/index.html @@ -22,4 +22,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_audit/index.html b/previews/PR235/external/metalctl/docs/metalctl_audit/index.html index a933f0231d..0341c258b2 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_audit/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_audit/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_audit_describe/index.html b/previews/PR235/external/metalctl/docs/metalctl_audit_describe/index.html index f3bce63b1d..843214fff4 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_audit_describe/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_audit_describe/index.html @@ -23,4 +23,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_audit_list/index.html b/previews/PR235/external/metalctl/docs/metalctl_audit_list/index.html index fb584a52b9..76956f4f4f 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_audit_list/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_audit_list/index.html @@ -38,4 +38,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_completion/index.html b/previews/PR235/external/metalctl/docs/metalctl_completion/index.html index 77bade2243..a7b1806c3f 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_completion/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_completion/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_completion_bash/index.html b/previews/PR235/external/metalctl/docs/metalctl_completion_bash/index.html index a6a9f7bca9..371887e6ae 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_completion_bash/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_completion_bash/index.html @@ -22,4 +22,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_completion_fish/index.html b/previews/PR235/external/metalctl/docs/metalctl_completion_fish/index.html index 8e646621fb..b80eb6915b 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_completion_fish/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_completion_fish/index.html @@ -22,4 +22,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_completion_powershell/index.html b/previews/PR235/external/metalctl/docs/metalctl_completion_powershell/index.html index 5d60c9366c..919551f464 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_completion_powershell/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_completion_powershell/index.html @@ -22,4 +22,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_completion_zsh/index.html b/previews/PR235/external/metalctl/docs/metalctl_completion_zsh/index.html index 3ca982673b..05ed2a2d4a 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_completion_zsh/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_completion_zsh/index.html @@ -22,4 +22,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_context/index.html b/previews/PR235/external/metalctl/docs/metalctl_context/index.html index 92a545b7ef..85f7364c91 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_context/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_context/index.html @@ -37,4 +37,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_context_short/index.html b/previews/PR235/external/metalctl/docs/metalctl_context_short/index.html index d355b83aa5..f83e8fbe27 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_context_short/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_context_short/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout/index.html b/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout/index.html index 83ec71865c..4f8d2ca8f4 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_apply/index.html b/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_apply/index.html index c8724e6527..3bc59b3a79 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_apply/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_apply/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_create/index.html b/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_create/index.html index e3edd7e16f..37cd170526 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_create/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_create/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_delete/index.html b/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_delete/index.html index fa9198527b..53ef946805 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_delete/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_delete/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_describe/index.html b/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_describe/index.html index 8c475903ed..32b4b0e794 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_describe/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_describe/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_edit/index.html b/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_edit/index.html index 4561b5ec8a..769a990556 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_edit/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_edit/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_list/index.html b/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_list/index.html index e3d50f11f7..3a0bfffcec 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_list/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_list/index.html @@ -22,4 +22,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_match/index.html b/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_match/index.html index 50597331ce..95309b4835 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_match/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_match/index.html @@ -23,4 +23,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_try/index.html b/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_try/index.html index 068ed81281..7ada762214 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_try/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_try/index.html @@ -23,4 +23,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_update/index.html b/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_update/index.html index e9d85895d9..cc136805aa 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_update/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_filesystemlayout_update/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_firewall/index.html b/previews/PR235/external/metalctl/docs/metalctl_firewall/index.html index bc6f78fff7..c4405c54cd 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_firewall/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_firewall/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_firewall_create/index.html b/previews/PR235/external/metalctl/docs/metalctl_firewall_create/index.html index 89d1f61502..890a2a8789 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_firewall_create/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_firewall_create/index.html @@ -109,4 +109,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_firewall_describe/index.html b/previews/PR235/external/metalctl/docs/metalctl_firewall_describe/index.html index 312f85e4fd..cbcab87ab5 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_firewall_describe/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_firewall_describe/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_firewall_list/index.html b/previews/PR235/external/metalctl/docs/metalctl_firewall_list/index.html index e183c7caff..ec968fe4a3 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_firewall_list/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_firewall_list/index.html @@ -31,4 +31,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_firewall_ssh/index.html b/previews/PR235/external/metalctl/docs/metalctl_firewall_ssh/index.html index c38cdcd05b..4ec1dab7b6 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_firewall_ssh/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_firewall_ssh/index.html @@ -22,4 +22,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_firmware/index.html b/previews/PR235/external/metalctl/docs/metalctl_firmware/index.html index fa6c0c6f4f..404ceec762 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_firmware/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_firmware/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_firmware_delete/index.html b/previews/PR235/external/metalctl/docs/metalctl_firmware_delete/index.html index 092c576e1b..1e4d66867e 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_firmware_delete/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_firmware_delete/index.html @@ -25,4 +25,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_firmware_list/index.html b/previews/PR235/external/metalctl/docs/metalctl_firmware_list/index.html index 9cadcae76b..edf3b91cea 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_firmware_list/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_firmware_list/index.html @@ -25,4 +25,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_firmware_upload/index.html b/previews/PR235/external/metalctl/docs/metalctl_firmware_upload/index.html index d7d48cb920..a61cac6060 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_firmware_upload/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_firmware_upload/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_firmware_upload_bios/index.html b/previews/PR235/external/metalctl/docs/metalctl_firmware_upload_bios/index.html index 0575b3f943..ea6c8e06ba 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_firmware_upload_bios/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_firmware_upload_bios/index.html @@ -24,4 +24,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_firmware_upload_bmc/index.html b/previews/PR235/external/metalctl/docs/metalctl_firmware_upload_bmc/index.html index abdd95803c..b05982ad36 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_firmware_upload_bmc/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_firmware_upload_bmc/index.html @@ -24,4 +24,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_health/index.html b/previews/PR235/external/metalctl/docs/metalctl_health/index.html index 0f7af6bbb8..3dfb46df6f 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_health/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_health/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_image/index.html b/previews/PR235/external/metalctl/docs/metalctl_image/index.html index 26ff29ee58..985a1027e9 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_image/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_image/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_image_apply/index.html b/previews/PR235/external/metalctl/docs/metalctl_image_apply/index.html index 72b10d17a4..18a17ffad3 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_image_apply/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_image_apply/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_image_create/index.html b/previews/PR235/external/metalctl/docs/metalctl_image_create/index.html index 96053f8456..20f6a76477 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_image_create/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_image_create/index.html @@ -41,4 +41,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_image_delete/index.html b/previews/PR235/external/metalctl/docs/metalctl_image_delete/index.html index f76062cc46..880d93fe43 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_image_delete/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_image_delete/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_image_describe/index.html b/previews/PR235/external/metalctl/docs/metalctl_image_describe/index.html index 63c9ae1e39..ac2823d65f 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_image_describe/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_image_describe/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_image_edit/index.html b/previews/PR235/external/metalctl/docs/metalctl_image_edit/index.html index 047a2bd77e..098e2415ad 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_image_edit/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_image_edit/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_image_list/index.html b/previews/PR235/external/metalctl/docs/metalctl_image_list/index.html index fb6de99aa3..6857a6cfc7 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_image_list/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_image_list/index.html @@ -29,4 +29,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_image_update/index.html b/previews/PR235/external/metalctl/docs/metalctl_image_update/index.html index 5ee011178c..95191e318b 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_image_update/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_image_update/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_login/index.html b/previews/PR235/external/metalctl/docs/metalctl_login/index.html index bf7416ef6e..fd96750d45 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_login/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_login/index.html @@ -22,4 +22,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_logout/index.html b/previews/PR235/external/metalctl/docs/metalctl_logout/index.html index ed13d4d826..63e9d0ca51 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_logout/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_logout/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine/index.html index 87f6d4616e..c77f9bc181 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_apply/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_apply/index.html index dc3ec15c64..e2156f3802 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_apply/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_apply/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_console/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_console/index.html index a46593a4e3..ba6866f55d 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_console/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_console/index.html @@ -26,4 +26,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_consolepassword/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_consolepassword/index.html index 4fac2a9e81..49744e3268 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_consolepassword/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_consolepassword/index.html @@ -22,4 +22,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_create/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_create/index.html index b606693cac..3d417df61d 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_create/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_create/index.html @@ -95,4 +95,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_delete/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_delete/index.html index 1515b86f11..6077a2a9d5 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_delete/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_delete/index.html @@ -37,4 +37,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_describe/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_describe/index.html index 30668b4d08..1fc1b44b95 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_describe/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_describe/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_edit/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_edit/index.html index 450dd5b5ac..2799414757 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_edit/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_edit/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_identify/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_identify/index.html index 7c5d72e412..99cae1f19f 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_identify/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_identify/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_identify_off/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_identify_off/index.html index 473531ebc3..9b3d5eac7d 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_identify_off/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_identify_off/index.html @@ -22,4 +22,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_identify_on/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_identify_on/index.html index 7dcd84cad9..aca635e012 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_identify_on/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_identify_on/index.html @@ -22,4 +22,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_ipmi/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_ipmi/index.html index a6551342f4..ab132a3880 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_ipmi/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_ipmi/index.html @@ -44,4 +44,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_ipmi_events/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_ipmi_events/index.html index 8f4e0137fd..99b18a8be5 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_ipmi_events/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_ipmi_events/index.html @@ -24,4 +24,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_issues/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_issues/index.html index b80bbc99c3..67f3f820ba 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_issues/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_issues/index.html @@ -47,4 +47,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_issues_list/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_issues_list/index.html index d12b67424f..c0a77bf09d 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_issues_list/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_issues_list/index.html @@ -22,4 +22,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_list/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_list/index.html index 777c0bba8f..18631fe31b 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_list/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_list/index.html @@ -44,4 +44,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_lock/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_lock/index.html index 01dde26fd4..19f3bae017 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_lock/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_lock/index.html @@ -23,4 +23,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_logs/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_logs/index.html index b3aa6a1410..c54811fa18 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_logs/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_logs/index.html @@ -22,4 +22,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_power/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_power/index.html index 778ea39e49..dcf89d873d 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_power/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_power/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_power_bios/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_power_bios/index.html index 2118d53380..dbb329efe5 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_power_bios/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_power_bios/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_power_cycle/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_power_cycle/index.html index 5940817bfe..3bb15f402b 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_power_cycle/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_power_cycle/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_power_disk/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_power_disk/index.html index 9a6eb00466..65abb9593e 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_power_disk/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_power_disk/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_power_off/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_power_off/index.html index adf8318f61..2b39bab608 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_power_off/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_power_off/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_power_on/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_power_on/index.html index 47c89db052..542479920d 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_power_on/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_power_on/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_power_pxe/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_power_pxe/index.html index dcd4cbd60e..10f8690646 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_power_pxe/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_power_pxe/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_power_reset/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_power_reset/index.html index 6086c280af..52ed379115 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_power_reset/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_power_reset/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_reinstall/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_reinstall/index.html index b279e150a9..8ae27043be 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_reinstall/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_reinstall/index.html @@ -23,4 +23,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_reserve/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_reserve/index.html index b0fe9da235..cd3f72ffe3 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_reserve/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_reserve/index.html @@ -23,4 +23,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_update-firmware/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_update-firmware/index.html index 4d8d7ef23d..caf28ef7be 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_update-firmware/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_update-firmware/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_update-firmware_bios/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_update-firmware_bios/index.html index 254b4e9aa7..59ad60564b 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_update-firmware_bios/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_update-firmware_bios/index.html @@ -23,4 +23,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_update-firmware_bmc/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_update-firmware_bmc/index.html index 2523775a7c..e437b3de48 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_update-firmware_bmc/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_update-firmware_bmc/index.html @@ -23,4 +23,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_machine_update/index.html b/previews/PR235/external/metalctl/docs/metalctl_machine_update/index.html index 94009b0a8d..5e2b157b15 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_machine_update/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_machine_update/index.html @@ -39,4 +39,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_markdown/index.html b/previews/PR235/external/metalctl/docs/metalctl_markdown/index.html index 55bc28a3e2..590aa35f1f 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_markdown/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_markdown/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_network/index.html b/previews/PR235/external/metalctl/docs/metalctl_network/index.html index 56997403ad..c471176efd 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_network/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_network/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_network_allocate/index.html b/previews/PR235/external/metalctl/docs/metalctl_network_allocate/index.html index 1e241ee06a..592c16a922 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_network_allocate/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_network_allocate/index.html @@ -28,4 +28,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_network_apply/index.html b/previews/PR235/external/metalctl/docs/metalctl_network_apply/index.html index c9928be4a4..34e7faa350 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_network_apply/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_network_apply/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_network_create/index.html b/previews/PR235/external/metalctl/docs/metalctl_network_create/index.html index 137977c3d1..17eaa93918 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_network_create/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_network_create/index.html @@ -50,4 +50,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_network_delete/index.html b/previews/PR235/external/metalctl/docs/metalctl_network_delete/index.html index 78542b1987..95672ad3ea 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_network_delete/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_network_delete/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_network_describe/index.html b/previews/PR235/external/metalctl/docs/metalctl_network_describe/index.html index d36b23c51c..91f53f918c 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_network_describe/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_network_describe/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_network_edit/index.html b/previews/PR235/external/metalctl/docs/metalctl_network_edit/index.html index d5b83428b0..5896598f91 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_network_edit/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_network_edit/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_network_free/index.html b/previews/PR235/external/metalctl/docs/metalctl_network_free/index.html index 98522ed6d3..f9bfc57acf 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_network_free/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_network_free/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_network_ip/index.html b/previews/PR235/external/metalctl/docs/metalctl_network_ip/index.html index 03757d12cd..b9549d4931 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_network_ip/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_network_ip/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_network_ip_apply/index.html b/previews/PR235/external/metalctl/docs/metalctl_network_ip_apply/index.html index 22086a9de8..422b0c6999 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_network_ip_apply/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_network_ip_apply/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_network_ip_create/index.html b/previews/PR235/external/metalctl/docs/metalctl_network_ip_create/index.html index a51973b6af..6da046cfa4 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_network_ip_create/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_network_ip_create/index.html @@ -43,4 +43,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_network_ip_delete/index.html b/previews/PR235/external/metalctl/docs/metalctl_network_ip_delete/index.html index 0f5e2cef65..bb1c1fe844 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_network_ip_delete/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_network_ip_delete/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_network_ip_describe/index.html b/previews/PR235/external/metalctl/docs/metalctl_network_ip_describe/index.html index 2366edad79..15c80d13ed 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_network_ip_describe/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_network_ip_describe/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_network_ip_edit/index.html b/previews/PR235/external/metalctl/docs/metalctl_network_ip_edit/index.html index 36487839ba..a9d053fb39 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_network_ip_edit/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_network_ip_edit/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_network_ip_issues/index.html b/previews/PR235/external/metalctl/docs/metalctl_network_ip_issues/index.html index 86fd392032..6bd7ef058b 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_network_ip_issues/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_network_ip_issues/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_network_ip_list/index.html b/previews/PR235/external/metalctl/docs/metalctl_network_ip_list/index.html index 2747e6ea57..b9285b9b3e 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_network_ip_list/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_network_ip_list/index.html @@ -30,4 +30,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_network_ip_update/index.html b/previews/PR235/external/metalctl/docs/metalctl_network_ip_update/index.html index b475d0edc0..6ac7a85622 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_network_ip_update/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_network_ip_update/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_network_list/index.html b/previews/PR235/external/metalctl/docs/metalctl_network_list/index.html index 1233da5ca9..a10ab59f57 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_network_list/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_network_list/index.html @@ -33,4 +33,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_network_update/index.html b/previews/PR235/external/metalctl/docs/metalctl_network_update/index.html index 2ad6689b7e..62991cff9b 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_network_update/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_network_update/index.html @@ -45,4 +45,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_partition/index.html b/previews/PR235/external/metalctl/docs/metalctl_partition/index.html index 5ae45a744a..57b04e509b 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_partition/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_partition/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_partition_apply/index.html b/previews/PR235/external/metalctl/docs/metalctl_partition_apply/index.html index af3d70d5f8..0bb37c7b5e 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_partition_apply/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_partition_apply/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_partition_capacity/index.html b/previews/PR235/external/metalctl/docs/metalctl_partition_capacity/index.html index d8a519948e..3117a1282f 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_partition_capacity/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_partition_capacity/index.html @@ -25,4 +25,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_partition_create/index.html b/previews/PR235/external/metalctl/docs/metalctl_partition_create/index.html index ddc59795e7..53798ce6b5 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_partition_create/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_partition_create/index.html @@ -45,4 +45,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_partition_delete/index.html b/previews/PR235/external/metalctl/docs/metalctl_partition_delete/index.html index c27136f39c..125784dae8 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_partition_delete/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_partition_delete/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_partition_describe/index.html b/previews/PR235/external/metalctl/docs/metalctl_partition_describe/index.html index 70a1f0cded..19bae55036 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_partition_describe/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_partition_describe/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_partition_edit/index.html b/previews/PR235/external/metalctl/docs/metalctl_partition_edit/index.html index 767f9314cb..20cef8d046 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_partition_edit/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_partition_edit/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_partition_list/index.html b/previews/PR235/external/metalctl/docs/metalctl_partition_list/index.html index d77a8e635b..59900eda39 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_partition_list/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_partition_list/index.html @@ -22,4 +22,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_partition_update/index.html b/previews/PR235/external/metalctl/docs/metalctl_partition_update/index.html index d0a36fe5bc..7a5c075df7 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_partition_update/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_partition_update/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_project/index.html b/previews/PR235/external/metalctl/docs/metalctl_project/index.html index babc010c6c..9d4439e45a 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_project/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_project/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_project_apply/index.html b/previews/PR235/external/metalctl/docs/metalctl_project_apply/index.html index 1fc42d23e4..e758fb6034 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_project_apply/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_project_apply/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_project_create/index.html b/previews/PR235/external/metalctl/docs/metalctl_project_create/index.html index 0c021a9456..944800c55d 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_project_create/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_project_create/index.html @@ -44,4 +44,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_project_delete/index.html b/previews/PR235/external/metalctl/docs/metalctl_project_delete/index.html index 4318ac0fdd..d671edc86b 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_project_delete/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_project_delete/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_project_describe/index.html b/previews/PR235/external/metalctl/docs/metalctl_project_describe/index.html index 6c4269781c..d4e2e951f9 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_project_describe/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_project_describe/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_project_edit/index.html b/previews/PR235/external/metalctl/docs/metalctl_project_edit/index.html index 5755d6497c..e1688509dc 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_project_edit/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_project_edit/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_project_list/index.html b/previews/PR235/external/metalctl/docs/metalctl_project_list/index.html index f694fa572b..f8989acd26 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_project_list/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_project_list/index.html @@ -25,4 +25,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_project_update/index.html b/previews/PR235/external/metalctl/docs/metalctl_project_update/index.html index 1d43daa857..486b728591 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_project_update/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_project_update/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size/index.html b/previews/PR235/external/metalctl/docs/metalctl_size/index.html index 31f6b0b002..75aa1a58b5 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_apply/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_apply/index.html index c92ddce676..bffca7471e 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_apply/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_apply/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_create/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_create/index.html index 8837556738..1006ff249a 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_create/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_create/index.html @@ -42,4 +42,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_delete/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_delete/index.html index 98d3b1bd50..eff6b85425 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_delete/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_delete/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_describe/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_describe/index.html index 0f11039688..e9463e3d4b 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_describe/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_describe/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_edit/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_edit/index.html index ffe26fd664..fe414771b0 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_edit/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_edit/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint/index.html index 77d9753cae..f2a1264cf9 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_apply/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_apply/index.html index 8e68a43326..2087e48972 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_apply/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_apply/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_create/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_create/index.html index 1747611645..21a9a116fa 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_create/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_create/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_delete/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_delete/index.html index 900a658475..2e955fe5fe 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_delete/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_delete/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_describe/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_describe/index.html index 16eca54faf..9cfa5c33c0 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_describe/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_describe/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_edit/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_edit/index.html index 111b9133bf..f960aa3460 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_edit/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_edit/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_list/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_list/index.html index 6f095d7f6b..af05775c9c 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_list/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_list/index.html @@ -22,4 +22,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_try/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_try/index.html index cbd10500fc..4e7507ab14 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_try/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_try/index.html @@ -23,4 +23,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_update/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_update/index.html index 09f93ec67c..f65a54d716 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_update/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_imageconstraint_update/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_list/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_list/index.html index e8b63c735e..6ebad9aad5 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_list/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_list/index.html @@ -22,4 +22,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_reservation/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_reservation/index.html index aa9a5140f7..af13c0b415 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_reservation/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_reservation/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_reservation_apply/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_reservation_apply/index.html index 1059e48d98..39fd6fd4d8 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_reservation_apply/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_reservation_apply/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_reservation_create/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_reservation_create/index.html index 280f22d7a6..1e01cda20c 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_reservation_create/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_reservation_create/index.html @@ -43,4 +43,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_reservation_delete/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_reservation_delete/index.html index f484dd8475..4ce7c1036c 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_reservation_delete/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_reservation_delete/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_reservation_describe/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_reservation_describe/index.html index 6f7c5ebed7..b7b0d2ec8d 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_reservation_describe/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_reservation_describe/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_reservation_edit/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_reservation_edit/index.html index 55534a3a81..0fd715218d 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_reservation_edit/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_reservation_edit/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_reservation_list/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_reservation_list/index.html index f12344e50c..c7f493f7ee 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_reservation_list/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_reservation_list/index.html @@ -26,4 +26,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_reservation_update/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_reservation_update/index.html index 41512af9e1..6ee0bdaec3 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_reservation_update/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_reservation_update/index.html @@ -40,4 +40,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_reservation_usage/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_reservation_usage/index.html index 86ac86cad2..a70bc59ece 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_reservation_usage/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_reservation_usage/index.html @@ -25,4 +25,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_suggest/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_suggest/index.html index 7994f4547f..64de38e335 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_suggest/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_suggest/index.html @@ -25,4 +25,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_size_update/index.html b/previews/PR235/external/metalctl/docs/metalctl_size_update/index.html index 7b9227721d..56635ae834 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_size_update/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_size_update/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_switch/index.html b/previews/PR235/external/metalctl/docs/metalctl_switch/index.html index 968e2ca7b7..05a7fd15d6 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_switch/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_switch/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_switch_connected-machines/index.html b/previews/PR235/external/metalctl/docs/metalctl_switch_connected-machines/index.html index 0be5c59428..d3e16f93b7 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_switch_connected-machines/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_switch_connected-machines/index.html @@ -37,4 +37,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_switch_console/index.html b/previews/PR235/external/metalctl/docs/metalctl_switch_console/index.html index 92242c5816..4d3a320d69 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_switch_console/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_switch_console/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_switch_delete/index.html b/previews/PR235/external/metalctl/docs/metalctl_switch_delete/index.html index 360e58d045..d344000f88 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_switch_delete/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_switch_delete/index.html @@ -37,4 +37,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_switch_describe/index.html b/previews/PR235/external/metalctl/docs/metalctl_switch_describe/index.html index b2629653bd..9e994a1da4 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_switch_describe/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_switch_describe/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_switch_detail/index.html b/previews/PR235/external/metalctl/docs/metalctl_switch_detail/index.html index 55edb6aebc..4dacc4a15e 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_switch_detail/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_switch_detail/index.html @@ -27,4 +27,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_switch_edit/index.html b/previews/PR235/external/metalctl/docs/metalctl_switch_edit/index.html index 20239c3805..7c9ae3d6e5 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_switch_edit/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_switch_edit/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_switch_list/index.html b/previews/PR235/external/metalctl/docs/metalctl_switch_list/index.html index 18dad9faca..8cac1b7b71 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_switch_list/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_switch_list/index.html @@ -28,4 +28,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_switch_migrate/index.html b/previews/PR235/external/metalctl/docs/metalctl_switch_migrate/index.html index 02227725d6..d89d2b18c4 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_switch_migrate/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_switch_migrate/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_switch_port/index.html b/previews/PR235/external/metalctl/docs/metalctl_switch_port/index.html index 531b1dfa62..4bf180e7a8 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_switch_port/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_switch_port/index.html @@ -22,4 +22,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_switch_port_describe/index.html b/previews/PR235/external/metalctl/docs/metalctl_switch_port_describe/index.html index 283068f0a6..460169a603 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_switch_port_describe/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_switch_port_describe/index.html @@ -22,4 +22,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_switch_port_down/index.html b/previews/PR235/external/metalctl/docs/metalctl_switch_port_down/index.html index 37de45b4a1..c6ee4500db 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_switch_port_down/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_switch_port_down/index.html @@ -22,4 +22,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_switch_port_up/index.html b/previews/PR235/external/metalctl/docs/metalctl_switch_port_up/index.html index 491afd4044..6c2d3d9e11 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_switch_port_up/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_switch_port_up/index.html @@ -22,4 +22,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_switch_replace/index.html b/previews/PR235/external/metalctl/docs/metalctl_switch_replace/index.html index 9105098d12..abf00f64e2 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_switch_replace/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_switch_replace/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_switch_ssh/index.html b/previews/PR235/external/metalctl/docs/metalctl_switch_ssh/index.html index c68bc59212..d604207712 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_switch_ssh/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_switch_ssh/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_switch_update/index.html b/previews/PR235/external/metalctl/docs/metalctl_switch_update/index.html index a48e5ed5ad..5d75531f3d 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_switch_update/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_switch_update/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_tenant/index.html b/previews/PR235/external/metalctl/docs/metalctl_tenant/index.html index 81a098fbd2..cc66201e12 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_tenant/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_tenant/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_tenant_apply/index.html b/previews/PR235/external/metalctl/docs/metalctl_tenant_apply/index.html index 0602a9ce59..552584e96c 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_tenant_apply/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_tenant_apply/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_tenant_create/index.html b/previews/PR235/external/metalctl/docs/metalctl_tenant_create/index.html index da1f8e2e49..68d0da10a2 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_tenant_create/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_tenant_create/index.html @@ -44,4 +44,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_tenant_delete/index.html b/previews/PR235/external/metalctl/docs/metalctl_tenant_delete/index.html index 14efbc46a2..d2e11dbfd4 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_tenant_delete/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_tenant_delete/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_tenant_describe/index.html b/previews/PR235/external/metalctl/docs/metalctl_tenant_describe/index.html index 09e2ad40b0..711dbf0a88 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_tenant_describe/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_tenant_describe/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_tenant_edit/index.html b/previews/PR235/external/metalctl/docs/metalctl_tenant_edit/index.html index 21accc7c4d..4d7c9b0ee6 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_tenant_edit/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_tenant_edit/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_tenant_list/index.html b/previews/PR235/external/metalctl/docs/metalctl_tenant_list/index.html index 95ec6a58ef..e5ee1544d8 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_tenant_list/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_tenant_list/index.html @@ -25,4 +25,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_tenant_update/index.html b/previews/PR235/external/metalctl/docs/metalctl_tenant_update/index.html index c9672c8c0e..05c0d6ef02 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_tenant_update/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_tenant_update/index.html @@ -36,4 +36,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_update/index.html b/previews/PR235/external/metalctl/docs/metalctl_update/index.html index 1cbc8ce220..31f626dfdd 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_update/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_update/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_update_check/index.html b/previews/PR235/external/metalctl/docs/metalctl_update_check/index.html index 5e5ee7328d..b0a1d578d4 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_update_check/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_update_check/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_update_do/index.html b/previews/PR235/external/metalctl/docs/metalctl_update_do/index.html index 5b2f4663f2..81262f8f11 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_update_do/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_update_do/index.html @@ -22,4 +22,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_version/index.html b/previews/PR235/external/metalctl/docs/metalctl_version/index.html index a6a76af9f9..09090e754a 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_version/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_version/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_vpn/index.html b/previews/PR235/external/metalctl/docs/metalctl_vpn/index.html index 5a50b2f051..8cf025378a 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_vpn/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_vpn/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_vpn_key/index.html b/previews/PR235/external/metalctl/docs/metalctl_vpn_key/index.html index daecffcb17..10a9f2d661 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_vpn_key/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_vpn_key/index.html @@ -26,4 +26,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/metalctl/docs/metalctl_whoami/index.html b/previews/PR235/external/metalctl/docs/metalctl_whoami/index.html index 412e1acb58..cfb8025dfe 100644 --- a/previews/PR235/external/metalctl/docs/metalctl_whoami/index.html +++ b/previews/PR235/external/metalctl/docs/metalctl_whoami/index.html @@ -21,4 +21,4 @@ metalctl machine list -o template --template "{{ .id }}:{{ .size.id }}" - --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    + --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)

    SEE ALSO

    diff --git a/previews/PR235/external/mini-lab/CONTRIBUTING/index.html b/previews/PR235/external/mini-lab/CONTRIBUTING/index.html index d03566cc2f..20ac1b9c58 100644 --- a/previews/PR235/external/mini-lab/CONTRIBUTING/index.html +++ b/previews/PR235/external/mini-lab/CONTRIBUTING/index.html @@ -1,2 +1,2 @@ -Contributing · metal-stack
    +Contributing · metal-stack
    diff --git a/previews/PR235/external/mini-lab/README/index.html b/previews/PR235/external/mini-lab/README/index.html index 085447c640..d00ec58f06 100644 --- a/previews/PR235/external/mini-lab/README/index.html +++ b/previews/PR235/external/mini-lab/README/index.html @@ -67,4 +67,4 @@ 2294c949-88f6-5390-8154-fa53d93a3313   Phoned Home 8s 18s fw 00000000-0000-0000-0000-000000000000 v1-small-x86 Firewall 2 Ubuntu 20200730 mini-lab

    Login with user name metal and the console password from

    docker compose run --rm metalctl machine consolepassword e0ab02d2-27cd-5a5e-8efc-080ba80cf258

    To remove the kind cluster, the switches and machines, run:

    make cleanup

    Reinstall machine

    Reinstall a machine with

    docker compose run --rm metalctl machine reinstall \
             --image ubuntu-20.04 \
             e0ab02d2-27cd-5a5e-8efc-080ba80cf258

    Free machine

    Free a machine with make free-machine01 or

    docker compose run --rm metalctl machine rm e0ab02d2-27cd-5a5e-8efc-080ba80cf258

    Flavors

    There are two versions, or flavors, of the mini-lab environment which differ in regards to the NOS running on the leaves:

    In order to start specific flavor, you can define the flavor as follows:

    export MINI_LAB_FLAVOR=sonic
    -make

    Page Tree

    +make

    Page Tree

    diff --git a/previews/PR235/index.html b/previews/PR235/index.html index 185f41b358..45f1737926 100644 --- a/previews/PR235/index.html +++ b/previews/PR235/index.html @@ -1,2 +1,2 @@ -Introduction · metal-stack

    Welcome to the metal-stack docs!

    metal-stack is an open source software that provides an API for provisioning and managing physical servers in the data center. To categorize this product, we use the terms Metal-as-a-Service (MaaS) or bare metal cloud.

    From the perspective of a user, the metal-stack does not feel any different from working with a conventional cloud provider. Users manage their resources (machines, networks and ip addresses, etc.) by themselves, which effectively turns your data center into an elastic cloud infrastructure.

    The major difference to other cloud providers is that compute power and data reside in your own data center.

    Why metal-stack?

    Before we started with our mission to implement the metal-stack, we decided on a couple of key characteristics and constraints that we think are unique in the domain (otherwise we would definitely have chosen an existing solution).

    We hope that the following properties appeal to you as well.

    On-Premise

    Running on-premise gives you data sovereignty and usually a better price / performance ratio than with hyperscalers — especially the larger you grow your environment. Another benefit of running on-premise is an easier connectivity to existing company networks.

    Fast Provisioning

    Provisioning bare metal machines should not feel much different from virtual machines. metal-stack is capable of provisioning servers in less than a minute. The underlying network topology is based on BGP and allows announcing new routes to your host machines in a matter of seconds.

    No-Ops

    Part of the metal-stack runs on dedicated switches in your data center. This way, it is possible to automate server inventorization, permanently reconcile network configuration and automatically manage machine lifecycles. Manual configuration is neither required nor wanted.

    Security

    Our networking approach was designed for highest standards on security. Also, we enforce firewalling on dedicated tenant firewalls before users can establish connections to other networks than their private tenant network. API authentication and authorization is done with the help of OIDC.

    API driven

    The development of metal-stack is strictly API driven and offers self-service to end-users. This approach delivers the highest possible degree of automation, maintainability and performance.

    Ready for Kubernetes

    Not only does the metal-stack run smoothly on Kubernetes (K8s). The major intent of metal-stack has always been to build a scalable machine infrastructure for Kubernetes as a Service (KaaS). In partnership with the open-source project Gardener, we can provision Kubernetes clusters on metal-stack at scale.

    From the perspective of the Gardener, the metal-stack is just another cloud provider. The time savings compared to providing machines and Kubernetes by hand are significant. We actually want to be able to compete with offers of public cloud providers, especially regarding speed and usability.

    Of course, you can use metal-stack only for machine provisioning as well and just put something else on top of your metal infrastructure.

    Open Source

    The metal-stack is open source and free of constraints regarding vendors and third-party products. The stack is completely built on open source products. We have a community actively working on the metal-stack, which can assist you delivering all reasonable features you are gonna need.

    Why Bare Metal?

    Bare metal has several advantages over virtual environments and overcomes several drawbacks of virtual machines. We also listed drawbacks of the bare metal approach. Bare in mind though that it is still possible to virtualize on bare metal environments when you have your stack up and running.

    Virtual Environment Drawbacks

    • Spectre and Meltdown can only be mitigated with a "cluster per tenant" approach
    • Missing isolation of multi-tenant change impacts
    • Licensing restrictions
    • Noisy-neighbors

    Bare Metal Advantages

    • Guaranteed and fastest possible performance (especially disk i/o)
    • Reduced stack depth (Host / VM / Application vs. Host / Container)
      • Reduced attack surface
      • Lower costs, higher performance
      • No VM live-migrations
    • Bigger hardware configurations possible (hypervisors have restrictions, e.g. it is not possible to assign all CPUs to a single VM)

    Bare Metal Drawbacks

    • Hardware defects have direct impact (should be considered by design) and can not be mitigated by live-migration as in virtual environments
    • Capacity planning is more difficult (no resource overbooking possible)
    +Introduction · metal-stack

    Welcome to the metal-stack docs!

    metal-stack is an open source software that provides an API for provisioning and managing physical servers in the data center. To categorize this product, we use the terms Metal-as-a-Service (MaaS) or bare metal cloud.

    From the perspective of a user, the metal-stack does not feel any different from working with a conventional cloud provider. Users manage their resources (machines, networks and ip addresses, etc.) by themselves, which effectively turns your data center into an elastic cloud infrastructure.

    The major difference to other cloud providers is that compute power and data reside in your own data center.

    Why metal-stack?

    Before we started with our mission to implement the metal-stack, we decided on a couple of key characteristics and constraints that we think are unique in the domain (otherwise we would definitely have chosen an existing solution).

    We hope that the following properties appeal to you as well.

    On-Premise

    Running on-premise gives you data sovereignty and usually a better price / performance ratio than with hyperscalers — especially the larger you grow your environment. Another benefit of running on-premise is an easier connectivity to existing company networks.

    Fast Provisioning

    Provisioning bare metal machines should not feel much different from virtual machines. metal-stack is capable of provisioning servers in less than a minute. The underlying network topology is based on BGP and allows announcing new routes to your host machines in a matter of seconds.

    No-Ops

    Part of the metal-stack runs on dedicated switches in your data center. This way, it is possible to automate server inventorization, permanently reconcile network configuration and automatically manage machine lifecycles. Manual configuration is neither required nor wanted.

    Security

    Our networking approach was designed for highest standards on security. Also, we enforce firewalling on dedicated tenant firewalls before users can establish connections to other networks than their private tenant network. API authentication and authorization is done with the help of OIDC.

    API driven

    The development of metal-stack is strictly API driven and offers self-service to end-users. This approach delivers the highest possible degree of automation, maintainability and performance.

    Ready for Kubernetes

    Not only does the metal-stack run smoothly on Kubernetes (K8s). The major intent of metal-stack has always been to build a scalable machine infrastructure for Kubernetes as a Service (KaaS). In partnership with the open-source project Gardener, we can provision Kubernetes clusters on metal-stack at scale.

    From the perspective of the Gardener, the metal-stack is just another cloud provider. The time savings compared to providing machines and Kubernetes by hand are significant. We actually want to be able to compete with offers of public cloud providers, especially regarding speed and usability.

    Of course, you can use metal-stack only for machine provisioning as well and just put something else on top of your metal infrastructure.

    Open Source

    The metal-stack is open source and free of constraints regarding vendors and third-party products. The stack is completely built on open source products. We have a community actively working on the metal-stack, which can assist you delivering all reasonable features you are gonna need.

    Why Bare Metal?

    Bare metal has several advantages over virtual environments and overcomes several drawbacks of virtual machines. We also listed drawbacks of the bare metal approach. Bare in mind though that it is still possible to virtualize on bare metal environments when you have your stack up and running.

    Virtual Environment Drawbacks

    • Spectre and Meltdown can only be mitigated with a "cluster per tenant" approach
    • Missing isolation of multi-tenant change impacts
    • Licensing restrictions
    • Noisy-neighbors

    Bare Metal Advantages

    • Guaranteed and fastest possible performance (especially disk i/o)
    • Reduced stack depth (Host / VM / Application vs. Host / Container)
      • Reduced attack surface
      • Lower costs, higher performance
      • No VM live-migrations
    • Bigger hardware configurations possible (hypervisors have restrictions, e.g. it is not possible to assign all CPUs to a single VM)

    Bare Metal Drawbacks

    • Hardware defects have direct impact (should be considered by design) and can not be mitigated by live-migration as in virtual environments
    • Capacity planning is more difficult (no resource overbooking possible)
    diff --git a/previews/PR235/installation/autonomous-control-plane/index.html b/previews/PR235/installation/autonomous-control-plane/index.html index 28d4aa4fa3..0bbbafde05 100644 --- a/previews/PR235/installation/autonomous-control-plane/index.html +++ b/previews/PR235/installation/autonomous-control-plane/index.html @@ -1,5 +1,5 @@ -Autonomous Control Plane · metal-stack

    Autonomous Control Plane, aka solve the bootstrap problem

    Setting up a metal-stack.io environment in your own datacenter requires a control plane to be present which hosts the metal-stack api. If you plan to spin up kubernetes clusters, either with gardener.cloud or cluster api, the requirement for this control plane raises. The control plane must be running in a kubernetes cluster, which offers at least the following features:

    • Loadbalancing
    • Persistent Storage
    • Access to a object storage for automatic backups of the stateful sets
    • Access to a DNS provider which is supported by one of the dns extensions in use.

    This cluster must also be highly available to prevent complete loss of control over the managed resources in the datacenter. Regular kubernetes updates to apply security fixes and feature updates must be possible in an automated manner.

    The most obvious and simple solution is to use one of the managed kubernetes offerings from another cloud provider.

    But there are use cases, where it is not possible because of network restrictions, or because the company compliances forbid the usage of external datacenter products. For such cases a solution must be found which produces the control plane inside the own datacenter but with reasonable day two operational effort.

    Possible Solutions

    No complete list.

    • vmware and rancher
    • talos
    • 3 physical machines with kubespray

    ...

    All of these solutions add another stack which is probably new to the team which already operates the metal-stack environment.

    TODO: can we provide a list which of the requirements can be solved with all of the alternatives.

    Use your own dogfood

    With metal-stack.io we already have the possibility to create an manage kubernetes cluster with the help of gardener.cloud. Use this stack to create the control plane clusters only. Do not try to create more clusters for other purposes than metal-stack control planes. If this restriction applies, the requirement for a control plane for this metal-stack setup can be minimal.

    This metal-stack setup also requires a control plane to host metal-api and gardener, but this control plane does not have huge resource requirements in terms of cpu, memory and storage. For this initial control plane cluster we could use kind running on a single server which manages the initial metal-stack partitin to host the control plane for the real setup.

    This is a chain of two metal-stack environments.

    Architecture

    A high-level architecture consists of two metal-stack.io environments, one for the control plane, the second one for the production or real environment. It might also be possible to call the initial metal-stack.io environment the metal-stack seed, and the actual production environment the metal-stack shoot.

    We could even use some names for this environments which match better to metal, like needle and nail. So, a needle metal-stack is used to create a nail metal-stack environment.

    metal-stack-chain

    The needle and the nail metal-stack have both a control plane and a set of physical bare metal machines they manage and operate on.

    Needle

    The needle control plane is kept very small and running inside a kind cluster. The physical bare metal machines can be any machines and switches which are supported by metal stack, but can be smaller in terms of cpu, memory and network speed, because these machines must only be capable of running the nail metal stack control plane.

    1. Control Plane

    In the most simple case the needle control plane is based on kind which is running on a machine which was setup manually/partly automated with a debian:12 operating system. This machine provides a decent amount of cpu, memory and storage locally to store all persistent data. The amount of cpus and memory depends on the required size of the expected nail control plane. A typical single socket server with 8-16 cores and 64GB of RAM and two NVMe drives of 1TB would be a good starting point.

    In a typical kind setup, a stateful set would lose the data once the kind cluster was terminated and started again. But there is a possibility to define parts of the local storage of the server to be provided to the kind cluster for the PVCs. With that, kind could be terminated and started again, for example to update and reboot the host os, or update kind itself and the data will persist.

    Example kind configuration for persistent storage on the hosts os:

    kind: Cluster
    +Autonomous Control Plane · metal-stack

    Autonomous Control Plane, aka solve the bootstrap problem

    Setting up a metal-stack.io environment in your own datacenter requires a control plane to be present which hosts the metal-stack api. If you plan to spin up kubernetes clusters, either with gardener.cloud or cluster api, the requirement for this control plane raises. The control plane must be running in a kubernetes cluster, which offers at least the following features:

    • Loadbalancing
    • Persistent Storage
    • Access to a object storage for automatic backups of the stateful sets
    • Access to a DNS provider which is supported by one of the dns extensions in use.

    This cluster must also be highly available to prevent complete loss of control over the managed resources in the datacenter. Regular kubernetes updates to apply security fixes and feature updates must be possible in an automated manner.

    The most obvious and simple solution is to use one of the managed kubernetes offerings from another cloud provider.

    But there are use cases, where it is not possible because of network restrictions, or because the company compliances forbid the usage of external datacenter products. For such cases a solution must be found which produces the control plane inside the own datacenter but with reasonable day two operational effort.

    Possible Solutions

    No complete list.

    • vmware and rancher
    • talos
    • 3 physical machines with kubespray

    ...

    All of these solutions add another stack which is probably new to the team which already operates the metal-stack environment.

    TODO: can we provide a list which of the requirements can be solved with all of the alternatives.

    Use your own dogfood

    With metal-stack.io we already have the possibility to create and manage kubernetes clusters with the help of Gardener. Use this stack to create the control plane clusters only. Do not try to create more clusters for other purposes than metal-stack control planes. If this restriction applies, the requirement for a control plane for this metal-stack setup can be minimal.

    This metal-stack setup also requires a control plane to host metal-api and gardener, but this control plane does not have huge resource requirements in terms of cpu, memory and storage. For this initial control plane cluster we could use kind running on a single server which manages the initial metal-stack partition to host the control plane for the real setup.

    This is a chain of two metal-stack environments.

    Architecture

    A high-level architecture consists of two metal-stack.io environments, one for the control plane, the second one for the production or real environment. It might also be possible to call the initial metal-stack.io environment the metal-stack seed, and the actual production environment the metal-stack shoot.

    We could even use some names for this environments which match better to metal, like needle and nail. So, a needle metal-stack is used to create a nail metal-stack environment.

    metal-stack-chain

    The needle and the nail metal-stack have both a control plane and a set of physical bare metal machines they manage and operate on.

    Needle

    The needle control plane is kept very small and running inside a kind cluster. The physical bare metal machines can be any machines and switches which are supported by metal stack, but can be smaller in terms of cpu, memory and network speed, because these machines must only be capable of running the nail metal stack control plane.

    1. Control Plane

    In the most simple case the needle control plane is based on kind which is running on a machine which was setup manually/partly automated with a debian:12 operating system. This machine provides a decent amount of cpu, memory and storage locally to store all persistent data. The amount of cpus and memory depends on the required size of the expected nail control plane. A typical single socket server with 8-16 cores and 64GB of RAM and two NVMe drives of 1TB would be a good starting point.

    In a typical kind setup, a stateful set would lose the data once the kind cluster was terminated and started again. But there is a possibility to define parts of the local storage of the server to be provided to the kind cluster for the PVCs. With that, kind could be terminated and started again, for example to update and reboot the host os, or update kind itself and the data will persist.

    Example kind configuration for persistent storage on the hosts os:

    kind: Cluster
     apiVersion: kind.x-k8s.io/v1alpha4
     name: needle-control-plane
     nodes:
    @@ -25,4 +25,4 @@
         disk /dev/nvme0n1;
         address 192.168.1.102:7789;
       }
    -}

    TODO: LVM Volumes

    Logical View

    needle-control-plane-ha

    Physical View, minimal ha setup which is only suitable for 1 Seed and 1 Shoot

    needle-rack

    Physical View, bigger ha setup which is spread to two datacenters, capable to create 1 Seed with 3 nodes and 2 Shoots with 3 nodes each and still 2 waiting machines.

    needle-rack-big

    1. Partition

    The partition which is managed by the metal-stack needle can be a simple and small hardware setup but yet capable enough to host the metal-stack nail control plane. It can follow the metal-stack minimal setup which provides about 8-16 small servers connected to a 1G/s or 10G/s network dataplane. Central storage is optional as the persistence of the services running in these clusters is always backed up to a central object storage. Operations would be much easier if a central storage is provided.

    A seed must be created which is responsible for hosting the control planes of the shoots in this partition. The amount of shoots should be minimal, most of the time, two shoots, one for hosting gardener and one for metal-stack.

    needle-partition

    1. Network Diagram

    TODO: Where to connect the needle servers

    Open Topics

    • Naming of the metal-stack chain elements, is needle and nail appropriate ?
    • Storage in the needle partition
    • S3 Object storage is considered as provided
    • AirGapped is out of scope for now
    • IP address ranges and families
    • Consider Autonomous Shoots for the needle seed
    • Take a look at: Description of a Microdatacenter
    +}

    TODO: LVM Volumes

    Logical View

    needle-control-plane-ha

    Physical View, minimal ha setup which is only suitable for 1 Seed and 1 Shoot

    needle-rack

    Physical View, bigger ha setup which is spread to two datacenters, capable to create 1 Seed with 3 nodes and 2 Shoots with 3 nodes each and still 2 waiting machines.

    needle-rack-big

    1. Partition

    The partition which is managed by the metal-stack needle can be a simple and small hardware setup but yet capable enough to host the metal-stack nail control plane. It can follow the metal-stack minimal setup which provides about 8-16 small servers connected to a 1G/s or 10G/s network dataplane. Central storage is optional as the persistence of the services running in these clusters is always backed up to a central object storage. Operations would be much easier if a central storage is provided.

    A seed must be created which is responsible for hosting the control planes of the shoots in this partition. The amount of shoots should be minimal, most of the time, two shoots, one for hosting gardener and one for metal-stack.

    needle-partition

    1. Network Diagram

    TODO: Where to connect the needle servers

    Nail

    nail is the metal-stack environment which serves for end user production use, the control plane is running in a shoot which in the needle and the seed(s) and shoot(s) for end users are created on the machines provided by this environment. These machines can be of a different type in terms of size, but more importantly, these machines are connected to another network dataplane. Also the management infrastructure is separated from the needle management.

    Failure Scenarios

    Everything could fail, everything will fail at some point. But this must kept in mind and nothing bad should happen if only one component at a time fails. If more than one fails, the restoration to a working state must be easily possible and well documented.

    We must ensure both. To ensure we have all possible breakages in mind, we collect a list of them here and explain what impact a certain failure have.

    Scenarioexpected outage
    kind cluster gonemanagement of needle infrastructure not possible anymore

    Open Topics

    • Naming of the metal-stack chain elements, is needle and nail appropriate ?
    • Storage in the needle partition
    • S3 Object storage is considered as provided
    • AirGapped is out of scope for now
    • IP address ranges and families
    • Consider Autonomous Shoots for the needle seed
    • Take a look at: Description of a Microdatacenter
    diff --git a/previews/PR235/installation/deployment/index.html b/previews/PR235/installation/deployment/index.html index 56062fc84b..6824399d14 100644 --- a/previews/PR235/installation/deployment/index.html +++ b/previews/PR235/installation/deployment/index.html @@ -314,4 +314,4 @@ mode: Always autoDetectionMethod: interface=lo typha: - enabled: false
  • For your seed cluster you will need to provide the provider secret for metal-stack containing the key metalAPIHMac, which is the API HMAC to grant editor access to the metal-api
  • Checkout our current provider configuration for infrastructure and control-plane before deploying your shoot
  • Tip

    We are officially supported by Gardener dashboard. The dashboard can also help you setting up some of the resources mentioned above.

    + enabled: false
  • For your seed cluster you will need to provide the provider secret for metal-stack containing the key metalAPIHMac, which is the API HMAC to grant editor access to the metal-api
  • Checkout our current provider configuration for infrastructure and control-plane before deploying your shoot
  • Tip

    We are officially supported by Gardener dashboard. The dashboard can also help you setting up some of the resources mentioned above.

    diff --git a/previews/PR235/installation/monitoring/index.html b/previews/PR235/installation/monitoring/index.html index b58647070e..e5ef5af218 100644 --- a/previews/PR235/installation/monitoring/index.html +++ b/previews/PR235/installation/monitoring/index.html @@ -1,2 +1,2 @@ -Monitoring · metal-stack

    Monitoring the metal-stack

    Overview

    Monitoring Stack

    Logging

    Logs are being collected by Promtail and pushed to a Loki instance running in the control plane. Loki is deployed in monolithic mode and with storage type 'filesystem'. You can find all logging related configuration parameters for the control plane in the control plane's logging role.

    In the partitions, Promtail is deployed inside a systemd-managed Docker container. Configuration parameters can be found in the partition's promtail role. Which hosts Promtail collects from can be configured via the prometheus_promtail_targets variable.

    Monitoring

    For monitoring we deploy the kube-prometheus-stack and a Thanos instance in the control plane. Metrics for the control plane are supplied by

    • metal-metrics-exporter
    • rethindb-exporter
    • event-exporter
    • gardener-metrics-exporter

    To query and visualize logs, metrics and alerts we deploy several grafana dashboards to the control plane:

    • grafana-dashboard-alertmanager
    • grafana-dashboard-machine-capacity
    • grafana-dashboard-metal-api
    • grafana-dashboard-rethinkdb
    • grafana-dashboard-sonic-exporter

    and also some gardener related dashboards:

    • grafana-dashboard-gardener-overview
    • grafana-dashboard-shoot-cluster
    • grafana-dashboard-shoot-customizations
    • grafana-dashboard-shoot-details
    • grafana-dashboard-shoot-states

    The following ServiceMonitors are also deployed:

    • gardener-metrics-exporter
    • ipam-db
    • masterdata-api
    • masterdata-db
    • metal-api
    • metal-db
    • rethinkdb-exporter
    • metal-metrics-exporter

    All monitoring related configuration parameters for the control plane can be found in the control plane's monitoring role.

    Partition metrics are supplied by

    • node-exporter
    • blackbox-exporter
    • ipmi-exporter
    • sonic-exporter
    • metal-core
    • frr-exporter

    and scraped by Prometheus. For each of these exporters, the target hosts can be defined by

    • prometheus_node_exporter_targets
    • prometheus_blackbox_exporter_targets
    • prometheus_frr_exporter_targets
    • prometheus_sonic_exporter_targets
    • prometheus_metal_core_targets
    • prometheus_frr_exporter_targets

    Alerting

    In addition to Grafana, alerts can optionally be sent to a Slack channel. For this to work, at least a valid monitoring_slack_api_url and a monitoring_slack_notification_channel must be specified. For further configuration parameters refer to the monitoring role. Alerting rules are defined in the rules directory of the partition's prometheus role.

    +Monitoring · metal-stack

    Monitoring the metal-stack

    Overview

    Monitoring Stack

    Logging

    Logs are being collected by Promtail and pushed to a Loki instance running in the control plane. Loki is deployed in monolithic mode and with storage type 'filesystem'. You can find all logging related configuration parameters for the control plane in the control plane's logging role.

    In the partitions, Promtail is deployed inside a systemd-managed Docker container. Configuration parameters can be found in the partition's promtail role. Which hosts Promtail collects from can be configured via the prometheus_promtail_targets variable.

    Monitoring

    For monitoring we deploy the kube-prometheus-stack and a Thanos instance in the control plane. Metrics for the control plane are supplied by

    • metal-metrics-exporter
    • rethindb-exporter
    • event-exporter
    • gardener-metrics-exporter

    To query and visualize logs, metrics and alerts we deploy several grafana dashboards to the control plane:

    • grafana-dashboard-alertmanager
    • grafana-dashboard-machine-capacity
    • grafana-dashboard-metal-api
    • grafana-dashboard-rethinkdb
    • grafana-dashboard-sonic-exporter

    and also some gardener related dashboards:

    • grafana-dashboard-gardener-overview
    • grafana-dashboard-shoot-cluster
    • grafana-dashboard-shoot-customizations
    • grafana-dashboard-shoot-details
    • grafana-dashboard-shoot-states

    The following ServiceMonitors are also deployed:

    • gardener-metrics-exporter
    • ipam-db
    • masterdata-api
    • masterdata-db
    • metal-api
    • metal-db
    • rethinkdb-exporter
    • metal-metrics-exporter

    All monitoring related configuration parameters for the control plane can be found in the control plane's monitoring role.

    Partition metrics are supplied by

    • node-exporter
    • blackbox-exporter
    • ipmi-exporter
    • sonic-exporter
    • metal-core
    • frr-exporter

    and scraped by Prometheus. For each of these exporters, the target hosts can be defined by

    • prometheus_node_exporter_targets
    • prometheus_blackbox_exporter_targets
    • prometheus_frr_exporter_targets
    • prometheus_sonic_exporter_targets
    • prometheus_metal_core_targets
    • prometheus_frr_exporter_targets

    Alerting

    In addition to Grafana, alerts can optionally be sent to a Slack channel. For this to work, at least a valid monitoring_slack_api_url and a monitoring_slack_notification_channel must be specified. For further configuration parameters refer to the monitoring role. Alerting rules are defined in the rules directory of the partition's prometheus role.

    diff --git a/previews/PR235/installation/troubleshoot/index.html b/previews/PR235/installation/troubleshoot/index.html index ee36cdf351..950576d5a8 100644 --- a/previews/PR235/installation/troubleshoot/index.html +++ b/previews/PR235/installation/troubleshoot/index.html @@ -32,4 +32,4 @@ deploy-control-plane | PLAY RECAP ********************************************************************* deploy-control-plane | localhost : ok=29 changed=4 unreachable=0 failed=1 skipped=7 rescued=0 ignored=0 deploy-control-plane | -deploy-control-plane exited with code 2

    Some home routers have a security feature that prevents DNS Servers to resolve anything in the router's local IP range (DNS-Rebind-Protection).

    You need to add an exception for nip.io in your router configuration or add 127.0.0.1 api.172.17.0.1.nip.io to your /etc/hosts.

    FritzBox

    Home Network -> Network -> Network Settings -> Additional Settings -> DNS Rebind Protection -> Host name exceptions -> nip.io

    Operations

    Fixing Machine Issues

    The metalctl machine issues command gives you an overview over machines in your metal-stack environment that are in an unusual state.

    Tip

    Machines that are known not to function properly, should be locked through metalctl machine lock and annotated with a description of the problem. This way, you can mark machine for replacement without being in danger of having a user allocating the faulty machine.

    In the following sections, you can look up the machine issues that are returned by metalctl and find out how to deal with them properly.

    no-event-container

    Every machine in the metal-stack database usually has a corresponding event container where provisioning events are stored. This database entity gets created lazily as soon as a machine is registered by the metal-hammer or a provisioning event for the machine arrives at the metal-api.

    When there is no event container, this means that the machine has never registered nor received a provisioning event. As an operator you should evaluate why this machine is not booting into the metal-hammer.

    This issue is special in a way that it prevents other issues from being evaluated for this machine because the issue calculation usually requires information from the machine event container.

    no-partition

    When a machine has no partition, the metal-hammer has not yet registered the machine at the metal-api. Instead, the machine was created through metal-stack's event machinery, which does not have a lot of information about a machine (e.g. a PXE boot event was reported from the pixiecore), or just by the metal-bmc which discovered the machine through DHCP.

    This can usually happen on the very first boot of a machine and the machine's hardware is not supported by metal-stack, leading to the metal-bmc being unable to report BMC details to the metal-api (a metal-bmc report sets the partition id of a machine) and the metal-hammer not finishing the machine registration phase.

    To resolve this issue, you need to identify the machine in your metal-stack partition that emits PXE boot events and find the reason why it is not properly booting into the metal-hammer. The console logs of this machine should enable you to find out the root cause.

    liveliness-dead

    For machines without an allocation, the metal-hammer consistently reports whether a machine is still being responsive or not. When the liveliness is Dead, there were no events received from this machine for longer than ~5 minutes.

    Reasons for this can be:

    Info

    In order to minimize maintenance overhead, a machine which is dead for longer than an hour will be rebooted through the metal-api.

    In case you want to prevent this action from happening for a machine, you can lock the machine through metalctl machine lock.

    If the machine is dead for a long time and you are sure that it will never come back, you can clean up the machine through metalctl machine rm --remove-from-database.

    liveliness-unknown

    For machines that are allocated by a user, the ownership has gone over to this user and as an operator you cannot access the machine anymore. This makes it harder to detect whether a machine is in a healthy state or not. Typically, all official metal-stack OS images deploy an LLDP daemon, that consistently emits alive messages. These messages are caught by the metal-core and turned into a Phoned Home event. Internally, the metal-api uses these events as an indicator to decide whether the machine is still responsive or not.

    When the LLDP daemon stopped sending packages, the reasons are identical to those of dead machines. However, it's not possible anymore to decide whether the user is responsible for reaching this state or not.

    In most of the cases, there is not much that can be done from the operator's perspective. You will need to wait for the user to report an issue with the machine. When you do support, you can use this issue type to quickly identify this machine.

    liveliness-not-available

    This is more of a theoretical issue. When the machine liveliness is not available check that the Kubernetes CronJob in the metal-stack control plane for evaluating the machine liveliness is running regularly and not containing error logs. Make the machine boot into the metal-hammer and this issue should not appear.

    failed-machine-reclaim

    If a machine remains in the Phoned Home state without having an allocation, this indicates that the metal-bmc was not able to put the machine back into PXE boot mode after metalctl machine rm. The machine is still running the operating system and it does not return back into the allocatable machine pool. Effectively, you lost a machine in your environment and no-one pays for it. Therefore, you should resolve this issue as soon as possible.

    In bad scenarios, when the machine was a firewall, the machine can still reach the internet through the PXE boot network and also attract traffic, which it cannot route anymore inside the tenant VRF. This can cause traffic loss inside a tenant network.

    In most of the cases, it should be sufficient to run another metalctl machine rm on this machine in order to retry booting into PXE mode. If this still does not succeed, you can boot the machine into the BIOS and manually and change the boot order to PXE boot. This should force booting the metal-hammer again and add the machine back into your pool of allocatable machines.

    For further reference, see metal-api#145.

    crashloop

    Under bad circumstances, a machine diverges from its typical machine lifecycle. When this happens, the internal state-machine of the metal-api detects that the machine reboots unexpectedly during the provisioning phase. It is likely that the machine has entered a crash loop where it PXE boots again and again without the machine ever becoming usable.

    Reasons for this can be:

    Please also consider console logs of the machine for investigating the issue.

    The incomplete cycle count is reset as soon as the machine reaches Phoned Home state or there is a Planned Reboot of the machine (planned reboot is also done by the metal-hammer once a day in order to reboot with the latest version).

    last-event-error

    The machine had an error during the provisioning lifecycle recently or events are arriving out of order at the metal-api. This can be an interesting hint for the operator that something during machine provisioning went wrong. You can look at the error through metalctl machine describe or metalctl machine logs.

    This error will disappear after a certain time period from machine issues. You can still look up the error as described above.

    asn-not-unique

    This issue was introduced by a bug in earlier versions of metal-stack and was fixed in PR105

    To resolve the issue, you need to recreate the firewalls that use the same ASN.

    bmc-without-mac

    The metal-bmc is responsible to report connection data for the machine's BMC.

    If it's uncapable of discovering this information, your hardware might not be supported. Please investigate the logs of the metal-bmc to find out what's going wrong with this machine.

    bmc-without-ip

    The metal-bmc is responsible to report connection data for the machine's BMC.

    If it's uncapable of discovering this information, your hardware might not be supported. Please investigate the logs of the metal-bmc to find out what's going wrong with this machine.

    bmc-no-distinct-ip

    The metal-bmc is responsible to report connection data for the machine's BMC.

    When there is no distinct IP address for the BMC, it can be that an orphaned machine used this IP in the past. In this case, you need to clean up the orphaned machine through metalctl machine rm --remove-from-database.

    bmc-info-outdated

    The metal-bmc is responsible to report bmc details for the machine's BMC.

    When the metal-bmc was not able to fetch the bmc info for longer than 20 minutes, something is wrong with the BMC configuration of the machine. This can be caused by one of the following reasons:

    In either case, please check the logs for the given machine UUID on the metal-bmc for further details. Also check that the metal-bmc is configured to only consider BMC IPs in the range they are configured from the DHCP server in the partition. This prevents grabbing unrelated BMCs.

    A machine has registered with a different UUID after reboot

    metal-stack heavily relies on steady machine UUIDs as the UUID is the primary key of the machine entity in the metal-api.

    For further reference also see metal-stack/metal-hammer#52.

    Reasons

    There are some scenarios (can be vendor-specific), which can cause a machine UUID to change over time, e.g.:

    Solution

    1. After five minutes, the orphaned machine UUID will be marked dead (💀) because machine events will be sent only to the most recent UUID
    2. Identify the dead machine through metalctl machine ls
    3. Remove the dead machine forcefully with metalctl machine rm --remove-from-database --yes-i-really-mean-it <uuid>

    Fixing Switch Issues

    switch-sync-failing

    For your network infrastructure it is key to adapt to new configuration. In case this sync process fails for more than 10 minutes, it is likely to require manual investigation.

    Depending on your switch operating system, the error sources might differ a lot. Try to connect to your switch using the console or ssh and investigate the logs. Check if the hard drive is full.

    Switch Replacement and Migration

    There are two mechanisms to replace an existing switch with a new one, both of which will transfer existing VRF configuration and machine connections from one switch to another. Due to the redundance of the CLOS topology, a switch replacement can be performed without downtime.

    Replacing a Switch

    If the new switch should have the same ID as the old one you should perform a switch replacement. To find detailed information about the procedure of a switch replacement use metalctl switch replace --help. Basically, what you need to do is mark the switch for replacement via metalctl switch replace, then physically replace the switch with the new one and configure it. The last step is to deploy metal-core on the switch. Once metal-core registers the new switch at the metal-api, the old switches configuration and machine connections will be transferred to the new one. Note that the replacement only works if the new switch has the same ID as the old one. Otherwise metal-core will simply register a new switch and leave the old one untouched.

    Migrating from one Switch to another

    If the new switch should not or cannot have the same ID as the old one, then the switch migrate command can be used to achieve the same result as a switch replacement. Perform the following steps:

    1. Leave the old switch in place.
    2. Install the new switch in the rack without connecting it to any machines yet.
    3. Adjust the metal-stack deployment in the same way as for a switch replacement.
    4. Deploy metal-core on the new switch and wait for it to register at the metal-api. Once the switch is registered it will be listed when you run metalctl switch ls.
    5. Run metalctl switch migrate <old-switch-id> <new-switch-id>.
    6. Disconnect all machines from the old switch and connect them to the new one.

    In between steps 5 and 6 there is a mismatch between the switch-machine-connections known to the metal-api and the real connections. Since the metal-api learns about the connections from what a machine reports during registration, a machine registration that occurs in between steps 5 and 6 will result in a condition that looks somewhat broken. The metal-api will think that a machine is connected to three switches. This, however, should not cause any problems. Just move on to step 6 and delete the old switch from the metal-api afterwards. If the case just described really occurs, then metalctl switch delete <old-switch-id> will throw an error, because deleting a switch with existing machine connections might be dangerous. If, apart from that, the migration was successful, then the old switch can be safely deleted with metalctl switch delete <old-switch-id> --force.

    Preconditions for Migration and Replacement

    An invariant that must be satisfied throughout is that the switch ports a machine is connected to must match, i.e. a machine connected to Ethernet0 on switch 1 must be connected to Ethernet0 on switch 2 etc. Furthermore, the breakout configurations of both switches must match and the new switch must contain at least all of the old switch's interfaces.

    Migrating from Cumulus to Edgecore SONiC

    Both migration and replacement can be used to move from Cumulus to Edgecore SONiC (or vice versa). Migrating to or from Broadcom SONiC or mixing Broadcom SONiC with Cumulus or Edgecore SONiC is not supported.

    +deploy-control-plane exited with code 2

    Some home routers have a security feature that prevents DNS Servers to resolve anything in the router's local IP range (DNS-Rebind-Protection).

    You need to add an exception for nip.io in your router configuration or add 127.0.0.1 api.172.17.0.1.nip.io to your /etc/hosts.

    FritzBox

    Home Network -> Network -> Network Settings -> Additional Settings -> DNS Rebind Protection -> Host name exceptions -> nip.io

    Operations

    Fixing Machine Issues

    The metalctl machine issues command gives you an overview over machines in your metal-stack environment that are in an unusual state.

    Tip

    Machines that are known not to function properly, should be locked through metalctl machine lock and annotated with a description of the problem. This way, you can mark machine for replacement without being in danger of having a user allocating the faulty machine.

    In the following sections, you can look up the machine issues that are returned by metalctl and find out how to deal with them properly.

    no-event-container

    Every machine in the metal-stack database usually has a corresponding event container where provisioning events are stored. This database entity gets created lazily as soon as a machine is registered by the metal-hammer or a provisioning event for the machine arrives at the metal-api.

    When there is no event container, this means that the machine has never registered nor received a provisioning event. As an operator you should evaluate why this machine is not booting into the metal-hammer.

    This issue is special in a way that it prevents other issues from being evaluated for this machine because the issue calculation usually requires information from the machine event container.

    no-partition

    When a machine has no partition, the metal-hammer has not yet registered the machine at the metal-api. Instead, the machine was created through metal-stack's event machinery, which does not have a lot of information about a machine (e.g. a PXE boot event was reported from the pixiecore), or just by the metal-bmc which discovered the machine through DHCP.

    This can usually happen on the very first boot of a machine and the machine's hardware is not supported by metal-stack, leading to the metal-bmc being unable to report BMC details to the metal-api (a metal-bmc report sets the partition id of a machine) and the metal-hammer not finishing the machine registration phase.

    To resolve this issue, you need to identify the machine in your metal-stack partition that emits PXE boot events and find the reason why it is not properly booting into the metal-hammer. The console logs of this machine should enable you to find out the root cause.

    liveliness-dead

    For machines without an allocation, the metal-hammer consistently reports whether a machine is still being responsive or not. When the liveliness is Dead, there were no events received from this machine for longer than ~5 minutes.

    Reasons for this can be:

    Info

    In order to minimize maintenance overhead, a machine which is dead for longer than an hour will be rebooted through the metal-api.

    In case you want to prevent this action from happening for a machine, you can lock the machine through metalctl machine lock.

    If the machine is dead for a long time and you are sure that it will never come back, you can clean up the machine through metalctl machine rm --remove-from-database.

    liveliness-unknown

    For machines that are allocated by a user, the ownership has gone over to this user and as an operator you cannot access the machine anymore. This makes it harder to detect whether a machine is in a healthy state or not. Typically, all official metal-stack OS images deploy an LLDP daemon, that consistently emits alive messages. These messages are caught by the metal-core and turned into a Phoned Home event. Internally, the metal-api uses these events as an indicator to decide whether the machine is still responsive or not.

    When the LLDP daemon stopped sending packages, the reasons are identical to those of dead machines. However, it's not possible anymore to decide whether the user is responsible for reaching this state or not.

    In most of the cases, there is not much that can be done from the operator's perspective. You will need to wait for the user to report an issue with the machine. When you do support, you can use this issue type to quickly identify this machine.

    liveliness-not-available

    This is more of a theoretical issue. When the machine liveliness is not available check that the Kubernetes CronJob in the metal-stack control plane for evaluating the machine liveliness is running regularly and not containing error logs. Make the machine boot into the metal-hammer and this issue should not appear.

    failed-machine-reclaim

    If a machine remains in the Phoned Home state without having an allocation, this indicates that the metal-bmc was not able to put the machine back into PXE boot mode after metalctl machine rm. The machine is still running the operating system and it does not return back into the allocatable machine pool. Effectively, you lost a machine in your environment and no-one pays for it. Therefore, you should resolve this issue as soon as possible.

    In bad scenarios, when the machine was a firewall, the machine can still reach the internet through the PXE boot network and also attract traffic, which it cannot route anymore inside the tenant VRF. This can cause traffic loss inside a tenant network.

    In most of the cases, it should be sufficient to run another metalctl machine rm on this machine in order to retry booting into PXE mode. If this still does not succeed, you can boot the machine into the BIOS and manually and change the boot order to PXE boot. This should force booting the metal-hammer again and add the machine back into your pool of allocatable machines.

    For further reference, see metal-api#145.

    crashloop

    Under bad circumstances, a machine diverges from its typical machine lifecycle. When this happens, the internal state-machine of the metal-api detects that the machine reboots unexpectedly during the provisioning phase. It is likely that the machine has entered a crash loop where it PXE boots again and again without the machine ever becoming usable.

    Reasons for this can be:

    Please also consider console logs of the machine for investigating the issue.

    The incomplete cycle count is reset as soon as the machine reaches Phoned Home state or there is a Planned Reboot of the machine (planned reboot is also done by the metal-hammer once a day in order to reboot with the latest version).

    last-event-error

    The machine had an error during the provisioning lifecycle recently or events are arriving out of order at the metal-api. This can be an interesting hint for the operator that something during machine provisioning went wrong. You can look at the error through metalctl machine describe or metalctl machine logs.

    This error will disappear after a certain time period from machine issues. You can still look up the error as described above.

    asn-not-unique

    This issue was introduced by a bug in earlier versions of metal-stack and was fixed in PR105

    To resolve the issue, you need to recreate the firewalls that use the same ASN.

    bmc-without-mac

    The metal-bmc is responsible to report connection data for the machine's BMC.

    If it's uncapable of discovering this information, your hardware might not be supported. Please investigate the logs of the metal-bmc to find out what's going wrong with this machine.

    bmc-without-ip

    The metal-bmc is responsible to report connection data for the machine's BMC.

    If it's uncapable of discovering this information, your hardware might not be supported. Please investigate the logs of the metal-bmc to find out what's going wrong with this machine.

    bmc-no-distinct-ip

    The metal-bmc is responsible to report connection data for the machine's BMC.

    When there is no distinct IP address for the BMC, it can be that an orphaned machine used this IP in the past. In this case, you need to clean up the orphaned machine through metalctl machine rm --remove-from-database.

    bmc-info-outdated

    The metal-bmc is responsible to report bmc details for the machine's BMC.

    When the metal-bmc was not able to fetch the bmc info for longer than 20 minutes, something is wrong with the BMC configuration of the machine. This can be caused by one of the following reasons:

    In either case, please check the logs for the given machine UUID on the metal-bmc for further details. Also check that the metal-bmc is configured to only consider BMC IPs in the range they are configured from the DHCP server in the partition. This prevents grabbing unrelated BMCs.

    A machine has registered with a different UUID after reboot

    metal-stack heavily relies on steady machine UUIDs as the UUID is the primary key of the machine entity in the metal-api.

    For further reference also see metal-stack/metal-hammer#52.

    Reasons

    There are some scenarios (can be vendor-specific), which can cause a machine UUID to change over time, e.g.:

    Solution

    1. After five minutes, the orphaned machine UUID will be marked dead (💀) because machine events will be sent only to the most recent UUID
    2. Identify the dead machine through metalctl machine ls
    3. Remove the dead machine forcefully with metalctl machine rm --remove-from-database --yes-i-really-mean-it <uuid>

    Fixing Switch Issues

    switch-sync-failing

    For your network infrastructure it is key to adapt to new configuration. In case this sync process fails for more than 10 minutes, it is likely to require manual investigation.

    Depending on your switch operating system, the error sources might differ a lot. Try to connect to your switch using the console or ssh and investigate the logs. Check if the hard drive is full.

    Switch Replacement and Migration

    There are two mechanisms to replace an existing switch with a new one, both of which will transfer existing VRF configuration and machine connections from one switch to another. Due to the redundance of the CLOS topology, a switch replacement can be performed without downtime.

    Replacing a Switch

    If the new switch should have the same ID as the old one you should perform a switch replacement. To find detailed information about the procedure of a switch replacement use metalctl switch replace --help. Basically, what you need to do is mark the switch for replacement via metalctl switch replace, then physically replace the switch with the new one and configure it. The last step is to deploy metal-core on the switch. Once metal-core registers the new switch at the metal-api, the old switches configuration and machine connections will be transferred to the new one. Note that the replacement only works if the new switch has the same ID as the old one. Otherwise metal-core will simply register a new switch and leave the old one untouched.

    Migrating from one Switch to another

    If the new switch should not or cannot have the same ID as the old one, then the switch migrate command can be used to achieve the same result as a switch replacement. Perform the following steps:

    1. Leave the old switch in place.
    2. Install the new switch in the rack without connecting it to any machines yet.
    3. Adjust the metal-stack deployment in the same way as for a switch replacement.
    4. Deploy metal-core on the new switch and wait for it to register at the metal-api. Once the switch is registered it will be listed when you run metalctl switch ls.
    5. Run metalctl switch migrate <old-switch-id> <new-switch-id>.
    6. Disconnect all machines from the old switch and connect them to the new one.

    In between steps 5 and 6 there is a mismatch between the switch-machine-connections known to the metal-api and the real connections. Since the metal-api learns about the connections from what a machine reports during registration, a machine registration that occurs in between steps 5 and 6 will result in a condition that looks somewhat broken. The metal-api will think that a machine is connected to three switches. This, however, should not cause any problems. Just move on to step 6 and delete the old switch from the metal-api afterwards. If the case just described really occurs, then metalctl switch delete <old-switch-id> will throw an error, because deleting a switch with existing machine connections might be dangerous. If, apart from that, the migration was successful, then the old switch can be safely deleted with metalctl switch delete <old-switch-id> --force.

    Preconditions for Migration and Replacement

    An invariant that must be satisfied throughout is that the switch ports a machine is connected to must match, i.e. a machine connected to Ethernet0 on switch 1 must be connected to Ethernet0 on switch 2 etc. Furthermore, the breakout configurations of both switches must match and the new switch must contain at least all of the old switch's interfaces.

    Migrating from Cumulus to Edgecore SONiC

    Both migration and replacement can be used to move from Cumulus to Edgecore SONiC (or vice versa). Migrating to or from Broadcom SONiC or mixing Broadcom SONiC with Cumulus or Edgecore SONiC is not supported.

    diff --git a/previews/PR235/installation/updates/index.html b/previews/PR235/installation/updates/index.html index 3897261728..52926c8d78 100644 --- a/previews/PR235/installation/updates/index.html +++ b/previews/PR235/installation/updates/index.html @@ -1,2 +1,2 @@ -Releases and Updates · metal-stack

    Releases and Updates

    Your are currently reading the documentation for the metal-stack master release.

    Releases and integration tests are published through our release repository. You can also find the release notes for this metal-stack version in there. The release notes contain information about new features, upgrade paths and bug fixes.

    A release is created in the following way:

    • Individual repository maintainers within the metal-stack Github Org can publish a release of their component.
    • This release is automatically pushed to the develop branch of the release repository by the metal-robot.
    • The push triggers a small release integration test through the mini-lab.
    • To contribute components that are not directly part of the release vector, a pull request must be made against the develop branch of the release repository. Release maintainers may push directly to the develop branch.
    • The release maintainers can /freeze the develop branch, effectively stopping the metal-robot from pushing component releases to this branch.
    • The develop branch is tagged by a release maintainer with a -rc.x suffix to create a release candidate.
    • The release candidate must pass a large integration test suite on a real environment, which is currently run by FI-TS. It tests the entire machine provisioning engine including the integration with Gardener, the deployment, metal-images and Kubernetes conformance tests.
    • If the integration tests pass, the PR of the develop branch must be approved by at least two release maintainers.
    • A release is created via Github releases, including all release notes, with a tag on the main branch.

    If you want, you can sign up at our Slack channel where we are announcing every new release. Often, we provide additional information for metal-stack administrators and adopters at this place, too.

    Update Policy

    For new features and breaking changes we create a new minor release of metal-stack. For every minor release we present excerpts of the changes in a corresponding blog article published on metal-stack.io.

    It is not strictly necessary to cycle through the patch releases if you depend on the pure metal-stack components. However, it is important to go through all the patch releases and apply all required actions from the release notes. Therefore, we recommend to just install every patch release one by one in order to minimize possible problems during the update process.

    In case you depend on the Gardener integration, especially when using metal-stack roles for deploying Gardener, we strongly recommend installing every patch release version. We increment our Gardener dependency version by version following the Gardener update policy. Jumping versions may lead to severe problems with the installation and should only be done if you really know what you are doing.

    Info

    If you use the Gardener integration of metal-stack do not skip any patch releases. You may skip patch releases if you depend on metal-stack only, but we recommend to just deploy every patch release one by one for the best possible upgrade experience.

    +Releases and Updates · metal-stack

    Releases and Updates

    Your are currently reading the documentation for the metal-stack master release.

    Releases and integration tests are published through our release repository. You can also find the release notes for this metal-stack version in there. The release notes contain information about new features, upgrade paths and bug fixes.

    A release is created in the following way:

    • Individual repository maintainers within the metal-stack Github Org can publish a release of their component.
    • This release is automatically pushed to the develop branch of the release repository by the metal-robot.
    • The push triggers a small release integration test through the mini-lab.
    • To contribute components that are not directly part of the release vector, a pull request must be made against the develop branch of the release repository. Release maintainers may push directly to the develop branch.
    • The release maintainers can /freeze the develop branch, effectively stopping the metal-robot from pushing component releases to this branch.
    • The develop branch is tagged by a release maintainer with a -rc.x suffix to create a release candidate.
    • The release candidate must pass a large integration test suite on a real environment, which is currently run by FI-TS. It tests the entire machine provisioning engine including the integration with Gardener, the deployment, metal-images and Kubernetes conformance tests.
    • If the integration tests pass, the PR of the develop branch must be approved by at least two release maintainers.
    • A release is created via Github releases, including all release notes, with a tag on the main branch.

    If you want, you can sign up at our Slack channel where we are announcing every new release. Often, we provide additional information for metal-stack administrators and adopters at this place, too.

    Update Policy

    For new features and breaking changes we create a new minor release of metal-stack. For every minor release we present excerpts of the changes in a corresponding blog article published on metal-stack.io.

    It is not strictly necessary to cycle through the patch releases if you depend on the pure metal-stack components. However, it is important to go through all the patch releases and apply all required actions from the release notes. Therefore, we recommend to just install every patch release one by one in order to minimize possible problems during the update process.

    In case you depend on the Gardener integration, especially when using metal-stack roles for deploying Gardener, we strongly recommend installing every patch release version. We increment our Gardener dependency version by version following the Gardener update policy. Jumping versions may lead to severe problems with the installation and should only be done if you really know what you are doing.

    Info

    If you use the Gardener integration of metal-stack do not skip any patch releases. You may skip patch releases if you depend on metal-stack only, but we recommend to just deploy every patch release one by one for the best possible upgrade experience.

    diff --git a/previews/PR235/objects.inv b/previews/PR235/objects.inv index 87f0e6615a..0d562c7c20 100644 Binary files a/previews/PR235/objects.inv and b/previews/PR235/objects.inv differ diff --git a/previews/PR235/overview/architecture/index.html b/previews/PR235/overview/architecture/index.html index 1e59a35dca..f026f6b488 100644 --- a/previews/PR235/overview/architecture/index.html +++ b/previews/PR235/overview/architecture/index.html @@ -1,4 +1,4 @@ Architecture · metal-stack

    Architecture

    The metal-stack is a compound of microservices predominantly written in Golang.

    This page gives you an overview over which microservices exist, how they communicate with each other and where they are deployed.

    Target Deployment Platforms

    For our environments, we chose to deploy the metal-stack into a Kubernetes cluster. This means that also our entire installation was developed for metal-stack being run on Kubernetes. Running applications on Kubernetes gives you a lot of benefits regarding ease-of-deployment, scalability, reliability and so on.

    However, very early we decided that we do not want to depend on technical Kubernetes functionality with our software (i.e. we did not implement the stack "kube-native" by using controllers and Kubernetes CRDs and things like that). With the following paragraph we want to point out the reasoning behind this "philosophical" decision that may sound conservative at first glance. But not relying on Kubernetes technology:

    • Makes deployments of the stack without Kubernetes theoretically possible.
      • We believe that cloud providers should be able to act beneath Kubernetes
      • This way it is possible to use metal-stack for providing your own Kubernetes offering without relying on Kubernetes yourself (breaks the chicken-egg problem)
    • Follows an important claim in microservice development: "Be agnostic to your choice of technology"
      • For applications that are purely made for being run on Kubernetes, it does not matter to rely on this technology (we even do the same a lot with our applications that integrate the metal-stack with Gardener) but as soon as you start using things like the underlying reconciliation abilities (which admittedly are fanstatic) you are locking your code into a certain technology
      • We don't know what comes after Kubernetes but we believe that a cloud offering should have the potential to survive a choice of technology
      • By this decision we ensured that we can migrate the stack to another future technology and survive the change

    One more word towards determining the location for your metal control plane: It is not strictly required to run the control plane inside the same data center as your servers. It even makes sense not to do so because this way you can place your control plane and your servers into a different failure domains, which makes your installation more robust to data center meltdown. Externally hosting the control plane brings you up and running quickly plus having the advantage of higher security through geo-distribution.

    Metal Control Plane

    The foundation of the metal-stack is what we call the metal control plane.

    The control plane contains a couple of essential microservices for the metal-stack including:

    • metal-api The API to manage control plane resources like machines, switches, operating system images, machine sizes, networks, IP addresses and more. The exposed API is an old-fashioned REST API with different authentication methods. The metal-api stores the state of these entities in a RethinkDB database. The metal-api also has its own IP address management (go-ipam), which writes IP address and network allocations into a PostgreSQL backend.
    • masterdata-api Manages tenant and project entities, which can be described as entities used for company-specific resource separation and grouping. Having these "higher level entities" managed by a separate microservice was a design choice that allows to re-use the information by other microservices without having them to know the metal-api at all. The masterdata gets persisted in a dedicated PostgreSQL database.
    • metal-console Provides access for users to a machine's serial console via SSH. It can be seen as an optional component.
    • nsq A message queuing system (not developed by the metal-stack) used for decoupling microservices and distributing tasks.

    The following figure shows the relationships between these microservices:

    Metal Control Plane

    Figure 1: The metal control plane deployed in a Kubernetes environment with an ingress-controller exposing additional services via service exposal.

    Some notes on this picture:

    • Users can access the metal-api with the CLI client called metalctl.
    • You can programmatically access the metal-api with client libraries (e.g. metal-go).
    • Our databases are wrapped in a specially built backup-restore-sidecar, which is consistently backing up the databases in external blob storage.
    • The metal-api can be scaled out using replicas when being deployed in Kubernetes.

    Partitions

    A partition is our term for describing hardware in the data center controlled by the metal-stack with all the hardware participating in the same network topology. Being in the same network topology causes the hardware inside a partition to build a failure domain. Even though the network topology for running the metal-stack is required to be redundant by design, you should consider setting up multiple partitions. With multiple partitions it is possible for users to maintain availability of their applications by spreading them across the partitions. Installing partitions in multiple data centers would be even better in regards of fail-safe application performance, which would even tolerate the meltdown of a data center.

    Tip

    In our setups, we encode the name of a region and a zone name into our partition names. However, we do not have dedicated entities for regions and zones in our APIs.

    A region is a geographic area in which data centers are located.

    Zones are geographic locations in a region usually in different fire compartments. Regions can consist of several zones.

    A zone can consist of several partitions. Usually, a partition spans a rack or a group of racks.

    We strongly advise to group your hardware into racks that are specifically assembled for running metal-stack. When using modular rack design, the amount of compute resources of a partition can easily be extended by adding more racks to your partition.

    Info

    The hardware that we currently support to be placed inside a partition is described in the hardware document.

    Info

    How large you can grow your partitions and how the network topology inside a partition looks like is described in the networking document.

    The metal-stack has microservices running on the leaf switches in a partition. For this reason, your leaf switches are required to run a Linux distribution that you have full access to. Additionally, there are a servers not added to the pool of user-allocatable machines, which are instead required for running metal-stack and we call them management servers. We also call the entirety of switches inside a partition the switch plane.

    The microservices running inside a partition are:

    • metal-hammer (runs on a server when not allocated by user, often referred to as discovery image) An initrd, which is booted up in PXE mode, preparing and registering a machine. When a user allocates a machine, the metal-hammer will install the target operating system on this machine and kexec into the new operating system kernel.
    • metal-core (runs on leaf switches) Dynamically configures the leaf switch from information provided by the metal-api. It also proxies requests from the metal-hammer to the metal-api including publishment of machine lifecycle events and machine registration requests.
    • pixiecore (preferably runs on management servers, forked by metal-stack) Provides the capability of PXE booting servers in the PXE boot network.
    • metal-bmc (runs on management servers) Reports the ip addresses that are leased to ipmi devices together with their machine uuids to the metal-api. This provides machine discovery in the partition machines and keeps all IPMI interface access data up-to-date. Also forwards metal-console requests to the actual machine, allowing user access to the machine's serial console. Furthermore it processes firmware updates and power on/off, led on/off, boot order changes.

    Partition

    Figure 2: Simplified illustration of services running inside a partition.

    Some notes on this picture:

    • This figure is slightly simplified. The switch plane consists of spine switches, exit routers, management firewalls and a bastion router with more software components deployed on these entities. Please refer to the networking document to see the full overview over the switch plane.
    • The image-cache is an optional component consisting of multiple services to allow caching images from the public image store inside a partition. This brings increased download performance on machine allocation and increases independence of a partition on the internet connection.

    Complete View

    The following figure shows several partitions connected to a single metal control plane. Of course, it is also possible to have multiple metal control planes, which can be useful for staging.

    metal-stack

    Figure 3: Reduced view on the communication between the metal control plane and multiple partitions.

    Some notes on this picture:

    • By design, a partition only has very few ports open for incoming-connections from the internet. This contributes to a smaller attack surface and higher security of your infrastructure.
    • With the help of NSQ, it is not required to have connections from the metal control plane to the metal-core. The metal-core instances register at the message bus and can then consume partition-specific topics, e.g. when a machine deletion gets issued by a user.

    Machine Provisioning Sequence

    The following sequence diagram illustrates some of the main principles of the machine provisioning lifecycle.

    provisioning sequence

    Figure 4: Sequence diagram of the machine provisioning sequence.

    Here is a video showing a screen capture of a machine's serial console while running the metal-hammer in "wait mode". Then, a user allocates the machine and the metal-hammer installs the target operating system and the machine boots into the new operating system kernel via the kexec system call.

    -

    Offline Resilience

    It is possible to use metal-stack without any external network dependencies by integrating your own DNS and NTP configuration into the stack. This feature is great for workloads requiring strong independence and reliability. Even in case of an internet connection failure, your infrastructure remains operational. Existing machines do not encounter any downtime as well as new machines can be provisioned. All you need to have in place is a DNS and NTP server configured and accessible for metal-stack.

    NTP servers need to be configured on the pixiecore and the metal-hammer microservices. This can be achieved by providing a list of NTP servers with the following Ansible variable through metal-roles:

    pixiecore_metal_hammer_ntp_servers: []

    In the background, the pixiecore is taking the NTP servers and passing it via the MetalConfig to the metal-hammer. When booting bare-metal servers, the metal-hammer needs to configure NTP servers. It recognises the ones from the MetalConfig and configures itself accordingly. If no NTP servers are passed along, the following standard servers are used:

    • 0.de.pool.ntp.org
    • 1.de.pool.ntp.org
    • 2.de.pool.ntp.org

    Moreover, machine and firewall images need to be configured with your custom DNS and NTP servers. The customisation can be made via the fields ntp_servers an dns_servers and specifying a list of servers in the creation request for the machine or firewall.

    Within a partition default values for DNS and NTP servers can be configured. They are applied to all machines and firewalls within this partition, but can be replaced by specifying different ones inside the machine allocation request.

    Thus, for creating a partition as well as a machine or a firewall, the flags dnsservers and ntpservers can be provided within the metalctl command.

    In order to be fully offline resilient, make sure to check out metal-image-cache-sync. This component provides copies of metal-images, metal-kernel and metal-hammer.

    This feature is related to MEP14.

    +

    Offline Resilience

    It is possible to use metal-stack without any external network dependencies by integrating your own DNS and NTP configuration into the stack. This feature is great for workloads requiring strong independence and reliability. Even in case of an internet connection failure, your infrastructure remains operational. Existing machines do not encounter any downtime as well as new machines can be provisioned. All you need to have in place is a DNS and NTP server configured and accessible for metal-stack.

    NTP servers need to be configured on the pixiecore and the metal-hammer microservices. This can be achieved by providing a list of NTP servers with the following Ansible variable through metal-roles:

    pixiecore_metal_hammer_ntp_servers: []

    In the background, the pixiecore is taking the NTP servers and passing it via the MetalConfig to the metal-hammer. When booting bare-metal servers, the metal-hammer needs to configure NTP servers. It recognises the ones from the MetalConfig and configures itself accordingly. If no NTP servers are passed along, the following standard servers are used:

    Moreover, machine and firewall images need to be configured with your custom DNS and NTP servers. The customisation can be made via the fields ntp_servers an dns_servers and specifying a list of servers in the creation request for the machine or firewall.

    Within a partition default values for DNS and NTP servers can be configured. They are applied to all machines and firewalls within this partition, but can be replaced by specifying different ones inside the machine allocation request.

    Thus, for creating a partition as well as a machine or a firewall, the flags dnsservers and ntpservers can be provided within the metalctl command.

    In order to be fully offline resilient, make sure to check out metal-image-cache-sync. This component provides copies of metal-images, metal-kernel and metal-hammer.

    This feature is related to MEP14.

    diff --git a/previews/PR235/overview/comparison/index.html b/previews/PR235/overview/comparison/index.html index cc08dd321f..40a00c649e 100644 --- a/previews/PR235/overview/comparison/index.html +++ b/previews/PR235/overview/comparison/index.html @@ -1,2 +1,2 @@ -Comparison · metal-stack

    Comparison with Commercial Solutions

    As metal-stack is the foundation to build Kubernetes clusters on premise on bare metal, there are several commercial solutions available which offer management of Kubernetes. In this document we describe the differences between some of the most popular solutions. It´s is not a complete list.

    Comparison between Gardener on Metal Stack and Openshift running on VMWare.

    Gardener

    Gardener is a Kubernetes cluster manager to organize a fleet of Kubernetes clusters at scale. It is designed to scale to thousands of clusters at a variety of IaaS Providers regardless where - in the cloud or on premise, virtualized or bare metal. It not only manages the creation and deletion of Kubernetes clusters, it also takes care of updating or upgrading Kubernetes and the operating system of the involved worker nodes in a automatic manner. Gardener is designed cloud-native and as such, it defines clusters, workers and all other components as Kubernetes resources (like pods and deployments) and reconciles these resources to the desired state.

    Kubernetes

    Kubernetes is the de facto open-source standard for container scheduling and orchestration in the data center.

    Openshift

    A fork of Kubernetes with proprietary addons, created by RedHat. For all details see: https://en.wikipedia.org/wiki/OpenShift.

    metal-stack

    Is an IaaS provider for bare metal focused to create Kubernetes cluster on premise. Gardener support is built in.

    VMWare

    The most used virtualization technology in the enterprise data centers.

    Comparison of Gardener on Metal Stack vs. Openshift on VMWare

    FeatureGardener on Metal StackOpenshift on VMWare
    Container Runtimedocker, containerd, gvisorcri-o
    Host Operating SystemUbuntu, Debian , also see OSRHEL, Fedora-Core
    Network PluginsCalico, Cilium(soon)Openshift SDN
    StorageLocal NVME, Lightbits NVMEoTCP, all CSI compatible Solutions, also see StorageCSI compatible
    LoadbalancingBGP built inrequires extra HW like F5, VMWare NSX
    IO at Native SpeedPods run on bare metalall IO must go through the Hypervisor
    Hard MultitenancyWorkers, firewall and load balancers are dedicated for every cluster on bare metalShared virtualization hosts, shared load balancers
    UIGardener DashboardOpenshift Console
    Multi-cluster managementYes (through Gardener)Requires extra licences SW: Redhat Advanced Cluster Manager
    Automatic Kubernetes UpdatesYesYes
    Automatic Worker Nodes UpdatesYesYes
    Supported IaaS ProvidersGCP, AWS, Azure, Alibaba, Openstack, VMWare, metal-stack and moreGCP, AWS, Azure Openstack, VMWare
    Monitoring / Logging StackGrafana/Loki, Kibana/ElasticKibana/Elastic
    GitOPSTool of choice via Helm InstallOpenshift GitOPS
    Container Registryall public accessible registries, private deployed registry of choiceall public accessible registries, in cluster registry
    CI/CDTool of choice via Helm InstallJenkins
    SecurityK8s control plane isolated from tenant, PSP enabled by defaultStrong cluster defaults
    CNCF Kubernetes certifiedYes (Gardener)Yes
    Local developmentminikube, kindminishift
    Proprietary extensionsNoDeploymentConfig and others
    kubectl accessYesYes
    +Comparison · metal-stack

    Comparison with Commercial Solutions

    As metal-stack is the foundation to build Kubernetes clusters on premise on bare metal, there are several commercial solutions available which offer management of Kubernetes. In this document we describe the differences between some of the most popular solutions. It´s is not a complete list.

    Comparison between Gardener on Metal Stack and Openshift running on VMWare.

    Gardener

    Gardener is a Kubernetes cluster manager to organize a fleet of Kubernetes clusters at scale. It is designed to scale to thousands of clusters at a variety of IaaS Providers regardless where - in the cloud or on premise, virtualized or bare metal. It not only manages the creation and deletion of Kubernetes clusters, it also takes care of updating or upgrading Kubernetes and the operating system of the involved worker nodes in a automatic manner. Gardener is designed cloud-native and as such, it defines clusters, workers and all other components as Kubernetes resources (like pods and deployments) and reconciles these resources to the desired state.

    Kubernetes

    Kubernetes is the de facto open-source standard for container scheduling and orchestration in the data center.

    Openshift

    A fork of Kubernetes with proprietary addons, created by RedHat. For all details see: https://en.wikipedia.org/wiki/OpenShift.

    metal-stack

    Is an IaaS provider for bare metal focused to create Kubernetes cluster on premise. Gardener support is built in.

    VMWare

    The most used virtualization technology in the enterprise data centers.

    Comparison of Gardener on Metal Stack vs. Openshift on VMWare

    FeatureGardener on Metal StackOpenshift on VMWare
    Container Runtimedocker, containerd, gvisorcri-o
    Host Operating SystemUbuntu, Debian , also see OSRHEL, Fedora-Core
    Network PluginsCalico, Cilium(soon)Openshift SDN
    StorageLocal NVME, Lightbits NVMEoTCP, all CSI compatible Solutions, also see StorageCSI compatible
    LoadbalancingBGP built inrequires extra HW like F5, VMWare NSX
    IO at Native SpeedPods run on bare metalall IO must go through the Hypervisor
    Hard MultitenancyWorkers, firewall and load balancers are dedicated for every cluster on bare metalShared virtualization hosts, shared load balancers
    UIGardener DashboardOpenshift Console
    Multi-cluster managementYes (through Gardener)Requires extra licences SW: Redhat Advanced Cluster Manager
    Automatic Kubernetes UpdatesYesYes
    Automatic Worker Nodes UpdatesYesYes
    Supported IaaS ProvidersGCP, AWS, Azure, Alibaba, Openstack, VMWare, metal-stack and moreGCP, AWS, Azure Openstack, VMWare
    Monitoring / Logging StackGrafana/Loki, Kibana/ElasticKibana/Elastic
    GitOPSTool of choice via Helm InstallOpenshift GitOPS
    Container Registryall public accessible registries, private deployed registry of choiceall public accessible registries, in cluster registry
    CI/CDTool of choice via Helm InstallJenkins
    SecurityK8s control plane isolated from tenant, PSP enabled by defaultStrong cluster defaults
    CNCF Kubernetes certifiedYes (Gardener)Yes
    Local developmentminikube, kindminishift
    Proprietary extensionsNoDeploymentConfig and others
    kubectl accessYesYes
    diff --git a/previews/PR235/overview/gpu-support/index.html b/previews/PR235/overview/gpu-support/index.html index d50278eba2..865fe8efb9 100644 --- a/previews/PR235/overview/gpu-support/index.html +++ b/previews/PR235/overview/gpu-support/index.html @@ -20,4 +20,4 @@ memory: 263802860Ki nvidia.com/gpu: 1 pods: 510 -...

    With this basic installation, the worker node is ready to process GPU workloads.

    Warning

    However, there is a caveat - only one 'Pod' can access the GPU. If this is all you need, no additional configuration is required. On the other hand, if you are planning to deploy multiple applications that require GPU support, and there are not that many GPUs available, you will need to configure the gpu-operator to allow the GPU to be shared between multiple Pods.

    There are several approaches to sharing GPUs, please consult the official Nvidia documentation for further reference.

    https://developer.nvidia.com/blog/improving-gpu-utilization-in-kubernetes https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/gpu-operator-mig.html https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/gpu-sharing.html

    With this, happy AI processing.

    +...

    With this basic installation, the worker node is ready to process GPU workloads.

    Warning

    However, there is a caveat - only one 'Pod' can access the GPU. If this is all you need, no additional configuration is required. On the other hand, if you are planning to deploy multiple applications that require GPU support, and there are not that many GPUs available, you will need to configure the gpu-operator to allow the GPU to be shared between multiple Pods.

    There are several approaches to sharing GPUs, please consult the official Nvidia documentation for further reference.

    https://developer.nvidia.com/blog/improving-gpu-utilization-in-kubernetes https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/gpu-operator-mig.html https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/gpu-sharing.html

    With this, happy AI processing.

    diff --git a/previews/PR235/overview/hardware/index.html b/previews/PR235/overview/hardware/index.html index 63447f4027..073a28b2d4 100644 --- a/previews/PR235/overview/hardware/index.html +++ b/previews/PR235/overview/hardware/index.html @@ -1,2 +1,2 @@ -Hardware Support · metal-stack

    Hardware Support

    In order to keep the automation and maintenance overhead small, we strongly advise against building highly heterogeneous environments with metal-stack. Having a lot of different vendors and server models in your partitions will heavily increase the time and effort for introducing metal-stack in your infrastructure. From experience we can tell that the interfaces for automating hardware provisioning are usually inconsistent between vendors and even between server models of the same vendor. Therefore, we encourage adopters to start off with only a small amount of machine types. If you want to be on the safe side, you should consider buying the hardware that we officially support.

    We came up with a repository called go-hal, which includes the interface required for metal-stack to support a machine vendor. If you plan to implement support for new vendors, please check out this repository and contribute back your efforts in order to make the community benefit from extended vendor support as well.

    Servers

    The following server types are officially supported and verified by the metal-stack project:

    VendorSeriesModelBoard TypeStatus
    SupermicroBig-TwinSYS-2029BT-HNRX11DPT-Bstable
    SupermicroBig-TwinSYS-220BT-HNTRX12DPT-B6stable
    SupermicroSuperServerSSG-5019D8-TR12PX11SDV-8C-TP8Fstable
    SupermicroSuperServer2029UZ-TN20R25MX11DPUstable
    SupermicroSuperServerSYS-621C-TN12RX13DDW-Astable
    SupermicroMicrocloud5039MD8-H8TNRX11SDD-8C-Fstable
    SupermicroMicrocloudSYS-531MC-H8TNRX13SCD-Fstable
    SupermicroMicrocloud3015MR-H8TNRH13SRD-Fcoming soon
    LenovoThinkSystemSD530alpha

    Other server series and models might work but were not reported to us.

    GPUs

    The following GPU types are officially supported and verified by the metal-stack project:

    VendorModelStatus
    NVIDIARTX 6000stable
    NVIDIAH100stable

    Other GPU models might work but were not reported to us. For a detailed description howto use GPU support in a kubernetes cluster please check this documentation

    Network Cards

    The following network cards are officially supported and verified by the metal-stack project for usage in servers:

    VendorSeriesModelStatus
    IntelXXV710DA2 DualPort 2x25G SFP28stable
    IntelE810DA2 DualPort 2x25G SFP28stable
    IntelE810CQDA2 DualPort 2x100G SFP28stable
    MellanoxConnectX-5MCX512A-ACAT 2x25G SFP28stable

    Switches

    The following switch types are officially supported and verified by the metal-stack project:

    VendorSeriesModelOSStatus
    Edge-CoreAS7700 SeriesAS7712-32XCumulus 3.7.13stable
    Edge-CoreAS7700 SeriesAS7726-32XCumulus 4.1.1stable
    Edge-CoreAS7700 SeriesAS7712-32XEdgecore SONiCstable
    Edge-CoreAS7700 SeriesAS7726-32XEdgecore SONiCstable

    Other switch series and models might work but were not reported to us.

    Warning

    On our switches we run SONiC. The metal-core writes network configuration specifically implemented for this operating system. Please also consider running SONiC on your switches if you do not want to run into any issues with networking.

    Our previous support for Cumulus Linux will come to an end.

    Of course, contributions for supporting other switch vendors and operating systems are highly appreciated.

    Portable metal-stack Setup DIY

    A minimal physical hardware setup may contain at least the following components:

    Warning

    This setup should work as the components are very similar to the currently supported ones but it's currently untested.

    #VendorSeriesModelFunction
    2xEdge-CoreAS5500 SeriesAS5512-54x (10G)Leaf / Exit switches
    1xSupermicroMicrocloudSYS-5039MA16-H12RFTUsable machines
    1xTeltonikaRouterRUTXR1Front router for internet and out-of-band access to servers and switches

    Besides that, a 6HE rack with 1000mm depth and a portable LTE modem is needed.

    This MVP will yield in 12 usable machines, one of them will be reserved as management server.

    +Hardware Support · metal-stack

    Hardware Support

    In order to keep the automation and maintenance overhead small, we strongly advise against building highly heterogeneous environments with metal-stack. Having a lot of different vendors and server models in your partitions will heavily increase the time and effort for introducing metal-stack in your infrastructure. From experience we can tell that the interfaces for automating hardware provisioning are usually inconsistent between vendors and even between server models of the same vendor. Therefore, we encourage adopters to start off with only a small amount of machine types. If you want to be on the safe side, you should consider buying the hardware that we officially support.

    We came up with a repository called go-hal, which includes the interface required for metal-stack to support a machine vendor. If you plan to implement support for new vendors, please check out this repository and contribute back your efforts in order to make the community benefit from extended vendor support as well.

    Servers

    The following server types are officially supported and verified by the metal-stack project:

    VendorSeriesModelBoard TypeStatus
    SupermicroBig-TwinSYS-2029BT-HNRX11DPT-Bstable
    SupermicroBig-TwinSYS-220BT-HNTRX12DPT-B6stable
    SupermicroSuperServerSSG-5019D8-TR12PX11SDV-8C-TP8Fstable
    SupermicroSuperServer2029UZ-TN20R25MX11DPUstable
    SupermicroSuperServerSYS-621C-TN12RX13DDW-Astable
    SupermicroMicrocloud5039MD8-H8TNRX11SDD-8C-Fstable
    SupermicroMicrocloudSYS-531MC-H8TNRX13SCD-Fstable
    SupermicroMicrocloud3015MR-H8TNRH13SRD-Fcoming soon
    LenovoThinkSystemSD530alpha

    Other server series and models might work but were not reported to us.

    GPUs

    The following GPU types are officially supported and verified by the metal-stack project:

    VendorModelStatus
    NVIDIARTX 6000stable
    NVIDIAH100stable

    Other GPU models might work but were not reported to us. For a detailed description howto use GPU support in a kubernetes cluster please check this documentation

    Network Cards

    The following network cards are officially supported and verified by the metal-stack project for usage in servers:

    VendorSeriesModelStatus
    IntelXXV710DA2 DualPort 2x25G SFP28stable
    IntelE810DA2 DualPort 2x25G SFP28stable
    IntelE810CQDA2 DualPort 2x100G SFP28stable
    MellanoxConnectX-5MCX512A-ACAT 2x25G SFP28stable

    Switches

    The following switch types are officially supported and verified by the metal-stack project:

    VendorSeriesModelOSStatus
    Edge-CoreAS7700 SeriesAS7712-32XCumulus 3.7.13stable
    Edge-CoreAS7700 SeriesAS7726-32XCumulus 4.1.1stable
    Edge-CoreAS7700 SeriesAS7712-32XEdgecore SONiCstable
    Edge-CoreAS7700 SeriesAS7726-32XEdgecore SONiCstable

    Other switch series and models might work but were not reported to us.

    Warning

    On our switches we run SONiC. The metal-core writes network configuration specifically implemented for this operating system. Please also consider running SONiC on your switches if you do not want to run into any issues with networking.

    Our previous support for Cumulus Linux will come to an end.

    Of course, contributions for supporting other switch vendors and operating systems are highly appreciated.

    Portable metal-stack Setup DIY

    A minimal physical hardware setup may contain at least the following components:

    Warning

    This setup should work as the components are very similar to the currently supported ones but it's currently untested.

    #VendorSeriesModelFunction
    2xEdge-CoreAS5500 SeriesAS5512-54x (10G)Leaf / Exit switches
    1xSupermicroMicrocloudSYS-5039MA16-H12RFTUsable machines
    1xTeltonikaRouterRUTXR1Front router for internet and out-of-band access to servers and switches

    Besides that, a 6HE rack with 1000mm depth and a portable LTE modem is needed.

    This MVP will yield in 12 usable machines, one of them will be reserved as management server.

    diff --git a/previews/PR235/overview/isolated-kubernetes/index.html b/previews/PR235/overview/isolated-kubernetes/index.html index 551e8a95d5..0a7a27f169 100644 --- a/previews/PR235/overview/isolated-kubernetes/index.html +++ b/previews/PR235/overview/isolated-kubernetes/index.html @@ -168,4 +168,4 @@ State PolicyDeploymentState `json:"state"` // Message describe why the state changed Message string `json:"message,omitempty"` -}

    Cloud Controller Manager

    This component was adopted to allow to be started without a default network specified. This was actually always the internet network and if no ip address was specified in the Service Type LoadBalancer, one ip was allocated from this default network. For isolated clusters this is not provided and a cluster user must always specify this ip to get a working load balancer.

    OCI Mirror

    The OCI Mirror is a new application which acts as a scheduled job that pulls a given list of container images and pushes them to a private registry (which will then serve as the private registry mirror). The detailed description can be read on the project website.

    +}

    Cloud Controller Manager

    This component was adopted to allow to be started without a default network specified. This was actually always the internet network and if no ip address was specified in the Service Type LoadBalancer, one ip was allocated from this default network. For isolated clusters this is not provided and a cluster user must always specify this ip to get a working load balancer.

    OCI Mirror

    The OCI Mirror is a new application which acts as a scheduled job that pulls a given list of container images and pushes them to a private registry (which will then serve as the private registry mirror). The detailed description can be read on the project website.

    diff --git a/previews/PR235/overview/kubernetes/index.html b/previews/PR235/overview/kubernetes/index.html index 5313020dcd..660ae3e9b1 100644 --- a/previews/PR235/overview/kubernetes/index.html +++ b/previews/PR235/overview/kubernetes/index.html @@ -1,2 +1,2 @@ -Kubernetes Integration · metal-stack

    Kubernetes Integration

    With the help of the Gardener project, metal-stack can be used for spinning up Kubernetes clusters quickly and reliably on bare metal machines.

    To make this happen, we implemented a couple of components, which are described here.

    metal-ccm

    CCM stands for cloud-controller-manager and is the bridge between Kubernetes and a cloud-provider.

    We implemented the cloud provider interface in the metal-ccm repository. With the help of the cloud-controller-controller we provide metal-stack-specific properties for Kubernetes clusters, e.g. load balancer configuration through MetalLB or node properties.

    firewall-controller

    To make the firewalls created with metal-stack easily configurable through Kubernetes resources, we add our firewall-controller to the firewall image. The controller watches special CRDs, enabling users to manage:

    • nftables rules
    • Intrusion-detection with suricata
    • network metric collection

    Please check out the guide on how to use it.

    Gardener components

    There are some Gardener resources that need be reconciled when you act as a cloud provider for the Gardener. This section briefly describes the controllers implemented for deploying Kubernetes clusters through Gardener.

    If you want to learn how to deploy metal-stack with Gardener, please check out the installation section.

    gardener-extension-provider-metal

    The gardener-extension-provider-metal contains of a set of webhooks and controllers for reconciling or mutating Gardener-specific resources.

    The project also contains a validator for metal-type Gardener resources, which you should also deploy in case you want to use metal-stack in combination with Gardener.

    os-metal-extension

    Due to the reason we use ignition in our operating system images for userdata, we had to provide an own extension controller for metal-stack, which you can find at Github in the os-metal-extension repository.

    machine-controller-manager-provider-metal

    Worker nodes are managed through Gardener's machine-controller-manager (MCM). The MCM allows out-of-tree provider implementation via sidecar, which is what we implemented in the machine-controller-manager-provider-metal repository.

    +Kubernetes Integration · metal-stack

    Kubernetes Integration

    With the help of the Gardener project, metal-stack can be used for spinning up Kubernetes clusters quickly and reliably on bare metal machines.

    To make this happen, we implemented a couple of components, which are described here.

    metal-ccm

    CCM stands for cloud-controller-manager and is the bridge between Kubernetes and a cloud-provider.

    We implemented the cloud provider interface in the metal-ccm repository. With the help of the cloud-controller-controller we provide metal-stack-specific properties for Kubernetes clusters, e.g. load balancer configuration through MetalLB or node properties.

    firewall-controller

    To make the firewalls created with metal-stack easily configurable through Kubernetes resources, we add our firewall-controller to the firewall image. The controller watches special CRDs, enabling users to manage:

    • nftables rules
    • Intrusion-detection with suricata
    • network metric collection

    Please check out the guide on how to use it.

    Gardener components

    There are some Gardener resources that need be reconciled when you act as a cloud provider for the Gardener. This section briefly describes the controllers implemented for deploying Kubernetes clusters through Gardener.

    If you want to learn how to deploy metal-stack with Gardener, please check out the installation section.

    gardener-extension-provider-metal

    The gardener-extension-provider-metal contains of a set of webhooks and controllers for reconciling or mutating Gardener-specific resources.

    The project also contains a validator for metal-type Gardener resources, which you should also deploy in case you want to use metal-stack in combination with Gardener.

    os-metal-extension

    Due to the reason we use ignition in our operating system images for userdata, we had to provide an own extension controller for metal-stack, which you can find at Github in the os-metal-extension repository.

    machine-controller-manager-provider-metal

    Worker nodes are managed through Gardener's machine-controller-manager (MCM). The MCM allows out-of-tree provider implementation via sidecar, which is what we implemented in the machine-controller-manager-provider-metal repository.

    diff --git a/previews/PR235/overview/networking/index.html b/previews/PR235/overview/networking/index.html index 79d69fcbaf..4e9ab7f90e 100644 --- a/previews/PR235/overview/networking/index.html +++ b/previews/PR235/overview/networking/index.html @@ -351,4 +351,4 @@ iface swp1 mtu 9000 bridge-access 4000 -# [...]

    Listing 14: VLAN access setup for bare metal server facing ports on leaves.

    Once a bare metal server is provisioned it is deconfigured from PXE VLAN vlan4000 to avoid accidental or unwanted provisioning.

    During provisioning bare metal servers get internet access via the management network of the exit switches. This is because the exit switches are announced as DHCP gateway to the DHCP clients.

    Management Network

    To manage network switches beside the out-of-band system console access a further management access is required. For this purpose the concept of Management VRF is applied. The Management VRF is a subset of VRF. It provides a separation between out-of-band management network and the in-band data plane network by introducing another routing table mgmt. SONiC supports eth0 to be used as the management interface.

    To enable and use the Management VRF all switches have to be connected via their eth0 interface to a management-switch. The management switch is connected to a management server. All access is established from within the management server. Logins to the switch are set into the Management VRF context once the Management VRF is enabled.

    +# [...]

    Listing 14: VLAN access setup for bare metal server facing ports on leaves.

    Once a bare metal server is provisioned it is deconfigured from PXE VLAN vlan4000 to avoid accidental or unwanted provisioning.

    During provisioning bare metal servers get internet access via the management network of the exit switches. This is because the exit switches are announced as DHCP gateway to the DHCP clients.

    Management Network

    To manage network switches beside the out-of-band system console access a further management access is required. For this purpose the concept of Management VRF is applied. The Management VRF is a subset of VRF. It provides a separation between out-of-band management network and the in-band data plane network by introducing another routing table mgmt. SONiC supports eth0 to be used as the management interface.

    To enable and use the Management VRF all switches have to be connected via their eth0 interface to a management-switch. The management switch is connected to a management server. All access is established from within the management server. Logins to the switch are set into the Management VRF context once the Management VRF is enabled.

    diff --git a/previews/PR235/overview/os/index.html b/previews/PR235/overview/os/index.html index a0b7c8dcfe..2a5f36ad21 100644 --- a/previews/PR235/overview/os/index.html +++ b/previews/PR235/overview/os/index.html @@ -1,2 +1,2 @@ -Operating Systems · metal-stack

    Operating Systems

    Our operating system images are built on regular basis from the metal-images repository.

    All images are hosted on GKE at images.metal-stack.io. Feel free to use this as a mirror for your metal-stack partitions if you want. The metal-stack developers continuously have an eye on the supported images. They are updated regularly and scanned for vulnerabilities.

    Supported OS Images

    The operating system images that we build are trimmed down to their bare essentials for serving as Kubernetes worker nodes. Small image sizes make machine provisioning blazingly fast.

    The supported images for worker nodes currently are:

    PlatformDistributionVersion
    LinuxDebian11
    LinuxUbuntu22.04

    The supported images for firewalls are:

    PlatformDistributionVersionBased On
    LinuxUbuntu322.04

    Building Your Own Images

    It is fully possible to build your own operating system images and provide them through the metal-stack.

    There are some conventions though that you need to follow in order to make your image installable through the metal-hammer. You should understand the machine provisioning sequence before starting to write your own images.

    1. Images need to be compressed to a tarball using the lz4 compression algorithm
    2. An md5 checksum file with the same name as the image archive needs to be provided in the download path along with the actual os image
    3. A packages.txt containing the packages contained in the OS image should be provided in the download path (not strictly required)
    4. Consider semantic image versioning, which we use in our algorithms to select latest images (e.g. os-major.minor.patch ➡️ ubuntu-19.10.20191018)
    5. Consider installing packages used by the metal-stack infrastructure
      • FRR to enable routing-to-the-host in our network topology
      • go-lldpd to enable checking if the machine is still alive after user allocation
      • ignition for enabling users to run user-specific initialization instructions before bootup. It's pretty small in size, which is why we use it. However, you are free to use other cloud instance initialization tools if you want to.
    6. You have to provide an install.sh script, which applies user-specific configuration in the installed image
      • This script should consume parameters from the install.yaml file that the metal-hammer writes to /etc/metal/install.yaml
      • Please check this contract between image and the metal-hammer here
    7. For the time being, your image must be able to support kexec into the new operating system kernel, the kexec command is issued by the metal-hammer after running the install.sh. We do this because kexec is much faster than rebooting a machine.
    8. We recommend building images from Dockerfiles as it is done in metal-images repository.
    Info

    Building own operating system images is an advanced topic. When you have just started with metal-stack, we recommend using the public operating system images first.

    +Operating Systems · metal-stack

    Operating Systems

    Our operating system images are built on regular basis from the metal-images repository.

    All images are hosted on GKE at images.metal-stack.io. Feel free to use this as a mirror for your metal-stack partitions if you want. The metal-stack developers continuously have an eye on the supported images. They are updated regularly and scanned for vulnerabilities.

    Supported OS Images

    The operating system images that we build are trimmed down to their bare essentials for serving as Kubernetes worker nodes. Small image sizes make machine provisioning blazingly fast.

    The supported images for worker nodes currently are:

    PlatformDistributionVersion
    LinuxDebian11
    LinuxUbuntu22.04

    The supported images for firewalls are:

    PlatformDistributionVersionBased On
    LinuxUbuntu322.04

    Building Your Own Images

    It is fully possible to build your own operating system images and provide them through the metal-stack.

    There are some conventions though that you need to follow in order to make your image installable through the metal-hammer. You should understand the machine provisioning sequence before starting to write your own images.

    1. Images need to be compressed to a tarball using the lz4 compression algorithm
    2. An md5 checksum file with the same name as the image archive needs to be provided in the download path along with the actual os image
    3. A packages.txt containing the packages contained in the OS image should be provided in the download path (not strictly required)
    4. Consider semantic image versioning, which we use in our algorithms to select latest images (e.g. os-major.minor.patch ➡️ ubuntu-19.10.20191018)
    5. Consider installing packages used by the metal-stack infrastructure
      • FRR to enable routing-to-the-host in our network topology
      • go-lldpd to enable checking if the machine is still alive after user allocation
      • ignition for enabling users to run user-specific initialization instructions before bootup. It's pretty small in size, which is why we use it. However, you are free to use other cloud instance initialization tools if you want to.
    6. You have to provide an install.sh script, which applies user-specific configuration in the installed image
      • This script should consume parameters from the install.yaml file that the metal-hammer writes to /etc/metal/install.yaml
      • Please check this contract between image and the metal-hammer here
    7. For the time being, your image must be able to support kexec into the new operating system kernel, the kexec command is issued by the metal-hammer after running the install.sh. We do this because kexec is much faster than rebooting a machine.
    8. We recommend building images from Dockerfiles as it is done in metal-images repository.
    Info

    Building own operating system images is an advanced topic. When you have just started with metal-stack, we recommend using the public operating system images first.

    diff --git a/previews/PR235/overview/storage/index.html b/previews/PR235/overview/storage/index.html index 128759b743..7fac54c16c 100644 --- a/previews/PR235/overview/storage/index.html +++ b/previews/PR235/overview/storage/index.html @@ -9,4 +9,4 @@ resources: requests: storage: 100Mi - storageClassName: csi-lvm-sc-linear

    The solution does not provide cloud-storage or whatsoever, but it improves the user's accessibility of local storage on bare-metal machines through Kubernetes. Check out the driver's documentation here.

    + storageClassName: csi-lvm-sc-linear

    The solution does not provide cloud-storage or whatsoever, but it improves the user's accessibility of local storage on bare-metal machines through Kubernetes. Check out the driver's documentation here.

    diff --git a/previews/PR235/quickstart/index.html b/previews/PR235/quickstart/index.html index d5e3eeb35b..2d2e8afcc8 100644 --- a/previews/PR235/quickstart/index.html +++ b/previews/PR235/quickstart/index.html @@ -1,2 +1,2 @@ -Quickstart · metal-stack

    Getting Started

    Before starting to buy any hardware, you should try out the metal-stack on your notebook and familiarize with the software.

    For this, we made the mini-lab.

    The mini-lab is a fully virtual setup of metal-stack and is supposed to be run locally on a single machine. For this reason, the setup was slightly simplified in comparison to full-blown setups on real hardware. However, the lab should help to understand all ideas behind the metal-stack.

    Get your hands dirty and follow the guide on how to get on with the mini-lab here.

    +Quickstart · metal-stack

    Getting Started

    Before starting to buy any hardware, you should try out the metal-stack on your notebook and familiarize with the software.

    For this, we made the mini-lab.

    The mini-lab is a fully virtual setup of metal-stack and is supposed to be run locally on a single machine. For this reason, the setup was slightly simplified in comparison to full-blown setups on real hardware. However, the lab should help to understand all ideas behind the metal-stack.

    Get your hands dirty and follow the guide on how to get on with the mini-lab here.

    diff --git a/previews/PR235/search_index.js b/previews/PR235/search_index.js index 44f77cd29f..7305e84f50 100644 --- a/previews/PR235/search_index.js +++ b/previews/PR235/search_index.js @@ -1,3 +1,3 @@ var documenterSearchIndex = {"docs": -[{"location":"external/metalctl/docs/metalctl_network_edit/#metalctl-network-edit","page":"metalctl network edit","title":"metalctl network edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_edit/","page":"metalctl network edit","title":"metalctl network edit","text":"edit the network through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_network_edit/","page":"metalctl network edit","title":"metalctl network edit","text":"metalctl network edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_edit/#Options","page":"metalctl network edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_edit/","page":"metalctl network edit","title":"metalctl network edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_network_edit/#Options-inherited-from-parent-commands","page":"metalctl network edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_edit/","page":"metalctl network edit","title":"metalctl network edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_edit/#SEE-ALSO","page":"metalctl network edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_edit/","page":"metalctl network edit","title":"metalctl network edit","text":"metalctl network\t - manage network entities","category":"page"},{"location":"installation/autonomous-control-plane/#Autonomous-Control-Plane,-aka-solve-the-bootstrap-problem","page":"Autonomous Control Plane","title":"Autonomous Control Plane, aka solve the bootstrap problem","text":"","category":"section"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Setting up a metal-stack.io environment in your own datacenter requires a control plane to be present which hosts the metal-stack api. If you plan to spin up kubernetes clusters, either with gardener.cloud or cluster api, the requirement for this control plane raises. The control plane must be running in a kubernetes cluster, which offers at least the following features:","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Loadbalancing\nPersistent Storage\nAccess to a object storage for automatic backups of the stateful sets\nAccess to a DNS provider which is supported by one of the dns extensions in use.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"This cluster must also be highly available to prevent complete loss of control over the managed resources in the datacenter. Regular kubernetes updates to apply security fixes and feature updates must be possible in an automated manner.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"The most obvious and simple solution is to use one of the managed kubernetes offerings from another cloud provider.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"But there are use cases, where it is not possible because of network restrictions, or because the company compliances forbid the usage of external datacenter products. For such cases a solution must be found which produces the control plane inside the own datacenter but with reasonable day two operational effort.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Pages = [\"autonomous-control-plane.md\"]\nDepth = 5","category":"page"},{"location":"installation/autonomous-control-plane/#Possible-Solutions","page":"Autonomous Control Plane","title":"Possible Solutions","text":"","category":"section"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"No complete list.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"vmware and rancher\ntalos\n3 physical machines with kubespray","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"...","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"All of these solutions add another stack which is probably new to the team which already operates the metal-stack environment.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"TODO: can we provide a list which of the requirements can be solved with all of the alternatives.","category":"page"},{"location":"installation/autonomous-control-plane/#Use-your-own-dogfood","page":"Autonomous Control Plane","title":"Use your own dogfood","text":"","category":"section"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"With metal-stack.io we already have the possibility to create an manage kubernetes cluster with the help of gardener.cloud. Use this stack to create the control plane clusters only. Do not try to create more clusters for other purposes than metal-stack control planes. If this restriction applies, the requirement for a control plane for this metal-stack setup can be minimal.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"This metal-stack setup also requires a control plane to host metal-api and gardener, but this control plane does not have huge resource requirements in terms of cpu, memory and storage. For this initial control plane cluster we could use kind running on a single server which manages the initial metal-stack partitin to host the control plane for the real setup.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"This is a chain of two metal-stack environments.","category":"page"},{"location":"installation/autonomous-control-plane/#Architecture","page":"Autonomous Control Plane","title":"Architecture","text":"","category":"section"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"A high-level architecture consists of two metal-stack.io environments, one for the control plane, the second one for the production or real environment. It might also be possible to call the initial metal-stack.io environment the metal-stack seed, and the actual production environment the metal-stack shoot.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"We could even use some names for this environments which match better to metal, like needle and nail. So, a needle metal-stack is used to create a nail metal-stack environment.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"(Image: metal-stack-chain)","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"The needle and the nail metal-stack have both a control plane and a set of physical bare metal machines they manage and operate on.","category":"page"},{"location":"installation/autonomous-control-plane/#Needle","page":"Autonomous Control Plane","title":"Needle","text":"","category":"section"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"The needle control plane is kept very small and running inside a kind cluster. The physical bare metal machines can be any machines and switches which are supported by metal stack, but can be smaller in terms of cpu, memory and network speed, because these machines must only be capable of running the nail metal stack control plane.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Control Plane","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"In the most simple case the needle control plane is based on kind which is running on a machine which was setup manually/partly automated with a debian:12 operating system. This machine provides a decent amount of cpu, memory and storage locally to store all persistent data. The amount of cpus and memory depends on the required size of the expected nail control plane. A typical single socket server with 8-16 cores and 64GB of RAM and two NVMe drives of 1TB would be a good starting point.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"In a typical kind setup, a stateful set would lose the data once the kind cluster was terminated and started again. But there is a possibility to define parts of the local storage of the server to be provided to the kind cluster for the PVCs. With that, kind could be terminated and started again, for example to update and reboot the host os, or update kind itself and the data will persist.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Example kind configuration for persistent storage on the hosts os:","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"kind: Cluster\napiVersion: kind.x-k8s.io/v1alpha4\nname: needle-control-plane\nnodes:\n- role: control-plane\n # add a mount from /path/to/my/files on the host to /files on the node\n extraMounts:\n - hostPath: /path/to/my/files\n containerPath: /files\n","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"As mentioned before, kind is used to host the needle control plane. For a gardener managed kubernetes setup, metal-stack and gardener will be deployed into this cluster. This deployment can be done by a gitlab runner which is running on this machine. The mini-lab will be used as a base for this deployment. The current development of gardener-in-minilab must be extended to host all required extensions to make this a working metal stack control plane which can manage the machines in the attached bare metal setup.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"A second kind cluster is started on this machine to host services which are required to complete the service. A non-complete list would be:","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"PowerDNS to server as a DNS Server for all dns entries which needs to be created in the needle, like api.needle.metal-stack.local, gardener-api.needle.metal-stack.local and the dns entries for the api servers of the create kubernetes clusters.\nNTP\nMonitoring for the needle partition ?\nOptional: Container Registry to host all metal-stack and gardener containers\nOptional: Letsencrypt boulder as a certificate authority\n...","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"(Image: needle-control-plane)","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"1.1. Control Plane High Availability","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Running the needle control plane on a single physical server is not as available as it should be in such a use case. It should be possible to survive a loss of this server, because the server could be lost by many events, such as hardware failure, disk corruption or even failure of the datacenter location where this server is deployed.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Setting up a second server with the same software components is an option, but the problem of data redundancy must be solved, because neither the gardener control plane, nor the metal-stack control plane can be instantiated twice.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Given that we provide part of the local storage of the server as backing storage for the stateful sets in the kind cluster, the data stored on the server itself must be synced to a second server in some way.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Here comes DRBD into play, this is a linux kernel module which can be configured to mirror one or more local block devices to another server connected over tcp. With the help of pacemaker a coordinated failover of resources running on top of filesystems created on such replicated drbd devices, a high available stateful server pair is possible. It is also possible to prevent split brain if both servers have a out-of-band management build in with power off capability. DRBD can also be configured to sync storage between WAN links with a higher latency by using a async mechanism.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Sample drbd configuration:","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"resource needle-control-plane {\n meta-disk internal;\n device /dev/drbd0;\n syncer {\n verify-alg sha1;\n }\n net {\n allow-two-primaries;\n }\n on needle1 {\n disk /dev/nvme0n1;\n address 192.168.1.101:7789;\n }\n on needle2 {\n disk /dev/nvme0n1;\n address 192.168.1.102:7789;\n }\n}","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"TODO: LVM Volumes","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Logical View","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"(Image: needle-control-plane-ha)","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Physical View, minimal ha setup which is only suitable for 1 Seed and 1 Shoot","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"(Image: needle-rack)","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Physical View, bigger ha setup which is spread to two datacenters, capable to create 1 Seed with 3 nodes and 2 Shoots with 3 nodes each and still 2 waiting machines.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"(Image: needle-rack-big)","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Partition","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"The partition which is managed by the metal-stack needle can be a simple and small hardware setup but yet capable enough to host the metal-stack nail control plane. It can follow the metal-stack minimal setup which provides about 8-16 small servers connected to a 1G/s or 10G/s network dataplane. Central storage is optional as the persistence of the services running in these clusters is always backed up to a central object storage. Operations would be much easier if a central storage is provided.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"A seed must be created which is responsible for hosting the control planes of the shoots in this partition. The amount of shoots should be minimal, most of the time, two shoots, one for hosting gardener and one for metal-stack.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"(Image: needle-partition)","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Network Diagram","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"TODO: Where to connect the needle servers","category":"page"},{"location":"installation/autonomous-control-plane/#Open-Topics","page":"Autonomous Control Plane","title":"Open Topics","text":"","category":"section"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Naming of the metal-stack chain elements, is needle and nail appropriate ?\nStorage in the needle partition\nMinIO DirectPV –> new to me, dont know exactly how this works, looks interesting\nlightOS\nDiskomator –> Crazy\nthe needle server as initiator, maybe also replicated with drbd ?\nNVMEoTCP Howto\nNVMEoTCP Howto\nStorage Appliance like Synology\nS3 Object storage is considered as provided\nAirGapped is out of scope for now\nIP address ranges and families\nConsider Autonomous Shoots for the needle seed\nTake a look at: Description of a Microdatacenter","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_list/#metalctl-filesystemlayout-list","page":"metalctl filesystemlayout list","title":"metalctl filesystemlayout list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_list/","page":"metalctl filesystemlayout list","title":"metalctl filesystemlayout list","text":"list all filesystemlayouts","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_list/","page":"metalctl filesystemlayout list","title":"metalctl filesystemlayout list","text":"metalctl filesystemlayout list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_list/#Options","page":"metalctl filesystemlayout list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_list/","page":"metalctl filesystemlayout list","title":"metalctl filesystemlayout list","text":" -h, --help help for list\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: description|id|name","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_list/#Options-inherited-from-parent-commands","page":"metalctl filesystemlayout list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_list/","page":"metalctl filesystemlayout list","title":"metalctl filesystemlayout list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_list/#SEE-ALSO","page":"metalctl filesystemlayout list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_list/","page":"metalctl filesystemlayout list","title":"metalctl filesystemlayout list","text":"metalctl filesystemlayout\t - manage filesystemlayout entities","category":"page"},{"location":"development/proposals/MEP10/README/#SONiC-Support","page":"SONiC Support","title":"SONiC Support","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"As writing this proposal, metal-stack only supports Cumulus on Broadcom ASICs. Unfortunately, after the acquisition of Cumulus Networks by Nvidia, Broadcom decided to cut its relationship with Cumulus, and therefore Cumulus 4.2 is the last version that supports Broadcom ASICs. Since trashing the existing hardware is not a solution, adding support for a different network operating system is necessary.","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"One of the remaining big players is SONiC, which Microsoft created to scale the network of Azure. It's an open-source project and is now part of the Linux Foundation.","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"For a general introduction to SONiC, please follow the Architecture official documentation.","category":"page"},{"location":"development/proposals/MEP10/README/#ConfigDB","page":"SONiC Support","title":"ConfigDB","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"On a cold start, the content of /etc/sonic/config_db.json will be loaded into the Redis database CONFIG_DB, and both contain the switch's configuration except the BGP unnumbered configuration, which still has to be configured directly by the frr configuration files. The SONiC community is working to remove this exception, but no release date is known.","category":"page"},{"location":"development/proposals/MEP10/README/#BGP-Configuration","page":"SONiC Support","title":"BGP Configuration","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"Frr runs inside a container, and a shell script configured it on the container startup. For BGP unnumbered, we must set the configuration variable docker_routing_config_mode to split to prevent SONiC from overwriting our configuration files created by metal-core. But by using the split mode, the integrated configuration mode of frr is deactivated, and we have to write our BGP configuration to the daemon-specific files bgp.conf, staticd.conf, and zebra.conf instead to frr.conf.","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"elif [ \"$CONFIG_TYPE\" == \"split\" ]; then\n echo \"no service integrated-vtysh-config\" > /etc/frr/vtysh.conf\n rm -f /etc/frr/frr.conf","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"Reference: docker-init","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"Adding support for the integrated configuration mode, we must at least adjust the startup shell script and the supervisor configuration:","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"{% if DEVICE_METADATA.localhost.docker_routing_config_mode is defined and DEVICE_METADATA.localhost.docker_routing_config_mode == \"unified\" %}\n[program:vtysh_b]\ncommand=/usr/bin/vtysh -b","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"Reference: supervisord.conf","category":"page"},{"location":"development/proposals/MEP10/README/#Non-BGP-Configuration","page":"SONiC Support","title":"Non-BGP Configuration","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"For the Non-BGP configuration we have to write it into the Redis database directly or via one of the following interfaces:","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"config replace \nthe Mgmt Framework\nthe SONiC restapi","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"Directly writing into the Redis database isn't a stable interface, and we must determine the create, delete, and update operations on our own. The last point is also valid for the Mgmt Framework and the SONiC restapi. Furthermore, the Mgmt Framework doesn't start anymore for several months, and a potential fix is still not merged. And the SONiC restapi isn't enabled by default, and we must build and maintain our own SONiC images.","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"Using config replace would reduce the complexity in the metal-core codebase because we don't have to determine the actual changes between the running and the desired configuration. The approach's drawbacks are using a version of SONiC that contains the PR Yang support for VXLAN, and we must provide the whole new startup configuration to prevent unwanted deconfiguration.","category":"page"},{"location":"development/proposals/MEP10/README/#Configure-Loopback-interface-and-activate-VXLAN","page":"SONiC Support","title":"Configure Loopback interface and activate VXLAN","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"{\n \"LOOPBACK_INTERFACE\": {\n \"Loopback0\": {},\n \"Loopback0|\": {}\n },\n \"VXLAN_TUNNEL\": {\n \"vtep\": {\n \"src_ip\": \"\"\n }\n }\n}","category":"page"},{"location":"development/proposals/MEP10/README/#Configure-MTU","page":"SONiC Support","title":"Configure MTU","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"{\n \"PORT\": {\n \"Ethernet0\": {\n \"mtu\": \"9000\"\n }\n }\n}","category":"page"},{"location":"development/proposals/MEP10/README/#Configure-PXE-Vlan","page":"SONiC Support","title":"Configure PXE Vlan","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"{\n \"VLAN\": {\n \"Vlan4000\": {\n \"vlanid\": \"4000\"\n }\n },\n \"VLAN_INTERFACE\": {\n \"Vlan4000\": {},\n \"Vlan4000|\": {}\n },\n \"VLAN_MEMBER\": {\n \"Vlan4000|\": {\n \"tagging_mode\": \"untagged\"\n }\n },\n \"VXLAN_TUNNEL_MAP\": {\n \"vtep|map_104000_Vlan4000\": {\n \"vlan\": \"Vlan4000\",\n \"vni\": \"104000\"\n }\n }\n}","category":"page"},{"location":"development/proposals/MEP10/README/#Configure-VRF","page":"SONiC Support","title":"Configure VRF","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"{\n \"INTERFACE\": {\n \"Ethernet0\": {\n \"vrf_name\": \"vrf104001\"\n }\n },\n \"VLAN\": {\n \"Vlan4001\": {\n \"vlanid\": \"4001\"\n }\n },\n \"VLAN_INTERFACE\": {\n \"Vlan4001\": {\n \"vrf_name\": \"vrf104001\"\n }\n },\n \"VRF\": {\n \"vrf104001\": {\n \"vni\": \"104001\"\n }\n },\n \"VXLAN_TUNNEL_MAP\": {\n \"vtep|map_104001_Vlan4001\": {\n \"vlan\": \"Vlan4001\",\n \"vni\": \"104001\"\n }\n }\n}","category":"page"},{"location":"development/proposals/MEP10/README/#DHCP-Relay","page":"SONiC Support","title":"DHCP Relay","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"The DHCP relay container only starts if DEVICE_METADATA.localhost.type is equal to ToRRouter.","category":"page"},{"location":"development/proposals/MEP10/README/#LLDP","page":"SONiC Support","title":"LLDP","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"SONiC always uses the local port subtype for LLDP and sets it to some freely configurable alias field of the interface.","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"# Get the port alias. If None or empty string, use port name instead\nport_alias = port_table_dict.get(\"alias\")\nif not port_alias:\n self.log_info(\"Unable to retrieve port alias for port '{}'. Using port name instead.\".format(port_name))\n port_alias = port_name\n\nlldpcli_cmd = \"lldpcli configure ports {0} lldp portidsubtype local {1}\".format(port_name, port_alias)","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"Reference: lldpmgr","category":"page"},{"location":"development/proposals/MEP10/README/#Mgmt-Interface","page":"SONiC Support","title":"Mgmt Interface","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"The mgmt interface is eth0. To configure a static IP address and activate the Mgmt VRF, use:","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"{\n \"MGMT_INTERFACE\": {\n \"eth0|\": {\n \"gwaddr\": \"\"\n }\n },\n \"MGMT_VRF_CONFIG\": {\n \"vrf_global\": {\n \"mgmtVrfEnabled\": \"true\"\n }\n }\n}","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"IP forwarding is deactivated on eth0, and no IP Masquerade is configured.","category":"page"},{"location":"external/metalctl/docs/metalctl_update_check/#metalctl-update-check","page":"metalctl update check","title":"metalctl update check","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update_check/","page":"metalctl update check","title":"metalctl update check","text":"check for update of the program","category":"page"},{"location":"external/metalctl/docs/metalctl_update_check/","page":"metalctl update check","title":"metalctl update check","text":"metalctl update check [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_update_check/#Options","page":"metalctl update check","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update_check/","page":"metalctl update check","title":"metalctl update check","text":" -h, --help help for check","category":"page"},{"location":"external/metalctl/docs/metalctl_update_check/#Options-inherited-from-parent-commands","page":"metalctl update check","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update_check/","page":"metalctl update check","title":"metalctl update check","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_update_check/#SEE-ALSO","page":"metalctl update check","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update_check/","page":"metalctl update check","title":"metalctl update check","text":"metalctl update\t - update the program","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant/#metalctl-tenant","page":"metalctl tenant","title":"metalctl tenant","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant/","page":"metalctl tenant","title":"metalctl tenant","text":"manage tenant entities","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant/#Synopsis","page":"metalctl tenant","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant/","page":"metalctl tenant","title":"metalctl tenant","text":"a tenant belongs to a tenant and groups together entities in metal-stack.","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant/#Options","page":"metalctl tenant","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant/","page":"metalctl tenant","title":"metalctl tenant","text":" -h, --help help for tenant","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant/#Options-inherited-from-parent-commands","page":"metalctl tenant","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant/","page":"metalctl tenant","title":"metalctl tenant","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant/#SEE-ALSO","page":"metalctl tenant","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant/","page":"metalctl tenant","title":"metalctl tenant","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl tenant apply\t - applies one or more tenants from a given file\nmetalctl tenant create\t - creates the tenant\nmetalctl tenant delete\t - deletes the tenant\nmetalctl tenant describe\t - describes the tenant\nmetalctl tenant edit\t - edit the tenant through an editor and update\nmetalctl tenant list\t - list all tenants\nmetalctl tenant update\t - updates the tenant","category":"page"},{"location":"external/metalctl/docs/metalctl_switch/#metalctl-switch","page":"metalctl switch","title":"metalctl switch","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch/","page":"metalctl switch","title":"metalctl switch","text":"manage switch entities","category":"page"},{"location":"external/metalctl/docs/metalctl_switch/#Synopsis","page":"metalctl switch","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch/","page":"metalctl switch","title":"metalctl switch","text":"switch are the leaf switches in the data center that are controlled by metal-stack.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch/#Options","page":"metalctl switch","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch/","page":"metalctl switch","title":"metalctl switch","text":" -h, --help help for switch","category":"page"},{"location":"external/metalctl/docs/metalctl_switch/#Options-inherited-from-parent-commands","page":"metalctl switch","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch/","page":"metalctl switch","title":"metalctl switch","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch/#SEE-ALSO","page":"metalctl switch","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch/","page":"metalctl switch","title":"metalctl switch","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl switch connected-machines\t - shows switches with their connected machines\nmetalctl switch console\t - connect to the switch console\nmetalctl switch delete\t - deletes the switch\nmetalctl switch describe\t - describes the switch\nmetalctl switch detail\t - switch details\nmetalctl switch edit\t - edit the switch through an editor and update\nmetalctl switch list\t - list all switches\nmetalctl switch migrate\t - migrate machine connections and other configuration from one switch to another\nmetalctl switch port\t - sets the given switch port state up or down\nmetalctl switch replace\t - put a leaf switch into replace mode in preparation for physical replacement. For a description of the steps involved see the long help.\nmetalctl switch ssh\t - connect to the switch via ssh\nmetalctl switch update\t - updates the switch","category":"page"},{"location":"external/metalctl/docs/metalctl_audit_describe/#metalctl-audit-describe","page":"metalctl audit describe","title":"metalctl audit describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit_describe/","page":"metalctl audit describe","title":"metalctl audit describe","text":"describes the audit trace","category":"page"},{"location":"external/metalctl/docs/metalctl_audit_describe/","page":"metalctl audit describe","title":"metalctl audit describe","text":"metalctl audit describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_audit_describe/#Options","page":"metalctl audit describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit_describe/","page":"metalctl audit describe","title":"metalctl audit describe","text":" -h, --help help for describe\n --phase string phase of the audit trace. One of [request, response, single, error, opened, closed] (default \"response\")\n --prettify-body attempts to interpret the body as json and prettifies it","category":"page"},{"location":"external/metalctl/docs/metalctl_audit_describe/#Options-inherited-from-parent-commands","page":"metalctl audit describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit_describe/","page":"metalctl audit describe","title":"metalctl audit describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_audit_describe/#SEE-ALSO","page":"metalctl audit describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit_describe/","page":"metalctl audit describe","title":"metalctl audit describe","text":"metalctl audit\t - manage audit trace entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network_free/#metalctl-network-free","page":"metalctl network free","title":"metalctl network free","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_free/","page":"metalctl network free","title":"metalctl network free","text":"free a network","category":"page"},{"location":"external/metalctl/docs/metalctl_network_free/","page":"metalctl network free","title":"metalctl network free","text":"metalctl network free [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_free/#Options","page":"metalctl network free","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_free/","page":"metalctl network free","title":"metalctl network free","text":" -h, --help help for free","category":"page"},{"location":"external/metalctl/docs/metalctl_network_free/#Options-inherited-from-parent-commands","page":"metalctl network free","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_free/","page":"metalctl network free","title":"metalctl network free","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_free/#SEE-ALSO","page":"metalctl network free","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_free/","page":"metalctl network free","title":"metalctl network free","text":"metalctl network\t - manage network entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_describe/#metalctl-size-imageconstraint-describe","page":"metalctl size imageconstraint describe","title":"metalctl size imageconstraint describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_describe/","page":"metalctl size imageconstraint describe","title":"metalctl size imageconstraint describe","text":"describes the imageconstraint","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_describe/","page":"metalctl size imageconstraint describe","title":"metalctl size imageconstraint describe","text":"metalctl size imageconstraint describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_describe/#Options","page":"metalctl size imageconstraint describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_describe/","page":"metalctl size imageconstraint describe","title":"metalctl size imageconstraint describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_describe/#Options-inherited-from-parent-commands","page":"metalctl size imageconstraint describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_describe/","page":"metalctl size imageconstraint describe","title":"metalctl size imageconstraint describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_describe/#SEE-ALSO","page":"metalctl size imageconstraint describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_describe/","page":"metalctl size imageconstraint describe","title":"metalctl size imageconstraint describe","text":"metalctl size imageconstraint\t - manage imageconstraint entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_consolepassword/#metalctl-machine-consolepassword","page":"metalctl machine consolepassword","title":"metalctl machine consolepassword","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_consolepassword/","page":"metalctl machine consolepassword","title":"metalctl machine consolepassword","text":"fetch the consolepassword for a machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_consolepassword/","page":"metalctl machine consolepassword","title":"metalctl machine consolepassword","text":"metalctl machine consolepassword [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_consolepassword/#Options","page":"metalctl machine consolepassword","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_consolepassword/","page":"metalctl machine consolepassword","title":"metalctl machine consolepassword","text":" -h, --help help for consolepassword\n --reason string a short description why access to the consolepassword is required","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_consolepassword/#Options-inherited-from-parent-commands","page":"metalctl machine consolepassword","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_consolepassword/","page":"metalctl machine consolepassword","title":"metalctl machine consolepassword","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_consolepassword/#SEE-ALSO","page":"metalctl machine consolepassword","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_consolepassword/","page":"metalctl machine consolepassword","title":"metalctl machine consolepassword","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/#metalctl-machine-power-bios","page":"metalctl machine power bios","title":"metalctl machine power bios","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/","page":"metalctl machine power bios","title":"metalctl machine power bios","text":"boot a machine into BIOS","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/#Synopsis","page":"metalctl machine power bios","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/","page":"metalctl machine power bios","title":"metalctl machine power bios","text":"the machine will boot into bios. (machine does not reboot automatically)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/","page":"metalctl machine power bios","title":"metalctl machine power bios","text":"metalctl machine power bios [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/#Options","page":"metalctl machine power bios","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/","page":"metalctl machine power bios","title":"metalctl machine power bios","text":" -h, --help help for bios","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/#Options-inherited-from-parent-commands","page":"metalctl machine power bios","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/","page":"metalctl machine power bios","title":"metalctl machine power bios","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/#SEE-ALSO","page":"metalctl machine power bios","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/","page":"metalctl machine power bios","title":"metalctl machine power bios","text":"metalctl machine power\t - manage machine power","category":"page"},{"location":"installation/updates/#Releases-and-Updates","page":"Releases and Updates","title":"Releases and Updates","text":"","category":"section"},{"location":"installation/updates/","page":"Releases and Updates","title":"Releases and Updates","text":"using Docs\n\nversion = releaseVersion()\n\nt = raw\"\"\"\nYour are currently reading the documentation for the metal-stack `%s` release.\n\"\"\"\n\nmarkdownTemplate(t, version)","category":"page"},{"location":"installation/updates/","page":"Releases and Updates","title":"Releases and Updates","text":"Releases and integration tests are published through our release repository. You can also find the release notes for this metal-stack version in there. The release notes contain information about new features, upgrade paths and bug fixes.","category":"page"},{"location":"installation/updates/","page":"Releases and Updates","title":"Releases and Updates","text":"A release is created in the following way:","category":"page"},{"location":"installation/updates/","page":"Releases and Updates","title":"Releases and Updates","text":"Individual repository maintainers within the metal-stack Github Org can publish a release of their component.\nThis release is automatically pushed to the develop branch of the release repository by the metal-robot.\nThe push triggers a small release integration test through the mini-lab.\nTo contribute components that are not directly part of the release vector, a pull request must be made against the develop branch of the release repository. Release maintainers may push directly to the develop branch.\nThe release maintainers can /freeze the develop branch, effectively stopping the metal-robot from pushing component releases to this branch.\nThe develop branch is tagged by a release maintainer with a -rc.x suffix to create a release candidate.\nThe release candidate must pass a large integration test suite on a real environment, which is currently run by FI-TS. It tests the entire machine provisioning engine including the integration with Gardener, the deployment, metal-images and Kubernetes conformance tests.\nIf the integration tests pass, the PR of the develop branch must be approved by at least two release maintainers.\nA release is created via Github releases, including all release notes, with a tag on the main branch.","category":"page"},{"location":"installation/updates/","page":"Releases and Updates","title":"Releases and Updates","text":"If you want, you can sign up at our Slack channel where we are announcing every new release. Often, we provide additional information for metal-stack administrators and adopters at this place, too.","category":"page"},{"location":"installation/updates/#Update-Policy","page":"Releases and Updates","title":"Update Policy","text":"","category":"section"},{"location":"installation/updates/","page":"Releases and Updates","title":"Releases and Updates","text":"For new features and breaking changes we create a new minor release of metal-stack. For every minor release we present excerpts of the changes in a corresponding blog article published on metal-stack.io.","category":"page"},{"location":"installation/updates/","page":"Releases and Updates","title":"Releases and Updates","text":"It is not strictly necessary to cycle through the patch releases if you depend on the pure metal-stack components. However, it is important to go through all the patch releases and apply all required actions from the release notes. Therefore, we recommend to just install every patch release one by one in order to minimize possible problems during the update process.","category":"page"},{"location":"installation/updates/","page":"Releases and Updates","title":"Releases and Updates","text":"In case you depend on the Gardener integration, especially when using metal-stack roles for deploying Gardener, we strongly recommend installing every patch release version. We increment our Gardener dependency version by version following the Gardener update policy. Jumping versions may lead to severe problems with the installation and should only be done if you really know what you are doing.","category":"page"},{"location":"installation/updates/","page":"Releases and Updates","title":"Releases and Updates","text":"info: Info\nIf you use the Gardener integration of metal-stack do not skip any patch releases. You may skip patch releases if you depend on metal-stack only, but we recommend to just deploy every patch release one by one for the best possible upgrade experience.","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn_key/#metalctl-vpn-key","page":"metalctl vpn key","title":"metalctl vpn key","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn_key/","page":"metalctl vpn key","title":"metalctl vpn key","text":"create an auth key","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn_key/#Synopsis","page":"metalctl vpn key","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn_key/","page":"metalctl vpn key","title":"metalctl vpn key","text":"create an auth key to connect to VPN","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn_key/","page":"metalctl vpn key","title":"metalctl vpn key","text":"metalctl vpn key [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn_key/#Examples","page":"metalctl vpn key","title":"Examples","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn_key/","page":"metalctl vpn key","title":"metalctl vpn key","text":"auth key for tailscale can be created by this command:\nmetalctl vpn key \\\n\t-- project cluster01\n","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn_key/#Options","page":"metalctl vpn key","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn_key/","page":"metalctl vpn key","title":"metalctl vpn key","text":" --ephemeral create an ephemeral key (default true)\n -h, --help help for key\n --project string project ID for which auth key should be created","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn_key/#Options-inherited-from-parent-commands","page":"metalctl vpn key","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn_key/","page":"metalctl vpn key","title":"metalctl vpn key","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn_key/#SEE-ALSO","page":"metalctl vpn key","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn_key/","page":"metalctl vpn key","title":"metalctl vpn key","text":"metalctl vpn\t - access VPN","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_edit/#metalctl-network-ip-edit","page":"metalctl network ip edit","title":"metalctl network ip edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_edit/","page":"metalctl network ip edit","title":"metalctl network ip edit","text":"edit the ip through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_edit/","page":"metalctl network ip edit","title":"metalctl network ip edit","text":"metalctl network ip edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_edit/#Options","page":"metalctl network ip edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_edit/","page":"metalctl network ip edit","title":"metalctl network ip edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_edit/#Options-inherited-from-parent-commands","page":"metalctl network ip edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_edit/","page":"metalctl network ip edit","title":"metalctl network ip edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_edit/#SEE-ALSO","page":"metalctl network ip edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_edit/","page":"metalctl network ip edit","title":"metalctl network ip edit","text":"metalctl network ip\t - manage ip entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/#metalctl-machine-identify-on","page":"metalctl machine identify on","title":"metalctl machine identify on","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/","page":"metalctl machine identify on","title":"metalctl machine identify on","text":"power on the machine chassis identify LED","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/#Synopsis","page":"metalctl machine identify on","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/","page":"metalctl machine identify on","title":"metalctl machine identify on","text":"set the machine chassis identify LED to on state","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/","page":"metalctl machine identify on","title":"metalctl machine identify on","text":"metalctl machine identify on [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/#Options","page":"metalctl machine identify on","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/","page":"metalctl machine identify on","title":"metalctl machine identify on","text":" -d, --description string description of the reason for chassis identify LED turn-on.\n -h, --help help for on","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/#Options-inherited-from-parent-commands","page":"metalctl machine identify on","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/","page":"metalctl machine identify on","title":"metalctl machine identify on","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/#SEE-ALSO","page":"metalctl machine identify on","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/","page":"metalctl machine identify on","title":"metalctl machine identify on","text":"metalctl machine identify\t - manage machine chassis identify LED power","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update/#metalctl-machine-update","page":"metalctl machine update","title":"metalctl machine update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update/","page":"metalctl machine update","title":"metalctl machine update","text":"updates the machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update/","page":"metalctl machine update","title":"metalctl machine update","text":"metalctl machine update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update/#Options","page":"metalctl machine update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update/","page":"metalctl machine update","title":"metalctl machine update","text":" --add-tags strings tags to be added to the machine [optional]\n --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n --description string the description of the machine [optional]\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl machine describe machine-1 -o yaml > machine.yaml\n $ vi machine.yaml\n $ # either via stdin\n $ cat machine.yaml | metalctl machine update -f -\n $ # or via file\n $ metalctl machine update -f machine.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --remove-tags strings tags to be removed from the machine [optional]\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update/#Options-inherited-from-parent-commands","page":"metalctl machine update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update/","page":"metalctl machine update","title":"metalctl machine update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update/#SEE-ALSO","page":"metalctl machine update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update/","page":"metalctl machine update","title":"metalctl machine update","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_describe/#metalctl-tenant-describe","page":"metalctl tenant describe","title":"metalctl tenant describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_describe/","page":"metalctl tenant describe","title":"metalctl tenant describe","text":"describes the tenant","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_describe/","page":"metalctl tenant describe","title":"metalctl tenant describe","text":"metalctl tenant describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_describe/#Options","page":"metalctl tenant describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_describe/","page":"metalctl tenant describe","title":"metalctl tenant describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_describe/#Options-inherited-from-parent-commands","page":"metalctl tenant describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_describe/","page":"metalctl tenant describe","title":"metalctl tenant describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_describe/#SEE-ALSO","page":"metalctl tenant describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_describe/","page":"metalctl tenant describe","title":"metalctl tenant describe","text":"metalctl tenant\t - manage tenant entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues/#metalctl-machine-issues","page":"metalctl machine issues","title":"metalctl machine issues","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_issues/","page":"metalctl machine issues","title":"metalctl machine issues","text":"display machines which are in a potential bad state","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues/#Synopsis","page":"metalctl machine issues","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_issues/","page":"metalctl machine issues","title":"metalctl machine issues","text":"display machines which are in a potential bad state","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues/","page":"metalctl machine issues","title":"metalctl machine issues","text":"Meaning of the emojis:","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues/","page":"metalctl machine issues","title":"metalctl machine issues","text":"🚧 Machine is reserved. Reserved machines are not considered for random allocation until the reservation flag is removed. 🔒 Machine is locked. Locked machines can not be deleted until the lock is removed. 💀 Machine is dead. The metal-api does not receive any events from this machine. ❗ Machine has a last event error. The machine has recently encountered an error during the provisioning lifecycle. ❓ Machine is in unknown condition. The metal-api does not receive phoned home events anymore or has never booted successfully. ⭕ Machine is in a provisioning crash loop. Flag can be reset through an API-triggered reboot or when the machine reaches the phoned home state. 🚑 Machine reclaim has failed. The machine was deleted but it is not going back into the available machine pool. 🛡 Machine is connected to our VPN, ssh access only possible via this VPN.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues/","page":"metalctl machine issues","title":"metalctl machine issues","text":"metalctl machine issues [] [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues/#Options","page":"metalctl machine issues","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_issues/","page":"metalctl machine issues","title":"metalctl machine issues","text":" --bmc-address string bmc ipmi address (needs to include port) to filter [optional]\n --bmc-mac string bmc mac address to filter [optional]\n --board-part-number string fru board part number to filter [optional]\n -h, --help help for issues\n --hostname string allocation hostname to filter [optional]\n --id string ID to filter [optional]\n --image string allocation image to filter [optional]\n --last-event-error-threshold duration the duration up to how long in the past a machine last event error will be counted as an issue [optional]\n --mac string mac to filter [optional]\n --manufacturer string fru manufacturer to filter [optional]\n --name string allocation name to filter [optional]\n --network-destination-prefixes string network destination prefixes to filter [optional]\n --network-ids string network ids to filter [optional]\n --network-ips string network ips to filter [optional]\n --omit strings issue types to omit [optional]\n --only strings issue types to include [optional]\n --partition string partition to filter [optional]\n --product-part-number string fru product part number to filter [optional]\n --product-serial string fru product serial to filter [optional]\n --project string allocation project to filter [optional]\n --rack string rack to filter [optional]\n --role string allocation role to filter [optional]\n --severity string issue severity to include [optional]\n --size string size to filter [optional]\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: age|bios|bmc|event|id|liveliness|partition|project|rack|size|when\n --state string state to filter [optional]\n --tags strings tags to filter, use it like: --tags \"tag1,tag2\" or --tags \"tag3\".","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues/#Options-inherited-from-parent-commands","page":"metalctl machine issues","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_issues/","page":"metalctl machine issues","title":"metalctl machine issues","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues/#SEE-ALSO","page":"metalctl machine issues","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_issues/","page":"metalctl machine issues","title":"metalctl machine issues","text":"metalctl machine\t - manage machine entities\nmetalctl machine issues list\t - list all machine issues that the metal-api can evaluate","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port/#metalctl-switch-port","page":"metalctl switch port","title":"metalctl switch port","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port/","page":"metalctl switch port","title":"metalctl switch port","text":"sets the given switch port state up or down","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port/#Options","page":"metalctl switch port","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port/","page":"metalctl switch port","title":"metalctl switch port","text":" -h, --help help for port\n --port string the port to be changed.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port/#Options-inherited-from-parent-commands","page":"metalctl switch port","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port/","page":"metalctl switch port","title":"metalctl switch port","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port/#SEE-ALSO","page":"metalctl switch port","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port/","page":"metalctl switch port","title":"metalctl switch port","text":"metalctl switch\t - manage switch entities\nmetalctl switch port describe\t - gets the given switch port state\nmetalctl switch port down\t - sets the given switch port state down\nmetalctl switch port up\t - sets the given switch port state up","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/#metalctl-switch-port-describe","page":"metalctl switch port describe","title":"metalctl switch port describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/","page":"metalctl switch port describe","title":"metalctl switch port describe","text":"gets the given switch port state","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/#Synopsis","page":"metalctl switch port describe","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/","page":"metalctl switch port describe","title":"metalctl switch port describe","text":"shows the current actual and desired state of the port of the given switch.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/","page":"metalctl switch port describe","title":"metalctl switch port describe","text":"metalctl switch port describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/#Options","page":"metalctl switch port describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/","page":"metalctl switch port describe","title":"metalctl switch port describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/#Options-inherited-from-parent-commands","page":"metalctl switch port describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/","page":"metalctl switch port describe","title":"metalctl switch port describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --port string the port to be changed.\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/#SEE-ALSO","page":"metalctl switch port describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/","page":"metalctl switch port describe","title":"metalctl switch port describe","text":"metalctl switch port\t - sets the given switch port state up or down","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_update/#metalctl-tenant-update","page":"metalctl tenant update","title":"metalctl tenant update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_update/","page":"metalctl tenant update","title":"metalctl tenant update","text":"updates the tenant","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_update/","page":"metalctl tenant update","title":"metalctl tenant update","text":"metalctl tenant update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_update/#Options","page":"metalctl tenant update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_update/","page":"metalctl tenant update","title":"metalctl tenant update","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl tenant describe tenant-1 -o yaml > tenant.yaml\n $ vi tenant.yaml\n $ # either via stdin\n $ cat tenant.yaml | metalctl tenant update -f -\n $ # or via file\n $ metalctl tenant update -f tenant.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_update/#Options-inherited-from-parent-commands","page":"metalctl tenant update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_update/","page":"metalctl tenant update","title":"metalctl tenant update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_update/#SEE-ALSO","page":"metalctl tenant update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_update/","page":"metalctl tenant update","title":"metalctl tenant update","text":"metalctl tenant\t - manage tenant entities","category":"page"},{"location":"external/csi-driver-lvm/CONTRIBUTING/#Contributing","page":"Contributing","title":"Contributing","text":"","category":"section"},{"location":"external/csi-driver-lvm/CONTRIBUTING/","page":"Contributing","title":"Contributing","text":"Please check out the contributing section in our docs.","category":"page"},{"location":"external/metalctl/docs/metalctl_logout/#metalctl-logout","page":"metalctl logout","title":"metalctl logout","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_logout/","page":"metalctl logout","title":"metalctl logout","text":"logout user from OIDC SSO session","category":"page"},{"location":"external/metalctl/docs/metalctl_logout/","page":"metalctl logout","title":"metalctl logout","text":"metalctl logout [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_logout/#Options","page":"metalctl logout","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_logout/","page":"metalctl logout","title":"metalctl logout","text":" -h, --help help for logout","category":"page"},{"location":"external/metalctl/docs/metalctl_logout/#Options-inherited-from-parent-commands","page":"metalctl logout","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_logout/","page":"metalctl logout","title":"metalctl logout","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_logout/#SEE-ALSO","page":"metalctl logout","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_logout/","page":"metalctl logout","title":"metalctl logout","text":"metalctl\t - a cli to manage entities in the metal-stack api","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_delete/#metalctl-partition-delete","page":"metalctl partition delete","title":"metalctl partition delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_delete/","page":"metalctl partition delete","title":"metalctl partition delete","text":"deletes the partition","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_delete/","page":"metalctl partition delete","title":"metalctl partition delete","text":"metalctl partition delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_delete/#Options","page":"metalctl partition delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_delete/","page":"metalctl partition delete","title":"metalctl partition delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl partition describe partition-1 -o yaml > partition.yaml\n $ vi partition.yaml\n $ # either via stdin\n $ cat partition.yaml | metalctl partition delete -f -\n $ # or via file\n $ metalctl partition delete -f partition.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_delete/#Options-inherited-from-parent-commands","page":"metalctl partition delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_delete/","page":"metalctl partition delete","title":"metalctl partition delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_delete/#SEE-ALSO","page":"metalctl partition delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_delete/","page":"metalctl partition delete","title":"metalctl partition delete","text":"metalctl partition\t - manage partition entities","category":"page"},{"location":"external/metalctl/docs/metalctl_project_create/#metalctl-project-create","page":"metalctl project create","title":"metalctl project create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_create/","page":"metalctl project create","title":"metalctl project create","text":"creates the project","category":"page"},{"location":"external/metalctl/docs/metalctl_project_create/","page":"metalctl project create","title":"metalctl project create","text":"metalctl project create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_project_create/#Options","page":"metalctl project create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_create/","page":"metalctl project create","title":"metalctl project create","text":" --annotation strings add initial annotation, must be in the form of key=value, can be given multiple times to add multiple annotations, e.g. --annotation key=value --annotation foo=bar\n --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n --cluster-quota int32 cluster quota\n --description string description of the project.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl project describe project-1 -o yaml > project.yaml\n $ vi project.yaml\n $ # either via stdin\n $ cat project.yaml | metalctl project create -f -\n $ # or via file\n $ metalctl project create -f project.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for create\n --ip-quota int32 ip quota\n --label strings add initial label, can be given multiple times to add multiple labels, e.g. --label=foo --label=bar\n --machine-quota int32 machine quota\n --name string name of the project, max 10 characters.\n --skip-security-prompts skips security prompt for bulk operations\n --tenant string create project for given tenant\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_project_create/#Options-inherited-from-parent-commands","page":"metalctl project create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_create/","page":"metalctl project create","title":"metalctl project create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_project_create/#SEE-ALSO","page":"metalctl project create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_create/","page":"metalctl project create","title":"metalctl project create","text":"metalctl project\t - manage project entities","category":"page"},{"location":"overview/isolated-kubernetes/#Isolated-Kubernetes-Clusters","page":"Isolated Kubernetes","title":"Isolated Kubernetes Clusters","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Pages = [\"isolated-kubernetes.md\"]\nDepth = 5","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Some customers have the need to run their workloads in a very restricted environment. These restrictions are driven by regulatory requirements in some industries such as finance, healthcare, energy and more. Regulatory requirements often mandate that the workload must not be exposed to the public internet, nor is capable to reach the public internet in any case.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"For this purpose we implemented a possibility to start Kubernetes clusters in such a manner. This is referred to as cluster isolation.","category":"page"},{"location":"overview/isolated-kubernetes/#Design-Choices","page":"Isolated Kubernetes","title":"Design Choices","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"When talking about highly secure Kubernetes environments people often raise the term \"Air Gapped Cluster\". This would mean that no physical connection exists between the Kubernetes control plane and the Kubernetes worker nodes with the outside world. This requirement exists in extreme environments such as ships, moon bases or nuclear plants. The effort to produce this in a completely automated manner is extremely challenging.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"We decided to follow a different approach which is more practical, still very secure but much simpler to implement and operate. The solution we created is called \"Isolated Cluster\" which means that there are still physical connections between the Kubernetes cluster, but guarded to prohibit malicious traffic. It is also not possible to enable malicious traffic by accident, e.g. if a cluster user configures network policies or load balancers to untrusted environments.","category":"page"},{"location":"overview/isolated-kubernetes/#Network-Design","page":"Isolated Kubernetes","title":"Network Design","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"In order to be able to restrict ingress and egress internet traffic, but still make it possible to create a working Kubernetes cluster we implemented the following network design.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"All strictly required container images are mirrored to a registry which is only accessible from the Kubernetes clusters.\nDNS and NTP servers are produced alongside the registry.\nThe containerd configuration on every worker node is configured to pull all of the strictly required container images from this private registry mirror.\nDNS and NTP configuration is also adopted to use the DNS and NTP servers on this private environment.\nA list of networks which are allowed to reach is managed, this list reflects the networks of the cloud provider and is not modifiable by the cluster user. This list usually contains the internet prefixes of the provider and one or more RFC address ranges.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"(Image: Network Design)","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Users are advised to attach an additional network to the Kubernetes cluster in order to be able to pull container images for the application workloads from private registries.","category":"page"},{"location":"overview/isolated-kubernetes/#Strictly-Required-Container-Images","page":"Isolated Kubernetes","title":"Strictly Required Container Images","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"In general the creation of a Kubernetes cluster requires the ability to pull container images for several applications which are necessary to make a machine a Kubernetes worker node. To mention the most important:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Kubelet: the main controller on each worker node to manage the workload\nCNI (Container Network Interface): controller and daemon set to setup and run the container networking\nCSI (Container Storage Interface): controller and daemon set to setup and run the container storage\nCoreDNS: DNS for containers\nMetalLB: Service Type LoadBalancer Implementation\nnode-exporter and metrics-server: Monitoring for the worker node\nMetal-Stack Addons: for firewall and auditing events","category":"page"},{"location":"overview/isolated-kubernetes/#Flavors","page":"Isolated Kubernetes","title":"Flavors","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"With the introduction of Isolated Kubernetes Clusters, cluster users must decide upon cluster creation which type of isolation he needs for his workload. There are three different flavours available:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Internet access baseline: This is the default cluster creation mode, which does not change any aspects of network and registry access.\nInternet access forbidden: No internet access is possible, neither ingress nor egress.\nInternet access restricted: No internet access is possible, neither ingress nor egress, but can be enabled by the cluster user.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Please see the detailed description of these flavors below.","category":"page"},{"location":"overview/isolated-kubernetes/#Cluster-Wide-Network-Policies-CWNP","page":"Isolated Kubernetes","title":"Cluster Wide Network Policies CWNP","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"To restrict which egress traffic is allowed, Custom Resources ClusterWideNetworkPolicy are deployed and can be deployed by the cluster user. The set of deployed CWNPs differs between baseline and forbidden/restricted.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"baseline CWNPs:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Rule Name Destination Purpose\nallow-to-http 0.0.0.0/0 egress via http\nallow-to-https 0.0.0.0/0 egress via https\nallow-to-apiserver IP of the Kubernetes API Server on the control plane API Server communication of kubelet and other controllers\nallow-to-dns IP of the Google DNS Servers DNS resolution from the Kubernetes worker nodes and containers\nallow-to-ntp IP of the Cloudflare NTP Servers Time synchronization\nallow-to-storage network of the container storage persistent volumes with the cni driver\nallow-to-vpn IP of the vpn endpoint on the control plane allow communication from the api server to the kubelet for container logs and container exec","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"forbidden and restricted CWNPs:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Rule Name Destination Purpose\nallow-to-apiserver IP of the Kubernetes API Server on the control plane API Server communication of kubelet and other controllers\nallow-to-dns IP of the private DNS Server DNS resolution from the Kubernetes worker nodes and containers\nallow-to-ntp IP of the private NTP Server Time synchronization\nallow-to-registry IP of the private Registry Mirror Pulling strictly required container images\nallow-to-storage network of the container storage persistent volumes with the cni driver\nallow-to-vpn IP of the vpn endpoint on the control plane allow communication from the api server to the kubelet for container logs and container exec","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"All of these CWNPs are managed by the gardener-extension-provider-metal, every manual modification will be reverted immediately.","category":"page"},{"location":"overview/isolated-kubernetes/#Internet-Access-Baseline","page":"Isolated Kubernetes","title":"Internet Access Baseline","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"This is the default configuration of a Kubernetes cluster, egress traffic is controlled by multiple CWNPs (ClusterWideNetworkPolicy), ingress traffic is possible by deploying a Service Type LoadBalancer. The cluster user can add additional CWNPs without any restrictions and is responsible for them.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Container images can be pulled from any reachable container registry. The containerd is not reconfigured to point to our private registry mirror.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"DNS and NTP are configured to internet DNS resolvers and NTP servers.","category":"page"},{"location":"overview/isolated-kubernetes/#Internet-Access-Forbidden","page":"Isolated Kubernetes","title":"Internet Access Forbidden","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"This configuration can only be achieved by creating a new Kubernetes cluster, it is not possible to modify a existing cluster (with internet access baseline or restricted) to this configuration. It is also required to specify the most recent version of Kubernetes, older versions of Kubernetes are not supported.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Every network access modification triggered by a cluster user, either by adding or modifying CWNPs or adding a Service Type LoadBalancer, is validated against the list of allowed networks.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"containerd is configured so that all required images are pulled from the private registry mirror. This registry contains only the strictly required images, therefore no additional (workload) images can be pulled from public registries.","category":"page"},{"location":"overview/isolated-kubernetes/#Egress-traffic","page":"Isolated Kubernetes","title":"Egress traffic","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Egress traffic is only allowed to the private registry mirror and the DNS and NTP servers. Additional CWNPs can be added to reach destinations in the internal networks if specified. If a CWNP was created which points to a destination outside of the allowed networks, the CWNP will still be present but stays in the status ignored.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"> kubectl get clusterwidenetworkpolicies.metal-stack.io\nNAME STATUS MESSAGE\nallow-to-apiserver deployed\nallow-to-dns deployed\nallow-to-ntp deployed\nallow-to-registry deployed\nallow-to-storage deployed\nallow-to-vpn deployed\nallow-to-google ignored ingress/egress does not match allowed networks","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Also an event is created which describes why the CWNP was ignored:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"> kubectl get events\n5s Warning ForbiddenCIDR clusterwidenetworkpolicy/allow-to-google address:\"8.8.8.8/32\" is outside of the allowed network range:\"10.0.0.0/8,100.64.0.0/10,212.34.83.0/27\", ignoring","category":"page"},{"location":"overview/isolated-kubernetes/#Ingress-traffic","page":"Isolated Kubernetes","title":"Ingress traffic","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Ingress traffic is only allowed from the internal networks if specified. To specify the address where the Service Type LoadBalancer is listening to, the cluster user must use one of his statically acquired ip addresses. Of course, this ip address is only considered if it is contained in the list of allowed networks. Then this ip address must be configured in the service:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"apiVersion: v1\nkind: Service\nspec:\n type: LoadBalancer\n loadBalancerIP: 10.1.1.1 # ip from the internal network","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"By default, no ip address will be automatically selected for such clusters and the ip of the service will stay in pending mode until the ip was specified as shown above.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"> kubectl get svc\nNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE\nexample-service LoadBalancer 10.244.75.171 443:32179/TCP 4s\n\n> kubectl get events\n8s Warning AllocationFailed service/example-service Failed to allocate IP for \"default/example-service\": no available IPs\n3s Warning SyncLoadBalancerFailed service/example-service Error syncing load balancer: failed to ensure load balancer: no default network for ip acquisition specified, acquire an ip for your cluster's project and specify it directly in \"spec.loadBalancerIP\"","category":"page"},{"location":"overview/isolated-kubernetes/#Internet-Access-Restricted","page":"Isolated Kubernetes","title":"Internet Access Restricted","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"This configuration can only be achieved by creating a new Kubernetes cluster, it is not possible to modify a existing cluster (with internet access baseline or forbidden) to this configuration. It is also required to specify the most recent version of Kubernetes, older versions of Kubernetes are not supported.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"The same default CWNPs are deployed and the container images are pulled from the private registry. Also DNS and NTP are configured to use the private DNS and NTP servers. The only difference to the forbidden mode is that CWNPs and Service Type LoadBalancers can be created without the restriction that only allowed networks are allowed.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Pulling container images is theoretically possible if a cluster user creates a CWNP which allows network access to an external registry. But most container registries serve the container images from large CDN networks, which have a lot of ip addresses. Simply adding the ip address of docker.io is therefore not sufficient.","category":"page"},{"location":"overview/isolated-kubernetes/#Application-Container-Images","page":"Isolated Kubernetes","title":"Application Container Images","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"In order to deploy application containers into a cluster with Internet Access forbidden a private registry must be provided. This private registry must be located in the list of allowed networks. The DNS name of the registry must resolve in the public DNS servers. The registry must be secured with a TLS certificate that is also valid with the CA certificates from the worker node, e.g. vanilla debian ca-certificates.","category":"page"},{"location":"overview/isolated-kubernetes/#Implementation","page":"Isolated Kubernetes","title":"Implementation","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"To achieve this functionality modifications have been implemented in various components in metal-stack, this includes:","category":"page"},{"location":"overview/isolated-kubernetes/#Gardener-Extension-Provider-Metal","page":"Isolated Kubernetes","title":"Gardener Extension Provider Metal","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"The ControlPlane API is adopted to enable a user to configure a shoot with the internet access type forbidden or restricted. The CloudProfile can now be extended to carry the list of allowed networks, the dns and ntp servers, the registry with the mirrored registries.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"ControlPlane:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"// ControlPlaneConfig contains configuration settings for the control plane.\ntype ControlPlaneConfig struct {\n metav1.TypeMeta\n\n // NetworkAccessType defines how the cluster can reach external networks.\n // +optional\n NetworkAccessType *NetworkAccessType\n}\ntype (\n // NetworkAccessType defines how a cluster is capable of accessing external networks\n NetworkAccessType string\n)\n\nconst (\n // NetworkAccessBaseline allows the cluster to access external networks in a baseline manner\n NetworkAccessBaseline = NetworkAccessType(\"baseline\")\n // NetworkAccessRestricted access to external networks is by default restricted to registries, dns and ntp to partition only destinations.\n // Therefore registries, dns and ntp destinations must be specified in the cloud-profile accordingly.\n // If this is not the case, restricting the access must not be possible.\n // Image overrides for all images which are required to create such a shoot, must be specified. No other images are provided in the given registry.\n // customers can define own rules to access external networks as in the baseline.\n // Service type LoadBalancers are also not restricted.\n NetworkAccessRestricted = NetworkAccessType(\"restricted\")\n // NetworkAccessForbidden in this configuration a customer can no longer create rules to access external networks.\n // which are outside of a given list of allowed networks. This is enforced by the firewall.\n // Service type LoadBalancers are also not possible to open a service ip which is not in the list of allowed networks.\n // This is also enforced by the firewall.\n NetworkAccessForbidden = NetworkAccessType(\"forbidden\")\n)","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"A sample Shoot Spec:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"---\napiVersion: core.gardener.cloud/v1beta1\nkind: Shoot\nmetadata:\n name: isolated\n namespace: sample\nspec:\n provider:\n type: metal\n controlPlaneConfig:\n networkAccessType: forbidden\n...","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"CloudProfile:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"type NetworkIsolation struct {\n // AllowedNetworks is a list of networks which are allowed to connect in restricted or forbidden NetworkIsolated clusters.\n AllowedNetworks AllowedNetworks\n // DNSServers\n DNSServers []string\n // NTPServers\n NTPServers []string\n // The registry which serves the images required to create a shoot.\n RegistryMirrors []RegistryMirror\n}\n\n// AllowedNetworks is a list of networks which are allowed to connect in restricted or forbidden NetworkIsolated clusters.\ntype AllowedNetworks struct {\n // Ingress defines a list of networks which are allowed for incoming traffic like service type LoadBalancer\n // to allow all you must specify 0.0.0.0/0 or ::/0\n Ingress []string\n // Egress defines a list of networks which are allowed for outgoing traffic\n // to allow all you must specify 0.0.0.0/0 or ::/0\n Egress []string\n}\n\ntype RegistryMirror struct {\n // Name describes this server\n Name string\n // Endpoint is typically the url of the registry in the form https://hostname\n Endpoint string\n // IP is the ipv4 or ipv6 address of this server\n IP string\n // Port at which port the service is reachable\n Port int32\n // This Registry Mirror mirrors the following registries\n MirrorOf []string \n}","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"A sample configuration in the CloudProfile would look like:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":" network-isolation:\n allowedNetworks:\n egress:\n - 1.2.3.0/24 # Internet CIDR of the Provider\n - 100.64.0.0/10\n - 10.0.0.0/8\n ingress:\n - 100.64.0.0/10\n dnsServers:\n - \"1.2.3.1\"\n - \"1.2.3.2\"\n - \"1.2.3.3\"\n ntpServers:\n - \"1.2.3.1\"\n - \"1.2.3.2\"\n - \"1.2.3.3\"\n registryMirrors:\n - name: test registry\n endpoint: https://some.private.registry\n ip: \"1.2.3.4\"\n port: 443\n mirrorOf:\n - \"docker.io\"\n - \"quay.io\"\n - \"eu.gcr.io\"\n - \"ghcr.io\"\n - \"registry.k8s.io\"","category":"page"},{"location":"overview/isolated-kubernetes/#OS-Metal-Extension","page":"Isolated Kubernetes","title":"OS Metal Extension","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Based on the configuration of a cluster the configuration of the containerd must be changed to pull images from the private registry mirror. If a cluster is either configured with restricted or forbidden, the configuration of containerd will be created as such:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"config.toml","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"# Generated by os-extension-metal\nversion = 2\nimports = [\"/etc/containerd/conf.d/*.toml\"]\n\ndisabled_plugins = []\n[plugins.\"io.containerd.grpc.v1.cri\".registry]\n config_path = \"/etc/containerd/certs.d\"","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"And for every registry mirror an additional certs.d/$HOST/hosts.yaml will be created. This is in line with Gardener's containerd Registry Configuration.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"# certs.d/docker.io/hosts.yaml\n\nserver = \"https://docker.io\"\n[host.\"https://some.private.registry\"]\n capabilities = [\"pull\", \"resolve\"]","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"DNS and NTP must also be adopted according to the configuration in the CloudProfile.","category":"page"},{"location":"overview/isolated-kubernetes/#Firewall-Controller-Manager-and-Firewall-Controller","page":"Isolated Kubernetes","title":"Firewall Controller Manager and Firewall Controller","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"The Firewall Controller Manager has extended the FirewallSpec to configure the Firewall Controller which must enforce the restrictions regarding allowed networks.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"// FirewallSpec defines parameters for the firewall creation along with configuration for the firewall-controller.\ntype FirewallSpec struct {\n // AllowedNetworks defines which networks are allowed to connect to, and allow incoming traffic from.\n // Is enforced with NetworkAccessForbidden.\n // The node network is always allowed.\n AllowedNetworks AllowedNetworks `json:\"allowedNetworks,omitempty\"`\n}\n\n// AllowedNetworks is a list of networks which are allowed to connect when NetworkAccessType is NetworkAccessForbidden.\ntype AllowedNetworks struct {\n // Ingress defines a list of cidrs which are allowed for incoming traffic like service type LoadBalancer\n Ingress []string `json:\"ingress,omitempty\"`\n // Egress defines a list of cidrs which are allowed for outgoing traffic\n Egress []string `json:\"egress,omitempty\"`\n}","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Also the ClusterwideNetworkPolicy in the Firewall Controller was changed to show the deployment status of a CWNP.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"\ntype ClusterwideNetworkPolicy struct {\n metav1.TypeMeta `json:\",inline\"`\n metav1.ObjectMeta `json:\"metadata,omitempty\"` \n\n Spec PolicySpec `json:\"spec,omitempty\"`\n Status PolicyStatus `json:\"status,omitempty\"`\n}\n\n// PolicyDeploymentState describes the state of a CWNP deployment\ntype PolicyDeploymentState string\n\nconst (\n // PolicyDeploymentStateDeployed the CWNP was deployed to a native nftable rule\n PolicyDeploymentStateDeployed = PolicyDeploymentState(\"deployed\")\n // PolicyDeploymentStateIgnored the CWNP was not deployed to a native nftable rule because it is outside of the allowed networks\n PolicyDeploymentStateIgnored = PolicyDeploymentState(\"ignored\")\n)\n\n// PolicyStatus defines the observed state for CWNP resource\ntype PolicyStatus struct {\n // FQDNState stores mapping from FQDN rules to nftables sets used for a firewall rule.\n // Key is either MatchName or MatchPattern\n // +optional\n FQDNState FQDNState `json:\"fqdn_state,omitempty\"` \n // State of the CWNP, can be either deployed or ignored\n State PolicyDeploymentState `json:\"state\"` \n // Message describe why the state changed\n Message string `json:\"message,omitempty\"`\n}","category":"page"},{"location":"overview/isolated-kubernetes/#Cloud-Controller-Manager","page":"Isolated Kubernetes","title":"Cloud Controller Manager","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"This component was adopted to allow to be started without a default network specified. This was actually always the internet network and if no ip address was specified in the Service Type LoadBalancer, one ip was allocated from this default network. For isolated clusters this is not provided and a cluster user must always specify this ip to get a working load balancer.","category":"page"},{"location":"overview/isolated-kubernetes/#OCI-Mirror","page":"Isolated Kubernetes","title":"OCI Mirror","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"The OCI Mirror is a new application which acts as a scheduled job that pulls a given list of container images and pushes them to a private registry (which will then serve as the private registry mirror). The detailed description can be read on the project website.","category":"page"},{"location":"overview/isolated-kubernetes/#Related-Pull-Requests","page":"Isolated Kubernetes","title":"Related Pull Requests","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Gardener Extension Provider\nFirewall Controller Manager\nFirewall Controller\nOS Metal Extension\nMetal Cloud Controller Manager\nMetal Networker\nMetal Images\nOCI Mirror","category":"page"},{"location":"external/metalctl/docs/metalctl_partition/#metalctl-partition","page":"metalctl partition","title":"metalctl partition","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition/","page":"metalctl partition","title":"metalctl partition","text":"manage partition entities","category":"page"},{"location":"external/metalctl/docs/metalctl_partition/#Synopsis","page":"metalctl partition","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition/","page":"metalctl partition","title":"metalctl partition","text":"a partition is a failure domain in the data center.","category":"page"},{"location":"external/metalctl/docs/metalctl_partition/#Options","page":"metalctl partition","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition/","page":"metalctl partition","title":"metalctl partition","text":" -h, --help help for partition","category":"page"},{"location":"external/metalctl/docs/metalctl_partition/#Options-inherited-from-parent-commands","page":"metalctl partition","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition/","page":"metalctl partition","title":"metalctl partition","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_partition/#SEE-ALSO","page":"metalctl partition","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition/","page":"metalctl partition","title":"metalctl partition","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl partition apply\t - applies one or more partitions from a given file\nmetalctl partition capacity\t - show partition capacity\nmetalctl partition create\t - creates the partition\nmetalctl partition delete\t - deletes the partition\nmetalctl partition describe\t - describes the partition\nmetalctl partition edit\t - edit the partition through an editor and update\nmetalctl partition list\t - list all partitions\nmetalctl partition update\t - updates the partition","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_apply/#metalctl-filesystemlayout-apply","page":"metalctl filesystemlayout apply","title":"metalctl filesystemlayout apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_apply/","page":"metalctl filesystemlayout apply","title":"metalctl filesystemlayout apply","text":"applies one or more filesystemlayouts from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_apply/","page":"metalctl filesystemlayout apply","title":"metalctl filesystemlayout apply","text":"metalctl filesystemlayout apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_apply/#Options","page":"metalctl filesystemlayout apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_apply/","page":"metalctl filesystemlayout apply","title":"metalctl filesystemlayout apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl filesystemlayout describe filesystemlayout-1 -o yaml > filesystemlayout.yaml\n $ vi filesystemlayout.yaml\n $ # either via stdin\n $ cat filesystemlayout.yaml | metalctl filesystemlayout apply -f -\n $ # or via file\n $ metalctl filesystemlayout apply -f filesystemlayout.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_apply/#Options-inherited-from-parent-commands","page":"metalctl filesystemlayout apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_apply/","page":"metalctl filesystemlayout apply","title":"metalctl filesystemlayout apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_apply/#SEE-ALSO","page":"metalctl filesystemlayout apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_apply/","page":"metalctl filesystemlayout apply","title":"metalctl filesystemlayout apply","text":"metalctl filesystemlayout\t - manage filesystemlayout entities","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/#metalctl-switch-connected-machines","page":"metalctl switch connected-machines","title":"metalctl switch connected-machines","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/","page":"metalctl switch connected-machines","title":"metalctl switch connected-machines","text":"shows switches with their connected machines","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/","page":"metalctl switch connected-machines","title":"metalctl switch connected-machines","text":"metalctl switch connected-machines [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/#Examples","page":"metalctl switch connected-machines","title":"Examples","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/","page":"metalctl switch connected-machines","title":"metalctl switch connected-machines","text":"The command will show the machines connected to the switch ports.\n\nCan also be used with -o template in order to generate CSV-style output:\n\n$ metalctl switch connected-machines -o template --template '{{ $machines := .machines }}{{ range .switches }}{{ $switch := . }}{{ range .connections }}{{ $switch.id }},{{ $switch.rack_id }},{{ .nic.name }},{{ .machine_id }},{{ (index $machines .machine_id).ipmi.fru.product_serial }}{{ printf \"\\n\" }}{{ end }}{{ end }}'\nr01leaf01,swp1,f78cc340-e5e8-48ed-8fe7-2336c1e2ded2,\nr01leaf01,swp2,44e3a522-5f48-4f3c-9188-41025f9e401e,\n...\n","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/#Options","page":"metalctl switch connected-machines","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/","page":"metalctl switch connected-machines","title":"metalctl switch connected-machines","text":" -h, --help help for connected-machines\n --id string ID of the switch.\n --machine-id string The id of the connected machine, ignores size flag if set.\n --name string Name of the switch.\n --os-vendor string OS vendor of this switch.\n --os-version string OS version of this switch.\n --partition string Partition of this switch.\n --rack string Rack of this switch.\n --size string Size of the connected machines.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/#Options-inherited-from-parent-commands","page":"metalctl switch connected-machines","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/","page":"metalctl switch connected-machines","title":"metalctl switch connected-machines","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/#SEE-ALSO","page":"metalctl switch connected-machines","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/","page":"metalctl switch connected-machines","title":"metalctl switch connected-machines","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_create/#metalctl-filesystemlayout-create","page":"metalctl filesystemlayout create","title":"metalctl filesystemlayout create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_create/","page":"metalctl filesystemlayout create","title":"metalctl filesystemlayout create","text":"creates the filesystemlayout","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_create/","page":"metalctl filesystemlayout create","title":"metalctl filesystemlayout create","text":"metalctl filesystemlayout create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_create/#Options","page":"metalctl filesystemlayout create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_create/","page":"metalctl filesystemlayout create","title":"metalctl filesystemlayout create","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl filesystemlayout describe filesystemlayout-1 -o yaml > filesystemlayout.yaml\n $ vi filesystemlayout.yaml\n $ # either via stdin\n $ cat filesystemlayout.yaml | metalctl filesystemlayout create -f -\n $ # or via file\n $ metalctl filesystemlayout create -f filesystemlayout.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for create\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_create/#Options-inherited-from-parent-commands","page":"metalctl filesystemlayout create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_create/","page":"metalctl filesystemlayout create","title":"metalctl filesystemlayout create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_create/#SEE-ALSO","page":"metalctl filesystemlayout create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_create/","page":"metalctl filesystemlayout create","title":"metalctl filesystemlayout create","text":"metalctl filesystemlayout\t - manage filesystemlayout entities","category":"page"},{"location":"external/metalctl/docs/metalctl_project_delete/#metalctl-project-delete","page":"metalctl project delete","title":"metalctl project delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_delete/","page":"metalctl project delete","title":"metalctl project delete","text":"deletes the project","category":"page"},{"location":"external/metalctl/docs/metalctl_project_delete/","page":"metalctl project delete","title":"metalctl project delete","text":"metalctl project delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_project_delete/#Options","page":"metalctl project delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_delete/","page":"metalctl project delete","title":"metalctl project delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl project describe project-1 -o yaml > project.yaml\n $ vi project.yaml\n $ # either via stdin\n $ cat project.yaml | metalctl project delete -f -\n $ # or via file\n $ metalctl project delete -f project.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_project_delete/#Options-inherited-from-parent-commands","page":"metalctl project delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_delete/","page":"metalctl project delete","title":"metalctl project delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_project_delete/#SEE-ALSO","page":"metalctl project delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_delete/","page":"metalctl project delete","title":"metalctl project delete","text":"metalctl project\t - manage project entities","category":"page"},{"location":"external/metalctl/docs/metalctl_image_apply/#metalctl-image-apply","page":"metalctl image apply","title":"metalctl image apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_apply/","page":"metalctl image apply","title":"metalctl image apply","text":"applies one or more images from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_image_apply/","page":"metalctl image apply","title":"metalctl image apply","text":"metalctl image apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_image_apply/#Options","page":"metalctl image apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_apply/","page":"metalctl image apply","title":"metalctl image apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl image describe image-1 -o yaml > image.yaml\n $ vi image.yaml\n $ # either via stdin\n $ cat image.yaml | metalctl image apply -f -\n $ # or via file\n $ metalctl image apply -f image.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_image_apply/#Options-inherited-from-parent-commands","page":"metalctl image apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_apply/","page":"metalctl image apply","title":"metalctl image apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_image_apply/#SEE-ALSO","page":"metalctl image apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_apply/","page":"metalctl image apply","title":"metalctl image apply","text":"metalctl image\t - manage image entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network_list/#metalctl-network-list","page":"metalctl network list","title":"metalctl network list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_list/","page":"metalctl network list","title":"metalctl network list","text":"list all networks","category":"page"},{"location":"external/metalctl/docs/metalctl_network_list/","page":"metalctl network list","title":"metalctl network list","text":"metalctl network list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_list/#Options","page":"metalctl network list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_list/","page":"metalctl network list","title":"metalctl network list","text":" --destination-prefixes strings destination prefixes to filter, use it like: --destination-prefixes prefix1,prefix2.\n -h, --help help for list\n --id string ID to filter [optional]\n --name string name to filter [optional]\n --nat nat to filter [optional]\n --parent string parent network to filter [optional]\n --partition string partition to filter [optional]\n --prefixes strings prefixes to filter, use it like: --prefixes prefix1,prefix2.\n --privatesuper privatesuper to filter [optional]\n --project string project to filter [optional]\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: description|id|name|partition|project\n --underlay underlay to filter [optional]\n --vrf int vrf to filter [optional]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_list/#Options-inherited-from-parent-commands","page":"metalctl network list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_list/","page":"metalctl network list","title":"metalctl network list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_list/#SEE-ALSO","page":"metalctl network list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_list/","page":"metalctl network list","title":"metalctl network list","text":"metalctl network\t - manage network entities","category":"page"},{"location":"development/proposals/MEP5/README/#Shared-Networks","page":"Shared Networks","title":"Shared Networks","text":"","category":"section"},{"location":"development/proposals/MEP5/README/#Why-are-shared-networks-needed","page":"Shared Networks","title":"Why are shared networks needed","text":"","category":"section"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"For special purpose machines that serve shared services with performance critical workloads to all machines of a partition (like persistent storage) it would be good to have kind of a \"shared network\" that is easily accessible. They do not necessarily need another firewall. This would avoid having two firewalls in the datapath between a machine in a private network and the machines of a shared service.","category":"page"},{"location":"development/proposals/MEP5/README/#Constraints-that-need-to-hold","page":"Shared Networks","title":"Constraints that need to hold","text":"","category":"section"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"a shared network is usable from all machines that have a firewall in front, that uses it\na shared network is only usable within a single partition (currently we are constrained in bandwidth and have no routing of 10.0.0.0/8 addresses btw. partitions and failure domain should be the partition but this constraint might get lifted in the future)\nnetworks may be marked as shared after network allocation (but there should be no way back from shared to unshared)\nneither machines nor firewalls may have multiple private, unshared networks configured\nmachines must have a single primary network configured\nthis might be a shared network\nOR a plain, unshared private network\nfirewalls may participate in multiple shared networks\nmachines can be allocated with a primary network using auto IP allocation or with noauto and a specific IP","category":"page"},{"location":"development/proposals/MEP5/README/#Should-shared-networks-be-private","page":"Shared Networks","title":"Should shared networks be private","text":"","category":"section"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"Alternative 1: If we implemented shared networks by extending functions around plain, private networks we would not have to manage another CIDR (mini point) and it would be possible to create a k8s cluster with a private network, mark the network as shared and produce shared services from this k8s cluster.","category":"page"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"Alternative 2: If shared networks are implemented as first class networks we could customize the VRF and also accomplish an other goal of our roadmap: being able to create machines directly in an external network.","category":"page"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"Together with @majst01 and @Gerrit91 we decided to continue to implement Alternative 1.","category":"page"},{"location":"development/proposals/MEP5/README/#Firewalls-accessing-a-shared-network","page":"Shared Networks","title":"Firewalls accessing a shared network","text":"","category":"section"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"Firewalls that access shared networks need to:","category":"page"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"hide the private network behind an ip address of the shared network if the shared network was configured with nat=true.\nimport the prefixes of the shared VRF to the private VRF and import the prefixes of the private VRF to the shared VRF so that the communication between the two is working in both directions. As long as no nat=true was set on the shared VRF, the original machine ips are visible in both communication directions.","category":"page"},{"location":"development/proposals/MEP5/README/#Setup-with-shared-networks-and-single-consumer","page":"Shared Networks","title":"Setup with shared networks and single consumer","text":"","category":"section"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"(Image: Simple Setup)","category":"page"},{"location":"development/proposals/MEP5/README/#Setup-with-single-shared-network-and-multiple-consumers","page":"Shared Networks","title":"Setup with single shared network and multiple consumers","text":"","category":"section"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"(Image: Advanced Setup)","category":"page"},{"location":"development/proposals/MEP5/README/#Getting-internet-access","page":"Shared Networks","title":"Getting internet access","text":"","category":"section"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"Machines contained in a shared network can access the internet with different scenarios:","category":"page"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"if they have an own firewall: this is internet accessibility, as common (check whether all traffic gets routed through it!)\nif they don't have an own firewall, an external HTTP proxy is needed that has an endpoint exposed as Service Type NodePort","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_delete/#metalctl-tenant-delete","page":"metalctl tenant delete","title":"metalctl tenant delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_delete/","page":"metalctl tenant delete","title":"metalctl tenant delete","text":"deletes the tenant","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_delete/","page":"metalctl tenant delete","title":"metalctl tenant delete","text":"metalctl tenant delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_delete/#Options","page":"metalctl tenant delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_delete/","page":"metalctl tenant delete","title":"metalctl tenant delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl tenant describe tenant-1 -o yaml > tenant.yaml\n $ vi tenant.yaml\n $ # either via stdin\n $ cat tenant.yaml | metalctl tenant delete -f -\n $ # or via file\n $ metalctl tenant delete -f tenant.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_delete/#Options-inherited-from-parent-commands","page":"metalctl tenant delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_delete/","page":"metalctl tenant delete","title":"metalctl tenant delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_delete/#SEE-ALSO","page":"metalctl tenant delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_delete/","page":"metalctl tenant delete","title":"metalctl tenant delete","text":"metalctl tenant\t - manage tenant entities","category":"page"},{"location":"external/firewall-controller/CONTRIBUTING/#Contributing","page":"Contributing","title":"Contributing","text":"","category":"section"},{"location":"external/firewall-controller/CONTRIBUTING/","page":"Contributing","title":"Contributing","text":"Please check out the contributing section in our docs.","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_create/#metalctl-network-ip-create","page":"metalctl network ip create","title":"metalctl network ip create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_create/","page":"metalctl network ip create","title":"metalctl network ip create","text":"creates the ip","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_create/","page":"metalctl network ip create","title":"metalctl network ip create","text":"metalctl network ip create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_create/#Options","page":"metalctl network ip create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_create/","page":"metalctl network ip create","title":"metalctl network ip create","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -d, --description string description of the IP to allocate. [optional]\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl ip describe ip-1 -o yaml > ip.yaml\n $ vi ip.yaml\n $ # either via stdin\n $ cat ip.yaml | metalctl ip create -f -\n $ # or via file\n $ metalctl ip create -f ip.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for create\n --ipaddress string a specific ip address to allocate. [optional]\n -n, --name string name of the IP to allocate. [optional]\n --network string network from where the IP should be allocated.\n --project string project for which the IP should be allocated.\n --skip-security-prompts skips security prompt for bulk operations\n --tags strings tags to attach to the IP.\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations\n --type string type of the IP to allocate: ephemeral|static [optional] (default \"ephemeral\")","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_create/#Options-inherited-from-parent-commands","page":"metalctl network ip create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_create/","page":"metalctl network ip create","title":"metalctl network ip create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_create/#SEE-ALSO","page":"metalctl network ip create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_create/","page":"metalctl network ip create","title":"metalctl network ip create","text":"metalctl network ip\t - manage ip entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_edit/#metalctl-size-reservation-edit","page":"metalctl size reservation edit","title":"metalctl size reservation edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_edit/","page":"metalctl size reservation edit","title":"metalctl size reservation edit","text":"edit the reservation through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_edit/","page":"metalctl size reservation edit","title":"metalctl size reservation edit","text":"metalctl size reservation edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_edit/#Options","page":"metalctl size reservation edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_edit/","page":"metalctl size reservation edit","title":"metalctl size reservation edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_edit/#Options-inherited-from-parent-commands","page":"metalctl size reservation edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_edit/","page":"metalctl size reservation edit","title":"metalctl size reservation edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_edit/#SEE-ALSO","page":"metalctl size reservation edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_edit/","page":"metalctl size reservation edit","title":"metalctl size reservation edit","text":"metalctl size reservation\t - manage reservation entities","category":"page"},{"location":"external/metalctl/docs/metalctl_health/#metalctl-health","page":"metalctl health","title":"metalctl health","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_health/","page":"metalctl health","title":"metalctl health","text":"shows the server health","category":"page"},{"location":"external/metalctl/docs/metalctl_health/","page":"metalctl health","title":"metalctl health","text":"metalctl health [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_health/#Options","page":"metalctl health","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_health/","page":"metalctl health","title":"metalctl health","text":" -h, --help help for health","category":"page"},{"location":"external/metalctl/docs/metalctl_health/#Options-inherited-from-parent-commands","page":"metalctl health","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_health/","page":"metalctl health","title":"metalctl health","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_health/#SEE-ALSO","page":"metalctl health","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_health/","page":"metalctl health","title":"metalctl health","text":"metalctl\t - a cli to manage entities in the metal-stack api","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload/#metalctl-firmware-upload","page":"metalctl firmware upload","title":"metalctl firmware upload","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload/","page":"metalctl firmware upload","title":"metalctl firmware upload","text":"upload a firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload/#Options","page":"metalctl firmware upload","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload/","page":"metalctl firmware upload","title":"metalctl firmware upload","text":" -h, --help help for upload","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload/#Options-inherited-from-parent-commands","page":"metalctl firmware upload","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload/","page":"metalctl firmware upload","title":"metalctl firmware upload","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload/#SEE-ALSO","page":"metalctl firmware upload","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload/","page":"metalctl firmware upload","title":"metalctl firmware upload","text":"metalctl firmware\t - manage firmwares\nmetalctl firmware upload bios\t - upload a BIOS firmware\nmetalctl firmware upload bmc\t - upload a BMC firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_detail/#metalctl-switch-detail","page":"metalctl switch detail","title":"metalctl switch detail","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_detail/","page":"metalctl switch detail","title":"metalctl switch detail","text":"switch details","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_detail/","page":"metalctl switch detail","title":"metalctl switch detail","text":"metalctl switch detail [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_detail/#Options","page":"metalctl switch detail","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_detail/","page":"metalctl switch detail","title":"metalctl switch detail","text":" -h, --help help for detail\n --id string ID of the switch.\n --name string Name of the switch.\n --os-vendor string OS vendor of this switch.\n --os-version string OS version of this switch.\n --partition string Partition of this switch.\n --rack string Rack of this switch.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_detail/#Options-inherited-from-parent-commands","page":"metalctl switch detail","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_detail/","page":"metalctl switch detail","title":"metalctl switch detail","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_detail/#SEE-ALSO","page":"metalctl switch detail","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_detail/","page":"metalctl switch detail","title":"metalctl switch detail","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_edit/#metalctl-switch-edit","page":"metalctl switch edit","title":"metalctl switch edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_edit/","page":"metalctl switch edit","title":"metalctl switch edit","text":"edit the switch through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_edit/","page":"metalctl switch edit","title":"metalctl switch edit","text":"metalctl switch edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_edit/#Options","page":"metalctl switch edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_edit/","page":"metalctl switch edit","title":"metalctl switch edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_edit/#Options-inherited-from-parent-commands","page":"metalctl switch edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_edit/","page":"metalctl switch edit","title":"metalctl switch edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_edit/#SEE-ALSO","page":"metalctl switch edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_edit/","page":"metalctl switch edit","title":"metalctl switch edit","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"external/metalctl/CONTRIBUTING/#Contributing","page":"Contributing","title":"Contributing","text":"","category":"section"},{"location":"external/metalctl/CONTRIBUTING/","page":"Contributing","title":"Contributing","text":"Please check out the contributing section in our docs.","category":"page"},{"location":"external/metalctl/docs/metalctl_update/#metalctl-update","page":"metalctl update","title":"metalctl update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update/","page":"metalctl update","title":"metalctl update","text":"update the program","category":"page"},{"location":"external/metalctl/docs/metalctl_update/#Options","page":"metalctl update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update/","page":"metalctl update","title":"metalctl update","text":" -h, --help help for update","category":"page"},{"location":"external/metalctl/docs/metalctl_update/#Options-inherited-from-parent-commands","page":"metalctl update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update/","page":"metalctl update","title":"metalctl update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_update/#SEE-ALSO","page":"metalctl update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update/","page":"metalctl update","title":"metalctl update","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl update check\t - check for update of the program\nmetalctl update do\t - do the update of the program","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_replace/#metalctl-switch-replace","page":"metalctl switch replace","title":"metalctl switch replace","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_replace/","page":"metalctl switch replace","title":"metalctl switch replace","text":"put a leaf switch into replace mode in preparation for physical replacement. For a description of the steps involved see the long help.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_replace/#Synopsis","page":"metalctl switch replace","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_replace/","page":"metalctl switch replace","title":"metalctl switch replace","text":"Put a leaf switch into replace mode in preparation for physical replacement","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_replace/","page":"metalctl switch replace","title":"metalctl switch replace","text":"Operational steps to replace a switch:","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_replace/","page":"metalctl switch replace","title":"metalctl switch replace","text":"Put the switch that needs to be replaced in replace mode with this command\nReplace the switch MAC address in the metal-stack deployment configuration\nMake sure that interfaces on the new switch do not get connected to the PXE-bridge immediately by setting the interfaces list of the respective leaf switch to [] in the metal-stack deployment configuration\nDeploy the management servers so that the dhcp servers will serve the right address and DHCP options to the new switch\nReplace the switch physically. Be careful to ensure that the cabling mirrors the remaining leaf exactly because the new switch information will be cloned from the remaining switch! Also make sure to have console access to the switch so you can start and monitor the install process\nIf the switch is not in onie install mode but already has an operating system installed, put it into install mode with \"sudo onie-select -i -f -v\" and reboot it. Now the switch should be provisioned with a management IP from a management server, install itself with the right software image and receive license and ssh keys through ZTP. You can check whether that process has completed successfully with the command \"sudo ztp -s\". The ZTP state should be disabled and the result should be success.\nDeploy the switch plane and metal-core through metal-stack deployment CI job\nThe switch will now register with its metal-api, and the metal-core service will receive the cloned interface and routing information. You can verify successful switch replacement by checking the interface and BGP configuration, and checking the switch status with \"metalctl switch ls -o wide\"; it should now be operational again","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_replace/","page":"metalctl switch replace","title":"metalctl switch replace","text":"metalctl switch replace [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_replace/#Options","page":"metalctl switch replace","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_replace/","page":"metalctl switch replace","title":"metalctl switch replace","text":" -h, --help help for replace","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_replace/#Options-inherited-from-parent-commands","page":"metalctl switch replace","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_replace/","page":"metalctl switch replace","title":"metalctl switch replace","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_replace/#SEE-ALSO","page":"metalctl switch replace","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_replace/","page":"metalctl switch replace","title":"metalctl switch replace","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_create/#metalctl-tenant-create","page":"metalctl tenant create","title":"metalctl tenant create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_create/","page":"metalctl tenant create","title":"metalctl tenant create","text":"creates the tenant","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_create/","page":"metalctl tenant create","title":"metalctl tenant create","text":"metalctl tenant create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_create/#Options","page":"metalctl tenant create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_create/","page":"metalctl tenant create","title":"metalctl tenant create","text":" --annotations strings add initial annotations, must be in the form of key=value, can be given multiple times to add multiple annotations, e.g. --annotation key=value --annotation foo=bar\n --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n --cluster-quota int32 cluster quota\n --description string description of the tenant.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl tenant describe tenant-1 -o yaml > tenant.yaml\n $ vi tenant.yaml\n $ # either via stdin\n $ cat tenant.yaml | metalctl tenant create -f -\n $ # or via file\n $ metalctl tenant create -f tenant.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for create\n --id string id of the tenant, max 10 characters.\n --ip-quota int32 ip quota\n --labels strings add initial label, can be given multiple times to add multiple labels, e.g. --label=foo --label=bar\n --machine-quota int32 machine quota\n --name string name of the tenant, max 10 characters.\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_create/#Options-inherited-from-parent-commands","page":"metalctl tenant create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_create/","page":"metalctl tenant create","title":"metalctl tenant create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_create/#SEE-ALSO","page":"metalctl tenant create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_create/","page":"metalctl tenant create","title":"metalctl tenant create","text":"metalctl tenant\t - manage tenant entities","category":"page"},{"location":"development/contributing/#Contributing","page":"Contributing","title":"Contributing","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"This document describes the way we want to contribute code to the projects of metal-stack, which are hosted on github.com/metal-stack.","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"The document is meant to be understood as a general guideline for contributions, but not as burden to be placed on a developer. Use your best judgment when contributing code. Try to be as clean and precise as possible when writing code and try to make your code as maintainable and understandable as possible for other people.","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Even if it should go without saying, we live an open culture of discussion, in which everybody is welcome to participate. We treat every contribution with respect and objectiveness with the general aim to write software of quality.","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"If you want, feel free to propose changes to this document in a pull request.","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Pages = [\"contributing.md\"]\nDepth = 5","category":"page"},{"location":"development/contributing/#How-Can-I-Contribute?","page":"Contributing","title":"How Can I Contribute?","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Open a Github issue in the project you would like to contribute. Within the issue, your idea can be discussed. It is also possible to directly create a pull request when the set of changes is relatively small.","category":"page"},{"location":"development/contributing/#Pull-Requests","page":"Contributing","title":"Pull Requests","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"The process described here has several goals:","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Maintain quality\nEnable a sustainable system to review contributions\nEnable documented and reproducible addition of contributions","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Create a meaningful issue describing the WHY? of your contribution\nCreate a repository fork within the context of that issue.\nCreate a Draft Pull Request to the master branch of the target repository.\nDevelop, document and test your contribution (try not to solve more than one issue in a single pull request)\nAsk for merging your contribution by removing the draft marker\nIf code owners are defined, try to assign the request to a code owner","category":"page"},{"location":"development/contributing/#General-Objectives","page":"Contributing","title":"General Objectives","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"This section contains language-agnostic topics that all metal-stack projects are trying to follow.","category":"page"},{"location":"development/contributing/#Code-Ownership","page":"Contributing","title":"Code Ownership","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"The code base is owned by the entire team and every member is allowed to contribute changes to any of the projects. This is considered as collective code ownership[1].","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"As a matter of fact, there are persons in a project, which already have experience with the sources. These are defined directly in the repository's CODEOWNERS file. If you want to merge changes into the master branch, it is advisable to include code owners into the process of discussion and merging.","category":"page"},{"location":"development/contributing/#Microservices","page":"Contributing","title":"Microservices","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"One major ambition of metal-stack is to follow the idea of microservices. This way, we want to achieve that we can","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"adapt to changes faster than with monolithic architectures,\nbe free of restrictions due to certain choices of technology,\nleverage powerful traits of cloud infrastructures (e.g. high-scalability, high-availability, ...).","category":"page"},{"location":"development/contributing/#Programming-Languages","page":"Contributing","title":"Programming Languages","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"We are generally open to write code in any language that fits best to the function of the software. However, we encourage golang to be the main language of metal-stack as we think that it makes development faster when not establishing too many different languages in our architecture. Reason for this is that we are striving for consistent behavior of the microservices, similar to what has been described for the Twelve-Factor App (see 12 Factor). We help enforcing unified behavior by allowing a small layer of shared code for every programming language. We will refer to this shared code as \"libraries\" for the rest of this document.","category":"page"},{"location":"development/contributing/#Artifacts","page":"Contributing","title":"Artifacts","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Artifacts are always produced by a CI process (Github Actions).","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Docker images are published on the Github Container Registry of the metal-stack organization.","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Binary artifacts or OS images can be uploaded to images.metal-stack.io if necessary.","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"When building Docker images, please consider our build tool docker-make or the specific docker-make action respectively.","category":"page"},{"location":"development/contributing/#APIs","page":"Contributing","title":"APIs","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"We are currently making use of Swagger when we exposing traditional REST APIs for end-users. This helps us with being technology-agnostic as we can generate clients in almost any language using go-swagger. Swagger additionally simplifies the documentation of our APIs.","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Most APIs though are not required to be user-facing but are of technical nature. These are preferred to be implemented using grpc.","category":"page"},{"location":"development/contributing/#Versioning","page":"Contributing","title":"Versioning","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Artifacts are versioned by tagging the respective repository with a tag starting with the letter v. After the letter, there stands a valid semantic version.","category":"page"},{"location":"development/contributing/#Documentation","page":"Contributing","title":"Documentation","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"In order to make it easier for others to understand a project, we document general information and usage instructions in a README.md in any project.","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"In addition to that, we document a microservice in the docs repository. The documentation should contain the reasoning why this service exists and why it was being implemented the way it was being implemented. The aim of this procedure is to reduce the time for contributors to comprehend architectural decisions that were made during the process of writing the software and to clarify the general purpose of this service in the entire context of the software.","category":"page"},{"location":"development/contributing/#Guidelines","page":"Contributing","title":"Guidelines","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"This chapter describes general guidelines on how to develop and contribute code for a certain programming language.","category":"page"},{"location":"development/contributing/#Golang","page":"Contributing","title":"Golang","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Development follows the official guide to:","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Write clear, idiomatic Go code[2]\nLearn from mistakes that must not be repeated[3]\nApply appropriate names to your artifacts:\nhttps://go.dev/talks/2014/names.slide\nhttps://go.dev/blog/package-names\nhttps://go.dev/doc/effective_go#names\nEnable others to understand the reasoning of non-trivial code sequences by applying a meaningful documentation.","category":"page"},{"location":"development/contributing/#Development-Decisions","page":"Contributing","title":"Development Decisions","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Dependency Management by using Go modules\nBuild and Test Automation by using GNU Make.\nEnd-user APIs should consider using go-swagger and Go-Restful Technical APIs should consider using grpc","category":"page"},{"location":"development/contributing/#Libraries","page":"Contributing","title":"Libraries","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"metal-stack maintains several libraries that you should utilize in your project in order unify common behavior. Some of these projects are:","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"metal-go\nmetal-lib","category":"page"},{"location":"development/contributing/#Error-Handling-with-Generated-Swagger-Clients","page":"Contributing","title":"Error Handling with Generated Swagger Clients","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"From the server-side you should ensure that you are returning the common error json struct in case of an error as defined in the metal-lib/httperrors. Ensure you are using go-restful >= v2.9.1 and go-restful-openapi >= v0.13.1 (allows default responses with error codes other than 200).","category":"page"},{"location":"development/contributing/#Documentation-2","page":"Contributing","title":"Documentation","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"We want to share knowledge and keep things simple. If things cannot kept simple we want enable everybody to understand them by:","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Document in short sentences[4].\nDo not explain the HOW (this is already documented by your code and documenting the obvious is considered a defect).\nExplain the WHY. Add a \"to\" in your documentation line to force yourself to explain the reasonning (e.g. \" to \").","category":"page"},{"location":"development/contributing/#Python","page":"Contributing","title":"Python","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Development follows the official guide to:","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Style Guide for Python Code (PEP 8)[5]\nThe use of an IDE like PyCharm helps to write compliant code easily\nConsider setuptools for packaging\nIf you want to add a Python microservice to the mix, consider pyinstaller on Alpine to achieve small image sizes","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"[1]: https://martinfowler.com/bliki/CodeOwnership.html","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"[2]: https://go.dev/doc/effective_go","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"[3]: https://github.com/golang/go/wiki/CodeReviewComments","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"[4]: https://github.com/golang/go/wiki/CodeReviewComments#comment-sentences","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"[5]: https://www.python.org/dev/peps/pep-0008/","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_lock/#metalctl-machine-lock","page":"metalctl machine lock","title":"metalctl machine lock","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_lock/","page":"metalctl machine lock","title":"metalctl machine lock","text":"lock a machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_lock/#Synopsis","page":"metalctl machine lock","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_lock/","page":"metalctl machine lock","title":"metalctl machine lock","text":"when a machine is locked, it can not be destroyed, to destroy a machine you must first remove the lock from that machine with –remove","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_lock/","page":"metalctl machine lock","title":"metalctl machine lock","text":"metalctl machine lock [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_lock/#Options","page":"metalctl machine lock","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_lock/","page":"metalctl machine lock","title":"metalctl machine lock","text":" -d, --description string description of the reason for the lock.\n -h, --help help for lock\n -r, --remove remove the lock.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_lock/#Options-inherited-from-parent-commands","page":"metalctl machine lock","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_lock/","page":"metalctl machine lock","title":"metalctl machine lock","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_lock/#SEE-ALSO","page":"metalctl machine lock","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_lock/","page":"metalctl machine lock","title":"metalctl machine lock","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues_list/#metalctl-machine-issues-list","page":"metalctl machine issues list","title":"metalctl machine issues list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_issues_list/","page":"metalctl machine issues list","title":"metalctl machine issues list","text":"list all machine issues that the metal-api can evaluate","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues_list/","page":"metalctl machine issues list","title":"metalctl machine issues list","text":"metalctl machine issues list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues_list/#Options","page":"metalctl machine issues list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_issues_list/","page":"metalctl machine issues list","title":"metalctl machine issues list","text":" -h, --help help for list\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: id|severity","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues_list/#Options-inherited-from-parent-commands","page":"metalctl machine issues list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_issues_list/","page":"metalctl machine issues list","title":"metalctl machine issues list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues_list/#SEE-ALSO","page":"metalctl machine issues list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_issues_list/","page":"metalctl machine issues list","title":"metalctl machine issues list","text":"metalctl machine issues\t - display machines which are in a potential bad state","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_delete/#metalctl-machine-delete","page":"metalctl machine delete","title":"metalctl machine delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_delete/","page":"metalctl machine delete","title":"metalctl machine delete","text":"deletes the machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_delete/#Synopsis","page":"metalctl machine delete","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_delete/","page":"metalctl machine delete","title":"metalctl machine delete","text":"delete a machine and destroy all data stored on the local disks. Once destroyed it is back for usage by other projects. A destroyed machine can not restored anymore","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_delete/","page":"metalctl machine delete","title":"metalctl machine delete","text":"metalctl machine delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_delete/#Options","page":"metalctl machine delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_delete/","page":"metalctl machine delete","title":"metalctl machine delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl machine describe machine-1 -o yaml > machine.yaml\n $ vi machine.yaml\n $ # either via stdin\n $ cat machine.yaml | metalctl machine delete -f -\n $ # or via file\n $ metalctl machine delete -f machine.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --remove-from-database remove given machine from the database, is only required for maintenance reasons [optional] (admin only).\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_delete/#Options-inherited-from-parent-commands","page":"metalctl machine delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_delete/","page":"metalctl machine delete","title":"metalctl machine delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_delete/#SEE-ALSO","page":"metalctl machine delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_delete/","page":"metalctl machine delete","title":"metalctl machine delete","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"development/proposals/MEP1/README/#Distributed-Metal-Control-Plane","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"","category":"section"},{"location":"development/proposals/MEP1/README/#Problem-Statement","page":"Distributed Metal Control Plane","title":"Problem Statement","text":"","category":"section"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"We face the situation that we argue for running bare metal on premise because this way the customers can control where and how their software and data are processed and stored. On the other hand, we have currently decided that our metal-api control plane components run on a kubernetes cluster (in our case on a cluster provided by one of the available hyperscalers).","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Running the control plane on Kubernetes has the following benefits:","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Ease of deployment\nGet most, if not all, of the required infrastructure services like (probably incomplete):\nIPs\nDNS\nL7-Loadbalancing\nStorage\nS3 Backup\nHigh Availability","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Using a kubernetes as a service offering from one of the hyperscalers, enables us to focus on using kubernetes instead of maintaining it as well.","category":"page"},{"location":"development/proposals/MEP1/README/#Goal","page":"Distributed Metal Control Plane","title":"Goal","text":"","category":"section"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"It would be much saner if metal-stack has no, or only minimal dependencies to external services. Imagine a metal-stack deployment in a plant, it would be optimal if we only have to deliver a single rack with servers and networking gear installed and wired, plug that rack to the power supply and a internet uplink and its ready to go.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Have a second plant which you want to be part of all your plants? Just tell both that they are part of something bigger and metal-api knows of two partitions.","category":"page"},{"location":"development/proposals/MEP1/README/#Possible-Solutions","page":"Distributed Metal Control Plane","title":"Possible Solutions","text":"","category":"section"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"We can think of two different solutions to this vision:","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Keep the central control plane approach and require some sort of kubernetes deployment accessible from the internet. This has the downside that the user must, provide a managed kubernetes deployment in his own datacenter or uses a hyperscaler. Still not optimal.\nInstall the metal-api and all its dependencies in every partition, replicate or shard the databases to every connected partition, make them know each other. Connect the partitions over the internet with some sort of vpn to make the services visible to each other.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"As we can see, the first approach does not really address the problem, therefore i will describe solution #2 in more details.","category":"page"},{"location":"development/proposals/MEP1/README/#Central/Current-setup","page":"Distributed Metal Control Plane","title":"Central/Current setup","text":"","category":"section"},{"location":"development/proposals/MEP1/README/#Stateful-services","page":"Distributed Metal Control Plane","title":"Stateful services","text":"","category":"section"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Every distributed system suffer from handling state in a scalable, fast and correct way. To start how to cope with the state, we first must identify which state can be seen as partition local only and which state must be synchronous for read, and synchronous for writes across partitions.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Affected states:","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"masterdata: e.g. tenant and project must be present in every partition, but these are entities which are read often but updates are rare. A write can therefore be visible with a decent delay in a distinct partition with no consequences.\nipam: the prefixes and ip´s allocated from machines. These entities are also read often and rare updates. But we must differentiate between dirty reads for different types. A machine network is partition local, ips acquired from such a network must by synchronous in the same partition. Ips acquired from global networks such as internet must by synchronous for all partitions, as otherwise a internet ip could be acquired twice.\nvrf ids: they must only be unique in one partition\nimage and size configurations: read often, written seldom, so no high requirements on the storage of these entities.\nimages: os images are already replicated from a central s3 storage to a per partition s3 service. metal-hammer kernel and initrd are small and pull always from the central s3, can be done similar to os images.\nmachine and machine allocation: must be only synchronous in the partition\nswitch: must be only synchronous in the partition\nnsq messages: do not need to cross partition boundaries. No need to keep the messages persistent, even the opposite is true, we don't want to have the messages persist for a longer period.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Now we can see that the most critical state to held and synchronize are the IPAM data, because these entities must be guaranteed to be synchronously updated, while being updated frequently.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Datastores:","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"We use three different types of datastores to persist the states of the metal application.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"rethinkdb is the main datastore for almost all entities managed by metal-api\npostgresql is used for masterdata and ipam data.\nnsq uses disk and memory tho store the messages.","category":"page"},{"location":"development/proposals/MEP1/README/#Stateless-services","page":"Distributed Metal Control Plane","title":"Stateless services","text":"","category":"section"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"These are the easy part, all of our services which are stateless can be scaled up and down without any impact on functionality. Even the stateful services like masterdata and metal-api rely fully on the underlying datastore and can therefore also be scaled up and down to meet scalability requirements.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Albeit, most of these services need to be placed behind a loadbalancer which does the L4/L7 balancing across the started/available replicas of the service for the clients talking to it. This is actually provided by kubernetes with either service type loadbalancer or type clusterip.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"One exception is the metal-console service which must have the partition in it´s dns name now, because there is no direct network connectivity between the management networks of the partitions. See \"Network Setup)","category":"page"},{"location":"development/proposals/MEP1/README/#Distributed-setup","page":"Distributed Metal Control Plane","title":"Distributed setup","text":"","category":"section"},{"location":"development/proposals/MEP1/README/#State","page":"Distributed Metal Control Plane","title":"State","text":"","category":"section"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"In order to replicate certain data which must be available across all partitions we can use on of the existing open source databases which enable such kind of setup. There are a few available out there, the following incomplete list will highlight the pro´s and cons of each.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"RethinkDB\nWe already store most of our data in RethinkDB and it gives already the ability to synchronize the data in a distributed manner with different guarantees for consistency and latency. This is described here: Scaling, Sharding and replication. But because rethinkdb has a rough history and unsure future with the last release took more than a year, we in the team already thought that we eventually must move away from rethinkdb in the future.\nPostgresql\nPostgres does not have a multi datacenter with replication in both directions, it just can make the remote instance store the same data.\nCockroachDB\nIs a Postgresql compatible database engine on the wire. CockroachDB gives you both, ACID and geo replication with writes allowed from all connected members. It is even possible to configure Follow the Workload and Geo Partitioning and Replication.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"If we migrate all metal-api entities to be stored the same way we store masterdata, we could use cockroachdb to store all metal entities in one ore more databases spread across all partitions and still ensure consistency and high availability.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"A simple setup how this would look like is shown here.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"(Image: Simple CockroachDB setup)","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"go-ipam was modified in a example PR here: PR 17","category":"page"},{"location":"development/proposals/MEP1/README/#API-Access","page":"Distributed Metal Control Plane","title":"API Access","text":"","category":"section"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"In order to make the metal-api accessible for api users like cloud-api or metalctl as easy at it is today, some effort has to be taken. One possible approach would be to use a external loadbalancer which spread the requests evenly to all metal-api endpoints in all partitions. Because all data are accessible from all partitions, a api request going to partition A with a request to create a machine in partition B, will still work. If on the other hand partition B is not in a connected state because the interconnection between both partitions is broken, then of course the request will fail.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"IMPORTANT The NSQ Message to inform metal-core must end in the correct partition","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"To provide such a external loadbalancer we have several opportunities:","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Cloudflare or comparable CDN service.\nBGP Anycast from every partition","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Another setup would place a small gateway behind the metal-api address, which forwards to the metal-api in the partition where the request must be executed. This gateway, metal-api-router must inspect the payload, extract the desired partition, and forward the request without any modifications to the metal-api endpoint in this partition. This can be done for all requests, or if we want to optimize, only for write accesses.","category":"page"},{"location":"development/proposals/MEP1/README/#Network-setup","page":"Distributed Metal Control Plane","title":"Network setup","text":"","category":"section"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"In order to have the impact to the overall security concept as minimal as possible i would not modify the current network setup. The only modifications which has to be made are:","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Allow https ingress traffic to all metal-api instances.\nAllow ssh ingress traffic to all metal-console instances.\nAllow CockroachDB Replication between all partitions.\nNo NSQ traffic from outside required anymore, except we cant solve the topic above.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"A simple setup how this would look like is shown here, this does not work though because of the forementioned NSQ issue.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"(Image: API and Console Access)","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Therefore we need the metal-api-router:","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"(Image: Working API and Console Access)","category":"page"},{"location":"development/proposals/MEP1/README/#Deployment","page":"Distributed Metal Control Plane","title":"Deployment","text":"","category":"section"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"The deployment of our components will substantially differ in a partition compared to a the deployment we have actually. Deploying it in kubernetes in the partition would be very difficult to achieve because we have no sane way to deploy kubernetes on physical machines without a underlying API. I would therefore suggest to deploy our components in the same way we do that for the services running on the management server. Use systemd to start docker containers.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"(Image: Deployment)","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"marp: true theme: metal-stack paginate: true footer: Gerrit Schwerthelm – x-cellent technologies GmbH — metal-stack Training backgroundImage: url(\"https://metal-stack.io/images/shape/banner.png\") –- ","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"(Image: h:200px)","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/#Multi-Partition-Layout","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"section"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":" (Image: bg contain)","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":" (Image: bg contain)","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/#Multi-Partition-Layout-Properties","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout Properties","text":"","category":"section"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"Fully independent locations with own storage and own node networks\nClusters can only be created independent in every location\nFailover mechanism for deployed applications requires duplicated deployments, which can serve independently\nFailover through BGP\nIf cluster nodes are spread across partitions (not implemented yet), nodes will not be able to reach each other\nWould require an overlay network for inter-node-communication","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/#Single-Partition-Layout","page":"Multi-Partition-Layout","title":"Single-Partition-Layout","text":"","category":"section"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":" (Image: bg contain)","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/#Single-Partition-Layout-Properties","page":"Multi-Partition-Layout","title":"Single-Partition-Layout Properties","text":"","category":"section"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"Multiple groups of racks at multiple locations but connected to same CLOS topology\nAll racks can connect to the same storage network\nNodes in private networks can communicate\nWhen creating a cluster, nodes will be randomly spread across the racks\nPossible improvement of this situation, see MEP-12: Rack Spreading","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/#MEP-12:-Rack-Spreading","page":"Multi-Partition-Layout","title":"MEP-12: Rack Spreading","text":"","category":"section"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"Instead of selecting a machine from a machine pool randomly\nGet all existing machines in the same project and count to which rack they belong\nPlace machine on the rack with the least amount of machines already allocated\nBest effort only","category":"page"},{"location":"overview/hardware/#Hardware-Support","page":"Hardware Support","title":"Hardware Support","text":"","category":"section"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"In order to keep the automation and maintenance overhead small, we strongly advise against building highly heterogeneous environments with metal-stack. Having a lot of different vendors and server models in your partitions will heavily increase the time and effort for introducing metal-stack in your infrastructure. From experience we can tell that the interfaces for automating hardware provisioning are usually inconsistent between vendors and even between server models of the same vendor. Therefore, we encourage adopters to start off with only a small amount of machine types. If you want to be on the safe side, you should consider buying the hardware that we officially support.","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"We came up with a repository called go-hal, which includes the interface required for metal-stack to support a machine vendor. If you plan to implement support for new vendors, please check out this repository and contribute back your efforts in order to make the community benefit from extended vendor support as well.","category":"page"},{"location":"overview/hardware/#Servers","page":"Hardware Support","title":"Servers","text":"","category":"section"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"The following server types are officially supported and verified by the metal-stack project:","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"Vendor Series Model Board Type Status\nSupermicro Big-Twin SYS-2029BT-HNR X11DPT-B stable\nSupermicro Big-Twin SYS-220BT-HNTR X12DPT-B6 stable\nSupermicro SuperServer SSG-5019D8-TR12P X11SDV-8C-TP8F stable\nSupermicro SuperServer 2029UZ-TN20R25M X11DPU stable\nSupermicro SuperServer SYS-621C-TN12R X13DDW-A stable\nSupermicro Microcloud 5039MD8-H8TNR X11SDD-8C-F stable\nSupermicro Microcloud SYS-531MC-H8TNR X13SCD-F stable\nSupermicro Microcloud 3015MR-H8TNR H13SRD-F coming soon\nLenovo ThinkSystem SD530 alpha","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"Other server series and models might work but were not reported to us.","category":"page"},{"location":"overview/hardware/#GPUs","page":"Hardware Support","title":"GPUs","text":"","category":"section"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"The following GPU types are officially supported and verified by the metal-stack project:","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"Vendor Model Status\nNVIDIA RTX 6000 stable\nNVIDIA H100 stable","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"Other GPU models might work but were not reported to us. For a detailed description howto use GPU support in a kubernetes cluster please check this documentation","category":"page"},{"location":"overview/hardware/#Network-Cards","page":"Hardware Support","title":"Network Cards","text":"","category":"section"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"The following network cards are officially supported and verified by the metal-stack project for usage in servers:","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"Vendor Series Model Status\nIntel XXV710 DA2 DualPort 2x25G SFP28 stable\nIntel E810 DA2 DualPort 2x25G SFP28 stable\nIntel E810 CQDA2 DualPort 2x100G SFP28 stable\nMellanox ConnectX-5 MCX512A-ACAT 2x25G SFP28 stable","category":"page"},{"location":"overview/hardware/#Switches","page":"Hardware Support","title":"Switches","text":"","category":"section"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"The following switch types are officially supported and verified by the metal-stack project:","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"Vendor Series Model OS Status\nEdge-Core AS7700 Series AS7712-32X Cumulus 3.7.13 stable\nEdge-Core AS7700 Series AS7726-32X Cumulus 4.1.1 stable\nEdge-Core AS7700 Series AS7712-32X Edgecore SONiC stable\nEdge-Core AS7700 Series AS7726-32X Edgecore SONiC stable","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"Other switch series and models might work but were not reported to us.","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"warning: Warning\nOn our switches we run SONiC. The metal-core writes network configuration specifically implemented for this operating system. Please also consider running SONiC on your switches if you do not want to run into any issues with networking.Our previous support for Cumulus Linux will come to an end.Of course, contributions for supporting other switch vendors and operating systems are highly appreciated.","category":"page"},{"location":"overview/hardware/#Portable-metal-stack-Setup-DIY","page":"Hardware Support","title":"Portable metal-stack Setup DIY","text":"","category":"section"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"A minimal physical hardware setup may contain at least the following components:","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"warning: Warning\nThis setup should work as the components are very similar to the currently supported ones but it's currently untested.","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"# Vendor Series Model Function\n2x Edge-Core AS5500 Series AS5512-54x (10G) Leaf / Exit switches\n1x Supermicro Microcloud SYS-5039MA16-H12RFT Usable machines\n1x Teltonika Router RUTXR1 Front router for internet and out-of-band access to servers and switches","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"Besides that, a 6HE rack with 1000mm depth and a portable LTE modem is needed.","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"This MVP will yield in 12 usable machines, one of them will be reserved as management server.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/#metalctl-machine-update-firmware-bmc","page":"metalctl machine update-firmware bmc","title":"metalctl machine update-firmware bmc","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/","page":"metalctl machine update-firmware bmc","title":"metalctl machine update-firmware bmc","text":"update a machine BMC","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/#Synopsis","page":"metalctl machine update-firmware bmc","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/","page":"metalctl machine update-firmware bmc","title":"metalctl machine update-firmware bmc","text":"the machine BMC will be updated to given revision. If revision flag is not specified an update plan will be printed instead.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/","page":"metalctl machine update-firmware bmc","title":"metalctl machine update-firmware bmc","text":"metalctl machine update-firmware bmc [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/#Options","page":"metalctl machine update-firmware bmc","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/","page":"metalctl machine update-firmware bmc","title":"metalctl machine update-firmware bmc","text":" --description string the reason why the BMC should be updated\n -h, --help help for bmc\n --revision string the BMC revision","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/#Options-inherited-from-parent-commands","page":"metalctl machine update-firmware bmc","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/","page":"metalctl machine update-firmware bmc","title":"metalctl machine update-firmware bmc","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/#SEE-ALSO","page":"metalctl machine update-firmware bmc","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/","page":"metalctl machine update-firmware bmc","title":"metalctl machine update-firmware bmc","text":"metalctl machine update-firmware\t - update a machine firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_try/#metalctl-size-imageconstraint-try","page":"metalctl size imageconstraint try","title":"metalctl size imageconstraint try","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_try/","page":"metalctl size imageconstraint try","title":"metalctl size imageconstraint try","text":"try if size and image can be allocated","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_try/","page":"metalctl size imageconstraint try","title":"metalctl size imageconstraint try","text":"metalctl size imageconstraint try [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_try/#Options","page":"metalctl size imageconstraint try","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_try/","page":"metalctl size imageconstraint try","title":"metalctl size imageconstraint try","text":" -h, --help help for try\n --image string image to check if allocaltion is possible\n --size string size to check if allocaltion is possible","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_try/#Options-inherited-from-parent-commands","page":"metalctl size imageconstraint try","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_try/","page":"metalctl size imageconstraint try","title":"metalctl size imageconstraint try","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_try/#SEE-ALSO","page":"metalctl size imageconstraint try","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_try/","page":"metalctl size imageconstraint try","title":"metalctl size imageconstraint try","text":"metalctl size imageconstraint\t - manage imageconstraint entities","category":"page"},{"location":"external/metalctl/docs/metalctl_audit/#metalctl-audit","page":"metalctl audit","title":"metalctl audit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit/","page":"metalctl audit","title":"metalctl audit","text":"manage audit trace entities","category":"page"},{"location":"external/metalctl/docs/metalctl_audit/#Synopsis","page":"metalctl audit","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit/","page":"metalctl audit","title":"metalctl audit","text":"show audit traces of the api. feature must be enabled on server-side.","category":"page"},{"location":"external/metalctl/docs/metalctl_audit/#Options","page":"metalctl audit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit/","page":"metalctl audit","title":"metalctl audit","text":" -h, --help help for audit","category":"page"},{"location":"external/metalctl/docs/metalctl_audit/#Options-inherited-from-parent-commands","page":"metalctl audit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit/","page":"metalctl audit","title":"metalctl audit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_audit/#SEE-ALSO","page":"metalctl audit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit/","page":"metalctl audit","title":"metalctl audit","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl audit describe\t - describes the audit trace\nmetalctl audit list\t - list all audit traces","category":"page"},{"location":"external/metalctl/docs/metalctl_audit_list/#metalctl-audit-list","page":"metalctl audit list","title":"metalctl audit list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit_list/","page":"metalctl audit list","title":"metalctl audit list","text":"list all audit traces","category":"page"},{"location":"external/metalctl/docs/metalctl_audit_list/","page":"metalctl audit list","title":"metalctl audit list","text":"metalctl audit list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_audit_list/#Options","page":"metalctl audit list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit_list/","page":"metalctl audit list","title":"metalctl audit list","text":" --component string component of the audit trace.\n --detail string detail of the audit trace. An HTTP method, unary or stream\n --error string error of the audit trace.\n --forwarded-for string forwarded for of the audit trace.\n --from string start of range of the audit traces. e.g. 1h, 10m, 2006-01-02 15:04:05 (default \"1h\")\n -h, --help help for list\n --limit int limit the number of audit traces. (default 100)\n --path string api path of the audit trace.\n --phase string phase of the audit trace. One of [request, response, single, error, opened, closed]\n -q, --query string filters audit trace body payloads for the given text.\n --remote-addr string remote address of the audit trace.\n --request-id string request id of the audit trace.\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: path|tenant|timestamp|user\n --status-code int32 HTTP status code of the audit trace.\n --tenant string tenant of the audit trace.\n --to string end of range of the audit traces. e.g. 1h, 10m, 2006-01-02 15:04:05\n --type string type of the audit trace. One of [http, grpc, event].\n --user string user of the audit trace.","category":"page"},{"location":"external/metalctl/docs/metalctl_audit_list/#Options-inherited-from-parent-commands","page":"metalctl audit list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit_list/","page":"metalctl audit list","title":"metalctl audit list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_audit_list/#SEE-ALSO","page":"metalctl audit list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit_list/","page":"metalctl audit list","title":"metalctl audit list","text":"metalctl audit\t - manage audit trace entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/#metalctl-machine-power-reset","page":"metalctl machine power reset","title":"metalctl machine power reset","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/","page":"metalctl machine power reset","title":"metalctl machine power reset","text":"power reset a machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/#Synopsis","page":"metalctl machine power reset","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/","page":"metalctl machine power reset","title":"metalctl machine power reset","text":"(hard) reset the machine power.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/","page":"metalctl machine power reset","title":"metalctl machine power reset","text":"metalctl machine power reset [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/#Options","page":"metalctl machine power reset","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/","page":"metalctl machine power reset","title":"metalctl machine power reset","text":" -h, --help help for reset","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/#Options-inherited-from-parent-commands","page":"metalctl machine power reset","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/","page":"metalctl machine power reset","title":"metalctl machine power reset","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/#SEE-ALSO","page":"metalctl machine power reset","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/","page":"metalctl machine power reset","title":"metalctl machine power reset","text":"metalctl machine power\t - manage machine power","category":"page"},{"location":"development/proposals/MEP3/README/#Machine-Re-Installation","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"","category":"section"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"In the current metal-api only machine installations are possible, performing a machine upgrade is only possible by creating a new machine and delete the old one. This has the drawback that in case a lot of data is stored on the local disks, a full restore of the original data must be performed.","category":"page"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"To prevent this, we will introduce a new metal-api endpoint to reinstall the machine with a new image, without actually deleting the data stored on the additional hard disks.","category":"page"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"Storage is a difficult task to get right and reliable. A short analysis of our different storage requirements lead to 3 different scenarios.","category":"page"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"Storage for the etcd pvs in the seed cluster of every partition. This is the most important storage in our setup because these etcd pods serve as configuration backend for all customer kubernetes clusters. If they fail, the cluster is down. However gardener deploys a backup and restore sidecar into the etcd pod of every customer kubernetes control plane, and if this sidecar detects a corrupt or missing etcd database file(s) it starts automatic restore from the configured backup location. This will take some minutes. If for example a node dies, and gardener creates a new node instead, the csi-lvm created pv is not present on that node. Kubernetes will not schedule the missing etcd pod on this node because it has a local PV configured and is therefore tainted to run only on that node. To let kubernetes create that pod anyhow, someone has to either remove the taint, or delete the pod. If this is done, the pod starts and the restore of the etcd data can start as well. You can see this is a bit too complicated and will take the customer cluster down for a while (not measured yet but in the range of 5-10 minutes).\nStorage in customer clusters. This was not promised in 2020. We have a intermediate solution with the provisioning of csi-lvm by default into all customer clusters. Albeit this is only local storage and will get deleted if a node dies.\nS3 Storage. We have two possibilities to cope with storage:\nIn place update of the OS with a daemonset This will be fast and simple, but might fail because the packages being installed are broken right now, or a filesystem gets full, or any other failure you can think of during a os update. Another drawback is that metal-api does not reflect the updated os image.\nmetal-api get a machine reinstall endpoint With this approach we leverage from existing and already proven mechanisms. Reinstall must keep all data except the sata-dom. Gardener currently is not able to do an update with this approach because it can only do rolling updates. Therefore a additional osupdatestrategy has to be implemented for metal and other providers in gardener to be able to leverage the metal reinstall on the same machineID approach.","category":"page"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"If reinstall is implemented, we should focus on the same technology for all scenarios and put ceph via rook.io into the kubernetes clusters as additional StorageClass. It has to be checked whether to use the raw disk or a PV as the underlay block device where ceph stores its data.","category":"page"},{"location":"development/proposals/MEP3/README/#API-and-behavior","page":"Machine Re-Installation","title":"API and behavior","text":"","category":"section"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"The API will get an new endpoint \"reinstall\" this endpoint takes two arguments:","category":"page"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"machineID\nimage","category":"page"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"No other aspects of the machine can be modified during the re-installation. All data stored in the existing allocation will be preserved, only the image will be modified. Once this endpoint was called, the machine will get a reboot signal with the boot order set to PXE instead of HDD and the network interfaces on the leaf are set to PXE as well. Then the normal installation process starts:","category":"page"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"unchanged: PXE boot with metal-hammer\nchanged: metal-hammer first checks with the machineID in the metal-api (through metal-core) if there is already a allocation present\nchanged: if a allocation is present and the allocation has set reinstall: true, wipe disk is only executed for the root disk, all other disks are untouched.\nunchanged: the specified image is downloaded and burned, /install.sh is executed\nunchanged: successful installation is reported back, network is set the the vrf, boot order is set to HDD.\nunchanged: distribution kernel is booted via kexec","category":"page"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"We can see that the allocation requires one additional parameter: reinstall and metal-hammer must check for already existing allocation at an earlier stage.","category":"page"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"Components which requires modifications (first guess):","category":"page"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"metal-hammer:\ncheck for allocation present earlier\nevaluation of reinstall flag set\nwipe of disks depends on that flag\nBonus: move configuration of disk layout and primary disk detection algorithm (PDDA) from metal-hammer into metal-api. metal-api MUST reject reinstallation if the disk found by PDDA does not have the /etc/metal directory!\nmetal-core:\nprobably nothing\nmetal-api:\nnew endpoint /machine/reinstall\nadd Reinstall bool to data model of allocation\nmake sure to reset Reinstall after reinstallation to prevent endless reinstallation loop\nmetalctl:\nimplement reinstall\nmetal-go:\nimplement reinstall\ngardener (longterm):\nadd the OSUpgradeStrategy reinstall","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_create/#metalctl-machine-create","page":"metalctl machine create","title":"metalctl machine create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_create/","page":"metalctl machine create","title":"metalctl machine create","text":"creates the machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_create/","page":"metalctl machine create","title":"metalctl machine create","text":"metalctl machine create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_create/#Examples","page":"metalctl machine create","title":"Examples","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_create/","page":"metalctl machine create","title":"metalctl machine create","text":"machine create can be done in two different ways:\n\n- default with automatic allocation:\n\n\tmetalctl machine create \\\n\t\t--hostname worker01 \\\n\t\t--name worker \\\n\t\t--image ubuntu-18.04 \\ # query available with: metalctl image list\n\t\t--size t1-small-x86 \\ # query available with: metalctl size list\n\t\t--partition test \\ # query available with: metalctl partition list\n\t\t--project cluster01 \\\n\t\t--sshpublickey \"@~/.ssh/id_rsa.pub\"\n\n- for metal administration with reserved machines:\n\n\treserve a machine you want to allocate:\n\n\tmetalctl machine reserve 00000000-0000-0000-0000-0cc47ae54694 --description \"blocked for maintenance\"\n\n\tallocate this machine:\n\n\tmetalctl machine create \\\n\t\t--hostname worker01 \\\n\t\t--name worker \\\n\t\t--image ubuntu-18.04 \\ # query available with: metalctl image list\n\t\t--project cluster01 \\\n\t\t--sshpublickey \"@~/.ssh/id_rsa.pub\" \\\n\t\t--id 00000000-0000-0000-0000-0cc47ae54694\n\nafter you do not want to use this machine exclusive, remove the reservation:\n\nmetalctl machine reserve 00000000-0000-0000-0000-0cc47ae54694 --remove\n\nOnce created the machine installation can not be modified anymore.\n","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_create/#Options","page":"metalctl machine create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_create/","page":"metalctl machine create","title":"metalctl machine create","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -d, --description string Description of the machine to create. [optional]\n --dnsservers strings dns servers to add to the machine or firewall. [optional]\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl machine describe machine-1 -o yaml > machine.yaml\n $ vi machine.yaml\n $ # either via stdin\n $ cat machine.yaml | metalctl machine create -f -\n $ # or via file\n $ metalctl machine create -f machine.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n --filesystemlayout string Filesystemlayout to use during machine installation. [optional]\n -h, --help help for create\n -H, --hostname string Hostname of the machine. [required]\n -I, --id string ID of a specific machine to allocate, if given, size and partition are ignored. Need to be set to reserved (--reserve) state before.\n -i, --image string OS Image to install. [required]\n --ips strings Sets the machine's IP address. Usage: [--ips[=IPV4-ADDRESS[,IPV4-ADDRESS]...]]...\n IPV4-ADDRESS specifies the IPv4 address to add.\n It can only be used in conjunction with --networks.\n -n, --name string Name of the machine. [optional]\n --networks strings Adds a network. Usage: [--networks NETWORK[:MODE][,NETWORK[:MODE]]...]...\n NETWORK specifies the name or id of an existing network.\n MODE cane be omitted or one of:\n \tauto\tIP address is automatically acquired from the given network\n \tnoauto\tIP address for the given network must be provided via --ips\n --ntpservers strings ntp servers to add to the machine or firewall. [optional]\n -S, --partition string partition/datacenter where the machine is created. [required, except for reserved machines]\n -P, --project string Project where the machine should belong to. [required]\n -s, --size string Size of the machine. [required, except for reserved machines]\n --skip-security-prompts skips security prompt for bulk operations\n -p, --sshpublickey string SSH public key for access via ssh and console. [optional]\n Can be either the public key as string, or pointing to the public key file to use e.g.: \"@~/.ssh/id_rsa.pub\".\n If ~/.ssh/[id_ed25519.pub | id_rsa.pub | id_dsa.pub] is present it will be picked as default, matching the first one in this order.\n --tags strings tags to add to the machine, use it like: --tags \"tag1,tag2\" or --tags \"tag3\".\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations\n --userdata string cloud-init.io compatible userdata. [optional]\n Can be either the userdata as string, or pointing to the userdata file to use e.g.: \"@/tmp/userdata.cfg\".","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_create/#Options-inherited-from-parent-commands","page":"metalctl machine create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_create/","page":"metalctl machine create","title":"metalctl machine create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_create/#SEE-ALSO","page":"metalctl machine create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_create/","page":"metalctl machine create","title":"metalctl machine create","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"installation/monitoring/#Monitoring-the-metal-stack","page":"Monitoring","title":"Monitoring the metal-stack","text":"","category":"section"},{"location":"installation/monitoring/#Overview","page":"Monitoring","title":"Overview","text":"","category":"section"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"(Image: Monitoring Stack)","category":"page"},{"location":"installation/monitoring/#Logging","page":"Monitoring","title":"Logging","text":"","category":"section"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"Logs are being collected by Promtail and pushed to a Loki instance running in the control plane. Loki is deployed in monolithic mode and with storage type 'filesystem'. You can find all logging related configuration parameters for the control plane in the control plane's logging role.","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"In the partitions, Promtail is deployed inside a systemd-managed Docker container. Configuration parameters can be found in the partition's promtail role. Which hosts Promtail collects from can be configured via the prometheus_promtail_targets variable.","category":"page"},{"location":"installation/monitoring/#Monitoring","page":"Monitoring","title":"Monitoring","text":"","category":"section"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"For monitoring we deploy the kube-prometheus-stack and a Thanos instance in the control plane. Metrics for the control plane are supplied by","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"metal-metrics-exporter\nrethindb-exporter\nevent-exporter\ngardener-metrics-exporter","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"To query and visualize logs, metrics and alerts we deploy several grafana dashboards to the control plane:","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"grafana-dashboard-alertmanager\ngrafana-dashboard-machine-capacity\ngrafana-dashboard-metal-api\ngrafana-dashboard-rethinkdb\ngrafana-dashboard-sonic-exporter","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"and also some gardener related dashboards:","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"grafana-dashboard-gardener-overview\ngrafana-dashboard-shoot-cluster\ngrafana-dashboard-shoot-customizations\ngrafana-dashboard-shoot-details\ngrafana-dashboard-shoot-states","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"The following ServiceMonitors are also deployed:","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"gardener-metrics-exporter\nipam-db\nmasterdata-api\nmasterdata-db\nmetal-api\nmetal-db\nrethinkdb-exporter\nmetal-metrics-exporter","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"All monitoring related configuration parameters for the control plane can be found in the control plane's monitoring role.","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"Partition metrics are supplied by","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"node-exporter\nblackbox-exporter\nipmi-exporter\nsonic-exporter\nmetal-core\nfrr-exporter","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"and scraped by Prometheus. For each of these exporters, the target hosts can be defined by","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"prometheus_node_exporter_targets\nprometheus_blackbox_exporter_targets\nprometheus_frr_exporter_targets\nprometheus_sonic_exporter_targets\nprometheus_metal_core_targets\nprometheus_frr_exporter_targets","category":"page"},{"location":"installation/monitoring/#Alerting","page":"Monitoring","title":"Alerting","text":"","category":"section"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"In addition to Grafana, alerts can optionally be sent to a Slack channel. For this to work, at least a valid monitoring_slack_api_url and a monitoring_slack_notification_channel must be specified. For further configuration parameters refer to the monitoring role. Alerting rules are defined in the rules directory of the partition's prometheus role.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reserve/#metalctl-machine-reserve","page":"metalctl machine reserve","title":"metalctl machine reserve","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_reserve/","page":"metalctl machine reserve","title":"metalctl machine reserve","text":"reserve a machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reserve/#Synopsis","page":"metalctl machine reserve","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_reserve/","page":"metalctl machine reserve","title":"metalctl machine reserve","text":"reserve a machine for exclusive usage, this machine will no longer be picked by other allocations. This is useful for maintenance of the machine or testing. After the reservation is not needed anymore, the reservation should be removed with –remove.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reserve/","page":"metalctl machine reserve","title":"metalctl machine reserve","text":"metalctl machine reserve [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reserve/#Options","page":"metalctl machine reserve","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_reserve/","page":"metalctl machine reserve","title":"metalctl machine reserve","text":" -d, --description string description of the reason for the reservation.\n -h, --help help for reserve\n -r, --remove remove the reservation.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reserve/#Options-inherited-from-parent-commands","page":"metalctl machine reserve","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_reserve/","page":"metalctl machine reserve","title":"metalctl machine reserve","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reserve/#SEE-ALSO","page":"metalctl machine reserve","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_reserve/","page":"metalctl machine reserve","title":"metalctl machine reserve","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/#metalctl-completion-bash","page":"metalctl completion bash","title":"metalctl completion bash","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"Generate the autocompletion script for bash","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/#Synopsis","page":"metalctl completion bash","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"Generate the autocompletion script for the bash shell.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"This script depends on the 'bash-completion' package. If it is not installed already, you can install it via your OS's package manager.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"To load completions in your current shell session:","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"source <(metalctl completion bash)","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"To load completions for every new session, execute once:","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/#Linux:","page":"metalctl completion bash","title":"Linux:","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"metalctl completion bash > /etc/bash_completion.d/metalctl","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/#macOS:","page":"metalctl completion bash","title":"macOS:","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"metalctl completion bash > $(brew --prefix)/etc/bash_completion.d/metalctl","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"You will need to start a new shell for this setup to take effect.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"metalctl completion bash","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/#Options","page":"metalctl completion bash","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":" -h, --help help for bash\n --no-descriptions disable completion descriptions","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/#Options-inherited-from-parent-commands","page":"metalctl completion bash","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/#SEE-ALSO","page":"metalctl completion bash","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"metalctl completion\t - Generate the autocompletion script for the specified shell","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_on/#metalctl-machine-power-on","page":"metalctl machine power on","title":"metalctl machine power on","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_on/","page":"metalctl machine power on","title":"metalctl machine power on","text":"power on a machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_on/#Synopsis","page":"metalctl machine power on","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_on/","page":"metalctl machine power on","title":"metalctl machine power on","text":"set the machine to power on state, if the machine already was on nothing happens.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_on/","page":"metalctl machine power on","title":"metalctl machine power on","text":"metalctl machine power on [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_on/#Options","page":"metalctl machine power on","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_on/","page":"metalctl machine power on","title":"metalctl machine power on","text":" -h, --help help for on","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_on/#Options-inherited-from-parent-commands","page":"metalctl machine power on","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_on/","page":"metalctl machine power on","title":"metalctl machine power on","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_on/#SEE-ALSO","page":"metalctl machine power on","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_on/","page":"metalctl machine power on","title":"metalctl machine power on","text":"metalctl machine power\t - manage machine power","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware/#metalctl-firmware","page":"metalctl firmware","title":"metalctl firmware","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware/","page":"metalctl firmware","title":"metalctl firmware","text":"manage firmwares","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware/#Synopsis","page":"metalctl firmware","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware/","page":"metalctl firmware","title":"metalctl firmware","text":"list, upload and remove firmwares.","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware/#Options","page":"metalctl firmware","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware/","page":"metalctl firmware","title":"metalctl firmware","text":" -h, --help help for firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware/#Options-inherited-from-parent-commands","page":"metalctl firmware","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware/","page":"metalctl firmware","title":"metalctl firmware","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware/#SEE-ALSO","page":"metalctl firmware","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware/","page":"metalctl firmware","title":"metalctl firmware","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl firmware delete\t - delete a firmware\nmetalctl firmware list\t - list firmwares\nmetalctl firmware upload\t - upload a firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_edit/#metalctl-filesystemlayout-edit","page":"metalctl filesystemlayout edit","title":"metalctl filesystemlayout edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_edit/","page":"metalctl filesystemlayout edit","title":"metalctl filesystemlayout edit","text":"edit the filesystemlayout through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_edit/","page":"metalctl filesystemlayout edit","title":"metalctl filesystemlayout edit","text":"metalctl filesystemlayout edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_edit/#Options","page":"metalctl filesystemlayout edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_edit/","page":"metalctl filesystemlayout edit","title":"metalctl filesystemlayout edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_edit/#Options-inherited-from-parent-commands","page":"metalctl filesystemlayout edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_edit/","page":"metalctl filesystemlayout edit","title":"metalctl filesystemlayout edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_edit/#SEE-ALSO","page":"metalctl filesystemlayout edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_edit/","page":"metalctl filesystemlayout edit","title":"metalctl filesystemlayout edit","text":"metalctl filesystemlayout\t - manage filesystemlayout entities","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_delete/#metalctl-firmware-delete","page":"metalctl firmware delete","title":"metalctl firmware delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_delete/","page":"metalctl firmware delete","title":"metalctl firmware delete","text":"delete a firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_delete/#Synopsis","page":"metalctl firmware delete","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_delete/","page":"metalctl firmware delete","title":"metalctl firmware delete","text":"deletes the specified firmware.","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_delete/","page":"metalctl firmware delete","title":"metalctl firmware delete","text":"metalctl firmware delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_delete/#Options","page":"metalctl firmware delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_delete/","page":"metalctl firmware delete","title":"metalctl firmware delete","text":" --board string the board type (required)\n -h, --help help for delete\n --kind string the firmware kind [bmc|bios] (required)\n --revision string the firmware revision (required)\n --vendor string the vendor (required)","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_delete/#Options-inherited-from-parent-commands","page":"metalctl firmware delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_delete/","page":"metalctl firmware delete","title":"metalctl firmware delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_delete/#SEE-ALSO","page":"metalctl firmware delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_delete/","page":"metalctl firmware delete","title":"metalctl firmware delete","text":"metalctl firmware\t - manage firmwares","category":"page"},{"location":"overview/gpu-support/#GPU-Support","page":"GPU Support","title":"GPU Support","text":"","category":"section"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"Pages = [\"gpu-support.md\"]\nDepth = 5","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"For workloads which require the assistance of GPUs, support for GPUs in bare metal servers was added to metal-stack.io v0.18.0.","category":"page"},{"location":"overview/gpu-support/#GPU-Operator-installation","page":"GPU Support","title":"GPU Operator installation","text":"","category":"section"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"With the nvidia image a worker has basic GPU support. This means that the required kernel driver, the containerd shim and the required containerd configuration are already installed and configured.","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"To enable Pods that require GPU support to be scheduled on a worker node with a GPU, a `gpu-operator' must be installed. This has to be done by the cluster owner after the cluster is up and running.","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"The simplest way to install this operator is as follows:","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"helm repo add nvidia https://helm.ngc.nvidia.com/nvidia\nhelm repo update\n\nkubectl create ns gpu-operator\nkubectl label --overwrite ns gpu-operator pod-security.kubernetes.io/enforce=privileged\n\nhelm install --wait \\\n --generate-name \\\n --namespace gpu-operator \\\n --create-namespace \\\n nvidia/gpu-operator \\\n --set driver.enabled=false \\\n --set toolkit.enabled=false","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"After that kubectl describe node must show the gpu in the capacity like so:","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"...\nCapacity:\n cpu: 64\n ephemeral-storage: 100205640Ki\n hugepages-1Gi: 0\n hugepages-2Mi: 0\n memory: 263802860Ki\n nvidia.com/gpu: 1\n pods: 510\n...","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"With this basic installation, the worker node is ready to process GPU workloads.","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"warning: Warning\nHowever, there is a caveat - only one 'Pod' can access the GPU. If this is all you need, no additional configuration is required. On the other hand, if you are planning to deploy multiple applications that require GPU support, and there are not that many GPUs available, you will need to configure the gpu-operator to allow the GPU to be shared between multiple Pods.","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"There are several approaches to sharing GPUs, please consult the official Nvidia documentation for further reference.","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"https://developer.nvidia.com/blog/improving-gpu-utilization-in-kubernetes https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/gpu-operator-mig.html https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/gpu-sharing.html","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"With this, happy AI processing.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_powershell/#metalctl-completion-powershell","page":"metalctl completion powershell","title":"metalctl completion powershell","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_powershell/","page":"metalctl completion powershell","title":"metalctl completion powershell","text":"Generate the autocompletion script for powershell","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_powershell/#Synopsis","page":"metalctl completion powershell","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_powershell/","page":"metalctl completion powershell","title":"metalctl completion powershell","text":"Generate the autocompletion script for powershell.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_powershell/","page":"metalctl completion powershell","title":"metalctl completion powershell","text":"To load completions in your current shell session:","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_powershell/","page":"metalctl completion powershell","title":"metalctl completion powershell","text":"metalctl completion powershell | Out-String | Invoke-Expression","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_powershell/","page":"metalctl completion powershell","title":"metalctl completion powershell","text":"To load completions for every new session, add the output of the above command to your powershell profile.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_powershell/","page":"metalctl completion powershell","title":"metalctl completion powershell","text":"metalctl completion powershell [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_powershell/#Options","page":"metalctl completion powershell","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_powershell/","page":"metalctl completion powershell","title":"metalctl completion powershell","text":" -h, --help help for powershell\n --no-descriptions disable completion descriptions","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_powershell/#Options-inherited-from-parent-commands","page":"metalctl completion powershell","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_powershell/","page":"metalctl completion powershell","title":"metalctl completion powershell","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_powershell/#SEE-ALSO","page":"metalctl completion powershell","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_powershell/","page":"metalctl completion powershell","title":"metalctl completion powershell","text":"metalctl completion\t - Generate the autocompletion script for the specified shell","category":"page"},{"location":"external/metalctl/docs/metalctl_size_list/#metalctl-size-list","page":"metalctl size list","title":"metalctl size list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_list/","page":"metalctl size list","title":"metalctl size list","text":"list all sizes","category":"page"},{"location":"external/metalctl/docs/metalctl_size_list/","page":"metalctl size list","title":"metalctl size list","text":"metalctl size list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_list/#Options","page":"metalctl size list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_list/","page":"metalctl size list","title":"metalctl size list","text":" -h, --help help for list\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: description|id|name","category":"page"},{"location":"external/metalctl/docs/metalctl_size_list/#Options-inherited-from-parent-commands","page":"metalctl size list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_list/","page":"metalctl size list","title":"metalctl size list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_list/#SEE-ALSO","page":"metalctl size list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_list/","page":"metalctl size list","title":"metalctl size list","text":"metalctl size\t - manage size entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint/#metalctl-size-imageconstraint","page":"metalctl size imageconstraint","title":"metalctl size imageconstraint","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint/","page":"metalctl size imageconstraint","title":"metalctl size imageconstraint","text":"manage imageconstraint entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint/#Synopsis","page":"metalctl size imageconstraint","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint/","page":"metalctl size imageconstraint","title":"metalctl size imageconstraint","text":"if a size has specific requirements regarding the images which must fulfill certain constraints, this can be configured here.","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint/#Options","page":"metalctl size imageconstraint","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint/","page":"metalctl size imageconstraint","title":"metalctl size imageconstraint","text":" -h, --help help for imageconstraint","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint/#Options-inherited-from-parent-commands","page":"metalctl size imageconstraint","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint/","page":"metalctl size imageconstraint","title":"metalctl size imageconstraint","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint/#SEE-ALSO","page":"metalctl size imageconstraint","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint/","page":"metalctl size imageconstraint","title":"metalctl size imageconstraint","text":"metalctl size\t - manage size entities\nmetalctl size imageconstraint apply\t - applies one or more imageconstraints from a given file\nmetalctl size imageconstraint create\t - creates the imageconstraint\nmetalctl size imageconstraint delete\t - deletes the imageconstraint\nmetalctl size imageconstraint describe\t - describes the imageconstraint\nmetalctl size imageconstraint edit\t - edit the imageconstraint through an editor and update\nmetalctl size imageconstraint list\t - list all imageconstraints\nmetalctl size imageconstraint try\t - try if size and image can be allocated\nmetalctl size imageconstraint update\t - updates the imageconstraint","category":"page"},{"location":"external/metalctl/docs/metalctl_size/#metalctl-size","page":"metalctl size","title":"metalctl size","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size/","page":"metalctl size","title":"metalctl size","text":"manage size entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size/#Synopsis","page":"metalctl size","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size/","page":"metalctl size","title":"metalctl size","text":"a size matches a machine in terms of cpu cores, ram and storage.","category":"page"},{"location":"external/metalctl/docs/metalctl_size/#Options","page":"metalctl size","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size/","page":"metalctl size","title":"metalctl size","text":" -h, --help help for size","category":"page"},{"location":"external/metalctl/docs/metalctl_size/#Options-inherited-from-parent-commands","page":"metalctl size","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size/","page":"metalctl size","title":"metalctl size","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size/#SEE-ALSO","page":"metalctl size","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size/","page":"metalctl size","title":"metalctl size","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl size apply\t - applies one or more sizes from a given file\nmetalctl size create\t - creates the size\nmetalctl size delete\t - deletes the size\nmetalctl size describe\t - describes the size\nmetalctl size edit\t - edit the size through an editor and update\nmetalctl size imageconstraint\t - manage imageconstraint entities\nmetalctl size list\t - list all sizes\nmetalctl size reservation\t - manage reservation entities\nmetalctl size suggest\t - suggest size from a given machine id\nmetalctl size update\t - updates the size","category":"page"},{"location":"overview/os/#Operating-Systems","page":"Operating Systems","title":"Operating Systems","text":"","category":"section"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"Our operating system images are built on regular basis from the metal-images repository.","category":"page"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"All images are hosted on GKE at images.metal-stack.io. Feel free to use this as a mirror for your metal-stack partitions if you want. The metal-stack developers continuously have an eye on the supported images. They are updated regularly and scanned for vulnerabilities.","category":"page"},{"location":"overview/os/#Supported-OS-Images","page":"Operating Systems","title":"Supported OS Images","text":"","category":"section"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"The operating system images that we build are trimmed down to their bare essentials for serving as Kubernetes worker nodes. Small image sizes make machine provisioning blazingly fast.","category":"page"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"The supported images for worker nodes currently are:","category":"page"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"Platform Distribution Version\nLinux Debian 11\nLinux Ubuntu 22.04","category":"page"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"The supported images for firewalls are:","category":"page"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"Platform Distribution Version Based On\nLinux Ubuntu 3 22.04","category":"page"},{"location":"overview/os/#Building-Your-Own-Images","page":"Operating Systems","title":"Building Your Own Images","text":"","category":"section"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"It is fully possible to build your own operating system images and provide them through the metal-stack.","category":"page"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"There are some conventions though that you need to follow in order to make your image installable through the metal-hammer. You should understand the machine provisioning sequence before starting to write your own images.","category":"page"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"Images need to be compressed to a tarball using the lz4 compression algorithm\nAn md5 checksum file with the same name as the image archive needs to be provided in the download path along with the actual os image\nA packages.txt containing the packages contained in the OS image should be provided in the download path (not strictly required)\nConsider semantic image versioning, which we use in our algorithms to select latest images (e.g. os-major.minor.patch ➡️ ubuntu-19.10.20191018)\nConsider installing packages used by the metal-stack infrastructure\nFRR to enable routing-to-the-host in our network topology\ngo-lldpd to enable checking if the machine is still alive after user allocation\nignition for enabling users to run user-specific initialization instructions before bootup. It's pretty small in size, which is why we use it. However, you are free to use other cloud instance initialization tools if you want to.\nYou have to provide an install.sh script, which applies user-specific configuration in the installed image\nThis script should consume parameters from the install.yaml file that the metal-hammer writes to /etc/metal/install.yaml\nPlease check this contract between image and the metal-hammer here\nFor the time being, your image must be able to support kexec into the new operating system kernel, the kexec command is issued by the metal-hammer after running the install.sh. We do this because kexec is much faster than rebooting a machine.\nWe recommend building images from Dockerfiles as it is done in metal-images repository.","category":"page"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"info: Info\nBuilding own operating system images is an advanced topic. When you have just started with metal-stack, we recommend using the public operating system images first.","category":"page"},{"location":"external/metalctl/README/#metalctl","page":"metalctl","title":"metalctl","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"metalctl is the command line client to access the metal-api.","category":"page"},{"location":"external/metalctl/README/#Installation","page":"metalctl","title":"Installation","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"Download locations:","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"metalctl-linux-amd64\nmetalctl-darwin-amd64\nmetalctl-darwin-arm64\nmetalctl-windows-amd64","category":"page"},{"location":"external/metalctl/README/#Installation-on-Linux","page":"metalctl","title":"Installation on Linux","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"curl -LO https://github.com/metal-stack/metalctl/releases/latest/download/metalctl-linux-amd64\nchmod +x metalctl-linux-amd64\nsudo mv metalctl-linux-amd64 /usr/local/bin/metalctl","category":"page"},{"location":"external/metalctl/README/#Installation-on-MacOS","page":"metalctl","title":"Installation on MacOS","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"For x86 based Macs:","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"curl -LO https://github.com/metal-stack/metalctl/releases/latest/download/metalctl-darwin-amd64\nchmod +x metalctl-darwin-amd64\nsudo mv metalctl-darwin-amd64 /usr/local/bin/metalctl","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"For Apple Silicon (M1) based Macs:","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"curl -LO https://github.com/metal-stack/metalctl/releases/latest/download/metalctl-darwin-arm64\nchmod +x metalctl-darwin-arm64\nsudo mv metalctl-darwin-arm64 /usr/local/bin/metalctl","category":"page"},{"location":"external/metalctl/README/#Installation-on-Windows","page":"metalctl","title":"Installation on Windows","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"curl -LO https://github.com/metal-stack/metalctl/releases/latest/download/metalctl-windows-amd64\ncopy metalctl-windows-amd64 metalctl.exe","category":"page"},{"location":"external/metalctl/README/#metalctl-update","page":"metalctl","title":"metalctl update","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"In order to keep your local metalctl installation up to date, you can update the binary like this:","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"metalctl update check\nlatest version:v0.8.3 from:2020-08-13T11:55:14Z\nlocal version:v0.8.2 from:2020-08-12T09:27:39Z\nmetalctl is not up to date\n\nmetalctl update do\n# a download with progress bar starts and replaces the binary. If the binary has root permissions please execute\nsudo metalctl update do\n# instead","category":"page"},{"location":"external/metalctl/README/#Built-from-project","page":"metalctl","title":"Built from project","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"make\nsudo ln -sf $(pwd)/bin/metalctl /usr/local/bin/metalctl","category":"page"},{"location":"external/metalctl/README/#Configuration","page":"metalctl","title":"Configuration","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"Set up auto-completion for metalctl, e.g. add to your ~/.bashrc:","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"source <(metalctl completion bash)","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"Set up metalctl config, by first creating the config folder (mkdir -p ~/.metalctl), then set the values according to your installation in ~/.metalctl/config.yaml:","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"---\ncurrent: prod\ncontexts:\n prod:\n url: https://api.metal-stack.io/metal\n issuer_url: https://dex.metal-stack.io/dex\n client_id: metal_client\n client_secret: 456\n hmac: YOUR_HMAC","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"Optional you can specify issuer_type: generic if you use other issuers as Dex, e.g. Keycloak (this will request scopes openid,profile,email):","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"contexts:\n prod:\n url: https://api.metal-stack.io/metal\n issuer_url: https://keycloak.somedomain.io\n issuer_type: generic\n client_id: my-client-id\n client_secret: my-secret","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"If you must specify special scopes for your issuer, you can use custom_scopes:","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"contexts:\n prod:\n url: https://api.metal-stack.io/metal\n issuer_url: https://keycloak.somedomain.io\n custom_scopes: roles,openid,profile,email\n client_id: my-client-id\n client_secret: my-secret","category":"page"},{"location":"external/metalctl/README/#Available-commands","page":"metalctl","title":"Available commands","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"Full documentation is generated out of the cobra command implementation with:","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"metalctl markdown","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"generated markdown is here and here","category":"page"},{"location":"external/metalctl/README/#Development","page":"metalctl","title":"Development","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"For MacOS users, running the tests might throw an error because tests are utilizing go-mpatch in order to manipulate the time.Now function. The patch allows testing with fixed timestamps.","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"Instead, MacOS users can utilize the make test-in-docker target to execute the tests.","category":"page"},{"location":"external/metalctl/README/#Page-Tree","page":"metalctl","title":"Page Tree","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"Pages = vcat([[joinpath(root, file)[length(@__DIR__)+2:end] for file in files] for (root, dirs, files) in walkdir(@__DIR__)]...)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip/#metalctl-network-ip","page":"metalctl network ip","title":"metalctl network ip","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip/","page":"metalctl network ip","title":"metalctl network ip","text":"manage ip entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip/#Synopsis","page":"metalctl network ip","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip/","page":"metalctl network ip","title":"metalctl network ip","text":"an ip address can be attached to a machine or firewall such that network traffic can be routed to these servers.","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip/#Options","page":"metalctl network ip","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip/","page":"metalctl network ip","title":"metalctl network ip","text":" -h, --help help for ip","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip/#Options-inherited-from-parent-commands","page":"metalctl network ip","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip/","page":"metalctl network ip","title":"metalctl network ip","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip/#SEE-ALSO","page":"metalctl network ip","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip/","page":"metalctl network ip","title":"metalctl network ip","text":"metalctl network\t - manage network entities\nmetalctl network ip apply\t - applies one or more ips from a given file\nmetalctl network ip create\t - creates the ip\nmetalctl network ip delete\t - deletes the ip\nmetalctl network ip describe\t - describes the ip\nmetalctl network ip edit\t - edit the ip through an editor and update\nmetalctl network ip issues\t - display ips which are in a potential bad state\nmetalctl network ip list\t - list all ips\nmetalctl network ip update\t - updates the ip","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_create/#metalctl-firewall-create","page":"metalctl firewall create","title":"metalctl firewall create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_create/","page":"metalctl firewall create","title":"metalctl firewall create","text":"creates the firewall","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_create/","page":"metalctl firewall create","title":"metalctl firewall create","text":"metalctl firewall create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_create/#Options","page":"metalctl firewall create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_create/","page":"metalctl firewall create","title":"metalctl firewall create","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -d, --description string Description of the firewall to create. [optional]\n --dnsservers strings dns servers to add to the machine or firewall. [optional]\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl firewall describe firewall-1 -o yaml > firewall.yaml\n $ vi firewall.yaml\n $ # either via stdin\n $ cat firewall.yaml | metalctl firewall create -f -\n $ # or via file\n $ metalctl firewall create -f firewall.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n --filesystemlayout string Filesystemlayout to use during machine installation. [optional]\n --firewall-rules-file string firewall rules specified in a yaml file\n \n Example:\n \n $ metalctl firewall create ..mandatory args.. --firewall-rules-file rules.yaml\n \n rules.yaml\n ---\n egress:\n - comment: allow outgoing https\n ports:\n - 443\n protocol: TCP\n to:\n - 0.0.0.0/0\n - comment: allow outgoing dns via tcp\n ports:\n - 53\n protocol: TCP\n to:\n - 0.0.0.0/0\n - comment: allow outgoing dns and ntp via udp\n ports:\n - 53\n - 123\n protocol: UDP\n to:\n - 0.0.0.0/0\n ingress:\n - comment: allow incoming ssh only to one ip\n ports:\n - 22\n protocol: TCP\n from:\n - 0.0.0.0/0\n - 1.2.3.4/32\n to:\n - 212.34.83.19/32\n - comment: allow incoming https to all targets\n ports:\n - 80\n - 433\n protocol: TCP\n from:\n - 0.0.0.0/0\n \n \n -h, --help help for create\n -H, --hostname string Hostname of the firewall. [required]\n -I, --id string ID of a specific firewall to allocate, if given, size and partition are ignored. Need to be set to reserved (--reserve) state before.\n -i, --image string OS Image to install. [required]\n --ips strings Sets the firewall's IP address. Usage: [--ips[=IPV4-ADDRESS[,IPV4-ADDRESS]...]]...\n IPV4-ADDRESS specifies the IPv4 address to add.\n It can only be used in conjunction with --networks.\n -n, --name string Name of the firewall. [optional]\n --networks strings Adds network(s). Usage: --networks NETWORK[:MODE][,NETWORK[:MODE]]... [--networks NETWORK[:MODE][,\n NETWORK[:MODE]]...]...\n NETWORK specifies the id of an existing network.\n MODE can be omitted or one of:\n \tauto\tIP address is automatically acquired from the given network\n \tnoauto\tNo automatic IP address acquisition\n --ntpservers strings ntp servers to add to the machine or firewall. [optional]\n -S, --partition string partition/datacenter where the firewall is created. [required, except for reserved machines]\n -P, --project string Project where the firewall should belong to. [required]\n -s, --size string Size of the firewall. [required, except for reserved machines]\n --skip-security-prompts skips security prompt for bulk operations\n -p, --sshpublickey string SSH public key for access via ssh and console. [optional]\n Can be either the public key as string, or pointing to the public key file to use e.g.: \"@~/.ssh/id_rsa.pub\".\n If ~/.ssh/[id_ed25519.pub | id_rsa.pub | id_dsa.pub] is present it will be picked as default, matching the first one in this order.\n --tags strings tags to add to the firewall, use it like: --tags \"tag1,tag2\" or --tags \"tag3\".\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations\n --userdata string cloud-init.io compatible userdata. [optional]\n Can be either the userdata as string, or pointing to the userdata file to use e.g.: \"@/tmp/userdata.cfg\".","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_create/#Options-inherited-from-parent-commands","page":"metalctl firewall create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_create/","page":"metalctl firewall create","title":"metalctl firewall create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_create/#SEE-ALSO","page":"metalctl firewall create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_create/","page":"metalctl firewall create","title":"metalctl firewall create","text":"metalctl firewall\t - manage firewall entities","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_match/#metalctl-filesystemlayout-match","page":"metalctl filesystemlayout match","title":"metalctl filesystemlayout match","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_match/","page":"metalctl filesystemlayout match","title":"metalctl filesystemlayout match","text":"check if a machine satisfies all disk requirements of a given filesystemlayout","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_match/","page":"metalctl filesystemlayout match","title":"metalctl filesystemlayout match","text":"metalctl filesystemlayout match [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_match/#Options","page":"metalctl filesystemlayout match","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_match/","page":"metalctl filesystemlayout match","title":"metalctl filesystemlayout match","text":" --filesystemlayout string filesystemlayout id to check against [required]\n -h, --help help for match\n --machine string machine id to check for match [required]","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_match/#Options-inherited-from-parent-commands","page":"metalctl filesystemlayout match","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_match/","page":"metalctl filesystemlayout match","title":"metalctl filesystemlayout match","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_match/#SEE-ALSO","page":"metalctl filesystemlayout match","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_match/","page":"metalctl filesystemlayout match","title":"metalctl filesystemlayout match","text":"metalctl filesystemlayout\t - manage filesystemlayout entities","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_delete/#metalctl-filesystemlayout-delete","page":"metalctl filesystemlayout delete","title":"metalctl filesystemlayout delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_delete/","page":"metalctl filesystemlayout delete","title":"metalctl filesystemlayout delete","text":"deletes the filesystemlayout","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_delete/","page":"metalctl filesystemlayout delete","title":"metalctl filesystemlayout delete","text":"metalctl filesystemlayout delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_delete/#Options","page":"metalctl filesystemlayout delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_delete/","page":"metalctl filesystemlayout delete","title":"metalctl filesystemlayout delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl filesystemlayout describe filesystemlayout-1 -o yaml > filesystemlayout.yaml\n $ vi filesystemlayout.yaml\n $ # either via stdin\n $ cat filesystemlayout.yaml | metalctl filesystemlayout delete -f -\n $ # or via file\n $ metalctl filesystemlayout delete -f filesystemlayout.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_delete/#Options-inherited-from-parent-commands","page":"metalctl filesystemlayout delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_delete/","page":"metalctl filesystemlayout delete","title":"metalctl filesystemlayout delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_delete/#SEE-ALSO","page":"metalctl filesystemlayout delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_delete/","page":"metalctl filesystemlayout delete","title":"metalctl filesystemlayout delete","text":"metalctl filesystemlayout\t - manage filesystemlayout entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_update/#metalctl-network-ip-update","page":"metalctl network ip update","title":"metalctl network ip update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_update/","page":"metalctl network ip update","title":"metalctl network ip update","text":"updates the ip","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_update/","page":"metalctl network ip update","title":"metalctl network ip update","text":"metalctl network ip update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_update/#Options","page":"metalctl network ip update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_update/","page":"metalctl network ip update","title":"metalctl network ip update","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl ip describe ip-1 -o yaml > ip.yaml\n $ vi ip.yaml\n $ # either via stdin\n $ cat ip.yaml | metalctl ip update -f -\n $ # or via file\n $ metalctl ip update -f ip.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_update/#Options-inherited-from-parent-commands","page":"metalctl network ip update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_update/","page":"metalctl network ip update","title":"metalctl network ip update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_update/#SEE-ALSO","page":"metalctl network ip update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_update/","page":"metalctl network ip update","title":"metalctl network ip update","text":"metalctl network ip\t - manage ip entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_describe/#metalctl-size-describe","page":"metalctl size describe","title":"metalctl size describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_describe/","page":"metalctl size describe","title":"metalctl size describe","text":"describes the size","category":"page"},{"location":"external/metalctl/docs/metalctl_size_describe/","page":"metalctl size describe","title":"metalctl size describe","text":"metalctl size describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_describe/#Options","page":"metalctl size describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_describe/","page":"metalctl size describe","title":"metalctl size describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_size_describe/#Options-inherited-from-parent-commands","page":"metalctl size describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_describe/","page":"metalctl size describe","title":"metalctl size describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_describe/#SEE-ALSO","page":"metalctl size describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_describe/","page":"metalctl size describe","title":"metalctl size describe","text":"metalctl size\t - manage size entities","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_apply/#metalctl-tenant-apply","page":"metalctl tenant apply","title":"metalctl tenant apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_apply/","page":"metalctl tenant apply","title":"metalctl tenant apply","text":"applies one or more tenants from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_apply/","page":"metalctl tenant apply","title":"metalctl tenant apply","text":"metalctl tenant apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_apply/#Options","page":"metalctl tenant apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_apply/","page":"metalctl tenant apply","title":"metalctl tenant apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl tenant describe tenant-1 -o yaml > tenant.yaml\n $ vi tenant.yaml\n $ # either via stdin\n $ cat tenant.yaml | metalctl tenant apply -f -\n $ # or via file\n $ metalctl tenant apply -f tenant.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_apply/#Options-inherited-from-parent-commands","page":"metalctl tenant apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_apply/","page":"metalctl tenant apply","title":"metalctl tenant apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_apply/#SEE-ALSO","page":"metalctl tenant apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_apply/","page":"metalctl tenant apply","title":"metalctl tenant apply","text":"metalctl tenant\t - manage tenant entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_off/#metalctl-machine-power-off","page":"metalctl machine power off","title":"metalctl machine power off","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_off/","page":"metalctl machine power off","title":"metalctl machine power off","text":"power off a machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_off/#Synopsis","page":"metalctl machine power off","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_off/","page":"metalctl machine power off","title":"metalctl machine power off","text":"set the machine to power off state, if the machine already was off nothing happens. It will usually take some time to power off the machine, depending on the machine type. Power on will therefore not work if the machine is in the powering off phase.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_off/","page":"metalctl machine power off","title":"metalctl machine power off","text":"metalctl machine power off [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_off/#Options","page":"metalctl machine power off","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_off/","page":"metalctl machine power off","title":"metalctl machine power off","text":" -h, --help help for off","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_off/#Options-inherited-from-parent-commands","page":"metalctl machine power off","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_off/","page":"metalctl machine power off","title":"metalctl machine power off","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_off/#SEE-ALSO","page":"metalctl machine power off","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_off/","page":"metalctl machine power off","title":"metalctl machine power off","text":"metalctl machine power\t - manage machine power","category":"page"},{"location":"external/metalctl/docs/metalctl_project_describe/#metalctl-project-describe","page":"metalctl project describe","title":"metalctl project describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_describe/","page":"metalctl project describe","title":"metalctl project describe","text":"describes the project","category":"page"},{"location":"external/metalctl/docs/metalctl_project_describe/","page":"metalctl project describe","title":"metalctl project describe","text":"metalctl project describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_project_describe/#Options","page":"metalctl project describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_describe/","page":"metalctl project describe","title":"metalctl project describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_project_describe/#Options-inherited-from-parent-commands","page":"metalctl project describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_describe/","page":"metalctl project describe","title":"metalctl project describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_project_describe/#SEE-ALSO","page":"metalctl project describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_describe/","page":"metalctl project describe","title":"metalctl project describe","text":"metalctl project\t - manage project entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_logs/#metalctl-machine-logs","page":"metalctl machine logs","title":"metalctl machine logs","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_logs/","page":"metalctl machine logs","title":"metalctl machine logs","text":"display machine provisioning logs","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_logs/","page":"metalctl machine logs","title":"metalctl machine logs","text":"metalctl machine logs [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_logs/#Options","page":"metalctl machine logs","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_logs/","page":"metalctl machine logs","title":"metalctl machine logs","text":" -h, --help help for logs\n --last-event-error-threshold duration the duration up to how long in the past a machine last event error will be counted as an issue [optional] (default 168h0m0s)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_logs/#Options-inherited-from-parent-commands","page":"metalctl machine logs","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_logs/","page":"metalctl machine logs","title":"metalctl machine logs","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_logs/#SEE-ALSO","page":"metalctl machine logs","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_logs/","page":"metalctl machine logs","title":"metalctl machine logs","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/#metalctl-machine-power-cycle","page":"metalctl machine power cycle","title":"metalctl machine power cycle","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/","page":"metalctl machine power cycle","title":"metalctl machine power cycle","text":"power cycle a machine (graceful shutdown)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/#Synopsis","page":"metalctl machine power cycle","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/","page":"metalctl machine power cycle","title":"metalctl machine power cycle","text":"(soft) cycle the machine power.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/","page":"metalctl machine power cycle","title":"metalctl machine power cycle","text":"metalctl machine power cycle [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/#Options","page":"metalctl machine power cycle","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/","page":"metalctl machine power cycle","title":"metalctl machine power cycle","text":" -h, --help help for cycle","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/#Options-inherited-from-parent-commands","page":"metalctl machine power cycle","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/","page":"metalctl machine power cycle","title":"metalctl machine power cycle","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/#SEE-ALSO","page":"metalctl machine power cycle","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/","page":"metalctl machine power cycle","title":"metalctl machine power cycle","text":"metalctl machine power\t - manage machine power","category":"page"},{"location":"external/metalctl/docs/metalctl_image/#metalctl-image","page":"metalctl image","title":"metalctl image","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image/","page":"metalctl image","title":"metalctl image","text":"manage image entities","category":"page"},{"location":"external/metalctl/docs/metalctl_image/#Synopsis","page":"metalctl image","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image/","page":"metalctl image","title":"metalctl image","text":"os images available to be installed on machines.","category":"page"},{"location":"external/metalctl/docs/metalctl_image/#Options","page":"metalctl image","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image/","page":"metalctl image","title":"metalctl image","text":" -h, --help help for image","category":"page"},{"location":"external/metalctl/docs/metalctl_image/#Options-inherited-from-parent-commands","page":"metalctl image","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image/","page":"metalctl image","title":"metalctl image","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_image/#SEE-ALSO","page":"metalctl image","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image/","page":"metalctl image","title":"metalctl image","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl image apply\t - applies one or more images from a given file\nmetalctl image create\t - creates the image\nmetalctl image delete\t - deletes the image\nmetalctl image describe\t - describes the image\nmetalctl image edit\t - edit the image through an editor and update\nmetalctl image list\t - list all images\nmetalctl image update\t - updates the image","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_console/#metalctl-machine-console","page":"metalctl machine console","title":"metalctl machine console","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_console/","page":"metalctl machine console","title":"metalctl machine console","text":"console access to a machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_console/#Synopsis","page":"metalctl machine console","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_console/","page":"metalctl machine console","title":"metalctl machine console","text":"console access to a machine, machine must be created with a ssh public key, authentication is done with your private key. In case the machine did not register properly a direct ipmi console access is available via the –ipmi flag. This is only for administrative access.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_console/","page":"metalctl machine console","title":"metalctl machine console","text":"metalctl machine console [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_console/#Options","page":"metalctl machine console","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_console/","page":"metalctl machine console","title":"metalctl machine console","text":" --admin authenticate as admin (admin only).\n -h, --help help for console\n --ipmi use ipmitool with direct network access (admin only).\n --ipmipassword string overwrite ipmi password (admin only).\n --ipmiuser string overwrite ipmi user (admin only).\n -i, --sshidentity string SSH key file, if not given the default ssh key will be used if present [optional].","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_console/#Options-inherited-from-parent-commands","page":"metalctl machine console","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_console/","page":"metalctl machine console","title":"metalctl machine console","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_console/#SEE-ALSO","page":"metalctl machine console","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_console/","page":"metalctl machine console","title":"metalctl machine console","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_project/#metalctl-project","page":"metalctl project","title":"metalctl project","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project/","page":"metalctl project","title":"metalctl project","text":"manage project entities","category":"page"},{"location":"external/metalctl/docs/metalctl_project/#Synopsis","page":"metalctl project","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project/","page":"metalctl project","title":"metalctl project","text":"a project belongs to a tenant and groups together entities in metal-stack.","category":"page"},{"location":"external/metalctl/docs/metalctl_project/#Options","page":"metalctl project","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project/","page":"metalctl project","title":"metalctl project","text":" -h, --help help for project","category":"page"},{"location":"external/metalctl/docs/metalctl_project/#Options-inherited-from-parent-commands","page":"metalctl project","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project/","page":"metalctl project","title":"metalctl project","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_project/#SEE-ALSO","page":"metalctl project","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project/","page":"metalctl project","title":"metalctl project","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl project apply\t - applies one or more projects from a given file\nmetalctl project create\t - creates the project\nmetalctl project delete\t - deletes the project\nmetalctl project describe\t - describes the project\nmetalctl project edit\t - edit the project through an editor and update\nmetalctl project list\t - list all projects\nmetalctl project update\t - updates the project","category":"page"},{"location":"external/metalctl/docs/metalctl_image_list/#metalctl-image-list","page":"metalctl image list","title":"metalctl image list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_list/","page":"metalctl image list","title":"metalctl image list","text":"list all images","category":"page"},{"location":"external/metalctl/docs/metalctl_image_list/","page":"metalctl image list","title":"metalctl image list","text":"metalctl image list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_image_list/#Options","page":"metalctl image list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_list/","page":"metalctl image list","title":"metalctl image list","text":" --classification string Classification of this image.\n --features string Features of this image.\n -h, --help help for list\n --id string ID of the image.\n --name string Name of the image.\n --os string OS derivate of this image.\n --show-usage show from how many allocated machines every image is used\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: classification|description|expiration|id|name\n --version string Version of this image.","category":"page"},{"location":"external/metalctl/docs/metalctl_image_list/#Options-inherited-from-parent-commands","page":"metalctl image list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_list/","page":"metalctl image list","title":"metalctl image list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_image_list/#SEE-ALSO","page":"metalctl image list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_list/","page":"metalctl image list","title":"metalctl image list","text":"metalctl image\t - manage image entities","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_update/#metalctl-partition-update","page":"metalctl partition update","title":"metalctl partition update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_update/","page":"metalctl partition update","title":"metalctl partition update","text":"updates the partition","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_update/","page":"metalctl partition update","title":"metalctl partition update","text":"metalctl partition update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_update/#Options","page":"metalctl partition update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_update/","page":"metalctl partition update","title":"metalctl partition update","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl partition describe partition-1 -o yaml > partition.yaml\n $ vi partition.yaml\n $ # either via stdin\n $ cat partition.yaml | metalctl partition update -f -\n $ # or via file\n $ metalctl partition update -f partition.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_update/#Options-inherited-from-parent-commands","page":"metalctl partition update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_update/","page":"metalctl partition update","title":"metalctl partition update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_update/#SEE-ALSO","page":"metalctl partition update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_update/","page":"metalctl partition update","title":"metalctl partition update","text":"metalctl partition\t - manage partition entities","category":"page"},{"location":"external/metalctl/docs/metalctl_project_edit/#metalctl-project-edit","page":"metalctl project edit","title":"metalctl project edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_edit/","page":"metalctl project edit","title":"metalctl project edit","text":"edit the project through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_project_edit/","page":"metalctl project edit","title":"metalctl project edit","text":"metalctl project edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_project_edit/#Options","page":"metalctl project edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_edit/","page":"metalctl project edit","title":"metalctl project edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_project_edit/#Options-inherited-from-parent-commands","page":"metalctl project edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_edit/","page":"metalctl project edit","title":"metalctl project edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_project_edit/#SEE-ALSO","page":"metalctl project edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_edit/","page":"metalctl project edit","title":"metalctl project edit","text":"metalctl project\t - manage project entities","category":"page"},{"location":"installation/troubleshoot/#Troubleshoot","page":"Troubleshoot","title":"Troubleshoot","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"This document summarizes help when something goes wrong and provides advice on debugging the metal-stack in certain situations.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Of course, it is also advisable to check out the issues on the Github projects for help.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"If you still can't find a solution to your problem, please reach out to us and our community. We have a public Slack Channel to discuss problems, but you can also reach us via mail. Check out metal-stack.io for contact information.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Pages = [\"troubleshoot.md\"]\nDepth = 5","category":"page"},{"location":"installation/troubleshoot/#Deployment","page":"Troubleshoot","title":"Deployment","text":"","category":"section"},{"location":"installation/troubleshoot/#Ansible-fails-when-the-metal-control-plane-helm-chart-gets-applied","page":"Troubleshoot","title":"Ansible fails when the metal control plane helm chart gets applied","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"There can be many reasons for this. Since you are deploying the metal control plane into a Kubernetes cluster, the first step should be to install kubectl and check the pods in your cluster. Depending on the metal-stack version and Kubernetes cluster, your control-plane should look something like this after the deployment (this is in a Kind cluster):","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"kubectl get pod -A\nNAMESPACE NAME READY STATUS RESTARTS AGE\ningress-nginx nginx-ingress-controller-56966f7dc7-khfp9 1/1 Running 0 2m34s\nkube-system coredns-66bff467f8-grn7q 1/1 Running 0 2m34s\nkube-system coredns-66bff467f8-n7n77 1/1 Running 0 2m34s\nkube-system etcd-kind-control-plane 1/1 Running 0 2m42s\nkube-system kindnet-4dv7m 1/1 Running 0 2m34s\nkube-system kube-apiserver-kind-control-plane 1/1 Running 0 2m42s\nkube-system kube-controller-manager-kind-control-plane 1/1 Running 0 2m42s\nkube-system kube-proxy-jz7kp 1/1 Running 0 2m34s\nkube-system kube-scheduler-kind-control-plane 1/1 Running 0 2m42s\nlocal-path-storage local-path-provisioner-bd4bb6b75-cwfb7 1/1 Running 0 2m34s\nmetal-control-plane ipam-db-0 2/2 Running 0 2m31s\nmetal-control-plane masterdata-api-6dd4b54db5-rwk45 1/1 Running 0 33s\nmetal-control-plane masterdata-db-0 2/2 Running 0 2m29s\nmetal-control-plane metal-api-998cb46c4-jj2tt 1/1 Running 0 33s\nmetal-control-plane metal-api-initdb-r9sc6 0/1 Completed 0 2m24s\nmetal-control-plane metal-api-liveliness-1590479940-brhc7 0/1 Completed 0 6s\nmetal-control-plane metal-console-7955cbb7d7-p6hxp 1/1 Running 0 33s\nmetal-control-plane metal-db-0 2/2 Running 0 2m34s\nmetal-control-plane nsq-lookupd-5b4ccbfb64-n6prg 1/1 Running 0 2m34s\nmetal-control-plane nsqd-6cd87f69c4-vtn9k 2/2 Running 0 2m33s","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"If there are any failing pods, investigate those and look into container logs. This information should point you to the place where the deployment goes wrong.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"info: Info\nSometimes, you see a helm errors like \"no deployed releases\" or something like this. When a helm chart fails after the first deployment it could be that you have a chart installation still pending. Also, the control plane helm chart uses pre- and post-hooks, which creates jobs that helm expects to be completed before attempting another deployment. Delete the helm chart (use Helm 3) with helm delete -n metal-control-plane metal-control-plane and delete the jobs in the metal-control-plane namespace before retrying the deployment.","category":"page"},{"location":"installation/troubleshoot/#In-the-mini-lab-the-control-plane-deployment-fails-because-my-system-can't-resolve-api.172.17.0.1.nip.io","page":"Troubleshoot","title":"In the mini-lab the control-plane deployment fails because my system can't resolve api.172.17.0.1.nip.io","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"The control-plane deployment returns an error like this:","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"deploy-control-plane | fatal: [localhost]: FAILED! => changed=false\ndeploy-control-plane | attempts: 60\ndeploy-control-plane | content: ''\ndeploy-control-plane | elapsed: 0\ndeploy-control-plane | msg: 'Status code was -1 and not [200]: Request failed: '\ndeploy-control-plane | redirected: false\ndeploy-control-plane | status: -1\ndeploy-control-plane | url: http://api.172.17.0.1.nip.io:8080/metal/v1/health\ndeploy-control-plane |\ndeploy-control-plane | PLAY RECAP *********************************************************************\ndeploy-control-plane | localhost : ok=29 changed=4 unreachable=0 failed=1 skipped=7 rescued=0 ignored=0\ndeploy-control-plane |\ndeploy-control-plane exited with code 2","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Some home routers have a security feature that prevents DNS Servers to resolve anything in the router's local IP range (DNS-Rebind-Protection).","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"You need to add an exception for nip.io in your router configuration or add 127.0.0.1 api.172.17.0.1.nip.io to your /etc/hosts.","category":"page"},{"location":"installation/troubleshoot/#FritzBox","page":"Troubleshoot","title":"FritzBox","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Home Network -> Network -> Network Settings -> Additional Settings -> DNS Rebind Protection -> Host name exceptions -> nip.io","category":"page"},{"location":"installation/troubleshoot/#Operations","page":"Troubleshoot","title":"Operations","text":"","category":"section"},{"location":"installation/troubleshoot/#Fixing-Machine-Issues","page":"Troubleshoot","title":"Fixing Machine Issues","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"The metalctl machine issues command gives you an overview over machines in your metal-stack environment that are in an unusual state.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"tip: Tip\nMachines that are known not to function properly, should be locked through metalctl machine lock and annotated with a description of the problem. This way, you can mark machine for replacement without being in danger of having a user allocating the faulty machine.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"In the following sections, you can look up the machine issues that are returned by metalctl and find out how to deal with them properly.","category":"page"},{"location":"installation/troubleshoot/#no-event-container","page":"Troubleshoot","title":"no-event-container","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Every machine in the metal-stack database usually has a corresponding event container where provisioning events are stored. This database entity gets created lazily as soon as a machine is registered by the metal-hammer or a provisioning event for the machine arrives at the metal-api.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"When there is no event container, this means that the machine has never registered nor received a provisioning event. As an operator you should evaluate why this machine is not booting into the metal-hammer.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"This issue is special in a way that it prevents other issues from being evaluated for this machine because the issue calculation usually requires information from the machine event container.","category":"page"},{"location":"installation/troubleshoot/#no-partition","page":"Troubleshoot","title":"no-partition","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"When a machine has no partition, the metal-hammer has not yet registered the machine at the metal-api. Instead, the machine was created through metal-stack's event machinery, which does not have a lot of information about a machine (e.g. a PXE boot event was reported from the pixiecore), or just by the metal-bmc which discovered the machine through DHCP.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"This can usually happen on the very first boot of a machine and the machine's hardware is not supported by metal-stack, leading to the metal-bmc being unable to report BMC details to the metal-api (a metal-bmc report sets the partition id of a machine) and the metal-hammer not finishing the machine registration phase.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"To resolve this issue, you need to identify the machine in your metal-stack partition that emits PXE boot events and find the reason why it is not properly booting into the metal-hammer. The console logs of this machine should enable you to find out the root cause.","category":"page"},{"location":"installation/troubleshoot/#liveliness-dead","page":"Troubleshoot","title":"liveliness-dead","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"For machines without an allocation, the metal-hammer consistently reports whether a machine is still being responsive or not. When the liveliness is Dead, there were no events received from this machine for longer than ~5 minutes.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Reasons for this can be:","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"The network connection between the partition and metal-stack control plane is interrupted\nThe machine was removed from your data center\nThe machine has changed its UUID metal-hammer#52\nThe machine is turned off\nThe machine hangs / freezes\nThe machine booted to BIOS or UEFI shell and does not try to PXE boot again\nThe issue only appears temporarily\nThe machine takes longer than 5 minutes for the reboot\nThe machine is performing a firmware upgrade, which usually takes longer than 5 minutes to succeed","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"info: Info\nIn order to minimize maintenance overhead, a machine which is dead for longer than an hour will be rebooted through the metal-api.In case you want to prevent this action from happening for a machine, you can lock the machine through metalctl machine lock.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"If the machine is dead for a long time and you are sure that it will never come back, you can clean up the machine through metalctl machine rm --remove-from-database.","category":"page"},{"location":"installation/troubleshoot/#liveliness-unknown","page":"Troubleshoot","title":"liveliness-unknown","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"For machines that are allocated by a user, the ownership has gone over to this user and as an operator you cannot access the machine anymore. This makes it harder to detect whether a machine is in a healthy state or not. Typically, all official metal-stack OS images deploy an LLDP daemon, that consistently emits alive messages. These messages are caught by the metal-core and turned into a Phoned Home event. Internally, the metal-api uses these events as an indicator to decide whether the machine is still responsive or not.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"When the LLDP daemon stopped sending packages, the reasons are identical to those of dead machines. However, it's not possible anymore to decide whether the user is responsible for reaching this state or not.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"In most of the cases, there is not much that can be done from the operator's perspective. You will need to wait for the user to report an issue with the machine. When you do support, you can use this issue type to quickly identify this machine.","category":"page"},{"location":"installation/troubleshoot/#liveliness-not-available","page":"Troubleshoot","title":"liveliness-not-available","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"This is more of a theoretical issue. When the machine liveliness is not available check that the Kubernetes CronJob in the metal-stack control plane for evaluating the machine liveliness is running regularly and not containing error logs. Make the machine boot into the metal-hammer and this issue should not appear.","category":"page"},{"location":"installation/troubleshoot/#failed-machine-reclaim","page":"Troubleshoot","title":"failed-machine-reclaim","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"If a machine remains in the Phoned Home state without having an allocation, this indicates that the metal-bmc was not able to put the machine back into PXE boot mode after metalctl machine rm. The machine is still running the operating system and it does not return back into the allocatable machine pool. Effectively, you lost a machine in your environment and no-one pays for it. Therefore, you should resolve this issue as soon as possible.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"In bad scenarios, when the machine was a firewall, the machine can still reach the internet through the PXE boot network and also attract traffic, which it cannot route anymore inside the tenant VRF. This can cause traffic loss inside a tenant network.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"In most of the cases, it should be sufficient to run another metalctl machine rm on this machine in order to retry booting into PXE mode. If this still does not succeed, you can boot the machine into the BIOS and manually and change the boot order to PXE boot. This should force booting the metal-hammer again and add the machine back into your pool of allocatable machines.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"For further reference, see metal-api#145.","category":"page"},{"location":"installation/troubleshoot/#crashloop","page":"Troubleshoot","title":"crashloop","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Under bad circumstances, a machine diverges from its typical machine lifecycle. When this happens, the internal state-machine of the metal-api detects that the machine reboots unexpectedly during the provisioning phase. It is likely that the machine has entered a crash loop where it PXE boots again and again without the machine ever becoming usable.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Reasons for this can be:","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"The machine's hardware is not supported and the metal-hammer crashes during the machine discovery\nThe machine registration fails through the metal-hammer because an orphaned / dead machine is still present in the metal-api's data base. The machine is connected to the same switch ports that were used by the orphaned machine. In this case, you should clean up the orphaned machine through metalctl machine rm --remove-from-database.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Please also consider console logs of the machine for investigating the issue.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"The incomplete cycle count is reset as soon as the machine reaches Phoned Home state or there is a Planned Reboot of the machine (planned reboot is also done by the metal-hammer once a day in order to reboot with the latest version).","category":"page"},{"location":"installation/troubleshoot/#last-event-error","page":"Troubleshoot","title":"last-event-error","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"The machine had an error during the provisioning lifecycle recently or events are arriving out of order at the metal-api. This can be an interesting hint for the operator that something during machine provisioning went wrong. You can look at the error through metalctl machine describe or metalctl machine logs.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"This error will disappear after a certain time period from machine issues. You can still look up the error as described above.","category":"page"},{"location":"installation/troubleshoot/#asn-not-unique","page":"Troubleshoot","title":"asn-not-unique","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"This issue was introduced by a bug in earlier versions of metal-stack and was fixed in PR105","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"To resolve the issue, you need to recreate the firewalls that use the same ASN.","category":"page"},{"location":"installation/troubleshoot/#bmc-without-mac","page":"Troubleshoot","title":"bmc-without-mac","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"The metal-bmc is responsible to report connection data for the machine's BMC.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"If it's uncapable of discovering this information, your hardware might not be supported. Please investigate the logs of the metal-bmc to find out what's going wrong with this machine.","category":"page"},{"location":"installation/troubleshoot/#bmc-without-ip","page":"Troubleshoot","title":"bmc-without-ip","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"The metal-bmc is responsible to report connection data for the machine's BMC.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"If it's uncapable of discovering this information, your hardware might not be supported. Please investigate the logs of the metal-bmc to find out what's going wrong with this machine.","category":"page"},{"location":"installation/troubleshoot/#bmc-no-distinct-ip","page":"Troubleshoot","title":"bmc-no-distinct-ip","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"The metal-bmc is responsible to report connection data for the machine's BMC.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"When there is no distinct IP address for the BMC, it can be that an orphaned machine used this IP in the past. In this case, you need to clean up the orphaned machine through metalctl machine rm --remove-from-database.","category":"page"},{"location":"installation/troubleshoot/#bmc-info-outdated","page":"Troubleshoot","title":"bmc-info-outdated","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"The metal-bmc is responsible to report bmc details for the machine's BMC.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"When the metal-bmc was not able to fetch the bmc info for longer than 20 minutes, something is wrong with the BMC configuration of the machine. This can be caused by one of the following reasons:","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Wrong password for the root user is configured in the BMC\nip address of the BMC is either wrong or not present\nthe device on the given ip address is not a machine, maybe a switch or a management component which is not managed by the metal-api","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"In either case, please check the logs for the given machine UUID on the metal-bmc for further details. Also check that the metal-bmc is configured to only consider BMC IPs in the range they are configured from the DHCP server in the partition. This prevents grabbing unrelated BMCs.","category":"page"},{"location":"installation/troubleshoot/#A-machine-has-registered-with-a-different-UUID-after-reboot","page":"Troubleshoot","title":"A machine has registered with a different UUID after reboot","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"metal-stack heavily relies on steady machine UUIDs as the UUID is the primary key of the machine entity in the metal-api.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"For further reference also see metal-stack/metal-hammer#52.","category":"page"},{"location":"installation/troubleshoot/#Reasons","page":"Troubleshoot","title":"Reasons","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"There are some scenarios (can be vendor-specific), which can cause a machine UUID to change over time, e.g.:","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"When the UUID partly contains of a network card's mac address, it can happen when:\nExchanging network cards\nDisabling network cards through BIOS\nChanging the UUID through vendor-specific CLI tool","category":"page"},{"location":"installation/troubleshoot/#Solution","page":"Troubleshoot","title":"Solution","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"After five minutes, the orphaned machine UUID will be marked dead (💀) because machine events will be sent only to the most recent UUID\nIdentify the dead machine through metalctl machine ls\nRemove the dead machine forcefully with metalctl machine rm --remove-from-database --yes-i-really-mean-it ","category":"page"},{"location":"installation/troubleshoot/#Fixing-Switch-Issues","page":"Troubleshoot","title":"Fixing Switch Issues","text":"","category":"section"},{"location":"installation/troubleshoot/#switch-sync-failing","page":"Troubleshoot","title":"switch-sync-failing","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"For your network infrastructure it is key to adapt to new configuration. In case this sync process fails for more than 10 minutes, it is likely to require manual investigation.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Depending on your switch operating system, the error sources might differ a lot. Try to connect to your switch using the console or ssh and investigate the logs. Check if the hard drive is full.","category":"page"},{"location":"installation/troubleshoot/#Switch-Replacement-and-Migration","page":"Troubleshoot","title":"Switch Replacement and Migration","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"There are two mechanisms to replace an existing switch with a new one, both of which will transfer existing VRF configuration and machine connections from one switch to another. Due to the redundance of the CLOS topology, a switch replacement can be performed without downtime.","category":"page"},{"location":"installation/troubleshoot/#Replacing-a-Switch","page":"Troubleshoot","title":"Replacing a Switch","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"If the new switch should have the same ID as the old one you should perform a switch replacement. To find detailed information about the procedure of a switch replacement use metalctl switch replace --help. Basically, what you need to do is mark the switch for replacement via metalctl switch replace, then physically replace the switch with the new one and configure it. The last step is to deploy metal-core on the switch. Once metal-core registers the new switch at the metal-api, the old switches configuration and machine connections will be transferred to the new one. Note that the replacement only works if the new switch has the same ID as the old one. Otherwise metal-core will simply register a new switch and leave the old one untouched.","category":"page"},{"location":"installation/troubleshoot/#Migrating-from-one-Switch-to-another","page":"Troubleshoot","title":"Migrating from one Switch to another","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"If the new switch should not or cannot have the same ID as the old one, then the switch migrate command can be used to achieve the same result as a switch replacement. Perform the following steps:","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Leave the old switch in place.\nInstall the new switch in the rack without connecting it to any machines yet.\nAdjust the metal-stack deployment in the same way as for a switch replacement.\nDeploy metal-core on the new switch and wait for it to register at the metal-api. Once the switch is registered it will be listed when you run metalctl switch ls.\nRun metalctl switch migrate .\nDisconnect all machines from the old switch and connect them to the new one.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"In between steps 5 and 6 there is a mismatch between the switch-machine-connections known to the metal-api and the real connections. Since the metal-api learns about the connections from what a machine reports during registration, a machine registration that occurs in between steps 5 and 6 will result in a condition that looks somewhat broken. The metal-api will think that a machine is connected to three switches. This, however, should not cause any problems. Just move on to step 6 and delete the old switch from the metal-api afterwards. If the case just described really occurs, then metalctl switch delete will throw an error, because deleting a switch with existing machine connections might be dangerous. If, apart from that, the migration was successful, then the old switch can be safely deleted with metalctl switch delete --force.","category":"page"},{"location":"installation/troubleshoot/#Preconditions-for-Migration-and-Replacement","page":"Troubleshoot","title":"Preconditions for Migration and Replacement","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"An invariant that must be satisfied throughout is that the switch ports a machine is connected to must match, i.e. a machine connected to Ethernet0 on switch 1 must be connected to Ethernet0 on switch 2 etc. Furthermore, the breakout configurations of both switches must match and the new switch must contain at least all of the old switch's interfaces.","category":"page"},{"location":"installation/troubleshoot/#Migrating-from-Cumulus-to-Edgecore-SONiC","page":"Troubleshoot","title":"Migrating from Cumulus to Edgecore SONiC","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Both migration and replacement can be used to move from Cumulus to Edgecore SONiC (or vice versa). Migrating to or from Broadcom SONiC or mixing Broadcom SONiC with Cumulus or Edgecore SONiC is not supported.","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_delete/#metalctl-network-ip-delete","page":"metalctl network ip delete","title":"metalctl network ip delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_delete/","page":"metalctl network ip delete","title":"metalctl network ip delete","text":"deletes the ip","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_delete/","page":"metalctl network ip delete","title":"metalctl network ip delete","text":"metalctl network ip delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_delete/#Options","page":"metalctl network ip delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_delete/","page":"metalctl network ip delete","title":"metalctl network ip delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl ip describe ip-1 -o yaml > ip.yaml\n $ vi ip.yaml\n $ # either via stdin\n $ cat ip.yaml | metalctl ip delete -f -\n $ # or via file\n $ metalctl ip delete -f ip.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_delete/#Options-inherited-from-parent-commands","page":"metalctl network ip delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_delete/","page":"metalctl network ip delete","title":"metalctl network ip delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_delete/#SEE-ALSO","page":"metalctl network ip delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_delete/","page":"metalctl network ip delete","title":"metalctl network ip delete","text":"metalctl network ip\t - manage ip entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_describe/#metalctl-network-ip-describe","page":"metalctl network ip describe","title":"metalctl network ip describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_describe/","page":"metalctl network ip describe","title":"metalctl network ip describe","text":"describes the ip","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_describe/","page":"metalctl network ip describe","title":"metalctl network ip describe","text":"metalctl network ip describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_describe/#Options","page":"metalctl network ip describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_describe/","page":"metalctl network ip describe","title":"metalctl network ip describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_describe/#Options-inherited-from-parent-commands","page":"metalctl network ip describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_describe/","page":"metalctl network ip describe","title":"metalctl network ip describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_describe/#SEE-ALSO","page":"metalctl network ip describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_describe/","page":"metalctl network ip describe","title":"metalctl network ip describe","text":"metalctl network ip\t - manage ip entities","category":"page"},{"location":"development/proposals/#Metal-Stack-Enhancement-Proposals-(MEPs)","page":"Enhancement Proposals","title":"Metal Stack Enhancement Proposals (MEPs)","text":"","category":"section"},{"location":"development/proposals/","page":"Enhancement Proposals","title":"Enhancement Proposals","text":"This section contains proposals which address substantial modifications to metal-stack.","category":"page"},{"location":"development/proposals/","page":"Enhancement Proposals","title":"Enhancement Proposals","text":"Every proposal has a short name which starts with MEP followed by an incremental, unique number. Proposals should be raised as pull requests in the docs repository and can be discussed in Github issues.","category":"page"},{"location":"development/proposals/","page":"Enhancement Proposals","title":"Enhancement Proposals","text":"The list of proposal and their current state is listed in the table below.","category":"page"},{"location":"development/proposals/","page":"Enhancement Proposals","title":"Enhancement Proposals","text":"Possible states are:","category":"page"},{"location":"development/proposals/","page":"Enhancement Proposals","title":"Enhancement Proposals","text":"In Discussion\nAccepted\nDeclined\nIn Progress\nCompleted\nAborted","category":"page"},{"location":"development/proposals/","page":"Enhancement Proposals","title":"Enhancement Proposals","text":"Once a proposal was accepted, an issue should be raised and the implementation should be done in a separate PR.","category":"page"},{"location":"development/proposals/","page":"Enhancement Proposals","title":"Enhancement Proposals","text":"Name Description State\nMEP-1 Distributed Control Plane Deployment In Discussion\nMEP-2 Two Factor Authentication Aborted\nMEP-3 Machine Re-Installation to preserve local data Completed\nMEP-4 Multi-tenancy for the metal-api In Discussion\nMEP-5 Shared Networks Completed\nMEP-6 DMZ Networks Completed\nMEP-8 Configurable Filesystemlayout Completed\nMEP-9 No Open Ports To the Data Center Completed\nMEP-10 SONiC Support Completed\nMEP-11 Auditing of metal-stack resources Completed\nMEP-12 Rack Spreading Completed\nMEP-14 Independence from external sources In Discussion","category":"page"},{"location":"external/metalctl/docs/metalctl_image_delete/#metalctl-image-delete","page":"metalctl image delete","title":"metalctl image delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_delete/","page":"metalctl image delete","title":"metalctl image delete","text":"deletes the image","category":"page"},{"location":"external/metalctl/docs/metalctl_image_delete/","page":"metalctl image delete","title":"metalctl image delete","text":"metalctl image delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_image_delete/#Options","page":"metalctl image delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_delete/","page":"metalctl image delete","title":"metalctl image delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl image describe image-1 -o yaml > image.yaml\n $ vi image.yaml\n $ # either via stdin\n $ cat image.yaml | metalctl image delete -f -\n $ # or via file\n $ metalctl image delete -f image.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_image_delete/#Options-inherited-from-parent-commands","page":"metalctl image delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_delete/","page":"metalctl image delete","title":"metalctl image delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_image_delete/#SEE-ALSO","page":"metalctl image delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_delete/","page":"metalctl image delete","title":"metalctl image delete","text":"metalctl image\t - manage image entities","category":"page"},{"location":"external/metalctl/docs/metalctl_markdown/#metalctl-markdown","page":"metalctl markdown","title":"metalctl markdown","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_markdown/","page":"metalctl markdown","title":"metalctl markdown","text":"create markdown documentation","category":"page"},{"location":"external/metalctl/docs/metalctl_markdown/","page":"metalctl markdown","title":"metalctl markdown","text":"metalctl markdown [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_markdown/#Options","page":"metalctl markdown","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_markdown/","page":"metalctl markdown","title":"metalctl markdown","text":" -h, --help help for markdown","category":"page"},{"location":"external/metalctl/docs/metalctl_markdown/#Options-inherited-from-parent-commands","page":"metalctl markdown","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_markdown/","page":"metalctl markdown","title":"metalctl markdown","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_markdown/#SEE-ALSO","page":"metalctl markdown","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_markdown/","page":"metalctl markdown","title":"metalctl markdown","text":"metalctl\t - a cli to manage entities in the metal-stack api","category":"page"},{"location":"external/metalctl/docs/metalctl_size_create/#metalctl-size-create","page":"metalctl size create","title":"metalctl size create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_create/","page":"metalctl size create","title":"metalctl size create","text":"creates the size","category":"page"},{"location":"external/metalctl/docs/metalctl_size_create/","page":"metalctl size create","title":"metalctl size create","text":"metalctl size create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_create/#Options","page":"metalctl size create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_create/","page":"metalctl size create","title":"metalctl size create","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -d, --description string Description of the size. [required]\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl size describe size-1 -o yaml > size.yaml\n $ vi size.yaml\n $ # either via stdin\n $ cat size.yaml | metalctl size create -f -\n $ # or via file\n $ metalctl size create -f size.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for create\n --id string ID of the size. [required]\n --max int min value of given size constraint type. [required]\n --min int min value of given size constraint type. [required]\n -n, --name string Name of the size. [optional]\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations\n --type string type of constraints. [required]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_create/#Options-inherited-from-parent-commands","page":"metalctl size create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_create/","page":"metalctl size create","title":"metalctl size create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_create/#SEE-ALSO","page":"metalctl size create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_create/","page":"metalctl size create","title":"metalctl size create","text":"metalctl size\t - manage size entities","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_describe/#metalctl-firewall-describe","page":"metalctl firewall describe","title":"metalctl firewall describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_describe/","page":"metalctl firewall describe","title":"metalctl firewall describe","text":"describes the firewall","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_describe/","page":"metalctl firewall describe","title":"metalctl firewall describe","text":"metalctl firewall describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_describe/#Options","page":"metalctl firewall describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_describe/","page":"metalctl firewall describe","title":"metalctl firewall describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_describe/#Options-inherited-from-parent-commands","page":"metalctl firewall describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_describe/","page":"metalctl firewall describe","title":"metalctl firewall describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_describe/#SEE-ALSO","page":"metalctl firewall describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_describe/","page":"metalctl firewall describe","title":"metalctl firewall describe","text":"metalctl firewall\t - manage firewall entities","category":"page"},{"location":"development/roadmap/#Roadmap","page":"Roadmap","title":"Roadmap","text":"","category":"section"},{"location":"development/roadmap/","page":"Roadmap","title":"Roadmap","text":"A roadmap with short-, mid- and long-term planning will be available soon. For now, there is only a backlog.","category":"page"},{"location":"development/roadmap/#Short-term","page":"Roadmap","title":"Short-term","text":"","category":"section"},{"location":"development/roadmap/","page":"Roadmap","title":"Roadmap","text":"Available soon.","category":"page"},{"location":"development/roadmap/#Mid-term","page":"Roadmap","title":"Mid-term","text":"","category":"section"},{"location":"development/roadmap/","page":"Roadmap","title":"Roadmap","text":"Available soon.","category":"page"},{"location":"development/roadmap/#Long-term","page":"Roadmap","title":"Long-term","text":"","category":"section"},{"location":"development/roadmap/","page":"Roadmap","title":"Roadmap","text":"Available soon.","category":"page"},{"location":"development/roadmap/#Backlog","page":"Roadmap","title":"Backlog","text":"","category":"section"},{"location":"development/roadmap/","page":"Roadmap","title":"Roadmap","text":"The backlog contains ideas of what could become part of the roadmap in the future. The list is ordered alphabetically. Therefore, the order does not express the importance or weight of a backlog item.","category":"page"},{"location":"development/roadmap/","page":"Roadmap","title":"Roadmap","text":"We incorporate community feedback into the roadmap. If you think that important points are missing in the backlog, please share your ideas with us. We have a Slack channel. Please check out metal-stack.io for contact information.","category":"page"},{"location":"development/roadmap/","page":"Roadmap","title":"Roadmap","text":"danger: Danger\nBy no means this list is a promise of what is being worked on in the near future. It is just a summary of ideas that was agreed on to be \"nice to have\". It is up to the investors, maintainers and the community to choose topics from this list and to implement them or to remove them from the list.","category":"page"},{"location":"development/roadmap/","page":"Roadmap","title":"Roadmap","text":"Add metal-stack to Gardener conformance test grid\nAutoscaler for metal control plane components\nCI dashboard and public integration testing\nCilium as the default CNI for metal-stack on Gardener K8s clusters\nImproved release and deploy processes (GitOps, Spinnaker, Flux)\nMachine internet without firewalls\nmetal-stack dashboard (UI)\nOffer our metal-stack extensions as enterprise products (accounting, cluster-api, S3) (neither of them will ever be required for running metal-stack, they just add extra value for certain enterprises)\nPartition managed by Kubernetes (with Kubelets joining the control plane cluster)\nPublic offering / demo playground\nResource scoping in the metal-api (MEP-4)\nService / API tokens (for scoped technical user access)","category":"page"},{"location":"external/firewall-controller/DEVELOP/#Develop-Setup","page":"Develop Setup","title":"Develop Setup","text":"","category":"section"},{"location":"external/firewall-controller/DEVELOP/","page":"Develop Setup","title":"Develop Setup","text":"download kubebuilder\ndownload kustomize from kustomize\ninit project and run kubebuilder\nkubebuilder init --domain metal-stack.io\nkubebuilder create api --group firewall --version v1 --kind Network\nrun test\nexport KUBEBUILDER_ASSETS=/usr/local/kubebuilder/bin # path-to-kubebuilder/bin\nmake test","category":"page"},{"location":"external/firewall-controller/DEVELOP/#Testing-locally","page":"Develop Setup","title":"Testing locally","text":"","category":"section"},{"location":"external/firewall-controller/DEVELOP/","page":"Develop Setup","title":"Develop Setup","text":"# make binary\nmake\n\n# start the controller\nbin/firewall-controller --hosts-file ./hosts --enable-signature-check=false --enable-IDS=false\n\n# install kind (k8s in docker)\n\n# create a local kind cluster\nkind create cluster\n\n# deploy manifests\nk apply -f deploy\n\n# watch results\nk describe -n firewall firewall\ncat nftables.v4\ncat hosts","category":"page"},{"location":"development/proposals/MEP11/README/#Auditing-of-metal-stack-resources","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"","category":"section"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"Currently no logs of the ownership of resources like machines, networks, ips and volumes are generated or kept. Though due to legal requirements data centers are required to keep track of this ownership over time to prevent liability issues when opening the platform for external users.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"In this proposal we want to introduce a flexible and low-maintenance approach for auditing on top of Meilisearch.","category":"page"},{"location":"development/proposals/MEP11/README/#Overview","page":"Auditing of metal-stack resources","title":"Overview","text":"","category":"section"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"In general our auditing logs will be collected by a request interceptor or middleware. Every request and response will be processed and eventually logged to Meilisearch. Meilisearch will be configured to regularly create chunks of the auditing logs. These finished chunks will be backed up to a S3 compatible storage with a read-only option enabled.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"Of course sensitive data like session keys or passwords will be redacted before logging. We want to track relevant requests and responses. If auditing the request fails, the request itself will be aborted and will not be processed further. The requests and responses that will be audited will be annotated with a correlation id.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"Transferring the meilisearch auditing data chunks to the S3 compatible storage will be done by a sidecar cronjob that is executed periodically. To avoid data manipulation the S3 compatible storage will be configured to be read-only.","category":"page"},{"location":"development/proposals/MEP11/README/#Whitelisting","page":"Auditing of metal-stack resources","title":"Whitelisting","text":"","category":"section"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"To reduce the amount of unnecessary logs we want to introduce a whitelist of resources and operations on those that should be logged. Other requests will be passed directly to the next middleware or web service without any further processing.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"As we are only interested in mutating endpoints, we ignore all GET requests. The whitelist includes all POST, PUT, PATCH and DELETE endpoints of the HTTP middleware except for the following (non-manipulating) route suffixes:","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"/find\n/notify\n/try and /match\n/capacity\n/from-hardware","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"Regarding GRPC audit trails, they are not so interesting because only internal clients are using this API. However, we can log the trails of the Boot service, which can be interesting to revise the machine lifecycle.","category":"page"},{"location":"development/proposals/MEP11/README/#Chunking-in-Meilisearch","page":"Auditing of metal-stack resources","title":"Chunking in Meilisearch","text":"","category":"section"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"We want our data to be chunked in Meilisearch. To accomplish this, we rotate the index identifier on a scheduled basis. The index identifiers will be derived from the current date and time.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"To keep things simple, we only support hourly, daily and monthly rotation. The eventually prefixed index names will only include relevant parts of date and time like 2021-01, 2021-01-01 or 2021-01-01_13.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"The metal-api will only write to the current index and switches to the new index on rotation. The metal-api will never read or update data in any indices.","category":"page"},{"location":"development/proposals/MEP11/README/#Moving-chunks-to-S3-compatible-storage","page":"Auditing of metal-stack resources","title":"Moving chunks to S3 compatible storage","text":"","category":"section"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"As Meilisearch will be filled with data over time, we want to move completed chunks to a S3 compatible storage. This will be done by a sidecar cronjob that is executed periodically. Note that the periods of the index rotation and the cronjob execution don't have to match.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"When the backup process gets started, it initiates a Meilisearch dump of the whole database across all indices. Once the returned task is finished, the dump must be copied from a Meilisearch volume to the S3 compatible storage. After a successful copy, the dump can be deleted.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"Now we want to remove all indices from Meilisearch, except the most recent one. For this, we get all indices, sort them and delete each index except the most recent one to avoid data loss.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"For the actual implementation, we can build upon backup-restore-sidecar. But due to the index rotation and the fact, that older indices need to be deleted, this probably does not fit into the mentioned sidecar.","category":"page"},{"location":"development/proposals/MEP11/README/#S3-compatible-storage","page":"Auditing of metal-stack resources","title":"S3 compatible storage","text":"","category":"section"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"The dumps of chunks should automatically deleted after a certain amount of time, once we are either no longer allowed or required to keep them. The default retention time will be 6 months. Ideally already uploaded chunks should be read-only to prevent data manipulation.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"A candidate for the S3 compatible storage is Google Cloud Storage, which allows to configure automatic expiration of objects through a lifecycle rule.","category":"page"},{"location":"development/proposals/MEP11/README/#Affected-components","page":"Auditing of metal-stack resources","title":"Affected components","text":"","category":"section"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"metal-api grpc server needs an auditing interceptor\nmetal-api web server needs an auditing filter chain / middleware\nmetal-api needs new command line arguments to configure the auditing\nmini-lab needs a Meilisearch instance\nmini-lab may need a local S3 compatible storage\nwe need a sidecar to implement the backup to S3 compatible storage\nConsider auditing of volume allocations and freeings outside of metal-stack","category":"page"},{"location":"development/proposals/MEP11/README/#Alternatives-considered","page":"Auditing of metal-stack resources","title":"Alternatives considered","text":"","category":"section"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"Instead of using Meilisearch we investigated using an immutable database like immudb. But immudb does not support chunking of data and due to its immutable nature, we will never be able to free up space of expired data. Even if we are legally allowed or required to delete data, we will not be able to do so with immudb.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"In another variant of the Meilisearch approach the metal-api would also be responsible for copying chunks to the S3 compatible storage and deleting old indices. But separating the concerns allows completely different implementations for every deployment stage.","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall/#metalctl-firewall","page":"metalctl firewall","title":"metalctl firewall","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall/","page":"metalctl firewall","title":"metalctl firewall","text":"manage firewall entities","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall/#Synopsis","page":"metalctl firewall","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall/","page":"metalctl firewall","title":"metalctl firewall","text":"firewalls are used to establish network connectivity between metal-stack networks. firewalls are similar to machines but are managed by the provider. almost every command of the machine command subset works on firewalls, too.","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall/#Options","page":"metalctl firewall","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall/","page":"metalctl firewall","title":"metalctl firewall","text":" -h, --help help for firewall","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall/#Options-inherited-from-parent-commands","page":"metalctl firewall","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall/","page":"metalctl firewall","title":"metalctl firewall","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall/#SEE-ALSO","page":"metalctl firewall","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall/","page":"metalctl firewall","title":"metalctl firewall","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl firewall create\t - creates the firewall\nmetalctl firewall describe\t - describes the firewall\nmetalctl firewall list\t - list all firewalls\nmetalctl firewall ssh\t - SSH to a firewall","category":"page"},{"location":"external/metalctl/docs/metalctl_update_do/#metalctl-update-do","page":"metalctl update do","title":"metalctl update do","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update_do/","page":"metalctl update do","title":"metalctl update do","text":"do the update of the program","category":"page"},{"location":"external/metalctl/docs/metalctl_update_do/","page":"metalctl update do","title":"metalctl update do","text":"metalctl update do [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_update_do/#Options","page":"metalctl update do","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update_do/","page":"metalctl update do","title":"metalctl update do","text":" -h, --help help for do\n -v, --version string the version to update to, by default updates to the supported version, use \"latest\" to update to latest version","category":"page"},{"location":"external/metalctl/docs/metalctl_update_do/#Options-inherited-from-parent-commands","page":"metalctl update do","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update_do/","page":"metalctl update do","title":"metalctl update do","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_update_do/#SEE-ALSO","page":"metalctl update do","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update_do/","page":"metalctl update do","title":"metalctl update do","text":"metalctl update\t - update the program","category":"page"},{"location":"development/client_libraries/#Client-Libraries","page":"Client Libraries","title":"Client Libraries","text":"","category":"section"},{"location":"development/client_libraries/","page":"Client Libraries","title":"Client Libraries","text":"Our public-facing APIs are built on swagger, which allows you generating API clients in all sorts of programming languages.","category":"page"},{"location":"development/client_libraries/","page":"Client Libraries","title":"Client Libraries","text":"For the metal-api we officially support the following client libraries:","category":"page"},{"location":"development/client_libraries/","page":"Client Libraries","title":"Client Libraries","text":"metal-go\nmetal-python","category":"page"},{"location":"development/proposals/MEP9/README/#No-Open-Ports-To-the-Data-Center","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Our metal-stack partitions typically have open ports for metal-stack native services, these are:","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"SSH port on the firewalls\nbmc-reverse-proxy for serial console access through the metal-console","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"These open ports are potential security risks. For example, while SSH access is possible only with private key it's still vulnerable to DoS attack.","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Therefore, we want to get rid off these open ports to reduce the attack surface to the data center.","category":"page"},{"location":"development/proposals/MEP9/README/#Requirements","page":"No Open Ports To the Data Center","title":"Requirements","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Access to firewall SSH only via VPN\nEasy to update VPN components","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"As a next step, we can also consider joining the management servers to the VPN mesh, which would replace typical WireGuard setups for operators to enter resources inside the partition.","category":"page"},{"location":"development/proposals/MEP9/README/#High-Level-Design","page":"No Open Ports To the Data Center","title":"High Level Design","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Simplified drawing showing old vs. new architecture.","category":"page"},{"location":"development/proposals/MEP9/README/#Concerns","page":"No Open Ports To the Data Center","title":"Concerns","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"There's few concerns when using WireGuard for implementing VPN:","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"WireGuard doesn't implement dynamic cipher substitution. Which is important in case one of the crypto methods, used by WireGuard will be broken. The only possible solution for that will be to update WireGuard to a fixed version.\nCoordination server(Headscale) is a single point of failure. In case it fails, it potentially can disconnect existing members of the network, as WireGuard can't manage dynamic IPs by itself.\nHeadscale is already falls behind Tailscale coordination server implementation. Which can complicate the upgrade to newer version of Tailscale client in case of emergency.","category":"page"},{"location":"development/proposals/MEP9/README/#Solutions-to-concerns","page":"No Open Ports To the Data Center","title":"Solutions to concerns","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Tailscale node software is using userspace implementation of WireGuard – wireguard-go. One of the options is to inject Tailscale client into metalctl. And make it available as metalctl vpn or similar command. It should be possible to do as tailscale node is already available as open sourced Go pkg. That would allow us to control, what version of Tailscale users are using and in case of any critical changes to enforce them to update metalctl to use VPN functionality.\nWould it be a considerable risk? We could look into wg-dynamic project to cover this problem.\nAt the moment, repository looks well maintained and the metal-stack team already contributes to it.","category":"page"},{"location":"development/proposals/MEP9/README/#Implementation-Details","page":"No Open Ports To the Data Center","title":"Implementation Details","text":"","category":"section"},{"location":"development/proposals/MEP9/README/#metal-roles","page":"No Open Ports To the Data Center","title":"metal-roles","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"metal-roles will be responsible for deployment of headscale server(via new headscale role). It also should provide sufficient config to metal-api so it establishes connection with headscale gRPC server.","category":"page"},{"location":"development/proposals/MEP9/README/#New-metalctl-commands","page":"No Open Ports To the Data Center","title":"New metalctl commands","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"metalctl will be responsible for client-side implementation of this MEP. Specifically, it's by using metalctl user expected to connect to firewalls.","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"metalctl vpn – section for VPN related commands:\nmetalctl vpn get key [vpn name] --namespace [namespace name] – returns auth key to be used with tailscale client for establishing connection.","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Extend metalctl firewall:","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"metalctl firewall ssh [ID] – connect to firewall via SSH.","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Extend metalctl machine:","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"metalctl machine ssh [ID] – connect to machine via SSH.","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"metalctl will be able to connect to firewall and machines by running tailscale in container.","category":"page"},{"location":"development/proposals/MEP9/README/#metal-api","page":"No Open Ports To the Data Center","title":"metal-api","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Updates to metal-api should be made, so that it's able to add firewalls to VPNs. There should be one Tailscale namespace per project. So if multiple firewalls are created in single project, they will join the same namespace.","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Two new flags should be introduced to connect metal-api to headscale gRPC server:","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"headscale-addr – specifies address of Headscale grpc API.\nheadscale-api-key – specifies temporary API key to connect to Headscale. It should be replaced and then rotated by metal-api.","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"If metal-api initialized with headscale connection it should automatically join all created firewalls to VPN.","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Add new endpoint, that will be used by metalctl to connect to VPN:","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"/v1/vpn GET – requests auth key from headscale server.","category":"page"},{"location":"development/proposals/MEP9/README/#metal-hammer","page":"No Open Ports To the Data Center","title":"metal-hammer","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"metal-hammer acts as an intermediary for machine configuration between metal-api and machine's image. Specifically it writes to /etc/metal/install.yaml file, data from which later will be used by image's install.sh file.","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"To implement VPN support we have to add authentication key and VPN server address to install.yaml file. This key will be used to join machine to a VPN.","category":"page"},{"location":"development/proposals/MEP9/README/#metal-images","page":"No Open Ports To the Data Center","title":"metal-images","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Images install.sh script have to be updated to work with authentication key and VPN server address, provided in install.yaml file. If this key is present, machine should connect to VPN.","category":"page"},{"location":"development/proposals/MEP9/README/#metal-networker","page":"No Open Ports To the Data Center","title":"metal-networker","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"metal-networker also have to know if VPN was configured. In that case we need to disable public access to SSH and allow all(?) traffic from WireGuard interface.","category":"page"},{"location":"development/proposals/MEP9/README/#firewall-controller","page":"No Open Ports To the Data Center","title":"firewall-controller","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"firewall-controller have to monitor changes in Firewall resource and keep tailscaled version up-to-date.","category":"page"},{"location":"development/proposals/MEP9/README/#Resources","page":"No Open Ports To the Data Center","title":"Resources","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Update Firewall resource to include desired/actual tailscale version:","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Firewall:\n Spec:\n tailscale:\n Version: Minimal version\n ...\n Status:\n ...\n VPN:\n Status: Boolean field\n tailscale:\n Version: Actual version\n ...","category":"page"},{"location":"development/proposals/MEP9/README/#bmc-reverse-proxy","page":"No Open Ports To the Data Center","title":"bmc-reverse-proxy","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"TODO","category":"page"},{"location":"development/proposals/MEP9/README/#References","page":"No Open Ports To the Data Center","title":"References","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"WireGuard: Next Generation Secure Network Tunnel\nHow Tailscale works\nTailscale is officially SOC 2 compliant\nWhy not Wireguard\nWireguard: Known Limitations\nWireguard: Things That Might Be Accomplished\nHeadscale: Tailscale control protocol v2","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/#metalctl-machine-identify-off","page":"metalctl machine identify off","title":"metalctl machine identify off","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/","page":"metalctl machine identify off","title":"metalctl machine identify off","text":"power off the machine chassis identify LED","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/#Synopsis","page":"metalctl machine identify off","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/","page":"metalctl machine identify off","title":"metalctl machine identify off","text":"set the machine chassis identify LED to off state","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/","page":"metalctl machine identify off","title":"metalctl machine identify off","text":"metalctl machine identify off [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/#Options","page":"metalctl machine identify off","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/","page":"metalctl machine identify off","title":"metalctl machine identify off","text":" -d, --description string description of the reason for chassis identify LED turn-off. (default \"Triggered by metalctl\")\n -h, --help help for off","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/#Options-inherited-from-parent-commands","page":"metalctl machine identify off","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/","page":"metalctl machine identify off","title":"metalctl machine identify off","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/#SEE-ALSO","page":"metalctl machine identify off","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/","page":"metalctl machine identify off","title":"metalctl machine identify off","text":"metalctl machine identify\t - manage machine chassis identify LED power","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_capacity/#metalctl-partition-capacity","page":"metalctl partition capacity","title":"metalctl partition capacity","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_capacity/","page":"metalctl partition capacity","title":"metalctl partition capacity","text":"show partition capacity","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_capacity/","page":"metalctl partition capacity","title":"metalctl partition capacity","text":"metalctl partition capacity [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_capacity/#Options","page":"metalctl partition capacity","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_capacity/","page":"metalctl partition capacity","title":"metalctl partition capacity","text":" -h, --help help for capacity\n --id string filter on partition id. [optional]\n --project-id string consider project-specific counts, e.g. size reservations. [optional]\n --size string filter on size id. [optional]\n --sort-by strings order by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: description|id|name","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_capacity/#Options-inherited-from-parent-commands","page":"metalctl partition capacity","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_capacity/","page":"metalctl partition capacity","title":"metalctl partition capacity","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_capacity/#SEE-ALSO","page":"metalctl partition capacity","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_capacity/","page":"metalctl partition capacity","title":"metalctl partition capacity","text":"metalctl partition\t - manage partition entities","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_migrate/#metalctl-switch-migrate","page":"metalctl switch migrate","title":"metalctl switch migrate","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_migrate/","page":"metalctl switch migrate","title":"metalctl switch migrate","text":"migrate machine connections and other configuration from one switch to another","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_migrate/","page":"metalctl switch migrate","title":"metalctl switch migrate","text":"metalctl switch migrate [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_migrate/#Options","page":"metalctl switch migrate","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_migrate/","page":"metalctl switch migrate","title":"metalctl switch migrate","text":" -h, --help help for migrate","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_migrate/#Options-inherited-from-parent-commands","page":"metalctl switch migrate","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_migrate/","page":"metalctl switch migrate","title":"metalctl switch migrate","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_migrate/#SEE-ALSO","page":"metalctl switch migrate","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_migrate/","page":"metalctl switch migrate","title":"metalctl switch migrate","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"overview/comparison/#Comparison-with-Commercial-Solutions","page":"Comparison","title":"Comparison with Commercial Solutions","text":"","category":"section"},{"location":"overview/comparison/","page":"Comparison","title":"Comparison","text":"As metal-stack is the foundation to build Kubernetes clusters on premise on bare metal, there are several commercial solutions available which offer management of Kubernetes. In this document we describe the differences between some of the most popular solutions. It´s is not a complete list.","category":"page"},{"location":"overview/comparison/","page":"Comparison","title":"Comparison","text":"Pages = [\"comparison.md\"]\nDepth = 5","category":"page"},{"location":"overview/comparison/","page":"Comparison","title":"Comparison","text":"Comparison between Gardener on Metal Stack and Openshift running on VMWare.","category":"page"},{"location":"overview/comparison/#Gardener","page":"Comparison","title":"Gardener","text":"","category":"section"},{"location":"overview/comparison/","page":"Comparison","title":"Comparison","text":"Gardener is a Kubernetes cluster manager to organize a fleet of Kubernetes clusters at scale. It is designed to scale to thousands of clusters at a variety of IaaS Providers regardless where - in the cloud or on premise, virtualized or bare metal. It not only manages the creation and deletion of Kubernetes clusters, it also takes care of updating or upgrading Kubernetes and the operating system of the involved worker nodes in a automatic manner. Gardener is designed cloud-native and as such, it defines clusters, workers and all other components as Kubernetes resources (like pods and deployments) and reconciles these resources to the desired state.","category":"page"},{"location":"overview/comparison/#Kubernetes","page":"Comparison","title":"Kubernetes","text":"","category":"section"},{"location":"overview/comparison/","page":"Comparison","title":"Comparison","text":"Kubernetes is the de facto open-source standard for container scheduling and orchestration in the data center.","category":"page"},{"location":"overview/comparison/#Openshift","page":"Comparison","title":"Openshift","text":"","category":"section"},{"location":"overview/comparison/","page":"Comparison","title":"Comparison","text":"A fork of Kubernetes with proprietary addons, created by RedHat. For all details see: https://en.wikipedia.org/wiki/OpenShift.","category":"page"},{"location":"overview/comparison/#metal-stack","page":"Comparison","title":"metal-stack","text":"","category":"section"},{"location":"overview/comparison/","page":"Comparison","title":"Comparison","text":"Is an IaaS provider for bare metal focused to create Kubernetes cluster on premise. Gardener support is built in.","category":"page"},{"location":"overview/comparison/#VMWare","page":"Comparison","title":"VMWare","text":"","category":"section"},{"location":"overview/comparison/","page":"Comparison","title":"Comparison","text":"The most used virtualization technology in the enterprise data centers.","category":"page"},{"location":"overview/comparison/#Comparison-of-Gardener-on-Metal-Stack-vs.-Openshift-on-VMWare","page":"Comparison","title":"Comparison of Gardener on Metal Stack vs. Openshift on VMWare","text":"","category":"section"},{"location":"overview/comparison/","page":"Comparison","title":"Comparison","text":"Feature Gardener on Metal Stack Openshift on VMWare\nContainer Runtime docker, containerd, gvisor cri-o\nHost Operating System Ubuntu, Debian , also see OS RHEL, Fedora-Core\nNetwork Plugins Calico, Cilium(soon) Openshift SDN\nStorage Local NVME, Lightbits NVMEoTCP, all CSI compatible Solutions, also see Storage CSI compatible\nLoadbalancing BGP built in requires extra HW like F5, VMWare NSX\nIO at Native Speed Pods run on bare metal all IO must go through the Hypervisor\nHard Multitenancy Workers, firewall and load balancers are dedicated for every cluster on bare metal Shared virtualization hosts, shared load balancers\nUI Gardener Dashboard Openshift Console\nMulti-cluster management Yes (through Gardener) Requires extra licences SW: Redhat Advanced Cluster Manager\nAutomatic Kubernetes Updates Yes Yes\nAutomatic Worker Nodes Updates Yes Yes\nSupported IaaS Providers GCP, AWS, Azure, Alibaba, Openstack, VMWare, metal-stack and more GCP, AWS, Azure Openstack, VMWare\nMonitoring / Logging Stack Grafana/Loki, Kibana/Elastic Kibana/Elastic\nGitOPS Tool of choice via Helm Install Openshift GitOPS\nContainer Registry all public accessible registries, private deployed registry of choice all public accessible registries, in cluster registry\nCI/CD Tool of choice via Helm Install Jenkins\nSecurity K8s control plane isolated from tenant, PSP enabled by default Strong cluster defaults\nCNCF Kubernetes certified Yes (Gardener) Yes\nLocal development minikube, kind minishift\nProprietary extensions No DeploymentConfig and others\nkubectl access Yes Yes","category":"page"},{"location":"external/metalctl/docs/metalctl_project_apply/#metalctl-project-apply","page":"metalctl project apply","title":"metalctl project apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_apply/","page":"metalctl project apply","title":"metalctl project apply","text":"applies one or more projects from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_project_apply/","page":"metalctl project apply","title":"metalctl project apply","text":"metalctl project apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_project_apply/#Options","page":"metalctl project apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_apply/","page":"metalctl project apply","title":"metalctl project apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl project describe project-1 -o yaml > project.yaml\n $ vi project.yaml\n $ # either via stdin\n $ cat project.yaml | metalctl project apply -f -\n $ # or via file\n $ metalctl project apply -f project.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_project_apply/#Options-inherited-from-parent-commands","page":"metalctl project apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_apply/","page":"metalctl project apply","title":"metalctl project apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_project_apply/#SEE-ALSO","page":"metalctl project apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_apply/","page":"metalctl project apply","title":"metalctl project apply","text":"metalctl project\t - manage project entities","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/#metalctl-firewall-ssh","page":"metalctl firewall ssh","title":"metalctl firewall ssh","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/","page":"metalctl firewall ssh","title":"metalctl firewall ssh","text":"SSH to a firewall","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/#Synopsis","page":"metalctl firewall ssh","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/","page":"metalctl firewall ssh","title":"metalctl firewall ssh","text":"SSH to a firewall via VPN.","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/","page":"metalctl firewall ssh","title":"metalctl firewall ssh","text":"metalctl firewall ssh [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/#Options","page":"metalctl firewall ssh","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/","page":"metalctl firewall ssh","title":"metalctl firewall ssh","text":" -h, --help help for ssh\n -i, --identity string specify identity file to SSH to the firewall like: -i path/to/id_rsa (default \"~/.ssh/id_rsa\")","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/#Options-inherited-from-parent-commands","page":"metalctl firewall ssh","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/","page":"metalctl firewall ssh","title":"metalctl firewall ssh","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/#SEE-ALSO","page":"metalctl firewall ssh","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/","page":"metalctl firewall ssh","title":"metalctl firewall ssh","text":"metalctl firewall\t - manage firewall entities","category":"page"},{"location":"external/metalctl/docs/metalctl_image_edit/#metalctl-image-edit","page":"metalctl image edit","title":"metalctl image edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_edit/","page":"metalctl image edit","title":"metalctl image edit","text":"edit the image through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_image_edit/","page":"metalctl image edit","title":"metalctl image edit","text":"metalctl image edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_image_edit/#Options","page":"metalctl image edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_edit/","page":"metalctl image edit","title":"metalctl image edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_image_edit/#Options-inherited-from-parent-commands","page":"metalctl image edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_edit/","page":"metalctl image edit","title":"metalctl image edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_image_edit/#SEE-ALSO","page":"metalctl image edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_edit/","page":"metalctl image edit","title":"metalctl image edit","text":"metalctl image\t - manage image entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/#metalctl-machine-power-disk","page":"metalctl machine power disk","title":"metalctl machine power disk","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/","page":"metalctl machine power disk","title":"metalctl machine power disk","text":"boot a machine from disk","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/#Synopsis","page":"metalctl machine power disk","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/","page":"metalctl machine power disk","title":"metalctl machine power disk","text":"the machine will boot from disk. (machine does not reboot automatically)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/","page":"metalctl machine power disk","title":"metalctl machine power disk","text":"metalctl machine power disk [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/#Options","page":"metalctl machine power disk","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/","page":"metalctl machine power disk","title":"metalctl machine power disk","text":" -h, --help help for disk","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/#Options-inherited-from-parent-commands","page":"metalctl machine power disk","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/","page":"metalctl machine power disk","title":"metalctl machine power disk","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/#SEE-ALSO","page":"metalctl machine power disk","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/","page":"metalctl machine power disk","title":"metalctl machine power disk","text":"metalctl machine power\t - manage machine power","category":"page"},{"location":"external/metalctl/docs/metalctl_image_describe/#metalctl-image-describe","page":"metalctl image describe","title":"metalctl image describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_describe/","page":"metalctl image describe","title":"metalctl image describe","text":"describes the image","category":"page"},{"location":"external/metalctl/docs/metalctl_image_describe/","page":"metalctl image describe","title":"metalctl image describe","text":"metalctl image describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_image_describe/#Options","page":"metalctl image describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_describe/","page":"metalctl image describe","title":"metalctl image describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_image_describe/#Options-inherited-from-parent-commands","page":"metalctl image describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_describe/","page":"metalctl image describe","title":"metalctl image describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_image_describe/#SEE-ALSO","page":"metalctl image describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_describe/","page":"metalctl image describe","title":"metalctl image describe","text":"metalctl image\t - manage image entities","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_list/#metalctl-partition-list","page":"metalctl partition list","title":"metalctl partition list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_list/","page":"metalctl partition list","title":"metalctl partition list","text":"list all partitions","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_list/","page":"metalctl partition list","title":"metalctl partition list","text":"metalctl partition list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_list/#Options","page":"metalctl partition list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_list/","page":"metalctl partition list","title":"metalctl partition list","text":" -h, --help help for list\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: description|id|name","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_list/#Options-inherited-from-parent-commands","page":"metalctl partition list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_list/","page":"metalctl partition list","title":"metalctl partition list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_list/#SEE-ALSO","page":"metalctl partition list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_list/","page":"metalctl partition list","title":"metalctl partition list","text":"metalctl partition\t - manage partition entities","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_describe/#metalctl-filesystemlayout-describe","page":"metalctl filesystemlayout describe","title":"metalctl filesystemlayout describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_describe/","page":"metalctl filesystemlayout describe","title":"metalctl filesystemlayout describe","text":"describes the filesystemlayout","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_describe/","page":"metalctl filesystemlayout describe","title":"metalctl filesystemlayout describe","text":"metalctl filesystemlayout describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_describe/#Options","page":"metalctl filesystemlayout describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_describe/","page":"metalctl filesystemlayout describe","title":"metalctl filesystemlayout describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_describe/#Options-inherited-from-parent-commands","page":"metalctl filesystemlayout describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_describe/","page":"metalctl filesystemlayout describe","title":"metalctl filesystemlayout describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_describe/#SEE-ALSO","page":"metalctl filesystemlayout describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_describe/","page":"metalctl filesystemlayout describe","title":"metalctl filesystemlayout describe","text":"metalctl filesystemlayout\t - manage filesystemlayout entities","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_apply/#metalctl-partition-apply","page":"metalctl partition apply","title":"metalctl partition apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_apply/","page":"metalctl partition apply","title":"metalctl partition apply","text":"applies one or more partitions from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_apply/","page":"metalctl partition apply","title":"metalctl partition apply","text":"metalctl partition apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_apply/#Options","page":"metalctl partition apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_apply/","page":"metalctl partition apply","title":"metalctl partition apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl partition describe partition-1 -o yaml > partition.yaml\n $ vi partition.yaml\n $ # either via stdin\n $ cat partition.yaml | metalctl partition apply -f -\n $ # or via file\n $ metalctl partition apply -f partition.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_apply/#Options-inherited-from-parent-commands","page":"metalctl partition apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_apply/","page":"metalctl partition apply","title":"metalctl partition apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_apply/#SEE-ALSO","page":"metalctl partition apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_apply/","page":"metalctl partition apply","title":"metalctl partition apply","text":"metalctl partition\t - manage partition entities","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_list/#metalctl-firewall-list","page":"metalctl firewall list","title":"metalctl firewall list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_list/","page":"metalctl firewall list","title":"metalctl firewall list","text":"list all firewalls","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_list/","page":"metalctl firewall list","title":"metalctl firewall list","text":"metalctl firewall list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_list/#Options","page":"metalctl firewall list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_list/","page":"metalctl firewall list","title":"metalctl firewall list","text":" -h, --help help for list\n --hostname string allocation hostname to filter [optional]\n --id string ID to filter [optional]\n --image string allocation image to filter [optional]\n --mac string mac to filter [optional]\n --name string allocation name to filter [optional]\n --partition string partition to filter [optional]\n --project string allocation project to filter [optional]\n --size string size to filter [optional]\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: age|event|id|image|liveliness|partition|project|size|when\n --tags strings tags to filter, use it like: --tags \"tag1,tag2\" or --tags \"tag3\".","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_list/#Options-inherited-from-parent-commands","page":"metalctl firewall list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_list/","page":"metalctl firewall list","title":"metalctl firewall list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_list/#SEE-ALSO","page":"metalctl firewall list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_list/","page":"metalctl firewall list","title":"metalctl firewall list","text":"metalctl firewall\t - manage firewall entities","category":"page"},{"location":"external/metalctl/docs/metalctl_project_list/#metalctl-project-list","page":"metalctl project list","title":"metalctl project list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_list/","page":"metalctl project list","title":"metalctl project list","text":"list all projects","category":"page"},{"location":"external/metalctl/docs/metalctl_project_list/","page":"metalctl project list","title":"metalctl project list","text":"metalctl project list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_project_list/#Options","page":"metalctl project list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_list/","page":"metalctl project list","title":"metalctl project list","text":" -h, --help help for list\n --id string ID of the project.\n --name string Name of the project.\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: description|id|name|tenant\n --tenant string tenant of this project.","category":"page"},{"location":"external/metalctl/docs/metalctl_project_list/#Options-inherited-from-parent-commands","page":"metalctl project list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_list/","page":"metalctl project list","title":"metalctl project list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_project_list/#SEE-ALSO","page":"metalctl project list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_list/","page":"metalctl project list","title":"metalctl project list","text":"metalctl project\t - manage project entities","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_console/#metalctl-switch-console","page":"metalctl switch console","title":"metalctl switch console","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_console/","page":"metalctl switch console","title":"metalctl switch console","text":"connect to the switch console","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_console/#Synopsis","page":"metalctl switch console","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_console/","page":"metalctl switch console","title":"metalctl switch console","text":"this requires a network connectivity to the ip address of the console server this switch is connected to.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_console/","page":"metalctl switch console","title":"metalctl switch console","text":"metalctl switch console [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_console/#Options","page":"metalctl switch console","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_console/","page":"metalctl switch console","title":"metalctl switch console","text":" -h, --help help for console","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_console/#Options-inherited-from-parent-commands","page":"metalctl switch console","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_console/","page":"metalctl switch console","title":"metalctl switch console","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_console/#SEE-ALSO","page":"metalctl switch console","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_console/","page":"metalctl switch console","title":"metalctl switch console","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_list/#metalctl-size-imageconstraint-list","page":"metalctl size imageconstraint list","title":"metalctl size imageconstraint list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_list/","page":"metalctl size imageconstraint list","title":"metalctl size imageconstraint list","text":"list all imageconstraints","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_list/","page":"metalctl size imageconstraint list","title":"metalctl size imageconstraint list","text":"metalctl size imageconstraint list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_list/#Options","page":"metalctl size imageconstraint list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_list/","page":"metalctl size imageconstraint list","title":"metalctl size imageconstraint list","text":" -h, --help help for list\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: description|id|name","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_list/#Options-inherited-from-parent-commands","page":"metalctl size imageconstraint list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_list/","page":"metalctl size imageconstraint list","title":"metalctl size imageconstraint list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_list/#SEE-ALSO","page":"metalctl size imageconstraint list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_list/","page":"metalctl size imageconstraint list","title":"metalctl size imageconstraint list","text":"metalctl size imageconstraint\t - manage imageconstraint entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/#metalctl-machine-power-pxe","page":"metalctl machine power pxe","title":"metalctl machine power pxe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/","page":"metalctl machine power pxe","title":"metalctl machine power pxe","text":"boot a machine from PXE","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/#Synopsis","page":"metalctl machine power pxe","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/","page":"metalctl machine power pxe","title":"metalctl machine power pxe","text":"the machine will boot from PXE. (machine does not reboot automatically)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/","page":"metalctl machine power pxe","title":"metalctl machine power pxe","text":"metalctl machine power pxe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/#Options","page":"metalctl machine power pxe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/","page":"metalctl machine power pxe","title":"metalctl machine power pxe","text":" -h, --help help for pxe","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/#Options-inherited-from-parent-commands","page":"metalctl machine power pxe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/","page":"metalctl machine power pxe","title":"metalctl machine power pxe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/#SEE-ALSO","page":"metalctl machine power pxe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/","page":"metalctl machine power pxe","title":"metalctl machine power pxe","text":"metalctl machine power\t - manage machine power","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_create/#metalctl-size-reservation-create","page":"metalctl size reservation create","title":"metalctl size reservation create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_create/","page":"metalctl size reservation create","title":"metalctl size reservation create","text":"creates the reservation","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_create/","page":"metalctl size reservation create","title":"metalctl size reservation create","text":"metalctl size reservation create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_create/#Options","page":"metalctl size reservation create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_create/","page":"metalctl size reservation create","title":"metalctl size reservation create","text":" --amount int32 the amount to associate with this reservation\n --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n --description string the description to associate with this reservation\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl reservation describe reservation-1 -o yaml > reservation.yaml\n $ vi reservation.yaml\n $ # either via stdin\n $ cat reservation.yaml | metalctl reservation create -f -\n $ # or via file\n $ metalctl reservation create -f reservation.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for create\n --id string the id to associate with this reservation\n --labels strings the labels to associate with this reservation\n --partitions strings the partition ids to associate with this reservation\n --project string the project id to associate with this reservation\n --size string the size id to associate with this reservation\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_create/#Options-inherited-from-parent-commands","page":"metalctl size reservation create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_create/","page":"metalctl size reservation create","title":"metalctl size reservation create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_create/#SEE-ALSO","page":"metalctl size reservation create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_create/","page":"metalctl size reservation create","title":"metalctl size reservation create","text":"metalctl size reservation\t - manage reservation entities","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_describe/#metalctl-partition-describe","page":"metalctl partition describe","title":"metalctl partition describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_describe/","page":"metalctl partition describe","title":"metalctl partition describe","text":"describes the partition","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_describe/","page":"metalctl partition describe","title":"metalctl partition describe","text":"metalctl partition describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_describe/#Options","page":"metalctl partition describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_describe/","page":"metalctl partition describe","title":"metalctl partition describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_describe/#Options-inherited-from-parent-commands","page":"metalctl partition describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_describe/","page":"metalctl partition describe","title":"metalctl partition describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_describe/#SEE-ALSO","page":"metalctl partition describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_describe/","page":"metalctl partition describe","title":"metalctl partition describe","text":"metalctl partition\t - manage partition entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_edit/#metalctl-machine-edit","page":"metalctl machine edit","title":"metalctl machine edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_edit/","page":"metalctl machine edit","title":"metalctl machine edit","text":"edit the machine through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_edit/","page":"metalctl machine edit","title":"metalctl machine edit","text":"metalctl machine edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_edit/#Options","page":"metalctl machine edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_edit/","page":"metalctl machine edit","title":"metalctl machine edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_edit/#Options-inherited-from-parent-commands","page":"metalctl machine edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_edit/","page":"metalctl machine edit","title":"metalctl machine edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_edit/#SEE-ALSO","page":"metalctl machine edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_edit/","page":"metalctl machine edit","title":"metalctl machine edit","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network_allocate/#metalctl-network-allocate","page":"metalctl network allocate","title":"metalctl network allocate","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_allocate/","page":"metalctl network allocate","title":"metalctl network allocate","text":"allocate a network","category":"page"},{"location":"external/metalctl/docs/metalctl_network_allocate/","page":"metalctl network allocate","title":"metalctl network allocate","text":"metalctl network allocate [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_allocate/#Options","page":"metalctl network allocate","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_allocate/","page":"metalctl network allocate","title":"metalctl network allocate","text":" -d, --description string description of the network to create. [optional]\n --dmz use this private network as dmz. [optional]\n -h, --help help for allocate\n --labels strings labels for this network. [optional]\n -n, --name string name of the network to create. [required]\n --partition string partition where this network should exist. [required]\n --project string partition where this network should exist. [required]\n --shared shared allows usage of this private network from other networks","category":"page"},{"location":"external/metalctl/docs/metalctl_network_allocate/#Options-inherited-from-parent-commands","page":"metalctl network allocate","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_allocate/","page":"metalctl network allocate","title":"metalctl network allocate","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_allocate/#SEE-ALSO","page":"metalctl network allocate","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_allocate/","page":"metalctl network allocate","title":"metalctl network allocate","text":"metalctl network\t - manage network entities","category":"page"},{"location":"development/proposals/MEP8/README/#Configurable-Filesystem-layout-for-Machine-Allocation","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"","category":"section"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"The current implementation uses a hard coded filesystem layout depending on the specified size and image. This is done in the metal-hammer. This worked well in the past because we had a small amount of sizes and images. But we reached a point where this is to restricted for all use cases we have to fulfill. It also forces us to modify the metal-hammer source code to support a new filesystem layout.","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"This proposal tries to address this issue by introducing a filesystem layout struct in the metal-api which is then configurable per machine allocation. The original behavior of automatic filesystem layout decision must still be present, because there must be no API change for existing API consumers. It should be a additional feature during machine allocation.","category":"page"},{"location":"development/proposals/MEP8/README/#API-and-behavior","page":"Configurable Filesystem layout for Machine Allocation","title":"API and behavior","text":"","category":"section"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"The API will get a new endpoint filesystemlayoutsto create/update/delete a set of available filesystemlayouts.","category":"page"},{"location":"development/proposals/MEP8/README/#Constraints","page":"Configurable Filesystem layout for Machine Allocation","title":"Constraints","text":"","category":"section"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"In order to keep the actual machine allocation api compatible, there must be no difference while allocating a machine. To achieve this every filesystemlayout defines constraints which specifies for which combination of sizes and images this layout should be used by default. The specified constraints over all filesystemlayouts therefore must be collision free, to be more specific, there must be exactly one layout outcome for every possible combination of sizes and images.","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"The size constraint must be a list of the exact size ids, the image constraint must be a map of os to semver compatible version constraint. For example:","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"debian: \">= 10.20210101\" or debian: \"< 10.20210101\"","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"The general form of a image constraint is a map from os to versionconstraint where:","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"os must match the first part of the image without the version. versionconstraint must be the comparator, a space and the version, or simply * to match all versions of this os. The comparator must be one of: \"=\", \"!=\", \">\", \"<\", \">=\", \"=>\", \"<=\", \"=<\", \"~\", \"~>\", \"^\"","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"It must also be possible to have a filesystemlayout in development or for other special purposes, which can be specified during the machine allocation. To have such a layout, both constraints sizes and imagesmust be empty list.","category":"page"},{"location":"development/proposals/MEP8/README/#Reinstall","page":"Configurable Filesystem layout for Machine Allocation","title":"Reinstall","text":"","category":"section"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"The current reinstall implementation the metal-hammer detects during the installation on which disk the OS was installed and reports back to the metal-api the Report struct which has two properties primarydisk and ospartition. Both fields are not required anymore because the logic is now shifted to the filesystemlayout definition. If Disk.WipeOnReinstall is set to true, this disk will be wiped, default is false and is preserved.","category":"page"},{"location":"development/proposals/MEP8/README/#Handling-of-s2-xlarge-machines","page":"Configurable Filesystem layout for Machine Allocation","title":"Handling of s2-xlarge machines","text":"","category":"section"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"These machines are a bit special compared to our c1-* machines because they have rotating hard disks for the mass storage purpose. The downside is that the on board SATA-DOM has the same naming as the HDDs and can not be specified as the first /dev/sda disk because all HDDs are also /dev/sd* disks. Therefore we had a special SATA-DOM detection algorithm inside metal-hammer which simply checks for the smallest /dev/sd disk and took this to install the OS.","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"This is not possible with the current approach, but we figured out that the SATA-DOM is always /dev/sde. So we can create a special filesystemlayout where the installations is made on this disk.","category":"page"},{"location":"development/proposals/MEP8/README/#Possible-Filesystemlayout-hierarchies","page":"Configurable Filesystem layout for Machine Allocation","title":"Possible Filesystemlayout hierarchies","text":"","category":"section"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"It is only possible to create a filesystem on top of a block device. The creation of a block device can be done on multiple ways, depending on the requirements regarding performance, space and redundancy of the filesystem. It also depends on the disks available on the server.","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"The current approach implements the following hierarchies:","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"(Image: filesystems)","category":"page"},{"location":"development/proposals/MEP8/README/#Implementation","page":"Configurable Filesystem layout for Machine Allocation","title":"Implementation","text":"","category":"section"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"// FilesystemLayout to be created on the given machine\ntype FilesystemLayout struct {\n // ID unique layout identifier\n ID string\n // Description is human readable\n Description string\n // Filesystems to create on the server\n Filesystems []Filesystem\n // Disks to configure in the server with their partitions\n Disks []Disk\n // Raid if not empty, create raid arrays out of the individual disks, to place filesystems onto\n Raid []Raid\n // VolumeGroups to create\n VolumeGroups []VolumeGroup\n // LogicalVolumes to create on top of VolumeGroups\n LogicalVolumes []LogicalVolume\n // Constraints which must match to select this Layout\n Constraints FilesystemLayoutConstraints\n}\n\ntype FilesystemLayoutConstraints struct {\n // Sizes defines the list of sizes this layout applies to\n Sizes []string\n // Images defines a map from os to versionconstraint\n // the combination of os and versionconstraint per size must be conflict free over all filesystemlayouts\n Images map[string]string\n}\n\ntype RaidLevel string\ntype Format string\ntype GPTType string\n\n// Filesystem defines a single filesystem to be mounted\ntype Filesystem struct {\n // Path defines the mountpoint, if nil, it will not be mounted\n Path *string\n // Device where the filesystem is created on, must be the full device path seen by the OS\n Device string\n // Format is the type of filesystem should be created\n Format Format\n // Label is optional enhances readability\n Label *string\n // MountOptions which might be required\n MountOptions []string\n // CreateOptions during filesystem creation\n CreateOptions []string\n}\n\n// Disk represents a single block device visible from the OS, required\ntype Disk struct {\n // Device is the full device path\n Device string\n // Partitions to create on this device\n Partitions []Partition\n // WipeOnReinstall, if set to true the whole disk will be erased if reinstall happens\n // during fresh install all disks are wiped\n WipeOnReinstall bool\n}\n\n// Raid is optional, if given the devices must match.\n// TODO inherit GPTType from underlay device ?\ntype Raid struct {\n // ArrayName of the raid device, most often this will be /dev/md0 and so forth\n ArrayName string\n // Devices the devices to form a raid device\n Devices []Device\n // Level the raidlevel to use, can be one of 0,1,5,10 \n // TODO what should be support\n Level RaidLevel\n // CreateOptions required during raid creation, example: --metadata=1.0 for uefi boot partition\n CreateOptions []string\n // Spares defaults to 0\n Spares int\n}\n\n\n// VolumeGroup is optional, if given the devices must match.\ntype VolumeGroup struct {\n // Name of the volumegroup without the /dev prefix\n Name string\n // Devices the devices to form a volumegroup device\n Devices []string\n // Tags to attach to the volumegroup\n Tags []string\n}\n\n// LogicalVolume is a block devices created with lvm on top of a volumegroup\ntype LogicalVolume struct {\n // Name the name of the logical volume, without /dev prefix, will be accessible at /dev/vgname/lvname\n Name string\n // VolumeGroup the name of the volumegroup\n VolumeGroup string\n // Size of this LV in mebibytes (MiB)\n Size uint64\n // LVMType can be either striped or raid1\n LVMType LVMType\n}\n\n// Partition is a single partition on a device, only GPT partition types are supported\ntype Partition struct {\n // Number of this partition, will be added to the device once partitioned\n Number int\n // Label to enhance readability\n Label *string\n // Size given in MebiBytes (MiB)\n // if \"0\" is given the rest of the device will be used, this requires Number to be the highest in this partition\n Size string\n // GPTType defines the GPT partition type\n GPTType *GPTType\n}\n\nconst (\n // VFAT is used for the UEFI boot partition\n VFAT = Format(\"vfat\")\n // EXT3 is usually only used for /boot\n EXT3 = Format(\"ext3\")\n // EXT4 is the default fs\n EXT4 = Format(\"ext4\")\n // SWAP is for the swap partition\n SWAP = Format(\"swap\")\n // None\n NONE = Format(\"none\")\n\n // GPTBoot EFI Boot Partition\n GPTBoot = GPTType(\"ef00\")\n // GPTLinux Linux Partition\n GPTLinux = GPTType(\"8300\")\n // GPTLinuxRaid Linux Raid Partition\n GPTLinuxRaid = GPTType(\"fd00\")\n // GPTLinux Linux Partition\n GPTLinuxLVM = GPTType(\"8e00\")\n\n // LVMTypeLinear append across all physical volumes\n LVMTypeLinear = LVMType(\"linear\")\n // LVMTypeStriped stripe across all physical volumes\n LVMTypeStriped = LVMType(\"striped\")\n // LVMTypeStripe mirror with raid across all physical volumes\n LVMTypeRaid1 = LVMType(\"raid1\")\n)","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"Example metalctl outputs:","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"$ metalctl filesystemlayouts ls\nID DESCRIPTION SIZES IMAGES\ndefault default fs layout c1-large-x86, c1-xlarge-x86 debian >=10, ubuntu >=20.04, centos >=7\nceph fs layout for ceph s2-large-x86, s2-xlarge-x86 debian >=10, ubuntu >=20.04\nfirewall firewall fs layout c1-large-x86, c1-xlarge-x86 firewall >=2\nstorage storage fs layout s3-large-x86 centos >=7\ns3 storage fs layout s2-xlarge-x86 debian >=10, ubuntu >=20.04, >=firewall-2\ndefault-devel devel fs layout ","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"The default layout reflects what is actually implemented in metal-hammer to guarantee backward compatibility.","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"---\nid: default\nconstraints:\n sizes:\n - c1-large-x86\n - c1-xlarge-x86\n images:\n debian: \">=10\"\n ubuntu: \">=20.04\"\n centos: \">=7\"\nfilesystems:\n - path: \"/boot/efi\"\n device: \"/dev/sda1\"\n format: \"vfat\"\n options: \"-F 32\"\n label: \"efi\" # required to be compatible with old images\n - path: \"/\"\n device: \"/dev/sda2\"\n format: \"ext4\"\n label: \"root\" # required to be compatible with old images\n - path: \"/var/lib\"\n device: \"/dev/sda3\"\n format: \"ext4\"\n label: \"varlib\" # required to be compatible with old images\n - path: \"/tmp\"\n device: \"tmpfs\"\n format: \"tmpfs\"\n mountoptions: [\"defaults\",\"noatime\",\"nosuid\",\"nodev\",\"noexec\",\"mode=1777\",\"size=512M\"]\ndisks:\n - device: \"/dev/sda\"\n wipe: true\n partitions:\n - number: 1\n label: \"efi\"\n size: 500\n type: GPTBoot\n - number: 2\n label: \"root\"\n size: 5000\n type: GPTLinux\n - number: 3\n label: \"varlib\"\n size: 0 # to end of partition\n type: GPTLinux","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"The firewall layout reuses the built in nvme disk to store the logs, which is way faster and larger than what the sata-dom ssd provides.","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"---\nid: firewall\nconstraints:\n sizes:\n - c1-large-x86\n - c1-xlarge-x86\n images:\n firewall: \">=2\"\nfilesystems:\n - path: \"/boot/efi\"\n device: \"/dev/sda1\"\n format: \"vfat\"\n options: \"-F 32\"\n - path: \"/\"\n device: \"/dev/sda2\"\n format: \"ext4\"\n - path: \"/var\"\n device: \"/dev/nvme0n1p1\"\n format: \"ext4\"\ndisks:\n - device: \"/dev/sda\"\n wipe: true\n partitions:\n - number: 1\n label: \"efi\"\n size: 500\n type: GPTBoot\n - number: 2\n label: \"root\"\n size: 5000\n type: GPTLinux\n - device: \"/dev/nvme0n1\"\n wipe: true\n partitions:\n - number: 1\n label: \"var\"\n size: 0\n type: GPTLinux","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"The storage layout will be used for the storage servers, which must have mirrored boot disks.","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"---\nid: storage\nconstraints:\n sizes:\n - s3-large-x86\n images:\n centos: \">=7\"\nfilesystems:\n - path: \"/boot/efi\"\n device: \"/dev/md1\"\n format: \"vfat\"\n options: \"-F32\"\n - path: \"/\"\n device: \"/dev/md2\"\n format: \"ext4\"\ndisks:\n - device: \"/dev/sda\"\n wipe: true\n partitions:\n - number: 1\n label: \"efi\"\n size: 500\n type: GPTLinuxRaid\n - number: 2\n label: \"root\"\n size: 5000\n type: GPTLinuxRaid\n - device: \"/dev/sdb\"\n wipe: true\n partitions:\n - number: 1\n label: \"efi\"\n size: 500\n type: GPTLinuxRaid\n - number: 2\n label: \"root\"\n size: 5000\n type: GPTLinuxRaid\nraid:\n - name: \"/dev/md1\"\n level: 1\n devices:\n - \"/dev/sda1\"\n - \"/dev/sdb1\"\n options: \"--metadata=1.0\"\n - name: \"/dev/md2\"\n level: 1\n devices:\n - \"/dev/sda2\"\n - \"/dev/sdb2\"\n options: \"--metadata=1.0\"","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"The s3-storage layout matches the special situation on the s2-xlarge machines.","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"---\nid: s3-storage\nconstraints:\n sizes:\n - c1-large-x86\n - s2-xlarge-x86\n images:\n debian: \">=10\"\n ubuntu: \">=20.04\"\n centos: \">=7\"\nfilesystems:\n - path: \"/boot/efi\"\n device: \"/dev/sde1\"\n format: \"vfat\"\n options: \"-F 32\"\n - path: \"/\"\n device: \"/dev/sde2\"\n format: \"ext4\"\n - path: \"/var/lib\"\n device: \"/dev/sde3\"\n format: \"ext4\"\ndisks:\n - device: \"/dev/sde\"\n wipe: true\n partitions:\n - number: 1\n label: \"efi\"\n size: 500\n type: GPTBoot\n - number: 2\n label: \"root\"\n size: 5000\n type: GPTLinux\n - number: 3\n label: \"varlib\"\n size: 0 # to end of partition\n type: GPTLinux","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"A sample lvm layout which puts /var/lib as stripe on the nvme device","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"---\nid: lvm\ndescription: \"lvm layout\"\nconstraints:\n size:\n - s2-xlarge-x86\n images:\n debian: \">=10\"\n ubuntu: \">=20.04\"\n centos: \">=7\"\nfilesystems:\n - path: \"/boot/efi\"\n device: \"/dev/sda1\"\n format: \"vfat\"\n createoptions: \n - \"-F 32\"\n label: \"efi\"\n - path: \"/\"\n device: \"/dev/sda2\"\n format: \"ext4\"\n label: \"root\"\n - path: \"/var/lib\"\n device: \"/dev/vg00/varlib\"\n format: \"ext4\"\n label: \"varlib\"\n - path: \"/tmp\"\n device: \"tmpfs\"\n format: \"tmpfs\"\n mountoptions: [\"defaults\",\"noatime\",\"nosuid\",\"nodev\",\"noexec\",\"mode=1777\",\"size=512M\"]\nvolumegroups:\n - name: \"vg00\"\n devices:\n - \"/dev/nvmne0n1\"\n - \"/dev/nvmne0n2\"\nlogicalvolumes:\n - name: \"varlib\"\n volumegroup: \"vg00\"\n size: 200\n lvmtype: \"striped\"\ndisks:\n - device: \"/dev/sda\"\n wipeonreinstall: true\n partitions:\n - number: 1\n label: \"efi\"\n size: 500\n gpttype: \"ef00\"\n - number: 2\n label: \"root\"\n size: 5000\n gpttype: \"8300\"\n - device: \"/dev/nvmne0n1\"\n wipeonreinstall: false\n - device: \"/dev/nvmne0n2\"\n wipeonreinstall: false","category":"page"},{"location":"development/proposals/MEP8/README/#Components-which-requires-modifications","page":"Configurable Filesystem layout for Machine Allocation","title":"Components which requires modifications","text":"","category":"section"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"metal-hammer:\nchange implementation from build in hard coded logic\nmove logic to create fstab from install.sh to metal-hammer\nmetal-api:\nnew endpoint filesystemlayouts\nadd optional spec of filesystemlayout during allocation with validation if given filesystemlayout is possible on given size.\nadd allocation.filesystemlayout in the response, based on either the specified filesystemlayout or the calculated one.\nimplement filesystemlayouts validation for:\nmatching to disks in the size\nno overlapping with the sizes/imagefilter specified in filesystemlayouts\nall devices specified exists from top to bottom (fs -> disks -> device || fs -> raid -> devices)\nmetalctl:\nimplement filesystemlayouts\nmetal-go:\nadopt api changes\nmetal-images:\ninstall mdadm for raid support","category":"page"},{"location":"external/metalctl/docs/metalctl_network_update/#metalctl-network-update","page":"metalctl network update","title":"metalctl network update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_update/","page":"metalctl network update","title":"metalctl network update","text":"updates the network","category":"page"},{"location":"external/metalctl/docs/metalctl_network_update/","page":"metalctl network update","title":"metalctl network update","text":"metalctl network update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_update/#Options","page":"metalctl network update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_update/","page":"metalctl network update","title":"metalctl network update","text":" --add-destinationprefixes strings destination prefixes to be added to the network [optional]\n --add-prefixes strings prefixes to be added to the network [optional]\n --additional-announcable-cidrs strings list of cidrs which are added to the route maps per tenant private network, these are typically pod- and service cidrs, can only be set in a supernetwork\n --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n --description string the description of the network [optional]\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl network describe network-1 -o yaml > network.yaml\n $ vi network.yaml\n $ # either via stdin\n $ cat network.yaml | metalctl network update -f -\n $ # or via file\n $ metalctl network update -f network.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --labels strings the labels of the network, must be in the form of key=value, use it like: --labels \"key1=value1,key2=value2\". [optional]\n --name string the name of the network [optional]\n --remove-destinationprefixes strings destination prefixes to be removed from the network [optional]\n --remove-prefixes strings prefixes to be removed from the network [optional]\n --shared marks a network as shared or not [optional]\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_network_update/#Options-inherited-from-parent-commands","page":"metalctl network update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_update/","page":"metalctl network update","title":"metalctl network update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_update/#SEE-ALSO","page":"metalctl network update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_update/","page":"metalctl network update","title":"metalctl network update","text":"metalctl network\t - manage network entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_edit/#metalctl-size-edit","page":"metalctl size edit","title":"metalctl size edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_edit/","page":"metalctl size edit","title":"metalctl size edit","text":"edit the size through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_size_edit/","page":"metalctl size edit","title":"metalctl size edit","text":"metalctl size edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_edit/#Options","page":"metalctl size edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_edit/","page":"metalctl size edit","title":"metalctl size edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_size_edit/#Options-inherited-from-parent-commands","page":"metalctl size edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_edit/","page":"metalctl size edit","title":"metalctl size edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_edit/#SEE-ALSO","page":"metalctl size edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_edit/","page":"metalctl size edit","title":"metalctl size edit","text":"metalctl size\t - manage size entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_delete/#metalctl-size-imageconstraint-delete","page":"metalctl size imageconstraint delete","title":"metalctl size imageconstraint delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_delete/","page":"metalctl size imageconstraint delete","title":"metalctl size imageconstraint delete","text":"deletes the imageconstraint","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_delete/","page":"metalctl size imageconstraint delete","title":"metalctl size imageconstraint delete","text":"metalctl size imageconstraint delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_delete/#Options","page":"metalctl size imageconstraint delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_delete/","page":"metalctl size imageconstraint delete","title":"metalctl size imageconstraint delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl imageconstraint describe imageconstraint-1 -o yaml > imageconstraint.yaml\n $ vi imageconstraint.yaml\n $ # either via stdin\n $ cat imageconstraint.yaml | metalctl imageconstraint delete -f -\n $ # or via file\n $ metalctl imageconstraint delete -f imageconstraint.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_delete/#Options-inherited-from-parent-commands","page":"metalctl size imageconstraint delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_delete/","page":"metalctl size imageconstraint delete","title":"metalctl size imageconstraint delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_delete/#SEE-ALSO","page":"metalctl size imageconstraint delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_delete/","page":"metalctl size imageconstraint delete","title":"metalctl size imageconstraint delete","text":"metalctl size imageconstraint\t - manage imageconstraint entities","category":"page"},{"location":"development/proposals/MEP12/README/#Rack-Spreading","page":"Rack Spreading","title":"Rack Spreading","text":"","category":"section"},{"location":"development/proposals/MEP12/README/","page":"Rack Spreading","title":"Rack Spreading","text":"Currently, when creating a machine through the metal-api, the machine is placed randomly inside a partition. This algorithm does not consider spreading machines across different racks and different chassis. This may lead to the situation that a group of machines (that for example form a cluster) can end up being placed in the same rack and the same chassis.","category":"page"},{"location":"development/proposals/MEP12/README/","page":"Rack Spreading","title":"Rack Spreading","text":"Spreading a group of machines across racks can enhance availability for scenarios like a rack loosing power or a chassis meltdown.","category":"page"},{"location":"development/proposals/MEP12/README/","page":"Rack Spreading","title":"Rack Spreading","text":"So, instead of just randomly deciding the placement of a machine candidate, we want to propose a placement strategy that attempts to spread machine candidates across the racks inside a partition.","category":"page"},{"location":"development/proposals/MEP12/README/","page":"Rack Spreading","title":"Rack Spreading","text":"Furthermore a followup improvement to guarantee that machines are really spread across multiple racks, even if multiple machines are ordered in parallel, was implemented with PR490.","category":"page"},{"location":"development/proposals/MEP12/README/#Placement-Strategy","page":"Rack Spreading","title":"Placement Strategy","text":"","category":"section"},{"location":"development/proposals/MEP12/README/","page":"Rack Spreading","title":"Rack Spreading","text":"Machines in the project are spread across all available racks evenly within a partition (best effort). For this, an additional request to the datastore has to be made in order to find allocated machines within the project in the partition.","category":"page"},{"location":"development/proposals/MEP12/README/","page":"Rack Spreading","title":"Rack Spreading","text":"The algorithm will then figure out the least occupied racks and elect a machine candidate randomly from those racks.","category":"page"},{"location":"development/proposals/MEP12/README/","page":"Rack Spreading","title":"Rack Spreading","text":"The user can optionally pass placement tags which will be considered for spreading the machines as well (this will for example allow spreading by a cluster id tag inside the same project).","category":"page"},{"location":"development/proposals/MEP12/README/#API","page":"Rack Spreading","title":"API","text":"","category":"section"},{"location":"development/proposals/MEP12/README/","page":"Rack Spreading","title":"Rack Spreading","text":"// service/v1/machine.go\n\ntype MachineAllocation struct {\n // existing fields are omitted for readability\n PlacementTags []string `json:\"placement_tags\" description:\"by default machines are spread across the racks inside a partition for every project. if placement tags are provided, the machine candidate has an additional anti-affinity to other machines having the same tags\"`\n}","category":"page"},{"location":"external/mini-lab/CONTRIBUTING/#Contributing","page":"Contributing","title":"Contributing","text":"","category":"section"},{"location":"external/mini-lab/CONTRIBUTING/","page":"Contributing","title":"Contributing","text":"Please check out the contributing section in our docs.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion/#metalctl-completion","page":"metalctl completion","title":"metalctl completion","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion/","page":"metalctl completion","title":"metalctl completion","text":"Generate the autocompletion script for the specified shell","category":"page"},{"location":"external/metalctl/docs/metalctl_completion/#Synopsis","page":"metalctl completion","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion/","page":"metalctl completion","title":"metalctl completion","text":"Generate the autocompletion script for metalctl for the specified shell. See each sub-command's help for details on how to use the generated script.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion/#Options","page":"metalctl completion","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion/","page":"metalctl completion","title":"metalctl completion","text":" -h, --help help for completion","category":"page"},{"location":"external/metalctl/docs/metalctl_completion/#Options-inherited-from-parent-commands","page":"metalctl completion","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion/","page":"metalctl completion","title":"metalctl completion","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_completion/#SEE-ALSO","page":"metalctl completion","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion/","page":"metalctl completion","title":"metalctl completion","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl completion bash\t - Generate the autocompletion script for bash\nmetalctl completion fish\t - Generate the autocompletion script for fish\nmetalctl completion powershell\t - Generate the autocompletion script for powershell\nmetalctl completion zsh\t - Generate the autocompletion script for zsh","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_list/#metalctl-network-ip-list","page":"metalctl network ip list","title":"metalctl network ip list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_list/","page":"metalctl network ip list","title":"metalctl network ip list","text":"list all ips","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_list/","page":"metalctl network ip list","title":"metalctl network ip list","text":"metalctl network ip list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_list/#Options","page":"metalctl network ip list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_list/","page":"metalctl network ip list","title":"metalctl network ip list","text":" -h, --help help for list\n --ipaddress string ipaddress to filter [optional]\n --machineid string machineid to filter [optional]\n --name string name to filter [optional]\n --network string network to filter [optional]\n --prefix string prefix to filter [optional]\n --project string project to filter [optional]\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: age|description|id|ipaddress|name|network|type\n --tags strings tags to filter [optional]\n --type string type to filter [optional]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_list/#Options-inherited-from-parent-commands","page":"metalctl network ip list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_list/","page":"metalctl network ip list","title":"metalctl network ip list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_list/#SEE-ALSO","page":"metalctl network ip list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_list/","page":"metalctl network ip list","title":"metalctl network ip list","text":"metalctl network ip\t - manage ip entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_update/#metalctl-size-update","page":"metalctl size update","title":"metalctl size update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_update/","page":"metalctl size update","title":"metalctl size update","text":"updates the size","category":"page"},{"location":"external/metalctl/docs/metalctl_size_update/","page":"metalctl size update","title":"metalctl size update","text":"metalctl size update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_update/#Options","page":"metalctl size update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_update/","page":"metalctl size update","title":"metalctl size update","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl size describe size-1 -o yaml > size.yaml\n $ vi size.yaml\n $ # either via stdin\n $ cat size.yaml | metalctl size update -f -\n $ # or via file\n $ metalctl size update -f size.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_update/#Options-inherited-from-parent-commands","page":"metalctl size update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_update/","page":"metalctl size update","title":"metalctl size update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_update/#SEE-ALSO","page":"metalctl size update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_update/","page":"metalctl size update","title":"metalctl size update","text":"metalctl size\t - manage size entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network_create/#metalctl-network-create","page":"metalctl network create","title":"metalctl network create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_create/","page":"metalctl network create","title":"metalctl network create","text":"creates the network","category":"page"},{"location":"external/metalctl/docs/metalctl_network_create/","page":"metalctl network create","title":"metalctl network create","text":"metalctl network create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_create/#Options","page":"metalctl network create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_create/","page":"metalctl network create","title":"metalctl network create","text":" --additional-announcable-cidrs strings list of cidrs which are added to the route maps per tenant private network, these are typically pod- and service cidrs, can only be set in a supernetwork\n --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -d, --description string description of the network to create. [optional]\n --destination-prefixes strings destination prefixes in this network.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl network describe network-1 -o yaml > network.yaml\n $ vi network.yaml\n $ # either via stdin\n $ cat network.yaml | metalctl network create -f -\n $ # or via file\n $ metalctl network create -f network.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for create\n --id string id of the network to create. [optional]\n --labels strings add initial labels, must be in the form of key=value, use it like: --labels \"key1=value1,key2=value2\".\n -n, --name string name of the network to create. [optional]\n --nat set nat flag of network, if set to true, traffic from this network will be natted.\n -p, --partition string partition where this network should exist.\n --prefixes strings prefixes in this network.\n --privatesuper set private super flag of network, if set to true, this network is used to start machines there.\n --project string project of the network to create. [optional]\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations\n --underlay set underlay flag of network, if set to true, this is used to transport underlay network traffic\n --vrf int vrf of this network\n --vrfshared vrf shared allows multiple networks to share a vrf","category":"page"},{"location":"external/metalctl/docs/metalctl_network_create/#Options-inherited-from-parent-commands","page":"metalctl network create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_create/","page":"metalctl network create","title":"metalctl network create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_create/#SEE-ALSO","page":"metalctl network create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_create/","page":"metalctl network create","title":"metalctl network create","text":"metalctl network\t - manage network entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_update/#metalctl-size-reservation-update","page":"metalctl size reservation update","title":"metalctl size reservation update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_update/","page":"metalctl size reservation update","title":"metalctl size reservation update","text":"updates the reservation","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_update/","page":"metalctl size reservation update","title":"metalctl size reservation update","text":"metalctl size reservation update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_update/#Options","page":"metalctl size reservation update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_update/","page":"metalctl size reservation update","title":"metalctl size reservation update","text":" --amount int32 the amount to associate with this reservation\n --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n --description string the description to associate with this reservation\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl reservation describe reservation-1 -o yaml > reservation.yaml\n $ vi reservation.yaml\n $ # either via stdin\n $ cat reservation.yaml | metalctl reservation update -f -\n $ # or via file\n $ metalctl reservation update -f reservation.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --labels strings the labels to associate with this reservation\n --partitions strings the partition ids to associate with this reservation\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_update/#Options-inherited-from-parent-commands","page":"metalctl size reservation update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_update/","page":"metalctl size reservation update","title":"metalctl size reservation update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_update/#SEE-ALSO","page":"metalctl size reservation update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_update/","page":"metalctl size reservation update","title":"metalctl size reservation update","text":"metalctl size reservation\t - manage reservation entities","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_update/#metalctl-filesystemlayout-update","page":"metalctl filesystemlayout update","title":"metalctl filesystemlayout update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_update/","page":"metalctl filesystemlayout update","title":"metalctl filesystemlayout update","text":"updates the filesystemlayout","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_update/","page":"metalctl filesystemlayout update","title":"metalctl filesystemlayout update","text":"metalctl filesystemlayout update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_update/#Options","page":"metalctl filesystemlayout update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_update/","page":"metalctl filesystemlayout update","title":"metalctl filesystemlayout update","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl filesystemlayout describe filesystemlayout-1 -o yaml > filesystemlayout.yaml\n $ vi filesystemlayout.yaml\n $ # either via stdin\n $ cat filesystemlayout.yaml | metalctl filesystemlayout update -f -\n $ # or via file\n $ metalctl filesystemlayout update -f filesystemlayout.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_update/#Options-inherited-from-parent-commands","page":"metalctl filesystemlayout update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_update/","page":"metalctl filesystemlayout update","title":"metalctl filesystemlayout update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_update/#SEE-ALSO","page":"metalctl filesystemlayout update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_update/","page":"metalctl filesystemlayout update","title":"metalctl filesystemlayout update","text":"metalctl filesystemlayout\t - manage filesystemlayout entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/#metalctl-machine-reinstall","page":"metalctl machine reinstall","title":"metalctl machine reinstall","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/","page":"metalctl machine reinstall","title":"metalctl machine reinstall","text":"reinstalls an already allocated machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/#Synopsis","page":"metalctl machine reinstall","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/","page":"metalctl machine reinstall","title":"metalctl machine reinstall","text":"reinstalls an already allocated machine. If it is not yet allocated, nothing happens, otherwise only the machine's primary disk is wiped and the new image will subsequently be installed on that device","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/","page":"metalctl machine reinstall","title":"metalctl machine reinstall","text":"metalctl machine reinstall [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/#Options","page":"metalctl machine reinstall","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/","page":"metalctl machine reinstall","title":"metalctl machine reinstall","text":" -d, --description string description of the reinstallation. [optional]\n -h, --help help for reinstall\n --image string id of the image to get installed. [required]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/#Options-inherited-from-parent-commands","page":"metalctl machine reinstall","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/","page":"metalctl machine reinstall","title":"metalctl machine reinstall","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/#SEE-ALSO","page":"metalctl machine reinstall","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/","page":"metalctl machine reinstall","title":"metalctl machine reinstall","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network/#metalctl-network","page":"metalctl network","title":"metalctl network","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network/","page":"metalctl network","title":"metalctl network","text":"manage network entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network/#Synopsis","page":"metalctl network","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network/","page":"metalctl network","title":"metalctl network","text":"networks can be attached to a machine or firewall such that they can communicate with each other.","category":"page"},{"location":"external/metalctl/docs/metalctl_network/#Options","page":"metalctl network","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network/","page":"metalctl network","title":"metalctl network","text":" -h, --help help for network","category":"page"},{"location":"external/metalctl/docs/metalctl_network/#Options-inherited-from-parent-commands","page":"metalctl network","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network/","page":"metalctl network","title":"metalctl network","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network/#SEE-ALSO","page":"metalctl network","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network/","page":"metalctl network","title":"metalctl network","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl network allocate\t - allocate a network\nmetalctl network apply\t - applies one or more networks from a given file\nmetalctl network create\t - creates the network\nmetalctl network delete\t - deletes the network\nmetalctl network describe\t - describes the network\nmetalctl network edit\t - edit the network through an editor and update\nmetalctl network free\t - free a network\nmetalctl network ip\t - manage ip entities\nmetalctl network list\t - list all networks\nmetalctl network update\t - updates the network","category":"page"},{"location":"external/metalctl/docs/metalctl_size_delete/#metalctl-size-delete","page":"metalctl size delete","title":"metalctl size delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_delete/","page":"metalctl size delete","title":"metalctl size delete","text":"deletes the size","category":"page"},{"location":"external/metalctl/docs/metalctl_size_delete/","page":"metalctl size delete","title":"metalctl size delete","text":"metalctl size delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_delete/#Options","page":"metalctl size delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_delete/","page":"metalctl size delete","title":"metalctl size delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl size describe size-1 -o yaml > size.yaml\n $ vi size.yaml\n $ # either via stdin\n $ cat size.yaml | metalctl size delete -f -\n $ # or via file\n $ metalctl size delete -f size.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_delete/#Options-inherited-from-parent-commands","page":"metalctl size delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_delete/","page":"metalctl size delete","title":"metalctl size delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_delete/#SEE-ALSO","page":"metalctl size delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_delete/","page":"metalctl size delete","title":"metalctl size delete","text":"metalctl size\t - manage size entities","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/#metalctl-completion-fish","page":"metalctl completion fish","title":"metalctl completion fish","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":"Generate the autocompletion script for fish","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/#Synopsis","page":"metalctl completion fish","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":"Generate the autocompletion script for the fish shell.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":"To load completions in your current shell session:","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":"metalctl completion fish | source","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":"To load completions for every new session, execute once:","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":"metalctl completion fish > ~/.config/fish/completions/metalctl.fish","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":"You will need to start a new shell for this setup to take effect.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":"metalctl completion fish [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/#Options","page":"metalctl completion fish","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":" -h, --help help for fish\n --no-descriptions disable completion descriptions","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/#Options-inherited-from-parent-commands","page":"metalctl completion fish","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/#SEE-ALSO","page":"metalctl completion fish","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":"metalctl completion\t - Generate the autocompletion script for the specified shell","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_edit/#metalctl-size-imageconstraint-edit","page":"metalctl size imageconstraint edit","title":"metalctl size imageconstraint edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_edit/","page":"metalctl size imageconstraint edit","title":"metalctl size imageconstraint edit","text":"edit the imageconstraint through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_edit/","page":"metalctl size imageconstraint edit","title":"metalctl size imageconstraint edit","text":"metalctl size imageconstraint edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_edit/#Options","page":"metalctl size imageconstraint edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_edit/","page":"metalctl size imageconstraint edit","title":"metalctl size imageconstraint edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_edit/#Options-inherited-from-parent-commands","page":"metalctl size imageconstraint edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_edit/","page":"metalctl size imageconstraint edit","title":"metalctl size imageconstraint edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_edit/#SEE-ALSO","page":"metalctl size imageconstraint edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_edit/","page":"metalctl size imageconstraint edit","title":"metalctl size imageconstraint edit","text":"metalctl size imageconstraint\t - manage imageconstraint entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/#metalctl-machine-ipmi","page":"metalctl machine ipmi","title":"metalctl machine ipmi","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/","page":"metalctl machine ipmi","title":"metalctl machine ipmi","text":"display ipmi details of the machine, if no machine ID is given all ipmi addresses are returned.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/#Synopsis","page":"metalctl machine ipmi","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/","page":"metalctl machine ipmi","title":"metalctl machine ipmi","text":"display ipmi details of the machine, if no machine ID is given all ipmi addresses are returned.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/","page":"metalctl machine ipmi","title":"metalctl machine ipmi","text":"Meaning of the emojis:","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/","page":"metalctl machine ipmi","title":"metalctl machine ipmi","text":"🚧 Machine is reserved. Reserved machines are not considered for random allocation until the reservation flag is removed. 🔒 Machine is locked. Locked machines can not be deleted until the lock is removed. 💀 Machine is dead. The metal-api does not receive any events from this machine. ❗ Machine has a last event error. The machine has recently encountered an error during the provisioning lifecycle. ❓ Machine is in unknown condition. The metal-api does not receive phoned home events anymore or has never booted successfully. ⭕ Machine is in a provisioning crash loop. Flag can be reset through an API-triggered reboot or when the machine reaches the phoned home state. 🚑 Machine reclaim has failed. The machine was deleted but it is not going back into the available machine pool. 🛡 Machine is connected to our VPN, ssh access only possible via this VPN.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/","page":"metalctl machine ipmi","title":"metalctl machine ipmi","text":"metalctl machine ipmi [] [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/#Options","page":"metalctl machine ipmi","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/","page":"metalctl machine ipmi","title":"metalctl machine ipmi","text":" --bmc-address string bmc ipmi address (needs to include port) to filter [optional]\n --bmc-mac string bmc mac address to filter [optional]\n --board-part-number string fru board part number to filter [optional]\n -h, --help help for ipmi\n --hostname string allocation hostname to filter [optional]\n --id string ID to filter [optional]\n --image string allocation image to filter [optional]\n --last-event-error-threshold duration the duration up to how long in the past a machine last event error will be counted as an issue [optional] (default 1h0m0s)\n --mac string mac to filter [optional]\n --manufacturer string fru manufacturer to filter [optional]\n --name string allocation name to filter [optional]\n --network-destination-prefixes string network destination prefixes to filter [optional]\n --network-ids string network ids to filter [optional]\n --network-ips string network ips to filter [optional]\n --partition string partition to filter [optional]\n --product-part-number string fru product part number to filter [optional]\n --product-serial string fru product serial to filter [optional]\n --project string allocation project to filter [optional]\n --rack string rack to filter [optional]\n --role string allocation role to filter [optional]\n --size string size to filter [optional]\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: age|bios|bmc|event|id|liveliness|partition|project|rack|size|when\n --state string state to filter [optional]\n --tags strings tags to filter, use it like: --tags \"tag1,tag2\" or --tags \"tag3\".","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/#Options-inherited-from-parent-commands","page":"metalctl machine ipmi","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/","page":"metalctl machine ipmi","title":"metalctl machine ipmi","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/#SEE-ALSO","page":"metalctl machine ipmi","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/","page":"metalctl machine ipmi","title":"metalctl machine ipmi","text":"metalctl machine\t - manage machine entities\nmetalctl machine ipmi events\t - display machine hardware events","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_apply/#metalctl-size-reservation-apply","page":"metalctl size reservation apply","title":"metalctl size reservation apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_apply/","page":"metalctl size reservation apply","title":"metalctl size reservation apply","text":"applies one or more reservations from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_apply/","page":"metalctl size reservation apply","title":"metalctl size reservation apply","text":"metalctl size reservation apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_apply/#Options","page":"metalctl size reservation apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_apply/","page":"metalctl size reservation apply","title":"metalctl size reservation apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl reservation describe reservation-1 -o yaml > reservation.yaml\n $ vi reservation.yaml\n $ # either via stdin\n $ cat reservation.yaml | metalctl reservation apply -f -\n $ # or via file\n $ metalctl reservation apply -f reservation.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_apply/#Options-inherited-from-parent-commands","page":"metalctl size reservation apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_apply/","page":"metalctl size reservation apply","title":"metalctl size reservation apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_apply/#SEE-ALSO","page":"metalctl size reservation apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_apply/","page":"metalctl size reservation apply","title":"metalctl size reservation apply","text":"metalctl size reservation\t - manage reservation entities","category":"page"},{"location":"external/metalctl/docs/metalctl_whoami/#metalctl-whoami","page":"metalctl whoami","title":"metalctl whoami","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_whoami/","page":"metalctl whoami","title":"metalctl whoami","text":"shows current user","category":"page"},{"location":"external/metalctl/docs/metalctl_whoami/#Synopsis","page":"metalctl whoami","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_whoami/","page":"metalctl whoami","title":"metalctl whoami","text":"shows the current user, that will be used to authenticate commands.","category":"page"},{"location":"external/metalctl/docs/metalctl_whoami/","page":"metalctl whoami","title":"metalctl whoami","text":"metalctl whoami [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_whoami/#Options","page":"metalctl whoami","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_whoami/","page":"metalctl whoami","title":"metalctl whoami","text":" -h, --help help for whoami","category":"page"},{"location":"external/metalctl/docs/metalctl_whoami/#Options-inherited-from-parent-commands","page":"metalctl whoami","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_whoami/","page":"metalctl whoami","title":"metalctl whoami","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_whoami/#SEE-ALSO","page":"metalctl whoami","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_whoami/","page":"metalctl whoami","title":"metalctl whoami","text":"metalctl\t - a cli to manage entities in the metal-stack api","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power/#metalctl-machine-power","page":"metalctl machine power","title":"metalctl machine power","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power/","page":"metalctl machine power","title":"metalctl machine power","text":"manage machine power","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power/#Options","page":"metalctl machine power","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power/","page":"metalctl machine power","title":"metalctl machine power","text":" -h, --help help for power","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power/#Options-inherited-from-parent-commands","page":"metalctl machine power","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power/","page":"metalctl machine power","title":"metalctl machine power","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power/#SEE-ALSO","page":"metalctl machine power","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power/","page":"metalctl machine power","title":"metalctl machine power","text":"metalctl machine\t - manage machine entities\nmetalctl machine power bios\t - boot a machine into BIOS\nmetalctl machine power cycle\t - power cycle a machine (graceful shutdown)\nmetalctl machine power disk\t - boot a machine from disk\nmetalctl machine power off\t - power off a machine\nmetalctl machine power on\t - power on a machine\nmetalctl machine power pxe\t - boot a machine from PXE\nmetalctl machine power reset\t - power reset a machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi_events/#metalctl-machine-ipmi-events","page":"metalctl machine ipmi events","title":"metalctl machine ipmi events","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_ipmi_events/","page":"metalctl machine ipmi events","title":"metalctl machine ipmi events","text":"display machine hardware events","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi_events/","page":"metalctl machine ipmi events","title":"metalctl machine ipmi events","text":"metalctl machine ipmi events [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi_events/#Options","page":"metalctl machine ipmi events","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_ipmi_events/","page":"metalctl machine ipmi events","title":"metalctl machine ipmi events","text":" -h, --help help for events\n --ipmipassword string overwrite ipmi password (admin only).\n --ipmiuser string overwrite ipmi user (admin only).\n -n, --last string show last log entries. (default \"10\")","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi_events/#Options-inherited-from-parent-commands","page":"metalctl machine ipmi events","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_ipmi_events/","page":"metalctl machine ipmi events","title":"metalctl machine ipmi events","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi_events/#SEE-ALSO","page":"metalctl machine ipmi events","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_ipmi_events/","page":"metalctl machine ipmi events","title":"metalctl machine ipmi events","text":"metalctl machine ipmi\t - display ipmi details of the machine, if no machine ID is given all ipmi addresses are returned.","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_try/#metalctl-filesystemlayout-try","page":"metalctl filesystemlayout try","title":"metalctl filesystemlayout try","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_try/","page":"metalctl filesystemlayout try","title":"metalctl filesystemlayout try","text":"try to detect a filesystem by given size and image","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_try/","page":"metalctl filesystemlayout try","title":"metalctl filesystemlayout try","text":"metalctl filesystemlayout try [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_try/#Options","page":"metalctl filesystemlayout try","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_try/","page":"metalctl filesystemlayout try","title":"metalctl filesystemlayout try","text":" -h, --help help for try\n --image string image to try\n --size string size to try","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_try/#Options-inherited-from-parent-commands","page":"metalctl filesystemlayout try","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_try/","page":"metalctl filesystemlayout try","title":"metalctl filesystemlayout try","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_try/#SEE-ALSO","page":"metalctl filesystemlayout try","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_try/","page":"metalctl filesystemlayout try","title":"metalctl filesystemlayout try","text":"metalctl filesystemlayout\t - manage filesystemlayout entities","category":"page"},{"location":"overview/kubernetes/#Kubernetes-Integration","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"","category":"section"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"With the help of the Gardener project, metal-stack can be used for spinning up Kubernetes clusters quickly and reliably on bare metal machines.","category":"page"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"To make this happen, we implemented a couple of components, which are described here.","category":"page"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"Pages = [\"kubernetes.md\"]\nDepth = 5","category":"page"},{"location":"overview/kubernetes/#metal-ccm","page":"Kubernetes Integration","title":"metal-ccm","text":"","category":"section"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"CCM stands for cloud-controller-manager and is the bridge between Kubernetes and a cloud-provider.","category":"page"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"We implemented the cloud provider interface in the metal-ccm repository. With the help of the cloud-controller-controller we provide metal-stack-specific properties for Kubernetes clusters, e.g. load balancer configuration through MetalLB or node properties.","category":"page"},{"location":"overview/kubernetes/#firewall-controller","page":"Kubernetes Integration","title":"firewall-controller","text":"","category":"section"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"To make the firewalls created with metal-stack easily configurable through Kubernetes resources, we add our firewall-controller to the firewall image. The controller watches special CRDs, enabling users to manage:","category":"page"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"nftables rules\nIntrusion-detection with suricata\nnetwork metric collection","category":"page"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"Please check out the guide on how to use it.","category":"page"},{"location":"overview/kubernetes/#Gardener-components","page":"Kubernetes Integration","title":"Gardener components","text":"","category":"section"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"There are some Gardener resources that need be reconciled when you act as a cloud provider for the Gardener. This section briefly describes the controllers implemented for deploying Kubernetes clusters through Gardener.","category":"page"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"If you want to learn how to deploy metal-stack with Gardener, please check out the installation section.","category":"page"},{"location":"overview/kubernetes/#gardener-extension-provider-metal","page":"Kubernetes Integration","title":"gardener-extension-provider-metal","text":"","category":"section"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"The gardener-extension-provider-metal contains of a set of webhooks and controllers for reconciling or mutating Gardener-specific resources.","category":"page"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"The project also contains a validator for metal-type Gardener resources, which you should also deploy in case you want to use metal-stack in combination with Gardener.","category":"page"},{"location":"overview/kubernetes/#os-metal-extension","page":"Kubernetes Integration","title":"os-metal-extension","text":"","category":"section"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"Due to the reason we use ignition in our operating system images for userdata, we had to provide an own extension controller for metal-stack, which you can find at Github in the os-metal-extension repository.","category":"page"},{"location":"overview/kubernetes/#machine-controller-manager-provider-metal","page":"Kubernetes Integration","title":"machine-controller-manager-provider-metal","text":"","category":"section"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"Worker nodes are managed through Gardener's machine-controller-manager (MCM). The MCM allows out-of-tree provider implementation via sidecar, which is what we implemented in the machine-controller-manager-provider-metal repository.","category":"page"},{"location":"external/metalctl/docs/metalctl_network_apply/#metalctl-network-apply","page":"metalctl network apply","title":"metalctl network apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_apply/","page":"metalctl network apply","title":"metalctl network apply","text":"applies one or more networks from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_network_apply/","page":"metalctl network apply","title":"metalctl network apply","text":"metalctl network apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_apply/#Options","page":"metalctl network apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_apply/","page":"metalctl network apply","title":"metalctl network apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl network describe network-1 -o yaml > network.yaml\n $ vi network.yaml\n $ # either via stdin\n $ cat network.yaml | metalctl network apply -f -\n $ # or via file\n $ metalctl network apply -f network.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_network_apply/#Options-inherited-from-parent-commands","page":"metalctl network apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_apply/","page":"metalctl network apply","title":"metalctl network apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_apply/#SEE-ALSO","page":"metalctl network apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_apply/","page":"metalctl network apply","title":"metalctl network apply","text":"metalctl network\t - manage network entities","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_update/#metalctl-switch-update","page":"metalctl switch update","title":"metalctl switch update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_update/","page":"metalctl switch update","title":"metalctl switch update","text":"updates the switch","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_update/","page":"metalctl switch update","title":"metalctl switch update","text":"metalctl switch update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_update/#Options","page":"metalctl switch update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_update/","page":"metalctl switch update","title":"metalctl switch update","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl switch describe switch-1 -o yaml > switch.yaml\n $ vi switch.yaml\n $ # either via stdin\n $ cat switch.yaml | metalctl switch update -f -\n $ # or via file\n $ metalctl switch update -f switch.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_update/#Options-inherited-from-parent-commands","page":"metalctl switch update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_update/","page":"metalctl switch update","title":"metalctl switch update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_update/#SEE-ALSO","page":"metalctl switch update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_update/","page":"metalctl switch update","title":"metalctl switch update","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"external/metalctl/docs/metalctl_context/#metalctl-context","page":"metalctl context","title":"metalctl context","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_context/","page":"metalctl context","title":"metalctl context","text":"manage metalctl context","category":"page"},{"location":"external/metalctl/docs/metalctl_context/#Synopsis","page":"metalctl context","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_context/","page":"metalctl context","title":"metalctl context","text":"context defines the backend to which metalctl talks to. You can switch back and forth with \"-\"","category":"page"},{"location":"external/metalctl/docs/metalctl_context/","page":"metalctl context","title":"metalctl context","text":"metalctl context [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_context/#Examples","page":"metalctl context","title":"Examples","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_context/","page":"metalctl context","title":"metalctl context","text":"\n~/.metalctl/config.yaml\n---\ncurrent: prod\ncontexts:\n prod:\n url: https://api.metal-stack.io/metal\n issuer_url: https://dex.metal-stack.io/dex\n client_id: metal_client\n client_secret: 456\n dev:\n url: https://api.metal-stack.dev/metal\n issuer_url: https://dex.metal-stack.dev/dex\n client_id: metal_client\n client_secret: 123\n...\n","category":"page"},{"location":"external/metalctl/docs/metalctl_context/#Options","page":"metalctl context","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_context/","page":"metalctl context","title":"metalctl context","text":" -h, --help help for context","category":"page"},{"location":"external/metalctl/docs/metalctl_context/#Options-inherited-from-parent-commands","page":"metalctl context","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_context/","page":"metalctl context","title":"metalctl context","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_context/#SEE-ALSO","page":"metalctl context","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_context/","page":"metalctl context","title":"metalctl context","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl context short\t - only show the default context name","category":"page"},{"location":"overview/storage/#Storage","page":"Storage","title":"Storage","text":"","category":"section"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"When working with bare-metal servers, providing cloud storage is a challenge. With physical machines there is no opportunity that a hypervisor can mount storage devices into the servers and thus, we have to implement other mechanisms that are capable of dynamically mounting storage onto the machines.","category":"page"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"In the meantime, we have started to integrate third-party solutions into our metal-stack landscape. They help us to provide modern, well-integrated and scalable storage solutions to our end-users.","category":"page"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"Pages = [\"persistent_storage.md\"]\nDepth = 5","category":"page"},{"location":"overview/storage/#Lightbits-Labs-NVMe-over-TCP-Storage-Integration","page":"Storage","title":"Lightbits Labs NVMe over TCP Storage Integration","text":"","category":"section"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"Lightbits Labs offers a proprietary implementation of persistent storage using NVMe over TCP. The solution has some very superior traits that fit very well to metal-stack. The strongest advantages are:","category":"page"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"High performance\nBuilt-in multi-tenant capabilities\nConfigurable compression and replication factors","category":"page"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"We are maintaining an open source integration for running LightOS in our Gardener cluster provisioning. You can enable it through the controller registration of the gardener-extension-provider-metal.","category":"page"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"With the integration in place, the extension-provider deploys a duros-controller along with a Duros Storage CRD into the seed's shoot namespace. The duros-controller takes care of creating projects and managing credentials at the Lightbits Duros API. It also provides storage classes as configured in the extension-provider's controller registration to the customer's shoot cluster such that users can start consuming the Lightbits storage immediately.","category":"page"},{"location":"overview/storage/#Simple-Node-Local-Storage-with-csi-driver-lvm","page":"Storage","title":"Simple Node Local Storage with csi-driver-lvm","text":"","category":"section"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"If you wish to quickly start off with cluster provisioning without caring so much about complex cloud storage solutions, we recommend using a small storage driver we wrote called csi-driver-lvm. It provides a storage class that manages node-local storage through LVM.","category":"page"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"A definition of a PVC can look like this:","category":"page"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"apiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n name: csi-pvc\nspec:\n accessModes:\n - ReadWriteOnce\n resources:\n requests:\n storage: 100Mi\n storageClassName: csi-lvm-sc-linear","category":"page"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"The solution does not provide cloud-storage or whatsoever, but it improves the user's accessibility of local storage on bare-metal machines through Kubernetes. Check out the driver's documentation here.","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_edit/#metalctl-partition-edit","page":"metalctl partition edit","title":"metalctl partition edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_edit/","page":"metalctl partition edit","title":"metalctl partition edit","text":"edit the partition through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_edit/","page":"metalctl partition edit","title":"metalctl partition edit","text":"metalctl partition edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_edit/#Options","page":"metalctl partition edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_edit/","page":"metalctl partition edit","title":"metalctl partition edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_edit/#Options-inherited-from-parent-commands","page":"metalctl partition edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_edit/","page":"metalctl partition edit","title":"metalctl partition edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_edit/#SEE-ALSO","page":"metalctl partition edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_edit/","page":"metalctl partition edit","title":"metalctl partition edit","text":"metalctl partition\t - manage partition entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify/#metalctl-machine-identify","page":"metalctl machine identify","title":"metalctl machine identify","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify/","page":"metalctl machine identify","title":"metalctl machine identify","text":"manage machine chassis identify LED power","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify/#Options","page":"metalctl machine identify","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify/","page":"metalctl machine identify","title":"metalctl machine identify","text":" -h, --help help for identify","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify/#Options-inherited-from-parent-commands","page":"metalctl machine identify","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify/","page":"metalctl machine identify","title":"metalctl machine identify","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify/#SEE-ALSO","page":"metalctl machine identify","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify/","page":"metalctl machine identify","title":"metalctl machine identify","text":"metalctl machine\t - manage machine entities\nmetalctl machine identify off\t - power off the machine chassis identify LED\nmetalctl machine identify on\t - power on the machine chassis identify LED","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_create/#metalctl-partition-create","page":"metalctl partition create","title":"metalctl partition create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_create/","page":"metalctl partition create","title":"metalctl partition create","text":"creates the partition","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_create/","page":"metalctl partition create","title":"metalctl partition create","text":"metalctl partition create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_create/#Options","page":"metalctl partition create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_create/","page":"metalctl partition create","title":"metalctl partition create","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n --cmdline string kernel commandline for the metal-hammer in the partition. [required]\n -d, --description string Description of the partition. [required]\n --dnsservers string dns servers for the machines and firewalls in the partition. [optional]\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl partition describe partition-1 -o yaml > partition.yaml\n $ vi partition.yaml\n $ # either via stdin\n $ cat partition.yaml | metalctl partition create -f -\n $ # or via file\n $ metalctl partition create -f partition.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for create\n --id string ID of the partition. [required]\n --imageurl string initrd for the metal-hammer in the partition. [required]\n --kernelurl string kernel url for the metal-hammer in the partition. [required]\n --mgmtserver string management server address in the partition. [required]\n -n, --name string Name of the partition. [optional]\n --ntpservers string ntp servers for the machines and firewalls in the partition. [optional]\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_create/#Options-inherited-from-parent-commands","page":"metalctl partition create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_create/","page":"metalctl partition create","title":"metalctl partition create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_create/#SEE-ALSO","page":"metalctl partition create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_create/","page":"metalctl partition create","title":"metalctl partition create","text":"metalctl partition\t - manage partition entities","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout/#metalctl-filesystemlayout","page":"metalctl filesystemlayout","title":"metalctl filesystemlayout","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout/","page":"metalctl filesystemlayout","title":"metalctl filesystemlayout","text":"manage filesystemlayout entities","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout/#Synopsis","page":"metalctl filesystemlayout","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout/","page":"metalctl filesystemlayout","title":"metalctl filesystemlayout","text":"a filesystemlayout is a specification how the disks in a machine are partitioned, formatted and mounted.","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout/#Options","page":"metalctl filesystemlayout","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout/","page":"metalctl filesystemlayout","title":"metalctl filesystemlayout","text":" -h, --help help for filesystemlayout","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout/#Options-inherited-from-parent-commands","page":"metalctl filesystemlayout","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout/","page":"metalctl filesystemlayout","title":"metalctl filesystemlayout","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout/#SEE-ALSO","page":"metalctl filesystemlayout","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout/","page":"metalctl filesystemlayout","title":"metalctl filesystemlayout","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl filesystemlayout apply\t - applies one or more filesystemlayouts from a given file\nmetalctl filesystemlayout create\t - creates the filesystemlayout\nmetalctl filesystemlayout delete\t - deletes the filesystemlayout\nmetalctl filesystemlayout describe\t - describes the filesystemlayout\nmetalctl filesystemlayout edit\t - edit the filesystemlayout through an editor and update\nmetalctl filesystemlayout list\t - list all filesystemlayouts\nmetalctl filesystemlayout match\t - check if a machine satisfies all disk requirements of a given filesystemlayout\nmetalctl filesystemlayout try\t - try to detect a filesystem by given size and image\nmetalctl filesystemlayout update\t - updates the filesystemlayout","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_apply/#metalctl-size-imageconstraint-apply","page":"metalctl size imageconstraint apply","title":"metalctl size imageconstraint apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_apply/","page":"metalctl size imageconstraint apply","title":"metalctl size imageconstraint apply","text":"applies one or more imageconstraints from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_apply/","page":"metalctl size imageconstraint apply","title":"metalctl size imageconstraint apply","text":"metalctl size imageconstraint apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_apply/#Options","page":"metalctl size imageconstraint apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_apply/","page":"metalctl size imageconstraint apply","title":"metalctl size imageconstraint apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl imageconstraint describe imageconstraint-1 -o yaml > imageconstraint.yaml\n $ vi imageconstraint.yaml\n $ # either via stdin\n $ cat imageconstraint.yaml | metalctl imageconstraint apply -f -\n $ # or via file\n $ metalctl imageconstraint apply -f imageconstraint.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_apply/#Options-inherited-from-parent-commands","page":"metalctl size imageconstraint apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_apply/","page":"metalctl size imageconstraint apply","title":"metalctl size imageconstraint apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_apply/#SEE-ALSO","page":"metalctl size imageconstraint apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_apply/","page":"metalctl size imageconstraint apply","title":"metalctl size imageconstraint apply","text":"metalctl size imageconstraint\t - manage imageconstraint entities","category":"page"},{"location":"external/metalctl/docs/metalctl/#metalctl","page":"metalctl","title":"metalctl","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl/","page":"metalctl","title":"metalctl","text":"a cli to manage entities in the metal-stack api","category":"page"},{"location":"external/metalctl/docs/metalctl/#Options","page":"metalctl","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl/","page":"metalctl","title":"metalctl","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n -h, --help help for metalctl\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl/#SEE-ALSO","page":"metalctl","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl/","page":"metalctl","title":"metalctl","text":"metalctl audit\t - manage audit trace entities\nmetalctl completion\t - Generate the autocompletion script for the specified shell\nmetalctl context\t - manage metalctl context\nmetalctl filesystemlayout\t - manage filesystemlayout entities\nmetalctl firewall\t - manage firewall entities\nmetalctl firmware\t - manage firmwares\nmetalctl health\t - shows the server health\nmetalctl image\t - manage image entities\nmetalctl login\t - login user and receive token\nmetalctl logout\t - logout user from OIDC SSO session\nmetalctl machine\t - manage machine entities\nmetalctl markdown\t - create markdown documentation\nmetalctl network\t - manage network entities\nmetalctl partition\t - manage partition entities\nmetalctl project\t - manage project entities\nmetalctl size\t - manage size entities\nmetalctl switch\t - manage switch entities\nmetalctl tenant\t - manage tenant entities\nmetalctl update\t - update the program\nmetalctl version\t - print the client and server version information\nmetalctl vpn\t - access VPN\nmetalctl whoami\t - shows current user","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_delete/#metalctl-size-reservation-delete","page":"metalctl size reservation delete","title":"metalctl size reservation delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_delete/","page":"metalctl size reservation delete","title":"metalctl size reservation delete","text":"deletes the reservation","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_delete/","page":"metalctl size reservation delete","title":"metalctl size reservation delete","text":"metalctl size reservation delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_delete/#Options","page":"metalctl size reservation delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_delete/","page":"metalctl size reservation delete","title":"metalctl size reservation delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl reservation describe reservation-1 -o yaml > reservation.yaml\n $ vi reservation.yaml\n $ # either via stdin\n $ cat reservation.yaml | metalctl reservation delete -f -\n $ # or via file\n $ metalctl reservation delete -f reservation.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_delete/#Options-inherited-from-parent-commands","page":"metalctl size reservation delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_delete/","page":"metalctl size reservation delete","title":"metalctl size reservation delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_delete/#SEE-ALSO","page":"metalctl size reservation delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_delete/","page":"metalctl size reservation delete","title":"metalctl size reservation delete","text":"metalctl size reservation\t - manage reservation entities","category":"page"},{"location":"overview/architecture/#Architecture","page":"Architecture","title":"Architecture","text":"","category":"section"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"The metal-stack is a compound of microservices predominantly written in Golang.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"This page gives you an overview over which microservices exist, how they communicate with each other and where they are deployed.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Pages = [\"architecture.md\"]\nDepth = 5","category":"page"},{"location":"overview/architecture/#Target-Deployment-Platforms","page":"Architecture","title":"Target Deployment Platforms","text":"","category":"section"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"For our environments, we chose to deploy the metal-stack into a Kubernetes cluster. This means that also our entire installation was developed for metal-stack being run on Kubernetes. Running applications on Kubernetes gives you a lot of benefits regarding ease-of-deployment, scalability, reliability and so on.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"However, very early we decided that we do not want to depend on technical Kubernetes functionality with our software (i.e. we did not implement the stack \"kube-native\" by using controllers and Kubernetes CRDs and things like that). With the following paragraph we want to point out the reasoning behind this \"philosophical\" decision that may sound conservative at first glance. But not relying on Kubernetes technology:","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Makes deployments of the stack without Kubernetes theoretically possible.\nWe believe that cloud providers should be able to act beneath Kubernetes\nThis way it is possible to use metal-stack for providing your own Kubernetes offering without relying on Kubernetes yourself (breaks the chicken-egg problem)\nFollows an important claim in microservice development: \"Be agnostic to your choice of technology\"\nFor applications that are purely made for being run on Kubernetes, it does not matter to rely on this technology (we even do the same a lot with our applications that integrate the metal-stack with Gardener) but as soon as you start using things like the underlying reconciliation abilities (which admittedly are fanstatic) you are locking your code into a certain technology\nWe don't know what comes after Kubernetes but we believe that a cloud offering should have the potential to survive a choice of technology\nBy this decision we ensured that we can migrate the stack to another future technology and survive the change","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"One more word towards determining the location for your metal control plane: It is not strictly required to run the control plane inside the same data center as your servers. It even makes sense not to do so because this way you can place your control plane and your servers into a different failure domains, which makes your installation more robust to data center meltdown. Externally hosting the control plane brings you up and running quickly plus having the advantage of higher security through geo-distribution.","category":"page"},{"location":"overview/architecture/#Metal-Control-Plane","page":"Architecture","title":"Metal Control Plane","text":"","category":"section"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"The foundation of the metal-stack is what we call the metal control plane.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"The control plane contains a couple of essential microservices for the metal-stack including:","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"metal-api The API to manage control plane resources like machines, switches, operating system images, machine sizes, networks, IP addresses and more. The exposed API is an old-fashioned REST API with different authentication methods. The metal-api stores the state of these entities in a RethinkDB database. The metal-api also has its own IP address management (go-ipam), which writes IP address and network allocations into a PostgreSQL backend.\nmasterdata-api Manages tenant and project entities, which can be described as entities used for company-specific resource separation and grouping. Having these \"higher level entities\" managed by a separate microservice was a design choice that allows to re-use the information by other microservices without having them to know the metal-api at all. The masterdata gets persisted in a dedicated PostgreSQL database.\nmetal-console Provides access for users to a machine's serial console via SSH. It can be seen as an optional component.\nnsq A message queuing system (not developed by the metal-stack) used for decoupling microservices and distributing tasks.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"The following figure shows the relationships between these microservices:","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"(Image: Metal Control Plane)","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Figure 1: The metal control plane deployed in a Kubernetes environment with an ingress-controller exposing additional services via service exposal.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Some notes on this picture:","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Users can access the metal-api with the CLI client called metalctl.\nYou can programmatically access the metal-api with client libraries (e.g. metal-go).\nOur databases are wrapped in a specially built backup-restore-sidecar, which is consistently backing up the databases in external blob storage.\nThe metal-api can be scaled out using replicas when being deployed in Kubernetes.","category":"page"},{"location":"overview/architecture/#Partitions","page":"Architecture","title":"Partitions","text":"","category":"section"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"A partition is our term for describing hardware in the data center controlled by the metal-stack with all the hardware participating in the same network topology. Being in the same network topology causes the hardware inside a partition to build a failure domain. Even though the network topology for running the metal-stack is required to be redundant by design, you should consider setting up multiple partitions. With multiple partitions it is possible for users to maintain availability of their applications by spreading them across the partitions. Installing partitions in multiple data centers would be even better in regards of fail-safe application performance, which would even tolerate the meltdown of a data center.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"tip: Tip\nIn our setups, we encode the name of a region and a zone name into our partition names. However, we do not have dedicated entities for regions and zones in our APIs.A region is a geographic area in which data centers are located.Zones are geographic locations in a region usually in different fire compartments. Regions can consist of several zones.A zone can consist of several partitions. Usually, a partition spans a rack or a group of racks.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"We strongly advise to group your hardware into racks that are specifically assembled for running metal-stack. When using modular rack design, the amount of compute resources of a partition can easily be extended by adding more racks to your partition.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"info: Info\nThe hardware that we currently support to be placed inside a partition is described in the hardware document.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"info: Info\nHow large you can grow your partitions and how the network topology inside a partition looks like is described in the networking document.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"The metal-stack has microservices running on the leaf switches in a partition. For this reason, your leaf switches are required to run a Linux distribution that you have full access to. Additionally, there are a servers not added to the pool of user-allocatable machines, which are instead required for running metal-stack and we call them management servers. We also call the entirety of switches inside a partition the switch plane.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"The microservices running inside a partition are:","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"metal-hammer (runs on a server when not allocated by user, often referred to as discovery image) An initrd, which is booted up in PXE mode, preparing and registering a machine. When a user allocates a machine, the metal-hammer will install the target operating system on this machine and kexec into the new operating system kernel.\nmetal-core (runs on leaf switches) Dynamically configures the leaf switch from information provided by the metal-api. It also proxies requests from the metal-hammer to the metal-api including publishment of machine lifecycle events and machine registration requests.\npixiecore (preferably runs on management servers, forked by metal-stack) Provides the capability of PXE booting servers in the PXE boot network.\nmetal-bmc (runs on management servers) Reports the ip addresses that are leased to ipmi devices together with their machine uuids to the metal-api. This provides machine discovery in the partition machines and keeps all IPMI interface access data up-to-date. Also forwards metal-console requests to the actual machine, allowing user access to the machine's serial console. Furthermore it processes firmware updates and power on/off, led on/off, boot order changes.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"(Image: Partition)","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Figure 2: Simplified illustration of services running inside a partition.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Some notes on this picture:","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"This figure is slightly simplified. The switch plane consists of spine switches, exit routers, management firewalls and a bastion router with more software components deployed on these entities. Please refer to the networking document to see the full overview over the switch plane.\nThe image-cache is an optional component consisting of multiple services to allow caching images from the public image store inside a partition. This brings increased download performance on machine allocation and increases independence of a partition on the internet connection.","category":"page"},{"location":"overview/architecture/#Complete-View","page":"Architecture","title":"Complete View","text":"","category":"section"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"The following figure shows several partitions connected to a single metal control plane. Of course, it is also possible to have multiple metal control planes, which can be useful for staging.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"(Image: metal-stack)","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Figure 3: Reduced view on the communication between the metal control plane and multiple partitions.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Some notes on this picture:","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"By design, a partition only has very few ports open for incoming-connections from the internet. This contributes to a smaller attack surface and higher security of your infrastructure.\nWith the help of NSQ, it is not required to have connections from the metal control plane to the metal-core. The metal-core instances register at the message bus and can then consume partition-specific topics, e.g. when a machine deletion gets issued by a user.","category":"page"},{"location":"overview/architecture/#Machine-Provisioning-Sequence","page":"Architecture","title":"Machine Provisioning Sequence","text":"","category":"section"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"The following sequence diagram illustrates some of the main principles of the machine provisioning lifecycle.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"(Image: provisioning sequence)","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Figure 4: Sequence diagram of the machine provisioning sequence.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Here is a video showing a screen capture of a machine's serial console while running the metal-hammer in \"wait mode\". Then, a user allocates the machine and the metal-hammer installs the target operating system and the machine boots into the new operating system kernel via the kexec system call.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"
    \n\n
    ","category":"page"},{"location":"overview/architecture/#Offline-Resilience","page":"Architecture","title":"Offline Resilience","text":"","category":"section"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"It is possible to use metal-stack without any external network dependencies by integrating your own DNS and NTP configuration into the stack. This feature is great for workloads requiring strong independence and reliability. Even in case of an internet connection failure, your infrastructure remains operational. Existing machines do not encounter any downtime as well as new machines can be provisioned. All you need to have in place is a DNS and NTP server configured and accessible for metal-stack.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"NTP servers need to be configured on the pixiecore and the metal-hammer microservices. This can be achieved by providing a list of NTP servers with the following Ansible variable through metal-roles:","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"pixiecore_metal_hammer_ntp_servers: []","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"In the background, the pixiecore is taking the NTP servers and passing it via the MetalConfig to the metal-hammer. When booting bare-metal servers, the metal-hammer needs to configure NTP servers. It recognises the ones from the MetalConfig and configures itself accordingly. If no NTP servers are passed along, the following standard servers are used:","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"0.de.pool.ntp.org\n1.de.pool.ntp.org\n2.de.pool.ntp.org","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Moreover, machine and firewall images need to be configured with your custom DNS and NTP servers. The customisation can be made via the fields ntp_servers an dns_servers and specifying a list of servers in the creation request for the machine or firewall.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Within a partition default values for DNS and NTP servers can be configured. They are applied to all machines and firewalls within this partition, but can be replaced by specifying different ones inside the machine allocation request.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Thus, for creating a partition as well as a machine or a firewall, the flags dnsservers and ntpservers can be provided within the metalctl command.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"In order to be fully offline resilient, make sure to check out metal-image-cache-sync. This component provides copies of metal-images, metal-kernel and metal-hammer.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"This feature is related to MEP14.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/#metalctl-machine-update-firmware-bios","page":"metalctl machine update-firmware bios","title":"metalctl machine update-firmware bios","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/","page":"metalctl machine update-firmware bios","title":"metalctl machine update-firmware bios","text":"update a machine BIOS","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/#Synopsis","page":"metalctl machine update-firmware bios","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/","page":"metalctl machine update-firmware bios","title":"metalctl machine update-firmware bios","text":"the machine BIOS will be updated to given revision. If revision flag is not specified an update plan will be printed instead.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/","page":"metalctl machine update-firmware bios","title":"metalctl machine update-firmware bios","text":"metalctl machine update-firmware bios [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/#Options","page":"metalctl machine update-firmware bios","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/","page":"metalctl machine update-firmware bios","title":"metalctl machine update-firmware bios","text":" --description string the reason why the BIOS should be updated\n -h, --help help for bios\n --revision string the BIOS revision","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/#Options-inherited-from-parent-commands","page":"metalctl machine update-firmware bios","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/","page":"metalctl machine update-firmware bios","title":"metalctl machine update-firmware bios","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/#SEE-ALSO","page":"metalctl machine update-firmware bios","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/","page":"metalctl machine update-firmware bios","title":"metalctl machine update-firmware bios","text":"metalctl machine update-firmware\t - update a machine firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_delete/#metalctl-switch-delete","page":"metalctl switch delete","title":"metalctl switch delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_delete/","page":"metalctl switch delete","title":"metalctl switch delete","text":"deletes the switch","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_delete/","page":"metalctl switch delete","title":"metalctl switch delete","text":"metalctl switch delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_delete/#Options","page":"metalctl switch delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_delete/","page":"metalctl switch delete","title":"metalctl switch delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl switch describe switch-1 -o yaml > switch.yaml\n $ vi switch.yaml\n $ # either via stdin\n $ cat switch.yaml | metalctl switch delete -f -\n $ # or via file\n $ metalctl switch delete -f switch.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n --force forcefully delete the switch accepting the risk that it still has machines connected to it\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_delete/#Options-inherited-from-parent-commands","page":"metalctl switch delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_delete/","page":"metalctl switch delete","title":"metalctl switch delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_delete/#SEE-ALSO","page":"metalctl switch delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_delete/","page":"metalctl switch delete","title":"metalctl switch delete","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_create/#metalctl-size-imageconstraint-create","page":"metalctl size imageconstraint create","title":"metalctl size imageconstraint create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_create/","page":"metalctl size imageconstraint create","title":"metalctl size imageconstraint create","text":"creates the imageconstraint","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_create/","page":"metalctl size imageconstraint create","title":"metalctl size imageconstraint create","text":"metalctl size imageconstraint create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_create/#Options","page":"metalctl size imageconstraint create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_create/","page":"metalctl size imageconstraint create","title":"metalctl size imageconstraint create","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl imageconstraint describe imageconstraint-1 -o yaml > imageconstraint.yaml\n $ vi imageconstraint.yaml\n $ # either via stdin\n $ cat imageconstraint.yaml | metalctl imageconstraint create -f -\n $ # or via file\n $ metalctl imageconstraint create -f imageconstraint.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for create\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_create/#Options-inherited-from-parent-commands","page":"metalctl size imageconstraint create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_create/","page":"metalctl size imageconstraint create","title":"metalctl size imageconstraint create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_create/#SEE-ALSO","page":"metalctl size imageconstraint create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_create/","page":"metalctl size imageconstraint create","title":"metalctl size imageconstraint create","text":"metalctl size imageconstraint\t - manage imageconstraint entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_issues/#metalctl-network-ip-issues","page":"metalctl network ip issues","title":"metalctl network ip issues","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_issues/","page":"metalctl network ip issues","title":"metalctl network ip issues","text":"display ips which are in a potential bad state","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_issues/","page":"metalctl network ip issues","title":"metalctl network ip issues","text":"metalctl network ip issues [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_issues/#Options","page":"metalctl network ip issues","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_issues/","page":"metalctl network ip issues","title":"metalctl network ip issues","text":" -h, --help help for issues","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_issues/#Options-inherited-from-parent-commands","page":"metalctl network ip issues","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_issues/","page":"metalctl network ip issues","title":"metalctl network ip issues","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_issues/#SEE-ALSO","page":"metalctl network ip issues","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_issues/","page":"metalctl network ip issues","title":"metalctl network ip issues","text":"metalctl network ip\t - manage ip entities","category":"page"},{"location":"external/metalctl/docs/metalctl_version/#metalctl-version","page":"metalctl version","title":"metalctl version","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_version/","page":"metalctl version","title":"metalctl version","text":"print the client and server version information","category":"page"},{"location":"external/metalctl/docs/metalctl_version/","page":"metalctl version","title":"metalctl version","text":"metalctl version [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_version/#Options","page":"metalctl version","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_version/","page":"metalctl version","title":"metalctl version","text":" -h, --help help for version","category":"page"},{"location":"external/metalctl/docs/metalctl_version/#Options-inherited-from-parent-commands","page":"metalctl version","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_version/","page":"metalctl version","title":"metalctl version","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_version/#SEE-ALSO","page":"metalctl version","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_version/","page":"metalctl version","title":"metalctl version","text":"metalctl\t - a cli to manage entities in the metal-stack api","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_edit/#metalctl-tenant-edit","page":"metalctl tenant edit","title":"metalctl tenant edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_edit/","page":"metalctl tenant edit","title":"metalctl tenant edit","text":"edit the tenant through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_edit/","page":"metalctl tenant edit","title":"metalctl tenant edit","text":"metalctl tenant edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_edit/#Options","page":"metalctl tenant edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_edit/","page":"metalctl tenant edit","title":"metalctl tenant edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_edit/#Options-inherited-from-parent-commands","page":"metalctl tenant edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_edit/","page":"metalctl tenant edit","title":"metalctl tenant edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_edit/#SEE-ALSO","page":"metalctl tenant edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_edit/","page":"metalctl tenant edit","title":"metalctl tenant edit","text":"metalctl tenant\t - manage tenant entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_apply/#metalctl-size-apply","page":"metalctl size apply","title":"metalctl size apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_apply/","page":"metalctl size apply","title":"metalctl size apply","text":"applies one or more sizes from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_size_apply/","page":"metalctl size apply","title":"metalctl size apply","text":"metalctl size apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_apply/#Options","page":"metalctl size apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_apply/","page":"metalctl size apply","title":"metalctl size apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl size describe size-1 -o yaml > size.yaml\n $ vi size.yaml\n $ # either via stdin\n $ cat size.yaml | metalctl size apply -f -\n $ # or via file\n $ metalctl size apply -f size.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_apply/#Options-inherited-from-parent-commands","page":"metalctl size apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_apply/","page":"metalctl size apply","title":"metalctl size apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_apply/#SEE-ALSO","page":"metalctl size apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_apply/","page":"metalctl size apply","title":"metalctl size apply","text":"metalctl size\t - manage size entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_update/#metalctl-size-imageconstraint-update","page":"metalctl size imageconstraint update","title":"metalctl size imageconstraint update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_update/","page":"metalctl size imageconstraint update","title":"metalctl size imageconstraint update","text":"updates the imageconstraint","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_update/","page":"metalctl size imageconstraint update","title":"metalctl size imageconstraint update","text":"metalctl size imageconstraint update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_update/#Options","page":"metalctl size imageconstraint update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_update/","page":"metalctl size imageconstraint update","title":"metalctl size imageconstraint update","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl imageconstraint describe imageconstraint-1 -o yaml > imageconstraint.yaml\n $ vi imageconstraint.yaml\n $ # either via stdin\n $ cat imageconstraint.yaml | metalctl imageconstraint update -f -\n $ # or via file\n $ metalctl imageconstraint update -f imageconstraint.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_update/#Options-inherited-from-parent-commands","page":"metalctl size imageconstraint update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_update/","page":"metalctl size imageconstraint update","title":"metalctl size imageconstraint update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_update/#SEE-ALSO","page":"metalctl size imageconstraint update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_update/","page":"metalctl size imageconstraint update","title":"metalctl size imageconstraint update","text":"metalctl size imageconstraint\t - manage imageconstraint entities","category":"page"},{"location":"external/firewall-controller/README/#Firewall-Controller","page":"firewall-controller","title":"Firewall Controller","text":"","category":"section"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"This controller is installed on a bare-metal firewall in front of several kubernetes worker nodes and responsible to reconcile a ClusterwideNetworkPolicy to nftables rules to control access to and from the kubernetes cluster. It allows also to control the traffic rate going through, to limit network resources for restricted usage scenarios. Nftable and node metrics are exposed with the nftables-exporter and node-exporter, the ips are visible as service and endpoint from the kubernetes cluster.","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"Additional an IDS is managed on the firewall to detect known network anomalies. suricata is used for this purpose. Right now, only basic statistics about the amount of scanned packets is reported. In a future release, access to all alarms will be provided.","category":"page"},{"location":"external/firewall-controller/README/#Architecture","page":"firewall-controller","title":"Architecture","text":"","category":"section"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"(Image: Architecture)","category":"page"},{"location":"external/firewall-controller/README/#Automatically-generated-ingress-rules","page":"firewall-controller","title":"Automatically generated ingress rules","text":"","category":"section"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"For every Service of type LoadBalancer in the cluster, the corresponding ingress rules will be automatically generated.","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"If loadBalancerSourceRanges is not specified, incomig traffic to this service will be allowed for any source ip addresses.","category":"page"},{"location":"external/firewall-controller/README/#Configuration","page":"firewall-controller","title":"Configuration","text":"","category":"section"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"Firewall Controller is configured with 2 CRDs: firewalls.metal-stack.io and clusterwidenetworkpolicies.metal-stack.io. Both are namespaced and must reside in the firewall namespace. The firewalls CRD is typically written from the gardener-extension-provider-metal, the clusterwidenetworkpolicy should be provided by the deployment of your application.","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"Example Firewall CRD:","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"apiVersion: metal-stack.io/v1\nkind: Firewall\nmetadata:\n namespace: firewall\n name: firewall\nspec:\n # Interval of reconciliation if nftables rules and network traffic accounting\n interval: 10s\n # Ratelimits specify on which physical interface, which maximum rate of traffic is allowed\n ratelimits:\n # The name of the interface visible with ip link show\n - interface: vrf104009\n # The maximum rate in MBits/s\n rate: 10\n # Internalprefixes defines a list of prefixes where the traffic going to, or coming from is considered internal, e.g. not leaving into external networks\n # given the architecture picture above this would be:\n internalprefixes:\n - \"1.2.3.0/24\n - \"172.17.0.0/16\"\n - \"10.0.0.0/8\"","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"Example ClusterwideNetworkPolicy:","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"apiVersion: metal-stack.io/v1\nkind: ClusterwideNetworkPolicy\nmetadata:\n namespace: firewall\n name: clusterwidenetworkpolicy-sample\nspec:\n egress:\n - to:\n - cidr: 1.1.0.0/24\n except:\n - 1.1.1.0/16\n - cidr: 8.8.8.8/32\n ports:\n - protocol: UDP\n port: 53\n - protocol: TCP\n port: 53","category":"page"},{"location":"external/firewall-controller/README/#Status","page":"firewall-controller","title":"Status","text":"","category":"section"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"Once the firewall-controller is running, it will report several statistics to the Firewall CRD Status: This can be inspected by running:","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"kubectl describe -n firewall firewall","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"The output would look like:","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"Status:\n Last Run: 2020-06-17T13:18:58Z\n Stats:\n # Network traffic in bytes separated into external and internal in/out/total\n Devices:\n External:\n In: 91696\n Out: 34600\n Total: 0\n Internal:\n In: 0\n Out: 0\n Total: 2678671\n # IDS Statistics by interface\n Idsstats:\n vrf104009:\n Drop: 1992\n Invalidchecksums: 0\n Packets: 4997276\n # nftable rule statistics by rule name\n Rules:\n Accept:\n BGP unnumbered:\n Counter:\n Bytes: 0\n Packets: 0\n SSH incoming connections:\n Counter:\n Bytes: 936\n Packets: 16\n accept established connections:\n Counter:\n Bytes: 21211168\n Packets: 39785\n accept icmp:\n Counter:\n Bytes: 0\n Packets: 0\n accept traffic for k8s service kube-system/vpn-shoot:\n Counter:\n Bytes: 360\n Packets: 6\n Drop:\n drop invalid packets:\n Counter:\n Bytes: 52\n Packets: 1\n drop invalid packets from forwarding to prevent malicious activity:\n Counter:\n Bytes: 0\n Packets: 0\n drop invalid packets to prevent malicious activity:\n Counter:\n Bytes: 0\n Packets: 0\n drop packets with invalid ct state:\n Counter:\n Bytes: 0\n Packets: 0\n drop ping floods:\n Counter:\n Bytes: 0\n Packets: 0\n Other:\n block bgp forward to machines:\n Counter:\n Bytes: 0\n Packets: 0\n count and log dropped packets:\n Counter:\n Bytes: 2528\n Packets: 51\n snat (networkid: internet):\n Counter:\n Bytes: 36960\n Packets: 486","category":"page"},{"location":"external/firewall-controller/README/#Prometheus-integration","page":"firewall-controller","title":"Prometheus integration","text":"","category":"section"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"There are two exporters running on the firewall to report essential metrics from this machine:","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"node-exporter for machine specific metrics like cpu, ram and disk usage, see node-exporter for details.\nnftables-exporter for nftables metrics, see nftables-exporter","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"Both exporters are exposed as services:","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"kubectl get svc -n firewall\nNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE\nnftables-exporter ClusterIP None 9630/TCP 13h\nnode-exporter ClusterIP None 9100/TCP 13h","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"These services are in front of virtual endpoints:","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"kubectl get ep -n firewall\nNAME ENDPOINTS AGE\nnftables-exporter 10.3.164.1:9630 13h\nnode-exporter 10.3.164.1:9100 13h","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"You can scrape these services in you prometheus installation to get the metrics.","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"To check you can run:","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"curl nftables-exporter.firewall.svc.cluster.local:9630/metrics\ncurl node-exporter.firewall.svc.cluster.local:9100/metrics","category":"page"},{"location":"external/firewall-controller/README/#Firewall-Logs","page":"firewall-controller","title":"Firewall Logs","text":"","category":"section"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"It is also possible to tail for the dropped packets with the following command (install stern from stern ):","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"stern -n firewall drop","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"The output will look like:","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"\ndroptailer-6d556bd988-4g8gp droptailer 2020-06-17 13:23:27 +0000 UTC {\"DPT\":\"4000\",\"DST\":\"1.2.3.4\",\"ID\":\"54321\",\"IN\":\"vrf104009\",\"LEN\":\"40\",\"MAC\":\"ca:41:f9:80:fa:89:aa:bb:0e:62:8c:a6:08:00\",\"OUT\":\"vlan179\",\"PREC\":\"0x00\",\"PROTO\":\"TCP\",\"RES\":\"0x00\",\"SPT\":\"38464\",\"SRC\":\"2.3.4.5\",\"SYN\":\"\",\"TOS\":\"0x00\",\"TTL\":\"236\",\"URGP\":\"0\",\"WINDOW\":\"65535\",\"timestamp\":\"2020-06-17 13:23:27 +0000 UTC\"}\ndroptailer-6d556bd988-4g8gp droptailer 2020-06-17 13:23:34 +0000 UTC {\"DPT\":\"2362\",\"DST\":\"1.2.3.4\",\"ID\":\"44545\",\"IN\":\"vrf104009\",\"LEN\":\"40\",\"MAC\":\"ca:41:f9:80:fa:89:aa:bb:0e:62:8c:a6:08:00\",\"OUT\":\"\",\"PREC\":\"0x00\",\"PROTO\":\"TCP\",\"RES\":\"0x00\",\"SPT\":\"40194\",\"SRC\":\"2.3.4.5\",\"SYN\":\"\",\"TOS\":\"0x00\",\"TTL\":\"242\",\"URGP\":\"0\",\"WINDOW\":\"1024\",\"timestamp\":\"2020-06-17 13:23:34 +0000 UTC\"}\ndroptailer-6d556bd988-4g8gp droptailer 2020-06-17 13:23:30 +0000 UTC {\"DPT\":\"650\",\"DST\":\"1.2.3.4\",\"ID\":\"12399\",\"IN\":\"vrf104009\",\"LEN\":\"40\",\"MAC\":\"ca:41:f9:80:fa:89:aa:bb:0e:62:8c:a6:08:00\",\"OUT\":\"vlan179\",\"PREC\":\"0x00\",\"PROTO\":\"TCP\",\"RES\":\"0x00\",\"SPT\":\"40194\",\"SRC\":\"2.3.4.5\",\"SYN\":\"\",\"TOS\":\"0x00\",\"TTL\":\"241\",\"URGP\":\"0\",\"WINDOW\":\"1024\",\"timestamp\":\"2020-06-17 13:23:30 +0000 UTC\"}\ndroptailer-6d556bd988-4g8gp droptailer 2020-06-17 13:23:34 +0000 UTC {\"DPT\":\"2362\",\"DST\":\"1.2.3.4\",\"ID\":\"44545\",\"IN\":\"vrf104009\",\"LEN\":\"40\",\"MAC\":\"ca:41:f9:80:fa:89:aa:bb:0e:62:8c:a6:08:00\",\"OUT\":\"\",\"PREC\":\"0x00\",\"PROTO\":\"TCP\",\"RES\":\"0x00\",\"SPT\":\"40194\",\"SRC\":\"2.3.4.5\",\"SYN\":\"\",\"TOS\":\"0x00\",\"TTL\":\"242\",\"URGP\":\"0\",\"WINDOW\":\"1024\",\"timestamp\":\"2020-06-17 13:23:34 +0000 UTC\"}\ndroptailer-6d556bd988-4g8gp droptailer 2020-06-17 13:23:10 +0000 UTC {\"DPT\":\"63351\",\"DST\":\"1.2.3.4\",\"ID\":\"11855\",\"IN\":\"vrf104009\",\"LEN\":\"40\",\"MAC\":\"ca:41:f9:80:fa:89:aa:bb:0e:62:8c:a6:08:00\",\"OUT\":\"vlan179\",\"PREC\":\"0x00\",\"PROTO\":\"TCP\",\"RES\":\"0x00\",\"SPT\":\"54589\",\"SRC\":\"2.3.4.5\",\"SYN\":\"\",\"TOS\":\"0x00\",\"TTL\":\"245\",\"URGP\":\"0\",\"WINDOW\":\"1024\",\"timestamp\":\"2020-06-17 13:23:10 +0000 UTC\"}\ndroptailer-6d556bd988-4g8gp droptailer 2020-06-17 13:23:51 +0000 UTC {\"DPT\":\"8002\",\"DST\":\"1.2.3.4\",\"ID\":\"17539\",\"IN\":\"vrf104009\",\"LEN\":\"40\",\"MAC\":\"ca:41:f9:80:fa:89:aa:bb:0e:62:8c:a6:08:00\",\"OUT\":\"\",\"PREC\":\"0x00\",\"PROTO\":\"TCP\",\"RES\":\"0x00\",\"SPT\":\"47615\",\"SRC\":\"2.3.4.5\",\"SYN\":\"\",\"TOS\":\"0x08\",\"TTL\":\"239\",\"URGP\":\"0\",\"WINDOW\":\"1024\",\"timestamp\":\"2020-06-17 13:23:51 +0000 UTC\"}","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"You can forward the droptailer logs to any log aggregation infrastructure you have in place.","category":"page"},{"location":"external/firewall-controller/README/#Page-Tree","page":"firewall-controller","title":"Page Tree","text":"","category":"section"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"Pages = vcat([[joinpath(root, file)[length(@__DIR__)+2:end] for file in files] for (root, dirs, files) in walkdir(@__DIR__)]...)","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_list/#metalctl-tenant-list","page":"metalctl tenant list","title":"metalctl tenant list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_list/","page":"metalctl tenant list","title":"metalctl tenant list","text":"list all tenants","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_list/","page":"metalctl tenant list","title":"metalctl tenant list","text":"metalctl tenant list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_list/#Options","page":"metalctl tenant list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_list/","page":"metalctl tenant list","title":"metalctl tenant list","text":" --annotations strings annotations\n -h, --help help for list\n --id string ID of the tenant.\n --name string Name of the tenant.\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: description|id|name","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_list/#Options-inherited-from-parent-commands","page":"metalctl tenant list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_list/","page":"metalctl tenant list","title":"metalctl tenant list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_list/#SEE-ALSO","page":"metalctl tenant list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_list/","page":"metalctl tenant list","title":"metalctl tenant list","text":"metalctl tenant\t - manage tenant entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine/#metalctl-machine","page":"metalctl machine","title":"metalctl machine","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine/","page":"metalctl machine","title":"metalctl machine","text":"manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine/#Synopsis","page":"metalctl machine","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine/","page":"metalctl machine","title":"metalctl machine","text":"a machine is a bare metal server provisioned through metal-stack that is intended to run user workload.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine/#Options","page":"metalctl machine","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine/","page":"metalctl machine","title":"metalctl machine","text":" -h, --help help for machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine/#Options-inherited-from-parent-commands","page":"metalctl machine","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine/","page":"metalctl machine","title":"metalctl machine","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine/#SEE-ALSO","page":"metalctl machine","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine/","page":"metalctl machine","title":"metalctl machine","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl machine apply\t - applies one or more machines from a given file\nmetalctl machine console\t - console access to a machine\nmetalctl machine consolepassword\t - fetch the consolepassword for a machine\nmetalctl machine create\t - creates the machine\nmetalctl machine delete\t - deletes the machine\nmetalctl machine describe\t - describes the machine\nmetalctl machine edit\t - edit the machine through an editor and update\nmetalctl machine identify\t - manage machine chassis identify LED power\nmetalctl machine ipmi\t - display ipmi details of the machine, if no machine ID is given all ipmi addresses are returned.\nmetalctl machine issues\t - display machines which are in a potential bad state\nmetalctl machine list\t - list all machines\nmetalctl machine lock\t - lock a machine\nmetalctl machine logs\t - display machine provisioning logs\nmetalctl machine power\t - manage machine power\nmetalctl machine reinstall\t - reinstalls an already allocated machine\nmetalctl machine reserve\t - reserve a machine\nmetalctl machine update\t - updates the machine\nmetalctl machine update-firmware\t - update a machine firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_describe/#metalctl-machine-describe","page":"metalctl machine describe","title":"metalctl machine describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_describe/","page":"metalctl machine describe","title":"metalctl machine describe","text":"describes the machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_describe/","page":"metalctl machine describe","title":"metalctl machine describe","text":"metalctl machine describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_describe/#Options","page":"metalctl machine describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_describe/","page":"metalctl machine describe","title":"metalctl machine describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_describe/#Options-inherited-from-parent-commands","page":"metalctl machine describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_describe/","page":"metalctl machine describe","title":"metalctl machine describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_describe/#SEE-ALSO","page":"metalctl machine describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_describe/","page":"metalctl machine describe","title":"metalctl machine describe","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"installation/deployment/#Deploying-metal-stack","page":"Installation","title":"Deploying metal-stack","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"We are bootstrapping the metal control plane as well as our partitions with Ansible through CI.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"In order to build up your deployment, we recommend to make use of the same Ansible roles that we are using by ourselves in order to deploy the metal-stack. You can find them in the repository called metal-roles.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"In order to wrap up deployment dependencies there is a special deployment base image hosted on GitHub that you can use for running the deployment. Using this Docker image eliminates a lot of moving parts in the deployment and should keep the footprints on your system fairly small and maintainable.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"This document will from now on assume that you want to use our Ansible deployment roles for setting up metal-stack. We will also use the deployment base image, so you should also have Docker installed. It is in the nature of software deployments to differ from site to site, company to company, user to user. Therefore, we can only describe you the way of how the deployment works for us. It is up to you to tweak the deployment described in this document to your requirements.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Pages = [\"deployment.md\"]\nDepth = 5","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"warning: Warning\nProbably you need to learn writing Ansible playbooks if you want to be able to deploy the metal-stack as presented in this documentation. However, even when starting without any knowledge about Ansible it should be possible to follow these docs. In case you need further explanations regarding Ansible please refer to docs.ansible.com.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"info: Info\nIf you do not want to use Ansible for deployment, you need to come up with a deployment mechanism by yourself. However, you will probably be able to re-use some of our contents from our metal-roles repository, e.g. the Helm chart for deploying the metal control plane.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"tip: Tip\nYou can use the mini-lab as a template project for your own deployment. It uses the same approach as described in this document.","category":"page"},{"location":"installation/deployment/#Metal-Control-Plane-Deployment","page":"Installation","title":"Metal Control Plane Deployment","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"The metal control plane is typically deployed in a Kubernetes cluster. Therefore, this document will assume that you have a Kubernetes cluster ready for getting deployed. Even though it is theoretically possible to deploy metal-stack without Kubernetes, we strongly advise you to use the described method because we believe that Kubernetes gives you a lot of benefits regarding the stability and maintainability of the application deployment.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"tip: Tip\nFor metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision here.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Let's start off with a fresh folder for your deployment:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"mkdir -p metal-stack-deployment\ncd metal-stack-deployment","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"At the end of this section we are gonna end up with the following files and folder structures:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":".\n├── ansible.cfg\n├── deploy_metal_control_plane.yaml\n├── files\n│   └── certs\n│      ├── ca-config.json\n│      ├── ca-csr.json\n│      ├── metal-api-grpc\n│      │   ├── client.json\n│      │   ├── server.json\n│      ├── masterdata-api\n│      │   ├── client.json\n│      │   ├── server.json\n│      └── roll_certs.sh\n├── inventories\n│   ├── control-plane.yaml\n│   └── group_vars\n│      ├── all\n│      │   └── images.yaml\n│      └── control-plane\n│        ├── common.yaml\n│         └── metal.yml\n├── generate_role_requirements.yaml\n└── roles\n └── ingress-controller\n └── tasks\n └── main.yaml","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"You can already define the inventories/group_vars/all/images.yaml file. It contains the metal-stack version you are gonna deploy:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"using Docs\n\nt = \"\"\"\n```yaml\n---\nmetal_stack_release_version: %s\n```\n\"\"\"\n\nmarkdownTemplate(t, releaseVersion())","category":"page"},{"location":"installation/deployment/#Releases-and-Ansible-Role-Dependencies","page":"Installation","title":"Releases and Ansible Role Dependencies","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"As metal-stack consists of many microservices all having individual versions, we have come up with a releases repository. It contains a YAML file (we often call it release vector) describing the fitting versions of all components for every release of metal-stack.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Ansible role dependencies are also part of a metal-stack release. Therefore, we will now write up a playbook, which dynamically renders a requirements.yaml file from the ansible-roles defined in the release repository. The requirements.yaml can then be used to resolve the actual role dependencies through Ansible Galaxy. Define the following playbook in generate_role_requirements.yaml:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"---\n- name: generate requirements.yaml\n hosts: control-plane\n connection: local\n gather_facts: false\n vars:\n release_vector_url: \"https://raw.githubusercontent.com/metal-stack/releases/{{ metal_stack_release_version }}/release.yaml\"\n tasks:\n - name: download release vector\n uri:\n url: \"{{ release_vector_url }}\"\n return_content: yes\n register: release_vector\n\n - name: write requirements.yaml from release vector\n copy:\n dest: \"{{ playbook_dir }}/requirements.yaml\"\n content: |\n {% for role_name, role_params in (release_vector.content | from_yaml).get('ansible-roles').items() %}\n - src: {{ role_params.get('repository') }}\n name: {{ role_name }}\n version: {{ hostvars[inventory_hostname][role_name | lower | replace('-', '_') + '_version'] | default(role_params.get('version'), true) }}\n {% endfor %}","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"This playbook will always be run before the actual metal-stack deployment and provide you with the proper versions of the Ansible role dependencies.","category":"page"},{"location":"installation/deployment/#Inventory","page":"Installation","title":"Inventory","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Then, there will be an inventory for the control plane deployment in inventories/control-plane.yaml that adds the localhost to the control-plane host group:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"---\ncontrol-plane:\n hosts:\n localhost:\n ansible_python_interpreter: \"{{ ansible_playbook_python }}\"","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"We do this since we are deploying to Kubernetes and do not need to SSH-connect to any hosts for the deployment (which is what Ansible typically does). This inventory is also necessary to pick up the variables inside inventories/group_vars/control-plane during the deployment.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"We recommend using the following ansible.cfg:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"[defaults]\nretry_files_enabled = false\nforce_color = true\nhost_key_checking = false\nstdout_callback = yaml\njinja2_native = true\ntransport = ssh\ntimeout = 30\nforce_valid_group_names = ignore\n\n[ssh_connection]\nretries=3\nssh_executable = /usr/bin/ssh","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Most of the properties in there are up to taste, but make sure you enable the Jinja2 native environment as this is needed for some of our roles in certain cases.","category":"page"},{"location":"installation/deployment/#Control-Plane-Playbook","page":"Installation","title":"Control Plane Playbook","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Next, we will define the actual deployment playbook in a file called deploy_metal_control_plane.yaml. You can start with the following lines:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"---\n- name: Deploy Control Plane\n hosts: control-plane\n connection: local\n gather_facts: no\n vars:\n setup_yaml:\n - url: https://raw.githubusercontent.com/metal-stack/releases/{{ metal_stack_release_version }}/release.yaml\n meta_var: metal_stack_release\n roles:\n - name: ansible-common\n tags: always\n - name: ingress-controller\n tags: ingress-controller\n - name: metal-roles/control-plane/roles/prepare\n tags: prepare\n - name: metal-roles/control-plane/roles/nsq\n tags: nsq\n - name: metal-roles/control-plane/roles/metal-db\n tags: metal-db\n - name: metal-roles/control-plane/roles/ipam-db\n tags: ipam-db\n - name: metal-roles/control-plane/roles/masterdata-db\n tags: masterdata-db\n - name: metal-roles/control-plane/roles/metal\n tags: metal","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Basically, this playbook does the following:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Include all the modules, filter plugins, etc. of ansible-common into the play\nDeploys an ingress-controller into your cluster\nDeploys the metal-stack by\nRunning preparation tasks\nDeploying NSQ\nDeploying the rethinkdb database for the metal-api (wrapped in a backup-restore-sidecar),\nDeploying the postgres database for go-ipam (wrapped in a backup-restore-sidecar)\nDeploying the postgres database for the masterdata-api (wrapped in a backup-restore-sidecar)\nApplying the metal control plane helm chart","category":"page"},{"location":"installation/deployment/#Setup-an-ingress-controller","page":"Installation","title":"Setup an ingress-controller","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"As a next step you have to add a task for deploying an ingress-controller into your cluster. nginx-ingress is what we use. If you want to use another ingress-controller, you need to parametrize the metal roles carefully. When you just use ingress-nginx, make sure to also deploy it to the default namespace ingress-nginx.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"This is how your roles/ingress-controller/tasks/main.yaml could look like:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"- name: Deploy ingress-controller\n include_role:\n name: ansible-common/roles/helm-chart\n vars:\n helm_repo: \"https://helm.nginx.com/stable\"\n helm_chart: nginx-ingress\n helm_release_name: nginx-ingress\n helm_target_namespace: ingress-nginx","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"tip: Tip\nThe ansible-common repository contains very general roles and modules that you can also use when extending your deployment further.","category":"page"},{"location":"installation/deployment/#Deployment-Parametrization","page":"Installation","title":"Deployment Parametrization","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Now you can parametrize the referenced roles to fit your environment. The role parametrization can be looked up in the role documentation on metal-roles/control-plane. You should not need to define a lot of variables for the beginning as most values are reasonably defaulted. You can start with the following content for group_vars/control-plane/common.yaml:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"---\nmetal_control_plane_ingress_dns: # if you do not have a DNS entry, you could also start with .nip.io","category":"page"},{"location":"installation/deployment/#Providing-Certificates","page":"Installation","title":"Providing Certificates","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"We have several components in our stack that communicate over encrypted gRPC just like Kubernetes components do.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"For the very basic setup you will need to create self-signed certificates for the communication between the following components (see architecture document):","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"metal-api and masterdata-api (in-cluster traffic communication)\nmetal-api and metal-hammer (partition to control plane communication)","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Here is a snippet for files/roll_certs.sh that you can use for generating your certificates (requires cfssl):","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"#!/usr/bin/env bash\nset -eo pipefail\n\nfor i in \"$@\"\ndo\ncase $i in\n -t=*|--target=*)\n TARGET=\"${i#*=}\"\n shift\n ;;\n *)\n echo \"unknown parameter passed: $1\"\n exit 1\n ;;\nesac\ndone\n\nif [ -z \"$TARGET\" ]; then\n echo \"generating ca cert\"\n cfssl genkey -initca ca-csr.json | cfssljson -bare ca\n rm *.csr\nfi\n\nif [ -z \"$TARGET\" ] || [ $TARGET == \"grpc\" ]; then\n pushd metal-api-grpc\n echo \"generating grpc certs\"\n cfssl gencert -ca=../ca.pem -ca-key=../ca-key.pem -config=../ca-config.json -profile=server server.json | cfssljson -bare server\n cfssl gencert -ca=../ca.pem -ca-key=../ca-key.pem -config=../ca-config.json -profile=client client.json | cfssljson -bare client\n rm *.csr\n popd\nfi\n\nif [ -z \"$TARGET\" ] || [ $TARGET == \"masterdata-api\" ]; then\n pushd masterdata-api\n echo \"generating masterdata-api certs\"\n rm -f *.pem\n cfssl gencert -ca=../ca.pem -ca-key=../ca-key.pem -config=../ca-config.json -profile=client-server server.json | cfssljson -bare server\n cfssl gencert -ca=../ca.pem -ca-key=../ca-key.pem -config=../ca-config.json -profile=client client.json | cfssljson -bare client\n rm *.csr\n popd\nfi","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Also define the following configurations for cfssl:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"files/certs/ca-config.json\n{\n \"signing\": {\n \"default\": {\n \"expiry\": \"43800h\"\n },\n \"profiles\": {\n \"server\": {\n \"expiry\": \"43800h\",\n \"usages\": [\"signing\", \"key encipherment\", \"server auth\"]\n },\n \"client\": {\n \"expiry\": \"43800h\",\n \"usages\": [\"signing\", \"key encipherment\", \"client auth\"]\n },\n \"client-server\": {\n \"expiry\": \"43800h\",\n \"usages\": [\n \"signing\",\n \"key encipherment\",\n \"client auth\",\n \"server auth\"\n ]\n }\n }\n }\n}\nfiles/certs/ca-csr.json\n{\n \"CN\": \"metal-control-plane\",\n \"hosts\": [],\n \"key\": {\n \"algo\": \"rsa\",\n \"size\": 4096\n },\n \"names\": [\n {\n \"C\": \"DE\",\n \"L\": \"Munich\",\n \"O\": \"Metal-Stack\",\n \"OU\": \"DevOps\",\n \"ST\": \"Bavaria\"\n }\n ]\n}\nfiles/certs/masterdata-api/client.json\n{\n \"CN\": \"masterdata-client\",\n \"hosts\": [\"\"],\n \"key\": {\n \"algo\": \"ecdsa\",\n \"size\": 256\n },\n \"names\": [\n {\n \"C\": \"DE\",\n \"L\": \"Munich\",\n \"O\": \"Metal-Stack\",\n \"OU\": \"DevOps\",\n \"ST\": \"Bavaria\"\n }\n ]\n}\nfiles/certs/masterdata-api/server.json\n{\n \"CN\": \"masterdata-api\",\n \"hosts\": [\n \"localhost\",\n \"masterdata-api\",\n \"masterdata-api.metal-control-plane.svc\",\n \"masterdata-api.metal-control-plane.svc.cluster.local\"\n ],\n \"key\": {\n \"algo\": \"ecdsa\",\n \"size\": 256\n },\n \"names\": [\n {\n \"C\": \"DE\",\n \"L\": \"Munich\",\n \"O\": \"Metal-Stack\",\n \"OU\": \"DevOps\",\n \"ST\": \"Bavaria\"\n }\n ]\n}\nfiles/certs/metal-api-grpc/client.json\n{\n \"CN\": \"grpc-client\",\n \"hosts\": [\"\"],\n \"key\": {\n \"algo\": \"rsa\",\n \"size\": 4096\n },\n \"names\": [\n {\n \"C\": \"DE\",\n \"L\": \"Munich\",\n \"O\": \"Metal-Stack\",\n \"OU\": \"DevOps\",\n \"ST\": \"Bavaria\"\n }\n ]\n}\nfiles/certs/metal-api-grpc/server.json (Fill in your control plane ingress DNS here)\n{\n \"CN\": \"metal-api\",\n \"hosts\": [\"\"],\n \"key\": {\n \"algo\": \"rsa\",\n \"size\": 4096\n },\n \"names\": [\n {\n \"C\": \"DE\",\n \"L\": \"Munich\",\n \"O\": \"Metal-Stack\",\n \"OU\": \"DevOps\",\n \"ST\": \"Bavaria\"\n }\n ]\n}","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Running the roll_certs.sh bash script without any arguments should generate you the required certificates.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Now Provide the paths to these certificates in group_vars/control-plane/metal.yaml:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"---\nmetal_masterdata_api_tls_ca: \"{{ lookup('file', 'certs/ca.pem') }}\"\nmetal_masterdata_api_tls_cert: \"{{ lookup('file', 'certs/masterdata-api/server.pem') }}\"\nmetal_masterdata_api_tls_cert_key: \"{{ lookup('file', 'certs/masterdata-api/server-key.pem') }}\"\nmetal_masterdata_api_tls_client_cert: \"{{ lookup('file', 'certs/masterdata-api/client.pem') }}\"\nmetal_masterdata_api_tls_client_key: \"{{ lookup('file', 'certs/masterdata-api/client-key.pem') }}\"\n\nmetal_api_grpc_certs_server_key: \"{{ lookup('file', 'certs/metal-api-grpc/server-key.pem') }}\"\nmetal_api_grpc_certs_server_cert: \"{{ lookup('file', 'certs/metal-api-grpc/server.pem') }}\"\nmetal_api_grpc_certs_client_key: \"{{ lookup('file', 'certs/metal-api-grpc/client-key.pem') }}\"\nmetal_api_grpc_certs_client_cert: \"{{ lookup('file', 'certs/metal-api-grpc/client.pem') }}\"\nmetal_api_grpc_certs_ca_cert: \"{{ lookup('file', 'certs/ca.pem') }}\"","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"tip: Tip\nFor the actual communication between the metal-api and the user clients (REST API, runs over the ingress-controller you deployed before), you can simply deploy a tool like cert-manager into your Kubernetes cluster, which will automatically provide your ingress domains with Let's Encrypt certificates.","category":"page"},{"location":"installation/deployment/#Running-the-Deployment","page":"Installation","title":"Running the Deployment","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Finally, it should be possible to run the deployment through a Docker container. Make sure to have the Kubeconfig file of your cluster and set the path in the following command accordingly:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"using Docs\n\nbase_image = releaseVector()[\"docker-images\"][\"metal-stack\"][\"generic\"][\"deployment-base\"][\"tag\"]\n\nt = raw\"\"\"\n```bash\nexport KUBECONFIG=\ndocker run --rm -it \\\n -v $(pwd):/workdir \\\n --workdir /workdir \\\n -e KUBECONFIG=\"${KUBECONFIG}\" \\\n -e K8S_AUTH_KUBECONFIG=\"${KUBECONFIG}\" \\\n -e ANSIBLE_INVENTORY=inventories/control-plane.yaml \\\n metalstack/metal-deployment-base:%s \\\n /bin/bash -ce \\\n \"ansible-playbook obtain_role_requirements.yaml\n ansible-galaxy install -r requirements.yaml\n ansible-playbook deploy_metal_control_plane.yaml\"\n```\n\"\"\"\n\nmarkdownTemplate(t, base_image)","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"tip: Tip\nIf you are having issues regarding the deployment take a look at the troubleshoot document. Please give feedback such that we can make the deployment of the metal-stack easier for you and for others!","category":"page"},{"location":"installation/deployment/#Providing-Images","page":"Installation","title":"Providing Images","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"After the deployment has finished (hopefully without any issues!), you should consider deploying some masterdata entities into your metal-api. For example, you can add your first machine sizes and operating system images. You can do this by further parametrizing the metal role. We will just add an operating system for demonstration purposes. Add the following variable to your inventories/group_vars/control-plane/common.yaml:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"metal_api_images:\n- id: firewall-ubuntu-2.0.20201004\n name: Firewall 2 Ubuntu 20201004\n description: Firewall 2 Ubuntu 20201004\n url: http://images.metal-stack.io/metal-os/master/firewall/2.0-ubuntu/20201004/img.tar.lz4\n features:\n - firewall\n- id: ubuntu-20.04.20201004\n name: Ubuntu 20.04 20201004\n description: Ubuntu 20.04 20201004\n url: http://images.metal-stack.io/metal-os/master/ubuntu/20.04/20201004/img.tar.lz4\n features:\n - machine","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Then, re-run the deployment to apply your changes. Our playbooks are idempotent.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"info: Info\nImage versions should be regularly checked for updates.","category":"page"},{"location":"installation/deployment/#Setting-up-metalctl","page":"Installation","title":"Setting up metalctl","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"You can now verify the existence of the operating system images in the metal-api using our CLI client called metalctl. The configuration for metalctl should look like this:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"# ~/.metalctl/config.yaml\n---\ncurrent: test\ncontexts:\n test:\n # the metal-api endpoint depends on your dns name specified before\n # you can look up the url to the metal-api via the kubernetes ingress\n # resource with:\n # $ kubectl get ingress -n metal-control-plane\n url: \n # in the future you have to change the HMAC to a strong, random string\n # in order to protect against unauthorized api access\n # the default hmac is \"change-me\"\n hmac: change-me","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Issue the following command:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"$ metalctl image ls\nID \tNAME \tDESCRIPTION \tFEATURES\tEXPIRATION\tSTATUS\nubuntu-19.10.20200331 \tUbuntu 19.10 20200331 \tUbuntu 19.10 20200331 \tmachine \t89d 23h \tpreview","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"The basic principles of how the metal control plane can be deployed should now be clear. It is now up to you to move the deployment execution into your CI and add things like certificates for the ingress-controller and NSQ.","category":"page"},{"location":"installation/deployment/#Setting-Up-the-backup-restore-sidecar","page":"Installation","title":"Setting Up the backup-restore-sidecar","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"The backup-restore-sidecar can come up very handy when you want to add another layer of security to the metal-stack databases in your Kubernetes cluster. The sidecar takes backups of the metal databases in small time intervals and stores them in a blobstore of a cloud provider. This way your metal-stack setup can even survive the deletion of your Kubernetes control plane cluster (including all volumes getting lost). After re-deploying metal-stack to another Kubernetes clusters, the databases come up with the latest backup data in a matter of seconds.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Checkout the role documentation of the individual databases to find out how to configure the sidecar properly. You can also try out the mechanism from the backup-restore-sidecar repository.","category":"page"},{"location":"installation/deployment/#Auth","page":"Installation","title":"Auth","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"metal-stack currently supports two authentication methods:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"dex for providing user authentication through OpenID Connect (OIDC)\nHMAC auth, typically used for access by technical users (because we do not have service account tokens at the time being)","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"In the metal-api, we have three different user roles for authorization:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Admin\nEdit\nView","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"How the user permissions are used is documented in the technical API docs.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"If you decided to set up a dex server, you can parametrize the metal role for using the dex server by defining the variable metal_api_dex_address.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"info: Info\nWe also have dedicated controllers for using the dex server for Kubernetes clusters when deploying metal-stack along with the Gardener in your environment. The approach is described in further detail in the section Gardener with metal-stack.","category":"page"},{"location":"installation/deployment/#Bootstrapping-a-Partition","page":"Installation","title":"Bootstrapping a Partition","text":"","category":"section"},{"location":"installation/deployment/#Out-Of-Band-Network","page":"Installation","title":"Out-Of-Band-Network","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"To be able to deploy and maintain a metal-stack partition, you need to bootstrap the Out-Of-Band-Network first. Some considerations must be made to fulfill the requirements of our infrastructure, a partition is designed to be:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"secure\nfully routable (BGP)\nscalable\nresilient\ndeployable via CI/CD jobs\naccessible from the internet from specific IPs","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"In order to accomplish this task remotely and in a nearly automatic manner, you have to bootstrap the components in this order:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"management firewalls\nmanagement servers\nmanagement spines\nmanagement leaves\nleaves, spines and exits","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"This document assumes that all cabling is done. Here is a quick overview of the architecture:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"(Image: Out-of-Band-Network)","category":"page"},{"location":"installation/deployment/#Management-Firewalls","page":"Installation","title":"Management Firewalls","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"As you can see, the management firewalls are the first bastion hosts in a partition to provide access to our infrastructure. There are two of them in each partition to guarantee high availability and load balancing. The very first configuration of these routers has to be done manually to solve the chicken and egg problem that you need the management firewalls in place to deploy the partition. Manually means that we generate a configuration template with ansible that we deploy with copy/paste, and the load, through the machine console. Once the management server has been deployed, we are able to deploy this configuration via CI runner and ansible. For this you need the user and the ssh-key, which is deployed with the configuration file mentioned above. The Edgerouters has to fulfill some requirements including:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"provide and restrict access to the Out-Of-Band-Network from the internet with a firewall ruleset\nprovide destination NAT to the management server and its IPMI interface\nprovide Onie Boot and ztp via DHCP options for the management spine\nprovide DHCP management addresses for management spine, management server and ipmi interface of the management server\nHairpin-NAT for the management server to access itself via its puplic IP, needed by the CI runner to delegate CI Jobs.\npropagate a default gateway via BGP","category":"page"},{"location":"installation/deployment/#Management-Servers","page":"Installation","title":"Management Servers","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"The second bastion hosts are the management servers. They are the main bootstrapping components of the Out-Of-Band-Network. They also act as jump hosts for all components in a partition. Once they are installed and deployed, we are able to bootstrap all the other components. To bootstrap the management servers, we generate an ISO image which will automatically install an OS and an ansible user with ssh keys. It is preconfigured with a preseed file to allow an unattended OS installation for our needs. This is why we need remote access to the IPMI interface of the management servers: The generated ISO is attached via the virtual media function of the BMC. After that, all we have to do is boot from that virtual CD-ROM and wait for the installation to finish. Deployment jobs (Gitlab-CI) in a partition are delegated to the appropriate management servers, therefore we need a CI runner active on each management server.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"After the CI runner has been installed, you can trigger your Playbooks from the the CI. The Ansible-Playbooks have to make sure that these functionalities are present on the management servers:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Prometheus and exporters\nCI runner\nmetal-bmc\nimage-cache\nsimple webserver to provide images\nOnie Boot and ZTP\nDHCP addresses for ipmi interfaces of the workers\nDHCP addresses for switches","category":"page"},{"location":"installation/deployment/#Management-Spines","page":"Installation","title":"Management Spines","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"tip: Tip\nIf you are using SONiC switches, you should make use of Zero Touch Provisioning and Onie Boot","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"The purpose of these switches is to connect the management interfaces of all switches to the management servers. The management spine's own management interface is connected to the management firewall for the bootstrapping of the management spine itself. The management firewall will provide a DHCP address and DHCP options to start SONiC's Zero Touch Provisioning; the images for all switches are downloaded from the management server (nginx container). Each management leaf is connected to both management spines to provide redundant connectivity to both management servers. BGP is used as a routing protocol such that, when a link goes down, an alternate path is used. In the picture above you can see that there are also switch management interfaces connected to the management spine. This has to be done so that we can bootstrap these switches; the management spine relays the DHCP requests from these switches to the management servers so that they are able to Onie Boot and get their ZTP scripts.","category":"page"},{"location":"installation/deployment/#Management-Leaves","page":"Installation","title":"Management Leaves","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"All workers have to be connected with their IPMI/BMC interface to the management leaves to get DHCP addresses from the management server. The management leaves are relaying those DHCP requests to the management server which will answer the requests and provide IPs from a given range. The management interfaces of the management leaves also have to be reachable from the management server, and need to get their IP address via DHCP for the bootstrapping process.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"In the example setup, these interfaces are connected to an end-of-row-switch which aggregates them and connects them to the management spines with a fiber-optics connection. If you can reach the management spines from the management leaves with copper cables, you do not need the end of row switch. After the initial bootstrapping, the management interfaces of the management leaves continue to be used for access to the switches' command line, and for subsequent OS updates. (update=reset+bootrap+deployment)","category":"page"},{"location":"installation/deployment/#Partition-Deployment","page":"Installation","title":"Partition Deployment","text":"","category":"section"},{"location":"installation/deployment/#Gardener-with-metal-stack","page":"Installation","title":"Gardener with metal-stack","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"If you want to deploy metal-stack as a cloud provider for Gardener, you should follow the regular Gardener installation instructions and setup a Gardener cluster first. It's perfectly fine to setup the Gardener cluster in the same cluster that you use for hosting metal-stack.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"You can find installation instructions for Gardener on the Gardener website beneath docs. metal-stack is an out-of-tree provider and therefore you will not find example files for metal-stack resources in the Gardener repositories. The following list describes the resources and components that you need to deploy into the Gardener cluster in order to make Gardener work with metal-stack:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"warning: Warning\nThe following list assumes you have Gardener installed in a Kubernetes cluster and that you have a basic understanding of how Gardener works. If you need further help with the following steps, you can also come and ask in our Slack channel.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Deploy the validator from the gardener-extension-provider-metal repository to your cluster via Helm\nAdd a cloud profile called metal containing all your machine images, machine types and regions (region names can be chosen freely, the zone names need to match your partition names) together with our metal-stack-specific provider config as defined here\nRegister the gardener-extension-provider-metal controller by deploying the controller-registration into your Gardener cluster, parametrize the embedded chart in the controller registration's values section if necessary (this is the corresponding values file)\nmetal-stack does not provide an own backup storage infrastructure for now. If you want to enable ETCD backups (which you should do because metal-stack also does not have persistent storage out of the box, which makes these backups even more valuable), you should deploy an extension-provider of another cloud provider and configure it to only reconcile the backup buckets (you can reference this backup infrastructure used for the metal shoot in the shoot spec)\nRegister the os-extension-provider-metal controller by deploying the controller-registration into your Gardener cluster, this controller can transform the operating system configuration from Gardener into Ignition user data\nYou need to use the Gardener's networking-calico controller for setting up shoot CNI, you will have to put specific provider configuration into the shoot spec to make it work with metal-stack:\nnetworking:\n type: calico\n # we can peer with the frr within 10.244.0.0/16, which we do with the metallb\n # the networks for the shoot need to be disjunct with the networks of the seed, otherwise the VPN connection will not work properly\n # the seeds are typically deployed with podCIDR 10.244.128.0/18 and serviceCIDR 10.244.192.0/18\n # the shoots are typically deployed with podCIDR 10.244.0.0/18 and serviceCIDR 10.244.64.0/18\n pods: 10.244.0.0/18\n services: 10.244.64.0/18\n providerConfig:\n apiVersion: calico.networking.extensions.gardener.cloud/v1alpha1\n kind: NetworkConfig\n backend: vxlan\n ipv4:\n pool: vxlan\n mode: Always\n autoDetectionMethod: interface=lo\n typha:\n enabled: false\nFor your seed cluster you will need to provide the provider secret for metal-stack containing the key metalAPIHMac, which is the API HMAC to grant editor access to the metal-api\nCheckout our current provider configuration for infrastructure and control-plane before deploying your shoot","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"tip: Tip\nWe are officially supported by Gardener dashboard. The dashboard can also help you setting up some of the resources mentioned above.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_list/#metalctl-switch-list","page":"metalctl switch list","title":"metalctl switch list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_list/","page":"metalctl switch list","title":"metalctl switch list","text":"list all switches","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_list/","page":"metalctl switch list","title":"metalctl switch list","text":"metalctl switch list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_list/#Options","page":"metalctl switch list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_list/","page":"metalctl switch list","title":"metalctl switch list","text":" -h, --help help for list\n --id string ID of the switch.\n --name string Name of the switch.\n --os-vendor string OS vendor of this switch.\n --os-version string OS version of this switch.\n --partition string Partition of this switch.\n --rack string Rack of this switch.\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: description|id|name","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_list/#Options-inherited-from-parent-commands","page":"metalctl switch list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_list/","page":"metalctl switch list","title":"metalctl switch list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_list/#SEE-ALSO","page":"metalctl switch list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_list/","page":"metalctl switch list","title":"metalctl switch list","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_apply/#metalctl-network-ip-apply","page":"metalctl network ip apply","title":"metalctl network ip apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_apply/","page":"metalctl network ip apply","title":"metalctl network ip apply","text":"applies one or more ips from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_apply/","page":"metalctl network ip apply","title":"metalctl network ip apply","text":"metalctl network ip apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_apply/#Options","page":"metalctl network ip apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_apply/","page":"metalctl network ip apply","title":"metalctl network ip apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl ip describe ip-1 -o yaml > ip.yaml\n $ vi ip.yaml\n $ # either via stdin\n $ cat ip.yaml | metalctl ip apply -f -\n $ # or via file\n $ metalctl ip apply -f ip.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_apply/#Options-inherited-from-parent-commands","page":"metalctl network ip apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_apply/","page":"metalctl network ip apply","title":"metalctl network ip apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_apply/#SEE-ALSO","page":"metalctl network ip apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_apply/","page":"metalctl network ip apply","title":"metalctl network ip apply","text":"metalctl network ip\t - manage ip entities","category":"page"},{"location":"external/metalctl/docs/metalctl_image_create/#metalctl-image-create","page":"metalctl image create","title":"metalctl image create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_create/","page":"metalctl image create","title":"metalctl image create","text":"creates the image","category":"page"},{"location":"external/metalctl/docs/metalctl_image_create/","page":"metalctl image create","title":"metalctl image create","text":"metalctl image create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_image_create/#Options","page":"metalctl image create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_create/","page":"metalctl image create","title":"metalctl image create","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -d, --description string Description of the image.\n --features strings features of the image, can be one of machine|firewall\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl image describe image-1 -o yaml > image.yaml\n $ vi image.yaml\n $ # either via stdin\n $ cat image.yaml | metalctl image create -f -\n $ # or via file\n $ metalctl image create -f image.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for create\n --id string ID of the image.\n -n, --name string Name of the image.\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations\n --url string url of the image.","category":"page"},{"location":"external/metalctl/docs/metalctl_image_create/#Options-inherited-from-parent-commands","page":"metalctl image create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_create/","page":"metalctl image create","title":"metalctl image create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_image_create/#SEE-ALSO","page":"metalctl image create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_create/","page":"metalctl image create","title":"metalctl image create","text":"metalctl image\t - manage image entities","category":"page"},{"location":"#Welcome-to-the-metal-stack-docs!","page":"Introduction","title":"Welcome to the metal-stack docs!","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"metal-stack is an open source software that provides an API for provisioning and managing physical servers in the data center. To categorize this product, we use the terms Metal-as-a-Service (MaaS) or bare metal cloud.","category":"page"},{"location":"","page":"Introduction","title":"Introduction","text":"From the perspective of a user, the metal-stack does not feel any different from working with a conventional cloud provider. Users manage their resources (machines, networks and ip addresses, etc.) by themselves, which effectively turns your data center into an elastic cloud infrastructure.","category":"page"},{"location":"","page":"Introduction","title":"Introduction","text":"The major difference to other cloud providers is that compute power and data reside in your own data center.","category":"page"},{"location":"","page":"Introduction","title":"Introduction","text":"Pages = [\"index.md\"]\nDepth = 5","category":"page"},{"location":"#Why-metal-stack?","page":"Introduction","title":"Why metal-stack?","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"Before we started with our mission to implement the metal-stack, we decided on a couple of key characteristics and constraints that we think are unique in the domain (otherwise we would definitely have chosen an existing solution).","category":"page"},{"location":"","page":"Introduction","title":"Introduction","text":"We hope that the following properties appeal to you as well.","category":"page"},{"location":"#On-Premise","page":"Introduction","title":"On-Premise","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"Running on-premise gives you data sovereignty and usually a better price / performance ratio than with hyperscalers — especially the larger you grow your environment. Another benefit of running on-premise is an easier connectivity to existing company networks.","category":"page"},{"location":"#Fast-Provisioning","page":"Introduction","title":"Fast Provisioning","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"Provisioning bare metal machines should not feel much different from virtual machines. metal-stack is capable of provisioning servers in less than a minute. The underlying network topology is based on BGP and allows announcing new routes to your host machines in a matter of seconds.","category":"page"},{"location":"#No-Ops","page":"Introduction","title":"No-Ops","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"Part of the metal-stack runs on dedicated switches in your data center. This way, it is possible to automate server inventorization, permanently reconcile network configuration and automatically manage machine lifecycles. Manual configuration is neither required nor wanted.","category":"page"},{"location":"#Security","page":"Introduction","title":"Security","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"Our networking approach was designed for highest standards on security. Also, we enforce firewalling on dedicated tenant firewalls before users can establish connections to other networks than their private tenant network. API authentication and authorization is done with the help of OIDC.","category":"page"},{"location":"#API-driven","page":"Introduction","title":"API driven","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"The development of metal-stack is strictly API driven and offers self-service to end-users. This approach delivers the highest possible degree of automation, maintainability and performance.","category":"page"},{"location":"#Ready-for-Kubernetes","page":"Introduction","title":"Ready for Kubernetes","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"Not only does the metal-stack run smoothly on Kubernetes (K8s). The major intent of metal-stack has always been to build a scalable machine infrastructure for Kubernetes as a Service (KaaS). In partnership with the open-source project Gardener, we can provision Kubernetes clusters on metal-stack at scale.","category":"page"},{"location":"","page":"Introduction","title":"Introduction","text":"From the perspective of the Gardener, the metal-stack is just another cloud provider. The time savings compared to providing machines and Kubernetes by hand are significant. We actually want to be able to compete with offers of public cloud providers, especially regarding speed and usability.","category":"page"},{"location":"","page":"Introduction","title":"Introduction","text":"Of course, you can use metal-stack only for machine provisioning as well and just put something else on top of your metal infrastructure.","category":"page"},{"location":"#Open-Source","page":"Introduction","title":"Open Source","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"The metal-stack is open source and free of constraints regarding vendors and third-party products. The stack is completely built on open source products. We have a community actively working on the metal-stack, which can assist you delivering all reasonable features you are gonna need.","category":"page"},{"location":"#Why-Bare-Metal?","page":"Introduction","title":"Why Bare Metal?","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"Bare metal has several advantages over virtual environments and overcomes several drawbacks of virtual machines. We also listed drawbacks of the bare metal approach. Bare in mind though that it is still possible to virtualize on bare metal environments when you have your stack up and running.","category":"page"},{"location":"#Virtual-Environment-Drawbacks","page":"Introduction","title":"Virtual Environment Drawbacks","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"Spectre and Meltdown can only be mitigated with a \"cluster per tenant\" approach\nMissing isolation of multi-tenant change impacts\nLicensing restrictions\nNoisy-neighbors","category":"page"},{"location":"#Bare-Metal-Advantages","page":"Introduction","title":"Bare Metal Advantages","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"Guaranteed and fastest possible performance (especially disk i/o)\nReduced stack depth (Host / VM / Application vs. Host / Container)\nReduced attack surface\nLower costs, higher performance\nNo VM live-migrations\nBigger hardware configurations possible (hypervisors have restrictions, e.g. it is not possible to assign all CPUs to a single VM)","category":"page"},{"location":"#Bare-Metal-Drawbacks","page":"Introduction","title":"Bare Metal Drawbacks","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"Hardware defects have direct impact (should be considered by design) and can not be mitigated by live-migration as in virtual environments\nCapacity planning is more difficult (no resource overbooking possible)","category":"page"},{"location":"development/proposals/MEP2/README/#Two-Factor-Authentication","page":"Two Factor Authentication","title":"Two Factor Authentication","text":"","category":"section"},{"location":"development/proposals/MEP14/README/#Independence-from-external-sources","page":"Independence from external sources","title":"Independence from external sources","text":"","category":"section"},{"location":"development/proposals/MEP14/README/","page":"Independence from external sources","title":"Independence from external sources","text":"In certain situations some customers may need to operate and create machines without making use of external services like DNS or NTP through the internet. To make this possible, all metal-stack components reaching external services need to be configurable with custom endpoints.","category":"page"},{"location":"development/proposals/MEP14/README/","page":"Independence from external sources","title":"Independence from external sources","text":"So far, the following components have been identified as requiring changes:","category":"page"},{"location":"development/proposals/MEP14/README/","page":"Independence from external sources","title":"Independence from external sources","text":"pixiecore\nmetal-hammer\nmetal-images","category":"page"},{"location":"development/proposals/MEP14/README/","page":"Independence from external sources","title":"Independence from external sources","text":"More components are likely to be added to the list during processing. For DNS and NTP servers it should be possible to provide default values within a partition. They can either be inherited from machines and firewalls or overwritten with own ones.","category":"page"},{"location":"development/proposals/MEP14/README/#pixiecore","page":"Independence from external sources","title":"pixiecore","text":"","category":"section"},{"location":"development/proposals/MEP14/README/","page":"Independence from external sources","title":"Independence from external sources","text":"A NTP server endpoint need to be configured on the pixiecore. This can be achieved by providing it through environment variables on start up.","category":"page"},{"location":"development/proposals/MEP14/README/#metal-hammer","page":"Independence from external sources","title":"metal-hammer","text":"","category":"section"},{"location":"development/proposals/MEP14/README/","page":"Independence from external sources","title":"Independence from external sources","text":"If using a self-deployed NTP server, also the metal-hammer need to be configured with it. For backward compatibility, default values from pool.ntp.org and time.google.com are used.","category":"page"},{"location":"development/proposals/MEP14/README/#metal-images","page":"Independence from external sources","title":"metal-images","text":"","category":"section"},{"location":"development/proposals/MEP14/README/","page":"Independence from external sources","title":"Independence from external sources","text":"Configurations for the metal-images are different for machines and firewalls.","category":"page"},{"location":"development/proposals/MEP14/README/#metalctl","page":"Independence from external sources","title":"metalctl","text":"","category":"section"},{"location":"development/proposals/MEP14/README/","page":"Independence from external sources","title":"Independence from external sources","text":"In order to pass DNS and NTP servers to partitions and machines while creating them, the flags dnsservers and ntpservers need to be added.","category":"page"},{"location":"development/proposals/MEP14/README/","page":"Independence from external sources","title":"Independence from external sources","text":"The implementation of this MEP will make metal-stack possible to create and maintain machines without requiring an internet connection.","category":"page"},{"location":"apidocs/apidocs/#API-Documentation","page":"API Documentation","title":"API Documentation","text":"","category":"section"},{"location":"apidocs/apidocs/","page":"API Documentation","title":"API Documentation","text":"In this section you will find links to the API documentation of metal-stack components.","category":"page"},{"location":"apidocs/apidocs/","page":"API Documentation","title":"API Documentation","text":"using Docs\n\nmetal_api_image = releaseVector()[\"docker-images\"][\"metal-stack\"][\"control-plane\"][\"metal-api\"][\"tag\"]\ncontent = redocTemplate(\"metal-api\", string(\"https://raw.githubusercontent.com/metal-stack/metal-api/\", metal_api_image, \"/spec/metal-api.json\"))\n\nf = open(string(@__DIR__, \"/metal-api/index.html\"), \"w\")\nwrite(f, content)\nclose(f);\n\nnothing","category":"page"},{"location":"apidocs/apidocs/","page":"API Documentation","title":"API Documentation","text":"metal-api","category":"page"},{"location":"external/metalctl/docs/metalctl_network_delete/#metalctl-network-delete","page":"metalctl network delete","title":"metalctl network delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_delete/","page":"metalctl network delete","title":"metalctl network delete","text":"deletes the network","category":"page"},{"location":"external/metalctl/docs/metalctl_network_delete/","page":"metalctl network delete","title":"metalctl network delete","text":"metalctl network delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_delete/#Options","page":"metalctl network delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_delete/","page":"metalctl network delete","title":"metalctl network delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl network describe network-1 -o yaml > network.yaml\n $ vi network.yaml\n $ # either via stdin\n $ cat network.yaml | metalctl network delete -f -\n $ # or via file\n $ metalctl network delete -f network.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_network_delete/#Options-inherited-from-parent-commands","page":"metalctl network delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_delete/","page":"metalctl network delete","title":"metalctl network delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_delete/#SEE-ALSO","page":"metalctl network delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_delete/","page":"metalctl network delete","title":"metalctl network delete","text":"metalctl network\t - manage network entities","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_down/#metalctl-switch-port-down","page":"metalctl switch port down","title":"metalctl switch port down","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_down/","page":"metalctl switch port down","title":"metalctl switch port down","text":"sets the given switch port state down","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_down/#Synopsis","page":"metalctl switch port down","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_down/","page":"metalctl switch port down","title":"metalctl switch port down","text":"sets the port status to DOWN so the connected machine will not be able to connect to the switch.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_down/","page":"metalctl switch port down","title":"metalctl switch port down","text":"metalctl switch port down [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_down/#Options","page":"metalctl switch port down","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_down/","page":"metalctl switch port down","title":"metalctl switch port down","text":" -h, --help help for down","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_down/#Options-inherited-from-parent-commands","page":"metalctl switch port down","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_down/","page":"metalctl switch port down","title":"metalctl switch port down","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --port string the port to be changed.\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_down/#SEE-ALSO","page":"metalctl switch port down","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_down/","page":"metalctl switch port down","title":"metalctl switch port down","text":"metalctl switch port\t - sets the given switch port state up or down","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_ssh/#metalctl-switch-ssh","page":"metalctl switch ssh","title":"metalctl switch ssh","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_ssh/","page":"metalctl switch ssh","title":"metalctl switch ssh","text":"connect to the switch via ssh","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_ssh/#Synopsis","page":"metalctl switch ssh","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_ssh/","page":"metalctl switch ssh","title":"metalctl switch ssh","text":"this requires a network connectivity to the management ip address of the switch.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_ssh/","page":"metalctl switch ssh","title":"metalctl switch ssh","text":"metalctl switch ssh [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_ssh/#Options","page":"metalctl switch ssh","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_ssh/","page":"metalctl switch ssh","title":"metalctl switch ssh","text":" -h, --help help for ssh","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_ssh/#Options-inherited-from-parent-commands","page":"metalctl switch ssh","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_ssh/","page":"metalctl switch ssh","title":"metalctl switch ssh","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_ssh/#SEE-ALSO","page":"metalctl switch ssh","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_ssh/","page":"metalctl switch ssh","title":"metalctl switch ssh","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/#metalctl-firmware-upload-bmc","page":"metalctl firmware upload bmc","title":"metalctl firmware upload bmc","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/","page":"metalctl firmware upload bmc","title":"metalctl firmware upload bmc","text":"upload a BMC firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/#Synopsis","page":"metalctl firmware upload bmc","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/","page":"metalctl firmware upload bmc","title":"metalctl firmware upload bmc","text":"the given BMC firmware file will be uploaded and tagged as given revision.","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/","page":"metalctl firmware upload bmc","title":"metalctl firmware upload bmc","text":"metalctl firmware upload bmc [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/#Options","page":"metalctl firmware upload bmc","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/","page":"metalctl firmware upload bmc","title":"metalctl firmware upload bmc","text":" --board string the board type (required)\n -h, --help help for bmc\n --revision string the BMC firmware revision (required)\n --vendor string the vendor (required)","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/#Options-inherited-from-parent-commands","page":"metalctl firmware upload bmc","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/","page":"metalctl firmware upload bmc","title":"metalctl firmware upload bmc","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/#SEE-ALSO","page":"metalctl firmware upload bmc","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/","page":"metalctl firmware upload bmc","title":"metalctl firmware upload bmc","text":"metalctl firmware upload\t - upload a firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_list/#metalctl-machine-list","page":"metalctl machine list","title":"metalctl machine list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_list/","page":"metalctl machine list","title":"metalctl machine list","text":"list all machines","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_list/#Synopsis","page":"metalctl machine list","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_list/","page":"metalctl machine list","title":"metalctl machine list","text":"list all machines","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_list/","page":"metalctl machine list","title":"metalctl machine list","text":"Meaning of the emojis:","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_list/","page":"metalctl machine list","title":"metalctl machine list","text":"🚧 Machine is reserved. Reserved machines are not considered for random allocation until the reservation flag is removed. 🔒 Machine is locked. Locked machines can not be deleted until the lock is removed. 💀 Machine is dead. The metal-api does not receive any events from this machine. ❗ Machine has a last event error. The machine has recently encountered an error during the provisioning lifecycle. ❓ Machine is in unknown condition. The metal-api does not receive phoned home events anymore or has never booted successfully. ⭕ Machine is in a provisioning crash loop. Flag can be reset through an API-triggered reboot or when the machine reaches the phoned home state. 🚑 Machine reclaim has failed. The machine was deleted but it is not going back into the available machine pool. 🛡 Machine is connected to our VPN, ssh access only possible via this VPN.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_list/","page":"metalctl machine list","title":"metalctl machine list","text":"metalctl machine list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_list/#Options","page":"metalctl machine list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_list/","page":"metalctl machine list","title":"metalctl machine list","text":" --bmc-address string bmc ipmi address (needs to include port) to filter [optional]\n --bmc-mac string bmc mac address to filter [optional]\n --board-part-number string fru board part number to filter [optional]\n -h, --help help for list\n --hostname string allocation hostname to filter [optional]\n --id string ID to filter [optional]\n --image string allocation image to filter [optional]\n --last-event-error-threshold duration the duration up to how long in the past a machine last event error will be counted as an issue [optional] (default 1h0m0s)\n --mac string mac to filter [optional]\n --manufacturer string fru manufacturer to filter [optional]\n --name string allocation name to filter [optional]\n --network-destination-prefixes string network destination prefixes to filter [optional]\n --network-ids string network ids to filter [optional]\n --network-ips string network ips to filter [optional]\n --partition string partition to filter [optional]\n --product-part-number string fru product part number to filter [optional]\n --product-serial string fru product serial to filter [optional]\n --project string allocation project to filter [optional]\n --rack string rack to filter [optional]\n --role string allocation role to filter [optional]\n --size string size to filter [optional]\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: age|event|id|image|liveliness|partition|project|rack|size|when\n --state string state to filter [optional]\n --tags strings tags to filter, use it like: --tags \"tag1,tag2\" or --tags \"tag3\".","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_list/#Options-inherited-from-parent-commands","page":"metalctl machine list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_list/","page":"metalctl machine list","title":"metalctl machine list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_list/#SEE-ALSO","page":"metalctl machine list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_list/","page":"metalctl machine list","title":"metalctl machine list","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_list/#metalctl-firmware-list","page":"metalctl firmware list","title":"metalctl firmware list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_list/","page":"metalctl firmware list","title":"metalctl firmware list","text":"list firmwares","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_list/#Synopsis","page":"metalctl firmware list","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_list/","page":"metalctl firmware list","title":"metalctl firmware list","text":"lists all available firmwares matching the given criteria.","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_list/","page":"metalctl firmware list","title":"metalctl firmware list","text":"metalctl firmware list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_list/#Options","page":"metalctl firmware list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_list/","page":"metalctl firmware list","title":"metalctl firmware list","text":" --board string the board type\n -h, --help help for list\n --kind string the firmware kind [bmc|bios]\n --machineid string the machine id (ignores vendor and board flags)\n --vendor string the vendor","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_list/#Options-inherited-from-parent-commands","page":"metalctl firmware list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_list/","page":"metalctl firmware list","title":"metalctl firmware list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_list/#SEE-ALSO","page":"metalctl firmware list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_list/","page":"metalctl firmware list","title":"metalctl firmware list","text":"metalctl firmware\t - manage firmwares","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn/#metalctl-vpn","page":"metalctl vpn","title":"metalctl vpn","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn/","page":"metalctl vpn","title":"metalctl vpn","text":"access VPN","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn/#Synopsis","page":"metalctl vpn","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn/","page":"metalctl vpn","title":"metalctl vpn","text":"access VPN","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn/#Options","page":"metalctl vpn","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn/","page":"metalctl vpn","title":"metalctl vpn","text":" -h, --help help for vpn","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn/#Options-inherited-from-parent-commands","page":"metalctl vpn","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn/","page":"metalctl vpn","title":"metalctl vpn","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn/#SEE-ALSO","page":"metalctl vpn","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn/","page":"metalctl vpn","title":"metalctl vpn","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl vpn key\t - create an auth key","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/#metalctl-firmware-upload-bios","page":"metalctl firmware upload bios","title":"metalctl firmware upload bios","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/","page":"metalctl firmware upload bios","title":"metalctl firmware upload bios","text":"upload a BIOS firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/#Synopsis","page":"metalctl firmware upload bios","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/","page":"metalctl firmware upload bios","title":"metalctl firmware upload bios","text":"the given BIOS firmware file will be uploaded and tagged as given revision.","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/","page":"metalctl firmware upload bios","title":"metalctl firmware upload bios","text":"metalctl firmware upload bios [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/#Options","page":"metalctl firmware upload bios","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/","page":"metalctl firmware upload bios","title":"metalctl firmware upload bios","text":" --board string the board type (required)\n -h, --help help for bios\n --revision string the BIOS firmware revision (required)\n --vendor string the vendor (required)","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/#Options-inherited-from-parent-commands","page":"metalctl firmware upload bios","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/","page":"metalctl firmware upload bios","title":"metalctl firmware upload bios","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/#SEE-ALSO","page":"metalctl firmware upload bios","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/","page":"metalctl firmware upload bios","title":"metalctl firmware upload bios","text":"metalctl firmware upload\t - upload a firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_size_suggest/#metalctl-size-suggest","page":"metalctl size suggest","title":"metalctl size suggest","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_suggest/","page":"metalctl size suggest","title":"metalctl size suggest","text":"suggest size from a given machine id","category":"page"},{"location":"external/metalctl/docs/metalctl_size_suggest/","page":"metalctl size suggest","title":"metalctl size suggest","text":"metalctl size suggest [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_suggest/#Options","page":"metalctl size suggest","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_suggest/","page":"metalctl size suggest","title":"metalctl size suggest","text":" --description string The description of the suggested size (default \"a suggested size\")\n -h, --help help for suggest\n --labels strings labels to add to the size\n --machine-id string Machine id used to create the size suggestion. [required]\n --name string The name of the suggested size (default \"suggested-size\")","category":"page"},{"location":"external/metalctl/docs/metalctl_size_suggest/#Options-inherited-from-parent-commands","page":"metalctl size suggest","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_suggest/","page":"metalctl size suggest","title":"metalctl size suggest","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_suggest/#SEE-ALSO","page":"metalctl size suggest","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_suggest/","page":"metalctl size suggest","title":"metalctl size suggest","text":"metalctl size\t - manage size entities","category":"page"},{"location":"external/csi-driver-lvm/README/#csi-driver-lvm","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"","category":"section"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"CSI DRIVER LVM utilizes local storage of Kubernetes nodes to provide persistent storage for pods.","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"It automatically creates hostPath based persistent volumes on the nodes.","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"Underneath it creates a LVM logical volume on the local disks. A comma-separated list of grok pattern, which disks to use must be specified.","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"This CSI driver is derived from csi-driver-host-path and csi-lvm","category":"page"},{"location":"external/csi-driver-lvm/README/#Currently-it-can-create,-delete,-mount,-unmount-and-resize-block-and-filesystem-volumes-via-lvm","page":"csi-driver-lvm","title":"Currently it can create, delete, mount, unmount and resize block and filesystem volumes via lvm","text":"","category":"section"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"For the special case of block volumes, the filesystem-expansion has to be performed by the app using the block device","category":"page"},{"location":"external/csi-driver-lvm/README/#Installation","page":"csi-driver-lvm","title":"Installation","text":"","category":"section"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"Helm charts for installation are located in a separate repository called helm-charts. If you would like to contribute to the helm chart, please raise an issue or pull request there.","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"You have to set the devicePattern for your hardware to specify which disks should be used to create the volume group.","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"helm install --repo https://helm.metal-stack.io mytest csi-driver-lvm --set lvm.devicePattern='/dev/nvme[0-9]n[0-9]'","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"Now you can use one of following storageClasses:","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"csi-driver-lvm-linear\ncsi-driver-lvm-mirror\ncsi-driver-lvm-striped","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"To get the previous old and now deprecated csi-lvm-sc-linear, ... storageclasses, set helm-chart value compat03x=true.","category":"page"},{"location":"external/csi-driver-lvm/README/#Migration","page":"csi-driver-lvm","title":"Migration","text":"","category":"section"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"If you want to migrate your existing PVC to / from csi-driver-lvm, you can use korb.","category":"page"},{"location":"external/csi-driver-lvm/README/#Todo","page":"csi-driver-lvm","title":"Todo","text":"","category":"section"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"implement CreateSnapshot(), ListSnapshots(), DeleteSnapshot()","category":"page"},{"location":"external/csi-driver-lvm/README/#Test","page":"csi-driver-lvm","title":"Test","text":"","category":"section"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"kubectl apply -f examples/csi-pvc-raw.yaml\nkubectl apply -f examples/csi-pod-raw.yaml\n\n\nkubectl apply -f examples/csi-pvc.yaml\nkubectl apply -f examples/csi-app.yaml\n\nkubectl delete -f examples/csi-pod-raw.yaml\nkubectl delete -f examples/csi-pvc-raw.yaml\n\nkubectl delete -f examples/csi-app.yaml\nkubectl delete -f examples/csi-pvc.yaml","category":"page"},{"location":"external/csi-driver-lvm/README/#Development","page":"csi-driver-lvm","title":"Development","text":"","category":"section"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"In order to run the integration tests locally, you need to create to loop devices on your host machine. Make sure the loop device mount paths are not used on your system (default path is /dev/loop10{0,1}).","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"You can create these loop devices like this:","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"for i in 100 101; do fallocate -l 1G loop${i}.img ; sudo losetup /dev/loop${i} loop${i}.img; done\nsudo losetup -a\n# use this for recreation or cleanup\n# for i in 100 101; do sudo losetup -d /dev/loop${i}; rm -f loop${i}.img; done","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"You can then run the tests against a kind cluster, running:","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"make test","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"To recreate or cleanup the kind cluster:","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"make test-cleanup","category":"page"},{"location":"external/csi-driver-lvm/README/#Page-Tree","page":"csi-driver-lvm","title":"Page Tree","text":"","category":"section"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"Pages = vcat([[joinpath(root, file)[length(@__DIR__)+2:end] for file in files] for (root, dirs, files) in walkdir(@__DIR__)]...)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_apply/#metalctl-machine-apply","page":"metalctl machine apply","title":"metalctl machine apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_apply/","page":"metalctl machine apply","title":"metalctl machine apply","text":"applies one or more machines from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_apply/","page":"metalctl machine apply","title":"metalctl machine apply","text":"metalctl machine apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_apply/#Options","page":"metalctl machine apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_apply/","page":"metalctl machine apply","title":"metalctl machine apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl machine describe machine-1 -o yaml > machine.yaml\n $ vi machine.yaml\n $ # either via stdin\n $ cat machine.yaml | metalctl machine apply -f -\n $ # or via file\n $ metalctl machine apply -f machine.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_apply/#Options-inherited-from-parent-commands","page":"metalctl machine apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_apply/","page":"metalctl machine apply","title":"metalctl machine apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_apply/#SEE-ALSO","page":"metalctl machine apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_apply/","page":"metalctl machine apply","title":"metalctl machine apply","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_image_update/#metalctl-image-update","page":"metalctl image update","title":"metalctl image update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_update/","page":"metalctl image update","title":"metalctl image update","text":"updates the image","category":"page"},{"location":"external/metalctl/docs/metalctl_image_update/","page":"metalctl image update","title":"metalctl image update","text":"metalctl image update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_image_update/#Options","page":"metalctl image update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_update/","page":"metalctl image update","title":"metalctl image update","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl image describe image-1 -o yaml > image.yaml\n $ vi image.yaml\n $ # either via stdin\n $ cat image.yaml | metalctl image update -f -\n $ # or via file\n $ metalctl image update -f image.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_image_update/#Options-inherited-from-parent-commands","page":"metalctl image update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_update/","page":"metalctl image update","title":"metalctl image update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_image_update/#SEE-ALSO","page":"metalctl image update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_update/","page":"metalctl image update","title":"metalctl image update","text":"metalctl image\t - manage image entities","category":"page"},{"location":"external/metalctl/docs/metalctl_login/#metalctl-login","page":"metalctl login","title":"metalctl login","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_login/","page":"metalctl login","title":"metalctl login","text":"login user and receive token","category":"page"},{"location":"external/metalctl/docs/metalctl_login/#Synopsis","page":"metalctl login","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_login/","page":"metalctl login","title":"metalctl login","text":"login and receive token that will be used to authenticate commands.","category":"page"},{"location":"external/metalctl/docs/metalctl_login/","page":"metalctl login","title":"metalctl login","text":"metalctl login [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_login/#Options","page":"metalctl login","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_login/","page":"metalctl login","title":"metalctl login","text":" -h, --help help for login\n --print-only If true, the token is printed to stdout","category":"page"},{"location":"external/metalctl/docs/metalctl_login/#Options-inherited-from-parent-commands","page":"metalctl login","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_login/","page":"metalctl login","title":"metalctl login","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_login/#SEE-ALSO","page":"metalctl login","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_login/","page":"metalctl login","title":"metalctl login","text":"metalctl\t - a cli to manage entities in the metal-stack api","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_up/#metalctl-switch-port-up","page":"metalctl switch port up","title":"metalctl switch port up","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_up/","page":"metalctl switch port up","title":"metalctl switch port up","text":"sets the given switch port state up","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_up/#Synopsis","page":"metalctl switch port up","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_up/","page":"metalctl switch port up","title":"metalctl switch port up","text":"sets the port status to UP so the connected machine will be able to connect to the switch.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_up/","page":"metalctl switch port up","title":"metalctl switch port up","text":"metalctl switch port up [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_up/#Options","page":"metalctl switch port up","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_up/","page":"metalctl switch port up","title":"metalctl switch port up","text":" -h, --help help for up","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_up/#Options-inherited-from-parent-commands","page":"metalctl switch port up","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_up/","page":"metalctl switch port up","title":"metalctl switch port up","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --port string the port to be changed.\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_up/#SEE-ALSO","page":"metalctl switch port up","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_up/","page":"metalctl switch port up","title":"metalctl switch port up","text":"metalctl switch port\t - sets the given switch port state up or down","category":"page"},{"location":"external/mini-lab/README/#mini-lab","page":"mini-lab","title":"mini-lab","text":"","category":"section"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"The mini-lab is a small, virtual setup to locally run the metal-stack. It deploys the metal control plane and a metal-stack partition with two simulated leaf switches. The lab can be used for trying out metal-stack, demonstration purposes or development.","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"(Image: overview components)","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"ℹ This project can also be used as a template for writing your own metal-stack deployments.","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Requirements\nKnown Limitations\nTry it out\nReinstall machine\nFree machine\nFlavors","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"","category":"page"},{"location":"external/mini-lab/README/#Requirements","page":"mini-lab","title":"Requirements","text":"","category":"section"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Linux machine with hardware virtualization support\nkvm as hypervisor for the VMs (you can check through the kvm-ok command)\ndocker >= 24.x.y (for using kind and our deployment base image)\nkind == v0.23.0 (for hosting the metal control plane)\ncontainerlab >= v0.56.0\nthe lab creates a docker network on your host machine with the address block 203.0.113.0/24, designated as TEST-NET-3 for documentation and examples.\n(recommended) haveged to have enough random entropy (only needed if the PXE process does not work)","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Here is some code that should help you to set up most of the requirements:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"# If UFW enabled.\n# Disable the firewall or allow traffic through Docker network IP range.\nsudo ufw status\nsudo ufw allow from 172.17.0.0/16\n\n# Install kvm\nsudo apt install -y git curl qemu qemu-kvm haveged\n\n# Install Docker\ncurl -fsSL https://get.docker.com | sh\n# if you want to be on the safe side, follow the original installation\n# instructions at https://docs.docker.com/engine/install/ubuntu/\n\n# Ensure that your user is member of the group \"docker\"\n# you need to login again in order to make this change take effect\nsudo usermod -G docker -a ${USER}\n\n# Install containerlab\nbash -c \"$(curl -sL https://get.containerlab.dev)\"\n\n# Install kind (kubernetes in docker), for more details see https://kind.sigs.k8s.io/docs/user/quick-start/#installation\nsudo curl -Lo /usr/local/bin/kind \"https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64\"\nsudo chmod +x /usr/local/bin/kind","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"The following ports are used statically on your host machine:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Port Bind Address Description\n6443 0.0.0.0 kube-apiserver of the kind cluster\n4443 0.0.0.0 HTTPS ingress\n4150 0.0.0.0 nsqd\n8080 0.0.0.0 HTTP ingress","category":"page"},{"location":"external/mini-lab/README/#Known-Limitations","page":"mini-lab","title":"Known Limitations","text":"","category":"section"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"to keep the demo small there is no EVPN\nmachine restart and destroy does not work because we cannot change the boot order via IPMI in the lab easily (virtual-bmc could, but it's buggy)\nlogin to the machines is possible with virsh console, login to the firewall is possible with SSH from your local machine","category":"page"},{"location":"external/mini-lab/README/#Try-it-out","page":"mini-lab","title":"Try it out","text":"","category":"section"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"git clone https://github.com/metal-stack/mini-lab.git\ncd mini-lab","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Start the mini-lab with a kind cluster, a metal-api instance as well as two containers wrapping leaf switches and another container that hosts two user-allocatable machines:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"make\n# containerlab will ask you for root permissions (https://github.com/srl-labs/containerlab/issues/669)","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"After the deployment and waiting for a short amount of time, two machines in status PXE booting become visible through metalctl machine ls:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"docker compose run --rm metalctl machine ls\n\nID LAST EVENT WHEN AGE HOSTNAME PROJECT SIZE IMAGE PARTITION\ne0ab02d2-27cd-5a5e-8efc-080ba80cf258   PXE Booting 3s\n2294c949-88f6-5390-8154-fa53d93a3313 PXE Booting 5s","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Wait until the machines reach the waiting state:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"docker compose run --rm metalctl machine ls\n\nID LAST EVENT WHEN AGE HOSTNAME PROJECT SIZE IMAGE PARTITION\ne0ab02d2-27cd-5a5e-8efc-080ba80cf258   Waiting 8s v1-small-x86 mini-lab\n2294c949-88f6-5390-8154-fa53d93a3313   Waiting 8s v1-small-x86 mini-lab","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Create a firewall and a machine with:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"make firewall\nmake machine","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Alternatively, you may want to issue the metalctl commands on your own:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"docker compose run --rm metalctl network allocate \\\n --partition mini-lab \\\n --project 00000000-0000-0000-0000-000000000000 \\\n --name user-private-network\n\n# lookup the network ID and create a machine\ndocker compose run --rm metalctl machine create \\\n --description test \\\n --name machine \\\n --hostname machine \\\n --project 00000000-0000-0000-0000-000000000000 \\\n --partition mini-lab \\\n --image ubuntu-20.04 \\\n --size v1-small-x86 \\\n --networks \n\n# create a firewall that is also connected to the virtual internet-mini-lab network\ndocker compose run --rm metalctl machine create \\\n --description fw \\\n --name fw \\\n --hostname fw \\\n --project 00000000-0000-0000-0000-000000000000 \\\n --partition mini-lab \\\n --image firewall-ubuntu-2.0 \\\n --size v1-small-x86 \\\n --networks internet-mini-lab,$(privatenet)","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"See the installation process in action","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"make console-machine01/02\n...\nUbuntu 20.04 machine ttyS0\n\nmachine login:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Two machines are now installed and have status \"Phoned Home\"","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"docker compose run --rm metalctl machine ls\nID LAST EVENT WHEN AGE HOSTNAME PROJECT SIZE IMAGE PARTITION\ne0ab02d2-27cd-5a5e-8efc-080ba80cf258   Phoned Home 2s 21s machine 00000000-0000-0000-0000-000000000000 v1-small-x86 Ubuntu 20.04 20200331 mini-lab\n2294c949-88f6-5390-8154-fa53d93a3313   Phoned Home 8s 18s fw 00000000-0000-0000-0000-000000000000 v1-small-x86 Firewall 2 Ubuntu 20200730 mini-lab","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Login with user name metal and the console password from","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"docker compose run --rm metalctl machine consolepassword e0ab02d2-27cd-5a5e-8efc-080ba80cf258","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"To remove the kind cluster, the switches and machines, run:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"make cleanup","category":"page"},{"location":"external/mini-lab/README/#Reinstall-machine","page":"mini-lab","title":"Reinstall machine","text":"","category":"section"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Reinstall a machine with","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"docker compose run --rm metalctl machine reinstall \\\n --image ubuntu-20.04 \\\n e0ab02d2-27cd-5a5e-8efc-080ba80cf258","category":"page"},{"location":"external/mini-lab/README/#Free-machine","page":"mini-lab","title":"Free machine","text":"","category":"section"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Free a machine with make free-machine01 or","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"docker compose run --rm metalctl machine rm e0ab02d2-27cd-5a5e-8efc-080ba80cf258","category":"page"},{"location":"external/mini-lab/README/#Flavors","page":"mini-lab","title":"Flavors","text":"","category":"section"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"There are two versions, or flavors, of the mini-lab environment which differ in regards to the NOS running on the leaves:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"cumulus – runs 2 Cumulus switches.\nsonic – runs 2 SONiC switches","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"In order to start specific flavor, you can define the flavor as follows:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"export MINI_LAB_FLAVOR=sonic\nmake","category":"page"},{"location":"external/mini-lab/README/#Page-Tree","page":"mini-lab","title":"Page Tree","text":"","category":"section"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Pages = vcat([[joinpath(root, file)[length(@__DIR__)+2:end] for file in files] for (root, dirs, files) in walkdir(@__DIR__)]...)","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/#metalctl-completion-zsh","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"Generate the autocompletion script for zsh","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/#Synopsis","page":"metalctl completion zsh","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"Generate the autocompletion script for the zsh shell.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"echo \"autoload -U compinit; compinit\" >> ~/.zshrc","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"To load completions in your current shell session:","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"source <(metalctl completion zsh)","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"To load completions for every new session, execute once:","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/#Linux:","page":"metalctl completion zsh","title":"Linux:","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"metalctl completion zsh > \"${fpath[1]}/_metalctl\"","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/#macOS:","page":"metalctl completion zsh","title":"macOS:","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"metalctl completion zsh > $(brew --prefix)/share/zsh/site-functions/_metalctl","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"You will need to start a new shell for this setup to take effect.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"metalctl completion zsh [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/#Options","page":"metalctl completion zsh","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":" -h, --help help for zsh\n --no-descriptions disable completion descriptions","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/#Options-inherited-from-parent-commands","page":"metalctl completion zsh","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/#SEE-ALSO","page":"metalctl completion zsh","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"metalctl completion\t - Generate the autocompletion script for the specified shell","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_describe/#metalctl-switch-describe","page":"metalctl switch describe","title":"metalctl switch describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_describe/","page":"metalctl switch describe","title":"metalctl switch describe","text":"describes the switch","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_describe/","page":"metalctl switch describe","title":"metalctl switch describe","text":"metalctl switch describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_describe/#Options","page":"metalctl switch describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_describe/","page":"metalctl switch describe","title":"metalctl switch describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_describe/#Options-inherited-from-parent-commands","page":"metalctl switch describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_describe/","page":"metalctl switch describe","title":"metalctl switch describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_describe/#SEE-ALSO","page":"metalctl switch describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_describe/","page":"metalctl switch describe","title":"metalctl switch describe","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"external/metalctl/docs/metalctl_context_short/#metalctl-context-short","page":"metalctl context short","title":"metalctl context short","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_context_short/","page":"metalctl context short","title":"metalctl context short","text":"only show the default context name","category":"page"},{"location":"external/metalctl/docs/metalctl_context_short/","page":"metalctl context short","title":"metalctl context short","text":"metalctl context short [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_context_short/#Options","page":"metalctl context short","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_context_short/","page":"metalctl context short","title":"metalctl context short","text":" -h, --help help for short","category":"page"},{"location":"external/metalctl/docs/metalctl_context_short/#Options-inherited-from-parent-commands","page":"metalctl context short","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_context_short/","page":"metalctl context short","title":"metalctl context short","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_context_short/#SEE-ALSO","page":"metalctl context short","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_context_short/","page":"metalctl context short","title":"metalctl context short","text":"metalctl context\t - manage metalctl context","category":"page"},{"location":"development/proposals/MEP4/README/#Multi-Tenancy-for-the-metal-api","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"info: Info\nThis document is work in progress.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"In the past we decided to treat the metal-api as a \"low-level API\", i.e. the API does not specifically deal with projects and tenants. A user with editor access can for example assign machines to every project he desires, he can see all the machines available and can control them. We tried to keep the metal-api code base as small as possible and we added resource scoping to a \"higher-level APIs\". From there, a user would be able to only see his own clusters and IP addresses.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"As time passed metal-stack has become an open-source project and people are willing to adopt. Adopters who want to put their own technologies on top of the metal-stack infrastructure don't have those \"higher-level APIs\" that we implemented closed-source for our user base. So, external adopters most likely need to implement resource scoping on their own.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"Introducing multi-tenancy to the metal-api is a serious chance of making our product better and more successful as it opens the door for:","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"Becoming a \"fully-featured\" API\nNarrowing down attack surfaces and possibility of unintended resource modification produced by bugs or human errors\nDiscouraging people to implement their own scoping layers in front of the metal-stack\nGaining performance through resource scopes\nLetting untrusted / third-parties work with the API","category":"page"},{"location":"development/proposals/MEP4/README/#Table-of-Contents","page":"Multi-Tenancy for the metal-api","title":"Table of Contents","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"Pages = [\"README.md\"]\nDepth = 5","category":"page"},{"location":"development/proposals/MEP4/README/#Requirements","page":"Multi-Tenancy for the metal-api","title":"Requirements","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"These are some general requirements / higher objectives that MEP-4 has to fulfill.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"Should be able to run with mini-lab without requiring to setup complex auth backends (dex, LDAP, keycloak, ...)\nSimple to start with, more complex options for production setups\nShould utilize auth mechanisms that we have already in place to best possible degree\nFine-grained access permissions (every endpoint maps to a permission)\nTenant scoping (disallow resource access to resources of other tenants)\nProject scoping (disallow resource access to resources of other projects)\nAccess tokens in self-service for technical user access","category":"page"},{"location":"development/proposals/MEP4/README/#Implementation","page":"Multi-Tenancy for the metal-api","title":"Implementation","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"We gathered a lot of knowledge while implementing a multi-tenancy-capable backend for metalstack.cloud. The goal is now to use the same technology and adopt that to the metal-api, this includes:","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"gRPC in combination with connectrpc\nOPA for making auth decisions\nREST HTTP only for OIDC login flows","category":"page"},{"location":"development/proposals/MEP4/README/#API-Definitions","page":"Multi-Tenancy for the metal-api","title":"API Definitions","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"The API definitions should be located on a separate Github repository separate from the server implementation. The proposed repository location is: https://github.com/metal-stack/api.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"This repository contains the proto3 specification of the exposed metal-stack api. This includes the messages, simple validations, services and the access permission to these services. The input parameters for the authorization in the backend are generated from the proto3 annotations.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"Client implementations for the most relevant languages (go, python) are generated automatically.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"This api is divided into end-user and admin access at the top level. The proposed APIs are:","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"api.v2: For end-user facing services\nadmin.v2: For operators and controllers which need access to unscoped entities","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"The methods of the API can have different role scopes (and can be narrowed down further with fine-grained method permissions):","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"tenant: Tenant-scoped methods, e.g. project creation (tenant needs to be provided in the request payload)\nAvailable roles: VIEWER, EDITOR, OWNER\nproject: Project-scoped methods, e.g. machine creation (tenant needs to be provided in the request payload)\nAvailable roles: VIEWER, EDITOR, OWNER\nadmin Admin-scoped methods, e.g. unscoped tenant list or switch register\nAvailable roles: VIEWER, EDITOR","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"And has methods with different visibility scopes:","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"self: Methods that only the logged in user can access, e.g. show permissions with the presented token\npublic: Methods that do not require any specific authorization\nprivate: Methods that are not exposed","category":"page"},{"location":"development/proposals/MEP4/README/#API","page":"Multi-Tenancy for the metal-api","title":"API","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"The API server implements the services defined in the API and validates access to a method using OPA with the JWT tokens passed in the requests. The server is implemented using the connectrpc.com framework.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"The API server implements the login flow through OIDC. After successful authentication, the API server derives user permissions from the OIDC provider and issues a new JWT token which is passed on to the user. The tokens including the permissions are stored in a redis compatible backend.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"With these tokens, users can create Access Tokens for CI/CD or other use cases.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"JWT Tokens can be revoked by admins and the user itself.","category":"page"},{"location":"development/proposals/MEP4/README/#API-Server","page":"Multi-Tenancy for the metal-api","title":"API Server","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"Is put into a new github repo which implements the services defined in the api repository. It opens a https endpoints where the grpc (via connectrpc.com) and oidc servives are exposed.","category":"page"},{"location":"development/proposals/MEP4/README/#Migration-of-the-Consumers","page":"Multi-Tenancy for the metal-api","title":"Migration of the Consumers","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"To allow consumers to migrate to the v2 API gradually, both apis, the new and the old, are deployed in parallel. In the control-plane both apis are deployed side-by-side behind the ingress. api.example.com is forwarded to metal-api and metal.example.com is forwarded to the new api-server.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"The api-server will talk to the existing metal-api during the process of migration services away to the new grpc api.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"The migration process can be done in the following manner:","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"for each resource in the metal-api:","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"create a new proto3 based definition in the api repo.\nimplement at least a small wrapper service in the api-server which asks the metal-api for this resource an maps the response back the caller in the grpc format.\nidentify all consumers of this resource and replace them to use the grpc instead of the rest api\nmove the business logic incl. the backend calls to ipam, metal-db, masterdata-ap, nsq for this resource from the metal-api to the api-server","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"We will try to migrate the rethinkdb backend implementation to a generic approach during this effort.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"There are a lot of consumers of metal-api, which need to be migrated:","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"ansible\nfirewall-controller\nfirewall-controller-manager\ngardener-extension-auth\ngardener-extension-provider-metal\nDo not point the secret bindings to a the shared provider secret in the seed anymore. Instead, use individual provider-secret containing project-scoped API access tokens in the Gardener project namespaces.\nmachine-controller-manager-provider-metal\nmetal-ccm\nmetal-console\nmetal-bmc\nmetal-core\nmetal-hammer\nmetal-image-cache-sync\nmetal-images\nmetal-metrics-exporter\nmetal-networker\nmetalctl\npixie","category":"page"},{"location":"development/proposals/MEP4/README/#User-Scenarios","page":"Multi-Tenancy for the metal-api","title":"User Scenarios","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"This section gathers a collection of workflows from the perspective of a user that we want to provide with the implementation of this proposal.","category":"page"},{"location":"development/proposals/MEP4/README/#Machine-Creation","page":"Multi-Tenancy for the metal-api","title":"Machine Creation","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"A regular user wants to create a machine resource.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"Requirements: Project was created, permissions are present","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"The user can see networks that were provided by the admin.\n$ metalctl network ls\nID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS\ninternet Internet Network true false 212.34.83.0/27  ●\ntenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ●\nunderlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ●\nThe user has to set the project scope first or provide --project flags for all commands.\n$ metalctl project set 793bb6cd-8b46-479d-9209-0fedca428fe1\nYou are now acting on project 793bb6cd-8b46-479d-9209-0fedca428fe1.\nThe user can create the child network required for machine allocation.\n$ metalctl network allocate --partition fra-equ01 --name test\nNow, the user sees his own child network.\n$ metalctl network ls\nID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS\ninternet Internet Network true false 212.34.83.0/27  ●\ntenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ●\n└─╴08b9114b-ec47-4697-b402-a11421788dc6 test 793bb6cd-8b46-479d-9209-0fedca428fe1 fra-equ01 false false 10.128.64.0/22  ●\nunderlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ●\nThe user does not see any machines yet.\n$ metalctl machine ls\nThe user can create a machine.\n$ metalctl machine create --networks internet,08b9114b-ec47-4697-b402-a11421788dc6 --name test --hostname test --image ubuntu-20.04 --partition fra-equ01 --size c1-xlarge-x86`\nThe machine will now be provisioned.\n$ metalctl machine ls\nID LAST EVENT WHEN AGE HOSTNAME PROJECT SIZE IMAGE PARTITION\n00000000-0000-0000-0000-ac1f6b7befb2 Phoned Home 20s 50d 4h test 793bb6cd-8b46-479d-9209-0fedca428fe1 c1-xlarge-x86 Ubuntu 20.04 20210415 fra-equ01","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"warning: Warning\nA user cannot list all allocated machines for all projects. The user must always switch project context first and can only view the machines inside this project. Only admins can see all machines at once.","category":"page"},{"location":"development/proposals/MEP4/README/#Scopes-for-Resources","page":"Multi-Tenancy for the metal-api","title":"Scopes for Resources","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"The admins / operators of the metal-stack should be able to provide global resources that users are able to use along with their own resources. In particular, users can view and use global resources, but they are not allowed to create, modify or delete them.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"info: Info\nWhen a project ID field is empty on a resource, the resource is considered global.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"Where possible, users should be capable of creating their own resource entities.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"Resource User Global\nFile System Layout yes yes\nFirewall yes \nFirmware yes\nOS Image yes\nMachine yes \nNetwork (Base) yes\nNetwork (Children) yes \nIP yes \nPartition yes\nProject yes \nProject Token yes \nSize yes\nSwitch \nTenant yes","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"info: Info\nExample: A user can make use of the file system layouts provided by the admins, but can also create own layouts. Same applies for images. As soon as a user creates own resources, the user takes over the responsibility for the machine provisioning to succeed.","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_list/#metalctl-size-reservation-list","page":"metalctl size reservation list","title":"metalctl size reservation list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_list/","page":"metalctl size reservation list","title":"metalctl size reservation list","text":"list all reservations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_list/","page":"metalctl size reservation list","title":"metalctl size reservation list","text":"metalctl size reservation list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_list/#Options","page":"metalctl size reservation list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_list/","page":"metalctl size reservation list","title":"metalctl size reservation list","text":" -h, --help help for list\n --id string the id to filter\n --partition string the partition id to filter\n --project string the project id to filter\n --size string the size id to filter\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: amount|id|partition|project|size","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_list/#Options-inherited-from-parent-commands","page":"metalctl size reservation list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_list/","page":"metalctl size reservation list","title":"metalctl size reservation list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_list/#SEE-ALSO","page":"metalctl size reservation list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_list/","page":"metalctl size reservation list","title":"metalctl size reservation list","text":"metalctl size reservation\t - manage reservation entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation/#metalctl-size-reservation","page":"metalctl size reservation","title":"metalctl size reservation","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation/","page":"metalctl size reservation","title":"metalctl size reservation","text":"manage reservation entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation/#Synopsis","page":"metalctl size reservation","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation/","page":"metalctl size reservation","title":"metalctl size reservation","text":"manage size reservations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation/#Options","page":"metalctl size reservation","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation/","page":"metalctl size reservation","title":"metalctl size reservation","text":" -h, --help help for reservation","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation/#Options-inherited-from-parent-commands","page":"metalctl size reservation","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation/","page":"metalctl size reservation","title":"metalctl size reservation","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation/#SEE-ALSO","page":"metalctl size reservation","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation/","page":"metalctl size reservation","title":"metalctl size reservation","text":"metalctl size\t - manage size entities\nmetalctl size reservation apply\t - applies one or more reservations from a given file\nmetalctl size reservation create\t - creates the reservation\nmetalctl size reservation delete\t - deletes the reservation\nmetalctl size reservation describe\t - describes the reservation\nmetalctl size reservation edit\t - edit the reservation through an editor and update\nmetalctl size reservation list\t - list all reservations\nmetalctl size reservation update\t - updates the reservation\nmetalctl size reservation usage\t - see current usage of size reservations","category":"page"},{"location":"external/metalctl/docs/metalctl_network_describe/#metalctl-network-describe","page":"metalctl network describe","title":"metalctl network describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_describe/","page":"metalctl network describe","title":"metalctl network describe","text":"describes the network","category":"page"},{"location":"external/metalctl/docs/metalctl_network_describe/","page":"metalctl network describe","title":"metalctl network describe","text":"metalctl network describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_describe/#Options","page":"metalctl network describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_describe/","page":"metalctl network describe","title":"metalctl network describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_network_describe/#Options-inherited-from-parent-commands","page":"metalctl network describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_describe/","page":"metalctl network describe","title":"metalctl network describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_describe/#SEE-ALSO","page":"metalctl network describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_describe/","page":"metalctl network describe","title":"metalctl network describe","text":"metalctl network\t - manage network entities","category":"page"},{"location":"external/metalctl/docs/metalctl_project_update/#metalctl-project-update","page":"metalctl project update","title":"metalctl project update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_update/","page":"metalctl project update","title":"metalctl project update","text":"updates the project","category":"page"},{"location":"external/metalctl/docs/metalctl_project_update/","page":"metalctl project update","title":"metalctl project update","text":"metalctl project update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_project_update/#Options","page":"metalctl project update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_update/","page":"metalctl project update","title":"metalctl project update","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl project describe project-1 -o yaml > project.yaml\n $ vi project.yaml\n $ # either via stdin\n $ cat project.yaml | metalctl project update -f -\n $ # or via file\n $ metalctl project update -f project.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_project_update/#Options-inherited-from-parent-commands","page":"metalctl project update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_update/","page":"metalctl project update","title":"metalctl project update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_project_update/#SEE-ALSO","page":"metalctl project update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_update/","page":"metalctl project update","title":"metalctl project update","text":"metalctl project\t - manage project entities","category":"page"},{"location":"development/proposals/MEP6/README/#DMZ-Networks","page":"DMZ Networks","title":"DMZ Networks","text":"","category":"section"},{"location":"development/proposals/MEP6/README/#Reasoning","page":"DMZ Networks","title":"Reasoning","text":"","category":"section"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"To fulfill higher levels of security measures the standard metal-stack approach with a single firewall in front of a set of machines might be insufficient. There are cases where two physically distinct firewalls in front of application workload are mandatory. In traditional network terms this is known as DMZ approach.","category":"page"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"For Kubernetes workloads it makes sense to use the front cluster for ingress, WAF purposes and as outgoing proxy. The clusters may be used for application workload.","category":"page"},{"location":"development/proposals/MEP6/README/#DMZ-network","page":"DMZ Networks","title":"DMZ network","text":"","category":"section"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"Use a separate DMZ network prefix for every tenant\nThis is used as intermediate network btw. private networks of a tenant and the internet\nFor every partition a distinct DMZ firewall/cluster is needed for a tenant\nFor Gardener orchestrated Kubernetes clusters this network must be a publicly reachable internet prefix because shoot clusters need a vpn service that is used for instrumentation from the seed cluster - this will be a requirement as long as the inverse vpn tunnel feature Konnectivity is not available to us.","category":"page"},{"location":"development/proposals/MEP6/README/#Approach-1:-DMZ-with-publicly-reachable-internet-prefix","page":"DMZ Networks","title":"Approach 1: DMZ with publicly reachable internet prefix","text":"","category":"section"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"(Image: DMZ Internet)","category":"page"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"A DMZ network with publicly reachable internet prefix will look like this in the metal-api:","category":"page"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"---\ndescription: DMZ-Network\ndestinationprefixes:\n- 0.0.0.0/0\nid: dmz\nlabels:\n network.metal-stack.io/default-external: \"\"\nname: DMZ-Network\nparentnetworkid: null\npartitionid: \"\"\nprefixes:\n- 212.90.30.128/25\nprivatesuper: false\nprojectid: \"\"\nvrf: 104007\nvrfshared: false\nnat: true\nshared: false\nunderlay: false","category":"page"},{"location":"development/proposals/MEP6/README/#DMZ-firewall","page":"DMZ Networks","title":"DMZ firewall","text":"","category":"section"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet.","category":"page"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"The private network of the project needs to import\nthe default route from the internet network\nthe DMZ network\nThe internet network must import the DMZ network\nThe DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network","category":"page"},{"location":"development/proposals/MEP6/README/#Application-Firewall","page":"DMZ Networks","title":"Application Firewall","text":"","category":"section"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"The firewall of application workloads intersects its private network for attached machines and the DMZ network.","category":"page"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"This is currently supported by the metal-networker and needs no further changes!","category":"page"},{"location":"development/proposals/MEP6/README/#Approach-2:-DMZ-with-private-IPs","page":"DMZ Networks","title":"Approach 2: DMZ with private IPs","text":"","category":"section"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"(Image: DMZ Internet)","category":"page"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"A DMZ network with private IPs will look like this in the metal-api:","category":"page"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"---\ndescription: DMZ-Network\ndestinationprefixes:\n- 0.0.0.0/0\nid: dmz\nlabels:\n network.metal-stack.io/default-external: \"\"\nname: DMZ-Network\nparentnetworkid: tenant-super-network-fra-equ01\npartitionid: fra-equ01\nprefixes:\n- 10.90.30.128/25\nprivatesuper: false\nprojectid: \"\"\nvrf: 4711\nvrfshared: false\nnat: true\nshared: true # it's usable from multiple projects\nunderlay: false","category":"page"},{"location":"development/proposals/MEP6/README/#DMZ-firewall-2","page":"DMZ Networks","title":"DMZ firewall","text":"","category":"section"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet.","category":"page"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"The private network of the project needs to import\nthe default route from the internet network\nthe DMZ network\nThe internet network must import the DMZ network (only locally, no-export)\nThe DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network","category":"page"},{"location":"development/proposals/MEP6/README/#Application-Firewall-2","page":"DMZ Networks","title":"Application Firewall","text":"","category":"section"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"The firewall of application workloads intersects its private network for attached machines and the DMZ network. ","category":"page"},{"location":"development/proposals/MEP6/README/#Code-Changes-/-Implications","page":"DMZ Networks","title":"Code Changes / Implications","text":"","category":"section"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"metal-networker and metal-ccm assume that there is only one network providing the default-route\nmetal-networker needs to\nimport the default route from the internet network to the dmz network (DMZ Firewall)\nimport the DMZ network to the internet network and adjusting NAT rules (DMZ Firewall)\nimport destination prefixes of the DMZ network to the private primary network (DMZ Firewall, Application Firewall)\nimport DMZ-IPs of the private primary network to the DMZ network (DMZ Firewall, Application Firewall)\nmetal-api: destination prefixes of private networks need to be configurable (allocateNetwork)\ngardener-extension-provider-metal: needs to be able to delete DMZ clusters (but skip the network deletion part)\nthe application firewall is not publicly reachable - for debugging purposes a hop over the DMZ firewall is needed","category":"page"},{"location":"development/proposals/MEP6/README/#Decision","page":"DMZ Networks","title":"Decision","text":"","category":"section"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"We decided to follow the second approach with private DMZ networks.","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_describe/#metalctl-size-reservation-describe","page":"metalctl size reservation describe","title":"metalctl size reservation describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_describe/","page":"metalctl size reservation describe","title":"metalctl size reservation describe","text":"describes the reservation","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_describe/","page":"metalctl size reservation describe","title":"metalctl size reservation describe","text":"metalctl size reservation describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_describe/#Options","page":"metalctl size reservation describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_describe/","page":"metalctl size reservation describe","title":"metalctl size reservation describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_describe/#Options-inherited-from-parent-commands","page":"metalctl size reservation describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_describe/","page":"metalctl size reservation describe","title":"metalctl size reservation describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_describe/#SEE-ALSO","page":"metalctl size reservation describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_describe/","page":"metalctl size reservation describe","title":"metalctl size reservation describe","text":"metalctl size reservation\t - manage reservation entities","category":"page"},{"location":"quickstart/#Getting-Started","page":"Quickstart","title":"Getting Started","text":"","category":"section"},{"location":"quickstart/","page":"Quickstart","title":"Quickstart","text":"Before starting to buy any hardware, you should try out the metal-stack on your notebook and familiarize with the software.","category":"page"},{"location":"quickstart/","page":"Quickstart","title":"Quickstart","text":"For this, we made the mini-lab.","category":"page"},{"location":"quickstart/","page":"Quickstart","title":"Quickstart","text":"The mini-lab is a fully virtual setup of metal-stack and is supposed to be run locally on a single machine. For this reason, the setup was slightly simplified in comparison to full-blown setups on real hardware. However, the lab should help to understand all ideas behind the metal-stack.","category":"page"},{"location":"quickstart/","page":"Quickstart","title":"Quickstart","text":"Get your hands dirty and follow the guide on how to get on with the mini-lab here.","category":"page"},{"location":"overview/networking/#Networking","page":"Networking","title":"Networking","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"We spent a lot of time on trying to provide state-of-the-art networking in the data center. This document describes the requirements, ideas and implementation details of the network topology that hosts the metal-stack.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The document is separated into three main sections describing the constraints, theoretical ideas and implementation details.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Pages = [\"networking.md\"]\nDepth = 5","category":"page"},{"location":"overview/networking/#Requirements","page":"Networking","title":"Requirements","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Finding the requirements for this greenfield project was kicked off with a handful of design parameters that included:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Investigation of the idea of a layer-3 based infrastructure to overcome the drawbacks of traditional layer-2 architectures.\nApplication of a routing technology that involves a single stand-alone protocol BGP for operational simplicity.\nUtilization of the overlay virtual network technology EVPN to support cost-effective scaling, efficient network information exchange and a manageable amount of administration effort.\nApplying the routing topology on top of a completely new physical infrastructure that is designed as a CLOS network topology.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Evaluation of those parameters led to more specific requirements:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Physical Wiring:\nThe data center is made of a leaf-spine CLOS topology containing:\nleaf switches\nspine switches\nexit switches\nmanagement server\nmanagement switch\ntenant servers\ntenant firewalls.\nBare metal servers are dual-attached to leaf switches. The bare metal servers either become tenant servers or firewalls for a group of tenant servers.\nAll network switches are connected to a management switch. A management server provides access to this management network.\nNetwork Operation Characteristics:\nIPv4 based network.\nNo IPv6 deployment.\nUtilization of external BGP.\nNumbered BGP only for peerings at exit switches with third parties (Internet Service Provider).\nOverall BGP unnumbered.\n4-byte private ASN instead of default 2-byte ASN for BGP.\nNetwork operation relies on SONiC Linux.\nBleeding edge Routing-to-the-Host/EVPN-to-the-Host with ordinary Linux distributions.\nLayer-3 routing using BGP and VXLAN/EVPN.\nEvery VTEP acts as a layer-3 gateway and does routing. Routing is done on both the ingress and the egress VTEP (aka distributed symmetric routing).\nTenant isolation is realized with VRF.\nInternet Access is implemented with route leak on the firewall servers and during the PXE-Process with route leak on the exit switches.\nMTU 9216 is used for VXLAN-facing interfaces, otherwise MTU 9000 is used.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Furthermore, requirements such as operational simplicity and network stability that a small group of people can effectively support have been identified being a primary focus for building metal-stack.","category":"page"},{"location":"overview/networking/#Concept","page":"Networking","title":"Concept","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The theoretical concept targets the aforementioned requirements. New technologies have been evaluated to apply the best solutions. The process was heavily inspired by the work of Dinesh G. Dutt regarding BGP (bgp-ebook), EVPN (evpn-ebook) and the his 2019 work \"Cloud Native Data Center Networking\" (O'Reilly), which teaches some interesting basics.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"External BGP together with network overlay concepts as EVPN can address the essential demands. These revolutionary concepts are part of the next evolutionary step in data center design. It overcomes common issues of traditional layer 2 architectures (e.g. VLAN limitations, network visibility for operations, firewall requirements) by introducing a layer 3 based network topology.","category":"page"},{"location":"overview/networking/#CLOS","page":"Networking","title":"CLOS","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"A CLOS topology is named after the pioneer Charles Clos (short: CLOS) who first formalized this approach. CLOS defines a multistage network topology that is used today to improve performance and resilience while enabling a cost effective scalability. A CLOS topology comprises network switches aggregated into spine and leaf layers. Each leaf switch (short: leaf) is connected to all spine switches (short: spine) but there is no direct leaf-to-leaf or spine-to-spine connection (See: picture 1).","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"(Image: 2 Layer CLOS Topology)","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Picture 1: Fragment of CLOS to show leaf-spine layer.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"This data center network architecture, based on a leaf-spine architecture, is also know as \"two-tier\" CLOS topology.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"(Image: 3 Layer CLOS Topology)","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Picture 2: Fragment to show a 3-stage, 2-layer CLOS topology.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Tenant servers are dual-attached to the leaf layer in order to have redundancy and load balancing capability (Picture 2). The set of leaves, spine switches and tenant servers define stages. From top down each server is reachable with 3 hops (spine -> leaf -> server). This is why that CLOS design is called a 3-stage CLOS. Consistent latency throughout the data center are an outcome of this design.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"It is not only important to have a scalable and resilient infrastructure but also to support planning and operation teams. Visibility within the network is of significant meaning for them. Consequently layer-3 routing in favor of layer-2 bridging provides this kind of tooling.","category":"page"},{"location":"overview/networking/#BGP","page":"Networking","title":"BGP","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"For routing the Border Gateway Protocol (BGP), more specific: External BGP was selected. Extensive testing and operational experiences have shown that External BGP is well suited as a stand-alone routing protocol (see: RFC7938).","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Not all tenant servers are connected to the same leaf. Instead they can be distributed among any of the leaves of the data center. To not let this detail restrict the intra-tenant communication it is required to interconnect those layer-2 domains. In the context of BGP there is a concept of overlay networking with VXLAN/ EVPN that was evaluated to satisfy the needs of the metal-stack.","category":"page"},{"location":"overview/networking/#BGP-Unnumbered","page":"Networking","title":"BGP Unnumbered","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"In BGP traditionally each BGP peer-facing interface requires a separate IPv4 address. This consumes a lot of IP addresses. RFC 5549 defines the BGP unnumbered standard. It allows to use interface's IPv6 link local address (LLA) to set up a BGP session with a peer. With BGP unnumbered the IPv6 LLA of the remote is automatically discovered via Router Advertisement (RA) protocol. Important: This does not (!) mean that IPv6 must be deployed in the network. BGP uses RFC 5549 to encode IPv4 routes as reachable over IPv6 next-hop using the LLA. Having unnumbered interfaces does not mean no IPv4 address may be in place. It is a good practice to configure an IP address to the never failing and always present local loopback interface (lo). This lo address is reachable over BGP from other peers because the RFC 5549 standard provides an encoding scheme to allow a router to advertise IPv4 routes with an IPv6 next-hop. BGP unnumbered also has an advantage from security perspective. It removes IPv4 and global IPv6 addresses from router interfaces, thus reducing the attack vector.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To sum it up:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"BGP unnumbered uses IPv6 next-hops to announce IPv4 routes.\nThere is no IPv6 deployment in the network required.\nIPv6 just has to be enabled on the BGP peers to provide LLA and RA.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"In External BGP, ASN is how BGP peers know each other.","category":"page"},{"location":"overview/networking/#ASN-Numbering","page":"Networking","title":"ASN Numbering","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Within the data center each BGP router is identified by a private autonomous system number (ASN). This ASN is used for internal communication. The default is to have 2-byte ASN. To avoid having to find workarounds in case the ASN address space is exhausted, a 4-byte ASN (see RFC 6793) that supports up to 95 million private ASNs (4200000000–4294967294, see RFC 6996) is used from the beginning.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"ASN numbering in a CLOS topology should follow a model to avoid routing problems (path hunting) due to it's redundant nature. Within a a two-tier CLOS topology the following ASN numbering model is suggested to solve path hunting problems:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Leaves have unique ASN\nSpines share an ASN\nExit switches share an ASN","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"A illustrated example of the background of this architecture decision can be inspected in the chapter \"BGP’s ASN Numbering Scheme\" (\"BGP’S PATH HUNTING PROBLEM\") of the previously mentioned \"Cloud Native Data Center Networking\" book.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To summarize that, one can say: Since all nodes receive or know the physical connection status of all other nodes in the network, the nodes potentially have routing information that they do not know whether they still have up to date, since it takes some time before they are fully distributed in the network. Routes to nodes may actually no longer exist (because not a single link to the node, but the node itself has failed) or the path may have changed. To determine how and whether a particular node can be reached, a path search must therefore be carried out at all its communication partners or BGP routers. Essentially, the sharing of ASNs reduces the transmission of incorrect or outdated path information (this reduces path transmissions and calculations and thus saves resources).","category":"page"},{"location":"overview/networking/#Address-Families","page":"Networking","title":"Address-Families","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"As stated, BGP is a multi-protocol routing protocol. Since it is planned to use IPv4 and overlay networks using EVPN/VXLAN several address-families have to be activated for the BGP sessions to use:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"IPv4 unicast address-family\nL2 EVPN address-family","category":"page"},{"location":"overview/networking/#EVPN","page":"Networking","title":"EVPN","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Ethernet VPN (EVPN, see RFC 7432) is an overlay virtual network that connects layer-2 segments over layer-3 infrastructure. EVPN is an answer to common problems of entire layer-2 data centers.","category":"page"},{"location":"overview/networking/#The-necessity-of-EVPN","page":"Networking","title":"The necessity of EVPN","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Challenges such as large failure domains, spanning tree complexities, difficult troubleshooting and scaling issues are addressed by EVPN:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"administration: less routers are involved in configuration (with VLAN every switch on routing-paths needs VLAN awareness). The configuration is less error prone due to the nature of EVPN and the good support in FRR.\nscaling: EVPN overcomes scaling issues with traditional VLANs (max. 4094 VLANs).\ncost-effectiveness: EVPN is an overlay virtual network. Not every switch on the routing path needs EVPN awareness. This enables the use of standard routers (in contrast to traditional VLAN); e.g.: spine switches act only as EVPN information replicator and do not need to have knowledge of specific virtual networks.\nefficiency: EVPN information is exclusively exchanged via BGP (Multiprotocol BGP, see RFC 4760). Only a single eBGP session is needed to advertise layer-2 reachability. No other protocols beneath BGP are involved and flood traffic is reduced to a minimum (no \"flood-and-learn\", no BUM traffic).","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Virtual routing permits multiple network paths without the need of multiple switches. Hence the servers are logically isolated by assigning their networks to dedicated virtual routers using virtual routing and forwarding (short, VRF, see Linux Virtual Routing and Forwarding and SONiC VRF support).","category":"page"},{"location":"overview/networking/#The-operation-of-EVPN","page":"Networking","title":"The operation of EVPN","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"EVPN (technology) is based on BGP as control plane protocol (underlay) and VXLAN as data plane protocol (overlay).","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"As EVPN is an overlay network, only the VXLAN Tunnel End Points (VTEPs) must be configured. In the case of two-tier CLOS networks leaf switches are tunnel endpoints.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"As described earlier, a dedicated VRF is used for each new tenant. VRF enables true multi-tenancy/isolation for routing tables. This is why the same ip-addresses or -networks can be used for tenants with different meanings without collisions or conflicts.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"In EVPN routing is assumed to occur in the context of a VRF. VRF enables true multitenancy/isolatation for routing tables. Therewith, VRF is the first step for EVPN configuration and there is a 1:1 relationship between tenant and VRF.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To enable layer-2 connectivity, we need a special interface to route between layer-2 networks. This interface is called Switched VLAN Interface (SVI). The SVI is realized with a VLAN. It is part of a VRF (layer-3).","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The VTEP configuration requires the setup of a VXLAN interface. A VLAN aware bridge interconnects the VXLAN interface and the SVI.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Required resources to establish the EVPN control plane:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"VRF: because routing happens in the context of this interface.\nSVI: because remote host routes for symmetric routing are installed over this interface.\nVLAN-aware bridge: because router MAC addresses of remote VTEPs are installed over this interface.\nVXLAN Interface / VXLAN Tunnel Endpoint: because the VRF to layer-3 VNI mapping has to be consistent across all VTEPs)","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"(Image: EVPN VTEP)","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Picture 3: Required interfaces on the switch to wire up the vrf to swp 1 connectivity with a given vxlan","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Integrated routing and bridging (IRB) is the most complex part of EVPN. You could choose between centralized or distributed routing, and between asymmetrical (routing on ingress) or symmetrical (routing on ingress and egress) routing. We expect a lot of traffic within the data center itself which implies the need to avoid zigzag routing. This is why we go with distributed routing model. Further it is recommended to use the symmetric model since it makes the cut in most cases and has advantages in scalability (see \"EVPN in the Data Center\", Dinesh G. Dutt).","category":"page"},{"location":"overview/networking/#MTU","page":"Networking","title":"MTU","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"In a layer-3 network it is important to associate each interface with a proper Maximum Transmission Unit (MTU) to avoid fragmentation of IP packets. Typical modern networks do not fragment IP packets and the introduction of VXLAN adds another additional header to the packets that must not exceed the MTU. If the MTU is exceeded, VXLAN might just fail without error. This already represents a difficult-to-diagnose connectivity issue that has to be avoided.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"It is common practice to set the MTU for VXLAN facing interfaces (e.g. inter-switch links) to a value of 9216 to compensate the additional VXLAN overhead and an MTU of 9000 as a default to other interfaces (e.g. server facing ports). The common MTU of 1500 is not sufficient for traffic inside a data center!","category":"page"},{"location":"overview/networking/#VRF","page":"Networking","title":"VRF","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Routing is needed for communication between VXLAN tunnels or between a VXLAN tunnel and an external networks. VXLAN routing supports layer-3 multi-tenancy. All routing occurs in the context of a VRF. There is a 1:1 relation of a VRF to a tenant. Picture 3 illustrates this. Servers A and B belong to the same vrf VRF1. Server C is enslaved into VRF2. There is no communication possible between members of VRF1 and those of VRF2.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"(Image: Two routing tables)","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Picture 4: Illustration of two distinct routing tables of VRF1 (enslaved: servers A and B) and VRF2 (enslaved: server C)","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To leaverage the potential and power of BGP, VRF, EVPN/VXLAN without a vendor lock-in the implementation relies on hardware that is supported by open network operating system: SONiC.","category":"page"},{"location":"overview/networking/#Implementation","page":"Networking","title":"Implementation","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Implementation of the network operation requires the data center infrastructure to be in place. To implement a functional meaning for the parts of the CLOS network, all members must be wired accordingly.","category":"page"},{"location":"overview/networking/#Physical-Wiring","page":"Networking","title":"Physical Wiring","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Reference: See the CLOS overview picture","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Name Wiring\nTenant server (aka Machine) Bare metal server that is associated to a tenant. Dual-connected to leafs.\nTenant firewall Bare metal server that is associated to a tenant. Dual-connected to leafs.\nLeaf Network Switch that interconnects tenant servers and firewalls. Connected to spines.\nSpine Network switch that interconnects leafs and exit switches.\nExit Network switch that connects to spines and interconnects to external networks.\nManagement Server Jump-host to access all network switches within the CLOS topology for administrative purpose.\nManagement Switch Connected to the management port of each of the network switches.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Tenant servers are organized into a layer called projects. In case those tenant servers require access to or from external networks, a new tenant server to function as a firewall is created. Leaf and spine switches form the fundament of the CLOS network to facilitate redundancy, resilience and scalability. Exit switches establish connectivity to or from external networks. Management Switch and Management Server are mandatory parts that build a management network to access the network switches for administration.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To operate the CLOS topology, software defined configuration to enable BGP, VRF, EVPN and VXLAN must be set up.","category":"page"},{"location":"overview/networking/#Network-Operating-Systems","page":"Networking","title":"Network Operating Systems","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"SONiC as the network operating system will be installed on all network switches (leaves, spines, exit switches) within the CLOS topology. SONiC cannot be installed on bare metal servers that require BGP/EVPN but does not have a switching silicon.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Components without a switching silicon are:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"tenant servers\ntenant firewalls\nmanagement server","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"There exist two paradigms to use BGP and/or VXLAN/EVPN on non switching bare metal servers: BGP-to-the-host and EVPN-to-the-host. Both describe a setup of Free Range Routing Framework (see frrouting.org) and its configuration. FRR seamlessly integrates with the native Linux IP networking stacks.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Starting with an explanation of the tenant server's BGP-to-the-Host helps to get an insight into the setup of the CLOS network from a bottom-up perspective.","category":"page"},{"location":"overview/networking/#Tenant-Servers:-BGP-to-the-Host","page":"Networking","title":"Tenant Servers: BGP-to-the-Host","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Tenant servers are dual-connected to leaf switches. To communicate with other servers or reach out to external networks they must join a BGP session with each of the leaf switches. Thus, it is required to bring BGP to those hosts (aka BGP-to-the-Host). Each tenant server becomes a BGP router (aka BGP speaker).","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"BGP-to-the-Host is established by installing and configuring FRR. The required FRR configuration for tenant servers is limited to a basic setup to peer with BGP next-hops:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/network/interfaces\n\nauto lo\niface lo inet static\n address 10.0.0.1/32\n\nauto lan0\niface lan0 inet6 auto\n mtu 9000\n\nauto lan1\niface lan1 inet6 auto\n mtu 9000","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 1: Network interfaces of a tenant server.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 1 shows the local interfaces configuration. lan0 and lan1 connect to the leaves. As described, there is no IPv4 address assigned to them (BGP unnumbered). The local loopback has an IPv4 address assigned that is announced by BGP.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The required BGP configuration:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/frr/frr.conf\n\nfrr version 7.0\nfrr defaults datacenter\nlog syslog debugging\nservice integrated-vtysh-config\n!\ninterface lan0\n ipv6 nd ra-interval 6\n no ipv6 nd suppress-ra\n!\ninterface lan1\n ipv6 nd ra-interval 6\n no ipv6 nd suppress-ra\n!\nrouter bgp 4200000001\n bgp router-id 10.0.0.1\n bgp bestpath as-path multipath-relax\n neighbor TOR peer-group\n neighbor TOR remote-as external\n neighbor TOR timers 1 3\n neighbor lan0 interface peer-group TOR\n neighbor lan1 interface peer-group TOR\n neighbor LOCAL peer-group\n neighbor LOCAL remote-as internal\n neighbor LOCAL timers 1 3\n neighbor LOCAL route-map local-in in\n bgp listen range 10.244.0.0/16 peer-group LOCAL\n address-family ipv4 unicast\n redistribute connected\n neighbor TOR route-map only-self-out out\n exit-address-family\n!\nbgp as-path access-list SELF permit ^$\n!\nroute-map local-in permit 10\n set weight 32768\n!\nroute-map only-self-out permit 10\n match as-path SELF\n!\nroute-map only-self-out deny 99\n!","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 2: FRR configuration of a tenant server.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The frr configuration in Listing 2 starts with frr defaults datacenter. This is a marker that enables compile-time provided settings that e.g. set specific values for BGP session timers. This is followed by a directive to state that instead of several configuration files for different purposes a single frr.conf file is used: service integrated-vtysh-config. The two interface specific blocks starting with interface ... enable the RA mechanism that is required for BGP unnumbered peer discovery. There is a global BGP instance configuration router bgp 4200000001 that sets the private ASN. The BGP router configuration contains a setup that identifies the BGP speaker bgp router-id 10.0.0.1. This router id should be unique. It is a good practice to assign the local loopback IPv4 as router-id. To apply the same configuration to several interfaces a peer group named TOR is defined via neighbor TOR peer-group. remote-as external activates external BGP for this peer group. To have a fast convergence, limits of default timers are reduced by timer 1 3 section. The two BGP-peer-facing interfaces are enslaved into the peer-group to inherit the peer-group's setup. Activation of IPv4 unicast protocol is completed with address-family ipv4 unicast. To prevent a tenant server from announcing other paths than lo interface a route-map only-self-out is defined. This route map is activated within the ipv4 address family: neighbor TOR route-map only-self-out out.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Application of the route map only-self-out enables to announce only local ip(s). This is to avoid that a tenant server announces paths to other servers (prevents unwanted traffic). To achieve this:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"the route-map named only-self-out permits only matches against an access list named SELF\naccess list SELF permits only empty path announcements\nthe path of the tenant server itself has no ASN. It is always empty (see line *> 10.0.0.2/32 0.0.0.0 0 32768 ?):\nroot@machine:~# vtysh -c 'show bgp ipv4 unicast'\nBGP table version is 7, local router ID is 10.0.0.2, vrf id 0\nDefault local pref 100, local AS 4200000002\nStatus codes: s suppressed, d damped, h history, * valid, > best, = multipath,\n i internal, r RIB-failure, S Stale, R Removed\nNexthop codes: @NNN nexthop's vrf id, < announce-nh-self\nOrigin codes: i - IGP, e - EGP, ? - incomplete\n\n Network Next Hop Metric LocPrf Weight Path\n*= 0.0.0.0/0 lan1 0 4200000012 4200000040 i\n*> lan0 0 4200000011 4200000040 i\n*= 10.0.0.1/32 lan1 0 4200000012 4200000001 ?\n*> lan0 0 4200000011 4200000001 ?\n*> 10.0.0.2/32 0.0.0.0 0 32768 ?\n*= 10.0.0.78/32 lan1 0 4200000012 4200000001 ?\n*> lan0 0 4200000011 4200000001 ?\n\nDisplayed 4 routes and 7 total paths\nThat is why only the self ip (loopback ip) is announced.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To allow for peering between FRR and other routing daemons on a tenant server a listen range is specified to accept iBGP sessions on the network 10.244.0.0/16. Therewith it gets possible that pods / containers like metal-lb with IPs of this range may peer with FRR.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"This is the only place where we use iBGP in our topology. For local peering this has the advantage, that we don't need an additional ASN that has to be handled / pruned in the AS-path of routes. Routes coming from other routing daemons look as if they are configured on the tenant server's lo interface from the viewpoint of the leaves. iBGP routes are differently handled than eBGP routes in BGPs best path algorithm. Generally BGP has the rule to prefer eBGP routes over iBGP routes (see 'eBGP over iBGP' ). BGP adds automatically an weight based on the route type. To overcome this issue, we set the weight of iBGP routes to the same weight that eBGP routes have, namely 32768 (set weight 32768). Without this configuration we will only get a single route to the IPs announced via iBGP. So this setting is essential for HA/failover!","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Statistics of the established BGP session can be viewed locally from the tenant server via: sudo vtysh -c 'show bgp ipv4 unicast'","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To establish this BGP session a BGP setup is required on the leaves as well.","category":"page"},{"location":"overview/networking/#Leaf-Setup","page":"Networking","title":"Leaf Setup","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Every leaf switch is connected to every spine switch. Tenant servers can be distributed within the data center and thus be connected to different leaves. Routing for tenant servers is isolated in unique VRFs. These constraints imply several configuration requirements for the leaf and spine switches:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"leaves define tenant VRFs\nleaves terminate VXLAN tunnels (aka \"VXLAN tunnel endpoint\" = VTEP)","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The leaf setup requires the definition of a tenant VRF that enslaves the tenant server facing interfaces:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/network/interfaces\n\n# [...]\n\niface vrf3981\n vrf-table auto\n\niface swp1\n mtu 9000\n post-up sysctl -w net.ipv6.conf.swp1.disable_ipv6=0\n vrf vrf3981\n\n# [...]","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 3: Fragment that shows swp1 being member of vrf vrf3981.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"There is a VRF definition iface vrf3981 to create a distinct routing table and a section vrf vrf3981 that enslaves swp1 (connects the tenant server) into the VRF. Those host facing ports are also called edge ports.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Additional to the VRF definition the leaf must be configured to provide and connect a VXLAN interface to establish a VXLAN tunnel. This network virtualization begins at the leaves. Therefore, the leaves are also called Network Virtualization Edges (NVEs). The leaves encapsulate and decapsulate VXLAN packets.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/network/interfaces\n\n# [...]\n\niface bridge\n bridge-ports vni3981\n bridge-vids 1001\n bridge-vlan-aware yes\n\niface vlan1001\n mtu 9000\n vlan-id 1001\n vlan-raw-device bridge\n vrf vrf3981\n\niface vni3981\n mtu 9000\n bridge-access 1001\n bridge-arp-nd-suppress on\n bridge-learning off\n mstpctl-bpduguard yes\n mstpctl-portbpdufilter yes\n vxlan-id 3981\n vxlan-local-tunnelip 10.0.0.11\n\n# [...]","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 4: Fragment that shows VXLAN setup for vrf vrf3981.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"All routing happens in the context of the tenant VRF. To send and receive packets of a VRF, several interface are in place.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"A bridge is used to attach VXLAN interface bridge-ports vni3981 and map its local VLAN to a VNI. Router MAC addresses of remote VTEPs are installed over this interface.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The Routed VLAN Interface or Switched Virtual Interface (SVI) iface vlan1001 is configured corresponding to the per-tenant VXLAN interface. It is attached to the tenant VRF. Remote host routes are installed over this SVI. The vlan-raw-device bridge is used to associate the SVI with the VLAN aware bridge. For a packet received from a locally attached host the SVI interface corresponding to the VLAN determines the VRF vrf vrf3981.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The VXLAN interface iface vni3981 defines a tunnel address that is used for the VXLAN tunnel header vlxan-local-tunnelip 10.0.0.11. This VTEP IP address is typically the loopback device address of the switch. When EVPN is provisioned, data plane MAC learning for VXLAN interfaces must be disabled because the purpose of EVPN is to exchange MACs between VTEPs in the control plane: bridge-learning off. EVPN is responsible for installing remote MACs. bridge-arp-nd-suppress suppresses ARP flooding over VXLAN tunnels. Instead, a local proxy handles ARP requests received from locally attached hosts for remote hosts. ARP suppression is the implementation for IPv4; ND suppression is the implementation for IPv6. It is recommended to enable ARP suppression on all VXLAN interfaces. Bridge Protocol Data Unit (BPDU) are not transmitted over VXLAN interfaces. So as a good practice bpduguard and pbdufilter are enabled with mstpctl-bpduguard yes and mstpctl-portbpdufilter yes. These settings filter BPDU and guard the spanning tree topology from unauthorized switches affecting the forwarding path. vxlan-id 3981 specifies the VXLAN Network Identifier (VNI). The type of VNI can either be layer-2 (L2) or layer-3 (L3). This is an implicit thing. A VNI is a L3 VNI (L3VNI) when a mapping exists that maps the VNI to a VRF (configured in /etc/frr/frr.conf) otherwise it is a L2 VNI (L2VNI).","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/frr/frr.conf\n# [...]\nvrf vrf3981\n vni 3981\n exit-vrf\n#[...]\nrouter bgp 4200000011\n# [...]\n address-family ipv4 unicast\n redistribute connected route-map LOOPBACKS\n # [...]\n address-family l2vpn evpn\n neighbor FABRIC activate\n advertise-all-vni\n exit-address-family\n# [...]\nrouter bgp 4200000011 vrf vrf3981\n # [...]\n address-family ipv4 unicast\n redistribute connected\n neighbor MACHINE maximum-prefix 100\n exit-address-family\n !\n address-family l2vpn evpn\n advertise ipv4 unicast\n exit-address-family\n\n# [...]\nroute-map LOOPBACKS permit 10\n match interface lo\n# [...]","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 5: Leaf FRR configuration.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 5 shows the required FRR configuration of the BGP control plane. Only content not discussed so far is explained. The section vrf vrf3981 contains the mapping from layer-3 VNI to VRF. This is required to be able to install EVPN IP prefix routes (type-5 routes) into the routing table. Further the file contains a global BGP instance router bgp 4200000011 definition. A new setting redistribute connected route-map LOOPBACKS is in place to filter the redistribution of routes that are not matching the local loopback interface. The route-map is defined with route-map LOOPBACKS permit 10. With the configuration line address-family l2vpn evpn, the EVPN address family is enabled between BGP neighbours. advertise-all-vni makes the switch a VTEP configures it in such a way, that all locally configured VNIs should be advertised by the BGP control plane.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The second BGP instance configuration is specific to the tenant VRF router bgp 4200000011 vrf vrf3981. This VRF BGP instance configures the l2vpn evpn address family with advertise ipv4 unicast to announce IP prefixes in BGP's routing information base (RIB). This is required to apply learned routes to the routing tables of connected hosts. The Maximum-Prefix feature is useful to avoid that a router receives more routes than the router memory can take. The maximum number of prefixes a tenant server is allowed to announce is limited to 100 with: neighbor MACHINE maximum-prefix 100.","category":"page"},{"location":"overview/networking/#Spine-setup","page":"Networking","title":"Spine setup","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"On the spine switches the setup is quite simple. /etc/network/interfaces contains the loopback interface definition to support BGP unnumbered and listings for connected switch ports to provide proper MTUs (Listing 6). I.e. swp1 is configured with an MTU of 9216 as it is a VXLAN-facing interface.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/network/interfaces\n# [...]\niface swp1\n mtu 9216","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 6: Fragment of spine interface configuration.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The spines are important to forward EVPN routes and transport VXLAN packets between the VTEPs. They are not configured as VTEPs. The FRR configuration only contains the already known global BGP instance configuration router bgp 4200000020 plus the activation of the l2vpn evpn address family address-family l2vpn evpn to enable EVPN type-5 route forwarding (Listing 7).","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"hostname spine01\nusername admin nopassword\n!\n# [...]\ninterface swp1\n ipv6 nd ra-interval 6\n no ipv6 nd suppress-ra\n!\n# [...]\n!\nrouter bgp 4200000020\n # [...]\n!\n address-family l2vpn evpn\n neighbor FABRIC activate\n exit-address-family\n!\n# [...]","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 7: Fragment of spine FRR configuration to show the activated L2VPN EVPN address-family.","category":"page"},{"location":"overview/networking/#Tenant-Firewalls:-EVPN-to-the-Host","page":"Networking","title":"Tenant Firewalls: EVPN-to-the-Host","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"In case a tenant server needs to reach out to external networks as the Internet, a tenant firewall is provisioned. The firewall is a bare metal server without a switching silicon. Thus, there is no installation of SONiC. FRR provides the BGP / EVPN functionality known as EVPN-to-the-host. The firewall is configured as a VTEP and applies dynamic route-leaking to install routes of an foreign VRF. The set of routes that are leaked are restricted with route-maps.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"As Listing 8 shows, the firewall is configured with VXLAN interfaces as known from the leaf setup. Additionally, a VXLAN setup for VRF vrfInternet is added to provide Internet access. vrfInternet contains a route to the Internet that will be leaked into the tenant VRF.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Traffic that originates from the tenant network 10.0.0.0/22 will be masqueraded before leaving the interface vlanInternet towards the internet.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/network/interfaces\n# [...]\niface bridge\n# [...]\niface vlan1001\n# [...]\niface vni3981\n# [...]\niface vrf3981\n# [...]\niface vlanInternet\n mtu 9000\n vlan-id 4009\n vlan-raw-device bridge\n vrf vrfInternet\n address 185.1.2.3\n post-up iptables -t nat -A POSTROUTING -s 10.0.0.0/22 -o vlanInternet -j MASQUERADE\n pre-down iptables -t nat -D POSTROUTING -s 10.0.0.0/22 -o vlanInternet -j MASQUERADE\n\niface vniInternet\n mtu 9000\n bridge-access 4009\n mstpctl-bpduguard yes\n mstpctl-portbpdufilter yes\n vxlan-id 104009\n vxlan-local-tunnelip 10.0.0.40\n\niface vrfInternet\n mtu 9000\n vrf-table auto","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 8: Interfaces configuration of firewall to show the VTEP interface configuration.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To install a default route into the routing table of tenant VRF vrf3981 a dynamic route leak is established for it (import vrf vrfInternet). With the help of a route-map import vrf route-map vrf3981-import-map only the default route will be leaked:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"root@firewall01:~# vtysh -c 'show ip route vrf vrf3981'\n# [...]\nVRF vrf3981:\nS>* 0.0.0.0/0 [1/0] is directly connected, vrfInternet(vrf vrfInternet), 03:19:26\nB>* 10.0.0.1/32 [20/0] via 10.0.0.12, vlan1001 onlink, 02:34:48\n * via 10.0.0.11, vlan1001 onlink, 02:34:48\nB>* 10.0.0.2/32 [20/0] via 10.0.0.12, vlan1001 onlink, 02:34:49\n * via 10.0.0.11, vlan1001 onlink, 02:34:49","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To receive responses from vrfInternet in vrf3981 a route is leaked into vrfInternet as well (import vrf vrf3981) restricted with the route-map vrfInternet-import-map that allows leaking of the tenant routes as well as internet prefixes used on worker nodes of the tenant. To limit the prefixes that are announced from the firewall within the global BGP instance a route-map only-self-out is defined and applied within the ipv4 and l2vpn evpn address family. Together with the definition of an as path access list bgp as-path access-list it avoids the announcement of prefixes to non VRF BGP peers.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/frr/frr.conf\n!\nvrf vrf3981\n vni 3981\n!\nvrf vrfInternet\n vni 104009\n!\n# [...]\n!\nrouter bgp 4200000040\n # [...]\n !\n address-family ipv4 unicast\n # [...]\n neighbor FABRIC route-map only-self-out out\n exit-address-family\n !\n!\nrouter bgp 4200000040 vrf vrf3981\n # [...]\n address-family ipv4 unicast\n redistribute connected\n import vrf vrfInternet\n import vrf route-map vrf3981-import-map\n # [...]\n address-family l2vpn evpn\n advertise ipv4 unicast\n # [...]\nrouter bgp 4200000040 vrf vrfInternet\n # [...]\n address-family ipv4 unicast\n redistribute connected\n import vrf vrf3981\n import vrf route-map vrfInternet-import-map\n # [...]\n address-family l2vpn evpn\n advertise ipv4 unicast\n # [...]\n bgp as-path access-list SELF permit ^$\n!\nroute-map only-self-out permit 10\n match as-path SELF\n!\nroute-map only-self-out deny 99\n!\nroute-map LOOPBACKS permit 10\n match interface lo\n!\nip prefix-list vrf3981-import-prefixes seq 100 permit 0.0.0.0/0\n!\nroute-map vrf3981-import-map permit 10\n match ip address prefix-list vrf3981-import-prefixes\n!\nroute-map vrf3981-import-map deny 99\n!\nip prefix-list vrfInternet-import-prefixes seq 100 permit 10.0.0.0/22 le 32\nip prefix-list vrfInternet-import-prefixes seq 101 permit 185.1.2.0/24 le 32\nip prefix-list vrfInternet-import-prefixes seq 102 permit 185.27.0.0/27 le 32\n!\nroute-map vrfInternet-import-map permit 10\n match ip address prefix-list vrfInternet-import-prefixes\n!\nroute-map vrfInternet-import-map deny 99\n!\nline vty\n!","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 9: FRR configuration of a tenant firewall to show route leak and prefix announcement filtering.","category":"page"},{"location":"overview/networking/#Exit-Switch","page":"Networking","title":"Exit Switch","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Traffic to external networks is routed via the firewalls to the exit switch. The exit switch, as an exception, connects to the Internet Service Provider using numbered BGP. Numbered BGP implies to assign IPv4 addresses to network interfaces (See Listing 10, swp1). Interface swp1 is enslaved into vrf vrfInternet to include the port that is connected to the ISP within the VRF that is expected to contain a way into the Internet. The exit switch is configured to be a VTEP to terminate traffic coming from the firewall VRF vrfInternet.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/network/interfaces\n# [...]\niface swp1\n mtu 9000\n vrf vrfInternet\n address 172.100.0.2/30\n# [...]\niface vlan4000\n mtu 9000\n address 10.0.0.71/24\n vlan-id 4000\n vlan-raw-device bridge\n# [...]\niface vlanInternet\n# [...]\niface vniInternet\n# [...]\niface vrfInternet\n# [...]","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 10: Fragment of interfaces configuration of exit switch.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The configuration of FRR is equivalent to the previously discussed ones. It contains a global BGP instance configuration that enables IPv4 unicast and l2vpn evpn address families. The vrfInternet BGP instance defines neighbor 172.100.0.1 peer-group INTERNET to use \"old style BGP\" transit network.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# [..]\nvrf vrfInternet\n vni 104009\n!\n# [...]\nrouter bgp 4200000031\n bgp router-id 10.0.0.31\n neighbor FABRIC peer-group\n neighbor FABRIC remote-as external\n neighbor FABRIC timers 1 3\n # [...]\n !\n address-family ipv4 unicast\n neighbor FABRIC activate\n redistribute connected route-map LOOPBACKS\n exit-address-family\n !\n address-family l2vpn evpn\n neighbor FABRIC activate\n advertise-all-vni\n exit-address-family\n!\nrouter bgp 4200000031 vrf vrfInternet\n bgp router-id 10.0.0.31\n bgp bestpath as-path multipath-relax\n neighbor INTERNET peer-group\n neighbor INTERNET remote-as external\n neighbor INTERNET timers 1 3\n neighbor 172.100.0.1 peer-group INTERNET\n !\n address-family ipv4 unicast\n neighbor INTERNET route-map PREPEND-PATH-TO-DISFAVOR-IN in\n neighbor INTERNET route-map PREPEND-PATH-TO-DISFAVOR-OUT out\n exit-address-family\n\n !\n address-family l2vpn evpn\n advertise ipv4 unicast\n exit-address-family\n!\nroute-map LOOPBACKS permit 10\n match interface lo\n!\nroute-map PREPEND-PATH-TO-DISFAVOR-IN permit 10\n set as-path prepend last-as 2\n!\nroute-map PREPEND-PATH-TO-DISFAVOR-OUT permit 10\n set as-path prepend last-as 2\n!\nvrf mgmt\n ip route 10.0.0.0/24 10.0.0.71 nexthop-vrf default\n exit-vrf\n!\nip route 0.0.0.0/0 192.168.0.254 nexthop-vrf mgmt\n!\nline vty\n!","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 11: Fragment of FRR configuration on exit switch to give an example for numbered BGP and route leak.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"In addition to the standard BGP setup the exit switches have configured static route leak to support internet access during PXE. There is one route leak from default VRF into the mgmt VRF defined with: ip route 0.0.0.0/0 192.168.0.254 nexthop-vrf mgmt and another one from mgmt VRF into the default VRF: ip route 10.0.0.0/24 10.0.0.71 nexthop-vrf default. The first one adds a default route into the default VRF and the second one routes traffic destined to the PXE network back from mgmt VRF into the default VRF.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To reach out into external networks each of the exit nodes joins a BGP session with a distinct external router. There is a different latency to each of these routers. To favor routes of exit nodes connected with lower latency over exit nodes with higher latency two route maps PREPEND-PATH-TO-DISFAVOR-IN and PREPEND-PATH-TO-DISFAVOR-OUT are added to high latency exit nodes. These route maps apply actions to prolong the path of the incoming and outgoing routes. Because of this path extension BGP will calculate a lower weight for these paths and favors paths via other exit nodes. It is important to know that within an address family only one route map (the last) will be applied. To apply more than one actions within a route-map the required entries can be applied to a single route-map.","category":"page"},{"location":"overview/networking/#PXE-Boot-Mode","page":"Networking","title":"PXE Boot Mode","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Before a bare metal server can act as tenant server or tenant firewall, it has to be provisioned. Within the Metal domain, this provisioning mode is called \"PXE Mode\" since it is based on Preboot eXecution Environment (PXE). PXE uses protocols like DHCP. This requires all bare metal servers that need provisioning to be located in a layer-2 domain where DHCP is available. This domain is a VLAN vlan4000. A DHCP server for PXE Mode is installed on the exit switches to work in this specific VLAN.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/default/isc-dhcp-server\nINTERFACES=\"vlan4000\"","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 13: DHCP server configuration of exit switches.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"As shown in listing 13, the PXE DHCP server is located on the exit switches and enforced to bind to interface vlan4000. This represents a layer-2 separation that allows only DHCP clients in the same VLAN to request IP addresses. Only unprovisionned bare metal servers are configured to be member of this VLAN. Thus unwanted or accidental provisionning is impossible.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To provide vlan4000 on the leaves (that face the bare metal servers) the exit and leaf switches are configured as VTEPs and share an interface configuration that contains the required interfaces (Listing 13). Since no EVPN routing is in place vni104000 is configured as an L2 VNI (there is no mapping for this VNI in /etc/frr/frr.conf).","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/network/interfaces\n# [...]\niface bridge\n bridge-ports vni104000 [...]\n bridge-vids 4000 [...]\n bridge-vlan-aware yes\n\niface vlan4000\n# [...]\n\niface vni104000\n# [...]","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 13: Interfaces configuration on exit and leaf switches to show DHCP/PXE related fragments.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"On the leaf switches the bare metal server facing ports are configured as VLAN access ports to carry the traffic for only the PXE VLAN vlan4000 (listing 14)to separate unprovisioned from other bare metal servers.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/network/interfaces\n# [...]\nauto swp1\niface swp1\n mtu 9000\n bridge-access 4000\n# [...]","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 14: VLAN access setup for bare metal server facing ports on leaves.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Once a bare metal server is provisioned it is deconfigured from PXE VLAN vlan4000 to avoid accidental or unwanted provisioning.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"During provisioning bare metal servers get internet access via the management network of the exit switches. This is because the exit switches are announced as DHCP gateway to the DHCP clients.","category":"page"},{"location":"overview/networking/#Management-Network","page":"Networking","title":"Management Network","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To manage network switches beside the out-of-band system console access a further management access is required. For this purpose the concept of Management VRF is applied. The Management VRF is a subset of VRF. It provides a separation between out-of-band management network and the in-band data plane network by introducing another routing table mgmt. SONiC supports eth0 to be used as the management interface.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To enable and use the Management VRF all switches have to be connected via their eth0 interface to a management-switch. The management switch is connected to a management server. All access is established from within the management server. Logins to the switch are set into the Management VRF context once the Management VRF is enabled.","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_usage/#metalctl-size-reservation-usage","page":"metalctl size reservation usage","title":"metalctl size reservation usage","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_usage/","page":"metalctl size reservation usage","title":"metalctl size reservation usage","text":"see current usage of size reservations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_usage/","page":"metalctl size reservation usage","title":"metalctl size reservation usage","text":"metalctl size reservation usage [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_usage/#Options","page":"metalctl size reservation usage","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_usage/","page":"metalctl size reservation usage","title":"metalctl size reservation usage","text":" -h, --help help for usage\n --partition string the partition to filter\n --project string the project to filter\n --size-id string the size-id to filter\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: amount|id|partition|project|size|used-amount","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_usage/#Options-inherited-from-parent-commands","page":"metalctl size reservation usage","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_usage/","page":"metalctl size reservation usage","title":"metalctl size reservation usage","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_usage/#SEE-ALSO","page":"metalctl size reservation usage","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_usage/","page":"metalctl size reservation usage","title":"metalctl size reservation usage","text":"metalctl size reservation\t - manage reservation entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware/#metalctl-machine-update-firmware","page":"metalctl machine update-firmware","title":"metalctl machine update-firmware","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware/","page":"metalctl machine update-firmware","title":"metalctl machine update-firmware","text":"update a machine firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware/#Options","page":"metalctl machine update-firmware","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware/","page":"metalctl machine update-firmware","title":"metalctl machine update-firmware","text":" -h, --help help for update-firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware/#Options-inherited-from-parent-commands","page":"metalctl machine update-firmware","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware/","page":"metalctl machine update-firmware","title":"metalctl machine update-firmware","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware/#SEE-ALSO","page":"metalctl machine update-firmware","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware/","page":"metalctl machine update-firmware","title":"metalctl machine update-firmware","text":"metalctl machine\t - manage machine entities\nmetalctl machine update-firmware bios\t - update a machine BIOS\nmetalctl machine update-firmware bmc\t - update a machine BMC","category":"page"}] +[{"location":"external/metalctl/docs/metalctl_network_edit/#metalctl-network-edit","page":"metalctl network edit","title":"metalctl network edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_edit/","page":"metalctl network edit","title":"metalctl network edit","text":"edit the network through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_network_edit/","page":"metalctl network edit","title":"metalctl network edit","text":"metalctl network edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_edit/#Options","page":"metalctl network edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_edit/","page":"metalctl network edit","title":"metalctl network edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_network_edit/#Options-inherited-from-parent-commands","page":"metalctl network edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_edit/","page":"metalctl network edit","title":"metalctl network edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_edit/#SEE-ALSO","page":"metalctl network edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_edit/","page":"metalctl network edit","title":"metalctl network edit","text":"metalctl network\t - manage network entities","category":"page"},{"location":"installation/autonomous-control-plane/#Autonomous-Control-Plane,-aka-solve-the-bootstrap-problem","page":"Autonomous Control Plane","title":"Autonomous Control Plane, aka solve the bootstrap problem","text":"","category":"section"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Setting up a metal-stack.io environment in your own datacenter requires a control plane to be present which hosts the metal-stack api. If you plan to spin up kubernetes clusters, either with gardener.cloud or cluster api, the requirement for this control plane raises. The control plane must be running in a kubernetes cluster, which offers at least the following features:","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Loadbalancing\nPersistent Storage\nAccess to a object storage for automatic backups of the stateful sets\nAccess to a DNS provider which is supported by one of the dns extensions in use.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"This cluster must also be highly available to prevent complete loss of control over the managed resources in the datacenter. Regular kubernetes updates to apply security fixes and feature updates must be possible in an automated manner.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"The most obvious and simple solution is to use one of the managed kubernetes offerings from another cloud provider.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"But there are use cases, where it is not possible because of network restrictions, or because the company compliances forbid the usage of external datacenter products. For such cases a solution must be found which produces the control plane inside the own datacenter but with reasonable day two operational effort.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Pages = [\"autonomous-control-plane.md\"]\nDepth = 5","category":"page"},{"location":"installation/autonomous-control-plane/#Possible-Solutions","page":"Autonomous Control Plane","title":"Possible Solutions","text":"","category":"section"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"No complete list.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"vmware and rancher\ntalos\n3 physical machines with kubespray","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"...","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"All of these solutions add another stack which is probably new to the team which already operates the metal-stack environment.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"TODO: can we provide a list which of the requirements can be solved with all of the alternatives.","category":"page"},{"location":"installation/autonomous-control-plane/#Use-your-own-dogfood","page":"Autonomous Control Plane","title":"Use your own dogfood","text":"","category":"section"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"With metal-stack.io we already have the possibility to create and manage kubernetes clusters with the help of Gardener. Use this stack to create the control plane clusters only. Do not try to create more clusters for other purposes than metal-stack control planes. If this restriction applies, the requirement for a control plane for this metal-stack setup can be minimal.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"This metal-stack setup also requires a control plane to host metal-api and gardener, but this control plane does not have huge resource requirements in terms of cpu, memory and storage. For this initial control plane cluster we could use kind running on a single server which manages the initial metal-stack partition to host the control plane for the real setup.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"This is a chain of two metal-stack environments.","category":"page"},{"location":"installation/autonomous-control-plane/#Architecture","page":"Autonomous Control Plane","title":"Architecture","text":"","category":"section"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"A high-level architecture consists of two metal-stack.io environments, one for the control plane, the second one for the production or real environment. It might also be possible to call the initial metal-stack.io environment the metal-stack seed, and the actual production environment the metal-stack shoot.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"We could even use some names for this environments which match better to metal, like needle and nail. So, a needle metal-stack is used to create a nail metal-stack environment.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"(Image: metal-stack-chain)","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"The needle and the nail metal-stack have both a control plane and a set of physical bare metal machines they manage and operate on.","category":"page"},{"location":"installation/autonomous-control-plane/#Needle","page":"Autonomous Control Plane","title":"Needle","text":"","category":"section"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"The needle control plane is kept very small and running inside a kind cluster. The physical bare metal machines can be any machines and switches which are supported by metal stack, but can be smaller in terms of cpu, memory and network speed, because these machines must only be capable of running the nail metal stack control plane.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Control Plane","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"In the most simple case the needle control plane is based on kind which is running on a machine which was setup manually/partly automated with a debian:12 operating system. This machine provides a decent amount of cpu, memory and storage locally to store all persistent data. The amount of cpus and memory depends on the required size of the expected nail control plane. A typical single socket server with 8-16 cores and 64GB of RAM and two NVMe drives of 1TB would be a good starting point.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"In a typical kind setup, a stateful set would lose the data once the kind cluster was terminated and started again. But there is a possibility to define parts of the local storage of the server to be provided to the kind cluster for the PVCs. With that, kind could be terminated and started again, for example to update and reboot the host os, or update kind itself and the data will persist.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Example kind configuration for persistent storage on the hosts os:","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"kind: Cluster\napiVersion: kind.x-k8s.io/v1alpha4\nname: needle-control-plane\nnodes:\n- role: control-plane\n # add a mount from /path/to/my/files on the host to /files on the node\n extraMounts:\n - hostPath: /path/to/my/files\n containerPath: /files\n","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"As mentioned before, kind is used to host the needle control plane. For a gardener managed kubernetes setup, metal-stack and gardener will be deployed into this cluster. This deployment can be done by a gitlab runner which is running on this machine. The mini-lab will be used as a base for this deployment. The current development of gardener-in-minilab must be extended to host all required extensions to make this a working metal stack control plane which can manage the machines in the attached bare metal setup.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"A second kind cluster is started on this machine to host services which are required to complete the service. A non-complete list would be:","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"PowerDNS to server as a DNS Server for all dns entries which needs to be created in the needle, like api.needle.metal-stack.local, gardener-api.needle.metal-stack.local and the dns entries for the api servers of the create kubernetes clusters.\nNTP\nMonitoring for the needle partition ?\nOptional: Container Registry to host all metal-stack and gardener containers\nOptional: Letsencrypt boulder as a certificate authority\n...","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"(Image: needle-control-plane)","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"1.1. Control Plane High Availability","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Running the needle control plane on a single physical server is not as available as it should be in such a use case. It should be possible to survive a loss of this server, because the server could be lost by many events, such as hardware failure, disk corruption or even failure of the datacenter location where this server is deployed.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Setting up a second server with the same software components is an option, but the problem of data redundancy must be solved, because neither the gardener control plane, nor the metal-stack control plane can be instantiated twice.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Given that we provide part of the local storage of the server as backing storage for the stateful sets in the kind cluster, the data stored on the server itself must be synced to a second server in some way.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Here comes DRBD into play, this is a linux kernel module which can be configured to mirror one or more local block devices to another server connected over tcp. With the help of pacemaker a coordinated failover of resources running on top of filesystems created on such replicated drbd devices, a high available stateful server pair is possible. It is also possible to prevent split brain if both servers have a out-of-band management build in with power off capability. DRBD can also be configured to sync storage between WAN links with a higher latency by using a async mechanism.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Sample drbd configuration:","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"resource needle-control-plane {\n meta-disk internal;\n device /dev/drbd0;\n syncer {\n verify-alg sha1;\n }\n net {\n allow-two-primaries;\n }\n on needle1 {\n disk /dev/nvme0n1;\n address 192.168.1.101:7789;\n }\n on needle2 {\n disk /dev/nvme0n1;\n address 192.168.1.102:7789;\n }\n}","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"TODO: LVM Volumes","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Logical View","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"(Image: needle-control-plane-ha)","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Physical View, minimal ha setup which is only suitable for 1 Seed and 1 Shoot","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"(Image: needle-rack)","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Physical View, bigger ha setup which is spread to two datacenters, capable to create 1 Seed with 3 nodes and 2 Shoots with 3 nodes each and still 2 waiting machines.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"(Image: needle-rack-big)","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Partition","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"The partition which is managed by the metal-stack needle can be a simple and small hardware setup but yet capable enough to host the metal-stack nail control plane. It can follow the metal-stack minimal setup which provides about 8-16 small servers connected to a 1G/s or 10G/s network dataplane. Central storage is optional as the persistence of the services running in these clusters is always backed up to a central object storage. Operations would be much easier if a central storage is provided.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"A seed must be created which is responsible for hosting the control planes of the shoots in this partition. The amount of shoots should be minimal, most of the time, two shoots, one for hosting gardener and one for metal-stack.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"(Image: needle-partition)","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Network Diagram","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"TODO: Where to connect the needle servers","category":"page"},{"location":"installation/autonomous-control-plane/#Nail","page":"Autonomous Control Plane","title":"Nail","text":"","category":"section"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"nail is the metal-stack environment which serves for end user production use, the control plane is running in a shoot which in the needle and the seed(s) and shoot(s) for end users are created on the machines provided by this environment. These machines can be of a different type in terms of size, but more importantly, these machines are connected to another network dataplane. Also the management infrastructure is separated from the needle management.","category":"page"},{"location":"installation/autonomous-control-plane/#Failure-Scenarios","page":"Autonomous Control Plane","title":"Failure Scenarios","text":"","category":"section"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Everything could fail, everything will fail at some point. But this must kept in mind and nothing bad should happen if only one component at a time fails. If more than one fails, the restoration to a working state must be easily possible and well documented.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"We must ensure both. To ensure we have all possible breakages in mind, we collect a list of them here and explain what impact a certain failure have.","category":"page"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Scenario expected outage\nkind cluster gone management of needle infrastructure not possible anymore","category":"page"},{"location":"installation/autonomous-control-plane/#Open-Topics","page":"Autonomous Control Plane","title":"Open Topics","text":"","category":"section"},{"location":"installation/autonomous-control-plane/","page":"Autonomous Control Plane","title":"Autonomous Control Plane","text":"Naming of the metal-stack chain elements, is needle and nail appropriate ?\nStorage in the needle partition\nMinIO DirectPV –> new to me, dont know exactly how this works, looks interesting\nlightOS\nDiskomator –> Crazy\nthe needle server as initiator, maybe also replicated with drbd ?\nNVMEoTCP Howto\nNVMEoTCP Howto\nStorage Appliance like Synology\nS3 Object storage is considered as provided\nAirGapped is out of scope for now\nIP address ranges and families\nConsider Autonomous Shoots for the needle seed\nTake a look at: Description of a Microdatacenter","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_list/#metalctl-filesystemlayout-list","page":"metalctl filesystemlayout list","title":"metalctl filesystemlayout list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_list/","page":"metalctl filesystemlayout list","title":"metalctl filesystemlayout list","text":"list all filesystemlayouts","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_list/","page":"metalctl filesystemlayout list","title":"metalctl filesystemlayout list","text":"metalctl filesystemlayout list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_list/#Options","page":"metalctl filesystemlayout list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_list/","page":"metalctl filesystemlayout list","title":"metalctl filesystemlayout list","text":" -h, --help help for list\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: description|id|name","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_list/#Options-inherited-from-parent-commands","page":"metalctl filesystemlayout list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_list/","page":"metalctl filesystemlayout list","title":"metalctl filesystemlayout list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_list/#SEE-ALSO","page":"metalctl filesystemlayout list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_list/","page":"metalctl filesystemlayout list","title":"metalctl filesystemlayout list","text":"metalctl filesystemlayout\t - manage filesystemlayout entities","category":"page"},{"location":"development/proposals/MEP10/README/#SONiC-Support","page":"SONiC Support","title":"SONiC Support","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"As writing this proposal, metal-stack only supports Cumulus on Broadcom ASICs. Unfortunately, after the acquisition of Cumulus Networks by Nvidia, Broadcom decided to cut its relationship with Cumulus, and therefore Cumulus 4.2 is the last version that supports Broadcom ASICs. Since trashing the existing hardware is not a solution, adding support for a different network operating system is necessary.","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"One of the remaining big players is SONiC, which Microsoft created to scale the network of Azure. It's an open-source project and is now part of the Linux Foundation.","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"For a general introduction to SONiC, please follow the Architecture official documentation.","category":"page"},{"location":"development/proposals/MEP10/README/#ConfigDB","page":"SONiC Support","title":"ConfigDB","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"On a cold start, the content of /etc/sonic/config_db.json will be loaded into the Redis database CONFIG_DB, and both contain the switch's configuration except the BGP unnumbered configuration, which still has to be configured directly by the frr configuration files. The SONiC community is working to remove this exception, but no release date is known.","category":"page"},{"location":"development/proposals/MEP10/README/#BGP-Configuration","page":"SONiC Support","title":"BGP Configuration","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"Frr runs inside a container, and a shell script configured it on the container startup. For BGP unnumbered, we must set the configuration variable docker_routing_config_mode to split to prevent SONiC from overwriting our configuration files created by metal-core. But by using the split mode, the integrated configuration mode of frr is deactivated, and we have to write our BGP configuration to the daemon-specific files bgp.conf, staticd.conf, and zebra.conf instead to frr.conf.","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"elif [ \"$CONFIG_TYPE\" == \"split\" ]; then\n echo \"no service integrated-vtysh-config\" > /etc/frr/vtysh.conf\n rm -f /etc/frr/frr.conf","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"Reference: docker-init","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"Adding support for the integrated configuration mode, we must at least adjust the startup shell script and the supervisor configuration:","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"{% if DEVICE_METADATA.localhost.docker_routing_config_mode is defined and DEVICE_METADATA.localhost.docker_routing_config_mode == \"unified\" %}\n[program:vtysh_b]\ncommand=/usr/bin/vtysh -b","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"Reference: supervisord.conf","category":"page"},{"location":"development/proposals/MEP10/README/#Non-BGP-Configuration","page":"SONiC Support","title":"Non-BGP Configuration","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"For the Non-BGP configuration we have to write it into the Redis database directly or via one of the following interfaces:","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"config replace \nthe Mgmt Framework\nthe SONiC restapi","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"Directly writing into the Redis database isn't a stable interface, and we must determine the create, delete, and update operations on our own. The last point is also valid for the Mgmt Framework and the SONiC restapi. Furthermore, the Mgmt Framework doesn't start anymore for several months, and a potential fix is still not merged. And the SONiC restapi isn't enabled by default, and we must build and maintain our own SONiC images.","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"Using config replace would reduce the complexity in the metal-core codebase because we don't have to determine the actual changes between the running and the desired configuration. The approach's drawbacks are using a version of SONiC that contains the PR Yang support for VXLAN, and we must provide the whole new startup configuration to prevent unwanted deconfiguration.","category":"page"},{"location":"development/proposals/MEP10/README/#Configure-Loopback-interface-and-activate-VXLAN","page":"SONiC Support","title":"Configure Loopback interface and activate VXLAN","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"{\n \"LOOPBACK_INTERFACE\": {\n \"Loopback0\": {},\n \"Loopback0|\": {}\n },\n \"VXLAN_TUNNEL\": {\n \"vtep\": {\n \"src_ip\": \"\"\n }\n }\n}","category":"page"},{"location":"development/proposals/MEP10/README/#Configure-MTU","page":"SONiC Support","title":"Configure MTU","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"{\n \"PORT\": {\n \"Ethernet0\": {\n \"mtu\": \"9000\"\n }\n }\n}","category":"page"},{"location":"development/proposals/MEP10/README/#Configure-PXE-Vlan","page":"SONiC Support","title":"Configure PXE Vlan","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"{\n \"VLAN\": {\n \"Vlan4000\": {\n \"vlanid\": \"4000\"\n }\n },\n \"VLAN_INTERFACE\": {\n \"Vlan4000\": {},\n \"Vlan4000|\": {}\n },\n \"VLAN_MEMBER\": {\n \"Vlan4000|\": {\n \"tagging_mode\": \"untagged\"\n }\n },\n \"VXLAN_TUNNEL_MAP\": {\n \"vtep|map_104000_Vlan4000\": {\n \"vlan\": \"Vlan4000\",\n \"vni\": \"104000\"\n }\n }\n}","category":"page"},{"location":"development/proposals/MEP10/README/#Configure-VRF","page":"SONiC Support","title":"Configure VRF","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"{\n \"INTERFACE\": {\n \"Ethernet0\": {\n \"vrf_name\": \"vrf104001\"\n }\n },\n \"VLAN\": {\n \"Vlan4001\": {\n \"vlanid\": \"4001\"\n }\n },\n \"VLAN_INTERFACE\": {\n \"Vlan4001\": {\n \"vrf_name\": \"vrf104001\"\n }\n },\n \"VRF\": {\n \"vrf104001\": {\n \"vni\": \"104001\"\n }\n },\n \"VXLAN_TUNNEL_MAP\": {\n \"vtep|map_104001_Vlan4001\": {\n \"vlan\": \"Vlan4001\",\n \"vni\": \"104001\"\n }\n }\n}","category":"page"},{"location":"development/proposals/MEP10/README/#DHCP-Relay","page":"SONiC Support","title":"DHCP Relay","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"The DHCP relay container only starts if DEVICE_METADATA.localhost.type is equal to ToRRouter.","category":"page"},{"location":"development/proposals/MEP10/README/#LLDP","page":"SONiC Support","title":"LLDP","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"SONiC always uses the local port subtype for LLDP and sets it to some freely configurable alias field of the interface.","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"# Get the port alias. If None or empty string, use port name instead\nport_alias = port_table_dict.get(\"alias\")\nif not port_alias:\n self.log_info(\"Unable to retrieve port alias for port '{}'. Using port name instead.\".format(port_name))\n port_alias = port_name\n\nlldpcli_cmd = \"lldpcli configure ports {0} lldp portidsubtype local {1}\".format(port_name, port_alias)","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"Reference: lldpmgr","category":"page"},{"location":"development/proposals/MEP10/README/#Mgmt-Interface","page":"SONiC Support","title":"Mgmt Interface","text":"","category":"section"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"The mgmt interface is eth0. To configure a static IP address and activate the Mgmt VRF, use:","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"{\n \"MGMT_INTERFACE\": {\n \"eth0|\": {\n \"gwaddr\": \"\"\n }\n },\n \"MGMT_VRF_CONFIG\": {\n \"vrf_global\": {\n \"mgmtVrfEnabled\": \"true\"\n }\n }\n}","category":"page"},{"location":"development/proposals/MEP10/README/","page":"SONiC Support","title":"SONiC Support","text":"IP forwarding is deactivated on eth0, and no IP Masquerade is configured.","category":"page"},{"location":"external/metalctl/docs/metalctl_update_check/#metalctl-update-check","page":"metalctl update check","title":"metalctl update check","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update_check/","page":"metalctl update check","title":"metalctl update check","text":"check for update of the program","category":"page"},{"location":"external/metalctl/docs/metalctl_update_check/","page":"metalctl update check","title":"metalctl update check","text":"metalctl update check [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_update_check/#Options","page":"metalctl update check","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update_check/","page":"metalctl update check","title":"metalctl update check","text":" -h, --help help for check","category":"page"},{"location":"external/metalctl/docs/metalctl_update_check/#Options-inherited-from-parent-commands","page":"metalctl update check","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update_check/","page":"metalctl update check","title":"metalctl update check","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_update_check/#SEE-ALSO","page":"metalctl update check","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update_check/","page":"metalctl update check","title":"metalctl update check","text":"metalctl update\t - update the program","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant/#metalctl-tenant","page":"metalctl tenant","title":"metalctl tenant","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant/","page":"metalctl tenant","title":"metalctl tenant","text":"manage tenant entities","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant/#Synopsis","page":"metalctl tenant","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant/","page":"metalctl tenant","title":"metalctl tenant","text":"a tenant belongs to a tenant and groups together entities in metal-stack.","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant/#Options","page":"metalctl tenant","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant/","page":"metalctl tenant","title":"metalctl tenant","text":" -h, --help help for tenant","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant/#Options-inherited-from-parent-commands","page":"metalctl tenant","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant/","page":"metalctl tenant","title":"metalctl tenant","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant/#SEE-ALSO","page":"metalctl tenant","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant/","page":"metalctl tenant","title":"metalctl tenant","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl tenant apply\t - applies one or more tenants from a given file\nmetalctl tenant create\t - creates the tenant\nmetalctl tenant delete\t - deletes the tenant\nmetalctl tenant describe\t - describes the tenant\nmetalctl tenant edit\t - edit the tenant through an editor and update\nmetalctl tenant list\t - list all tenants\nmetalctl tenant update\t - updates the tenant","category":"page"},{"location":"external/metalctl/docs/metalctl_switch/#metalctl-switch","page":"metalctl switch","title":"metalctl switch","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch/","page":"metalctl switch","title":"metalctl switch","text":"manage switch entities","category":"page"},{"location":"external/metalctl/docs/metalctl_switch/#Synopsis","page":"metalctl switch","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch/","page":"metalctl switch","title":"metalctl switch","text":"switch are the leaf switches in the data center that are controlled by metal-stack.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch/#Options","page":"metalctl switch","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch/","page":"metalctl switch","title":"metalctl switch","text":" -h, --help help for switch","category":"page"},{"location":"external/metalctl/docs/metalctl_switch/#Options-inherited-from-parent-commands","page":"metalctl switch","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch/","page":"metalctl switch","title":"metalctl switch","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch/#SEE-ALSO","page":"metalctl switch","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch/","page":"metalctl switch","title":"metalctl switch","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl switch connected-machines\t - shows switches with their connected machines\nmetalctl switch console\t - connect to the switch console\nmetalctl switch delete\t - deletes the switch\nmetalctl switch describe\t - describes the switch\nmetalctl switch detail\t - switch details\nmetalctl switch edit\t - edit the switch through an editor and update\nmetalctl switch list\t - list all switches\nmetalctl switch migrate\t - migrate machine connections and other configuration from one switch to another\nmetalctl switch port\t - sets the given switch port state up or down\nmetalctl switch replace\t - put a leaf switch into replace mode in preparation for physical replacement. For a description of the steps involved see the long help.\nmetalctl switch ssh\t - connect to the switch via ssh\nmetalctl switch update\t - updates the switch","category":"page"},{"location":"external/metalctl/docs/metalctl_audit_describe/#metalctl-audit-describe","page":"metalctl audit describe","title":"metalctl audit describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit_describe/","page":"metalctl audit describe","title":"metalctl audit describe","text":"describes the audit trace","category":"page"},{"location":"external/metalctl/docs/metalctl_audit_describe/","page":"metalctl audit describe","title":"metalctl audit describe","text":"metalctl audit describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_audit_describe/#Options","page":"metalctl audit describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit_describe/","page":"metalctl audit describe","title":"metalctl audit describe","text":" -h, --help help for describe\n --phase string phase of the audit trace. One of [request, response, single, error, opened, closed] (default \"response\")\n --prettify-body attempts to interpret the body as json and prettifies it","category":"page"},{"location":"external/metalctl/docs/metalctl_audit_describe/#Options-inherited-from-parent-commands","page":"metalctl audit describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit_describe/","page":"metalctl audit describe","title":"metalctl audit describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_audit_describe/#SEE-ALSO","page":"metalctl audit describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit_describe/","page":"metalctl audit describe","title":"metalctl audit describe","text":"metalctl audit\t - manage audit trace entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network_free/#metalctl-network-free","page":"metalctl network free","title":"metalctl network free","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_free/","page":"metalctl network free","title":"metalctl network free","text":"free a network","category":"page"},{"location":"external/metalctl/docs/metalctl_network_free/","page":"metalctl network free","title":"metalctl network free","text":"metalctl network free [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_free/#Options","page":"metalctl network free","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_free/","page":"metalctl network free","title":"metalctl network free","text":" -h, --help help for free","category":"page"},{"location":"external/metalctl/docs/metalctl_network_free/#Options-inherited-from-parent-commands","page":"metalctl network free","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_free/","page":"metalctl network free","title":"metalctl network free","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_free/#SEE-ALSO","page":"metalctl network free","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_free/","page":"metalctl network free","title":"metalctl network free","text":"metalctl network\t - manage network entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_describe/#metalctl-size-imageconstraint-describe","page":"metalctl size imageconstraint describe","title":"metalctl size imageconstraint describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_describe/","page":"metalctl size imageconstraint describe","title":"metalctl size imageconstraint describe","text":"describes the imageconstraint","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_describe/","page":"metalctl size imageconstraint describe","title":"metalctl size imageconstraint describe","text":"metalctl size imageconstraint describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_describe/#Options","page":"metalctl size imageconstraint describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_describe/","page":"metalctl size imageconstraint describe","title":"metalctl size imageconstraint describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_describe/#Options-inherited-from-parent-commands","page":"metalctl size imageconstraint describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_describe/","page":"metalctl size imageconstraint describe","title":"metalctl size imageconstraint describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_describe/#SEE-ALSO","page":"metalctl size imageconstraint describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_describe/","page":"metalctl size imageconstraint describe","title":"metalctl size imageconstraint describe","text":"metalctl size imageconstraint\t - manage imageconstraint entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_consolepassword/#metalctl-machine-consolepassword","page":"metalctl machine consolepassword","title":"metalctl machine consolepassword","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_consolepassword/","page":"metalctl machine consolepassword","title":"metalctl machine consolepassword","text":"fetch the consolepassword for a machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_consolepassword/","page":"metalctl machine consolepassword","title":"metalctl machine consolepassword","text":"metalctl machine consolepassword [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_consolepassword/#Options","page":"metalctl machine consolepassword","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_consolepassword/","page":"metalctl machine consolepassword","title":"metalctl machine consolepassword","text":" -h, --help help for consolepassword\n --reason string a short description why access to the consolepassword is required","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_consolepassword/#Options-inherited-from-parent-commands","page":"metalctl machine consolepassword","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_consolepassword/","page":"metalctl machine consolepassword","title":"metalctl machine consolepassword","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_consolepassword/#SEE-ALSO","page":"metalctl machine consolepassword","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_consolepassword/","page":"metalctl machine consolepassword","title":"metalctl machine consolepassword","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/#metalctl-machine-power-bios","page":"metalctl machine power bios","title":"metalctl machine power bios","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/","page":"metalctl machine power bios","title":"metalctl machine power bios","text":"boot a machine into BIOS","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/#Synopsis","page":"metalctl machine power bios","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/","page":"metalctl machine power bios","title":"metalctl machine power bios","text":"the machine will boot into bios. (machine does not reboot automatically)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/","page":"metalctl machine power bios","title":"metalctl machine power bios","text":"metalctl machine power bios [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/#Options","page":"metalctl machine power bios","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/","page":"metalctl machine power bios","title":"metalctl machine power bios","text":" -h, --help help for bios","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/#Options-inherited-from-parent-commands","page":"metalctl machine power bios","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/","page":"metalctl machine power bios","title":"metalctl machine power bios","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/#SEE-ALSO","page":"metalctl machine power bios","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_bios/","page":"metalctl machine power bios","title":"metalctl machine power bios","text":"metalctl machine power\t - manage machine power","category":"page"},{"location":"installation/updates/#Releases-and-Updates","page":"Releases and Updates","title":"Releases and Updates","text":"","category":"section"},{"location":"installation/updates/","page":"Releases and Updates","title":"Releases and Updates","text":"using Docs\n\nversion = releaseVersion()\n\nt = raw\"\"\"\nYour are currently reading the documentation for the metal-stack `%s` release.\n\"\"\"\n\nmarkdownTemplate(t, version)","category":"page"},{"location":"installation/updates/","page":"Releases and Updates","title":"Releases and Updates","text":"Releases and integration tests are published through our release repository. You can also find the release notes for this metal-stack version in there. The release notes contain information about new features, upgrade paths and bug fixes.","category":"page"},{"location":"installation/updates/","page":"Releases and Updates","title":"Releases and Updates","text":"A release is created in the following way:","category":"page"},{"location":"installation/updates/","page":"Releases and Updates","title":"Releases and Updates","text":"Individual repository maintainers within the metal-stack Github Org can publish a release of their component.\nThis release is automatically pushed to the develop branch of the release repository by the metal-robot.\nThe push triggers a small release integration test through the mini-lab.\nTo contribute components that are not directly part of the release vector, a pull request must be made against the develop branch of the release repository. Release maintainers may push directly to the develop branch.\nThe release maintainers can /freeze the develop branch, effectively stopping the metal-robot from pushing component releases to this branch.\nThe develop branch is tagged by a release maintainer with a -rc.x suffix to create a release candidate.\nThe release candidate must pass a large integration test suite on a real environment, which is currently run by FI-TS. It tests the entire machine provisioning engine including the integration with Gardener, the deployment, metal-images and Kubernetes conformance tests.\nIf the integration tests pass, the PR of the develop branch must be approved by at least two release maintainers.\nA release is created via Github releases, including all release notes, with a tag on the main branch.","category":"page"},{"location":"installation/updates/","page":"Releases and Updates","title":"Releases and Updates","text":"If you want, you can sign up at our Slack channel where we are announcing every new release. Often, we provide additional information for metal-stack administrators and adopters at this place, too.","category":"page"},{"location":"installation/updates/#Update-Policy","page":"Releases and Updates","title":"Update Policy","text":"","category":"section"},{"location":"installation/updates/","page":"Releases and Updates","title":"Releases and Updates","text":"For new features and breaking changes we create a new minor release of metal-stack. For every minor release we present excerpts of the changes in a corresponding blog article published on metal-stack.io.","category":"page"},{"location":"installation/updates/","page":"Releases and Updates","title":"Releases and Updates","text":"It is not strictly necessary to cycle through the patch releases if you depend on the pure metal-stack components. However, it is important to go through all the patch releases and apply all required actions from the release notes. Therefore, we recommend to just install every patch release one by one in order to minimize possible problems during the update process.","category":"page"},{"location":"installation/updates/","page":"Releases and Updates","title":"Releases and Updates","text":"In case you depend on the Gardener integration, especially when using metal-stack roles for deploying Gardener, we strongly recommend installing every patch release version. We increment our Gardener dependency version by version following the Gardener update policy. Jumping versions may lead to severe problems with the installation and should only be done if you really know what you are doing.","category":"page"},{"location":"installation/updates/","page":"Releases and Updates","title":"Releases and Updates","text":"info: Info\nIf you use the Gardener integration of metal-stack do not skip any patch releases. You may skip patch releases if you depend on metal-stack only, but we recommend to just deploy every patch release one by one for the best possible upgrade experience.","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn_key/#metalctl-vpn-key","page":"metalctl vpn key","title":"metalctl vpn key","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn_key/","page":"metalctl vpn key","title":"metalctl vpn key","text":"create an auth key","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn_key/#Synopsis","page":"metalctl vpn key","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn_key/","page":"metalctl vpn key","title":"metalctl vpn key","text":"create an auth key to connect to VPN","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn_key/","page":"metalctl vpn key","title":"metalctl vpn key","text":"metalctl vpn key [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn_key/#Examples","page":"metalctl vpn key","title":"Examples","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn_key/","page":"metalctl vpn key","title":"metalctl vpn key","text":"auth key for tailscale can be created by this command:\nmetalctl vpn key \\\n\t-- project cluster01\n","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn_key/#Options","page":"metalctl vpn key","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn_key/","page":"metalctl vpn key","title":"metalctl vpn key","text":" --ephemeral create an ephemeral key (default true)\n -h, --help help for key\n --project string project ID for which auth key should be created","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn_key/#Options-inherited-from-parent-commands","page":"metalctl vpn key","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn_key/","page":"metalctl vpn key","title":"metalctl vpn key","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn_key/#SEE-ALSO","page":"metalctl vpn key","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn_key/","page":"metalctl vpn key","title":"metalctl vpn key","text":"metalctl vpn\t - access VPN","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_edit/#metalctl-network-ip-edit","page":"metalctl network ip edit","title":"metalctl network ip edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_edit/","page":"metalctl network ip edit","title":"metalctl network ip edit","text":"edit the ip through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_edit/","page":"metalctl network ip edit","title":"metalctl network ip edit","text":"metalctl network ip edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_edit/#Options","page":"metalctl network ip edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_edit/","page":"metalctl network ip edit","title":"metalctl network ip edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_edit/#Options-inherited-from-parent-commands","page":"metalctl network ip edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_edit/","page":"metalctl network ip edit","title":"metalctl network ip edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_edit/#SEE-ALSO","page":"metalctl network ip edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_edit/","page":"metalctl network ip edit","title":"metalctl network ip edit","text":"metalctl network ip\t - manage ip entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/#metalctl-machine-identify-on","page":"metalctl machine identify on","title":"metalctl machine identify on","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/","page":"metalctl machine identify on","title":"metalctl machine identify on","text":"power on the machine chassis identify LED","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/#Synopsis","page":"metalctl machine identify on","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/","page":"metalctl machine identify on","title":"metalctl machine identify on","text":"set the machine chassis identify LED to on state","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/","page":"metalctl machine identify on","title":"metalctl machine identify on","text":"metalctl machine identify on [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/#Options","page":"metalctl machine identify on","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/","page":"metalctl machine identify on","title":"metalctl machine identify on","text":" -d, --description string description of the reason for chassis identify LED turn-on.\n -h, --help help for on","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/#Options-inherited-from-parent-commands","page":"metalctl machine identify on","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/","page":"metalctl machine identify on","title":"metalctl machine identify on","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/#SEE-ALSO","page":"metalctl machine identify on","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify_on/","page":"metalctl machine identify on","title":"metalctl machine identify on","text":"metalctl machine identify\t - manage machine chassis identify LED power","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update/#metalctl-machine-update","page":"metalctl machine update","title":"metalctl machine update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update/","page":"metalctl machine update","title":"metalctl machine update","text":"updates the machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update/","page":"metalctl machine update","title":"metalctl machine update","text":"metalctl machine update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update/#Options","page":"metalctl machine update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update/","page":"metalctl machine update","title":"metalctl machine update","text":" --add-tags strings tags to be added to the machine [optional]\n --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n --description string the description of the machine [optional]\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl machine describe machine-1 -o yaml > machine.yaml\n $ vi machine.yaml\n $ # either via stdin\n $ cat machine.yaml | metalctl machine update -f -\n $ # or via file\n $ metalctl machine update -f machine.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --remove-tags strings tags to be removed from the machine [optional]\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update/#Options-inherited-from-parent-commands","page":"metalctl machine update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update/","page":"metalctl machine update","title":"metalctl machine update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update/#SEE-ALSO","page":"metalctl machine update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update/","page":"metalctl machine update","title":"metalctl machine update","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_describe/#metalctl-tenant-describe","page":"metalctl tenant describe","title":"metalctl tenant describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_describe/","page":"metalctl tenant describe","title":"metalctl tenant describe","text":"describes the tenant","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_describe/","page":"metalctl tenant describe","title":"metalctl tenant describe","text":"metalctl tenant describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_describe/#Options","page":"metalctl tenant describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_describe/","page":"metalctl tenant describe","title":"metalctl tenant describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_describe/#Options-inherited-from-parent-commands","page":"metalctl tenant describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_describe/","page":"metalctl tenant describe","title":"metalctl tenant describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_describe/#SEE-ALSO","page":"metalctl tenant describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_describe/","page":"metalctl tenant describe","title":"metalctl tenant describe","text":"metalctl tenant\t - manage tenant entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues/#metalctl-machine-issues","page":"metalctl machine issues","title":"metalctl machine issues","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_issues/","page":"metalctl machine issues","title":"metalctl machine issues","text":"display machines which are in a potential bad state","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues/#Synopsis","page":"metalctl machine issues","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_issues/","page":"metalctl machine issues","title":"metalctl machine issues","text":"display machines which are in a potential bad state","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues/","page":"metalctl machine issues","title":"metalctl machine issues","text":"Meaning of the emojis:","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues/","page":"metalctl machine issues","title":"metalctl machine issues","text":"🚧 Machine is reserved. Reserved machines are not considered for random allocation until the reservation flag is removed. 🔒 Machine is locked. Locked machines can not be deleted until the lock is removed. 💀 Machine is dead. The metal-api does not receive any events from this machine. ❗ Machine has a last event error. The machine has recently encountered an error during the provisioning lifecycle. ❓ Machine is in unknown condition. The metal-api does not receive phoned home events anymore or has never booted successfully. ⭕ Machine is in a provisioning crash loop. Flag can be reset through an API-triggered reboot or when the machine reaches the phoned home state. 🚑 Machine reclaim has failed. The machine was deleted but it is not going back into the available machine pool. 🛡 Machine is connected to our VPN, ssh access only possible via this VPN.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues/","page":"metalctl machine issues","title":"metalctl machine issues","text":"metalctl machine issues [] [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues/#Options","page":"metalctl machine issues","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_issues/","page":"metalctl machine issues","title":"metalctl machine issues","text":" --bmc-address string bmc ipmi address (needs to include port) to filter [optional]\n --bmc-mac string bmc mac address to filter [optional]\n --board-part-number string fru board part number to filter [optional]\n -h, --help help for issues\n --hostname string allocation hostname to filter [optional]\n --id string ID to filter [optional]\n --image string allocation image to filter [optional]\n --last-event-error-threshold duration the duration up to how long in the past a machine last event error will be counted as an issue [optional]\n --mac string mac to filter [optional]\n --manufacturer string fru manufacturer to filter [optional]\n --name string allocation name to filter [optional]\n --network-destination-prefixes string network destination prefixes to filter [optional]\n --network-ids string network ids to filter [optional]\n --network-ips string network ips to filter [optional]\n --omit strings issue types to omit [optional]\n --only strings issue types to include [optional]\n --partition string partition to filter [optional]\n --product-part-number string fru product part number to filter [optional]\n --product-serial string fru product serial to filter [optional]\n --project string allocation project to filter [optional]\n --rack string rack to filter [optional]\n --role string allocation role to filter [optional]\n --severity string issue severity to include [optional]\n --size string size to filter [optional]\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: age|bios|bmc|event|id|liveliness|partition|project|rack|size|when\n --state string state to filter [optional]\n --tags strings tags to filter, use it like: --tags \"tag1,tag2\" or --tags \"tag3\".","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues/#Options-inherited-from-parent-commands","page":"metalctl machine issues","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_issues/","page":"metalctl machine issues","title":"metalctl machine issues","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues/#SEE-ALSO","page":"metalctl machine issues","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_issues/","page":"metalctl machine issues","title":"metalctl machine issues","text":"metalctl machine\t - manage machine entities\nmetalctl machine issues list\t - list all machine issues that the metal-api can evaluate","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port/#metalctl-switch-port","page":"metalctl switch port","title":"metalctl switch port","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port/","page":"metalctl switch port","title":"metalctl switch port","text":"sets the given switch port state up or down","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port/#Options","page":"metalctl switch port","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port/","page":"metalctl switch port","title":"metalctl switch port","text":" -h, --help help for port\n --port string the port to be changed.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port/#Options-inherited-from-parent-commands","page":"metalctl switch port","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port/","page":"metalctl switch port","title":"metalctl switch port","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port/#SEE-ALSO","page":"metalctl switch port","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port/","page":"metalctl switch port","title":"metalctl switch port","text":"metalctl switch\t - manage switch entities\nmetalctl switch port describe\t - gets the given switch port state\nmetalctl switch port down\t - sets the given switch port state down\nmetalctl switch port up\t - sets the given switch port state up","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/#metalctl-switch-port-describe","page":"metalctl switch port describe","title":"metalctl switch port describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/","page":"metalctl switch port describe","title":"metalctl switch port describe","text":"gets the given switch port state","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/#Synopsis","page":"metalctl switch port describe","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/","page":"metalctl switch port describe","title":"metalctl switch port describe","text":"shows the current actual and desired state of the port of the given switch.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/","page":"metalctl switch port describe","title":"metalctl switch port describe","text":"metalctl switch port describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/#Options","page":"metalctl switch port describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/","page":"metalctl switch port describe","title":"metalctl switch port describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/#Options-inherited-from-parent-commands","page":"metalctl switch port describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/","page":"metalctl switch port describe","title":"metalctl switch port describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --port string the port to be changed.\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/#SEE-ALSO","page":"metalctl switch port describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_describe/","page":"metalctl switch port describe","title":"metalctl switch port describe","text":"metalctl switch port\t - sets the given switch port state up or down","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_update/#metalctl-tenant-update","page":"metalctl tenant update","title":"metalctl tenant update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_update/","page":"metalctl tenant update","title":"metalctl tenant update","text":"updates the tenant","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_update/","page":"metalctl tenant update","title":"metalctl tenant update","text":"metalctl tenant update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_update/#Options","page":"metalctl tenant update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_update/","page":"metalctl tenant update","title":"metalctl tenant update","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl tenant describe tenant-1 -o yaml > tenant.yaml\n $ vi tenant.yaml\n $ # either via stdin\n $ cat tenant.yaml | metalctl tenant update -f -\n $ # or via file\n $ metalctl tenant update -f tenant.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_update/#Options-inherited-from-parent-commands","page":"metalctl tenant update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_update/","page":"metalctl tenant update","title":"metalctl tenant update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_update/#SEE-ALSO","page":"metalctl tenant update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_update/","page":"metalctl tenant update","title":"metalctl tenant update","text":"metalctl tenant\t - manage tenant entities","category":"page"},{"location":"external/csi-driver-lvm/CONTRIBUTING/#Contributing","page":"Contributing","title":"Contributing","text":"","category":"section"},{"location":"external/csi-driver-lvm/CONTRIBUTING/","page":"Contributing","title":"Contributing","text":"Please check out the contributing section in our docs.","category":"page"},{"location":"external/metalctl/docs/metalctl_logout/#metalctl-logout","page":"metalctl logout","title":"metalctl logout","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_logout/","page":"metalctl logout","title":"metalctl logout","text":"logout user from OIDC SSO session","category":"page"},{"location":"external/metalctl/docs/metalctl_logout/","page":"metalctl logout","title":"metalctl logout","text":"metalctl logout [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_logout/#Options","page":"metalctl logout","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_logout/","page":"metalctl logout","title":"metalctl logout","text":" -h, --help help for logout","category":"page"},{"location":"external/metalctl/docs/metalctl_logout/#Options-inherited-from-parent-commands","page":"metalctl logout","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_logout/","page":"metalctl logout","title":"metalctl logout","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_logout/#SEE-ALSO","page":"metalctl logout","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_logout/","page":"metalctl logout","title":"metalctl logout","text":"metalctl\t - a cli to manage entities in the metal-stack api","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_delete/#metalctl-partition-delete","page":"metalctl partition delete","title":"metalctl partition delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_delete/","page":"metalctl partition delete","title":"metalctl partition delete","text":"deletes the partition","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_delete/","page":"metalctl partition delete","title":"metalctl partition delete","text":"metalctl partition delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_delete/#Options","page":"metalctl partition delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_delete/","page":"metalctl partition delete","title":"metalctl partition delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl partition describe partition-1 -o yaml > partition.yaml\n $ vi partition.yaml\n $ # either via stdin\n $ cat partition.yaml | metalctl partition delete -f -\n $ # or via file\n $ metalctl partition delete -f partition.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_delete/#Options-inherited-from-parent-commands","page":"metalctl partition delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_delete/","page":"metalctl partition delete","title":"metalctl partition delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_delete/#SEE-ALSO","page":"metalctl partition delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_delete/","page":"metalctl partition delete","title":"metalctl partition delete","text":"metalctl partition\t - manage partition entities","category":"page"},{"location":"external/metalctl/docs/metalctl_project_create/#metalctl-project-create","page":"metalctl project create","title":"metalctl project create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_create/","page":"metalctl project create","title":"metalctl project create","text":"creates the project","category":"page"},{"location":"external/metalctl/docs/metalctl_project_create/","page":"metalctl project create","title":"metalctl project create","text":"metalctl project create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_project_create/#Options","page":"metalctl project create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_create/","page":"metalctl project create","title":"metalctl project create","text":" --annotation strings add initial annotation, must be in the form of key=value, can be given multiple times to add multiple annotations, e.g. --annotation key=value --annotation foo=bar\n --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n --cluster-quota int32 cluster quota\n --description string description of the project.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl project describe project-1 -o yaml > project.yaml\n $ vi project.yaml\n $ # either via stdin\n $ cat project.yaml | metalctl project create -f -\n $ # or via file\n $ metalctl project create -f project.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for create\n --ip-quota int32 ip quota\n --label strings add initial label, can be given multiple times to add multiple labels, e.g. --label=foo --label=bar\n --machine-quota int32 machine quota\n --name string name of the project, max 10 characters.\n --skip-security-prompts skips security prompt for bulk operations\n --tenant string create project for given tenant\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_project_create/#Options-inherited-from-parent-commands","page":"metalctl project create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_create/","page":"metalctl project create","title":"metalctl project create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_project_create/#SEE-ALSO","page":"metalctl project create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_create/","page":"metalctl project create","title":"metalctl project create","text":"metalctl project\t - manage project entities","category":"page"},{"location":"overview/isolated-kubernetes/#Isolated-Kubernetes-Clusters","page":"Isolated Kubernetes","title":"Isolated Kubernetes Clusters","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Pages = [\"isolated-kubernetes.md\"]\nDepth = 5","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Some customers have the need to run their workloads in a very restricted environment. These restrictions are driven by regulatory requirements in some industries such as finance, healthcare, energy and more. Regulatory requirements often mandate that the workload must not be exposed to the public internet, nor is capable to reach the public internet in any case.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"For this purpose we implemented a possibility to start Kubernetes clusters in such a manner. This is referred to as cluster isolation.","category":"page"},{"location":"overview/isolated-kubernetes/#Design-Choices","page":"Isolated Kubernetes","title":"Design Choices","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"When talking about highly secure Kubernetes environments people often raise the term \"Air Gapped Cluster\". This would mean that no physical connection exists between the Kubernetes control plane and the Kubernetes worker nodes with the outside world. This requirement exists in extreme environments such as ships, moon bases or nuclear plants. The effort to produce this in a completely automated manner is extremely challenging.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"We decided to follow a different approach which is more practical, still very secure but much simpler to implement and operate. The solution we created is called \"Isolated Cluster\" which means that there are still physical connections between the Kubernetes cluster, but guarded to prohibit malicious traffic. It is also not possible to enable malicious traffic by accident, e.g. if a cluster user configures network policies or load balancers to untrusted environments.","category":"page"},{"location":"overview/isolated-kubernetes/#Network-Design","page":"Isolated Kubernetes","title":"Network Design","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"In order to be able to restrict ingress and egress internet traffic, but still make it possible to create a working Kubernetes cluster we implemented the following network design.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"All strictly required container images are mirrored to a registry which is only accessible from the Kubernetes clusters.\nDNS and NTP servers are produced alongside the registry.\nThe containerd configuration on every worker node is configured to pull all of the strictly required container images from this private registry mirror.\nDNS and NTP configuration is also adopted to use the DNS and NTP servers on this private environment.\nA list of networks which are allowed to reach is managed, this list reflects the networks of the cloud provider and is not modifiable by the cluster user. This list usually contains the internet prefixes of the provider and one or more RFC address ranges.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"(Image: Network Design)","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Users are advised to attach an additional network to the Kubernetes cluster in order to be able to pull container images for the application workloads from private registries.","category":"page"},{"location":"overview/isolated-kubernetes/#Strictly-Required-Container-Images","page":"Isolated Kubernetes","title":"Strictly Required Container Images","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"In general the creation of a Kubernetes cluster requires the ability to pull container images for several applications which are necessary to make a machine a Kubernetes worker node. To mention the most important:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Kubelet: the main controller on each worker node to manage the workload\nCNI (Container Network Interface): controller and daemon set to setup and run the container networking\nCSI (Container Storage Interface): controller and daemon set to setup and run the container storage\nCoreDNS: DNS for containers\nMetalLB: Service Type LoadBalancer Implementation\nnode-exporter and metrics-server: Monitoring for the worker node\nMetal-Stack Addons: for firewall and auditing events","category":"page"},{"location":"overview/isolated-kubernetes/#Flavors","page":"Isolated Kubernetes","title":"Flavors","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"With the introduction of Isolated Kubernetes Clusters, cluster users must decide upon cluster creation which type of isolation he needs for his workload. There are three different flavours available:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Internet access baseline: This is the default cluster creation mode, which does not change any aspects of network and registry access.\nInternet access forbidden: No internet access is possible, neither ingress nor egress.\nInternet access restricted: No internet access is possible, neither ingress nor egress, but can be enabled by the cluster user.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Please see the detailed description of these flavors below.","category":"page"},{"location":"overview/isolated-kubernetes/#Cluster-Wide-Network-Policies-CWNP","page":"Isolated Kubernetes","title":"Cluster Wide Network Policies CWNP","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"To restrict which egress traffic is allowed, Custom Resources ClusterWideNetworkPolicy are deployed and can be deployed by the cluster user. The set of deployed CWNPs differs between baseline and forbidden/restricted.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"baseline CWNPs:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Rule Name Destination Purpose\nallow-to-http 0.0.0.0/0 egress via http\nallow-to-https 0.0.0.0/0 egress via https\nallow-to-apiserver IP of the Kubernetes API Server on the control plane API Server communication of kubelet and other controllers\nallow-to-dns IP of the Google DNS Servers DNS resolution from the Kubernetes worker nodes and containers\nallow-to-ntp IP of the Cloudflare NTP Servers Time synchronization\nallow-to-storage network of the container storage persistent volumes with the cni driver\nallow-to-vpn IP of the vpn endpoint on the control plane allow communication from the api server to the kubelet for container logs and container exec","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"forbidden and restricted CWNPs:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Rule Name Destination Purpose\nallow-to-apiserver IP of the Kubernetes API Server on the control plane API Server communication of kubelet and other controllers\nallow-to-dns IP of the private DNS Server DNS resolution from the Kubernetes worker nodes and containers\nallow-to-ntp IP of the private NTP Server Time synchronization\nallow-to-registry IP of the private Registry Mirror Pulling strictly required container images\nallow-to-storage network of the container storage persistent volumes with the cni driver\nallow-to-vpn IP of the vpn endpoint on the control plane allow communication from the api server to the kubelet for container logs and container exec","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"All of these CWNPs are managed by the gardener-extension-provider-metal, every manual modification will be reverted immediately.","category":"page"},{"location":"overview/isolated-kubernetes/#Internet-Access-Baseline","page":"Isolated Kubernetes","title":"Internet Access Baseline","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"This is the default configuration of a Kubernetes cluster, egress traffic is controlled by multiple CWNPs (ClusterWideNetworkPolicy), ingress traffic is possible by deploying a Service Type LoadBalancer. The cluster user can add additional CWNPs without any restrictions and is responsible for them.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Container images can be pulled from any reachable container registry. The containerd is not reconfigured to point to our private registry mirror.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"DNS and NTP are configured to internet DNS resolvers and NTP servers.","category":"page"},{"location":"overview/isolated-kubernetes/#Internet-Access-Forbidden","page":"Isolated Kubernetes","title":"Internet Access Forbidden","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"This configuration can only be achieved by creating a new Kubernetes cluster, it is not possible to modify a existing cluster (with internet access baseline or restricted) to this configuration. It is also required to specify the most recent version of Kubernetes, older versions of Kubernetes are not supported.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Every network access modification triggered by a cluster user, either by adding or modifying CWNPs or adding a Service Type LoadBalancer, is validated against the list of allowed networks.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"containerd is configured so that all required images are pulled from the private registry mirror. This registry contains only the strictly required images, therefore no additional (workload) images can be pulled from public registries.","category":"page"},{"location":"overview/isolated-kubernetes/#Egress-traffic","page":"Isolated Kubernetes","title":"Egress traffic","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Egress traffic is only allowed to the private registry mirror and the DNS and NTP servers. Additional CWNPs can be added to reach destinations in the internal networks if specified. If a CWNP was created which points to a destination outside of the allowed networks, the CWNP will still be present but stays in the status ignored.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"> kubectl get clusterwidenetworkpolicies.metal-stack.io\nNAME STATUS MESSAGE\nallow-to-apiserver deployed\nallow-to-dns deployed\nallow-to-ntp deployed\nallow-to-registry deployed\nallow-to-storage deployed\nallow-to-vpn deployed\nallow-to-google ignored ingress/egress does not match allowed networks","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Also an event is created which describes why the CWNP was ignored:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"> kubectl get events\n5s Warning ForbiddenCIDR clusterwidenetworkpolicy/allow-to-google address:\"8.8.8.8/32\" is outside of the allowed network range:\"10.0.0.0/8,100.64.0.0/10,212.34.83.0/27\", ignoring","category":"page"},{"location":"overview/isolated-kubernetes/#Ingress-traffic","page":"Isolated Kubernetes","title":"Ingress traffic","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Ingress traffic is only allowed from the internal networks if specified. To specify the address where the Service Type LoadBalancer is listening to, the cluster user must use one of his statically acquired ip addresses. Of course, this ip address is only considered if it is contained in the list of allowed networks. Then this ip address must be configured in the service:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"apiVersion: v1\nkind: Service\nspec:\n type: LoadBalancer\n loadBalancerIP: 10.1.1.1 # ip from the internal network","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"By default, no ip address will be automatically selected for such clusters and the ip of the service will stay in pending mode until the ip was specified as shown above.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"> kubectl get svc\nNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE\nexample-service LoadBalancer 10.244.75.171 443:32179/TCP 4s\n\n> kubectl get events\n8s Warning AllocationFailed service/example-service Failed to allocate IP for \"default/example-service\": no available IPs\n3s Warning SyncLoadBalancerFailed service/example-service Error syncing load balancer: failed to ensure load balancer: no default network for ip acquisition specified, acquire an ip for your cluster's project and specify it directly in \"spec.loadBalancerIP\"","category":"page"},{"location":"overview/isolated-kubernetes/#Internet-Access-Restricted","page":"Isolated Kubernetes","title":"Internet Access Restricted","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"This configuration can only be achieved by creating a new Kubernetes cluster, it is not possible to modify a existing cluster (with internet access baseline or forbidden) to this configuration. It is also required to specify the most recent version of Kubernetes, older versions of Kubernetes are not supported.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"The same default CWNPs are deployed and the container images are pulled from the private registry. Also DNS and NTP are configured to use the private DNS and NTP servers. The only difference to the forbidden mode is that CWNPs and Service Type LoadBalancers can be created without the restriction that only allowed networks are allowed.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Pulling container images is theoretically possible if a cluster user creates a CWNP which allows network access to an external registry. But most container registries serve the container images from large CDN networks, which have a lot of ip addresses. Simply adding the ip address of docker.io is therefore not sufficient.","category":"page"},{"location":"overview/isolated-kubernetes/#Application-Container-Images","page":"Isolated Kubernetes","title":"Application Container Images","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"In order to deploy application containers into a cluster with Internet Access forbidden a private registry must be provided. This private registry must be located in the list of allowed networks. The DNS name of the registry must resolve in the public DNS servers. The registry must be secured with a TLS certificate that is also valid with the CA certificates from the worker node, e.g. vanilla debian ca-certificates.","category":"page"},{"location":"overview/isolated-kubernetes/#Implementation","page":"Isolated Kubernetes","title":"Implementation","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"To achieve this functionality modifications have been implemented in various components in metal-stack, this includes:","category":"page"},{"location":"overview/isolated-kubernetes/#Gardener-Extension-Provider-Metal","page":"Isolated Kubernetes","title":"Gardener Extension Provider Metal","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"The ControlPlane API is adopted to enable a user to configure a shoot with the internet access type forbidden or restricted. The CloudProfile can now be extended to carry the list of allowed networks, the dns and ntp servers, the registry with the mirrored registries.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"ControlPlane:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"// ControlPlaneConfig contains configuration settings for the control plane.\ntype ControlPlaneConfig struct {\n metav1.TypeMeta\n\n // NetworkAccessType defines how the cluster can reach external networks.\n // +optional\n NetworkAccessType *NetworkAccessType\n}\ntype (\n // NetworkAccessType defines how a cluster is capable of accessing external networks\n NetworkAccessType string\n)\n\nconst (\n // NetworkAccessBaseline allows the cluster to access external networks in a baseline manner\n NetworkAccessBaseline = NetworkAccessType(\"baseline\")\n // NetworkAccessRestricted access to external networks is by default restricted to registries, dns and ntp to partition only destinations.\n // Therefore registries, dns and ntp destinations must be specified in the cloud-profile accordingly.\n // If this is not the case, restricting the access must not be possible.\n // Image overrides for all images which are required to create such a shoot, must be specified. No other images are provided in the given registry.\n // customers can define own rules to access external networks as in the baseline.\n // Service type LoadBalancers are also not restricted.\n NetworkAccessRestricted = NetworkAccessType(\"restricted\")\n // NetworkAccessForbidden in this configuration a customer can no longer create rules to access external networks.\n // which are outside of a given list of allowed networks. This is enforced by the firewall.\n // Service type LoadBalancers are also not possible to open a service ip which is not in the list of allowed networks.\n // This is also enforced by the firewall.\n NetworkAccessForbidden = NetworkAccessType(\"forbidden\")\n)","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"A sample Shoot Spec:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"---\napiVersion: core.gardener.cloud/v1beta1\nkind: Shoot\nmetadata:\n name: isolated\n namespace: sample\nspec:\n provider:\n type: metal\n controlPlaneConfig:\n networkAccessType: forbidden\n...","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"CloudProfile:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"type NetworkIsolation struct {\n // AllowedNetworks is a list of networks which are allowed to connect in restricted or forbidden NetworkIsolated clusters.\n AllowedNetworks AllowedNetworks\n // DNSServers\n DNSServers []string\n // NTPServers\n NTPServers []string\n // The registry which serves the images required to create a shoot.\n RegistryMirrors []RegistryMirror\n}\n\n// AllowedNetworks is a list of networks which are allowed to connect in restricted or forbidden NetworkIsolated clusters.\ntype AllowedNetworks struct {\n // Ingress defines a list of networks which are allowed for incoming traffic like service type LoadBalancer\n // to allow all you must specify 0.0.0.0/0 or ::/0\n Ingress []string\n // Egress defines a list of networks which are allowed for outgoing traffic\n // to allow all you must specify 0.0.0.0/0 or ::/0\n Egress []string\n}\n\ntype RegistryMirror struct {\n // Name describes this server\n Name string\n // Endpoint is typically the url of the registry in the form https://hostname\n Endpoint string\n // IP is the ipv4 or ipv6 address of this server\n IP string\n // Port at which port the service is reachable\n Port int32\n // This Registry Mirror mirrors the following registries\n MirrorOf []string \n}","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"A sample configuration in the CloudProfile would look like:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":" network-isolation:\n allowedNetworks:\n egress:\n - 1.2.3.0/24 # Internet CIDR of the Provider\n - 100.64.0.0/10\n - 10.0.0.0/8\n ingress:\n - 100.64.0.0/10\n dnsServers:\n - \"1.2.3.1\"\n - \"1.2.3.2\"\n - \"1.2.3.3\"\n ntpServers:\n - \"1.2.3.1\"\n - \"1.2.3.2\"\n - \"1.2.3.3\"\n registryMirrors:\n - name: test registry\n endpoint: https://some.private.registry\n ip: \"1.2.3.4\"\n port: 443\n mirrorOf:\n - \"docker.io\"\n - \"quay.io\"\n - \"eu.gcr.io\"\n - \"ghcr.io\"\n - \"registry.k8s.io\"","category":"page"},{"location":"overview/isolated-kubernetes/#OS-Metal-Extension","page":"Isolated Kubernetes","title":"OS Metal Extension","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Based on the configuration of a cluster the configuration of the containerd must be changed to pull images from the private registry mirror. If a cluster is either configured with restricted or forbidden, the configuration of containerd will be created as such:","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"config.toml","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"# Generated by os-extension-metal\nversion = 2\nimports = [\"/etc/containerd/conf.d/*.toml\"]\n\ndisabled_plugins = []\n[plugins.\"io.containerd.grpc.v1.cri\".registry]\n config_path = \"/etc/containerd/certs.d\"","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"And for every registry mirror an additional certs.d/$HOST/hosts.yaml will be created. This is in line with Gardener's containerd Registry Configuration.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"# certs.d/docker.io/hosts.yaml\n\nserver = \"https://docker.io\"\n[host.\"https://some.private.registry\"]\n capabilities = [\"pull\", \"resolve\"]","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"DNS and NTP must also be adopted according to the configuration in the CloudProfile.","category":"page"},{"location":"overview/isolated-kubernetes/#Firewall-Controller-Manager-and-Firewall-Controller","page":"Isolated Kubernetes","title":"Firewall Controller Manager and Firewall Controller","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"The Firewall Controller Manager has extended the FirewallSpec to configure the Firewall Controller which must enforce the restrictions regarding allowed networks.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"// FirewallSpec defines parameters for the firewall creation along with configuration for the firewall-controller.\ntype FirewallSpec struct {\n // AllowedNetworks defines which networks are allowed to connect to, and allow incoming traffic from.\n // Is enforced with NetworkAccessForbidden.\n // The node network is always allowed.\n AllowedNetworks AllowedNetworks `json:\"allowedNetworks,omitempty\"`\n}\n\n// AllowedNetworks is a list of networks which are allowed to connect when NetworkAccessType is NetworkAccessForbidden.\ntype AllowedNetworks struct {\n // Ingress defines a list of cidrs which are allowed for incoming traffic like service type LoadBalancer\n Ingress []string `json:\"ingress,omitempty\"`\n // Egress defines a list of cidrs which are allowed for outgoing traffic\n Egress []string `json:\"egress,omitempty\"`\n}","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Also the ClusterwideNetworkPolicy in the Firewall Controller was changed to show the deployment status of a CWNP.","category":"page"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"\ntype ClusterwideNetworkPolicy struct {\n metav1.TypeMeta `json:\",inline\"`\n metav1.ObjectMeta `json:\"metadata,omitempty\"` \n\n Spec PolicySpec `json:\"spec,omitempty\"`\n Status PolicyStatus `json:\"status,omitempty\"`\n}\n\n// PolicyDeploymentState describes the state of a CWNP deployment\ntype PolicyDeploymentState string\n\nconst (\n // PolicyDeploymentStateDeployed the CWNP was deployed to a native nftable rule\n PolicyDeploymentStateDeployed = PolicyDeploymentState(\"deployed\")\n // PolicyDeploymentStateIgnored the CWNP was not deployed to a native nftable rule because it is outside of the allowed networks\n PolicyDeploymentStateIgnored = PolicyDeploymentState(\"ignored\")\n)\n\n// PolicyStatus defines the observed state for CWNP resource\ntype PolicyStatus struct {\n // FQDNState stores mapping from FQDN rules to nftables sets used for a firewall rule.\n // Key is either MatchName or MatchPattern\n // +optional\n FQDNState FQDNState `json:\"fqdn_state,omitempty\"` \n // State of the CWNP, can be either deployed or ignored\n State PolicyDeploymentState `json:\"state\"` \n // Message describe why the state changed\n Message string `json:\"message,omitempty\"`\n}","category":"page"},{"location":"overview/isolated-kubernetes/#Cloud-Controller-Manager","page":"Isolated Kubernetes","title":"Cloud Controller Manager","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"This component was adopted to allow to be started without a default network specified. This was actually always the internet network and if no ip address was specified in the Service Type LoadBalancer, one ip was allocated from this default network. For isolated clusters this is not provided and a cluster user must always specify this ip to get a working load balancer.","category":"page"},{"location":"overview/isolated-kubernetes/#OCI-Mirror","page":"Isolated Kubernetes","title":"OCI Mirror","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"The OCI Mirror is a new application which acts as a scheduled job that pulls a given list of container images and pushes them to a private registry (which will then serve as the private registry mirror). The detailed description can be read on the project website.","category":"page"},{"location":"overview/isolated-kubernetes/#Related-Pull-Requests","page":"Isolated Kubernetes","title":"Related Pull Requests","text":"","category":"section"},{"location":"overview/isolated-kubernetes/","page":"Isolated Kubernetes","title":"Isolated Kubernetes","text":"Gardener Extension Provider\nFirewall Controller Manager\nFirewall Controller\nOS Metal Extension\nMetal Cloud Controller Manager\nMetal Networker\nMetal Images\nOCI Mirror","category":"page"},{"location":"external/metalctl/docs/metalctl_partition/#metalctl-partition","page":"metalctl partition","title":"metalctl partition","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition/","page":"metalctl partition","title":"metalctl partition","text":"manage partition entities","category":"page"},{"location":"external/metalctl/docs/metalctl_partition/#Synopsis","page":"metalctl partition","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition/","page":"metalctl partition","title":"metalctl partition","text":"a partition is a failure domain in the data center.","category":"page"},{"location":"external/metalctl/docs/metalctl_partition/#Options","page":"metalctl partition","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition/","page":"metalctl partition","title":"metalctl partition","text":" -h, --help help for partition","category":"page"},{"location":"external/metalctl/docs/metalctl_partition/#Options-inherited-from-parent-commands","page":"metalctl partition","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition/","page":"metalctl partition","title":"metalctl partition","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_partition/#SEE-ALSO","page":"metalctl partition","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition/","page":"metalctl partition","title":"metalctl partition","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl partition apply\t - applies one or more partitions from a given file\nmetalctl partition capacity\t - show partition capacity\nmetalctl partition create\t - creates the partition\nmetalctl partition delete\t - deletes the partition\nmetalctl partition describe\t - describes the partition\nmetalctl partition edit\t - edit the partition through an editor and update\nmetalctl partition list\t - list all partitions\nmetalctl partition update\t - updates the partition","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_apply/#metalctl-filesystemlayout-apply","page":"metalctl filesystemlayout apply","title":"metalctl filesystemlayout apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_apply/","page":"metalctl filesystemlayout apply","title":"metalctl filesystemlayout apply","text":"applies one or more filesystemlayouts from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_apply/","page":"metalctl filesystemlayout apply","title":"metalctl filesystemlayout apply","text":"metalctl filesystemlayout apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_apply/#Options","page":"metalctl filesystemlayout apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_apply/","page":"metalctl filesystemlayout apply","title":"metalctl filesystemlayout apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl filesystemlayout describe filesystemlayout-1 -o yaml > filesystemlayout.yaml\n $ vi filesystemlayout.yaml\n $ # either via stdin\n $ cat filesystemlayout.yaml | metalctl filesystemlayout apply -f -\n $ # or via file\n $ metalctl filesystemlayout apply -f filesystemlayout.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_apply/#Options-inherited-from-parent-commands","page":"metalctl filesystemlayout apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_apply/","page":"metalctl filesystemlayout apply","title":"metalctl filesystemlayout apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_apply/#SEE-ALSO","page":"metalctl filesystemlayout apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_apply/","page":"metalctl filesystemlayout apply","title":"metalctl filesystemlayout apply","text":"metalctl filesystemlayout\t - manage filesystemlayout entities","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/#metalctl-switch-connected-machines","page":"metalctl switch connected-machines","title":"metalctl switch connected-machines","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/","page":"metalctl switch connected-machines","title":"metalctl switch connected-machines","text":"shows switches with their connected machines","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/","page":"metalctl switch connected-machines","title":"metalctl switch connected-machines","text":"metalctl switch connected-machines [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/#Examples","page":"metalctl switch connected-machines","title":"Examples","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/","page":"metalctl switch connected-machines","title":"metalctl switch connected-machines","text":"The command will show the machines connected to the switch ports.\n\nCan also be used with -o template in order to generate CSV-style output:\n\n$ metalctl switch connected-machines -o template --template '{{ $machines := .machines }}{{ range .switches }}{{ $switch := . }}{{ range .connections }}{{ $switch.id }},{{ $switch.rack_id }},{{ .nic.name }},{{ .machine_id }},{{ (index $machines .machine_id).ipmi.fru.product_serial }}{{ printf \"\\n\" }}{{ end }}{{ end }}'\nr01leaf01,swp1,f78cc340-e5e8-48ed-8fe7-2336c1e2ded2,\nr01leaf01,swp2,44e3a522-5f48-4f3c-9188-41025f9e401e,\n...\n","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/#Options","page":"metalctl switch connected-machines","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/","page":"metalctl switch connected-machines","title":"metalctl switch connected-machines","text":" -h, --help help for connected-machines\n --id string ID of the switch.\n --machine-id string The id of the connected machine, ignores size flag if set.\n --name string Name of the switch.\n --os-vendor string OS vendor of this switch.\n --os-version string OS version of this switch.\n --partition string Partition of this switch.\n --rack string Rack of this switch.\n --size string Size of the connected machines.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/#Options-inherited-from-parent-commands","page":"metalctl switch connected-machines","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/","page":"metalctl switch connected-machines","title":"metalctl switch connected-machines","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/#SEE-ALSO","page":"metalctl switch connected-machines","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_connected-machines/","page":"metalctl switch connected-machines","title":"metalctl switch connected-machines","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_create/#metalctl-filesystemlayout-create","page":"metalctl filesystemlayout create","title":"metalctl filesystemlayout create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_create/","page":"metalctl filesystemlayout create","title":"metalctl filesystemlayout create","text":"creates the filesystemlayout","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_create/","page":"metalctl filesystemlayout create","title":"metalctl filesystemlayout create","text":"metalctl filesystemlayout create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_create/#Options","page":"metalctl filesystemlayout create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_create/","page":"metalctl filesystemlayout create","title":"metalctl filesystemlayout create","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl filesystemlayout describe filesystemlayout-1 -o yaml > filesystemlayout.yaml\n $ vi filesystemlayout.yaml\n $ # either via stdin\n $ cat filesystemlayout.yaml | metalctl filesystemlayout create -f -\n $ # or via file\n $ metalctl filesystemlayout create -f filesystemlayout.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for create\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_create/#Options-inherited-from-parent-commands","page":"metalctl filesystemlayout create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_create/","page":"metalctl filesystemlayout create","title":"metalctl filesystemlayout create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_create/#SEE-ALSO","page":"metalctl filesystemlayout create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_create/","page":"metalctl filesystemlayout create","title":"metalctl filesystemlayout create","text":"metalctl filesystemlayout\t - manage filesystemlayout entities","category":"page"},{"location":"external/metalctl/docs/metalctl_project_delete/#metalctl-project-delete","page":"metalctl project delete","title":"metalctl project delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_delete/","page":"metalctl project delete","title":"metalctl project delete","text":"deletes the project","category":"page"},{"location":"external/metalctl/docs/metalctl_project_delete/","page":"metalctl project delete","title":"metalctl project delete","text":"metalctl project delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_project_delete/#Options","page":"metalctl project delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_delete/","page":"metalctl project delete","title":"metalctl project delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl project describe project-1 -o yaml > project.yaml\n $ vi project.yaml\n $ # either via stdin\n $ cat project.yaml | metalctl project delete -f -\n $ # or via file\n $ metalctl project delete -f project.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_project_delete/#Options-inherited-from-parent-commands","page":"metalctl project delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_delete/","page":"metalctl project delete","title":"metalctl project delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_project_delete/#SEE-ALSO","page":"metalctl project delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_delete/","page":"metalctl project delete","title":"metalctl project delete","text":"metalctl project\t - manage project entities","category":"page"},{"location":"external/metalctl/docs/metalctl_image_apply/#metalctl-image-apply","page":"metalctl image apply","title":"metalctl image apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_apply/","page":"metalctl image apply","title":"metalctl image apply","text":"applies one or more images from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_image_apply/","page":"metalctl image apply","title":"metalctl image apply","text":"metalctl image apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_image_apply/#Options","page":"metalctl image apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_apply/","page":"metalctl image apply","title":"metalctl image apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl image describe image-1 -o yaml > image.yaml\n $ vi image.yaml\n $ # either via stdin\n $ cat image.yaml | metalctl image apply -f -\n $ # or via file\n $ metalctl image apply -f image.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_image_apply/#Options-inherited-from-parent-commands","page":"metalctl image apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_apply/","page":"metalctl image apply","title":"metalctl image apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_image_apply/#SEE-ALSO","page":"metalctl image apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_apply/","page":"metalctl image apply","title":"metalctl image apply","text":"metalctl image\t - manage image entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network_list/#metalctl-network-list","page":"metalctl network list","title":"metalctl network list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_list/","page":"metalctl network list","title":"metalctl network list","text":"list all networks","category":"page"},{"location":"external/metalctl/docs/metalctl_network_list/","page":"metalctl network list","title":"metalctl network list","text":"metalctl network list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_list/#Options","page":"metalctl network list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_list/","page":"metalctl network list","title":"metalctl network list","text":" --destination-prefixes strings destination prefixes to filter, use it like: --destination-prefixes prefix1,prefix2.\n -h, --help help for list\n --id string ID to filter [optional]\n --name string name to filter [optional]\n --nat nat to filter [optional]\n --parent string parent network to filter [optional]\n --partition string partition to filter [optional]\n --prefixes strings prefixes to filter, use it like: --prefixes prefix1,prefix2.\n --privatesuper privatesuper to filter [optional]\n --project string project to filter [optional]\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: description|id|name|partition|project\n --underlay underlay to filter [optional]\n --vrf int vrf to filter [optional]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_list/#Options-inherited-from-parent-commands","page":"metalctl network list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_list/","page":"metalctl network list","title":"metalctl network list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_list/#SEE-ALSO","page":"metalctl network list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_list/","page":"metalctl network list","title":"metalctl network list","text":"metalctl network\t - manage network entities","category":"page"},{"location":"development/proposals/MEP5/README/#Shared-Networks","page":"Shared Networks","title":"Shared Networks","text":"","category":"section"},{"location":"development/proposals/MEP5/README/#Why-are-shared-networks-needed","page":"Shared Networks","title":"Why are shared networks needed","text":"","category":"section"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"For special purpose machines that serve shared services with performance critical workloads to all machines of a partition (like persistent storage) it would be good to have kind of a \"shared network\" that is easily accessible. They do not necessarily need another firewall. This would avoid having two firewalls in the datapath between a machine in a private network and the machines of a shared service.","category":"page"},{"location":"development/proposals/MEP5/README/#Constraints-that-need-to-hold","page":"Shared Networks","title":"Constraints that need to hold","text":"","category":"section"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"a shared network is usable from all machines that have a firewall in front, that uses it\na shared network is only usable within a single partition (currently we are constrained in bandwidth and have no routing of 10.0.0.0/8 addresses btw. partitions and failure domain should be the partition but this constraint might get lifted in the future)\nnetworks may be marked as shared after network allocation (but there should be no way back from shared to unshared)\nneither machines nor firewalls may have multiple private, unshared networks configured\nmachines must have a single primary network configured\nthis might be a shared network\nOR a plain, unshared private network\nfirewalls may participate in multiple shared networks\nmachines can be allocated with a primary network using auto IP allocation or with noauto and a specific IP","category":"page"},{"location":"development/proposals/MEP5/README/#Should-shared-networks-be-private","page":"Shared Networks","title":"Should shared networks be private","text":"","category":"section"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"Alternative 1: If we implemented shared networks by extending functions around plain, private networks we would not have to manage another CIDR (mini point) and it would be possible to create a k8s cluster with a private network, mark the network as shared and produce shared services from this k8s cluster.","category":"page"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"Alternative 2: If shared networks are implemented as first class networks we could customize the VRF and also accomplish an other goal of our roadmap: being able to create machines directly in an external network.","category":"page"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"Together with @majst01 and @Gerrit91 we decided to continue to implement Alternative 1.","category":"page"},{"location":"development/proposals/MEP5/README/#Firewalls-accessing-a-shared-network","page":"Shared Networks","title":"Firewalls accessing a shared network","text":"","category":"section"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"Firewalls that access shared networks need to:","category":"page"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"hide the private network behind an ip address of the shared network if the shared network was configured with nat=true.\nimport the prefixes of the shared VRF to the private VRF and import the prefixes of the private VRF to the shared VRF so that the communication between the two is working in both directions. As long as no nat=true was set on the shared VRF, the original machine ips are visible in both communication directions.","category":"page"},{"location":"development/proposals/MEP5/README/#Setup-with-shared-networks-and-single-consumer","page":"Shared Networks","title":"Setup with shared networks and single consumer","text":"","category":"section"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"(Image: Simple Setup)","category":"page"},{"location":"development/proposals/MEP5/README/#Setup-with-single-shared-network-and-multiple-consumers","page":"Shared Networks","title":"Setup with single shared network and multiple consumers","text":"","category":"section"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"(Image: Advanced Setup)","category":"page"},{"location":"development/proposals/MEP5/README/#Getting-internet-access","page":"Shared Networks","title":"Getting internet access","text":"","category":"section"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"Machines contained in a shared network can access the internet with different scenarios:","category":"page"},{"location":"development/proposals/MEP5/README/","page":"Shared Networks","title":"Shared Networks","text":"if they have an own firewall: this is internet accessibility, as common (check whether all traffic gets routed through it!)\nif they don't have an own firewall, an external HTTP proxy is needed that has an endpoint exposed as Service Type NodePort","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_delete/#metalctl-tenant-delete","page":"metalctl tenant delete","title":"metalctl tenant delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_delete/","page":"metalctl tenant delete","title":"metalctl tenant delete","text":"deletes the tenant","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_delete/","page":"metalctl tenant delete","title":"metalctl tenant delete","text":"metalctl tenant delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_delete/#Options","page":"metalctl tenant delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_delete/","page":"metalctl tenant delete","title":"metalctl tenant delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl tenant describe tenant-1 -o yaml > tenant.yaml\n $ vi tenant.yaml\n $ # either via stdin\n $ cat tenant.yaml | metalctl tenant delete -f -\n $ # or via file\n $ metalctl tenant delete -f tenant.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_delete/#Options-inherited-from-parent-commands","page":"metalctl tenant delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_delete/","page":"metalctl tenant delete","title":"metalctl tenant delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_delete/#SEE-ALSO","page":"metalctl tenant delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_delete/","page":"metalctl tenant delete","title":"metalctl tenant delete","text":"metalctl tenant\t - manage tenant entities","category":"page"},{"location":"external/firewall-controller/CONTRIBUTING/#Contributing","page":"Contributing","title":"Contributing","text":"","category":"section"},{"location":"external/firewall-controller/CONTRIBUTING/","page":"Contributing","title":"Contributing","text":"Please check out the contributing section in our docs.","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_create/#metalctl-network-ip-create","page":"metalctl network ip create","title":"metalctl network ip create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_create/","page":"metalctl network ip create","title":"metalctl network ip create","text":"creates the ip","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_create/","page":"metalctl network ip create","title":"metalctl network ip create","text":"metalctl network ip create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_create/#Options","page":"metalctl network ip create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_create/","page":"metalctl network ip create","title":"metalctl network ip create","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -d, --description string description of the IP to allocate. [optional]\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl ip describe ip-1 -o yaml > ip.yaml\n $ vi ip.yaml\n $ # either via stdin\n $ cat ip.yaml | metalctl ip create -f -\n $ # or via file\n $ metalctl ip create -f ip.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for create\n --ipaddress string a specific ip address to allocate. [optional]\n -n, --name string name of the IP to allocate. [optional]\n --network string network from where the IP should be allocated.\n --project string project for which the IP should be allocated.\n --skip-security-prompts skips security prompt for bulk operations\n --tags strings tags to attach to the IP.\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations\n --type string type of the IP to allocate: ephemeral|static [optional] (default \"ephemeral\")","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_create/#Options-inherited-from-parent-commands","page":"metalctl network ip create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_create/","page":"metalctl network ip create","title":"metalctl network ip create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_create/#SEE-ALSO","page":"metalctl network ip create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_create/","page":"metalctl network ip create","title":"metalctl network ip create","text":"metalctl network ip\t - manage ip entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_edit/#metalctl-size-reservation-edit","page":"metalctl size reservation edit","title":"metalctl size reservation edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_edit/","page":"metalctl size reservation edit","title":"metalctl size reservation edit","text":"edit the reservation through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_edit/","page":"metalctl size reservation edit","title":"metalctl size reservation edit","text":"metalctl size reservation edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_edit/#Options","page":"metalctl size reservation edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_edit/","page":"metalctl size reservation edit","title":"metalctl size reservation edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_edit/#Options-inherited-from-parent-commands","page":"metalctl size reservation edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_edit/","page":"metalctl size reservation edit","title":"metalctl size reservation edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_edit/#SEE-ALSO","page":"metalctl size reservation edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_edit/","page":"metalctl size reservation edit","title":"metalctl size reservation edit","text":"metalctl size reservation\t - manage reservation entities","category":"page"},{"location":"external/metalctl/docs/metalctl_health/#metalctl-health","page":"metalctl health","title":"metalctl health","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_health/","page":"metalctl health","title":"metalctl health","text":"shows the server health","category":"page"},{"location":"external/metalctl/docs/metalctl_health/","page":"metalctl health","title":"metalctl health","text":"metalctl health [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_health/#Options","page":"metalctl health","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_health/","page":"metalctl health","title":"metalctl health","text":" -h, --help help for health","category":"page"},{"location":"external/metalctl/docs/metalctl_health/#Options-inherited-from-parent-commands","page":"metalctl health","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_health/","page":"metalctl health","title":"metalctl health","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_health/#SEE-ALSO","page":"metalctl health","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_health/","page":"metalctl health","title":"metalctl health","text":"metalctl\t - a cli to manage entities in the metal-stack api","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload/#metalctl-firmware-upload","page":"metalctl firmware upload","title":"metalctl firmware upload","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload/","page":"metalctl firmware upload","title":"metalctl firmware upload","text":"upload a firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload/#Options","page":"metalctl firmware upload","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload/","page":"metalctl firmware upload","title":"metalctl firmware upload","text":" -h, --help help for upload","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload/#Options-inherited-from-parent-commands","page":"metalctl firmware upload","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload/","page":"metalctl firmware upload","title":"metalctl firmware upload","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload/#SEE-ALSO","page":"metalctl firmware upload","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload/","page":"metalctl firmware upload","title":"metalctl firmware upload","text":"metalctl firmware\t - manage firmwares\nmetalctl firmware upload bios\t - upload a BIOS firmware\nmetalctl firmware upload bmc\t - upload a BMC firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_detail/#metalctl-switch-detail","page":"metalctl switch detail","title":"metalctl switch detail","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_detail/","page":"metalctl switch detail","title":"metalctl switch detail","text":"switch details","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_detail/","page":"metalctl switch detail","title":"metalctl switch detail","text":"metalctl switch detail [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_detail/#Options","page":"metalctl switch detail","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_detail/","page":"metalctl switch detail","title":"metalctl switch detail","text":" -h, --help help for detail\n --id string ID of the switch.\n --name string Name of the switch.\n --os-vendor string OS vendor of this switch.\n --os-version string OS version of this switch.\n --partition string Partition of this switch.\n --rack string Rack of this switch.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_detail/#Options-inherited-from-parent-commands","page":"metalctl switch detail","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_detail/","page":"metalctl switch detail","title":"metalctl switch detail","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_detail/#SEE-ALSO","page":"metalctl switch detail","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_detail/","page":"metalctl switch detail","title":"metalctl switch detail","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_edit/#metalctl-switch-edit","page":"metalctl switch edit","title":"metalctl switch edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_edit/","page":"metalctl switch edit","title":"metalctl switch edit","text":"edit the switch through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_edit/","page":"metalctl switch edit","title":"metalctl switch edit","text":"metalctl switch edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_edit/#Options","page":"metalctl switch edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_edit/","page":"metalctl switch edit","title":"metalctl switch edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_edit/#Options-inherited-from-parent-commands","page":"metalctl switch edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_edit/","page":"metalctl switch edit","title":"metalctl switch edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_edit/#SEE-ALSO","page":"metalctl switch edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_edit/","page":"metalctl switch edit","title":"metalctl switch edit","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"external/metalctl/CONTRIBUTING/#Contributing","page":"Contributing","title":"Contributing","text":"","category":"section"},{"location":"external/metalctl/CONTRIBUTING/","page":"Contributing","title":"Contributing","text":"Please check out the contributing section in our docs.","category":"page"},{"location":"external/metalctl/docs/metalctl_update/#metalctl-update","page":"metalctl update","title":"metalctl update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update/","page":"metalctl update","title":"metalctl update","text":"update the program","category":"page"},{"location":"external/metalctl/docs/metalctl_update/#Options","page":"metalctl update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update/","page":"metalctl update","title":"metalctl update","text":" -h, --help help for update","category":"page"},{"location":"external/metalctl/docs/metalctl_update/#Options-inherited-from-parent-commands","page":"metalctl update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update/","page":"metalctl update","title":"metalctl update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_update/#SEE-ALSO","page":"metalctl update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update/","page":"metalctl update","title":"metalctl update","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl update check\t - check for update of the program\nmetalctl update do\t - do the update of the program","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_replace/#metalctl-switch-replace","page":"metalctl switch replace","title":"metalctl switch replace","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_replace/","page":"metalctl switch replace","title":"metalctl switch replace","text":"put a leaf switch into replace mode in preparation for physical replacement. For a description of the steps involved see the long help.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_replace/#Synopsis","page":"metalctl switch replace","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_replace/","page":"metalctl switch replace","title":"metalctl switch replace","text":"Put a leaf switch into replace mode in preparation for physical replacement","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_replace/","page":"metalctl switch replace","title":"metalctl switch replace","text":"Operational steps to replace a switch:","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_replace/","page":"metalctl switch replace","title":"metalctl switch replace","text":"Put the switch that needs to be replaced in replace mode with this command\nReplace the switch MAC address in the metal-stack deployment configuration\nMake sure that interfaces on the new switch do not get connected to the PXE-bridge immediately by setting the interfaces list of the respective leaf switch to [] in the metal-stack deployment configuration\nDeploy the management servers so that the dhcp servers will serve the right address and DHCP options to the new switch\nReplace the switch physically. Be careful to ensure that the cabling mirrors the remaining leaf exactly because the new switch information will be cloned from the remaining switch! Also make sure to have console access to the switch so you can start and monitor the install process\nIf the switch is not in onie install mode but already has an operating system installed, put it into install mode with \"sudo onie-select -i -f -v\" and reboot it. Now the switch should be provisioned with a management IP from a management server, install itself with the right software image and receive license and ssh keys through ZTP. You can check whether that process has completed successfully with the command \"sudo ztp -s\". The ZTP state should be disabled and the result should be success.\nDeploy the switch plane and metal-core through metal-stack deployment CI job\nThe switch will now register with its metal-api, and the metal-core service will receive the cloned interface and routing information. You can verify successful switch replacement by checking the interface and BGP configuration, and checking the switch status with \"metalctl switch ls -o wide\"; it should now be operational again","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_replace/","page":"metalctl switch replace","title":"metalctl switch replace","text":"metalctl switch replace [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_replace/#Options","page":"metalctl switch replace","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_replace/","page":"metalctl switch replace","title":"metalctl switch replace","text":" -h, --help help for replace","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_replace/#Options-inherited-from-parent-commands","page":"metalctl switch replace","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_replace/","page":"metalctl switch replace","title":"metalctl switch replace","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_replace/#SEE-ALSO","page":"metalctl switch replace","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_replace/","page":"metalctl switch replace","title":"metalctl switch replace","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_create/#metalctl-tenant-create","page":"metalctl tenant create","title":"metalctl tenant create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_create/","page":"metalctl tenant create","title":"metalctl tenant create","text":"creates the tenant","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_create/","page":"metalctl tenant create","title":"metalctl tenant create","text":"metalctl tenant create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_create/#Options","page":"metalctl tenant create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_create/","page":"metalctl tenant create","title":"metalctl tenant create","text":" --annotations strings add initial annotations, must be in the form of key=value, can be given multiple times to add multiple annotations, e.g. --annotation key=value --annotation foo=bar\n --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n --cluster-quota int32 cluster quota\n --description string description of the tenant.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl tenant describe tenant-1 -o yaml > tenant.yaml\n $ vi tenant.yaml\n $ # either via stdin\n $ cat tenant.yaml | metalctl tenant create -f -\n $ # or via file\n $ metalctl tenant create -f tenant.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for create\n --id string id of the tenant, max 10 characters.\n --ip-quota int32 ip quota\n --labels strings add initial label, can be given multiple times to add multiple labels, e.g. --label=foo --label=bar\n --machine-quota int32 machine quota\n --name string name of the tenant, max 10 characters.\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_create/#Options-inherited-from-parent-commands","page":"metalctl tenant create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_create/","page":"metalctl tenant create","title":"metalctl tenant create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_create/#SEE-ALSO","page":"metalctl tenant create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_create/","page":"metalctl tenant create","title":"metalctl tenant create","text":"metalctl tenant\t - manage tenant entities","category":"page"},{"location":"development/contributing/#Contributing","page":"Contributing","title":"Contributing","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"This document describes the way we want to contribute code to the projects of metal-stack, which are hosted on github.com/metal-stack.","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"The document is meant to be understood as a general guideline for contributions, but not as burden to be placed on a developer. Use your best judgment when contributing code. Try to be as clean and precise as possible when writing code and try to make your code as maintainable and understandable as possible for other people.","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Even if it should go without saying, we live an open culture of discussion, in which everybody is welcome to participate. We treat every contribution with respect and objectiveness with the general aim to write software of quality.","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"If you want, feel free to propose changes to this document in a pull request.","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Pages = [\"contributing.md\"]\nDepth = 5","category":"page"},{"location":"development/contributing/#How-Can-I-Contribute?","page":"Contributing","title":"How Can I Contribute?","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Open a Github issue in the project you would like to contribute. Within the issue, your idea can be discussed. It is also possible to directly create a pull request when the set of changes is relatively small.","category":"page"},{"location":"development/contributing/#Pull-Requests","page":"Contributing","title":"Pull Requests","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"The process described here has several goals:","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Maintain quality\nEnable a sustainable system to review contributions\nEnable documented and reproducible addition of contributions","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Create a meaningful issue describing the WHY? of your contribution\nCreate a repository fork within the context of that issue.\nCreate a Draft Pull Request to the master branch of the target repository.\nDevelop, document and test your contribution (try not to solve more than one issue in a single pull request)\nAsk for merging your contribution by removing the draft marker\nIf code owners are defined, try to assign the request to a code owner","category":"page"},{"location":"development/contributing/#General-Objectives","page":"Contributing","title":"General Objectives","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"This section contains language-agnostic topics that all metal-stack projects are trying to follow.","category":"page"},{"location":"development/contributing/#Code-Ownership","page":"Contributing","title":"Code Ownership","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"The code base is owned by the entire team and every member is allowed to contribute changes to any of the projects. This is considered as collective code ownership[1].","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"As a matter of fact, there are persons in a project, which already have experience with the sources. These are defined directly in the repository's CODEOWNERS file. If you want to merge changes into the master branch, it is advisable to include code owners into the process of discussion and merging.","category":"page"},{"location":"development/contributing/#Microservices","page":"Contributing","title":"Microservices","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"One major ambition of metal-stack is to follow the idea of microservices. This way, we want to achieve that we can","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"adapt to changes faster than with monolithic architectures,\nbe free of restrictions due to certain choices of technology,\nleverage powerful traits of cloud infrastructures (e.g. high-scalability, high-availability, ...).","category":"page"},{"location":"development/contributing/#Programming-Languages","page":"Contributing","title":"Programming Languages","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"We are generally open to write code in any language that fits best to the function of the software. However, we encourage golang to be the main language of metal-stack as we think that it makes development faster when not establishing too many different languages in our architecture. Reason for this is that we are striving for consistent behavior of the microservices, similar to what has been described for the Twelve-Factor App (see 12 Factor). We help enforcing unified behavior by allowing a small layer of shared code for every programming language. We will refer to this shared code as \"libraries\" for the rest of this document.","category":"page"},{"location":"development/contributing/#Artifacts","page":"Contributing","title":"Artifacts","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Artifacts are always produced by a CI process (Github Actions).","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Docker images are published on the Github Container Registry of the metal-stack organization.","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Binary artifacts or OS images can be uploaded to images.metal-stack.io if necessary.","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"When building Docker images, please consider our build tool docker-make or the specific docker-make action respectively.","category":"page"},{"location":"development/contributing/#APIs","page":"Contributing","title":"APIs","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"We are currently making use of Swagger when we exposing traditional REST APIs for end-users. This helps us with being technology-agnostic as we can generate clients in almost any language using go-swagger. Swagger additionally simplifies the documentation of our APIs.","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Most APIs though are not required to be user-facing but are of technical nature. These are preferred to be implemented using grpc.","category":"page"},{"location":"development/contributing/#Versioning","page":"Contributing","title":"Versioning","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Artifacts are versioned by tagging the respective repository with a tag starting with the letter v. After the letter, there stands a valid semantic version.","category":"page"},{"location":"development/contributing/#Documentation","page":"Contributing","title":"Documentation","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"In order to make it easier for others to understand a project, we document general information and usage instructions in a README.md in any project.","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"In addition to that, we document a microservice in the docs repository. The documentation should contain the reasoning why this service exists and why it was being implemented the way it was being implemented. The aim of this procedure is to reduce the time for contributors to comprehend architectural decisions that were made during the process of writing the software and to clarify the general purpose of this service in the entire context of the software.","category":"page"},{"location":"development/contributing/#Guidelines","page":"Contributing","title":"Guidelines","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"This chapter describes general guidelines on how to develop and contribute code for a certain programming language.","category":"page"},{"location":"development/contributing/#Golang","page":"Contributing","title":"Golang","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Development follows the official guide to:","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Write clear, idiomatic Go code[2]\nLearn from mistakes that must not be repeated[3]\nApply appropriate names to your artifacts:\nhttps://go.dev/talks/2014/names.slide\nhttps://go.dev/blog/package-names\nhttps://go.dev/doc/effective_go#names\nEnable others to understand the reasoning of non-trivial code sequences by applying a meaningful documentation.","category":"page"},{"location":"development/contributing/#Development-Decisions","page":"Contributing","title":"Development Decisions","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Dependency Management by using Go modules\nBuild and Test Automation by using GNU Make.\nEnd-user APIs should consider using go-swagger and Go-Restful Technical APIs should consider using grpc","category":"page"},{"location":"development/contributing/#Libraries","page":"Contributing","title":"Libraries","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"metal-stack maintains several libraries that you should utilize in your project in order unify common behavior. Some of these projects are:","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"metal-go\nmetal-lib","category":"page"},{"location":"development/contributing/#Error-Handling-with-Generated-Swagger-Clients","page":"Contributing","title":"Error Handling with Generated Swagger Clients","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"From the server-side you should ensure that you are returning the common error json struct in case of an error as defined in the metal-lib/httperrors. Ensure you are using go-restful >= v2.9.1 and go-restful-openapi >= v0.13.1 (allows default responses with error codes other than 200).","category":"page"},{"location":"development/contributing/#Documentation-2","page":"Contributing","title":"Documentation","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"We want to share knowledge and keep things simple. If things cannot kept simple we want enable everybody to understand them by:","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Document in short sentences[4].\nDo not explain the HOW (this is already documented by your code and documenting the obvious is considered a defect).\nExplain the WHY. Add a \"to\" in your documentation line to force yourself to explain the reasonning (e.g. \" to \").","category":"page"},{"location":"development/contributing/#Python","page":"Contributing","title":"Python","text":"","category":"section"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Development follows the official guide to:","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"Style Guide for Python Code (PEP 8)[5]\nThe use of an IDE like PyCharm helps to write compliant code easily\nConsider setuptools for packaging\nIf you want to add a Python microservice to the mix, consider pyinstaller on Alpine to achieve small image sizes","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"[1]: https://martinfowler.com/bliki/CodeOwnership.html","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"[2]: https://go.dev/doc/effective_go","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"[3]: https://github.com/golang/go/wiki/CodeReviewComments","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"[4]: https://github.com/golang/go/wiki/CodeReviewComments#comment-sentences","category":"page"},{"location":"development/contributing/","page":"Contributing","title":"Contributing","text":"[5]: https://www.python.org/dev/peps/pep-0008/","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_lock/#metalctl-machine-lock","page":"metalctl machine lock","title":"metalctl machine lock","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_lock/","page":"metalctl machine lock","title":"metalctl machine lock","text":"lock a machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_lock/#Synopsis","page":"metalctl machine lock","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_lock/","page":"metalctl machine lock","title":"metalctl machine lock","text":"when a machine is locked, it can not be destroyed, to destroy a machine you must first remove the lock from that machine with –remove","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_lock/","page":"metalctl machine lock","title":"metalctl machine lock","text":"metalctl machine lock [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_lock/#Options","page":"metalctl machine lock","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_lock/","page":"metalctl machine lock","title":"metalctl machine lock","text":" -d, --description string description of the reason for the lock.\n -h, --help help for lock\n -r, --remove remove the lock.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_lock/#Options-inherited-from-parent-commands","page":"metalctl machine lock","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_lock/","page":"metalctl machine lock","title":"metalctl machine lock","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_lock/#SEE-ALSO","page":"metalctl machine lock","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_lock/","page":"metalctl machine lock","title":"metalctl machine lock","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues_list/#metalctl-machine-issues-list","page":"metalctl machine issues list","title":"metalctl machine issues list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_issues_list/","page":"metalctl machine issues list","title":"metalctl machine issues list","text":"list all machine issues that the metal-api can evaluate","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues_list/","page":"metalctl machine issues list","title":"metalctl machine issues list","text":"metalctl machine issues list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues_list/#Options","page":"metalctl machine issues list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_issues_list/","page":"metalctl machine issues list","title":"metalctl machine issues list","text":" -h, --help help for list\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: id|severity","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues_list/#Options-inherited-from-parent-commands","page":"metalctl machine issues list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_issues_list/","page":"metalctl machine issues list","title":"metalctl machine issues list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_issues_list/#SEE-ALSO","page":"metalctl machine issues list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_issues_list/","page":"metalctl machine issues list","title":"metalctl machine issues list","text":"metalctl machine issues\t - display machines which are in a potential bad state","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_delete/#metalctl-machine-delete","page":"metalctl machine delete","title":"metalctl machine delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_delete/","page":"metalctl machine delete","title":"metalctl machine delete","text":"deletes the machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_delete/#Synopsis","page":"metalctl machine delete","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_delete/","page":"metalctl machine delete","title":"metalctl machine delete","text":"delete a machine and destroy all data stored on the local disks. Once destroyed it is back for usage by other projects. A destroyed machine can not restored anymore","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_delete/","page":"metalctl machine delete","title":"metalctl machine delete","text":"metalctl machine delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_delete/#Options","page":"metalctl machine delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_delete/","page":"metalctl machine delete","title":"metalctl machine delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl machine describe machine-1 -o yaml > machine.yaml\n $ vi machine.yaml\n $ # either via stdin\n $ cat machine.yaml | metalctl machine delete -f -\n $ # or via file\n $ metalctl machine delete -f machine.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --remove-from-database remove given machine from the database, is only required for maintenance reasons [optional] (admin only).\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_delete/#Options-inherited-from-parent-commands","page":"metalctl machine delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_delete/","page":"metalctl machine delete","title":"metalctl machine delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_delete/#SEE-ALSO","page":"metalctl machine delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_delete/","page":"metalctl machine delete","title":"metalctl machine delete","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"development/proposals/MEP1/README/#Distributed-Metal-Control-Plane","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"","category":"section"},{"location":"development/proposals/MEP1/README/#Problem-Statement","page":"Distributed Metal Control Plane","title":"Problem Statement","text":"","category":"section"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"We face the situation that we argue for running bare metal on premise because this way the customers can control where and how their software and data are processed and stored. On the other hand, we have currently decided that our metal-api control plane components run on a kubernetes cluster (in our case on a cluster provided by one of the available hyperscalers).","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Running the control plane on Kubernetes has the following benefits:","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Ease of deployment\nGet most, if not all, of the required infrastructure services like (probably incomplete):\nIPs\nDNS\nL7-Loadbalancing\nStorage\nS3 Backup\nHigh Availability","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Using a kubernetes as a service offering from one of the hyperscalers, enables us to focus on using kubernetes instead of maintaining it as well.","category":"page"},{"location":"development/proposals/MEP1/README/#Goal","page":"Distributed Metal Control Plane","title":"Goal","text":"","category":"section"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"It would be much saner if metal-stack has no, or only minimal dependencies to external services. Imagine a metal-stack deployment in a plant, it would be optimal if we only have to deliver a single rack with servers and networking gear installed and wired, plug that rack to the power supply and a internet uplink and its ready to go.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Have a second plant which you want to be part of all your plants? Just tell both that they are part of something bigger and metal-api knows of two partitions.","category":"page"},{"location":"development/proposals/MEP1/README/#Possible-Solutions","page":"Distributed Metal Control Plane","title":"Possible Solutions","text":"","category":"section"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"We can think of two different solutions to this vision:","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Keep the central control plane approach and require some sort of kubernetes deployment accessible from the internet. This has the downside that the user must, provide a managed kubernetes deployment in his own datacenter or uses a hyperscaler. Still not optimal.\nInstall the metal-api and all its dependencies in every partition, replicate or shard the databases to every connected partition, make them know each other. Connect the partitions over the internet with some sort of vpn to make the services visible to each other.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"As we can see, the first approach does not really address the problem, therefore i will describe solution #2 in more details.","category":"page"},{"location":"development/proposals/MEP1/README/#Central/Current-setup","page":"Distributed Metal Control Plane","title":"Central/Current setup","text":"","category":"section"},{"location":"development/proposals/MEP1/README/#Stateful-services","page":"Distributed Metal Control Plane","title":"Stateful services","text":"","category":"section"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Every distributed system suffer from handling state in a scalable, fast and correct way. To start how to cope with the state, we first must identify which state can be seen as partition local only and which state must be synchronous for read, and synchronous for writes across partitions.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Affected states:","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"masterdata: e.g. tenant and project must be present in every partition, but these are entities which are read often but updates are rare. A write can therefore be visible with a decent delay in a distinct partition with no consequences.\nipam: the prefixes and ip´s allocated from machines. These entities are also read often and rare updates. But we must differentiate between dirty reads for different types. A machine network is partition local, ips acquired from such a network must by synchronous in the same partition. Ips acquired from global networks such as internet must by synchronous for all partitions, as otherwise a internet ip could be acquired twice.\nvrf ids: they must only be unique in one partition\nimage and size configurations: read often, written seldom, so no high requirements on the storage of these entities.\nimages: os images are already replicated from a central s3 storage to a per partition s3 service. metal-hammer kernel and initrd are small and pull always from the central s3, can be done similar to os images.\nmachine and machine allocation: must be only synchronous in the partition\nswitch: must be only synchronous in the partition\nnsq messages: do not need to cross partition boundaries. No need to keep the messages persistent, even the opposite is true, we don't want to have the messages persist for a longer period.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Now we can see that the most critical state to held and synchronize are the IPAM data, because these entities must be guaranteed to be synchronously updated, while being updated frequently.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Datastores:","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"We use three different types of datastores to persist the states of the metal application.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"rethinkdb is the main datastore for almost all entities managed by metal-api\npostgresql is used for masterdata and ipam data.\nnsq uses disk and memory tho store the messages.","category":"page"},{"location":"development/proposals/MEP1/README/#Stateless-services","page":"Distributed Metal Control Plane","title":"Stateless services","text":"","category":"section"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"These are the easy part, all of our services which are stateless can be scaled up and down without any impact on functionality. Even the stateful services like masterdata and metal-api rely fully on the underlying datastore and can therefore also be scaled up and down to meet scalability requirements.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Albeit, most of these services need to be placed behind a loadbalancer which does the L4/L7 balancing across the started/available replicas of the service for the clients talking to it. This is actually provided by kubernetes with either service type loadbalancer or type clusterip.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"One exception is the metal-console service which must have the partition in it´s dns name now, because there is no direct network connectivity between the management networks of the partitions. See \"Network Setup)","category":"page"},{"location":"development/proposals/MEP1/README/#Distributed-setup","page":"Distributed Metal Control Plane","title":"Distributed setup","text":"","category":"section"},{"location":"development/proposals/MEP1/README/#State","page":"Distributed Metal Control Plane","title":"State","text":"","category":"section"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"In order to replicate certain data which must be available across all partitions we can use on of the existing open source databases which enable such kind of setup. There are a few available out there, the following incomplete list will highlight the pro´s and cons of each.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"RethinkDB\nWe already store most of our data in RethinkDB and it gives already the ability to synchronize the data in a distributed manner with different guarantees for consistency and latency. This is described here: Scaling, Sharding and replication. But because rethinkdb has a rough history and unsure future with the last release took more than a year, we in the team already thought that we eventually must move away from rethinkdb in the future.\nPostgresql\nPostgres does not have a multi datacenter with replication in both directions, it just can make the remote instance store the same data.\nCockroachDB\nIs a Postgresql compatible database engine on the wire. CockroachDB gives you both, ACID and geo replication with writes allowed from all connected members. It is even possible to configure Follow the Workload and Geo Partitioning and Replication.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"If we migrate all metal-api entities to be stored the same way we store masterdata, we could use cockroachdb to store all metal entities in one ore more databases spread across all partitions and still ensure consistency and high availability.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"A simple setup how this would look like is shown here.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"(Image: Simple CockroachDB setup)","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"go-ipam was modified in a example PR here: PR 17","category":"page"},{"location":"development/proposals/MEP1/README/#API-Access","page":"Distributed Metal Control Plane","title":"API Access","text":"","category":"section"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"In order to make the metal-api accessible for api users like cloud-api or metalctl as easy at it is today, some effort has to be taken. One possible approach would be to use a external loadbalancer which spread the requests evenly to all metal-api endpoints in all partitions. Because all data are accessible from all partitions, a api request going to partition A with a request to create a machine in partition B, will still work. If on the other hand partition B is not in a connected state because the interconnection between both partitions is broken, then of course the request will fail.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"IMPORTANT The NSQ Message to inform metal-core must end in the correct partition","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"To provide such a external loadbalancer we have several opportunities:","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Cloudflare or comparable CDN service.\nBGP Anycast from every partition","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Another setup would place a small gateway behind the metal-api address, which forwards to the metal-api in the partition where the request must be executed. This gateway, metal-api-router must inspect the payload, extract the desired partition, and forward the request without any modifications to the metal-api endpoint in this partition. This can be done for all requests, or if we want to optimize, only for write accesses.","category":"page"},{"location":"development/proposals/MEP1/README/#Network-setup","page":"Distributed Metal Control Plane","title":"Network setup","text":"","category":"section"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"In order to have the impact to the overall security concept as minimal as possible i would not modify the current network setup. The only modifications which has to be made are:","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Allow https ingress traffic to all metal-api instances.\nAllow ssh ingress traffic to all metal-console instances.\nAllow CockroachDB Replication between all partitions.\nNo NSQ traffic from outside required anymore, except we cant solve the topic above.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"A simple setup how this would look like is shown here, this does not work though because of the forementioned NSQ issue.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"(Image: API and Console Access)","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"Therefore we need the metal-api-router:","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"(Image: Working API and Console Access)","category":"page"},{"location":"development/proposals/MEP1/README/#Deployment","page":"Distributed Metal Control Plane","title":"Deployment","text":"","category":"section"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"The deployment of our components will substantially differ in a partition compared to a the deployment we have actually. Deploying it in kubernetes in the partition would be very difficult to achieve because we have no sane way to deploy kubernetes on physical machines without a underlying API. I would therefore suggest to deploy our components in the same way we do that for the services running on the management server. Use systemd to start docker containers.","category":"page"},{"location":"development/proposals/MEP1/README/","page":"Distributed Metal Control Plane","title":"Distributed Metal Control Plane","text":"(Image: Deployment)","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"marp: true theme: metal-stack paginate: true footer: Gerrit Schwerthelm – x-cellent technologies GmbH — metal-stack Training backgroundImage: url(\"https://metal-stack.io/images/shape/banner.png\") –- ","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"(Image: h:200px)","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/#Multi-Partition-Layout","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"section"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":" (Image: bg contain)","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":" (Image: bg contain)","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/#Multi-Partition-Layout-Properties","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout Properties","text":"","category":"section"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"Fully independent locations with own storage and own node networks\nClusters can only be created independent in every location\nFailover mechanism for deployed applications requires duplicated deployments, which can serve independently\nFailover through BGP\nIf cluster nodes are spread across partitions (not implemented yet), nodes will not be able to reach each other\nWould require an overlay network for inter-node-communication","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/#Single-Partition-Layout","page":"Multi-Partition-Layout","title":"Single-Partition-Layout","text":"","category":"section"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":" (Image: bg contain)","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/#Single-Partition-Layout-Properties","page":"Multi-Partition-Layout","title":"Single-Partition-Layout Properties","text":"","category":"section"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"Multiple groups of racks at multiple locations but connected to same CLOS topology\nAll racks can connect to the same storage network\nNodes in private networks can communicate\nWhen creating a cluster, nodes will be randomly spread across the racks\nPossible improvement of this situation, see MEP-12: Rack Spreading","category":"page"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"","category":"page"},{"location":"development/proposals/MEP12/partitioning/#MEP-12:-Rack-Spreading","page":"Multi-Partition-Layout","title":"MEP-12: Rack Spreading","text":"","category":"section"},{"location":"development/proposals/MEP12/partitioning/","page":"Multi-Partition-Layout","title":"Multi-Partition-Layout","text":"Instead of selecting a machine from a machine pool randomly\nGet all existing machines in the same project and count to which rack they belong\nPlace machine on the rack with the least amount of machines already allocated\nBest effort only","category":"page"},{"location":"overview/hardware/#Hardware-Support","page":"Hardware Support","title":"Hardware Support","text":"","category":"section"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"In order to keep the automation and maintenance overhead small, we strongly advise against building highly heterogeneous environments with metal-stack. Having a lot of different vendors and server models in your partitions will heavily increase the time and effort for introducing metal-stack in your infrastructure. From experience we can tell that the interfaces for automating hardware provisioning are usually inconsistent between vendors and even between server models of the same vendor. Therefore, we encourage adopters to start off with only a small amount of machine types. If you want to be on the safe side, you should consider buying the hardware that we officially support.","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"We came up with a repository called go-hal, which includes the interface required for metal-stack to support a machine vendor. If you plan to implement support for new vendors, please check out this repository and contribute back your efforts in order to make the community benefit from extended vendor support as well.","category":"page"},{"location":"overview/hardware/#Servers","page":"Hardware Support","title":"Servers","text":"","category":"section"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"The following server types are officially supported and verified by the metal-stack project:","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"Vendor Series Model Board Type Status\nSupermicro Big-Twin SYS-2029BT-HNR X11DPT-B stable\nSupermicro Big-Twin SYS-220BT-HNTR X12DPT-B6 stable\nSupermicro SuperServer SSG-5019D8-TR12P X11SDV-8C-TP8F stable\nSupermicro SuperServer 2029UZ-TN20R25M X11DPU stable\nSupermicro SuperServer SYS-621C-TN12R X13DDW-A stable\nSupermicro Microcloud 5039MD8-H8TNR X11SDD-8C-F stable\nSupermicro Microcloud SYS-531MC-H8TNR X13SCD-F stable\nSupermicro Microcloud 3015MR-H8TNR H13SRD-F coming soon\nLenovo ThinkSystem SD530 alpha","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"Other server series and models might work but were not reported to us.","category":"page"},{"location":"overview/hardware/#GPUs","page":"Hardware Support","title":"GPUs","text":"","category":"section"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"The following GPU types are officially supported and verified by the metal-stack project:","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"Vendor Model Status\nNVIDIA RTX 6000 stable\nNVIDIA H100 stable","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"Other GPU models might work but were not reported to us. For a detailed description howto use GPU support in a kubernetes cluster please check this documentation","category":"page"},{"location":"overview/hardware/#Network-Cards","page":"Hardware Support","title":"Network Cards","text":"","category":"section"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"The following network cards are officially supported and verified by the metal-stack project for usage in servers:","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"Vendor Series Model Status\nIntel XXV710 DA2 DualPort 2x25G SFP28 stable\nIntel E810 DA2 DualPort 2x25G SFP28 stable\nIntel E810 CQDA2 DualPort 2x100G SFP28 stable\nMellanox ConnectX-5 MCX512A-ACAT 2x25G SFP28 stable","category":"page"},{"location":"overview/hardware/#Switches","page":"Hardware Support","title":"Switches","text":"","category":"section"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"The following switch types are officially supported and verified by the metal-stack project:","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"Vendor Series Model OS Status\nEdge-Core AS7700 Series AS7712-32X Cumulus 3.7.13 stable\nEdge-Core AS7700 Series AS7726-32X Cumulus 4.1.1 stable\nEdge-Core AS7700 Series AS7712-32X Edgecore SONiC stable\nEdge-Core AS7700 Series AS7726-32X Edgecore SONiC stable","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"Other switch series and models might work but were not reported to us.","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"warning: Warning\nOn our switches we run SONiC. The metal-core writes network configuration specifically implemented for this operating system. Please also consider running SONiC on your switches if you do not want to run into any issues with networking.Our previous support for Cumulus Linux will come to an end.Of course, contributions for supporting other switch vendors and operating systems are highly appreciated.","category":"page"},{"location":"overview/hardware/#Portable-metal-stack-Setup-DIY","page":"Hardware Support","title":"Portable metal-stack Setup DIY","text":"","category":"section"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"A minimal physical hardware setup may contain at least the following components:","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"warning: Warning\nThis setup should work as the components are very similar to the currently supported ones but it's currently untested.","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"# Vendor Series Model Function\n2x Edge-Core AS5500 Series AS5512-54x (10G) Leaf / Exit switches\n1x Supermicro Microcloud SYS-5039MA16-H12RFT Usable machines\n1x Teltonika Router RUTXR1 Front router for internet and out-of-band access to servers and switches","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"Besides that, a 6HE rack with 1000mm depth and a portable LTE modem is needed.","category":"page"},{"location":"overview/hardware/","page":"Hardware Support","title":"Hardware Support","text":"This MVP will yield in 12 usable machines, one of them will be reserved as management server.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/#metalctl-machine-update-firmware-bmc","page":"metalctl machine update-firmware bmc","title":"metalctl machine update-firmware bmc","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/","page":"metalctl machine update-firmware bmc","title":"metalctl machine update-firmware bmc","text":"update a machine BMC","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/#Synopsis","page":"metalctl machine update-firmware bmc","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/","page":"metalctl machine update-firmware bmc","title":"metalctl machine update-firmware bmc","text":"the machine BMC will be updated to given revision. If revision flag is not specified an update plan will be printed instead.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/","page":"metalctl machine update-firmware bmc","title":"metalctl machine update-firmware bmc","text":"metalctl machine update-firmware bmc [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/#Options","page":"metalctl machine update-firmware bmc","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/","page":"metalctl machine update-firmware bmc","title":"metalctl machine update-firmware bmc","text":" --description string the reason why the BMC should be updated\n -h, --help help for bmc\n --revision string the BMC revision","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/#Options-inherited-from-parent-commands","page":"metalctl machine update-firmware bmc","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/","page":"metalctl machine update-firmware bmc","title":"metalctl machine update-firmware bmc","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/#SEE-ALSO","page":"metalctl machine update-firmware bmc","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bmc/","page":"metalctl machine update-firmware bmc","title":"metalctl machine update-firmware bmc","text":"metalctl machine update-firmware\t - update a machine firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_try/#metalctl-size-imageconstraint-try","page":"metalctl size imageconstraint try","title":"metalctl size imageconstraint try","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_try/","page":"metalctl size imageconstraint try","title":"metalctl size imageconstraint try","text":"try if size and image can be allocated","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_try/","page":"metalctl size imageconstraint try","title":"metalctl size imageconstraint try","text":"metalctl size imageconstraint try [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_try/#Options","page":"metalctl size imageconstraint try","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_try/","page":"metalctl size imageconstraint try","title":"metalctl size imageconstraint try","text":" -h, --help help for try\n --image string image to check if allocaltion is possible\n --size string size to check if allocaltion is possible","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_try/#Options-inherited-from-parent-commands","page":"metalctl size imageconstraint try","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_try/","page":"metalctl size imageconstraint try","title":"metalctl size imageconstraint try","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_try/#SEE-ALSO","page":"metalctl size imageconstraint try","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_try/","page":"metalctl size imageconstraint try","title":"metalctl size imageconstraint try","text":"metalctl size imageconstraint\t - manage imageconstraint entities","category":"page"},{"location":"external/metalctl/docs/metalctl_audit/#metalctl-audit","page":"metalctl audit","title":"metalctl audit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit/","page":"metalctl audit","title":"metalctl audit","text":"manage audit trace entities","category":"page"},{"location":"external/metalctl/docs/metalctl_audit/#Synopsis","page":"metalctl audit","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit/","page":"metalctl audit","title":"metalctl audit","text":"show audit traces of the api. feature must be enabled on server-side.","category":"page"},{"location":"external/metalctl/docs/metalctl_audit/#Options","page":"metalctl audit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit/","page":"metalctl audit","title":"metalctl audit","text":" -h, --help help for audit","category":"page"},{"location":"external/metalctl/docs/metalctl_audit/#Options-inherited-from-parent-commands","page":"metalctl audit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit/","page":"metalctl audit","title":"metalctl audit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_audit/#SEE-ALSO","page":"metalctl audit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit/","page":"metalctl audit","title":"metalctl audit","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl audit describe\t - describes the audit trace\nmetalctl audit list\t - list all audit traces","category":"page"},{"location":"external/metalctl/docs/metalctl_audit_list/#metalctl-audit-list","page":"metalctl audit list","title":"metalctl audit list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit_list/","page":"metalctl audit list","title":"metalctl audit list","text":"list all audit traces","category":"page"},{"location":"external/metalctl/docs/metalctl_audit_list/","page":"metalctl audit list","title":"metalctl audit list","text":"metalctl audit list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_audit_list/#Options","page":"metalctl audit list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit_list/","page":"metalctl audit list","title":"metalctl audit list","text":" --component string component of the audit trace.\n --detail string detail of the audit trace. An HTTP method, unary or stream\n --error string error of the audit trace.\n --forwarded-for string forwarded for of the audit trace.\n --from string start of range of the audit traces. e.g. 1h, 10m, 2006-01-02 15:04:05 (default \"1h\")\n -h, --help help for list\n --limit int limit the number of audit traces. (default 100)\n --path string api path of the audit trace.\n --phase string phase of the audit trace. One of [request, response, single, error, opened, closed]\n -q, --query string filters audit trace body payloads for the given text.\n --remote-addr string remote address of the audit trace.\n --request-id string request id of the audit trace.\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: path|tenant|timestamp|user\n --status-code int32 HTTP status code of the audit trace.\n --tenant string tenant of the audit trace.\n --to string end of range of the audit traces. e.g. 1h, 10m, 2006-01-02 15:04:05\n --type string type of the audit trace. One of [http, grpc, event].\n --user string user of the audit trace.","category":"page"},{"location":"external/metalctl/docs/metalctl_audit_list/#Options-inherited-from-parent-commands","page":"metalctl audit list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit_list/","page":"metalctl audit list","title":"metalctl audit list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_audit_list/#SEE-ALSO","page":"metalctl audit list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_audit_list/","page":"metalctl audit list","title":"metalctl audit list","text":"metalctl audit\t - manage audit trace entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/#metalctl-machine-power-reset","page":"metalctl machine power reset","title":"metalctl machine power reset","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/","page":"metalctl machine power reset","title":"metalctl machine power reset","text":"power reset a machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/#Synopsis","page":"metalctl machine power reset","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/","page":"metalctl machine power reset","title":"metalctl machine power reset","text":"(hard) reset the machine power.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/","page":"metalctl machine power reset","title":"metalctl machine power reset","text":"metalctl machine power reset [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/#Options","page":"metalctl machine power reset","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/","page":"metalctl machine power reset","title":"metalctl machine power reset","text":" -h, --help help for reset","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/#Options-inherited-from-parent-commands","page":"metalctl machine power reset","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/","page":"metalctl machine power reset","title":"metalctl machine power reset","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/#SEE-ALSO","page":"metalctl machine power reset","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_reset/","page":"metalctl machine power reset","title":"metalctl machine power reset","text":"metalctl machine power\t - manage machine power","category":"page"},{"location":"development/proposals/MEP3/README/#Machine-Re-Installation","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"","category":"section"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"In the current metal-api only machine installations are possible, performing a machine upgrade is only possible by creating a new machine and delete the old one. This has the drawback that in case a lot of data is stored on the local disks, a full restore of the original data must be performed.","category":"page"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"To prevent this, we will introduce a new metal-api endpoint to reinstall the machine with a new image, without actually deleting the data stored on the additional hard disks.","category":"page"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"Storage is a difficult task to get right and reliable. A short analysis of our different storage requirements lead to 3 different scenarios.","category":"page"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"Storage for the etcd pvs in the seed cluster of every partition. This is the most important storage in our setup because these etcd pods serve as configuration backend for all customer kubernetes clusters. If they fail, the cluster is down. However gardener deploys a backup and restore sidecar into the etcd pod of every customer kubernetes control plane, and if this sidecar detects a corrupt or missing etcd database file(s) it starts automatic restore from the configured backup location. This will take some minutes. If for example a node dies, and gardener creates a new node instead, the csi-lvm created pv is not present on that node. Kubernetes will not schedule the missing etcd pod on this node because it has a local PV configured and is therefore tainted to run only on that node. To let kubernetes create that pod anyhow, someone has to either remove the taint, or delete the pod. If this is done, the pod starts and the restore of the etcd data can start as well. You can see this is a bit too complicated and will take the customer cluster down for a while (not measured yet but in the range of 5-10 minutes).\nStorage in customer clusters. This was not promised in 2020. We have a intermediate solution with the provisioning of csi-lvm by default into all customer clusters. Albeit this is only local storage and will get deleted if a node dies.\nS3 Storage. We have two possibilities to cope with storage:\nIn place update of the OS with a daemonset This will be fast and simple, but might fail because the packages being installed are broken right now, or a filesystem gets full, or any other failure you can think of during a os update. Another drawback is that metal-api does not reflect the updated os image.\nmetal-api get a machine reinstall endpoint With this approach we leverage from existing and already proven mechanisms. Reinstall must keep all data except the sata-dom. Gardener currently is not able to do an update with this approach because it can only do rolling updates. Therefore a additional osupdatestrategy has to be implemented for metal and other providers in gardener to be able to leverage the metal reinstall on the same machineID approach.","category":"page"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"If reinstall is implemented, we should focus on the same technology for all scenarios and put ceph via rook.io into the kubernetes clusters as additional StorageClass. It has to be checked whether to use the raw disk or a PV as the underlay block device where ceph stores its data.","category":"page"},{"location":"development/proposals/MEP3/README/#API-and-behavior","page":"Machine Re-Installation","title":"API and behavior","text":"","category":"section"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"The API will get an new endpoint \"reinstall\" this endpoint takes two arguments:","category":"page"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"machineID\nimage","category":"page"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"No other aspects of the machine can be modified during the re-installation. All data stored in the existing allocation will be preserved, only the image will be modified. Once this endpoint was called, the machine will get a reboot signal with the boot order set to PXE instead of HDD and the network interfaces on the leaf are set to PXE as well. Then the normal installation process starts:","category":"page"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"unchanged: PXE boot with metal-hammer\nchanged: metal-hammer first checks with the machineID in the metal-api (through metal-core) if there is already a allocation present\nchanged: if a allocation is present and the allocation has set reinstall: true, wipe disk is only executed for the root disk, all other disks are untouched.\nunchanged: the specified image is downloaded and burned, /install.sh is executed\nunchanged: successful installation is reported back, network is set the the vrf, boot order is set to HDD.\nunchanged: distribution kernel is booted via kexec","category":"page"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"We can see that the allocation requires one additional parameter: reinstall and metal-hammer must check for already existing allocation at an earlier stage.","category":"page"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"Components which requires modifications (first guess):","category":"page"},{"location":"development/proposals/MEP3/README/","page":"Machine Re-Installation","title":"Machine Re-Installation","text":"metal-hammer:\ncheck for allocation present earlier\nevaluation of reinstall flag set\nwipe of disks depends on that flag\nBonus: move configuration of disk layout and primary disk detection algorithm (PDDA) from metal-hammer into metal-api. metal-api MUST reject reinstallation if the disk found by PDDA does not have the /etc/metal directory!\nmetal-core:\nprobably nothing\nmetal-api:\nnew endpoint /machine/reinstall\nadd Reinstall bool to data model of allocation\nmake sure to reset Reinstall after reinstallation to prevent endless reinstallation loop\nmetalctl:\nimplement reinstall\nmetal-go:\nimplement reinstall\ngardener (longterm):\nadd the OSUpgradeStrategy reinstall","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_create/#metalctl-machine-create","page":"metalctl machine create","title":"metalctl machine create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_create/","page":"metalctl machine create","title":"metalctl machine create","text":"creates the machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_create/","page":"metalctl machine create","title":"metalctl machine create","text":"metalctl machine create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_create/#Examples","page":"metalctl machine create","title":"Examples","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_create/","page":"metalctl machine create","title":"metalctl machine create","text":"machine create can be done in two different ways:\n\n- default with automatic allocation:\n\n\tmetalctl machine create \\\n\t\t--hostname worker01 \\\n\t\t--name worker \\\n\t\t--image ubuntu-18.04 \\ # query available with: metalctl image list\n\t\t--size t1-small-x86 \\ # query available with: metalctl size list\n\t\t--partition test \\ # query available with: metalctl partition list\n\t\t--project cluster01 \\\n\t\t--sshpublickey \"@~/.ssh/id_rsa.pub\"\n\n- for metal administration with reserved machines:\n\n\treserve a machine you want to allocate:\n\n\tmetalctl machine reserve 00000000-0000-0000-0000-0cc47ae54694 --description \"blocked for maintenance\"\n\n\tallocate this machine:\n\n\tmetalctl machine create \\\n\t\t--hostname worker01 \\\n\t\t--name worker \\\n\t\t--image ubuntu-18.04 \\ # query available with: metalctl image list\n\t\t--project cluster01 \\\n\t\t--sshpublickey \"@~/.ssh/id_rsa.pub\" \\\n\t\t--id 00000000-0000-0000-0000-0cc47ae54694\n\nafter you do not want to use this machine exclusive, remove the reservation:\n\nmetalctl machine reserve 00000000-0000-0000-0000-0cc47ae54694 --remove\n\nOnce created the machine installation can not be modified anymore.\n","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_create/#Options","page":"metalctl machine create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_create/","page":"metalctl machine create","title":"metalctl machine create","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -d, --description string Description of the machine to create. [optional]\n --dnsservers strings dns servers to add to the machine or firewall. [optional]\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl machine describe machine-1 -o yaml > machine.yaml\n $ vi machine.yaml\n $ # either via stdin\n $ cat machine.yaml | metalctl machine create -f -\n $ # or via file\n $ metalctl machine create -f machine.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n --filesystemlayout string Filesystemlayout to use during machine installation. [optional]\n -h, --help help for create\n -H, --hostname string Hostname of the machine. [required]\n -I, --id string ID of a specific machine to allocate, if given, size and partition are ignored. Need to be set to reserved (--reserve) state before.\n -i, --image string OS Image to install. [required]\n --ips strings Sets the machine's IP address. Usage: [--ips[=IPV4-ADDRESS[,IPV4-ADDRESS]...]]...\n IPV4-ADDRESS specifies the IPv4 address to add.\n It can only be used in conjunction with --networks.\n -n, --name string Name of the machine. [optional]\n --networks strings Adds a network. Usage: [--networks NETWORK[:MODE][,NETWORK[:MODE]]...]...\n NETWORK specifies the name or id of an existing network.\n MODE cane be omitted or one of:\n \tauto\tIP address is automatically acquired from the given network\n \tnoauto\tIP address for the given network must be provided via --ips\n --ntpservers strings ntp servers to add to the machine or firewall. [optional]\n -S, --partition string partition/datacenter where the machine is created. [required, except for reserved machines]\n -P, --project string Project where the machine should belong to. [required]\n -s, --size string Size of the machine. [required, except for reserved machines]\n --skip-security-prompts skips security prompt for bulk operations\n -p, --sshpublickey string SSH public key for access via ssh and console. [optional]\n Can be either the public key as string, or pointing to the public key file to use e.g.: \"@~/.ssh/id_rsa.pub\".\n If ~/.ssh/[id_ed25519.pub | id_rsa.pub | id_dsa.pub] is present it will be picked as default, matching the first one in this order.\n --tags strings tags to add to the machine, use it like: --tags \"tag1,tag2\" or --tags \"tag3\".\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations\n --userdata string cloud-init.io compatible userdata. [optional]\n Can be either the userdata as string, or pointing to the userdata file to use e.g.: \"@/tmp/userdata.cfg\".","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_create/#Options-inherited-from-parent-commands","page":"metalctl machine create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_create/","page":"metalctl machine create","title":"metalctl machine create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_create/#SEE-ALSO","page":"metalctl machine create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_create/","page":"metalctl machine create","title":"metalctl machine create","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"installation/monitoring/#Monitoring-the-metal-stack","page":"Monitoring","title":"Monitoring the metal-stack","text":"","category":"section"},{"location":"installation/monitoring/#Overview","page":"Monitoring","title":"Overview","text":"","category":"section"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"(Image: Monitoring Stack)","category":"page"},{"location":"installation/monitoring/#Logging","page":"Monitoring","title":"Logging","text":"","category":"section"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"Logs are being collected by Promtail and pushed to a Loki instance running in the control plane. Loki is deployed in monolithic mode and with storage type 'filesystem'. You can find all logging related configuration parameters for the control plane in the control plane's logging role.","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"In the partitions, Promtail is deployed inside a systemd-managed Docker container. Configuration parameters can be found in the partition's promtail role. Which hosts Promtail collects from can be configured via the prometheus_promtail_targets variable.","category":"page"},{"location":"installation/monitoring/#Monitoring","page":"Monitoring","title":"Monitoring","text":"","category":"section"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"For monitoring we deploy the kube-prometheus-stack and a Thanos instance in the control plane. Metrics for the control plane are supplied by","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"metal-metrics-exporter\nrethindb-exporter\nevent-exporter\ngardener-metrics-exporter","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"To query and visualize logs, metrics and alerts we deploy several grafana dashboards to the control plane:","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"grafana-dashboard-alertmanager\ngrafana-dashboard-machine-capacity\ngrafana-dashboard-metal-api\ngrafana-dashboard-rethinkdb\ngrafana-dashboard-sonic-exporter","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"and also some gardener related dashboards:","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"grafana-dashboard-gardener-overview\ngrafana-dashboard-shoot-cluster\ngrafana-dashboard-shoot-customizations\ngrafana-dashboard-shoot-details\ngrafana-dashboard-shoot-states","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"The following ServiceMonitors are also deployed:","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"gardener-metrics-exporter\nipam-db\nmasterdata-api\nmasterdata-db\nmetal-api\nmetal-db\nrethinkdb-exporter\nmetal-metrics-exporter","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"All monitoring related configuration parameters for the control plane can be found in the control plane's monitoring role.","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"Partition metrics are supplied by","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"node-exporter\nblackbox-exporter\nipmi-exporter\nsonic-exporter\nmetal-core\nfrr-exporter","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"and scraped by Prometheus. For each of these exporters, the target hosts can be defined by","category":"page"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"prometheus_node_exporter_targets\nprometheus_blackbox_exporter_targets\nprometheus_frr_exporter_targets\nprometheus_sonic_exporter_targets\nprometheus_metal_core_targets\nprometheus_frr_exporter_targets","category":"page"},{"location":"installation/monitoring/#Alerting","page":"Monitoring","title":"Alerting","text":"","category":"section"},{"location":"installation/monitoring/","page":"Monitoring","title":"Monitoring","text":"In addition to Grafana, alerts can optionally be sent to a Slack channel. For this to work, at least a valid monitoring_slack_api_url and a monitoring_slack_notification_channel must be specified. For further configuration parameters refer to the monitoring role. Alerting rules are defined in the rules directory of the partition's prometheus role.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reserve/#metalctl-machine-reserve","page":"metalctl machine reserve","title":"metalctl machine reserve","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_reserve/","page":"metalctl machine reserve","title":"metalctl machine reserve","text":"reserve a machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reserve/#Synopsis","page":"metalctl machine reserve","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_reserve/","page":"metalctl machine reserve","title":"metalctl machine reserve","text":"reserve a machine for exclusive usage, this machine will no longer be picked by other allocations. This is useful for maintenance of the machine or testing. After the reservation is not needed anymore, the reservation should be removed with –remove.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reserve/","page":"metalctl machine reserve","title":"metalctl machine reserve","text":"metalctl machine reserve [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reserve/#Options","page":"metalctl machine reserve","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_reserve/","page":"metalctl machine reserve","title":"metalctl machine reserve","text":" -d, --description string description of the reason for the reservation.\n -h, --help help for reserve\n -r, --remove remove the reservation.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reserve/#Options-inherited-from-parent-commands","page":"metalctl machine reserve","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_reserve/","page":"metalctl machine reserve","title":"metalctl machine reserve","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reserve/#SEE-ALSO","page":"metalctl machine reserve","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_reserve/","page":"metalctl machine reserve","title":"metalctl machine reserve","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/#metalctl-completion-bash","page":"metalctl completion bash","title":"metalctl completion bash","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"Generate the autocompletion script for bash","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/#Synopsis","page":"metalctl completion bash","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"Generate the autocompletion script for the bash shell.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"This script depends on the 'bash-completion' package. If it is not installed already, you can install it via your OS's package manager.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"To load completions in your current shell session:","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"source <(metalctl completion bash)","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"To load completions for every new session, execute once:","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/#Linux:","page":"metalctl completion bash","title":"Linux:","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"metalctl completion bash > /etc/bash_completion.d/metalctl","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/#macOS:","page":"metalctl completion bash","title":"macOS:","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"metalctl completion bash > $(brew --prefix)/etc/bash_completion.d/metalctl","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"You will need to start a new shell for this setup to take effect.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"metalctl completion bash","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/#Options","page":"metalctl completion bash","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":" -h, --help help for bash\n --no-descriptions disable completion descriptions","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/#Options-inherited-from-parent-commands","page":"metalctl completion bash","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_bash/#SEE-ALSO","page":"metalctl completion bash","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_bash/","page":"metalctl completion bash","title":"metalctl completion bash","text":"metalctl completion\t - Generate the autocompletion script for the specified shell","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_on/#metalctl-machine-power-on","page":"metalctl machine power on","title":"metalctl machine power on","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_on/","page":"metalctl machine power on","title":"metalctl machine power on","text":"power on a machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_on/#Synopsis","page":"metalctl machine power on","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_on/","page":"metalctl machine power on","title":"metalctl machine power on","text":"set the machine to power on state, if the machine already was on nothing happens.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_on/","page":"metalctl machine power on","title":"metalctl machine power on","text":"metalctl machine power on [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_on/#Options","page":"metalctl machine power on","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_on/","page":"metalctl machine power on","title":"metalctl machine power on","text":" -h, --help help for on","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_on/#Options-inherited-from-parent-commands","page":"metalctl machine power on","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_on/","page":"metalctl machine power on","title":"metalctl machine power on","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_on/#SEE-ALSO","page":"metalctl machine power on","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_on/","page":"metalctl machine power on","title":"metalctl machine power on","text":"metalctl machine power\t - manage machine power","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware/#metalctl-firmware","page":"metalctl firmware","title":"metalctl firmware","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware/","page":"metalctl firmware","title":"metalctl firmware","text":"manage firmwares","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware/#Synopsis","page":"metalctl firmware","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware/","page":"metalctl firmware","title":"metalctl firmware","text":"list, upload and remove firmwares.","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware/#Options","page":"metalctl firmware","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware/","page":"metalctl firmware","title":"metalctl firmware","text":" -h, --help help for firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware/#Options-inherited-from-parent-commands","page":"metalctl firmware","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware/","page":"metalctl firmware","title":"metalctl firmware","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware/#SEE-ALSO","page":"metalctl firmware","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware/","page":"metalctl firmware","title":"metalctl firmware","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl firmware delete\t - delete a firmware\nmetalctl firmware list\t - list firmwares\nmetalctl firmware upload\t - upload a firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_edit/#metalctl-filesystemlayout-edit","page":"metalctl filesystemlayout edit","title":"metalctl filesystemlayout edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_edit/","page":"metalctl filesystemlayout edit","title":"metalctl filesystemlayout edit","text":"edit the filesystemlayout through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_edit/","page":"metalctl filesystemlayout edit","title":"metalctl filesystemlayout edit","text":"metalctl filesystemlayout edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_edit/#Options","page":"metalctl filesystemlayout edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_edit/","page":"metalctl filesystemlayout edit","title":"metalctl filesystemlayout edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_edit/#Options-inherited-from-parent-commands","page":"metalctl filesystemlayout edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_edit/","page":"metalctl filesystemlayout edit","title":"metalctl filesystemlayout edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_edit/#SEE-ALSO","page":"metalctl filesystemlayout edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_edit/","page":"metalctl filesystemlayout edit","title":"metalctl filesystemlayout edit","text":"metalctl filesystemlayout\t - manage filesystemlayout entities","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_delete/#metalctl-firmware-delete","page":"metalctl firmware delete","title":"metalctl firmware delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_delete/","page":"metalctl firmware delete","title":"metalctl firmware delete","text":"delete a firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_delete/#Synopsis","page":"metalctl firmware delete","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_delete/","page":"metalctl firmware delete","title":"metalctl firmware delete","text":"deletes the specified firmware.","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_delete/","page":"metalctl firmware delete","title":"metalctl firmware delete","text":"metalctl firmware delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_delete/#Options","page":"metalctl firmware delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_delete/","page":"metalctl firmware delete","title":"metalctl firmware delete","text":" --board string the board type (required)\n -h, --help help for delete\n --kind string the firmware kind [bmc|bios] (required)\n --revision string the firmware revision (required)\n --vendor string the vendor (required)","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_delete/#Options-inherited-from-parent-commands","page":"metalctl firmware delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_delete/","page":"metalctl firmware delete","title":"metalctl firmware delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_delete/#SEE-ALSO","page":"metalctl firmware delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_delete/","page":"metalctl firmware delete","title":"metalctl firmware delete","text":"metalctl firmware\t - manage firmwares","category":"page"},{"location":"overview/gpu-support/#GPU-Support","page":"GPU Support","title":"GPU Support","text":"","category":"section"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"Pages = [\"gpu-support.md\"]\nDepth = 5","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"For workloads which require the assistance of GPUs, support for GPUs in bare metal servers was added to metal-stack.io v0.18.0.","category":"page"},{"location":"overview/gpu-support/#GPU-Operator-installation","page":"GPU Support","title":"GPU Operator installation","text":"","category":"section"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"With the nvidia image a worker has basic GPU support. This means that the required kernel driver, the containerd shim and the required containerd configuration are already installed and configured.","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"To enable Pods that require GPU support to be scheduled on a worker node with a GPU, a `gpu-operator' must be installed. This has to be done by the cluster owner after the cluster is up and running.","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"The simplest way to install this operator is as follows:","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"helm repo add nvidia https://helm.ngc.nvidia.com/nvidia\nhelm repo update\n\nkubectl create ns gpu-operator\nkubectl label --overwrite ns gpu-operator pod-security.kubernetes.io/enforce=privileged\n\nhelm install --wait \\\n --generate-name \\\n --namespace gpu-operator \\\n --create-namespace \\\n nvidia/gpu-operator \\\n --set driver.enabled=false \\\n --set toolkit.enabled=false","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"After that kubectl describe node must show the gpu in the capacity like so:","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"...\nCapacity:\n cpu: 64\n ephemeral-storage: 100205640Ki\n hugepages-1Gi: 0\n hugepages-2Mi: 0\n memory: 263802860Ki\n nvidia.com/gpu: 1\n pods: 510\n...","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"With this basic installation, the worker node is ready to process GPU workloads.","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"warning: Warning\nHowever, there is a caveat - only one 'Pod' can access the GPU. If this is all you need, no additional configuration is required. On the other hand, if you are planning to deploy multiple applications that require GPU support, and there are not that many GPUs available, you will need to configure the gpu-operator to allow the GPU to be shared between multiple Pods.","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"There are several approaches to sharing GPUs, please consult the official Nvidia documentation for further reference.","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"https://developer.nvidia.com/blog/improving-gpu-utilization-in-kubernetes https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/gpu-operator-mig.html https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/gpu-sharing.html","category":"page"},{"location":"overview/gpu-support/","page":"GPU Support","title":"GPU Support","text":"With this, happy AI processing.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_powershell/#metalctl-completion-powershell","page":"metalctl completion powershell","title":"metalctl completion powershell","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_powershell/","page":"metalctl completion powershell","title":"metalctl completion powershell","text":"Generate the autocompletion script for powershell","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_powershell/#Synopsis","page":"metalctl completion powershell","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_powershell/","page":"metalctl completion powershell","title":"metalctl completion powershell","text":"Generate the autocompletion script for powershell.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_powershell/","page":"metalctl completion powershell","title":"metalctl completion powershell","text":"To load completions in your current shell session:","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_powershell/","page":"metalctl completion powershell","title":"metalctl completion powershell","text":"metalctl completion powershell | Out-String | Invoke-Expression","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_powershell/","page":"metalctl completion powershell","title":"metalctl completion powershell","text":"To load completions for every new session, add the output of the above command to your powershell profile.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_powershell/","page":"metalctl completion powershell","title":"metalctl completion powershell","text":"metalctl completion powershell [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_powershell/#Options","page":"metalctl completion powershell","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_powershell/","page":"metalctl completion powershell","title":"metalctl completion powershell","text":" -h, --help help for powershell\n --no-descriptions disable completion descriptions","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_powershell/#Options-inherited-from-parent-commands","page":"metalctl completion powershell","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_powershell/","page":"metalctl completion powershell","title":"metalctl completion powershell","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_powershell/#SEE-ALSO","page":"metalctl completion powershell","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_powershell/","page":"metalctl completion powershell","title":"metalctl completion powershell","text":"metalctl completion\t - Generate the autocompletion script for the specified shell","category":"page"},{"location":"external/metalctl/docs/metalctl_size_list/#metalctl-size-list","page":"metalctl size list","title":"metalctl size list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_list/","page":"metalctl size list","title":"metalctl size list","text":"list all sizes","category":"page"},{"location":"external/metalctl/docs/metalctl_size_list/","page":"metalctl size list","title":"metalctl size list","text":"metalctl size list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_list/#Options","page":"metalctl size list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_list/","page":"metalctl size list","title":"metalctl size list","text":" -h, --help help for list\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: description|id|name","category":"page"},{"location":"external/metalctl/docs/metalctl_size_list/#Options-inherited-from-parent-commands","page":"metalctl size list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_list/","page":"metalctl size list","title":"metalctl size list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_list/#SEE-ALSO","page":"metalctl size list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_list/","page":"metalctl size list","title":"metalctl size list","text":"metalctl size\t - manage size entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint/#metalctl-size-imageconstraint","page":"metalctl size imageconstraint","title":"metalctl size imageconstraint","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint/","page":"metalctl size imageconstraint","title":"metalctl size imageconstraint","text":"manage imageconstraint entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint/#Synopsis","page":"metalctl size imageconstraint","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint/","page":"metalctl size imageconstraint","title":"metalctl size imageconstraint","text":"if a size has specific requirements regarding the images which must fulfill certain constraints, this can be configured here.","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint/#Options","page":"metalctl size imageconstraint","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint/","page":"metalctl size imageconstraint","title":"metalctl size imageconstraint","text":" -h, --help help for imageconstraint","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint/#Options-inherited-from-parent-commands","page":"metalctl size imageconstraint","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint/","page":"metalctl size imageconstraint","title":"metalctl size imageconstraint","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint/#SEE-ALSO","page":"metalctl size imageconstraint","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint/","page":"metalctl size imageconstraint","title":"metalctl size imageconstraint","text":"metalctl size\t - manage size entities\nmetalctl size imageconstraint apply\t - applies one or more imageconstraints from a given file\nmetalctl size imageconstraint create\t - creates the imageconstraint\nmetalctl size imageconstraint delete\t - deletes the imageconstraint\nmetalctl size imageconstraint describe\t - describes the imageconstraint\nmetalctl size imageconstraint edit\t - edit the imageconstraint through an editor and update\nmetalctl size imageconstraint list\t - list all imageconstraints\nmetalctl size imageconstraint try\t - try if size and image can be allocated\nmetalctl size imageconstraint update\t - updates the imageconstraint","category":"page"},{"location":"external/metalctl/docs/metalctl_size/#metalctl-size","page":"metalctl size","title":"metalctl size","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size/","page":"metalctl size","title":"metalctl size","text":"manage size entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size/#Synopsis","page":"metalctl size","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size/","page":"metalctl size","title":"metalctl size","text":"a size matches a machine in terms of cpu cores, ram and storage.","category":"page"},{"location":"external/metalctl/docs/metalctl_size/#Options","page":"metalctl size","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size/","page":"metalctl size","title":"metalctl size","text":" -h, --help help for size","category":"page"},{"location":"external/metalctl/docs/metalctl_size/#Options-inherited-from-parent-commands","page":"metalctl size","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size/","page":"metalctl size","title":"metalctl size","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size/#SEE-ALSO","page":"metalctl size","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size/","page":"metalctl size","title":"metalctl size","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl size apply\t - applies one or more sizes from a given file\nmetalctl size create\t - creates the size\nmetalctl size delete\t - deletes the size\nmetalctl size describe\t - describes the size\nmetalctl size edit\t - edit the size through an editor and update\nmetalctl size imageconstraint\t - manage imageconstraint entities\nmetalctl size list\t - list all sizes\nmetalctl size reservation\t - manage reservation entities\nmetalctl size suggest\t - suggest size from a given machine id\nmetalctl size update\t - updates the size","category":"page"},{"location":"overview/os/#Operating-Systems","page":"Operating Systems","title":"Operating Systems","text":"","category":"section"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"Our operating system images are built on regular basis from the metal-images repository.","category":"page"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"All images are hosted on GKE at images.metal-stack.io. Feel free to use this as a mirror for your metal-stack partitions if you want. The metal-stack developers continuously have an eye on the supported images. They are updated regularly and scanned for vulnerabilities.","category":"page"},{"location":"overview/os/#Supported-OS-Images","page":"Operating Systems","title":"Supported OS Images","text":"","category":"section"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"The operating system images that we build are trimmed down to their bare essentials for serving as Kubernetes worker nodes. Small image sizes make machine provisioning blazingly fast.","category":"page"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"The supported images for worker nodes currently are:","category":"page"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"Platform Distribution Version\nLinux Debian 11\nLinux Ubuntu 22.04","category":"page"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"The supported images for firewalls are:","category":"page"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"Platform Distribution Version Based On\nLinux Ubuntu 3 22.04","category":"page"},{"location":"overview/os/#Building-Your-Own-Images","page":"Operating Systems","title":"Building Your Own Images","text":"","category":"section"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"It is fully possible to build your own operating system images and provide them through the metal-stack.","category":"page"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"There are some conventions though that you need to follow in order to make your image installable through the metal-hammer. You should understand the machine provisioning sequence before starting to write your own images.","category":"page"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"Images need to be compressed to a tarball using the lz4 compression algorithm\nAn md5 checksum file with the same name as the image archive needs to be provided in the download path along with the actual os image\nA packages.txt containing the packages contained in the OS image should be provided in the download path (not strictly required)\nConsider semantic image versioning, which we use in our algorithms to select latest images (e.g. os-major.minor.patch ➡️ ubuntu-19.10.20191018)\nConsider installing packages used by the metal-stack infrastructure\nFRR to enable routing-to-the-host in our network topology\ngo-lldpd to enable checking if the machine is still alive after user allocation\nignition for enabling users to run user-specific initialization instructions before bootup. It's pretty small in size, which is why we use it. However, you are free to use other cloud instance initialization tools if you want to.\nYou have to provide an install.sh script, which applies user-specific configuration in the installed image\nThis script should consume parameters from the install.yaml file that the metal-hammer writes to /etc/metal/install.yaml\nPlease check this contract between image and the metal-hammer here\nFor the time being, your image must be able to support kexec into the new operating system kernel, the kexec command is issued by the metal-hammer after running the install.sh. We do this because kexec is much faster than rebooting a machine.\nWe recommend building images from Dockerfiles as it is done in metal-images repository.","category":"page"},{"location":"overview/os/","page":"Operating Systems","title":"Operating Systems","text":"info: Info\nBuilding own operating system images is an advanced topic. When you have just started with metal-stack, we recommend using the public operating system images first.","category":"page"},{"location":"external/metalctl/README/#metalctl","page":"metalctl","title":"metalctl","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"metalctl is the command line client to access the metal-api.","category":"page"},{"location":"external/metalctl/README/#Installation","page":"metalctl","title":"Installation","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"Download locations:","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"metalctl-linux-amd64\nmetalctl-darwin-amd64\nmetalctl-darwin-arm64\nmetalctl-windows-amd64","category":"page"},{"location":"external/metalctl/README/#Installation-on-Linux","page":"metalctl","title":"Installation on Linux","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"curl -LO https://github.com/metal-stack/metalctl/releases/latest/download/metalctl-linux-amd64\nchmod +x metalctl-linux-amd64\nsudo mv metalctl-linux-amd64 /usr/local/bin/metalctl","category":"page"},{"location":"external/metalctl/README/#Installation-on-MacOS","page":"metalctl","title":"Installation on MacOS","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"For x86 based Macs:","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"curl -LO https://github.com/metal-stack/metalctl/releases/latest/download/metalctl-darwin-amd64\nchmod +x metalctl-darwin-amd64\nsudo mv metalctl-darwin-amd64 /usr/local/bin/metalctl","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"For Apple Silicon (M1) based Macs:","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"curl -LO https://github.com/metal-stack/metalctl/releases/latest/download/metalctl-darwin-arm64\nchmod +x metalctl-darwin-arm64\nsudo mv metalctl-darwin-arm64 /usr/local/bin/metalctl","category":"page"},{"location":"external/metalctl/README/#Installation-on-Windows","page":"metalctl","title":"Installation on Windows","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"curl -LO https://github.com/metal-stack/metalctl/releases/latest/download/metalctl-windows-amd64\ncopy metalctl-windows-amd64 metalctl.exe","category":"page"},{"location":"external/metalctl/README/#metalctl-update","page":"metalctl","title":"metalctl update","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"In order to keep your local metalctl installation up to date, you can update the binary like this:","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"metalctl update check\nlatest version:v0.8.3 from:2020-08-13T11:55:14Z\nlocal version:v0.8.2 from:2020-08-12T09:27:39Z\nmetalctl is not up to date\n\nmetalctl update do\n# a download with progress bar starts and replaces the binary. If the binary has root permissions please execute\nsudo metalctl update do\n# instead","category":"page"},{"location":"external/metalctl/README/#Built-from-project","page":"metalctl","title":"Built from project","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"make\nsudo ln -sf $(pwd)/bin/metalctl /usr/local/bin/metalctl","category":"page"},{"location":"external/metalctl/README/#Configuration","page":"metalctl","title":"Configuration","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"Set up auto-completion for metalctl, e.g. add to your ~/.bashrc:","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"source <(metalctl completion bash)","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"Set up metalctl config, by first creating the config folder (mkdir -p ~/.metalctl), then set the values according to your installation in ~/.metalctl/config.yaml:","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"---\ncurrent: prod\ncontexts:\n prod:\n url: https://api.metal-stack.io/metal\n issuer_url: https://dex.metal-stack.io/dex\n client_id: metal_client\n client_secret: 456\n hmac: YOUR_HMAC","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"Optional you can specify issuer_type: generic if you use other issuers as Dex, e.g. Keycloak (this will request scopes openid,profile,email):","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"contexts:\n prod:\n url: https://api.metal-stack.io/metal\n issuer_url: https://keycloak.somedomain.io\n issuer_type: generic\n client_id: my-client-id\n client_secret: my-secret","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"If you must specify special scopes for your issuer, you can use custom_scopes:","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"contexts:\n prod:\n url: https://api.metal-stack.io/metal\n issuer_url: https://keycloak.somedomain.io\n custom_scopes: roles,openid,profile,email\n client_id: my-client-id\n client_secret: my-secret","category":"page"},{"location":"external/metalctl/README/#Available-commands","page":"metalctl","title":"Available commands","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"Full documentation is generated out of the cobra command implementation with:","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"metalctl markdown","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"generated markdown is here and here","category":"page"},{"location":"external/metalctl/README/#Development","page":"metalctl","title":"Development","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"For MacOS users, running the tests might throw an error because tests are utilizing go-mpatch in order to manipulate the time.Now function. The patch allows testing with fixed timestamps.","category":"page"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"Instead, MacOS users can utilize the make test-in-docker target to execute the tests.","category":"page"},{"location":"external/metalctl/README/#Page-Tree","page":"metalctl","title":"Page Tree","text":"","category":"section"},{"location":"external/metalctl/README/","page":"metalctl","title":"metalctl","text":"Pages = vcat([[joinpath(root, file)[length(@__DIR__)+2:end] for file in files] for (root, dirs, files) in walkdir(@__DIR__)]...)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip/#metalctl-network-ip","page":"metalctl network ip","title":"metalctl network ip","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip/","page":"metalctl network ip","title":"metalctl network ip","text":"manage ip entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip/#Synopsis","page":"metalctl network ip","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip/","page":"metalctl network ip","title":"metalctl network ip","text":"an ip address can be attached to a machine or firewall such that network traffic can be routed to these servers.","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip/#Options","page":"metalctl network ip","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip/","page":"metalctl network ip","title":"metalctl network ip","text":" -h, --help help for ip","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip/#Options-inherited-from-parent-commands","page":"metalctl network ip","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip/","page":"metalctl network ip","title":"metalctl network ip","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip/#SEE-ALSO","page":"metalctl network ip","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip/","page":"metalctl network ip","title":"metalctl network ip","text":"metalctl network\t - manage network entities\nmetalctl network ip apply\t - applies one or more ips from a given file\nmetalctl network ip create\t - creates the ip\nmetalctl network ip delete\t - deletes the ip\nmetalctl network ip describe\t - describes the ip\nmetalctl network ip edit\t - edit the ip through an editor and update\nmetalctl network ip issues\t - display ips which are in a potential bad state\nmetalctl network ip list\t - list all ips\nmetalctl network ip update\t - updates the ip","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_create/#metalctl-firewall-create","page":"metalctl firewall create","title":"metalctl firewall create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_create/","page":"metalctl firewall create","title":"metalctl firewall create","text":"creates the firewall","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_create/","page":"metalctl firewall create","title":"metalctl firewall create","text":"metalctl firewall create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_create/#Options","page":"metalctl firewall create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_create/","page":"metalctl firewall create","title":"metalctl firewall create","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -d, --description string Description of the firewall to create. [optional]\n --dnsservers strings dns servers to add to the machine or firewall. [optional]\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl firewall describe firewall-1 -o yaml > firewall.yaml\n $ vi firewall.yaml\n $ # either via stdin\n $ cat firewall.yaml | metalctl firewall create -f -\n $ # or via file\n $ metalctl firewall create -f firewall.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n --filesystemlayout string Filesystemlayout to use during machine installation. [optional]\n --firewall-rules-file string firewall rules specified in a yaml file\n \n Example:\n \n $ metalctl firewall create ..mandatory args.. --firewall-rules-file rules.yaml\n \n rules.yaml\n ---\n egress:\n - comment: allow outgoing https\n ports:\n - 443\n protocol: TCP\n to:\n - 0.0.0.0/0\n - comment: allow outgoing dns via tcp\n ports:\n - 53\n protocol: TCP\n to:\n - 0.0.0.0/0\n - comment: allow outgoing dns and ntp via udp\n ports:\n - 53\n - 123\n protocol: UDP\n to:\n - 0.0.0.0/0\n ingress:\n - comment: allow incoming ssh only to one ip\n ports:\n - 22\n protocol: TCP\n from:\n - 0.0.0.0/0\n - 1.2.3.4/32\n to:\n - 212.34.83.19/32\n - comment: allow incoming https to all targets\n ports:\n - 80\n - 433\n protocol: TCP\n from:\n - 0.0.0.0/0\n \n \n -h, --help help for create\n -H, --hostname string Hostname of the firewall. [required]\n -I, --id string ID of a specific firewall to allocate, if given, size and partition are ignored. Need to be set to reserved (--reserve) state before.\n -i, --image string OS Image to install. [required]\n --ips strings Sets the firewall's IP address. Usage: [--ips[=IPV4-ADDRESS[,IPV4-ADDRESS]...]]...\n IPV4-ADDRESS specifies the IPv4 address to add.\n It can only be used in conjunction with --networks.\n -n, --name string Name of the firewall. [optional]\n --networks strings Adds network(s). Usage: --networks NETWORK[:MODE][,NETWORK[:MODE]]... [--networks NETWORK[:MODE][,\n NETWORK[:MODE]]...]...\n NETWORK specifies the id of an existing network.\n MODE can be omitted or one of:\n \tauto\tIP address is automatically acquired from the given network\n \tnoauto\tNo automatic IP address acquisition\n --ntpservers strings ntp servers to add to the machine or firewall. [optional]\n -S, --partition string partition/datacenter where the firewall is created. [required, except for reserved machines]\n -P, --project string Project where the firewall should belong to. [required]\n -s, --size string Size of the firewall. [required, except for reserved machines]\n --skip-security-prompts skips security prompt for bulk operations\n -p, --sshpublickey string SSH public key for access via ssh and console. [optional]\n Can be either the public key as string, or pointing to the public key file to use e.g.: \"@~/.ssh/id_rsa.pub\".\n If ~/.ssh/[id_ed25519.pub | id_rsa.pub | id_dsa.pub] is present it will be picked as default, matching the first one in this order.\n --tags strings tags to add to the firewall, use it like: --tags \"tag1,tag2\" or --tags \"tag3\".\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations\n --userdata string cloud-init.io compatible userdata. [optional]\n Can be either the userdata as string, or pointing to the userdata file to use e.g.: \"@/tmp/userdata.cfg\".","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_create/#Options-inherited-from-parent-commands","page":"metalctl firewall create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_create/","page":"metalctl firewall create","title":"metalctl firewall create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_create/#SEE-ALSO","page":"metalctl firewall create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_create/","page":"metalctl firewall create","title":"metalctl firewall create","text":"metalctl firewall\t - manage firewall entities","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_match/#metalctl-filesystemlayout-match","page":"metalctl filesystemlayout match","title":"metalctl filesystemlayout match","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_match/","page":"metalctl filesystemlayout match","title":"metalctl filesystemlayout match","text":"check if a machine satisfies all disk requirements of a given filesystemlayout","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_match/","page":"metalctl filesystemlayout match","title":"metalctl filesystemlayout match","text":"metalctl filesystemlayout match [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_match/#Options","page":"metalctl filesystemlayout match","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_match/","page":"metalctl filesystemlayout match","title":"metalctl filesystemlayout match","text":" --filesystemlayout string filesystemlayout id to check against [required]\n -h, --help help for match\n --machine string machine id to check for match [required]","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_match/#Options-inherited-from-parent-commands","page":"metalctl filesystemlayout match","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_match/","page":"metalctl filesystemlayout match","title":"metalctl filesystemlayout match","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_match/#SEE-ALSO","page":"metalctl filesystemlayout match","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_match/","page":"metalctl filesystemlayout match","title":"metalctl filesystemlayout match","text":"metalctl filesystemlayout\t - manage filesystemlayout entities","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_delete/#metalctl-filesystemlayout-delete","page":"metalctl filesystemlayout delete","title":"metalctl filesystemlayout delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_delete/","page":"metalctl filesystemlayout delete","title":"metalctl filesystemlayout delete","text":"deletes the filesystemlayout","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_delete/","page":"metalctl filesystemlayout delete","title":"metalctl filesystemlayout delete","text":"metalctl filesystemlayout delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_delete/#Options","page":"metalctl filesystemlayout delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_delete/","page":"metalctl filesystemlayout delete","title":"metalctl filesystemlayout delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl filesystemlayout describe filesystemlayout-1 -o yaml > filesystemlayout.yaml\n $ vi filesystemlayout.yaml\n $ # either via stdin\n $ cat filesystemlayout.yaml | metalctl filesystemlayout delete -f -\n $ # or via file\n $ metalctl filesystemlayout delete -f filesystemlayout.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_delete/#Options-inherited-from-parent-commands","page":"metalctl filesystemlayout delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_delete/","page":"metalctl filesystemlayout delete","title":"metalctl filesystemlayout delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_delete/#SEE-ALSO","page":"metalctl filesystemlayout delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_delete/","page":"metalctl filesystemlayout delete","title":"metalctl filesystemlayout delete","text":"metalctl filesystemlayout\t - manage filesystemlayout entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_update/#metalctl-network-ip-update","page":"metalctl network ip update","title":"metalctl network ip update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_update/","page":"metalctl network ip update","title":"metalctl network ip update","text":"updates the ip","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_update/","page":"metalctl network ip update","title":"metalctl network ip update","text":"metalctl network ip update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_update/#Options","page":"metalctl network ip update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_update/","page":"metalctl network ip update","title":"metalctl network ip update","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl ip describe ip-1 -o yaml > ip.yaml\n $ vi ip.yaml\n $ # either via stdin\n $ cat ip.yaml | metalctl ip update -f -\n $ # or via file\n $ metalctl ip update -f ip.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_update/#Options-inherited-from-parent-commands","page":"metalctl network ip update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_update/","page":"metalctl network ip update","title":"metalctl network ip update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_update/#SEE-ALSO","page":"metalctl network ip update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_update/","page":"metalctl network ip update","title":"metalctl network ip update","text":"metalctl network ip\t - manage ip entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_describe/#metalctl-size-describe","page":"metalctl size describe","title":"metalctl size describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_describe/","page":"metalctl size describe","title":"metalctl size describe","text":"describes the size","category":"page"},{"location":"external/metalctl/docs/metalctl_size_describe/","page":"metalctl size describe","title":"metalctl size describe","text":"metalctl size describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_describe/#Options","page":"metalctl size describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_describe/","page":"metalctl size describe","title":"metalctl size describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_size_describe/#Options-inherited-from-parent-commands","page":"metalctl size describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_describe/","page":"metalctl size describe","title":"metalctl size describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_describe/#SEE-ALSO","page":"metalctl size describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_describe/","page":"metalctl size describe","title":"metalctl size describe","text":"metalctl size\t - manage size entities","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_apply/#metalctl-tenant-apply","page":"metalctl tenant apply","title":"metalctl tenant apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_apply/","page":"metalctl tenant apply","title":"metalctl tenant apply","text":"applies one or more tenants from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_apply/","page":"metalctl tenant apply","title":"metalctl tenant apply","text":"metalctl tenant apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_apply/#Options","page":"metalctl tenant apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_apply/","page":"metalctl tenant apply","title":"metalctl tenant apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl tenant describe tenant-1 -o yaml > tenant.yaml\n $ vi tenant.yaml\n $ # either via stdin\n $ cat tenant.yaml | metalctl tenant apply -f -\n $ # or via file\n $ metalctl tenant apply -f tenant.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_apply/#Options-inherited-from-parent-commands","page":"metalctl tenant apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_apply/","page":"metalctl tenant apply","title":"metalctl tenant apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_apply/#SEE-ALSO","page":"metalctl tenant apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_apply/","page":"metalctl tenant apply","title":"metalctl tenant apply","text":"metalctl tenant\t - manage tenant entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_off/#metalctl-machine-power-off","page":"metalctl machine power off","title":"metalctl machine power off","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_off/","page":"metalctl machine power off","title":"metalctl machine power off","text":"power off a machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_off/#Synopsis","page":"metalctl machine power off","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_off/","page":"metalctl machine power off","title":"metalctl machine power off","text":"set the machine to power off state, if the machine already was off nothing happens. It will usually take some time to power off the machine, depending on the machine type. Power on will therefore not work if the machine is in the powering off phase.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_off/","page":"metalctl machine power off","title":"metalctl machine power off","text":"metalctl machine power off [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_off/#Options","page":"metalctl machine power off","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_off/","page":"metalctl machine power off","title":"metalctl machine power off","text":" -h, --help help for off","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_off/#Options-inherited-from-parent-commands","page":"metalctl machine power off","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_off/","page":"metalctl machine power off","title":"metalctl machine power off","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_off/#SEE-ALSO","page":"metalctl machine power off","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_off/","page":"metalctl machine power off","title":"metalctl machine power off","text":"metalctl machine power\t - manage machine power","category":"page"},{"location":"external/metalctl/docs/metalctl_project_describe/#metalctl-project-describe","page":"metalctl project describe","title":"metalctl project describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_describe/","page":"metalctl project describe","title":"metalctl project describe","text":"describes the project","category":"page"},{"location":"external/metalctl/docs/metalctl_project_describe/","page":"metalctl project describe","title":"metalctl project describe","text":"metalctl project describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_project_describe/#Options","page":"metalctl project describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_describe/","page":"metalctl project describe","title":"metalctl project describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_project_describe/#Options-inherited-from-parent-commands","page":"metalctl project describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_describe/","page":"metalctl project describe","title":"metalctl project describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_project_describe/#SEE-ALSO","page":"metalctl project describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_describe/","page":"metalctl project describe","title":"metalctl project describe","text":"metalctl project\t - manage project entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_logs/#metalctl-machine-logs","page":"metalctl machine logs","title":"metalctl machine logs","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_logs/","page":"metalctl machine logs","title":"metalctl machine logs","text":"display machine provisioning logs","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_logs/","page":"metalctl machine logs","title":"metalctl machine logs","text":"metalctl machine logs [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_logs/#Options","page":"metalctl machine logs","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_logs/","page":"metalctl machine logs","title":"metalctl machine logs","text":" -h, --help help for logs\n --last-event-error-threshold duration the duration up to how long in the past a machine last event error will be counted as an issue [optional] (default 168h0m0s)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_logs/#Options-inherited-from-parent-commands","page":"metalctl machine logs","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_logs/","page":"metalctl machine logs","title":"metalctl machine logs","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_logs/#SEE-ALSO","page":"metalctl machine logs","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_logs/","page":"metalctl machine logs","title":"metalctl machine logs","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/#metalctl-machine-power-cycle","page":"metalctl machine power cycle","title":"metalctl machine power cycle","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/","page":"metalctl machine power cycle","title":"metalctl machine power cycle","text":"power cycle a machine (graceful shutdown)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/#Synopsis","page":"metalctl machine power cycle","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/","page":"metalctl machine power cycle","title":"metalctl machine power cycle","text":"(soft) cycle the machine power.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/","page":"metalctl machine power cycle","title":"metalctl machine power cycle","text":"metalctl machine power cycle [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/#Options","page":"metalctl machine power cycle","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/","page":"metalctl machine power cycle","title":"metalctl machine power cycle","text":" -h, --help help for cycle","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/#Options-inherited-from-parent-commands","page":"metalctl machine power cycle","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/","page":"metalctl machine power cycle","title":"metalctl machine power cycle","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/#SEE-ALSO","page":"metalctl machine power cycle","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_cycle/","page":"metalctl machine power cycle","title":"metalctl machine power cycle","text":"metalctl machine power\t - manage machine power","category":"page"},{"location":"external/metalctl/docs/metalctl_image/#metalctl-image","page":"metalctl image","title":"metalctl image","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image/","page":"metalctl image","title":"metalctl image","text":"manage image entities","category":"page"},{"location":"external/metalctl/docs/metalctl_image/#Synopsis","page":"metalctl image","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image/","page":"metalctl image","title":"metalctl image","text":"os images available to be installed on machines.","category":"page"},{"location":"external/metalctl/docs/metalctl_image/#Options","page":"metalctl image","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image/","page":"metalctl image","title":"metalctl image","text":" -h, --help help for image","category":"page"},{"location":"external/metalctl/docs/metalctl_image/#Options-inherited-from-parent-commands","page":"metalctl image","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image/","page":"metalctl image","title":"metalctl image","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_image/#SEE-ALSO","page":"metalctl image","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image/","page":"metalctl image","title":"metalctl image","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl image apply\t - applies one or more images from a given file\nmetalctl image create\t - creates the image\nmetalctl image delete\t - deletes the image\nmetalctl image describe\t - describes the image\nmetalctl image edit\t - edit the image through an editor and update\nmetalctl image list\t - list all images\nmetalctl image update\t - updates the image","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_console/#metalctl-machine-console","page":"metalctl machine console","title":"metalctl machine console","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_console/","page":"metalctl machine console","title":"metalctl machine console","text":"console access to a machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_console/#Synopsis","page":"metalctl machine console","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_console/","page":"metalctl machine console","title":"metalctl machine console","text":"console access to a machine, machine must be created with a ssh public key, authentication is done with your private key. In case the machine did not register properly a direct ipmi console access is available via the –ipmi flag. This is only for administrative access.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_console/","page":"metalctl machine console","title":"metalctl machine console","text":"metalctl machine console [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_console/#Options","page":"metalctl machine console","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_console/","page":"metalctl machine console","title":"metalctl machine console","text":" --admin authenticate as admin (admin only).\n -h, --help help for console\n --ipmi use ipmitool with direct network access (admin only).\n --ipmipassword string overwrite ipmi password (admin only).\n --ipmiuser string overwrite ipmi user (admin only).\n -i, --sshidentity string SSH key file, if not given the default ssh key will be used if present [optional].","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_console/#Options-inherited-from-parent-commands","page":"metalctl machine console","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_console/","page":"metalctl machine console","title":"metalctl machine console","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_console/#SEE-ALSO","page":"metalctl machine console","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_console/","page":"metalctl machine console","title":"metalctl machine console","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_project/#metalctl-project","page":"metalctl project","title":"metalctl project","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project/","page":"metalctl project","title":"metalctl project","text":"manage project entities","category":"page"},{"location":"external/metalctl/docs/metalctl_project/#Synopsis","page":"metalctl project","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project/","page":"metalctl project","title":"metalctl project","text":"a project belongs to a tenant and groups together entities in metal-stack.","category":"page"},{"location":"external/metalctl/docs/metalctl_project/#Options","page":"metalctl project","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project/","page":"metalctl project","title":"metalctl project","text":" -h, --help help for project","category":"page"},{"location":"external/metalctl/docs/metalctl_project/#Options-inherited-from-parent-commands","page":"metalctl project","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project/","page":"metalctl project","title":"metalctl project","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_project/#SEE-ALSO","page":"metalctl project","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project/","page":"metalctl project","title":"metalctl project","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl project apply\t - applies one or more projects from a given file\nmetalctl project create\t - creates the project\nmetalctl project delete\t - deletes the project\nmetalctl project describe\t - describes the project\nmetalctl project edit\t - edit the project through an editor and update\nmetalctl project list\t - list all projects\nmetalctl project update\t - updates the project","category":"page"},{"location":"external/metalctl/docs/metalctl_image_list/#metalctl-image-list","page":"metalctl image list","title":"metalctl image list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_list/","page":"metalctl image list","title":"metalctl image list","text":"list all images","category":"page"},{"location":"external/metalctl/docs/metalctl_image_list/","page":"metalctl image list","title":"metalctl image list","text":"metalctl image list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_image_list/#Options","page":"metalctl image list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_list/","page":"metalctl image list","title":"metalctl image list","text":" --classification string Classification of this image.\n --features string Features of this image.\n -h, --help help for list\n --id string ID of the image.\n --name string Name of the image.\n --os string OS derivate of this image.\n --show-usage show from how many allocated machines every image is used\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: classification|description|expiration|id|name\n --version string Version of this image.","category":"page"},{"location":"external/metalctl/docs/metalctl_image_list/#Options-inherited-from-parent-commands","page":"metalctl image list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_list/","page":"metalctl image list","title":"metalctl image list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_image_list/#SEE-ALSO","page":"metalctl image list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_list/","page":"metalctl image list","title":"metalctl image list","text":"metalctl image\t - manage image entities","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_update/#metalctl-partition-update","page":"metalctl partition update","title":"metalctl partition update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_update/","page":"metalctl partition update","title":"metalctl partition update","text":"updates the partition","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_update/","page":"metalctl partition update","title":"metalctl partition update","text":"metalctl partition update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_update/#Options","page":"metalctl partition update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_update/","page":"metalctl partition update","title":"metalctl partition update","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl partition describe partition-1 -o yaml > partition.yaml\n $ vi partition.yaml\n $ # either via stdin\n $ cat partition.yaml | metalctl partition update -f -\n $ # or via file\n $ metalctl partition update -f partition.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_update/#Options-inherited-from-parent-commands","page":"metalctl partition update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_update/","page":"metalctl partition update","title":"metalctl partition update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_update/#SEE-ALSO","page":"metalctl partition update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_update/","page":"metalctl partition update","title":"metalctl partition update","text":"metalctl partition\t - manage partition entities","category":"page"},{"location":"external/metalctl/docs/metalctl_project_edit/#metalctl-project-edit","page":"metalctl project edit","title":"metalctl project edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_edit/","page":"metalctl project edit","title":"metalctl project edit","text":"edit the project through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_project_edit/","page":"metalctl project edit","title":"metalctl project edit","text":"metalctl project edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_project_edit/#Options","page":"metalctl project edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_edit/","page":"metalctl project edit","title":"metalctl project edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_project_edit/#Options-inherited-from-parent-commands","page":"metalctl project edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_edit/","page":"metalctl project edit","title":"metalctl project edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_project_edit/#SEE-ALSO","page":"metalctl project edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_edit/","page":"metalctl project edit","title":"metalctl project edit","text":"metalctl project\t - manage project entities","category":"page"},{"location":"installation/troubleshoot/#Troubleshoot","page":"Troubleshoot","title":"Troubleshoot","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"This document summarizes help when something goes wrong and provides advice on debugging the metal-stack in certain situations.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Of course, it is also advisable to check out the issues on the Github projects for help.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"If you still can't find a solution to your problem, please reach out to us and our community. We have a public Slack Channel to discuss problems, but you can also reach us via mail. Check out metal-stack.io for contact information.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Pages = [\"troubleshoot.md\"]\nDepth = 5","category":"page"},{"location":"installation/troubleshoot/#Deployment","page":"Troubleshoot","title":"Deployment","text":"","category":"section"},{"location":"installation/troubleshoot/#Ansible-fails-when-the-metal-control-plane-helm-chart-gets-applied","page":"Troubleshoot","title":"Ansible fails when the metal control plane helm chart gets applied","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"There can be many reasons for this. Since you are deploying the metal control plane into a Kubernetes cluster, the first step should be to install kubectl and check the pods in your cluster. Depending on the metal-stack version and Kubernetes cluster, your control-plane should look something like this after the deployment (this is in a Kind cluster):","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"kubectl get pod -A\nNAMESPACE NAME READY STATUS RESTARTS AGE\ningress-nginx nginx-ingress-controller-56966f7dc7-khfp9 1/1 Running 0 2m34s\nkube-system coredns-66bff467f8-grn7q 1/1 Running 0 2m34s\nkube-system coredns-66bff467f8-n7n77 1/1 Running 0 2m34s\nkube-system etcd-kind-control-plane 1/1 Running 0 2m42s\nkube-system kindnet-4dv7m 1/1 Running 0 2m34s\nkube-system kube-apiserver-kind-control-plane 1/1 Running 0 2m42s\nkube-system kube-controller-manager-kind-control-plane 1/1 Running 0 2m42s\nkube-system kube-proxy-jz7kp 1/1 Running 0 2m34s\nkube-system kube-scheduler-kind-control-plane 1/1 Running 0 2m42s\nlocal-path-storage local-path-provisioner-bd4bb6b75-cwfb7 1/1 Running 0 2m34s\nmetal-control-plane ipam-db-0 2/2 Running 0 2m31s\nmetal-control-plane masterdata-api-6dd4b54db5-rwk45 1/1 Running 0 33s\nmetal-control-plane masterdata-db-0 2/2 Running 0 2m29s\nmetal-control-plane metal-api-998cb46c4-jj2tt 1/1 Running 0 33s\nmetal-control-plane metal-api-initdb-r9sc6 0/1 Completed 0 2m24s\nmetal-control-plane metal-api-liveliness-1590479940-brhc7 0/1 Completed 0 6s\nmetal-control-plane metal-console-7955cbb7d7-p6hxp 1/1 Running 0 33s\nmetal-control-plane metal-db-0 2/2 Running 0 2m34s\nmetal-control-plane nsq-lookupd-5b4ccbfb64-n6prg 1/1 Running 0 2m34s\nmetal-control-plane nsqd-6cd87f69c4-vtn9k 2/2 Running 0 2m33s","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"If there are any failing pods, investigate those and look into container logs. This information should point you to the place where the deployment goes wrong.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"info: Info\nSometimes, you see a helm errors like \"no deployed releases\" or something like this. When a helm chart fails after the first deployment it could be that you have a chart installation still pending. Also, the control plane helm chart uses pre- and post-hooks, which creates jobs that helm expects to be completed before attempting another deployment. Delete the helm chart (use Helm 3) with helm delete -n metal-control-plane metal-control-plane and delete the jobs in the metal-control-plane namespace before retrying the deployment.","category":"page"},{"location":"installation/troubleshoot/#In-the-mini-lab-the-control-plane-deployment-fails-because-my-system-can't-resolve-api.172.17.0.1.nip.io","page":"Troubleshoot","title":"In the mini-lab the control-plane deployment fails because my system can't resolve api.172.17.0.1.nip.io","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"The control-plane deployment returns an error like this:","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"deploy-control-plane | fatal: [localhost]: FAILED! => changed=false\ndeploy-control-plane | attempts: 60\ndeploy-control-plane | content: ''\ndeploy-control-plane | elapsed: 0\ndeploy-control-plane | msg: 'Status code was -1 and not [200]: Request failed: '\ndeploy-control-plane | redirected: false\ndeploy-control-plane | status: -1\ndeploy-control-plane | url: http://api.172.17.0.1.nip.io:8080/metal/v1/health\ndeploy-control-plane |\ndeploy-control-plane | PLAY RECAP *********************************************************************\ndeploy-control-plane | localhost : ok=29 changed=4 unreachable=0 failed=1 skipped=7 rescued=0 ignored=0\ndeploy-control-plane |\ndeploy-control-plane exited with code 2","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Some home routers have a security feature that prevents DNS Servers to resolve anything in the router's local IP range (DNS-Rebind-Protection).","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"You need to add an exception for nip.io in your router configuration or add 127.0.0.1 api.172.17.0.1.nip.io to your /etc/hosts.","category":"page"},{"location":"installation/troubleshoot/#FritzBox","page":"Troubleshoot","title":"FritzBox","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Home Network -> Network -> Network Settings -> Additional Settings -> DNS Rebind Protection -> Host name exceptions -> nip.io","category":"page"},{"location":"installation/troubleshoot/#Operations","page":"Troubleshoot","title":"Operations","text":"","category":"section"},{"location":"installation/troubleshoot/#Fixing-Machine-Issues","page":"Troubleshoot","title":"Fixing Machine Issues","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"The metalctl machine issues command gives you an overview over machines in your metal-stack environment that are in an unusual state.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"tip: Tip\nMachines that are known not to function properly, should be locked through metalctl machine lock and annotated with a description of the problem. This way, you can mark machine for replacement without being in danger of having a user allocating the faulty machine.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"In the following sections, you can look up the machine issues that are returned by metalctl and find out how to deal with them properly.","category":"page"},{"location":"installation/troubleshoot/#no-event-container","page":"Troubleshoot","title":"no-event-container","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Every machine in the metal-stack database usually has a corresponding event container where provisioning events are stored. This database entity gets created lazily as soon as a machine is registered by the metal-hammer or a provisioning event for the machine arrives at the metal-api.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"When there is no event container, this means that the machine has never registered nor received a provisioning event. As an operator you should evaluate why this machine is not booting into the metal-hammer.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"This issue is special in a way that it prevents other issues from being evaluated for this machine because the issue calculation usually requires information from the machine event container.","category":"page"},{"location":"installation/troubleshoot/#no-partition","page":"Troubleshoot","title":"no-partition","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"When a machine has no partition, the metal-hammer has not yet registered the machine at the metal-api. Instead, the machine was created through metal-stack's event machinery, which does not have a lot of information about a machine (e.g. a PXE boot event was reported from the pixiecore), or just by the metal-bmc which discovered the machine through DHCP.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"This can usually happen on the very first boot of a machine and the machine's hardware is not supported by metal-stack, leading to the metal-bmc being unable to report BMC details to the metal-api (a metal-bmc report sets the partition id of a machine) and the metal-hammer not finishing the machine registration phase.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"To resolve this issue, you need to identify the machine in your metal-stack partition that emits PXE boot events and find the reason why it is not properly booting into the metal-hammer. The console logs of this machine should enable you to find out the root cause.","category":"page"},{"location":"installation/troubleshoot/#liveliness-dead","page":"Troubleshoot","title":"liveliness-dead","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"For machines without an allocation, the metal-hammer consistently reports whether a machine is still being responsive or not. When the liveliness is Dead, there were no events received from this machine for longer than ~5 minutes.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Reasons for this can be:","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"The network connection between the partition and metal-stack control plane is interrupted\nThe machine was removed from your data center\nThe machine has changed its UUID metal-hammer#52\nThe machine is turned off\nThe machine hangs / freezes\nThe machine booted to BIOS or UEFI shell and does not try to PXE boot again\nThe issue only appears temporarily\nThe machine takes longer than 5 minutes for the reboot\nThe machine is performing a firmware upgrade, which usually takes longer than 5 minutes to succeed","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"info: Info\nIn order to minimize maintenance overhead, a machine which is dead for longer than an hour will be rebooted through the metal-api.In case you want to prevent this action from happening for a machine, you can lock the machine through metalctl machine lock.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"If the machine is dead for a long time and you are sure that it will never come back, you can clean up the machine through metalctl machine rm --remove-from-database.","category":"page"},{"location":"installation/troubleshoot/#liveliness-unknown","page":"Troubleshoot","title":"liveliness-unknown","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"For machines that are allocated by a user, the ownership has gone over to this user and as an operator you cannot access the machine anymore. This makes it harder to detect whether a machine is in a healthy state or not. Typically, all official metal-stack OS images deploy an LLDP daemon, that consistently emits alive messages. These messages are caught by the metal-core and turned into a Phoned Home event. Internally, the metal-api uses these events as an indicator to decide whether the machine is still responsive or not.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"When the LLDP daemon stopped sending packages, the reasons are identical to those of dead machines. However, it's not possible anymore to decide whether the user is responsible for reaching this state or not.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"In most of the cases, there is not much that can be done from the operator's perspective. You will need to wait for the user to report an issue with the machine. When you do support, you can use this issue type to quickly identify this machine.","category":"page"},{"location":"installation/troubleshoot/#liveliness-not-available","page":"Troubleshoot","title":"liveliness-not-available","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"This is more of a theoretical issue. When the machine liveliness is not available check that the Kubernetes CronJob in the metal-stack control plane for evaluating the machine liveliness is running regularly and not containing error logs. Make the machine boot into the metal-hammer and this issue should not appear.","category":"page"},{"location":"installation/troubleshoot/#failed-machine-reclaim","page":"Troubleshoot","title":"failed-machine-reclaim","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"If a machine remains in the Phoned Home state without having an allocation, this indicates that the metal-bmc was not able to put the machine back into PXE boot mode after metalctl machine rm. The machine is still running the operating system and it does not return back into the allocatable machine pool. Effectively, you lost a machine in your environment and no-one pays for it. Therefore, you should resolve this issue as soon as possible.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"In bad scenarios, when the machine was a firewall, the machine can still reach the internet through the PXE boot network and also attract traffic, which it cannot route anymore inside the tenant VRF. This can cause traffic loss inside a tenant network.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"In most of the cases, it should be sufficient to run another metalctl machine rm on this machine in order to retry booting into PXE mode. If this still does not succeed, you can boot the machine into the BIOS and manually and change the boot order to PXE boot. This should force booting the metal-hammer again and add the machine back into your pool of allocatable machines.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"For further reference, see metal-api#145.","category":"page"},{"location":"installation/troubleshoot/#crashloop","page":"Troubleshoot","title":"crashloop","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Under bad circumstances, a machine diverges from its typical machine lifecycle. When this happens, the internal state-machine of the metal-api detects that the machine reboots unexpectedly during the provisioning phase. It is likely that the machine has entered a crash loop where it PXE boots again and again without the machine ever becoming usable.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Reasons for this can be:","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"The machine's hardware is not supported and the metal-hammer crashes during the machine discovery\nThe machine registration fails through the metal-hammer because an orphaned / dead machine is still present in the metal-api's data base. The machine is connected to the same switch ports that were used by the orphaned machine. In this case, you should clean up the orphaned machine through metalctl machine rm --remove-from-database.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Please also consider console logs of the machine for investigating the issue.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"The incomplete cycle count is reset as soon as the machine reaches Phoned Home state or there is a Planned Reboot of the machine (planned reboot is also done by the metal-hammer once a day in order to reboot with the latest version).","category":"page"},{"location":"installation/troubleshoot/#last-event-error","page":"Troubleshoot","title":"last-event-error","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"The machine had an error during the provisioning lifecycle recently or events are arriving out of order at the metal-api. This can be an interesting hint for the operator that something during machine provisioning went wrong. You can look at the error through metalctl machine describe or metalctl machine logs.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"This error will disappear after a certain time period from machine issues. You can still look up the error as described above.","category":"page"},{"location":"installation/troubleshoot/#asn-not-unique","page":"Troubleshoot","title":"asn-not-unique","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"This issue was introduced by a bug in earlier versions of metal-stack and was fixed in PR105","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"To resolve the issue, you need to recreate the firewalls that use the same ASN.","category":"page"},{"location":"installation/troubleshoot/#bmc-without-mac","page":"Troubleshoot","title":"bmc-without-mac","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"The metal-bmc is responsible to report connection data for the machine's BMC.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"If it's uncapable of discovering this information, your hardware might not be supported. Please investigate the logs of the metal-bmc to find out what's going wrong with this machine.","category":"page"},{"location":"installation/troubleshoot/#bmc-without-ip","page":"Troubleshoot","title":"bmc-without-ip","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"The metal-bmc is responsible to report connection data for the machine's BMC.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"If it's uncapable of discovering this information, your hardware might not be supported. Please investigate the logs of the metal-bmc to find out what's going wrong with this machine.","category":"page"},{"location":"installation/troubleshoot/#bmc-no-distinct-ip","page":"Troubleshoot","title":"bmc-no-distinct-ip","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"The metal-bmc is responsible to report connection data for the machine's BMC.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"When there is no distinct IP address for the BMC, it can be that an orphaned machine used this IP in the past. In this case, you need to clean up the orphaned machine through metalctl machine rm --remove-from-database.","category":"page"},{"location":"installation/troubleshoot/#bmc-info-outdated","page":"Troubleshoot","title":"bmc-info-outdated","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"The metal-bmc is responsible to report bmc details for the machine's BMC.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"When the metal-bmc was not able to fetch the bmc info for longer than 20 minutes, something is wrong with the BMC configuration of the machine. This can be caused by one of the following reasons:","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Wrong password for the root user is configured in the BMC\nip address of the BMC is either wrong or not present\nthe device on the given ip address is not a machine, maybe a switch or a management component which is not managed by the metal-api","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"In either case, please check the logs for the given machine UUID on the metal-bmc for further details. Also check that the metal-bmc is configured to only consider BMC IPs in the range they are configured from the DHCP server in the partition. This prevents grabbing unrelated BMCs.","category":"page"},{"location":"installation/troubleshoot/#A-machine-has-registered-with-a-different-UUID-after-reboot","page":"Troubleshoot","title":"A machine has registered with a different UUID after reboot","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"metal-stack heavily relies on steady machine UUIDs as the UUID is the primary key of the machine entity in the metal-api.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"For further reference also see metal-stack/metal-hammer#52.","category":"page"},{"location":"installation/troubleshoot/#Reasons","page":"Troubleshoot","title":"Reasons","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"There are some scenarios (can be vendor-specific), which can cause a machine UUID to change over time, e.g.:","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"When the UUID partly contains of a network card's mac address, it can happen when:\nExchanging network cards\nDisabling network cards through BIOS\nChanging the UUID through vendor-specific CLI tool","category":"page"},{"location":"installation/troubleshoot/#Solution","page":"Troubleshoot","title":"Solution","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"After five minutes, the orphaned machine UUID will be marked dead (💀) because machine events will be sent only to the most recent UUID\nIdentify the dead machine through metalctl machine ls\nRemove the dead machine forcefully with metalctl machine rm --remove-from-database --yes-i-really-mean-it ","category":"page"},{"location":"installation/troubleshoot/#Fixing-Switch-Issues","page":"Troubleshoot","title":"Fixing Switch Issues","text":"","category":"section"},{"location":"installation/troubleshoot/#switch-sync-failing","page":"Troubleshoot","title":"switch-sync-failing","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"For your network infrastructure it is key to adapt to new configuration. In case this sync process fails for more than 10 minutes, it is likely to require manual investigation.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Depending on your switch operating system, the error sources might differ a lot. Try to connect to your switch using the console or ssh and investigate the logs. Check if the hard drive is full.","category":"page"},{"location":"installation/troubleshoot/#Switch-Replacement-and-Migration","page":"Troubleshoot","title":"Switch Replacement and Migration","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"There are two mechanisms to replace an existing switch with a new one, both of which will transfer existing VRF configuration and machine connections from one switch to another. Due to the redundance of the CLOS topology, a switch replacement can be performed without downtime.","category":"page"},{"location":"installation/troubleshoot/#Replacing-a-Switch","page":"Troubleshoot","title":"Replacing a Switch","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"If the new switch should have the same ID as the old one you should perform a switch replacement. To find detailed information about the procedure of a switch replacement use metalctl switch replace --help. Basically, what you need to do is mark the switch for replacement via metalctl switch replace, then physically replace the switch with the new one and configure it. The last step is to deploy metal-core on the switch. Once metal-core registers the new switch at the metal-api, the old switches configuration and machine connections will be transferred to the new one. Note that the replacement only works if the new switch has the same ID as the old one. Otherwise metal-core will simply register a new switch and leave the old one untouched.","category":"page"},{"location":"installation/troubleshoot/#Migrating-from-one-Switch-to-another","page":"Troubleshoot","title":"Migrating from one Switch to another","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"If the new switch should not or cannot have the same ID as the old one, then the switch migrate command can be used to achieve the same result as a switch replacement. Perform the following steps:","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Leave the old switch in place.\nInstall the new switch in the rack without connecting it to any machines yet.\nAdjust the metal-stack deployment in the same way as for a switch replacement.\nDeploy metal-core on the new switch and wait for it to register at the metal-api. Once the switch is registered it will be listed when you run metalctl switch ls.\nRun metalctl switch migrate .\nDisconnect all machines from the old switch and connect them to the new one.","category":"page"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"In between steps 5 and 6 there is a mismatch between the switch-machine-connections known to the metal-api and the real connections. Since the metal-api learns about the connections from what a machine reports during registration, a machine registration that occurs in between steps 5 and 6 will result in a condition that looks somewhat broken. The metal-api will think that a machine is connected to three switches. This, however, should not cause any problems. Just move on to step 6 and delete the old switch from the metal-api afterwards. If the case just described really occurs, then metalctl switch delete will throw an error, because deleting a switch with existing machine connections might be dangerous. If, apart from that, the migration was successful, then the old switch can be safely deleted with metalctl switch delete --force.","category":"page"},{"location":"installation/troubleshoot/#Preconditions-for-Migration-and-Replacement","page":"Troubleshoot","title":"Preconditions for Migration and Replacement","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"An invariant that must be satisfied throughout is that the switch ports a machine is connected to must match, i.e. a machine connected to Ethernet0 on switch 1 must be connected to Ethernet0 on switch 2 etc. Furthermore, the breakout configurations of both switches must match and the new switch must contain at least all of the old switch's interfaces.","category":"page"},{"location":"installation/troubleshoot/#Migrating-from-Cumulus-to-Edgecore-SONiC","page":"Troubleshoot","title":"Migrating from Cumulus to Edgecore SONiC","text":"","category":"section"},{"location":"installation/troubleshoot/","page":"Troubleshoot","title":"Troubleshoot","text":"Both migration and replacement can be used to move from Cumulus to Edgecore SONiC (or vice versa). Migrating to or from Broadcom SONiC or mixing Broadcom SONiC with Cumulus or Edgecore SONiC is not supported.","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_delete/#metalctl-network-ip-delete","page":"metalctl network ip delete","title":"metalctl network ip delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_delete/","page":"metalctl network ip delete","title":"metalctl network ip delete","text":"deletes the ip","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_delete/","page":"metalctl network ip delete","title":"metalctl network ip delete","text":"metalctl network ip delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_delete/#Options","page":"metalctl network ip delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_delete/","page":"metalctl network ip delete","title":"metalctl network ip delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl ip describe ip-1 -o yaml > ip.yaml\n $ vi ip.yaml\n $ # either via stdin\n $ cat ip.yaml | metalctl ip delete -f -\n $ # or via file\n $ metalctl ip delete -f ip.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_delete/#Options-inherited-from-parent-commands","page":"metalctl network ip delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_delete/","page":"metalctl network ip delete","title":"metalctl network ip delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_delete/#SEE-ALSO","page":"metalctl network ip delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_delete/","page":"metalctl network ip delete","title":"metalctl network ip delete","text":"metalctl network ip\t - manage ip entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_describe/#metalctl-network-ip-describe","page":"metalctl network ip describe","title":"metalctl network ip describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_describe/","page":"metalctl network ip describe","title":"metalctl network ip describe","text":"describes the ip","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_describe/","page":"metalctl network ip describe","title":"metalctl network ip describe","text":"metalctl network ip describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_describe/#Options","page":"metalctl network ip describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_describe/","page":"metalctl network ip describe","title":"metalctl network ip describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_describe/#Options-inherited-from-parent-commands","page":"metalctl network ip describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_describe/","page":"metalctl network ip describe","title":"metalctl network ip describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_describe/#SEE-ALSO","page":"metalctl network ip describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_describe/","page":"metalctl network ip describe","title":"metalctl network ip describe","text":"metalctl network ip\t - manage ip entities","category":"page"},{"location":"development/proposals/#Metal-Stack-Enhancement-Proposals-(MEPs)","page":"Enhancement Proposals","title":"Metal Stack Enhancement Proposals (MEPs)","text":"","category":"section"},{"location":"development/proposals/","page":"Enhancement Proposals","title":"Enhancement Proposals","text":"This section contains proposals which address substantial modifications to metal-stack.","category":"page"},{"location":"development/proposals/","page":"Enhancement Proposals","title":"Enhancement Proposals","text":"Every proposal has a short name which starts with MEP followed by an incremental, unique number. Proposals should be raised as pull requests in the docs repository and can be discussed in Github issues.","category":"page"},{"location":"development/proposals/","page":"Enhancement Proposals","title":"Enhancement Proposals","text":"The list of proposal and their current state is listed in the table below.","category":"page"},{"location":"development/proposals/","page":"Enhancement Proposals","title":"Enhancement Proposals","text":"Possible states are:","category":"page"},{"location":"development/proposals/","page":"Enhancement Proposals","title":"Enhancement Proposals","text":"In Discussion\nAccepted\nDeclined\nIn Progress\nCompleted\nAborted","category":"page"},{"location":"development/proposals/","page":"Enhancement Proposals","title":"Enhancement Proposals","text":"Once a proposal was accepted, an issue should be raised and the implementation should be done in a separate PR.","category":"page"},{"location":"development/proposals/","page":"Enhancement Proposals","title":"Enhancement Proposals","text":"Name Description State\nMEP-1 Distributed Control Plane Deployment In Discussion\nMEP-2 Two Factor Authentication Aborted\nMEP-3 Machine Re-Installation to preserve local data Completed\nMEP-4 Multi-tenancy for the metal-api In Discussion\nMEP-5 Shared Networks Completed\nMEP-6 DMZ Networks Completed\nMEP-8 Configurable Filesystemlayout Completed\nMEP-9 No Open Ports To the Data Center Completed\nMEP-10 SONiC Support Completed\nMEP-11 Auditing of metal-stack resources Completed\nMEP-12 Rack Spreading Completed\nMEP-14 Independence from external sources In Discussion","category":"page"},{"location":"external/metalctl/docs/metalctl_image_delete/#metalctl-image-delete","page":"metalctl image delete","title":"metalctl image delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_delete/","page":"metalctl image delete","title":"metalctl image delete","text":"deletes the image","category":"page"},{"location":"external/metalctl/docs/metalctl_image_delete/","page":"metalctl image delete","title":"metalctl image delete","text":"metalctl image delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_image_delete/#Options","page":"metalctl image delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_delete/","page":"metalctl image delete","title":"metalctl image delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl image describe image-1 -o yaml > image.yaml\n $ vi image.yaml\n $ # either via stdin\n $ cat image.yaml | metalctl image delete -f -\n $ # or via file\n $ metalctl image delete -f image.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_image_delete/#Options-inherited-from-parent-commands","page":"metalctl image delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_delete/","page":"metalctl image delete","title":"metalctl image delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_image_delete/#SEE-ALSO","page":"metalctl image delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_delete/","page":"metalctl image delete","title":"metalctl image delete","text":"metalctl image\t - manage image entities","category":"page"},{"location":"external/metalctl/docs/metalctl_markdown/#metalctl-markdown","page":"metalctl markdown","title":"metalctl markdown","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_markdown/","page":"metalctl markdown","title":"metalctl markdown","text":"create markdown documentation","category":"page"},{"location":"external/metalctl/docs/metalctl_markdown/","page":"metalctl markdown","title":"metalctl markdown","text":"metalctl markdown [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_markdown/#Options","page":"metalctl markdown","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_markdown/","page":"metalctl markdown","title":"metalctl markdown","text":" -h, --help help for markdown","category":"page"},{"location":"external/metalctl/docs/metalctl_markdown/#Options-inherited-from-parent-commands","page":"metalctl markdown","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_markdown/","page":"metalctl markdown","title":"metalctl markdown","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_markdown/#SEE-ALSO","page":"metalctl markdown","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_markdown/","page":"metalctl markdown","title":"metalctl markdown","text":"metalctl\t - a cli to manage entities in the metal-stack api","category":"page"},{"location":"external/metalctl/docs/metalctl_size_create/#metalctl-size-create","page":"metalctl size create","title":"metalctl size create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_create/","page":"metalctl size create","title":"metalctl size create","text":"creates the size","category":"page"},{"location":"external/metalctl/docs/metalctl_size_create/","page":"metalctl size create","title":"metalctl size create","text":"metalctl size create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_create/#Options","page":"metalctl size create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_create/","page":"metalctl size create","title":"metalctl size create","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -d, --description string Description of the size. [required]\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl size describe size-1 -o yaml > size.yaml\n $ vi size.yaml\n $ # either via stdin\n $ cat size.yaml | metalctl size create -f -\n $ # or via file\n $ metalctl size create -f size.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for create\n --id string ID of the size. [required]\n --max int min value of given size constraint type. [required]\n --min int min value of given size constraint type. [required]\n -n, --name string Name of the size. [optional]\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations\n --type string type of constraints. [required]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_create/#Options-inherited-from-parent-commands","page":"metalctl size create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_create/","page":"metalctl size create","title":"metalctl size create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_create/#SEE-ALSO","page":"metalctl size create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_create/","page":"metalctl size create","title":"metalctl size create","text":"metalctl size\t - manage size entities","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_describe/#metalctl-firewall-describe","page":"metalctl firewall describe","title":"metalctl firewall describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_describe/","page":"metalctl firewall describe","title":"metalctl firewall describe","text":"describes the firewall","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_describe/","page":"metalctl firewall describe","title":"metalctl firewall describe","text":"metalctl firewall describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_describe/#Options","page":"metalctl firewall describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_describe/","page":"metalctl firewall describe","title":"metalctl firewall describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_describe/#Options-inherited-from-parent-commands","page":"metalctl firewall describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_describe/","page":"metalctl firewall describe","title":"metalctl firewall describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_describe/#SEE-ALSO","page":"metalctl firewall describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_describe/","page":"metalctl firewall describe","title":"metalctl firewall describe","text":"metalctl firewall\t - manage firewall entities","category":"page"},{"location":"development/roadmap/#Roadmap","page":"Roadmap","title":"Roadmap","text":"","category":"section"},{"location":"development/roadmap/","page":"Roadmap","title":"Roadmap","text":"A roadmap with short-, mid- and long-term planning will be available soon. For now, there is only a backlog.","category":"page"},{"location":"development/roadmap/#Short-term","page":"Roadmap","title":"Short-term","text":"","category":"section"},{"location":"development/roadmap/","page":"Roadmap","title":"Roadmap","text":"Available soon.","category":"page"},{"location":"development/roadmap/#Mid-term","page":"Roadmap","title":"Mid-term","text":"","category":"section"},{"location":"development/roadmap/","page":"Roadmap","title":"Roadmap","text":"Available soon.","category":"page"},{"location":"development/roadmap/#Long-term","page":"Roadmap","title":"Long-term","text":"","category":"section"},{"location":"development/roadmap/","page":"Roadmap","title":"Roadmap","text":"Available soon.","category":"page"},{"location":"development/roadmap/#Backlog","page":"Roadmap","title":"Backlog","text":"","category":"section"},{"location":"development/roadmap/","page":"Roadmap","title":"Roadmap","text":"The backlog contains ideas of what could become part of the roadmap in the future. The list is ordered alphabetically. Therefore, the order does not express the importance or weight of a backlog item.","category":"page"},{"location":"development/roadmap/","page":"Roadmap","title":"Roadmap","text":"We incorporate community feedback into the roadmap. If you think that important points are missing in the backlog, please share your ideas with us. We have a Slack channel. Please check out metal-stack.io for contact information.","category":"page"},{"location":"development/roadmap/","page":"Roadmap","title":"Roadmap","text":"danger: Danger\nBy no means this list is a promise of what is being worked on in the near future. It is just a summary of ideas that was agreed on to be \"nice to have\". It is up to the investors, maintainers and the community to choose topics from this list and to implement them or to remove them from the list.","category":"page"},{"location":"development/roadmap/","page":"Roadmap","title":"Roadmap","text":"Add metal-stack to Gardener conformance test grid\nAutoscaler for metal control plane components\nCI dashboard and public integration testing\nCilium as the default CNI for metal-stack on Gardener K8s clusters\nImproved release and deploy processes (GitOps, Spinnaker, Flux)\nMachine internet without firewalls\nmetal-stack dashboard (UI)\nOffer our metal-stack extensions as enterprise products (accounting, cluster-api, S3) (neither of them will ever be required for running metal-stack, they just add extra value for certain enterprises)\nPartition managed by Kubernetes (with Kubelets joining the control plane cluster)\nPublic offering / demo playground\nResource scoping in the metal-api (MEP-4)\nService / API tokens (for scoped technical user access)","category":"page"},{"location":"external/firewall-controller/DEVELOP/#Develop-Setup","page":"Develop Setup","title":"Develop Setup","text":"","category":"section"},{"location":"external/firewall-controller/DEVELOP/","page":"Develop Setup","title":"Develop Setup","text":"download kubebuilder\ndownload kustomize from kustomize\ninit project and run kubebuilder\nkubebuilder init --domain metal-stack.io\nkubebuilder create api --group firewall --version v1 --kind Network\nrun test\nexport KUBEBUILDER_ASSETS=/usr/local/kubebuilder/bin # path-to-kubebuilder/bin\nmake test","category":"page"},{"location":"external/firewall-controller/DEVELOP/#Testing-locally","page":"Develop Setup","title":"Testing locally","text":"","category":"section"},{"location":"external/firewall-controller/DEVELOP/","page":"Develop Setup","title":"Develop Setup","text":"# make binary\nmake\n\n# start the controller\nbin/firewall-controller --hosts-file ./hosts --enable-signature-check=false --enable-IDS=false\n\n# install kind (k8s in docker)\n\n# create a local kind cluster\nkind create cluster\n\n# deploy manifests\nk apply -f deploy\n\n# watch results\nk describe -n firewall firewall\ncat nftables.v4\ncat hosts","category":"page"},{"location":"development/proposals/MEP11/README/#Auditing-of-metal-stack-resources","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"","category":"section"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"Currently no logs of the ownership of resources like machines, networks, ips and volumes are generated or kept. Though due to legal requirements data centers are required to keep track of this ownership over time to prevent liability issues when opening the platform for external users.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"In this proposal we want to introduce a flexible and low-maintenance approach for auditing on top of Meilisearch.","category":"page"},{"location":"development/proposals/MEP11/README/#Overview","page":"Auditing of metal-stack resources","title":"Overview","text":"","category":"section"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"In general our auditing logs will be collected by a request interceptor or middleware. Every request and response will be processed and eventually logged to Meilisearch. Meilisearch will be configured to regularly create chunks of the auditing logs. These finished chunks will be backed up to a S3 compatible storage with a read-only option enabled.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"Of course sensitive data like session keys or passwords will be redacted before logging. We want to track relevant requests and responses. If auditing the request fails, the request itself will be aborted and will not be processed further. The requests and responses that will be audited will be annotated with a correlation id.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"Transferring the meilisearch auditing data chunks to the S3 compatible storage will be done by a sidecar cronjob that is executed periodically. To avoid data manipulation the S3 compatible storage will be configured to be read-only.","category":"page"},{"location":"development/proposals/MEP11/README/#Whitelisting","page":"Auditing of metal-stack resources","title":"Whitelisting","text":"","category":"section"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"To reduce the amount of unnecessary logs we want to introduce a whitelist of resources and operations on those that should be logged. Other requests will be passed directly to the next middleware or web service without any further processing.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"As we are only interested in mutating endpoints, we ignore all GET requests. The whitelist includes all POST, PUT, PATCH and DELETE endpoints of the HTTP middleware except for the following (non-manipulating) route suffixes:","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"/find\n/notify\n/try and /match\n/capacity\n/from-hardware","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"Regarding GRPC audit trails, they are not so interesting because only internal clients are using this API. However, we can log the trails of the Boot service, which can be interesting to revise the machine lifecycle.","category":"page"},{"location":"development/proposals/MEP11/README/#Chunking-in-Meilisearch","page":"Auditing of metal-stack resources","title":"Chunking in Meilisearch","text":"","category":"section"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"We want our data to be chunked in Meilisearch. To accomplish this, we rotate the index identifier on a scheduled basis. The index identifiers will be derived from the current date and time.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"To keep things simple, we only support hourly, daily and monthly rotation. The eventually prefixed index names will only include relevant parts of date and time like 2021-01, 2021-01-01 or 2021-01-01_13.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"The metal-api will only write to the current index and switches to the new index on rotation. The metal-api will never read or update data in any indices.","category":"page"},{"location":"development/proposals/MEP11/README/#Moving-chunks-to-S3-compatible-storage","page":"Auditing of metal-stack resources","title":"Moving chunks to S3 compatible storage","text":"","category":"section"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"As Meilisearch will be filled with data over time, we want to move completed chunks to a S3 compatible storage. This will be done by a sidecar cronjob that is executed periodically. Note that the periods of the index rotation and the cronjob execution don't have to match.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"When the backup process gets started, it initiates a Meilisearch dump of the whole database across all indices. Once the returned task is finished, the dump must be copied from a Meilisearch volume to the S3 compatible storage. After a successful copy, the dump can be deleted.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"Now we want to remove all indices from Meilisearch, except the most recent one. For this, we get all indices, sort them and delete each index except the most recent one to avoid data loss.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"For the actual implementation, we can build upon backup-restore-sidecar. But due to the index rotation and the fact, that older indices need to be deleted, this probably does not fit into the mentioned sidecar.","category":"page"},{"location":"development/proposals/MEP11/README/#S3-compatible-storage","page":"Auditing of metal-stack resources","title":"S3 compatible storage","text":"","category":"section"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"The dumps of chunks should automatically deleted after a certain amount of time, once we are either no longer allowed or required to keep them. The default retention time will be 6 months. Ideally already uploaded chunks should be read-only to prevent data manipulation.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"A candidate for the S3 compatible storage is Google Cloud Storage, which allows to configure automatic expiration of objects through a lifecycle rule.","category":"page"},{"location":"development/proposals/MEP11/README/#Affected-components","page":"Auditing of metal-stack resources","title":"Affected components","text":"","category":"section"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"metal-api grpc server needs an auditing interceptor\nmetal-api web server needs an auditing filter chain / middleware\nmetal-api needs new command line arguments to configure the auditing\nmini-lab needs a Meilisearch instance\nmini-lab may need a local S3 compatible storage\nwe need a sidecar to implement the backup to S3 compatible storage\nConsider auditing of volume allocations and freeings outside of metal-stack","category":"page"},{"location":"development/proposals/MEP11/README/#Alternatives-considered","page":"Auditing of metal-stack resources","title":"Alternatives considered","text":"","category":"section"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"Instead of using Meilisearch we investigated using an immutable database like immudb. But immudb does not support chunking of data and due to its immutable nature, we will never be able to free up space of expired data. Even if we are legally allowed or required to delete data, we will not be able to do so with immudb.","category":"page"},{"location":"development/proposals/MEP11/README/","page":"Auditing of metal-stack resources","title":"Auditing of metal-stack resources","text":"In another variant of the Meilisearch approach the metal-api would also be responsible for copying chunks to the S3 compatible storage and deleting old indices. But separating the concerns allows completely different implementations for every deployment stage.","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall/#metalctl-firewall","page":"metalctl firewall","title":"metalctl firewall","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall/","page":"metalctl firewall","title":"metalctl firewall","text":"manage firewall entities","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall/#Synopsis","page":"metalctl firewall","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall/","page":"metalctl firewall","title":"metalctl firewall","text":"firewalls are used to establish network connectivity between metal-stack networks. firewalls are similar to machines but are managed by the provider. almost every command of the machine command subset works on firewalls, too.","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall/#Options","page":"metalctl firewall","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall/","page":"metalctl firewall","title":"metalctl firewall","text":" -h, --help help for firewall","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall/#Options-inherited-from-parent-commands","page":"metalctl firewall","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall/","page":"metalctl firewall","title":"metalctl firewall","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall/#SEE-ALSO","page":"metalctl firewall","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall/","page":"metalctl firewall","title":"metalctl firewall","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl firewall create\t - creates the firewall\nmetalctl firewall describe\t - describes the firewall\nmetalctl firewall list\t - list all firewalls\nmetalctl firewall ssh\t - SSH to a firewall","category":"page"},{"location":"external/metalctl/docs/metalctl_update_do/#metalctl-update-do","page":"metalctl update do","title":"metalctl update do","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update_do/","page":"metalctl update do","title":"metalctl update do","text":"do the update of the program","category":"page"},{"location":"external/metalctl/docs/metalctl_update_do/","page":"metalctl update do","title":"metalctl update do","text":"metalctl update do [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_update_do/#Options","page":"metalctl update do","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update_do/","page":"metalctl update do","title":"metalctl update do","text":" -h, --help help for do\n -v, --version string the version to update to, by default updates to the supported version, use \"latest\" to update to latest version","category":"page"},{"location":"external/metalctl/docs/metalctl_update_do/#Options-inherited-from-parent-commands","page":"metalctl update do","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update_do/","page":"metalctl update do","title":"metalctl update do","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_update_do/#SEE-ALSO","page":"metalctl update do","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_update_do/","page":"metalctl update do","title":"metalctl update do","text":"metalctl update\t - update the program","category":"page"},{"location":"development/client_libraries/#Client-Libraries","page":"Client Libraries","title":"Client Libraries","text":"","category":"section"},{"location":"development/client_libraries/","page":"Client Libraries","title":"Client Libraries","text":"Our public-facing APIs are built on swagger, which allows you generating API clients in all sorts of programming languages.","category":"page"},{"location":"development/client_libraries/","page":"Client Libraries","title":"Client Libraries","text":"For the metal-api we officially support the following client libraries:","category":"page"},{"location":"development/client_libraries/","page":"Client Libraries","title":"Client Libraries","text":"metal-go\nmetal-python","category":"page"},{"location":"development/proposals/MEP9/README/#No-Open-Ports-To-the-Data-Center","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Our metal-stack partitions typically have open ports for metal-stack native services, these are:","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"SSH port on the firewalls\nbmc-reverse-proxy for serial console access through the metal-console","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"These open ports are potential security risks. For example, while SSH access is possible only with private key it's still vulnerable to DoS attack.","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Therefore, we want to get rid off these open ports to reduce the attack surface to the data center.","category":"page"},{"location":"development/proposals/MEP9/README/#Requirements","page":"No Open Ports To the Data Center","title":"Requirements","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Access to firewall SSH only via VPN\nEasy to update VPN components","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"As a next step, we can also consider joining the management servers to the VPN mesh, which would replace typical WireGuard setups for operators to enter resources inside the partition.","category":"page"},{"location":"development/proposals/MEP9/README/#High-Level-Design","page":"No Open Ports To the Data Center","title":"High Level Design","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Simplified drawing showing old vs. new architecture.","category":"page"},{"location":"development/proposals/MEP9/README/#Concerns","page":"No Open Ports To the Data Center","title":"Concerns","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"There's few concerns when using WireGuard for implementing VPN:","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"WireGuard doesn't implement dynamic cipher substitution. Which is important in case one of the crypto methods, used by WireGuard will be broken. The only possible solution for that will be to update WireGuard to a fixed version.\nCoordination server(Headscale) is a single point of failure. In case it fails, it potentially can disconnect existing members of the network, as WireGuard can't manage dynamic IPs by itself.\nHeadscale is already falls behind Tailscale coordination server implementation. Which can complicate the upgrade to newer version of Tailscale client in case of emergency.","category":"page"},{"location":"development/proposals/MEP9/README/#Solutions-to-concerns","page":"No Open Ports To the Data Center","title":"Solutions to concerns","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Tailscale node software is using userspace implementation of WireGuard – wireguard-go. One of the options is to inject Tailscale client into metalctl. And make it available as metalctl vpn or similar command. It should be possible to do as tailscale node is already available as open sourced Go pkg. That would allow us to control, what version of Tailscale users are using and in case of any critical changes to enforce them to update metalctl to use VPN functionality.\nWould it be a considerable risk? We could look into wg-dynamic project to cover this problem.\nAt the moment, repository looks well maintained and the metal-stack team already contributes to it.","category":"page"},{"location":"development/proposals/MEP9/README/#Implementation-Details","page":"No Open Ports To the Data Center","title":"Implementation Details","text":"","category":"section"},{"location":"development/proposals/MEP9/README/#metal-roles","page":"No Open Ports To the Data Center","title":"metal-roles","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"metal-roles will be responsible for deployment of headscale server(via new headscale role). It also should provide sufficient config to metal-api so it establishes connection with headscale gRPC server.","category":"page"},{"location":"development/proposals/MEP9/README/#New-metalctl-commands","page":"No Open Ports To the Data Center","title":"New metalctl commands","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"metalctl will be responsible for client-side implementation of this MEP. Specifically, it's by using metalctl user expected to connect to firewalls.","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"metalctl vpn – section for VPN related commands:\nmetalctl vpn get key [vpn name] --namespace [namespace name] – returns auth key to be used with tailscale client for establishing connection.","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Extend metalctl firewall:","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"metalctl firewall ssh [ID] – connect to firewall via SSH.","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Extend metalctl machine:","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"metalctl machine ssh [ID] – connect to machine via SSH.","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"metalctl will be able to connect to firewall and machines by running tailscale in container.","category":"page"},{"location":"development/proposals/MEP9/README/#metal-api","page":"No Open Ports To the Data Center","title":"metal-api","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Updates to metal-api should be made, so that it's able to add firewalls to VPNs. There should be one Tailscale namespace per project. So if multiple firewalls are created in single project, they will join the same namespace.","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Two new flags should be introduced to connect metal-api to headscale gRPC server:","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"headscale-addr – specifies address of Headscale grpc API.\nheadscale-api-key – specifies temporary API key to connect to Headscale. It should be replaced and then rotated by metal-api.","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"If metal-api initialized with headscale connection it should automatically join all created firewalls to VPN.","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Add new endpoint, that will be used by metalctl to connect to VPN:","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"/v1/vpn GET – requests auth key from headscale server.","category":"page"},{"location":"development/proposals/MEP9/README/#metal-hammer","page":"No Open Ports To the Data Center","title":"metal-hammer","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"metal-hammer acts as an intermediary for machine configuration between metal-api and machine's image. Specifically it writes to /etc/metal/install.yaml file, data from which later will be used by image's install.sh file.","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"To implement VPN support we have to add authentication key and VPN server address to install.yaml file. This key will be used to join machine to a VPN.","category":"page"},{"location":"development/proposals/MEP9/README/#metal-images","page":"No Open Ports To the Data Center","title":"metal-images","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Images install.sh script have to be updated to work with authentication key and VPN server address, provided in install.yaml file. If this key is present, machine should connect to VPN.","category":"page"},{"location":"development/proposals/MEP9/README/#metal-networker","page":"No Open Ports To the Data Center","title":"metal-networker","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"metal-networker also have to know if VPN was configured. In that case we need to disable public access to SSH and allow all(?) traffic from WireGuard interface.","category":"page"},{"location":"development/proposals/MEP9/README/#firewall-controller","page":"No Open Ports To the Data Center","title":"firewall-controller","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"firewall-controller have to monitor changes in Firewall resource and keep tailscaled version up-to-date.","category":"page"},{"location":"development/proposals/MEP9/README/#Resources","page":"No Open Ports To the Data Center","title":"Resources","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Update Firewall resource to include desired/actual tailscale version:","category":"page"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"Firewall:\n Spec:\n tailscale:\n Version: Minimal version\n ...\n Status:\n ...\n VPN:\n Status: Boolean field\n tailscale:\n Version: Actual version\n ...","category":"page"},{"location":"development/proposals/MEP9/README/#bmc-reverse-proxy","page":"No Open Ports To the Data Center","title":"bmc-reverse-proxy","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"TODO","category":"page"},{"location":"development/proposals/MEP9/README/#References","page":"No Open Ports To the Data Center","title":"References","text":"","category":"section"},{"location":"development/proposals/MEP9/README/","page":"No Open Ports To the Data Center","title":"No Open Ports To the Data Center","text":"WireGuard: Next Generation Secure Network Tunnel\nHow Tailscale works\nTailscale is officially SOC 2 compliant\nWhy not Wireguard\nWireguard: Known Limitations\nWireguard: Things That Might Be Accomplished\nHeadscale: Tailscale control protocol v2","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/#metalctl-machine-identify-off","page":"metalctl machine identify off","title":"metalctl machine identify off","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/","page":"metalctl machine identify off","title":"metalctl machine identify off","text":"power off the machine chassis identify LED","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/#Synopsis","page":"metalctl machine identify off","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/","page":"metalctl machine identify off","title":"metalctl machine identify off","text":"set the machine chassis identify LED to off state","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/","page":"metalctl machine identify off","title":"metalctl machine identify off","text":"metalctl machine identify off [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/#Options","page":"metalctl machine identify off","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/","page":"metalctl machine identify off","title":"metalctl machine identify off","text":" -d, --description string description of the reason for chassis identify LED turn-off. (default \"Triggered by metalctl\")\n -h, --help help for off","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/#Options-inherited-from-parent-commands","page":"metalctl machine identify off","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/","page":"metalctl machine identify off","title":"metalctl machine identify off","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/#SEE-ALSO","page":"metalctl machine identify off","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify_off/","page":"metalctl machine identify off","title":"metalctl machine identify off","text":"metalctl machine identify\t - manage machine chassis identify LED power","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_capacity/#metalctl-partition-capacity","page":"metalctl partition capacity","title":"metalctl partition capacity","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_capacity/","page":"metalctl partition capacity","title":"metalctl partition capacity","text":"show partition capacity","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_capacity/","page":"metalctl partition capacity","title":"metalctl partition capacity","text":"metalctl partition capacity [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_capacity/#Options","page":"metalctl partition capacity","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_capacity/","page":"metalctl partition capacity","title":"metalctl partition capacity","text":" -h, --help help for capacity\n --id string filter on partition id. [optional]\n --project-id string consider project-specific counts, e.g. size reservations. [optional]\n --size string filter on size id. [optional]\n --sort-by strings order by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: description|id|name","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_capacity/#Options-inherited-from-parent-commands","page":"metalctl partition capacity","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_capacity/","page":"metalctl partition capacity","title":"metalctl partition capacity","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_capacity/#SEE-ALSO","page":"metalctl partition capacity","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_capacity/","page":"metalctl partition capacity","title":"metalctl partition capacity","text":"metalctl partition\t - manage partition entities","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_migrate/#metalctl-switch-migrate","page":"metalctl switch migrate","title":"metalctl switch migrate","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_migrate/","page":"metalctl switch migrate","title":"metalctl switch migrate","text":"migrate machine connections and other configuration from one switch to another","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_migrate/","page":"metalctl switch migrate","title":"metalctl switch migrate","text":"metalctl switch migrate [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_migrate/#Options","page":"metalctl switch migrate","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_migrate/","page":"metalctl switch migrate","title":"metalctl switch migrate","text":" -h, --help help for migrate","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_migrate/#Options-inherited-from-parent-commands","page":"metalctl switch migrate","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_migrate/","page":"metalctl switch migrate","title":"metalctl switch migrate","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_migrate/#SEE-ALSO","page":"metalctl switch migrate","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_migrate/","page":"metalctl switch migrate","title":"metalctl switch migrate","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"overview/comparison/#Comparison-with-Commercial-Solutions","page":"Comparison","title":"Comparison with Commercial Solutions","text":"","category":"section"},{"location":"overview/comparison/","page":"Comparison","title":"Comparison","text":"As metal-stack is the foundation to build Kubernetes clusters on premise on bare metal, there are several commercial solutions available which offer management of Kubernetes. In this document we describe the differences between some of the most popular solutions. It´s is not a complete list.","category":"page"},{"location":"overview/comparison/","page":"Comparison","title":"Comparison","text":"Pages = [\"comparison.md\"]\nDepth = 5","category":"page"},{"location":"overview/comparison/","page":"Comparison","title":"Comparison","text":"Comparison between Gardener on Metal Stack and Openshift running on VMWare.","category":"page"},{"location":"overview/comparison/#Gardener","page":"Comparison","title":"Gardener","text":"","category":"section"},{"location":"overview/comparison/","page":"Comparison","title":"Comparison","text":"Gardener is a Kubernetes cluster manager to organize a fleet of Kubernetes clusters at scale. It is designed to scale to thousands of clusters at a variety of IaaS Providers regardless where - in the cloud or on premise, virtualized or bare metal. It not only manages the creation and deletion of Kubernetes clusters, it also takes care of updating or upgrading Kubernetes and the operating system of the involved worker nodes in a automatic manner. Gardener is designed cloud-native and as such, it defines clusters, workers and all other components as Kubernetes resources (like pods and deployments) and reconciles these resources to the desired state.","category":"page"},{"location":"overview/comparison/#Kubernetes","page":"Comparison","title":"Kubernetes","text":"","category":"section"},{"location":"overview/comparison/","page":"Comparison","title":"Comparison","text":"Kubernetes is the de facto open-source standard for container scheduling and orchestration in the data center.","category":"page"},{"location":"overview/comparison/#Openshift","page":"Comparison","title":"Openshift","text":"","category":"section"},{"location":"overview/comparison/","page":"Comparison","title":"Comparison","text":"A fork of Kubernetes with proprietary addons, created by RedHat. For all details see: https://en.wikipedia.org/wiki/OpenShift.","category":"page"},{"location":"overview/comparison/#metal-stack","page":"Comparison","title":"metal-stack","text":"","category":"section"},{"location":"overview/comparison/","page":"Comparison","title":"Comparison","text":"Is an IaaS provider for bare metal focused to create Kubernetes cluster on premise. Gardener support is built in.","category":"page"},{"location":"overview/comparison/#VMWare","page":"Comparison","title":"VMWare","text":"","category":"section"},{"location":"overview/comparison/","page":"Comparison","title":"Comparison","text":"The most used virtualization technology in the enterprise data centers.","category":"page"},{"location":"overview/comparison/#Comparison-of-Gardener-on-Metal-Stack-vs.-Openshift-on-VMWare","page":"Comparison","title":"Comparison of Gardener on Metal Stack vs. Openshift on VMWare","text":"","category":"section"},{"location":"overview/comparison/","page":"Comparison","title":"Comparison","text":"Feature Gardener on Metal Stack Openshift on VMWare\nContainer Runtime docker, containerd, gvisor cri-o\nHost Operating System Ubuntu, Debian , also see OS RHEL, Fedora-Core\nNetwork Plugins Calico, Cilium(soon) Openshift SDN\nStorage Local NVME, Lightbits NVMEoTCP, all CSI compatible Solutions, also see Storage CSI compatible\nLoadbalancing BGP built in requires extra HW like F5, VMWare NSX\nIO at Native Speed Pods run on bare metal all IO must go through the Hypervisor\nHard Multitenancy Workers, firewall and load balancers are dedicated for every cluster on bare metal Shared virtualization hosts, shared load balancers\nUI Gardener Dashboard Openshift Console\nMulti-cluster management Yes (through Gardener) Requires extra licences SW: Redhat Advanced Cluster Manager\nAutomatic Kubernetes Updates Yes Yes\nAutomatic Worker Nodes Updates Yes Yes\nSupported IaaS Providers GCP, AWS, Azure, Alibaba, Openstack, VMWare, metal-stack and more GCP, AWS, Azure Openstack, VMWare\nMonitoring / Logging Stack Grafana/Loki, Kibana/Elastic Kibana/Elastic\nGitOPS Tool of choice via Helm Install Openshift GitOPS\nContainer Registry all public accessible registries, private deployed registry of choice all public accessible registries, in cluster registry\nCI/CD Tool of choice via Helm Install Jenkins\nSecurity K8s control plane isolated from tenant, PSP enabled by default Strong cluster defaults\nCNCF Kubernetes certified Yes (Gardener) Yes\nLocal development minikube, kind minishift\nProprietary extensions No DeploymentConfig and others\nkubectl access Yes Yes","category":"page"},{"location":"external/metalctl/docs/metalctl_project_apply/#metalctl-project-apply","page":"metalctl project apply","title":"metalctl project apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_apply/","page":"metalctl project apply","title":"metalctl project apply","text":"applies one or more projects from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_project_apply/","page":"metalctl project apply","title":"metalctl project apply","text":"metalctl project apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_project_apply/#Options","page":"metalctl project apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_apply/","page":"metalctl project apply","title":"metalctl project apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl project describe project-1 -o yaml > project.yaml\n $ vi project.yaml\n $ # either via stdin\n $ cat project.yaml | metalctl project apply -f -\n $ # or via file\n $ metalctl project apply -f project.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_project_apply/#Options-inherited-from-parent-commands","page":"metalctl project apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_apply/","page":"metalctl project apply","title":"metalctl project apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_project_apply/#SEE-ALSO","page":"metalctl project apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_apply/","page":"metalctl project apply","title":"metalctl project apply","text":"metalctl project\t - manage project entities","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/#metalctl-firewall-ssh","page":"metalctl firewall ssh","title":"metalctl firewall ssh","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/","page":"metalctl firewall ssh","title":"metalctl firewall ssh","text":"SSH to a firewall","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/#Synopsis","page":"metalctl firewall ssh","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/","page":"metalctl firewall ssh","title":"metalctl firewall ssh","text":"SSH to a firewall via VPN.","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/","page":"metalctl firewall ssh","title":"metalctl firewall ssh","text":"metalctl firewall ssh [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/#Options","page":"metalctl firewall ssh","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/","page":"metalctl firewall ssh","title":"metalctl firewall ssh","text":" -h, --help help for ssh\n -i, --identity string specify identity file to SSH to the firewall like: -i path/to/id_rsa (default \"~/.ssh/id_rsa\")","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/#Options-inherited-from-parent-commands","page":"metalctl firewall ssh","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/","page":"metalctl firewall ssh","title":"metalctl firewall ssh","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/#SEE-ALSO","page":"metalctl firewall ssh","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_ssh/","page":"metalctl firewall ssh","title":"metalctl firewall ssh","text":"metalctl firewall\t - manage firewall entities","category":"page"},{"location":"external/metalctl/docs/metalctl_image_edit/#metalctl-image-edit","page":"metalctl image edit","title":"metalctl image edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_edit/","page":"metalctl image edit","title":"metalctl image edit","text":"edit the image through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_image_edit/","page":"metalctl image edit","title":"metalctl image edit","text":"metalctl image edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_image_edit/#Options","page":"metalctl image edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_edit/","page":"metalctl image edit","title":"metalctl image edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_image_edit/#Options-inherited-from-parent-commands","page":"metalctl image edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_edit/","page":"metalctl image edit","title":"metalctl image edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_image_edit/#SEE-ALSO","page":"metalctl image edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_edit/","page":"metalctl image edit","title":"metalctl image edit","text":"metalctl image\t - manage image entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/#metalctl-machine-power-disk","page":"metalctl machine power disk","title":"metalctl machine power disk","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/","page":"metalctl machine power disk","title":"metalctl machine power disk","text":"boot a machine from disk","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/#Synopsis","page":"metalctl machine power disk","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/","page":"metalctl machine power disk","title":"metalctl machine power disk","text":"the machine will boot from disk. (machine does not reboot automatically)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/","page":"metalctl machine power disk","title":"metalctl machine power disk","text":"metalctl machine power disk [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/#Options","page":"metalctl machine power disk","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/","page":"metalctl machine power disk","title":"metalctl machine power disk","text":" -h, --help help for disk","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/#Options-inherited-from-parent-commands","page":"metalctl machine power disk","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/","page":"metalctl machine power disk","title":"metalctl machine power disk","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/#SEE-ALSO","page":"metalctl machine power disk","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_disk/","page":"metalctl machine power disk","title":"metalctl machine power disk","text":"metalctl machine power\t - manage machine power","category":"page"},{"location":"external/metalctl/docs/metalctl_image_describe/#metalctl-image-describe","page":"metalctl image describe","title":"metalctl image describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_describe/","page":"metalctl image describe","title":"metalctl image describe","text":"describes the image","category":"page"},{"location":"external/metalctl/docs/metalctl_image_describe/","page":"metalctl image describe","title":"metalctl image describe","text":"metalctl image describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_image_describe/#Options","page":"metalctl image describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_describe/","page":"metalctl image describe","title":"metalctl image describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_image_describe/#Options-inherited-from-parent-commands","page":"metalctl image describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_describe/","page":"metalctl image describe","title":"metalctl image describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_image_describe/#SEE-ALSO","page":"metalctl image describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_describe/","page":"metalctl image describe","title":"metalctl image describe","text":"metalctl image\t - manage image entities","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_list/#metalctl-partition-list","page":"metalctl partition list","title":"metalctl partition list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_list/","page":"metalctl partition list","title":"metalctl partition list","text":"list all partitions","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_list/","page":"metalctl partition list","title":"metalctl partition list","text":"metalctl partition list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_list/#Options","page":"metalctl partition list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_list/","page":"metalctl partition list","title":"metalctl partition list","text":" -h, --help help for list\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: description|id|name","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_list/#Options-inherited-from-parent-commands","page":"metalctl partition list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_list/","page":"metalctl partition list","title":"metalctl partition list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_list/#SEE-ALSO","page":"metalctl partition list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_list/","page":"metalctl partition list","title":"metalctl partition list","text":"metalctl partition\t - manage partition entities","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_describe/#metalctl-filesystemlayout-describe","page":"metalctl filesystemlayout describe","title":"metalctl filesystemlayout describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_describe/","page":"metalctl filesystemlayout describe","title":"metalctl filesystemlayout describe","text":"describes the filesystemlayout","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_describe/","page":"metalctl filesystemlayout describe","title":"metalctl filesystemlayout describe","text":"metalctl filesystemlayout describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_describe/#Options","page":"metalctl filesystemlayout describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_describe/","page":"metalctl filesystemlayout describe","title":"metalctl filesystemlayout describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_describe/#Options-inherited-from-parent-commands","page":"metalctl filesystemlayout describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_describe/","page":"metalctl filesystemlayout describe","title":"metalctl filesystemlayout describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_describe/#SEE-ALSO","page":"metalctl filesystemlayout describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_describe/","page":"metalctl filesystemlayout describe","title":"metalctl filesystemlayout describe","text":"metalctl filesystemlayout\t - manage filesystemlayout entities","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_apply/#metalctl-partition-apply","page":"metalctl partition apply","title":"metalctl partition apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_apply/","page":"metalctl partition apply","title":"metalctl partition apply","text":"applies one or more partitions from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_apply/","page":"metalctl partition apply","title":"metalctl partition apply","text":"metalctl partition apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_apply/#Options","page":"metalctl partition apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_apply/","page":"metalctl partition apply","title":"metalctl partition apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl partition describe partition-1 -o yaml > partition.yaml\n $ vi partition.yaml\n $ # either via stdin\n $ cat partition.yaml | metalctl partition apply -f -\n $ # or via file\n $ metalctl partition apply -f partition.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_apply/#Options-inherited-from-parent-commands","page":"metalctl partition apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_apply/","page":"metalctl partition apply","title":"metalctl partition apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_apply/#SEE-ALSO","page":"metalctl partition apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_apply/","page":"metalctl partition apply","title":"metalctl partition apply","text":"metalctl partition\t - manage partition entities","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_list/#metalctl-firewall-list","page":"metalctl firewall list","title":"metalctl firewall list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_list/","page":"metalctl firewall list","title":"metalctl firewall list","text":"list all firewalls","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_list/","page":"metalctl firewall list","title":"metalctl firewall list","text":"metalctl firewall list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_list/#Options","page":"metalctl firewall list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_list/","page":"metalctl firewall list","title":"metalctl firewall list","text":" -h, --help help for list\n --hostname string allocation hostname to filter [optional]\n --id string ID to filter [optional]\n --image string allocation image to filter [optional]\n --mac string mac to filter [optional]\n --name string allocation name to filter [optional]\n --partition string partition to filter [optional]\n --project string allocation project to filter [optional]\n --size string size to filter [optional]\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: age|event|id|image|liveliness|partition|project|size|when\n --tags strings tags to filter, use it like: --tags \"tag1,tag2\" or --tags \"tag3\".","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_list/#Options-inherited-from-parent-commands","page":"metalctl firewall list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_list/","page":"metalctl firewall list","title":"metalctl firewall list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firewall_list/#SEE-ALSO","page":"metalctl firewall list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firewall_list/","page":"metalctl firewall list","title":"metalctl firewall list","text":"metalctl firewall\t - manage firewall entities","category":"page"},{"location":"external/metalctl/docs/metalctl_project_list/#metalctl-project-list","page":"metalctl project list","title":"metalctl project list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_list/","page":"metalctl project list","title":"metalctl project list","text":"list all projects","category":"page"},{"location":"external/metalctl/docs/metalctl_project_list/","page":"metalctl project list","title":"metalctl project list","text":"metalctl project list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_project_list/#Options","page":"metalctl project list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_list/","page":"metalctl project list","title":"metalctl project list","text":" -h, --help help for list\n --id string ID of the project.\n --name string Name of the project.\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: description|id|name|tenant\n --tenant string tenant of this project.","category":"page"},{"location":"external/metalctl/docs/metalctl_project_list/#Options-inherited-from-parent-commands","page":"metalctl project list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_list/","page":"metalctl project list","title":"metalctl project list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_project_list/#SEE-ALSO","page":"metalctl project list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_list/","page":"metalctl project list","title":"metalctl project list","text":"metalctl project\t - manage project entities","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_console/#metalctl-switch-console","page":"metalctl switch console","title":"metalctl switch console","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_console/","page":"metalctl switch console","title":"metalctl switch console","text":"connect to the switch console","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_console/#Synopsis","page":"metalctl switch console","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_console/","page":"metalctl switch console","title":"metalctl switch console","text":"this requires a network connectivity to the ip address of the console server this switch is connected to.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_console/","page":"metalctl switch console","title":"metalctl switch console","text":"metalctl switch console [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_console/#Options","page":"metalctl switch console","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_console/","page":"metalctl switch console","title":"metalctl switch console","text":" -h, --help help for console","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_console/#Options-inherited-from-parent-commands","page":"metalctl switch console","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_console/","page":"metalctl switch console","title":"metalctl switch console","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_console/#SEE-ALSO","page":"metalctl switch console","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_console/","page":"metalctl switch console","title":"metalctl switch console","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_list/#metalctl-size-imageconstraint-list","page":"metalctl size imageconstraint list","title":"metalctl size imageconstraint list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_list/","page":"metalctl size imageconstraint list","title":"metalctl size imageconstraint list","text":"list all imageconstraints","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_list/","page":"metalctl size imageconstraint list","title":"metalctl size imageconstraint list","text":"metalctl size imageconstraint list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_list/#Options","page":"metalctl size imageconstraint list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_list/","page":"metalctl size imageconstraint list","title":"metalctl size imageconstraint list","text":" -h, --help help for list\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: description|id|name","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_list/#Options-inherited-from-parent-commands","page":"metalctl size imageconstraint list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_list/","page":"metalctl size imageconstraint list","title":"metalctl size imageconstraint list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_list/#SEE-ALSO","page":"metalctl size imageconstraint list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_list/","page":"metalctl size imageconstraint list","title":"metalctl size imageconstraint list","text":"metalctl size imageconstraint\t - manage imageconstraint entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/#metalctl-machine-power-pxe","page":"metalctl machine power pxe","title":"metalctl machine power pxe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/","page":"metalctl machine power pxe","title":"metalctl machine power pxe","text":"boot a machine from PXE","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/#Synopsis","page":"metalctl machine power pxe","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/","page":"metalctl machine power pxe","title":"metalctl machine power pxe","text":"the machine will boot from PXE. (machine does not reboot automatically)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/","page":"metalctl machine power pxe","title":"metalctl machine power pxe","text":"metalctl machine power pxe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/#Options","page":"metalctl machine power pxe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/","page":"metalctl machine power pxe","title":"metalctl machine power pxe","text":" -h, --help help for pxe","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/#Options-inherited-from-parent-commands","page":"metalctl machine power pxe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/","page":"metalctl machine power pxe","title":"metalctl machine power pxe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/#SEE-ALSO","page":"metalctl machine power pxe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power_pxe/","page":"metalctl machine power pxe","title":"metalctl machine power pxe","text":"metalctl machine power\t - manage machine power","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_create/#metalctl-size-reservation-create","page":"metalctl size reservation create","title":"metalctl size reservation create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_create/","page":"metalctl size reservation create","title":"metalctl size reservation create","text":"creates the reservation","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_create/","page":"metalctl size reservation create","title":"metalctl size reservation create","text":"metalctl size reservation create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_create/#Options","page":"metalctl size reservation create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_create/","page":"metalctl size reservation create","title":"metalctl size reservation create","text":" --amount int32 the amount to associate with this reservation\n --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n --description string the description to associate with this reservation\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl reservation describe reservation-1 -o yaml > reservation.yaml\n $ vi reservation.yaml\n $ # either via stdin\n $ cat reservation.yaml | metalctl reservation create -f -\n $ # or via file\n $ metalctl reservation create -f reservation.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for create\n --id string the id to associate with this reservation\n --labels strings the labels to associate with this reservation\n --partitions strings the partition ids to associate with this reservation\n --project string the project id to associate with this reservation\n --size string the size id to associate with this reservation\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_create/#Options-inherited-from-parent-commands","page":"metalctl size reservation create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_create/","page":"metalctl size reservation create","title":"metalctl size reservation create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_create/#SEE-ALSO","page":"metalctl size reservation create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_create/","page":"metalctl size reservation create","title":"metalctl size reservation create","text":"metalctl size reservation\t - manage reservation entities","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_describe/#metalctl-partition-describe","page":"metalctl partition describe","title":"metalctl partition describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_describe/","page":"metalctl partition describe","title":"metalctl partition describe","text":"describes the partition","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_describe/","page":"metalctl partition describe","title":"metalctl partition describe","text":"metalctl partition describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_describe/#Options","page":"metalctl partition describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_describe/","page":"metalctl partition describe","title":"metalctl partition describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_describe/#Options-inherited-from-parent-commands","page":"metalctl partition describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_describe/","page":"metalctl partition describe","title":"metalctl partition describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_describe/#SEE-ALSO","page":"metalctl partition describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_describe/","page":"metalctl partition describe","title":"metalctl partition describe","text":"metalctl partition\t - manage partition entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_edit/#metalctl-machine-edit","page":"metalctl machine edit","title":"metalctl machine edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_edit/","page":"metalctl machine edit","title":"metalctl machine edit","text":"edit the machine through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_edit/","page":"metalctl machine edit","title":"metalctl machine edit","text":"metalctl machine edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_edit/#Options","page":"metalctl machine edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_edit/","page":"metalctl machine edit","title":"metalctl machine edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_edit/#Options-inherited-from-parent-commands","page":"metalctl machine edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_edit/","page":"metalctl machine edit","title":"metalctl machine edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_edit/#SEE-ALSO","page":"metalctl machine edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_edit/","page":"metalctl machine edit","title":"metalctl machine edit","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network_allocate/#metalctl-network-allocate","page":"metalctl network allocate","title":"metalctl network allocate","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_allocate/","page":"metalctl network allocate","title":"metalctl network allocate","text":"allocate a network","category":"page"},{"location":"external/metalctl/docs/metalctl_network_allocate/","page":"metalctl network allocate","title":"metalctl network allocate","text":"metalctl network allocate [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_allocate/#Options","page":"metalctl network allocate","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_allocate/","page":"metalctl network allocate","title":"metalctl network allocate","text":" -d, --description string description of the network to create. [optional]\n --dmz use this private network as dmz. [optional]\n -h, --help help for allocate\n --labels strings labels for this network. [optional]\n -n, --name string name of the network to create. [required]\n --partition string partition where this network should exist. [required]\n --project string partition where this network should exist. [required]\n --shared shared allows usage of this private network from other networks","category":"page"},{"location":"external/metalctl/docs/metalctl_network_allocate/#Options-inherited-from-parent-commands","page":"metalctl network allocate","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_allocate/","page":"metalctl network allocate","title":"metalctl network allocate","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_allocate/#SEE-ALSO","page":"metalctl network allocate","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_allocate/","page":"metalctl network allocate","title":"metalctl network allocate","text":"metalctl network\t - manage network entities","category":"page"},{"location":"development/proposals/MEP8/README/#Configurable-Filesystem-layout-for-Machine-Allocation","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"","category":"section"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"The current implementation uses a hard coded filesystem layout depending on the specified size and image. This is done in the metal-hammer. This worked well in the past because we had a small amount of sizes and images. But we reached a point where this is to restricted for all use cases we have to fulfill. It also forces us to modify the metal-hammer source code to support a new filesystem layout.","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"This proposal tries to address this issue by introducing a filesystem layout struct in the metal-api which is then configurable per machine allocation. The original behavior of automatic filesystem layout decision must still be present, because there must be no API change for existing API consumers. It should be a additional feature during machine allocation.","category":"page"},{"location":"development/proposals/MEP8/README/#API-and-behavior","page":"Configurable Filesystem layout for Machine Allocation","title":"API and behavior","text":"","category":"section"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"The API will get a new endpoint filesystemlayoutsto create/update/delete a set of available filesystemlayouts.","category":"page"},{"location":"development/proposals/MEP8/README/#Constraints","page":"Configurable Filesystem layout for Machine Allocation","title":"Constraints","text":"","category":"section"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"In order to keep the actual machine allocation api compatible, there must be no difference while allocating a machine. To achieve this every filesystemlayout defines constraints which specifies for which combination of sizes and images this layout should be used by default. The specified constraints over all filesystemlayouts therefore must be collision free, to be more specific, there must be exactly one layout outcome for every possible combination of sizes and images.","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"The size constraint must be a list of the exact size ids, the image constraint must be a map of os to semver compatible version constraint. For example:","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"debian: \">= 10.20210101\" or debian: \"< 10.20210101\"","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"The general form of a image constraint is a map from os to versionconstraint where:","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"os must match the first part of the image without the version. versionconstraint must be the comparator, a space and the version, or simply * to match all versions of this os. The comparator must be one of: \"=\", \"!=\", \">\", \"<\", \">=\", \"=>\", \"<=\", \"=<\", \"~\", \"~>\", \"^\"","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"It must also be possible to have a filesystemlayout in development or for other special purposes, which can be specified during the machine allocation. To have such a layout, both constraints sizes and imagesmust be empty list.","category":"page"},{"location":"development/proposals/MEP8/README/#Reinstall","page":"Configurable Filesystem layout for Machine Allocation","title":"Reinstall","text":"","category":"section"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"The current reinstall implementation the metal-hammer detects during the installation on which disk the OS was installed and reports back to the metal-api the Report struct which has two properties primarydisk and ospartition. Both fields are not required anymore because the logic is now shifted to the filesystemlayout definition. If Disk.WipeOnReinstall is set to true, this disk will be wiped, default is false and is preserved.","category":"page"},{"location":"development/proposals/MEP8/README/#Handling-of-s2-xlarge-machines","page":"Configurable Filesystem layout for Machine Allocation","title":"Handling of s2-xlarge machines","text":"","category":"section"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"These machines are a bit special compared to our c1-* machines because they have rotating hard disks for the mass storage purpose. The downside is that the on board SATA-DOM has the same naming as the HDDs and can not be specified as the first /dev/sda disk because all HDDs are also /dev/sd* disks. Therefore we had a special SATA-DOM detection algorithm inside metal-hammer which simply checks for the smallest /dev/sd disk and took this to install the OS.","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"This is not possible with the current approach, but we figured out that the SATA-DOM is always /dev/sde. So we can create a special filesystemlayout where the installations is made on this disk.","category":"page"},{"location":"development/proposals/MEP8/README/#Possible-Filesystemlayout-hierarchies","page":"Configurable Filesystem layout for Machine Allocation","title":"Possible Filesystemlayout hierarchies","text":"","category":"section"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"It is only possible to create a filesystem on top of a block device. The creation of a block device can be done on multiple ways, depending on the requirements regarding performance, space and redundancy of the filesystem. It also depends on the disks available on the server.","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"The current approach implements the following hierarchies:","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"(Image: filesystems)","category":"page"},{"location":"development/proposals/MEP8/README/#Implementation","page":"Configurable Filesystem layout for Machine Allocation","title":"Implementation","text":"","category":"section"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"// FilesystemLayout to be created on the given machine\ntype FilesystemLayout struct {\n // ID unique layout identifier\n ID string\n // Description is human readable\n Description string\n // Filesystems to create on the server\n Filesystems []Filesystem\n // Disks to configure in the server with their partitions\n Disks []Disk\n // Raid if not empty, create raid arrays out of the individual disks, to place filesystems onto\n Raid []Raid\n // VolumeGroups to create\n VolumeGroups []VolumeGroup\n // LogicalVolumes to create on top of VolumeGroups\n LogicalVolumes []LogicalVolume\n // Constraints which must match to select this Layout\n Constraints FilesystemLayoutConstraints\n}\n\ntype FilesystemLayoutConstraints struct {\n // Sizes defines the list of sizes this layout applies to\n Sizes []string\n // Images defines a map from os to versionconstraint\n // the combination of os and versionconstraint per size must be conflict free over all filesystemlayouts\n Images map[string]string\n}\n\ntype RaidLevel string\ntype Format string\ntype GPTType string\n\n// Filesystem defines a single filesystem to be mounted\ntype Filesystem struct {\n // Path defines the mountpoint, if nil, it will not be mounted\n Path *string\n // Device where the filesystem is created on, must be the full device path seen by the OS\n Device string\n // Format is the type of filesystem should be created\n Format Format\n // Label is optional enhances readability\n Label *string\n // MountOptions which might be required\n MountOptions []string\n // CreateOptions during filesystem creation\n CreateOptions []string\n}\n\n// Disk represents a single block device visible from the OS, required\ntype Disk struct {\n // Device is the full device path\n Device string\n // Partitions to create on this device\n Partitions []Partition\n // WipeOnReinstall, if set to true the whole disk will be erased if reinstall happens\n // during fresh install all disks are wiped\n WipeOnReinstall bool\n}\n\n// Raid is optional, if given the devices must match.\n// TODO inherit GPTType from underlay device ?\ntype Raid struct {\n // ArrayName of the raid device, most often this will be /dev/md0 and so forth\n ArrayName string\n // Devices the devices to form a raid device\n Devices []Device\n // Level the raidlevel to use, can be one of 0,1,5,10 \n // TODO what should be support\n Level RaidLevel\n // CreateOptions required during raid creation, example: --metadata=1.0 for uefi boot partition\n CreateOptions []string\n // Spares defaults to 0\n Spares int\n}\n\n\n// VolumeGroup is optional, if given the devices must match.\ntype VolumeGroup struct {\n // Name of the volumegroup without the /dev prefix\n Name string\n // Devices the devices to form a volumegroup device\n Devices []string\n // Tags to attach to the volumegroup\n Tags []string\n}\n\n// LogicalVolume is a block devices created with lvm on top of a volumegroup\ntype LogicalVolume struct {\n // Name the name of the logical volume, without /dev prefix, will be accessible at /dev/vgname/lvname\n Name string\n // VolumeGroup the name of the volumegroup\n VolumeGroup string\n // Size of this LV in mebibytes (MiB)\n Size uint64\n // LVMType can be either striped or raid1\n LVMType LVMType\n}\n\n// Partition is a single partition on a device, only GPT partition types are supported\ntype Partition struct {\n // Number of this partition, will be added to the device once partitioned\n Number int\n // Label to enhance readability\n Label *string\n // Size given in MebiBytes (MiB)\n // if \"0\" is given the rest of the device will be used, this requires Number to be the highest in this partition\n Size string\n // GPTType defines the GPT partition type\n GPTType *GPTType\n}\n\nconst (\n // VFAT is used for the UEFI boot partition\n VFAT = Format(\"vfat\")\n // EXT3 is usually only used for /boot\n EXT3 = Format(\"ext3\")\n // EXT4 is the default fs\n EXT4 = Format(\"ext4\")\n // SWAP is for the swap partition\n SWAP = Format(\"swap\")\n // None\n NONE = Format(\"none\")\n\n // GPTBoot EFI Boot Partition\n GPTBoot = GPTType(\"ef00\")\n // GPTLinux Linux Partition\n GPTLinux = GPTType(\"8300\")\n // GPTLinuxRaid Linux Raid Partition\n GPTLinuxRaid = GPTType(\"fd00\")\n // GPTLinux Linux Partition\n GPTLinuxLVM = GPTType(\"8e00\")\n\n // LVMTypeLinear append across all physical volumes\n LVMTypeLinear = LVMType(\"linear\")\n // LVMTypeStriped stripe across all physical volumes\n LVMTypeStriped = LVMType(\"striped\")\n // LVMTypeStripe mirror with raid across all physical volumes\n LVMTypeRaid1 = LVMType(\"raid1\")\n)","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"Example metalctl outputs:","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"$ metalctl filesystemlayouts ls\nID DESCRIPTION SIZES IMAGES\ndefault default fs layout c1-large-x86, c1-xlarge-x86 debian >=10, ubuntu >=20.04, centos >=7\nceph fs layout for ceph s2-large-x86, s2-xlarge-x86 debian >=10, ubuntu >=20.04\nfirewall firewall fs layout c1-large-x86, c1-xlarge-x86 firewall >=2\nstorage storage fs layout s3-large-x86 centos >=7\ns3 storage fs layout s2-xlarge-x86 debian >=10, ubuntu >=20.04, >=firewall-2\ndefault-devel devel fs layout ","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"The default layout reflects what is actually implemented in metal-hammer to guarantee backward compatibility.","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"---\nid: default\nconstraints:\n sizes:\n - c1-large-x86\n - c1-xlarge-x86\n images:\n debian: \">=10\"\n ubuntu: \">=20.04\"\n centos: \">=7\"\nfilesystems:\n - path: \"/boot/efi\"\n device: \"/dev/sda1\"\n format: \"vfat\"\n options: \"-F 32\"\n label: \"efi\" # required to be compatible with old images\n - path: \"/\"\n device: \"/dev/sda2\"\n format: \"ext4\"\n label: \"root\" # required to be compatible with old images\n - path: \"/var/lib\"\n device: \"/dev/sda3\"\n format: \"ext4\"\n label: \"varlib\" # required to be compatible with old images\n - path: \"/tmp\"\n device: \"tmpfs\"\n format: \"tmpfs\"\n mountoptions: [\"defaults\",\"noatime\",\"nosuid\",\"nodev\",\"noexec\",\"mode=1777\",\"size=512M\"]\ndisks:\n - device: \"/dev/sda\"\n wipe: true\n partitions:\n - number: 1\n label: \"efi\"\n size: 500\n type: GPTBoot\n - number: 2\n label: \"root\"\n size: 5000\n type: GPTLinux\n - number: 3\n label: \"varlib\"\n size: 0 # to end of partition\n type: GPTLinux","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"The firewall layout reuses the built in nvme disk to store the logs, which is way faster and larger than what the sata-dom ssd provides.","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"---\nid: firewall\nconstraints:\n sizes:\n - c1-large-x86\n - c1-xlarge-x86\n images:\n firewall: \">=2\"\nfilesystems:\n - path: \"/boot/efi\"\n device: \"/dev/sda1\"\n format: \"vfat\"\n options: \"-F 32\"\n - path: \"/\"\n device: \"/dev/sda2\"\n format: \"ext4\"\n - path: \"/var\"\n device: \"/dev/nvme0n1p1\"\n format: \"ext4\"\ndisks:\n - device: \"/dev/sda\"\n wipe: true\n partitions:\n - number: 1\n label: \"efi\"\n size: 500\n type: GPTBoot\n - number: 2\n label: \"root\"\n size: 5000\n type: GPTLinux\n - device: \"/dev/nvme0n1\"\n wipe: true\n partitions:\n - number: 1\n label: \"var\"\n size: 0\n type: GPTLinux","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"The storage layout will be used for the storage servers, which must have mirrored boot disks.","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"---\nid: storage\nconstraints:\n sizes:\n - s3-large-x86\n images:\n centos: \">=7\"\nfilesystems:\n - path: \"/boot/efi\"\n device: \"/dev/md1\"\n format: \"vfat\"\n options: \"-F32\"\n - path: \"/\"\n device: \"/dev/md2\"\n format: \"ext4\"\ndisks:\n - device: \"/dev/sda\"\n wipe: true\n partitions:\n - number: 1\n label: \"efi\"\n size: 500\n type: GPTLinuxRaid\n - number: 2\n label: \"root\"\n size: 5000\n type: GPTLinuxRaid\n - device: \"/dev/sdb\"\n wipe: true\n partitions:\n - number: 1\n label: \"efi\"\n size: 500\n type: GPTLinuxRaid\n - number: 2\n label: \"root\"\n size: 5000\n type: GPTLinuxRaid\nraid:\n - name: \"/dev/md1\"\n level: 1\n devices:\n - \"/dev/sda1\"\n - \"/dev/sdb1\"\n options: \"--metadata=1.0\"\n - name: \"/dev/md2\"\n level: 1\n devices:\n - \"/dev/sda2\"\n - \"/dev/sdb2\"\n options: \"--metadata=1.0\"","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"The s3-storage layout matches the special situation on the s2-xlarge machines.","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"---\nid: s3-storage\nconstraints:\n sizes:\n - c1-large-x86\n - s2-xlarge-x86\n images:\n debian: \">=10\"\n ubuntu: \">=20.04\"\n centos: \">=7\"\nfilesystems:\n - path: \"/boot/efi\"\n device: \"/dev/sde1\"\n format: \"vfat\"\n options: \"-F 32\"\n - path: \"/\"\n device: \"/dev/sde2\"\n format: \"ext4\"\n - path: \"/var/lib\"\n device: \"/dev/sde3\"\n format: \"ext4\"\ndisks:\n - device: \"/dev/sde\"\n wipe: true\n partitions:\n - number: 1\n label: \"efi\"\n size: 500\n type: GPTBoot\n - number: 2\n label: \"root\"\n size: 5000\n type: GPTLinux\n - number: 3\n label: \"varlib\"\n size: 0 # to end of partition\n type: GPTLinux","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"A sample lvm layout which puts /var/lib as stripe on the nvme device","category":"page"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"---\nid: lvm\ndescription: \"lvm layout\"\nconstraints:\n size:\n - s2-xlarge-x86\n images:\n debian: \">=10\"\n ubuntu: \">=20.04\"\n centos: \">=7\"\nfilesystems:\n - path: \"/boot/efi\"\n device: \"/dev/sda1\"\n format: \"vfat\"\n createoptions: \n - \"-F 32\"\n label: \"efi\"\n - path: \"/\"\n device: \"/dev/sda2\"\n format: \"ext4\"\n label: \"root\"\n - path: \"/var/lib\"\n device: \"/dev/vg00/varlib\"\n format: \"ext4\"\n label: \"varlib\"\n - path: \"/tmp\"\n device: \"tmpfs\"\n format: \"tmpfs\"\n mountoptions: [\"defaults\",\"noatime\",\"nosuid\",\"nodev\",\"noexec\",\"mode=1777\",\"size=512M\"]\nvolumegroups:\n - name: \"vg00\"\n devices:\n - \"/dev/nvmne0n1\"\n - \"/dev/nvmne0n2\"\nlogicalvolumes:\n - name: \"varlib\"\n volumegroup: \"vg00\"\n size: 200\n lvmtype: \"striped\"\ndisks:\n - device: \"/dev/sda\"\n wipeonreinstall: true\n partitions:\n - number: 1\n label: \"efi\"\n size: 500\n gpttype: \"ef00\"\n - number: 2\n label: \"root\"\n size: 5000\n gpttype: \"8300\"\n - device: \"/dev/nvmne0n1\"\n wipeonreinstall: false\n - device: \"/dev/nvmne0n2\"\n wipeonreinstall: false","category":"page"},{"location":"development/proposals/MEP8/README/#Components-which-requires-modifications","page":"Configurable Filesystem layout for Machine Allocation","title":"Components which requires modifications","text":"","category":"section"},{"location":"development/proposals/MEP8/README/","page":"Configurable Filesystem layout for Machine Allocation","title":"Configurable Filesystem layout for Machine Allocation","text":"metal-hammer:\nchange implementation from build in hard coded logic\nmove logic to create fstab from install.sh to metal-hammer\nmetal-api:\nnew endpoint filesystemlayouts\nadd optional spec of filesystemlayout during allocation with validation if given filesystemlayout is possible on given size.\nadd allocation.filesystemlayout in the response, based on either the specified filesystemlayout or the calculated one.\nimplement filesystemlayouts validation for:\nmatching to disks in the size\nno overlapping with the sizes/imagefilter specified in filesystemlayouts\nall devices specified exists from top to bottom (fs -> disks -> device || fs -> raid -> devices)\nmetalctl:\nimplement filesystemlayouts\nmetal-go:\nadopt api changes\nmetal-images:\ninstall mdadm for raid support","category":"page"},{"location":"external/metalctl/docs/metalctl_network_update/#metalctl-network-update","page":"metalctl network update","title":"metalctl network update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_update/","page":"metalctl network update","title":"metalctl network update","text":"updates the network","category":"page"},{"location":"external/metalctl/docs/metalctl_network_update/","page":"metalctl network update","title":"metalctl network update","text":"metalctl network update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_update/#Options","page":"metalctl network update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_update/","page":"metalctl network update","title":"metalctl network update","text":" --add-destinationprefixes strings destination prefixes to be added to the network [optional]\n --add-prefixes strings prefixes to be added to the network [optional]\n --additional-announcable-cidrs strings list of cidrs which are added to the route maps per tenant private network, these are typically pod- and service cidrs, can only be set in a supernetwork\n --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n --description string the description of the network [optional]\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl network describe network-1 -o yaml > network.yaml\n $ vi network.yaml\n $ # either via stdin\n $ cat network.yaml | metalctl network update -f -\n $ # or via file\n $ metalctl network update -f network.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --labels strings the labels of the network, must be in the form of key=value, use it like: --labels \"key1=value1,key2=value2\". [optional]\n --name string the name of the network [optional]\n --remove-destinationprefixes strings destination prefixes to be removed from the network [optional]\n --remove-prefixes strings prefixes to be removed from the network [optional]\n --shared marks a network as shared or not [optional]\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_network_update/#Options-inherited-from-parent-commands","page":"metalctl network update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_update/","page":"metalctl network update","title":"metalctl network update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_update/#SEE-ALSO","page":"metalctl network update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_update/","page":"metalctl network update","title":"metalctl network update","text":"metalctl network\t - manage network entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_edit/#metalctl-size-edit","page":"metalctl size edit","title":"metalctl size edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_edit/","page":"metalctl size edit","title":"metalctl size edit","text":"edit the size through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_size_edit/","page":"metalctl size edit","title":"metalctl size edit","text":"metalctl size edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_edit/#Options","page":"metalctl size edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_edit/","page":"metalctl size edit","title":"metalctl size edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_size_edit/#Options-inherited-from-parent-commands","page":"metalctl size edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_edit/","page":"metalctl size edit","title":"metalctl size edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_edit/#SEE-ALSO","page":"metalctl size edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_edit/","page":"metalctl size edit","title":"metalctl size edit","text":"metalctl size\t - manage size entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_delete/#metalctl-size-imageconstraint-delete","page":"metalctl size imageconstraint delete","title":"metalctl size imageconstraint delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_delete/","page":"metalctl size imageconstraint delete","title":"metalctl size imageconstraint delete","text":"deletes the imageconstraint","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_delete/","page":"metalctl size imageconstraint delete","title":"metalctl size imageconstraint delete","text":"metalctl size imageconstraint delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_delete/#Options","page":"metalctl size imageconstraint delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_delete/","page":"metalctl size imageconstraint delete","title":"metalctl size imageconstraint delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl imageconstraint describe imageconstraint-1 -o yaml > imageconstraint.yaml\n $ vi imageconstraint.yaml\n $ # either via stdin\n $ cat imageconstraint.yaml | metalctl imageconstraint delete -f -\n $ # or via file\n $ metalctl imageconstraint delete -f imageconstraint.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_delete/#Options-inherited-from-parent-commands","page":"metalctl size imageconstraint delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_delete/","page":"metalctl size imageconstraint delete","title":"metalctl size imageconstraint delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_delete/#SEE-ALSO","page":"metalctl size imageconstraint delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_delete/","page":"metalctl size imageconstraint delete","title":"metalctl size imageconstraint delete","text":"metalctl size imageconstraint\t - manage imageconstraint entities","category":"page"},{"location":"development/proposals/MEP12/README/#Rack-Spreading","page":"Rack Spreading","title":"Rack Spreading","text":"","category":"section"},{"location":"development/proposals/MEP12/README/","page":"Rack Spreading","title":"Rack Spreading","text":"Currently, when creating a machine through the metal-api, the machine is placed randomly inside a partition. This algorithm does not consider spreading machines across different racks and different chassis. This may lead to the situation that a group of machines (that for example form a cluster) can end up being placed in the same rack and the same chassis.","category":"page"},{"location":"development/proposals/MEP12/README/","page":"Rack Spreading","title":"Rack Spreading","text":"Spreading a group of machines across racks can enhance availability for scenarios like a rack loosing power or a chassis meltdown.","category":"page"},{"location":"development/proposals/MEP12/README/","page":"Rack Spreading","title":"Rack Spreading","text":"So, instead of just randomly deciding the placement of a machine candidate, we want to propose a placement strategy that attempts to spread machine candidates across the racks inside a partition.","category":"page"},{"location":"development/proposals/MEP12/README/","page":"Rack Spreading","title":"Rack Spreading","text":"Furthermore a followup improvement to guarantee that machines are really spread across multiple racks, even if multiple machines are ordered in parallel, was implemented with PR490.","category":"page"},{"location":"development/proposals/MEP12/README/#Placement-Strategy","page":"Rack Spreading","title":"Placement Strategy","text":"","category":"section"},{"location":"development/proposals/MEP12/README/","page":"Rack Spreading","title":"Rack Spreading","text":"Machines in the project are spread across all available racks evenly within a partition (best effort). For this, an additional request to the datastore has to be made in order to find allocated machines within the project in the partition.","category":"page"},{"location":"development/proposals/MEP12/README/","page":"Rack Spreading","title":"Rack Spreading","text":"The algorithm will then figure out the least occupied racks and elect a machine candidate randomly from those racks.","category":"page"},{"location":"development/proposals/MEP12/README/","page":"Rack Spreading","title":"Rack Spreading","text":"The user can optionally pass placement tags which will be considered for spreading the machines as well (this will for example allow spreading by a cluster id tag inside the same project).","category":"page"},{"location":"development/proposals/MEP12/README/#API","page":"Rack Spreading","title":"API","text":"","category":"section"},{"location":"development/proposals/MEP12/README/","page":"Rack Spreading","title":"Rack Spreading","text":"// service/v1/machine.go\n\ntype MachineAllocation struct {\n // existing fields are omitted for readability\n PlacementTags []string `json:\"placement_tags\" description:\"by default machines are spread across the racks inside a partition for every project. if placement tags are provided, the machine candidate has an additional anti-affinity to other machines having the same tags\"`\n}","category":"page"},{"location":"external/mini-lab/CONTRIBUTING/#Contributing","page":"Contributing","title":"Contributing","text":"","category":"section"},{"location":"external/mini-lab/CONTRIBUTING/","page":"Contributing","title":"Contributing","text":"Please check out the contributing section in our docs.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion/#metalctl-completion","page":"metalctl completion","title":"metalctl completion","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion/","page":"metalctl completion","title":"metalctl completion","text":"Generate the autocompletion script for the specified shell","category":"page"},{"location":"external/metalctl/docs/metalctl_completion/#Synopsis","page":"metalctl completion","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion/","page":"metalctl completion","title":"metalctl completion","text":"Generate the autocompletion script for metalctl for the specified shell. See each sub-command's help for details on how to use the generated script.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion/#Options","page":"metalctl completion","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion/","page":"metalctl completion","title":"metalctl completion","text":" -h, --help help for completion","category":"page"},{"location":"external/metalctl/docs/metalctl_completion/#Options-inherited-from-parent-commands","page":"metalctl completion","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion/","page":"metalctl completion","title":"metalctl completion","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_completion/#SEE-ALSO","page":"metalctl completion","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion/","page":"metalctl completion","title":"metalctl completion","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl completion bash\t - Generate the autocompletion script for bash\nmetalctl completion fish\t - Generate the autocompletion script for fish\nmetalctl completion powershell\t - Generate the autocompletion script for powershell\nmetalctl completion zsh\t - Generate the autocompletion script for zsh","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_list/#metalctl-network-ip-list","page":"metalctl network ip list","title":"metalctl network ip list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_list/","page":"metalctl network ip list","title":"metalctl network ip list","text":"list all ips","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_list/","page":"metalctl network ip list","title":"metalctl network ip list","text":"metalctl network ip list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_list/#Options","page":"metalctl network ip list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_list/","page":"metalctl network ip list","title":"metalctl network ip list","text":" -h, --help help for list\n --ipaddress string ipaddress to filter [optional]\n --machineid string machineid to filter [optional]\n --name string name to filter [optional]\n --network string network to filter [optional]\n --prefix string prefix to filter [optional]\n --project string project to filter [optional]\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: age|description|id|ipaddress|name|network|type\n --tags strings tags to filter [optional]\n --type string type to filter [optional]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_list/#Options-inherited-from-parent-commands","page":"metalctl network ip list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_list/","page":"metalctl network ip list","title":"metalctl network ip list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_list/#SEE-ALSO","page":"metalctl network ip list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_list/","page":"metalctl network ip list","title":"metalctl network ip list","text":"metalctl network ip\t - manage ip entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_update/#metalctl-size-update","page":"metalctl size update","title":"metalctl size update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_update/","page":"metalctl size update","title":"metalctl size update","text":"updates the size","category":"page"},{"location":"external/metalctl/docs/metalctl_size_update/","page":"metalctl size update","title":"metalctl size update","text":"metalctl size update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_update/#Options","page":"metalctl size update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_update/","page":"metalctl size update","title":"metalctl size update","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl size describe size-1 -o yaml > size.yaml\n $ vi size.yaml\n $ # either via stdin\n $ cat size.yaml | metalctl size update -f -\n $ # or via file\n $ metalctl size update -f size.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_update/#Options-inherited-from-parent-commands","page":"metalctl size update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_update/","page":"metalctl size update","title":"metalctl size update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_update/#SEE-ALSO","page":"metalctl size update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_update/","page":"metalctl size update","title":"metalctl size update","text":"metalctl size\t - manage size entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network_create/#metalctl-network-create","page":"metalctl network create","title":"metalctl network create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_create/","page":"metalctl network create","title":"metalctl network create","text":"creates the network","category":"page"},{"location":"external/metalctl/docs/metalctl_network_create/","page":"metalctl network create","title":"metalctl network create","text":"metalctl network create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_create/#Options","page":"metalctl network create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_create/","page":"metalctl network create","title":"metalctl network create","text":" --additional-announcable-cidrs strings list of cidrs which are added to the route maps per tenant private network, these are typically pod- and service cidrs, can only be set in a supernetwork\n --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -d, --description string description of the network to create. [optional]\n --destination-prefixes strings destination prefixes in this network.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl network describe network-1 -o yaml > network.yaml\n $ vi network.yaml\n $ # either via stdin\n $ cat network.yaml | metalctl network create -f -\n $ # or via file\n $ metalctl network create -f network.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for create\n --id string id of the network to create. [optional]\n --labels strings add initial labels, must be in the form of key=value, use it like: --labels \"key1=value1,key2=value2\".\n -n, --name string name of the network to create. [optional]\n --nat set nat flag of network, if set to true, traffic from this network will be natted.\n -p, --partition string partition where this network should exist.\n --prefixes strings prefixes in this network.\n --privatesuper set private super flag of network, if set to true, this network is used to start machines there.\n --project string project of the network to create. [optional]\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations\n --underlay set underlay flag of network, if set to true, this is used to transport underlay network traffic\n --vrf int vrf of this network\n --vrfshared vrf shared allows multiple networks to share a vrf","category":"page"},{"location":"external/metalctl/docs/metalctl_network_create/#Options-inherited-from-parent-commands","page":"metalctl network create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_create/","page":"metalctl network create","title":"metalctl network create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_create/#SEE-ALSO","page":"metalctl network create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_create/","page":"metalctl network create","title":"metalctl network create","text":"metalctl network\t - manage network entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_update/#metalctl-size-reservation-update","page":"metalctl size reservation update","title":"metalctl size reservation update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_update/","page":"metalctl size reservation update","title":"metalctl size reservation update","text":"updates the reservation","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_update/","page":"metalctl size reservation update","title":"metalctl size reservation update","text":"metalctl size reservation update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_update/#Options","page":"metalctl size reservation update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_update/","page":"metalctl size reservation update","title":"metalctl size reservation update","text":" --amount int32 the amount to associate with this reservation\n --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n --description string the description to associate with this reservation\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl reservation describe reservation-1 -o yaml > reservation.yaml\n $ vi reservation.yaml\n $ # either via stdin\n $ cat reservation.yaml | metalctl reservation update -f -\n $ # or via file\n $ metalctl reservation update -f reservation.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --labels strings the labels to associate with this reservation\n --partitions strings the partition ids to associate with this reservation\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_update/#Options-inherited-from-parent-commands","page":"metalctl size reservation update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_update/","page":"metalctl size reservation update","title":"metalctl size reservation update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_update/#SEE-ALSO","page":"metalctl size reservation update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_update/","page":"metalctl size reservation update","title":"metalctl size reservation update","text":"metalctl size reservation\t - manage reservation entities","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_update/#metalctl-filesystemlayout-update","page":"metalctl filesystemlayout update","title":"metalctl filesystemlayout update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_update/","page":"metalctl filesystemlayout update","title":"metalctl filesystemlayout update","text":"updates the filesystemlayout","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_update/","page":"metalctl filesystemlayout update","title":"metalctl filesystemlayout update","text":"metalctl filesystemlayout update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_update/#Options","page":"metalctl filesystemlayout update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_update/","page":"metalctl filesystemlayout update","title":"metalctl filesystemlayout update","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl filesystemlayout describe filesystemlayout-1 -o yaml > filesystemlayout.yaml\n $ vi filesystemlayout.yaml\n $ # either via stdin\n $ cat filesystemlayout.yaml | metalctl filesystemlayout update -f -\n $ # or via file\n $ metalctl filesystemlayout update -f filesystemlayout.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_update/#Options-inherited-from-parent-commands","page":"metalctl filesystemlayout update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_update/","page":"metalctl filesystemlayout update","title":"metalctl filesystemlayout update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_update/#SEE-ALSO","page":"metalctl filesystemlayout update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_update/","page":"metalctl filesystemlayout update","title":"metalctl filesystemlayout update","text":"metalctl filesystemlayout\t - manage filesystemlayout entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/#metalctl-machine-reinstall","page":"metalctl machine reinstall","title":"metalctl machine reinstall","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/","page":"metalctl machine reinstall","title":"metalctl machine reinstall","text":"reinstalls an already allocated machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/#Synopsis","page":"metalctl machine reinstall","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/","page":"metalctl machine reinstall","title":"metalctl machine reinstall","text":"reinstalls an already allocated machine. If it is not yet allocated, nothing happens, otherwise only the machine's primary disk is wiped and the new image will subsequently be installed on that device","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/","page":"metalctl machine reinstall","title":"metalctl machine reinstall","text":"metalctl machine reinstall [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/#Options","page":"metalctl machine reinstall","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/","page":"metalctl machine reinstall","title":"metalctl machine reinstall","text":" -d, --description string description of the reinstallation. [optional]\n -h, --help help for reinstall\n --image string id of the image to get installed. [required]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/#Options-inherited-from-parent-commands","page":"metalctl machine reinstall","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/","page":"metalctl machine reinstall","title":"metalctl machine reinstall","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/#SEE-ALSO","page":"metalctl machine reinstall","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_reinstall/","page":"metalctl machine reinstall","title":"metalctl machine reinstall","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network/#metalctl-network","page":"metalctl network","title":"metalctl network","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network/","page":"metalctl network","title":"metalctl network","text":"manage network entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network/#Synopsis","page":"metalctl network","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network/","page":"metalctl network","title":"metalctl network","text":"networks can be attached to a machine or firewall such that they can communicate with each other.","category":"page"},{"location":"external/metalctl/docs/metalctl_network/#Options","page":"metalctl network","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network/","page":"metalctl network","title":"metalctl network","text":" -h, --help help for network","category":"page"},{"location":"external/metalctl/docs/metalctl_network/#Options-inherited-from-parent-commands","page":"metalctl network","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network/","page":"metalctl network","title":"metalctl network","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network/#SEE-ALSO","page":"metalctl network","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network/","page":"metalctl network","title":"metalctl network","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl network allocate\t - allocate a network\nmetalctl network apply\t - applies one or more networks from a given file\nmetalctl network create\t - creates the network\nmetalctl network delete\t - deletes the network\nmetalctl network describe\t - describes the network\nmetalctl network edit\t - edit the network through an editor and update\nmetalctl network free\t - free a network\nmetalctl network ip\t - manage ip entities\nmetalctl network list\t - list all networks\nmetalctl network update\t - updates the network","category":"page"},{"location":"external/metalctl/docs/metalctl_size_delete/#metalctl-size-delete","page":"metalctl size delete","title":"metalctl size delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_delete/","page":"metalctl size delete","title":"metalctl size delete","text":"deletes the size","category":"page"},{"location":"external/metalctl/docs/metalctl_size_delete/","page":"metalctl size delete","title":"metalctl size delete","text":"metalctl size delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_delete/#Options","page":"metalctl size delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_delete/","page":"metalctl size delete","title":"metalctl size delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl size describe size-1 -o yaml > size.yaml\n $ vi size.yaml\n $ # either via stdin\n $ cat size.yaml | metalctl size delete -f -\n $ # or via file\n $ metalctl size delete -f size.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_delete/#Options-inherited-from-parent-commands","page":"metalctl size delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_delete/","page":"metalctl size delete","title":"metalctl size delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_delete/#SEE-ALSO","page":"metalctl size delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_delete/","page":"metalctl size delete","title":"metalctl size delete","text":"metalctl size\t - manage size entities","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/#metalctl-completion-fish","page":"metalctl completion fish","title":"metalctl completion fish","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":"Generate the autocompletion script for fish","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/#Synopsis","page":"metalctl completion fish","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":"Generate the autocompletion script for the fish shell.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":"To load completions in your current shell session:","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":"metalctl completion fish | source","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":"To load completions for every new session, execute once:","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":"metalctl completion fish > ~/.config/fish/completions/metalctl.fish","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":"You will need to start a new shell for this setup to take effect.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":"metalctl completion fish [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/#Options","page":"metalctl completion fish","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":" -h, --help help for fish\n --no-descriptions disable completion descriptions","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/#Options-inherited-from-parent-commands","page":"metalctl completion fish","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_fish/#SEE-ALSO","page":"metalctl completion fish","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_fish/","page":"metalctl completion fish","title":"metalctl completion fish","text":"metalctl completion\t - Generate the autocompletion script for the specified shell","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_edit/#metalctl-size-imageconstraint-edit","page":"metalctl size imageconstraint edit","title":"metalctl size imageconstraint edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_edit/","page":"metalctl size imageconstraint edit","title":"metalctl size imageconstraint edit","text":"edit the imageconstraint through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_edit/","page":"metalctl size imageconstraint edit","title":"metalctl size imageconstraint edit","text":"metalctl size imageconstraint edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_edit/#Options","page":"metalctl size imageconstraint edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_edit/","page":"metalctl size imageconstraint edit","title":"metalctl size imageconstraint edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_edit/#Options-inherited-from-parent-commands","page":"metalctl size imageconstraint edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_edit/","page":"metalctl size imageconstraint edit","title":"metalctl size imageconstraint edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_edit/#SEE-ALSO","page":"metalctl size imageconstraint edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_edit/","page":"metalctl size imageconstraint edit","title":"metalctl size imageconstraint edit","text":"metalctl size imageconstraint\t - manage imageconstraint entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/#metalctl-machine-ipmi","page":"metalctl machine ipmi","title":"metalctl machine ipmi","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/","page":"metalctl machine ipmi","title":"metalctl machine ipmi","text":"display ipmi details of the machine, if no machine ID is given all ipmi addresses are returned.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/#Synopsis","page":"metalctl machine ipmi","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/","page":"metalctl machine ipmi","title":"metalctl machine ipmi","text":"display ipmi details of the machine, if no machine ID is given all ipmi addresses are returned.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/","page":"metalctl machine ipmi","title":"metalctl machine ipmi","text":"Meaning of the emojis:","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/","page":"metalctl machine ipmi","title":"metalctl machine ipmi","text":"🚧 Machine is reserved. Reserved machines are not considered for random allocation until the reservation flag is removed. 🔒 Machine is locked. Locked machines can not be deleted until the lock is removed. 💀 Machine is dead. The metal-api does not receive any events from this machine. ❗ Machine has a last event error. The machine has recently encountered an error during the provisioning lifecycle. ❓ Machine is in unknown condition. The metal-api does not receive phoned home events anymore or has never booted successfully. ⭕ Machine is in a provisioning crash loop. Flag can be reset through an API-triggered reboot or when the machine reaches the phoned home state. 🚑 Machine reclaim has failed. The machine was deleted but it is not going back into the available machine pool. 🛡 Machine is connected to our VPN, ssh access only possible via this VPN.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/","page":"metalctl machine ipmi","title":"metalctl machine ipmi","text":"metalctl machine ipmi [] [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/#Options","page":"metalctl machine ipmi","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/","page":"metalctl machine ipmi","title":"metalctl machine ipmi","text":" --bmc-address string bmc ipmi address (needs to include port) to filter [optional]\n --bmc-mac string bmc mac address to filter [optional]\n --board-part-number string fru board part number to filter [optional]\n -h, --help help for ipmi\n --hostname string allocation hostname to filter [optional]\n --id string ID to filter [optional]\n --image string allocation image to filter [optional]\n --last-event-error-threshold duration the duration up to how long in the past a machine last event error will be counted as an issue [optional] (default 1h0m0s)\n --mac string mac to filter [optional]\n --manufacturer string fru manufacturer to filter [optional]\n --name string allocation name to filter [optional]\n --network-destination-prefixes string network destination prefixes to filter [optional]\n --network-ids string network ids to filter [optional]\n --network-ips string network ips to filter [optional]\n --partition string partition to filter [optional]\n --product-part-number string fru product part number to filter [optional]\n --product-serial string fru product serial to filter [optional]\n --project string allocation project to filter [optional]\n --rack string rack to filter [optional]\n --role string allocation role to filter [optional]\n --size string size to filter [optional]\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: age|bios|bmc|event|id|liveliness|partition|project|rack|size|when\n --state string state to filter [optional]\n --tags strings tags to filter, use it like: --tags \"tag1,tag2\" or --tags \"tag3\".","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/#Options-inherited-from-parent-commands","page":"metalctl machine ipmi","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/","page":"metalctl machine ipmi","title":"metalctl machine ipmi","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/#SEE-ALSO","page":"metalctl machine ipmi","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_ipmi/","page":"metalctl machine ipmi","title":"metalctl machine ipmi","text":"metalctl machine\t - manage machine entities\nmetalctl machine ipmi events\t - display machine hardware events","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_apply/#metalctl-size-reservation-apply","page":"metalctl size reservation apply","title":"metalctl size reservation apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_apply/","page":"metalctl size reservation apply","title":"metalctl size reservation apply","text":"applies one or more reservations from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_apply/","page":"metalctl size reservation apply","title":"metalctl size reservation apply","text":"metalctl size reservation apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_apply/#Options","page":"metalctl size reservation apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_apply/","page":"metalctl size reservation apply","title":"metalctl size reservation apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl reservation describe reservation-1 -o yaml > reservation.yaml\n $ vi reservation.yaml\n $ # either via stdin\n $ cat reservation.yaml | metalctl reservation apply -f -\n $ # or via file\n $ metalctl reservation apply -f reservation.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_apply/#Options-inherited-from-parent-commands","page":"metalctl size reservation apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_apply/","page":"metalctl size reservation apply","title":"metalctl size reservation apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_apply/#SEE-ALSO","page":"metalctl size reservation apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_apply/","page":"metalctl size reservation apply","title":"metalctl size reservation apply","text":"metalctl size reservation\t - manage reservation entities","category":"page"},{"location":"external/metalctl/docs/metalctl_whoami/#metalctl-whoami","page":"metalctl whoami","title":"metalctl whoami","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_whoami/","page":"metalctl whoami","title":"metalctl whoami","text":"shows current user","category":"page"},{"location":"external/metalctl/docs/metalctl_whoami/#Synopsis","page":"metalctl whoami","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_whoami/","page":"metalctl whoami","title":"metalctl whoami","text":"shows the current user, that will be used to authenticate commands.","category":"page"},{"location":"external/metalctl/docs/metalctl_whoami/","page":"metalctl whoami","title":"metalctl whoami","text":"metalctl whoami [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_whoami/#Options","page":"metalctl whoami","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_whoami/","page":"metalctl whoami","title":"metalctl whoami","text":" -h, --help help for whoami","category":"page"},{"location":"external/metalctl/docs/metalctl_whoami/#Options-inherited-from-parent-commands","page":"metalctl whoami","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_whoami/","page":"metalctl whoami","title":"metalctl whoami","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_whoami/#SEE-ALSO","page":"metalctl whoami","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_whoami/","page":"metalctl whoami","title":"metalctl whoami","text":"metalctl\t - a cli to manage entities in the metal-stack api","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power/#metalctl-machine-power","page":"metalctl machine power","title":"metalctl machine power","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power/","page":"metalctl machine power","title":"metalctl machine power","text":"manage machine power","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power/#Options","page":"metalctl machine power","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power/","page":"metalctl machine power","title":"metalctl machine power","text":" -h, --help help for power","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power/#Options-inherited-from-parent-commands","page":"metalctl machine power","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power/","page":"metalctl machine power","title":"metalctl machine power","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_power/#SEE-ALSO","page":"metalctl machine power","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_power/","page":"metalctl machine power","title":"metalctl machine power","text":"metalctl machine\t - manage machine entities\nmetalctl machine power bios\t - boot a machine into BIOS\nmetalctl machine power cycle\t - power cycle a machine (graceful shutdown)\nmetalctl machine power disk\t - boot a machine from disk\nmetalctl machine power off\t - power off a machine\nmetalctl machine power on\t - power on a machine\nmetalctl machine power pxe\t - boot a machine from PXE\nmetalctl machine power reset\t - power reset a machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi_events/#metalctl-machine-ipmi-events","page":"metalctl machine ipmi events","title":"metalctl machine ipmi events","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_ipmi_events/","page":"metalctl machine ipmi events","title":"metalctl machine ipmi events","text":"display machine hardware events","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi_events/","page":"metalctl machine ipmi events","title":"metalctl machine ipmi events","text":"metalctl machine ipmi events [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi_events/#Options","page":"metalctl machine ipmi events","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_ipmi_events/","page":"metalctl machine ipmi events","title":"metalctl machine ipmi events","text":" -h, --help help for events\n --ipmipassword string overwrite ipmi password (admin only).\n --ipmiuser string overwrite ipmi user (admin only).\n -n, --last string show last log entries. (default \"10\")","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi_events/#Options-inherited-from-parent-commands","page":"metalctl machine ipmi events","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_ipmi_events/","page":"metalctl machine ipmi events","title":"metalctl machine ipmi events","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_ipmi_events/#SEE-ALSO","page":"metalctl machine ipmi events","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_ipmi_events/","page":"metalctl machine ipmi events","title":"metalctl machine ipmi events","text":"metalctl machine ipmi\t - display ipmi details of the machine, if no machine ID is given all ipmi addresses are returned.","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_try/#metalctl-filesystemlayout-try","page":"metalctl filesystemlayout try","title":"metalctl filesystemlayout try","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_try/","page":"metalctl filesystemlayout try","title":"metalctl filesystemlayout try","text":"try to detect a filesystem by given size and image","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_try/","page":"metalctl filesystemlayout try","title":"metalctl filesystemlayout try","text":"metalctl filesystemlayout try [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_try/#Options","page":"metalctl filesystemlayout try","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_try/","page":"metalctl filesystemlayout try","title":"metalctl filesystemlayout try","text":" -h, --help help for try\n --image string image to try\n --size string size to try","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_try/#Options-inherited-from-parent-commands","page":"metalctl filesystemlayout try","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_try/","page":"metalctl filesystemlayout try","title":"metalctl filesystemlayout try","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_try/#SEE-ALSO","page":"metalctl filesystemlayout try","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout_try/","page":"metalctl filesystemlayout try","title":"metalctl filesystemlayout try","text":"metalctl filesystemlayout\t - manage filesystemlayout entities","category":"page"},{"location":"overview/kubernetes/#Kubernetes-Integration","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"","category":"section"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"With the help of the Gardener project, metal-stack can be used for spinning up Kubernetes clusters quickly and reliably on bare metal machines.","category":"page"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"To make this happen, we implemented a couple of components, which are described here.","category":"page"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"Pages = [\"kubernetes.md\"]\nDepth = 5","category":"page"},{"location":"overview/kubernetes/#metal-ccm","page":"Kubernetes Integration","title":"metal-ccm","text":"","category":"section"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"CCM stands for cloud-controller-manager and is the bridge between Kubernetes and a cloud-provider.","category":"page"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"We implemented the cloud provider interface in the metal-ccm repository. With the help of the cloud-controller-controller we provide metal-stack-specific properties for Kubernetes clusters, e.g. load balancer configuration through MetalLB or node properties.","category":"page"},{"location":"overview/kubernetes/#firewall-controller","page":"Kubernetes Integration","title":"firewall-controller","text":"","category":"section"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"To make the firewalls created with metal-stack easily configurable through Kubernetes resources, we add our firewall-controller to the firewall image. The controller watches special CRDs, enabling users to manage:","category":"page"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"nftables rules\nIntrusion-detection with suricata\nnetwork metric collection","category":"page"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"Please check out the guide on how to use it.","category":"page"},{"location":"overview/kubernetes/#Gardener-components","page":"Kubernetes Integration","title":"Gardener components","text":"","category":"section"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"There are some Gardener resources that need be reconciled when you act as a cloud provider for the Gardener. This section briefly describes the controllers implemented for deploying Kubernetes clusters through Gardener.","category":"page"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"If you want to learn how to deploy metal-stack with Gardener, please check out the installation section.","category":"page"},{"location":"overview/kubernetes/#gardener-extension-provider-metal","page":"Kubernetes Integration","title":"gardener-extension-provider-metal","text":"","category":"section"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"The gardener-extension-provider-metal contains of a set of webhooks and controllers for reconciling or mutating Gardener-specific resources.","category":"page"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"The project also contains a validator for metal-type Gardener resources, which you should also deploy in case you want to use metal-stack in combination with Gardener.","category":"page"},{"location":"overview/kubernetes/#os-metal-extension","page":"Kubernetes Integration","title":"os-metal-extension","text":"","category":"section"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"Due to the reason we use ignition in our operating system images for userdata, we had to provide an own extension controller for metal-stack, which you can find at Github in the os-metal-extension repository.","category":"page"},{"location":"overview/kubernetes/#machine-controller-manager-provider-metal","page":"Kubernetes Integration","title":"machine-controller-manager-provider-metal","text":"","category":"section"},{"location":"overview/kubernetes/","page":"Kubernetes Integration","title":"Kubernetes Integration","text":"Worker nodes are managed through Gardener's machine-controller-manager (MCM). The MCM allows out-of-tree provider implementation via sidecar, which is what we implemented in the machine-controller-manager-provider-metal repository.","category":"page"},{"location":"external/metalctl/docs/metalctl_network_apply/#metalctl-network-apply","page":"metalctl network apply","title":"metalctl network apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_apply/","page":"metalctl network apply","title":"metalctl network apply","text":"applies one or more networks from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_network_apply/","page":"metalctl network apply","title":"metalctl network apply","text":"metalctl network apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_apply/#Options","page":"metalctl network apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_apply/","page":"metalctl network apply","title":"metalctl network apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl network describe network-1 -o yaml > network.yaml\n $ vi network.yaml\n $ # either via stdin\n $ cat network.yaml | metalctl network apply -f -\n $ # or via file\n $ metalctl network apply -f network.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_network_apply/#Options-inherited-from-parent-commands","page":"metalctl network apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_apply/","page":"metalctl network apply","title":"metalctl network apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_apply/#SEE-ALSO","page":"metalctl network apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_apply/","page":"metalctl network apply","title":"metalctl network apply","text":"metalctl network\t - manage network entities","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_update/#metalctl-switch-update","page":"metalctl switch update","title":"metalctl switch update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_update/","page":"metalctl switch update","title":"metalctl switch update","text":"updates the switch","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_update/","page":"metalctl switch update","title":"metalctl switch update","text":"metalctl switch update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_update/#Options","page":"metalctl switch update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_update/","page":"metalctl switch update","title":"metalctl switch update","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl switch describe switch-1 -o yaml > switch.yaml\n $ vi switch.yaml\n $ # either via stdin\n $ cat switch.yaml | metalctl switch update -f -\n $ # or via file\n $ metalctl switch update -f switch.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_update/#Options-inherited-from-parent-commands","page":"metalctl switch update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_update/","page":"metalctl switch update","title":"metalctl switch update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_update/#SEE-ALSO","page":"metalctl switch update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_update/","page":"metalctl switch update","title":"metalctl switch update","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"external/metalctl/docs/metalctl_context/#metalctl-context","page":"metalctl context","title":"metalctl context","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_context/","page":"metalctl context","title":"metalctl context","text":"manage metalctl context","category":"page"},{"location":"external/metalctl/docs/metalctl_context/#Synopsis","page":"metalctl context","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_context/","page":"metalctl context","title":"metalctl context","text":"context defines the backend to which metalctl talks to. You can switch back and forth with \"-\"","category":"page"},{"location":"external/metalctl/docs/metalctl_context/","page":"metalctl context","title":"metalctl context","text":"metalctl context [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_context/#Examples","page":"metalctl context","title":"Examples","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_context/","page":"metalctl context","title":"metalctl context","text":"\n~/.metalctl/config.yaml\n---\ncurrent: prod\ncontexts:\n prod:\n url: https://api.metal-stack.io/metal\n issuer_url: https://dex.metal-stack.io/dex\n client_id: metal_client\n client_secret: 456\n dev:\n url: https://api.metal-stack.dev/metal\n issuer_url: https://dex.metal-stack.dev/dex\n client_id: metal_client\n client_secret: 123\n...\n","category":"page"},{"location":"external/metalctl/docs/metalctl_context/#Options","page":"metalctl context","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_context/","page":"metalctl context","title":"metalctl context","text":" -h, --help help for context","category":"page"},{"location":"external/metalctl/docs/metalctl_context/#Options-inherited-from-parent-commands","page":"metalctl context","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_context/","page":"metalctl context","title":"metalctl context","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_context/#SEE-ALSO","page":"metalctl context","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_context/","page":"metalctl context","title":"metalctl context","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl context short\t - only show the default context name","category":"page"},{"location":"overview/storage/#Storage","page":"Storage","title":"Storage","text":"","category":"section"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"When working with bare-metal servers, providing cloud storage is a challenge. With physical machines there is no opportunity that a hypervisor can mount storage devices into the servers and thus, we have to implement other mechanisms that are capable of dynamically mounting storage onto the machines.","category":"page"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"In the meantime, we have started to integrate third-party solutions into our metal-stack landscape. They help us to provide modern, well-integrated and scalable storage solutions to our end-users.","category":"page"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"Pages = [\"persistent_storage.md\"]\nDepth = 5","category":"page"},{"location":"overview/storage/#Lightbits-Labs-NVMe-over-TCP-Storage-Integration","page":"Storage","title":"Lightbits Labs NVMe over TCP Storage Integration","text":"","category":"section"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"Lightbits Labs offers a proprietary implementation of persistent storage using NVMe over TCP. The solution has some very superior traits that fit very well to metal-stack. The strongest advantages are:","category":"page"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"High performance\nBuilt-in multi-tenant capabilities\nConfigurable compression and replication factors","category":"page"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"We are maintaining an open source integration for running LightOS in our Gardener cluster provisioning. You can enable it through the controller registration of the gardener-extension-provider-metal.","category":"page"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"With the integration in place, the extension-provider deploys a duros-controller along with a Duros Storage CRD into the seed's shoot namespace. The duros-controller takes care of creating projects and managing credentials at the Lightbits Duros API. It also provides storage classes as configured in the extension-provider's controller registration to the customer's shoot cluster such that users can start consuming the Lightbits storage immediately.","category":"page"},{"location":"overview/storage/#Simple-Node-Local-Storage-with-csi-driver-lvm","page":"Storage","title":"Simple Node Local Storage with csi-driver-lvm","text":"","category":"section"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"If you wish to quickly start off with cluster provisioning without caring so much about complex cloud storage solutions, we recommend using a small storage driver we wrote called csi-driver-lvm. It provides a storage class that manages node-local storage through LVM.","category":"page"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"A definition of a PVC can look like this:","category":"page"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"apiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n name: csi-pvc\nspec:\n accessModes:\n - ReadWriteOnce\n resources:\n requests:\n storage: 100Mi\n storageClassName: csi-lvm-sc-linear","category":"page"},{"location":"overview/storage/","page":"Storage","title":"Storage","text":"The solution does not provide cloud-storage or whatsoever, but it improves the user's accessibility of local storage on bare-metal machines through Kubernetes. Check out the driver's documentation here.","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_edit/#metalctl-partition-edit","page":"metalctl partition edit","title":"metalctl partition edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_edit/","page":"metalctl partition edit","title":"metalctl partition edit","text":"edit the partition through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_edit/","page":"metalctl partition edit","title":"metalctl partition edit","text":"metalctl partition edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_edit/#Options","page":"metalctl partition edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_edit/","page":"metalctl partition edit","title":"metalctl partition edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_edit/#Options-inherited-from-parent-commands","page":"metalctl partition edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_edit/","page":"metalctl partition edit","title":"metalctl partition edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_edit/#SEE-ALSO","page":"metalctl partition edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_edit/","page":"metalctl partition edit","title":"metalctl partition edit","text":"metalctl partition\t - manage partition entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify/#metalctl-machine-identify","page":"metalctl machine identify","title":"metalctl machine identify","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify/","page":"metalctl machine identify","title":"metalctl machine identify","text":"manage machine chassis identify LED power","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify/#Options","page":"metalctl machine identify","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify/","page":"metalctl machine identify","title":"metalctl machine identify","text":" -h, --help help for identify","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify/#Options-inherited-from-parent-commands","page":"metalctl machine identify","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify/","page":"metalctl machine identify","title":"metalctl machine identify","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_identify/#SEE-ALSO","page":"metalctl machine identify","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_identify/","page":"metalctl machine identify","title":"metalctl machine identify","text":"metalctl machine\t - manage machine entities\nmetalctl machine identify off\t - power off the machine chassis identify LED\nmetalctl machine identify on\t - power on the machine chassis identify LED","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_create/#metalctl-partition-create","page":"metalctl partition create","title":"metalctl partition create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_create/","page":"metalctl partition create","title":"metalctl partition create","text":"creates the partition","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_create/","page":"metalctl partition create","title":"metalctl partition create","text":"metalctl partition create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_create/#Options","page":"metalctl partition create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_create/","page":"metalctl partition create","title":"metalctl partition create","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n --cmdline string kernel commandline for the metal-hammer in the partition. [required]\n -d, --description string Description of the partition. [required]\n --dnsservers string dns servers for the machines and firewalls in the partition. [optional]\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl partition describe partition-1 -o yaml > partition.yaml\n $ vi partition.yaml\n $ # either via stdin\n $ cat partition.yaml | metalctl partition create -f -\n $ # or via file\n $ metalctl partition create -f partition.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for create\n --id string ID of the partition. [required]\n --imageurl string initrd for the metal-hammer in the partition. [required]\n --kernelurl string kernel url for the metal-hammer in the partition. [required]\n --mgmtserver string management server address in the partition. [required]\n -n, --name string Name of the partition. [optional]\n --ntpservers string ntp servers for the machines and firewalls in the partition. [optional]\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_create/#Options-inherited-from-parent-commands","page":"metalctl partition create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_create/","page":"metalctl partition create","title":"metalctl partition create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_partition_create/#SEE-ALSO","page":"metalctl partition create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_partition_create/","page":"metalctl partition create","title":"metalctl partition create","text":"metalctl partition\t - manage partition entities","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout/#metalctl-filesystemlayout","page":"metalctl filesystemlayout","title":"metalctl filesystemlayout","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout/","page":"metalctl filesystemlayout","title":"metalctl filesystemlayout","text":"manage filesystemlayout entities","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout/#Synopsis","page":"metalctl filesystemlayout","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout/","page":"metalctl filesystemlayout","title":"metalctl filesystemlayout","text":"a filesystemlayout is a specification how the disks in a machine are partitioned, formatted and mounted.","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout/#Options","page":"metalctl filesystemlayout","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout/","page":"metalctl filesystemlayout","title":"metalctl filesystemlayout","text":" -h, --help help for filesystemlayout","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout/#Options-inherited-from-parent-commands","page":"metalctl filesystemlayout","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout/","page":"metalctl filesystemlayout","title":"metalctl filesystemlayout","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_filesystemlayout/#SEE-ALSO","page":"metalctl filesystemlayout","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_filesystemlayout/","page":"metalctl filesystemlayout","title":"metalctl filesystemlayout","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl filesystemlayout apply\t - applies one or more filesystemlayouts from a given file\nmetalctl filesystemlayout create\t - creates the filesystemlayout\nmetalctl filesystemlayout delete\t - deletes the filesystemlayout\nmetalctl filesystemlayout describe\t - describes the filesystemlayout\nmetalctl filesystemlayout edit\t - edit the filesystemlayout through an editor and update\nmetalctl filesystemlayout list\t - list all filesystemlayouts\nmetalctl filesystemlayout match\t - check if a machine satisfies all disk requirements of a given filesystemlayout\nmetalctl filesystemlayout try\t - try to detect a filesystem by given size and image\nmetalctl filesystemlayout update\t - updates the filesystemlayout","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_apply/#metalctl-size-imageconstraint-apply","page":"metalctl size imageconstraint apply","title":"metalctl size imageconstraint apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_apply/","page":"metalctl size imageconstraint apply","title":"metalctl size imageconstraint apply","text":"applies one or more imageconstraints from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_apply/","page":"metalctl size imageconstraint apply","title":"metalctl size imageconstraint apply","text":"metalctl size imageconstraint apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_apply/#Options","page":"metalctl size imageconstraint apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_apply/","page":"metalctl size imageconstraint apply","title":"metalctl size imageconstraint apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl imageconstraint describe imageconstraint-1 -o yaml > imageconstraint.yaml\n $ vi imageconstraint.yaml\n $ # either via stdin\n $ cat imageconstraint.yaml | metalctl imageconstraint apply -f -\n $ # or via file\n $ metalctl imageconstraint apply -f imageconstraint.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_apply/#Options-inherited-from-parent-commands","page":"metalctl size imageconstraint apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_apply/","page":"metalctl size imageconstraint apply","title":"metalctl size imageconstraint apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_apply/#SEE-ALSO","page":"metalctl size imageconstraint apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_apply/","page":"metalctl size imageconstraint apply","title":"metalctl size imageconstraint apply","text":"metalctl size imageconstraint\t - manage imageconstraint entities","category":"page"},{"location":"external/metalctl/docs/metalctl/#metalctl","page":"metalctl","title":"metalctl","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl/","page":"metalctl","title":"metalctl","text":"a cli to manage entities in the metal-stack api","category":"page"},{"location":"external/metalctl/docs/metalctl/#Options","page":"metalctl","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl/","page":"metalctl","title":"metalctl","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n -h, --help help for metalctl\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl/#SEE-ALSO","page":"metalctl","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl/","page":"metalctl","title":"metalctl","text":"metalctl audit\t - manage audit trace entities\nmetalctl completion\t - Generate the autocompletion script for the specified shell\nmetalctl context\t - manage metalctl context\nmetalctl filesystemlayout\t - manage filesystemlayout entities\nmetalctl firewall\t - manage firewall entities\nmetalctl firmware\t - manage firmwares\nmetalctl health\t - shows the server health\nmetalctl image\t - manage image entities\nmetalctl login\t - login user and receive token\nmetalctl logout\t - logout user from OIDC SSO session\nmetalctl machine\t - manage machine entities\nmetalctl markdown\t - create markdown documentation\nmetalctl network\t - manage network entities\nmetalctl partition\t - manage partition entities\nmetalctl project\t - manage project entities\nmetalctl size\t - manage size entities\nmetalctl switch\t - manage switch entities\nmetalctl tenant\t - manage tenant entities\nmetalctl update\t - update the program\nmetalctl version\t - print the client and server version information\nmetalctl vpn\t - access VPN\nmetalctl whoami\t - shows current user","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_delete/#metalctl-size-reservation-delete","page":"metalctl size reservation delete","title":"metalctl size reservation delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_delete/","page":"metalctl size reservation delete","title":"metalctl size reservation delete","text":"deletes the reservation","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_delete/","page":"metalctl size reservation delete","title":"metalctl size reservation delete","text":"metalctl size reservation delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_delete/#Options","page":"metalctl size reservation delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_delete/","page":"metalctl size reservation delete","title":"metalctl size reservation delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl reservation describe reservation-1 -o yaml > reservation.yaml\n $ vi reservation.yaml\n $ # either via stdin\n $ cat reservation.yaml | metalctl reservation delete -f -\n $ # or via file\n $ metalctl reservation delete -f reservation.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_delete/#Options-inherited-from-parent-commands","page":"metalctl size reservation delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_delete/","page":"metalctl size reservation delete","title":"metalctl size reservation delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_delete/#SEE-ALSO","page":"metalctl size reservation delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_delete/","page":"metalctl size reservation delete","title":"metalctl size reservation delete","text":"metalctl size reservation\t - manage reservation entities","category":"page"},{"location":"overview/architecture/#Architecture","page":"Architecture","title":"Architecture","text":"","category":"section"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"The metal-stack is a compound of microservices predominantly written in Golang.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"This page gives you an overview over which microservices exist, how they communicate with each other and where they are deployed.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Pages = [\"architecture.md\"]\nDepth = 5","category":"page"},{"location":"overview/architecture/#Target-Deployment-Platforms","page":"Architecture","title":"Target Deployment Platforms","text":"","category":"section"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"For our environments, we chose to deploy the metal-stack into a Kubernetes cluster. This means that also our entire installation was developed for metal-stack being run on Kubernetes. Running applications on Kubernetes gives you a lot of benefits regarding ease-of-deployment, scalability, reliability and so on.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"However, very early we decided that we do not want to depend on technical Kubernetes functionality with our software (i.e. we did not implement the stack \"kube-native\" by using controllers and Kubernetes CRDs and things like that). With the following paragraph we want to point out the reasoning behind this \"philosophical\" decision that may sound conservative at first glance. But not relying on Kubernetes technology:","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Makes deployments of the stack without Kubernetes theoretically possible.\nWe believe that cloud providers should be able to act beneath Kubernetes\nThis way it is possible to use metal-stack for providing your own Kubernetes offering without relying on Kubernetes yourself (breaks the chicken-egg problem)\nFollows an important claim in microservice development: \"Be agnostic to your choice of technology\"\nFor applications that are purely made for being run on Kubernetes, it does not matter to rely on this technology (we even do the same a lot with our applications that integrate the metal-stack with Gardener) but as soon as you start using things like the underlying reconciliation abilities (which admittedly are fanstatic) you are locking your code into a certain technology\nWe don't know what comes after Kubernetes but we believe that a cloud offering should have the potential to survive a choice of technology\nBy this decision we ensured that we can migrate the stack to another future technology and survive the change","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"One more word towards determining the location for your metal control plane: It is not strictly required to run the control plane inside the same data center as your servers. It even makes sense not to do so because this way you can place your control plane and your servers into a different failure domains, which makes your installation more robust to data center meltdown. Externally hosting the control plane brings you up and running quickly plus having the advantage of higher security through geo-distribution.","category":"page"},{"location":"overview/architecture/#Metal-Control-Plane","page":"Architecture","title":"Metal Control Plane","text":"","category":"section"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"The foundation of the metal-stack is what we call the metal control plane.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"The control plane contains a couple of essential microservices for the metal-stack including:","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"metal-api The API to manage control plane resources like machines, switches, operating system images, machine sizes, networks, IP addresses and more. The exposed API is an old-fashioned REST API with different authentication methods. The metal-api stores the state of these entities in a RethinkDB database. The metal-api also has its own IP address management (go-ipam), which writes IP address and network allocations into a PostgreSQL backend.\nmasterdata-api Manages tenant and project entities, which can be described as entities used for company-specific resource separation and grouping. Having these \"higher level entities\" managed by a separate microservice was a design choice that allows to re-use the information by other microservices without having them to know the metal-api at all. The masterdata gets persisted in a dedicated PostgreSQL database.\nmetal-console Provides access for users to a machine's serial console via SSH. It can be seen as an optional component.\nnsq A message queuing system (not developed by the metal-stack) used for decoupling microservices and distributing tasks.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"The following figure shows the relationships between these microservices:","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"(Image: Metal Control Plane)","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Figure 1: The metal control plane deployed in a Kubernetes environment with an ingress-controller exposing additional services via service exposal.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Some notes on this picture:","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Users can access the metal-api with the CLI client called metalctl.\nYou can programmatically access the metal-api with client libraries (e.g. metal-go).\nOur databases are wrapped in a specially built backup-restore-sidecar, which is consistently backing up the databases in external blob storage.\nThe metal-api can be scaled out using replicas when being deployed in Kubernetes.","category":"page"},{"location":"overview/architecture/#Partitions","page":"Architecture","title":"Partitions","text":"","category":"section"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"A partition is our term for describing hardware in the data center controlled by the metal-stack with all the hardware participating in the same network topology. Being in the same network topology causes the hardware inside a partition to build a failure domain. Even though the network topology for running the metal-stack is required to be redundant by design, you should consider setting up multiple partitions. With multiple partitions it is possible for users to maintain availability of their applications by spreading them across the partitions. Installing partitions in multiple data centers would be even better in regards of fail-safe application performance, which would even tolerate the meltdown of a data center.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"tip: Tip\nIn our setups, we encode the name of a region and a zone name into our partition names. However, we do not have dedicated entities for regions and zones in our APIs.A region is a geographic area in which data centers are located.Zones are geographic locations in a region usually in different fire compartments. Regions can consist of several zones.A zone can consist of several partitions. Usually, a partition spans a rack or a group of racks.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"We strongly advise to group your hardware into racks that are specifically assembled for running metal-stack. When using modular rack design, the amount of compute resources of a partition can easily be extended by adding more racks to your partition.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"info: Info\nThe hardware that we currently support to be placed inside a partition is described in the hardware document.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"info: Info\nHow large you can grow your partitions and how the network topology inside a partition looks like is described in the networking document.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"The metal-stack has microservices running on the leaf switches in a partition. For this reason, your leaf switches are required to run a Linux distribution that you have full access to. Additionally, there are a servers not added to the pool of user-allocatable machines, which are instead required for running metal-stack and we call them management servers. We also call the entirety of switches inside a partition the switch plane.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"The microservices running inside a partition are:","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"metal-hammer (runs on a server when not allocated by user, often referred to as discovery image) An initrd, which is booted up in PXE mode, preparing and registering a machine. When a user allocates a machine, the metal-hammer will install the target operating system on this machine and kexec into the new operating system kernel.\nmetal-core (runs on leaf switches) Dynamically configures the leaf switch from information provided by the metal-api. It also proxies requests from the metal-hammer to the metal-api including publishment of machine lifecycle events and machine registration requests.\npixiecore (preferably runs on management servers, forked by metal-stack) Provides the capability of PXE booting servers in the PXE boot network.\nmetal-bmc (runs on management servers) Reports the ip addresses that are leased to ipmi devices together with their machine uuids to the metal-api. This provides machine discovery in the partition machines and keeps all IPMI interface access data up-to-date. Also forwards metal-console requests to the actual machine, allowing user access to the machine's serial console. Furthermore it processes firmware updates and power on/off, led on/off, boot order changes.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"(Image: Partition)","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Figure 2: Simplified illustration of services running inside a partition.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Some notes on this picture:","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"This figure is slightly simplified. The switch plane consists of spine switches, exit routers, management firewalls and a bastion router with more software components deployed on these entities. Please refer to the networking document to see the full overview over the switch plane.\nThe image-cache is an optional component consisting of multiple services to allow caching images from the public image store inside a partition. This brings increased download performance on machine allocation and increases independence of a partition on the internet connection.","category":"page"},{"location":"overview/architecture/#Complete-View","page":"Architecture","title":"Complete View","text":"","category":"section"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"The following figure shows several partitions connected to a single metal control plane. Of course, it is also possible to have multiple metal control planes, which can be useful for staging.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"(Image: metal-stack)","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Figure 3: Reduced view on the communication between the metal control plane and multiple partitions.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Some notes on this picture:","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"By design, a partition only has very few ports open for incoming-connections from the internet. This contributes to a smaller attack surface and higher security of your infrastructure.\nWith the help of NSQ, it is not required to have connections from the metal control plane to the metal-core. The metal-core instances register at the message bus and can then consume partition-specific topics, e.g. when a machine deletion gets issued by a user.","category":"page"},{"location":"overview/architecture/#Machine-Provisioning-Sequence","page":"Architecture","title":"Machine Provisioning Sequence","text":"","category":"section"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"The following sequence diagram illustrates some of the main principles of the machine provisioning lifecycle.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"(Image: provisioning sequence)","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Figure 4: Sequence diagram of the machine provisioning sequence.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Here is a video showing a screen capture of a machine's serial console while running the metal-hammer in \"wait mode\". Then, a user allocates the machine and the metal-hammer installs the target operating system and the machine boots into the new operating system kernel via the kexec system call.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"
    \n\n
    ","category":"page"},{"location":"overview/architecture/#Offline-Resilience","page":"Architecture","title":"Offline Resilience","text":"","category":"section"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"It is possible to use metal-stack without any external network dependencies by integrating your own DNS and NTP configuration into the stack. This feature is great for workloads requiring strong independence and reliability. Even in case of an internet connection failure, your infrastructure remains operational. Existing machines do not encounter any downtime as well as new machines can be provisioned. All you need to have in place is a DNS and NTP server configured and accessible for metal-stack.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"NTP servers need to be configured on the pixiecore and the metal-hammer microservices. This can be achieved by providing a list of NTP servers with the following Ansible variable through metal-roles:","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"pixiecore_metal_hammer_ntp_servers: []","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"In the background, the pixiecore is taking the NTP servers and passing it via the MetalConfig to the metal-hammer. When booting bare-metal servers, the metal-hammer needs to configure NTP servers. It recognises the ones from the MetalConfig and configures itself accordingly. If no NTP servers are passed along, the following standard servers are used:","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"0.de.pool.ntp.org\n1.de.pool.ntp.org\n2.de.pool.ntp.org","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Moreover, machine and firewall images need to be configured with your custom DNS and NTP servers. The customisation can be made via the fields ntp_servers an dns_servers and specifying a list of servers in the creation request for the machine or firewall.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Within a partition default values for DNS and NTP servers can be configured. They are applied to all machines and firewalls within this partition, but can be replaced by specifying different ones inside the machine allocation request.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"Thus, for creating a partition as well as a machine or a firewall, the flags dnsservers and ntpservers can be provided within the metalctl command.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"In order to be fully offline resilient, make sure to check out metal-image-cache-sync. This component provides copies of metal-images, metal-kernel and metal-hammer.","category":"page"},{"location":"overview/architecture/","page":"Architecture","title":"Architecture","text":"This feature is related to MEP14.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/#metalctl-machine-update-firmware-bios","page":"metalctl machine update-firmware bios","title":"metalctl machine update-firmware bios","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/","page":"metalctl machine update-firmware bios","title":"metalctl machine update-firmware bios","text":"update a machine BIOS","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/#Synopsis","page":"metalctl machine update-firmware bios","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/","page":"metalctl machine update-firmware bios","title":"metalctl machine update-firmware bios","text":"the machine BIOS will be updated to given revision. If revision flag is not specified an update plan will be printed instead.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/","page":"metalctl machine update-firmware bios","title":"metalctl machine update-firmware bios","text":"metalctl machine update-firmware bios [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/#Options","page":"metalctl machine update-firmware bios","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/","page":"metalctl machine update-firmware bios","title":"metalctl machine update-firmware bios","text":" --description string the reason why the BIOS should be updated\n -h, --help help for bios\n --revision string the BIOS revision","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/#Options-inherited-from-parent-commands","page":"metalctl machine update-firmware bios","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/","page":"metalctl machine update-firmware bios","title":"metalctl machine update-firmware bios","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/#SEE-ALSO","page":"metalctl machine update-firmware bios","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware_bios/","page":"metalctl machine update-firmware bios","title":"metalctl machine update-firmware bios","text":"metalctl machine update-firmware\t - update a machine firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_delete/#metalctl-switch-delete","page":"metalctl switch delete","title":"metalctl switch delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_delete/","page":"metalctl switch delete","title":"metalctl switch delete","text":"deletes the switch","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_delete/","page":"metalctl switch delete","title":"metalctl switch delete","text":"metalctl switch delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_delete/#Options","page":"metalctl switch delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_delete/","page":"metalctl switch delete","title":"metalctl switch delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl switch describe switch-1 -o yaml > switch.yaml\n $ vi switch.yaml\n $ # either via stdin\n $ cat switch.yaml | metalctl switch delete -f -\n $ # or via file\n $ metalctl switch delete -f switch.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n --force forcefully delete the switch accepting the risk that it still has machines connected to it\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_delete/#Options-inherited-from-parent-commands","page":"metalctl switch delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_delete/","page":"metalctl switch delete","title":"metalctl switch delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_delete/#SEE-ALSO","page":"metalctl switch delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_delete/","page":"metalctl switch delete","title":"metalctl switch delete","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_create/#metalctl-size-imageconstraint-create","page":"metalctl size imageconstraint create","title":"metalctl size imageconstraint create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_create/","page":"metalctl size imageconstraint create","title":"metalctl size imageconstraint create","text":"creates the imageconstraint","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_create/","page":"metalctl size imageconstraint create","title":"metalctl size imageconstraint create","text":"metalctl size imageconstraint create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_create/#Options","page":"metalctl size imageconstraint create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_create/","page":"metalctl size imageconstraint create","title":"metalctl size imageconstraint create","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl imageconstraint describe imageconstraint-1 -o yaml > imageconstraint.yaml\n $ vi imageconstraint.yaml\n $ # either via stdin\n $ cat imageconstraint.yaml | metalctl imageconstraint create -f -\n $ # or via file\n $ metalctl imageconstraint create -f imageconstraint.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for create\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_create/#Options-inherited-from-parent-commands","page":"metalctl size imageconstraint create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_create/","page":"metalctl size imageconstraint create","title":"metalctl size imageconstraint create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_create/#SEE-ALSO","page":"metalctl size imageconstraint create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_create/","page":"metalctl size imageconstraint create","title":"metalctl size imageconstraint create","text":"metalctl size imageconstraint\t - manage imageconstraint entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_issues/#metalctl-network-ip-issues","page":"metalctl network ip issues","title":"metalctl network ip issues","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_issues/","page":"metalctl network ip issues","title":"metalctl network ip issues","text":"display ips which are in a potential bad state","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_issues/","page":"metalctl network ip issues","title":"metalctl network ip issues","text":"metalctl network ip issues [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_issues/#Options","page":"metalctl network ip issues","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_issues/","page":"metalctl network ip issues","title":"metalctl network ip issues","text":" -h, --help help for issues","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_issues/#Options-inherited-from-parent-commands","page":"metalctl network ip issues","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_issues/","page":"metalctl network ip issues","title":"metalctl network ip issues","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_issues/#SEE-ALSO","page":"metalctl network ip issues","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_issues/","page":"metalctl network ip issues","title":"metalctl network ip issues","text":"metalctl network ip\t - manage ip entities","category":"page"},{"location":"external/metalctl/docs/metalctl_version/#metalctl-version","page":"metalctl version","title":"metalctl version","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_version/","page":"metalctl version","title":"metalctl version","text":"print the client and server version information","category":"page"},{"location":"external/metalctl/docs/metalctl_version/","page":"metalctl version","title":"metalctl version","text":"metalctl version [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_version/#Options","page":"metalctl version","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_version/","page":"metalctl version","title":"metalctl version","text":" -h, --help help for version","category":"page"},{"location":"external/metalctl/docs/metalctl_version/#Options-inherited-from-parent-commands","page":"metalctl version","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_version/","page":"metalctl version","title":"metalctl version","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_version/#SEE-ALSO","page":"metalctl version","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_version/","page":"metalctl version","title":"metalctl version","text":"metalctl\t - a cli to manage entities in the metal-stack api","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_edit/#metalctl-tenant-edit","page":"metalctl tenant edit","title":"metalctl tenant edit","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_edit/","page":"metalctl tenant edit","title":"metalctl tenant edit","text":"edit the tenant through an editor and update","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_edit/","page":"metalctl tenant edit","title":"metalctl tenant edit","text":"metalctl tenant edit [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_edit/#Options","page":"metalctl tenant edit","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_edit/","page":"metalctl tenant edit","title":"metalctl tenant edit","text":" -h, --help help for edit","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_edit/#Options-inherited-from-parent-commands","page":"metalctl tenant edit","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_edit/","page":"metalctl tenant edit","title":"metalctl tenant edit","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_edit/#SEE-ALSO","page":"metalctl tenant edit","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_edit/","page":"metalctl tenant edit","title":"metalctl tenant edit","text":"metalctl tenant\t - manage tenant entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_apply/#metalctl-size-apply","page":"metalctl size apply","title":"metalctl size apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_apply/","page":"metalctl size apply","title":"metalctl size apply","text":"applies one or more sizes from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_size_apply/","page":"metalctl size apply","title":"metalctl size apply","text":"metalctl size apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_apply/#Options","page":"metalctl size apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_apply/","page":"metalctl size apply","title":"metalctl size apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl size describe size-1 -o yaml > size.yaml\n $ vi size.yaml\n $ # either via stdin\n $ cat size.yaml | metalctl size apply -f -\n $ # or via file\n $ metalctl size apply -f size.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_apply/#Options-inherited-from-parent-commands","page":"metalctl size apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_apply/","page":"metalctl size apply","title":"metalctl size apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_apply/#SEE-ALSO","page":"metalctl size apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_apply/","page":"metalctl size apply","title":"metalctl size apply","text":"metalctl size\t - manage size entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_update/#metalctl-size-imageconstraint-update","page":"metalctl size imageconstraint update","title":"metalctl size imageconstraint update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_update/","page":"metalctl size imageconstraint update","title":"metalctl size imageconstraint update","text":"updates the imageconstraint","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_update/","page":"metalctl size imageconstraint update","title":"metalctl size imageconstraint update","text":"metalctl size imageconstraint update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_update/#Options","page":"metalctl size imageconstraint update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_update/","page":"metalctl size imageconstraint update","title":"metalctl size imageconstraint update","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl imageconstraint describe imageconstraint-1 -o yaml > imageconstraint.yaml\n $ vi imageconstraint.yaml\n $ # either via stdin\n $ cat imageconstraint.yaml | metalctl imageconstraint update -f -\n $ # or via file\n $ metalctl imageconstraint update -f imageconstraint.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_update/#Options-inherited-from-parent-commands","page":"metalctl size imageconstraint update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_update/","page":"metalctl size imageconstraint update","title":"metalctl size imageconstraint update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_update/#SEE-ALSO","page":"metalctl size imageconstraint update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_imageconstraint_update/","page":"metalctl size imageconstraint update","title":"metalctl size imageconstraint update","text":"metalctl size imageconstraint\t - manage imageconstraint entities","category":"page"},{"location":"external/firewall-controller/README/#Firewall-Controller","page":"firewall-controller","title":"Firewall Controller","text":"","category":"section"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"This controller is installed on a bare-metal firewall in front of several kubernetes worker nodes and responsible to reconcile a ClusterwideNetworkPolicy to nftables rules to control access to and from the kubernetes cluster. It allows also to control the traffic rate going through, to limit network resources for restricted usage scenarios. Nftable and node metrics are exposed with the nftables-exporter and node-exporter, the ips are visible as service and endpoint from the kubernetes cluster.","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"Additional an IDS is managed on the firewall to detect known network anomalies. suricata is used for this purpose. Right now, only basic statistics about the amount of scanned packets is reported. In a future release, access to all alarms will be provided.","category":"page"},{"location":"external/firewall-controller/README/#Architecture","page":"firewall-controller","title":"Architecture","text":"","category":"section"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"(Image: Architecture)","category":"page"},{"location":"external/firewall-controller/README/#Automatically-generated-ingress-rules","page":"firewall-controller","title":"Automatically generated ingress rules","text":"","category":"section"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"For every Service of type LoadBalancer in the cluster, the corresponding ingress rules will be automatically generated.","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"If loadBalancerSourceRanges is not specified, incomig traffic to this service will be allowed for any source ip addresses.","category":"page"},{"location":"external/firewall-controller/README/#Configuration","page":"firewall-controller","title":"Configuration","text":"","category":"section"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"Firewall Controller is configured with 2 CRDs: firewalls.metal-stack.io and clusterwidenetworkpolicies.metal-stack.io. Both are namespaced and must reside in the firewall namespace. The firewalls CRD is typically written from the gardener-extension-provider-metal, the clusterwidenetworkpolicy should be provided by the deployment of your application.","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"Example Firewall CRD:","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"apiVersion: metal-stack.io/v1\nkind: Firewall\nmetadata:\n namespace: firewall\n name: firewall\nspec:\n # Interval of reconciliation if nftables rules and network traffic accounting\n interval: 10s\n # Ratelimits specify on which physical interface, which maximum rate of traffic is allowed\n ratelimits:\n # The name of the interface visible with ip link show\n - interface: vrf104009\n # The maximum rate in MBits/s\n rate: 10\n # Internalprefixes defines a list of prefixes where the traffic going to, or coming from is considered internal, e.g. not leaving into external networks\n # given the architecture picture above this would be:\n internalprefixes:\n - \"1.2.3.0/24\n - \"172.17.0.0/16\"\n - \"10.0.0.0/8\"","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"Example ClusterwideNetworkPolicy:","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"apiVersion: metal-stack.io/v1\nkind: ClusterwideNetworkPolicy\nmetadata:\n namespace: firewall\n name: clusterwidenetworkpolicy-sample\nspec:\n egress:\n - to:\n - cidr: 1.1.0.0/24\n except:\n - 1.1.1.0/16\n - cidr: 8.8.8.8/32\n ports:\n - protocol: UDP\n port: 53\n - protocol: TCP\n port: 53","category":"page"},{"location":"external/firewall-controller/README/#Status","page":"firewall-controller","title":"Status","text":"","category":"section"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"Once the firewall-controller is running, it will report several statistics to the Firewall CRD Status: This can be inspected by running:","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"kubectl describe -n firewall firewall","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"The output would look like:","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"Status:\n Last Run: 2020-06-17T13:18:58Z\n Stats:\n # Network traffic in bytes separated into external and internal in/out/total\n Devices:\n External:\n In: 91696\n Out: 34600\n Total: 0\n Internal:\n In: 0\n Out: 0\n Total: 2678671\n # IDS Statistics by interface\n Idsstats:\n vrf104009:\n Drop: 1992\n Invalidchecksums: 0\n Packets: 4997276\n # nftable rule statistics by rule name\n Rules:\n Accept:\n BGP unnumbered:\n Counter:\n Bytes: 0\n Packets: 0\n SSH incoming connections:\n Counter:\n Bytes: 936\n Packets: 16\n accept established connections:\n Counter:\n Bytes: 21211168\n Packets: 39785\n accept icmp:\n Counter:\n Bytes: 0\n Packets: 0\n accept traffic for k8s service kube-system/vpn-shoot:\n Counter:\n Bytes: 360\n Packets: 6\n Drop:\n drop invalid packets:\n Counter:\n Bytes: 52\n Packets: 1\n drop invalid packets from forwarding to prevent malicious activity:\n Counter:\n Bytes: 0\n Packets: 0\n drop invalid packets to prevent malicious activity:\n Counter:\n Bytes: 0\n Packets: 0\n drop packets with invalid ct state:\n Counter:\n Bytes: 0\n Packets: 0\n drop ping floods:\n Counter:\n Bytes: 0\n Packets: 0\n Other:\n block bgp forward to machines:\n Counter:\n Bytes: 0\n Packets: 0\n count and log dropped packets:\n Counter:\n Bytes: 2528\n Packets: 51\n snat (networkid: internet):\n Counter:\n Bytes: 36960\n Packets: 486","category":"page"},{"location":"external/firewall-controller/README/#Prometheus-integration","page":"firewall-controller","title":"Prometheus integration","text":"","category":"section"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"There are two exporters running on the firewall to report essential metrics from this machine:","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"node-exporter for machine specific metrics like cpu, ram and disk usage, see node-exporter for details.\nnftables-exporter for nftables metrics, see nftables-exporter","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"Both exporters are exposed as services:","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"kubectl get svc -n firewall\nNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE\nnftables-exporter ClusterIP None 9630/TCP 13h\nnode-exporter ClusterIP None 9100/TCP 13h","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"These services are in front of virtual endpoints:","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"kubectl get ep -n firewall\nNAME ENDPOINTS AGE\nnftables-exporter 10.3.164.1:9630 13h\nnode-exporter 10.3.164.1:9100 13h","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"You can scrape these services in you prometheus installation to get the metrics.","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"To check you can run:","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"curl nftables-exporter.firewall.svc.cluster.local:9630/metrics\ncurl node-exporter.firewall.svc.cluster.local:9100/metrics","category":"page"},{"location":"external/firewall-controller/README/#Firewall-Logs","page":"firewall-controller","title":"Firewall Logs","text":"","category":"section"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"It is also possible to tail for the dropped packets with the following command (install stern from stern ):","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"stern -n firewall drop","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"The output will look like:","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"\ndroptailer-6d556bd988-4g8gp droptailer 2020-06-17 13:23:27 +0000 UTC {\"DPT\":\"4000\",\"DST\":\"1.2.3.4\",\"ID\":\"54321\",\"IN\":\"vrf104009\",\"LEN\":\"40\",\"MAC\":\"ca:41:f9:80:fa:89:aa:bb:0e:62:8c:a6:08:00\",\"OUT\":\"vlan179\",\"PREC\":\"0x00\",\"PROTO\":\"TCP\",\"RES\":\"0x00\",\"SPT\":\"38464\",\"SRC\":\"2.3.4.5\",\"SYN\":\"\",\"TOS\":\"0x00\",\"TTL\":\"236\",\"URGP\":\"0\",\"WINDOW\":\"65535\",\"timestamp\":\"2020-06-17 13:23:27 +0000 UTC\"}\ndroptailer-6d556bd988-4g8gp droptailer 2020-06-17 13:23:34 +0000 UTC {\"DPT\":\"2362\",\"DST\":\"1.2.3.4\",\"ID\":\"44545\",\"IN\":\"vrf104009\",\"LEN\":\"40\",\"MAC\":\"ca:41:f9:80:fa:89:aa:bb:0e:62:8c:a6:08:00\",\"OUT\":\"\",\"PREC\":\"0x00\",\"PROTO\":\"TCP\",\"RES\":\"0x00\",\"SPT\":\"40194\",\"SRC\":\"2.3.4.5\",\"SYN\":\"\",\"TOS\":\"0x00\",\"TTL\":\"242\",\"URGP\":\"0\",\"WINDOW\":\"1024\",\"timestamp\":\"2020-06-17 13:23:34 +0000 UTC\"}\ndroptailer-6d556bd988-4g8gp droptailer 2020-06-17 13:23:30 +0000 UTC {\"DPT\":\"650\",\"DST\":\"1.2.3.4\",\"ID\":\"12399\",\"IN\":\"vrf104009\",\"LEN\":\"40\",\"MAC\":\"ca:41:f9:80:fa:89:aa:bb:0e:62:8c:a6:08:00\",\"OUT\":\"vlan179\",\"PREC\":\"0x00\",\"PROTO\":\"TCP\",\"RES\":\"0x00\",\"SPT\":\"40194\",\"SRC\":\"2.3.4.5\",\"SYN\":\"\",\"TOS\":\"0x00\",\"TTL\":\"241\",\"URGP\":\"0\",\"WINDOW\":\"1024\",\"timestamp\":\"2020-06-17 13:23:30 +0000 UTC\"}\ndroptailer-6d556bd988-4g8gp droptailer 2020-06-17 13:23:34 +0000 UTC {\"DPT\":\"2362\",\"DST\":\"1.2.3.4\",\"ID\":\"44545\",\"IN\":\"vrf104009\",\"LEN\":\"40\",\"MAC\":\"ca:41:f9:80:fa:89:aa:bb:0e:62:8c:a6:08:00\",\"OUT\":\"\",\"PREC\":\"0x00\",\"PROTO\":\"TCP\",\"RES\":\"0x00\",\"SPT\":\"40194\",\"SRC\":\"2.3.4.5\",\"SYN\":\"\",\"TOS\":\"0x00\",\"TTL\":\"242\",\"URGP\":\"0\",\"WINDOW\":\"1024\",\"timestamp\":\"2020-06-17 13:23:34 +0000 UTC\"}\ndroptailer-6d556bd988-4g8gp droptailer 2020-06-17 13:23:10 +0000 UTC {\"DPT\":\"63351\",\"DST\":\"1.2.3.4\",\"ID\":\"11855\",\"IN\":\"vrf104009\",\"LEN\":\"40\",\"MAC\":\"ca:41:f9:80:fa:89:aa:bb:0e:62:8c:a6:08:00\",\"OUT\":\"vlan179\",\"PREC\":\"0x00\",\"PROTO\":\"TCP\",\"RES\":\"0x00\",\"SPT\":\"54589\",\"SRC\":\"2.3.4.5\",\"SYN\":\"\",\"TOS\":\"0x00\",\"TTL\":\"245\",\"URGP\":\"0\",\"WINDOW\":\"1024\",\"timestamp\":\"2020-06-17 13:23:10 +0000 UTC\"}\ndroptailer-6d556bd988-4g8gp droptailer 2020-06-17 13:23:51 +0000 UTC {\"DPT\":\"8002\",\"DST\":\"1.2.3.4\",\"ID\":\"17539\",\"IN\":\"vrf104009\",\"LEN\":\"40\",\"MAC\":\"ca:41:f9:80:fa:89:aa:bb:0e:62:8c:a6:08:00\",\"OUT\":\"\",\"PREC\":\"0x00\",\"PROTO\":\"TCP\",\"RES\":\"0x00\",\"SPT\":\"47615\",\"SRC\":\"2.3.4.5\",\"SYN\":\"\",\"TOS\":\"0x08\",\"TTL\":\"239\",\"URGP\":\"0\",\"WINDOW\":\"1024\",\"timestamp\":\"2020-06-17 13:23:51 +0000 UTC\"}","category":"page"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"You can forward the droptailer logs to any log aggregation infrastructure you have in place.","category":"page"},{"location":"external/firewall-controller/README/#Page-Tree","page":"firewall-controller","title":"Page Tree","text":"","category":"section"},{"location":"external/firewall-controller/README/","page":"firewall-controller","title":"firewall-controller","text":"Pages = vcat([[joinpath(root, file)[length(@__DIR__)+2:end] for file in files] for (root, dirs, files) in walkdir(@__DIR__)]...)","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_list/#metalctl-tenant-list","page":"metalctl tenant list","title":"metalctl tenant list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_list/","page":"metalctl tenant list","title":"metalctl tenant list","text":"list all tenants","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_list/","page":"metalctl tenant list","title":"metalctl tenant list","text":"metalctl tenant list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_list/#Options","page":"metalctl tenant list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_list/","page":"metalctl tenant list","title":"metalctl tenant list","text":" --annotations strings annotations\n -h, --help help for list\n --id string ID of the tenant.\n --name string Name of the tenant.\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: description|id|name","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_list/#Options-inherited-from-parent-commands","page":"metalctl tenant list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_list/","page":"metalctl tenant list","title":"metalctl tenant list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_tenant_list/#SEE-ALSO","page":"metalctl tenant list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_tenant_list/","page":"metalctl tenant list","title":"metalctl tenant list","text":"metalctl tenant\t - manage tenant entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine/#metalctl-machine","page":"metalctl machine","title":"metalctl machine","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine/","page":"metalctl machine","title":"metalctl machine","text":"manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine/#Synopsis","page":"metalctl machine","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine/","page":"metalctl machine","title":"metalctl machine","text":"a machine is a bare metal server provisioned through metal-stack that is intended to run user workload.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine/#Options","page":"metalctl machine","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine/","page":"metalctl machine","title":"metalctl machine","text":" -h, --help help for machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine/#Options-inherited-from-parent-commands","page":"metalctl machine","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine/","page":"metalctl machine","title":"metalctl machine","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine/#SEE-ALSO","page":"metalctl machine","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine/","page":"metalctl machine","title":"metalctl machine","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl machine apply\t - applies one or more machines from a given file\nmetalctl machine console\t - console access to a machine\nmetalctl machine consolepassword\t - fetch the consolepassword for a machine\nmetalctl machine create\t - creates the machine\nmetalctl machine delete\t - deletes the machine\nmetalctl machine describe\t - describes the machine\nmetalctl machine edit\t - edit the machine through an editor and update\nmetalctl machine identify\t - manage machine chassis identify LED power\nmetalctl machine ipmi\t - display ipmi details of the machine, if no machine ID is given all ipmi addresses are returned.\nmetalctl machine issues\t - display machines which are in a potential bad state\nmetalctl machine list\t - list all machines\nmetalctl machine lock\t - lock a machine\nmetalctl machine logs\t - display machine provisioning logs\nmetalctl machine power\t - manage machine power\nmetalctl machine reinstall\t - reinstalls an already allocated machine\nmetalctl machine reserve\t - reserve a machine\nmetalctl machine update\t - updates the machine\nmetalctl machine update-firmware\t - update a machine firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_describe/#metalctl-machine-describe","page":"metalctl machine describe","title":"metalctl machine describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_describe/","page":"metalctl machine describe","title":"metalctl machine describe","text":"describes the machine","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_describe/","page":"metalctl machine describe","title":"metalctl machine describe","text":"metalctl machine describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_describe/#Options","page":"metalctl machine describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_describe/","page":"metalctl machine describe","title":"metalctl machine describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_describe/#Options-inherited-from-parent-commands","page":"metalctl machine describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_describe/","page":"metalctl machine describe","title":"metalctl machine describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_describe/#SEE-ALSO","page":"metalctl machine describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_describe/","page":"metalctl machine describe","title":"metalctl machine describe","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"installation/deployment/#Deploying-metal-stack","page":"Installation","title":"Deploying metal-stack","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"We are bootstrapping the metal control plane as well as our partitions with Ansible through CI.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"In order to build up your deployment, we recommend to make use of the same Ansible roles that we are using by ourselves in order to deploy the metal-stack. You can find them in the repository called metal-roles.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"In order to wrap up deployment dependencies there is a special deployment base image hosted on GitHub that you can use for running the deployment. Using this Docker image eliminates a lot of moving parts in the deployment and should keep the footprints on your system fairly small and maintainable.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"This document will from now on assume that you want to use our Ansible deployment roles for setting up metal-stack. We will also use the deployment base image, so you should also have Docker installed. It is in the nature of software deployments to differ from site to site, company to company, user to user. Therefore, we can only describe you the way of how the deployment works for us. It is up to you to tweak the deployment described in this document to your requirements.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Pages = [\"deployment.md\"]\nDepth = 5","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"warning: Warning\nProbably you need to learn writing Ansible playbooks if you want to be able to deploy the metal-stack as presented in this documentation. However, even when starting without any knowledge about Ansible it should be possible to follow these docs. In case you need further explanations regarding Ansible please refer to docs.ansible.com.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"info: Info\nIf you do not want to use Ansible for deployment, you need to come up with a deployment mechanism by yourself. However, you will probably be able to re-use some of our contents from our metal-roles repository, e.g. the Helm chart for deploying the metal control plane.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"tip: Tip\nYou can use the mini-lab as a template project for your own deployment. It uses the same approach as described in this document.","category":"page"},{"location":"installation/deployment/#Metal-Control-Plane-Deployment","page":"Installation","title":"Metal Control Plane Deployment","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"The metal control plane is typically deployed in a Kubernetes cluster. Therefore, this document will assume that you have a Kubernetes cluster ready for getting deployed. Even though it is theoretically possible to deploy metal-stack without Kubernetes, we strongly advise you to use the described method because we believe that Kubernetes gives you a lot of benefits regarding the stability and maintainability of the application deployment.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"tip: Tip\nFor metal-stack it does not matter where your control plane Kubernetes cluster is located. You can of course use a cluster managed by a hyperscaler. This has the advantage of not having to setup Kubernetes by yourself and could even become beneficial in terms of fail-safe operation. The only requirement from metal-stack is that your partitions can establish network connections to the metal control plane. If you are interested, you can find a reasoning behind this deployment decision here.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Let's start off with a fresh folder for your deployment:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"mkdir -p metal-stack-deployment\ncd metal-stack-deployment","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"At the end of this section we are gonna end up with the following files and folder structures:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":".\n├── ansible.cfg\n├── deploy_metal_control_plane.yaml\n├── files\n│   └── certs\n│      ├── ca-config.json\n│      ├── ca-csr.json\n│      ├── metal-api-grpc\n│      │   ├── client.json\n│      │   ├── server.json\n│      ├── masterdata-api\n│      │   ├── client.json\n│      │   ├── server.json\n│      └── roll_certs.sh\n├── inventories\n│   ├── control-plane.yaml\n│   └── group_vars\n│      ├── all\n│      │   └── images.yaml\n│      └── control-plane\n│        ├── common.yaml\n│         └── metal.yml\n├── generate_role_requirements.yaml\n└── roles\n └── ingress-controller\n └── tasks\n └── main.yaml","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"You can already define the inventories/group_vars/all/images.yaml file. It contains the metal-stack version you are gonna deploy:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"using Docs\n\nt = \"\"\"\n```yaml\n---\nmetal_stack_release_version: %s\n```\n\"\"\"\n\nmarkdownTemplate(t, releaseVersion())","category":"page"},{"location":"installation/deployment/#Releases-and-Ansible-Role-Dependencies","page":"Installation","title":"Releases and Ansible Role Dependencies","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"As metal-stack consists of many microservices all having individual versions, we have come up with a releases repository. It contains a YAML file (we often call it release vector) describing the fitting versions of all components for every release of metal-stack.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Ansible role dependencies are also part of a metal-stack release. Therefore, we will now write up a playbook, which dynamically renders a requirements.yaml file from the ansible-roles defined in the release repository. The requirements.yaml can then be used to resolve the actual role dependencies through Ansible Galaxy. Define the following playbook in generate_role_requirements.yaml:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"---\n- name: generate requirements.yaml\n hosts: control-plane\n connection: local\n gather_facts: false\n vars:\n release_vector_url: \"https://raw.githubusercontent.com/metal-stack/releases/{{ metal_stack_release_version }}/release.yaml\"\n tasks:\n - name: download release vector\n uri:\n url: \"{{ release_vector_url }}\"\n return_content: yes\n register: release_vector\n\n - name: write requirements.yaml from release vector\n copy:\n dest: \"{{ playbook_dir }}/requirements.yaml\"\n content: |\n {% for role_name, role_params in (release_vector.content | from_yaml).get('ansible-roles').items() %}\n - src: {{ role_params.get('repository') }}\n name: {{ role_name }}\n version: {{ hostvars[inventory_hostname][role_name | lower | replace('-', '_') + '_version'] | default(role_params.get('version'), true) }}\n {% endfor %}","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"This playbook will always be run before the actual metal-stack deployment and provide you with the proper versions of the Ansible role dependencies.","category":"page"},{"location":"installation/deployment/#Inventory","page":"Installation","title":"Inventory","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Then, there will be an inventory for the control plane deployment in inventories/control-plane.yaml that adds the localhost to the control-plane host group:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"---\ncontrol-plane:\n hosts:\n localhost:\n ansible_python_interpreter: \"{{ ansible_playbook_python }}\"","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"We do this since we are deploying to Kubernetes and do not need to SSH-connect to any hosts for the deployment (which is what Ansible typically does). This inventory is also necessary to pick up the variables inside inventories/group_vars/control-plane during the deployment.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"We recommend using the following ansible.cfg:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"[defaults]\nretry_files_enabled = false\nforce_color = true\nhost_key_checking = false\nstdout_callback = yaml\njinja2_native = true\ntransport = ssh\ntimeout = 30\nforce_valid_group_names = ignore\n\n[ssh_connection]\nretries=3\nssh_executable = /usr/bin/ssh","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Most of the properties in there are up to taste, but make sure you enable the Jinja2 native environment as this is needed for some of our roles in certain cases.","category":"page"},{"location":"installation/deployment/#Control-Plane-Playbook","page":"Installation","title":"Control Plane Playbook","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Next, we will define the actual deployment playbook in a file called deploy_metal_control_plane.yaml. You can start with the following lines:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"---\n- name: Deploy Control Plane\n hosts: control-plane\n connection: local\n gather_facts: no\n vars:\n setup_yaml:\n - url: https://raw.githubusercontent.com/metal-stack/releases/{{ metal_stack_release_version }}/release.yaml\n meta_var: metal_stack_release\n roles:\n - name: ansible-common\n tags: always\n - name: ingress-controller\n tags: ingress-controller\n - name: metal-roles/control-plane/roles/prepare\n tags: prepare\n - name: metal-roles/control-plane/roles/nsq\n tags: nsq\n - name: metal-roles/control-plane/roles/metal-db\n tags: metal-db\n - name: metal-roles/control-plane/roles/ipam-db\n tags: ipam-db\n - name: metal-roles/control-plane/roles/masterdata-db\n tags: masterdata-db\n - name: metal-roles/control-plane/roles/metal\n tags: metal","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Basically, this playbook does the following:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Include all the modules, filter plugins, etc. of ansible-common into the play\nDeploys an ingress-controller into your cluster\nDeploys the metal-stack by\nRunning preparation tasks\nDeploying NSQ\nDeploying the rethinkdb database for the metal-api (wrapped in a backup-restore-sidecar),\nDeploying the postgres database for go-ipam (wrapped in a backup-restore-sidecar)\nDeploying the postgres database for the masterdata-api (wrapped in a backup-restore-sidecar)\nApplying the metal control plane helm chart","category":"page"},{"location":"installation/deployment/#Setup-an-ingress-controller","page":"Installation","title":"Setup an ingress-controller","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"As a next step you have to add a task for deploying an ingress-controller into your cluster. nginx-ingress is what we use. If you want to use another ingress-controller, you need to parametrize the metal roles carefully. When you just use ingress-nginx, make sure to also deploy it to the default namespace ingress-nginx.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"This is how your roles/ingress-controller/tasks/main.yaml could look like:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"- name: Deploy ingress-controller\n include_role:\n name: ansible-common/roles/helm-chart\n vars:\n helm_repo: \"https://helm.nginx.com/stable\"\n helm_chart: nginx-ingress\n helm_release_name: nginx-ingress\n helm_target_namespace: ingress-nginx","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"tip: Tip\nThe ansible-common repository contains very general roles and modules that you can also use when extending your deployment further.","category":"page"},{"location":"installation/deployment/#Deployment-Parametrization","page":"Installation","title":"Deployment Parametrization","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Now you can parametrize the referenced roles to fit your environment. The role parametrization can be looked up in the role documentation on metal-roles/control-plane. You should not need to define a lot of variables for the beginning as most values are reasonably defaulted. You can start with the following content for group_vars/control-plane/common.yaml:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"---\nmetal_control_plane_ingress_dns: # if you do not have a DNS entry, you could also start with .nip.io","category":"page"},{"location":"installation/deployment/#Providing-Certificates","page":"Installation","title":"Providing Certificates","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"We have several components in our stack that communicate over encrypted gRPC just like Kubernetes components do.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"For the very basic setup you will need to create self-signed certificates for the communication between the following components (see architecture document):","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"metal-api and masterdata-api (in-cluster traffic communication)\nmetal-api and metal-hammer (partition to control plane communication)","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Here is a snippet for files/roll_certs.sh that you can use for generating your certificates (requires cfssl):","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"#!/usr/bin/env bash\nset -eo pipefail\n\nfor i in \"$@\"\ndo\ncase $i in\n -t=*|--target=*)\n TARGET=\"${i#*=}\"\n shift\n ;;\n *)\n echo \"unknown parameter passed: $1\"\n exit 1\n ;;\nesac\ndone\n\nif [ -z \"$TARGET\" ]; then\n echo \"generating ca cert\"\n cfssl genkey -initca ca-csr.json | cfssljson -bare ca\n rm *.csr\nfi\n\nif [ -z \"$TARGET\" ] || [ $TARGET == \"grpc\" ]; then\n pushd metal-api-grpc\n echo \"generating grpc certs\"\n cfssl gencert -ca=../ca.pem -ca-key=../ca-key.pem -config=../ca-config.json -profile=server server.json | cfssljson -bare server\n cfssl gencert -ca=../ca.pem -ca-key=../ca-key.pem -config=../ca-config.json -profile=client client.json | cfssljson -bare client\n rm *.csr\n popd\nfi\n\nif [ -z \"$TARGET\" ] || [ $TARGET == \"masterdata-api\" ]; then\n pushd masterdata-api\n echo \"generating masterdata-api certs\"\n rm -f *.pem\n cfssl gencert -ca=../ca.pem -ca-key=../ca-key.pem -config=../ca-config.json -profile=client-server server.json | cfssljson -bare server\n cfssl gencert -ca=../ca.pem -ca-key=../ca-key.pem -config=../ca-config.json -profile=client client.json | cfssljson -bare client\n rm *.csr\n popd\nfi","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Also define the following configurations for cfssl:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"files/certs/ca-config.json\n{\n \"signing\": {\n \"default\": {\n \"expiry\": \"43800h\"\n },\n \"profiles\": {\n \"server\": {\n \"expiry\": \"43800h\",\n \"usages\": [\"signing\", \"key encipherment\", \"server auth\"]\n },\n \"client\": {\n \"expiry\": \"43800h\",\n \"usages\": [\"signing\", \"key encipherment\", \"client auth\"]\n },\n \"client-server\": {\n \"expiry\": \"43800h\",\n \"usages\": [\n \"signing\",\n \"key encipherment\",\n \"client auth\",\n \"server auth\"\n ]\n }\n }\n }\n}\nfiles/certs/ca-csr.json\n{\n \"CN\": \"metal-control-plane\",\n \"hosts\": [],\n \"key\": {\n \"algo\": \"rsa\",\n \"size\": 4096\n },\n \"names\": [\n {\n \"C\": \"DE\",\n \"L\": \"Munich\",\n \"O\": \"Metal-Stack\",\n \"OU\": \"DevOps\",\n \"ST\": \"Bavaria\"\n }\n ]\n}\nfiles/certs/masterdata-api/client.json\n{\n \"CN\": \"masterdata-client\",\n \"hosts\": [\"\"],\n \"key\": {\n \"algo\": \"ecdsa\",\n \"size\": 256\n },\n \"names\": [\n {\n \"C\": \"DE\",\n \"L\": \"Munich\",\n \"O\": \"Metal-Stack\",\n \"OU\": \"DevOps\",\n \"ST\": \"Bavaria\"\n }\n ]\n}\nfiles/certs/masterdata-api/server.json\n{\n \"CN\": \"masterdata-api\",\n \"hosts\": [\n \"localhost\",\n \"masterdata-api\",\n \"masterdata-api.metal-control-plane.svc\",\n \"masterdata-api.metal-control-plane.svc.cluster.local\"\n ],\n \"key\": {\n \"algo\": \"ecdsa\",\n \"size\": 256\n },\n \"names\": [\n {\n \"C\": \"DE\",\n \"L\": \"Munich\",\n \"O\": \"Metal-Stack\",\n \"OU\": \"DevOps\",\n \"ST\": \"Bavaria\"\n }\n ]\n}\nfiles/certs/metal-api-grpc/client.json\n{\n \"CN\": \"grpc-client\",\n \"hosts\": [\"\"],\n \"key\": {\n \"algo\": \"rsa\",\n \"size\": 4096\n },\n \"names\": [\n {\n \"C\": \"DE\",\n \"L\": \"Munich\",\n \"O\": \"Metal-Stack\",\n \"OU\": \"DevOps\",\n \"ST\": \"Bavaria\"\n }\n ]\n}\nfiles/certs/metal-api-grpc/server.json (Fill in your control plane ingress DNS here)\n{\n \"CN\": \"metal-api\",\n \"hosts\": [\"\"],\n \"key\": {\n \"algo\": \"rsa\",\n \"size\": 4096\n },\n \"names\": [\n {\n \"C\": \"DE\",\n \"L\": \"Munich\",\n \"O\": \"Metal-Stack\",\n \"OU\": \"DevOps\",\n \"ST\": \"Bavaria\"\n }\n ]\n}","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Running the roll_certs.sh bash script without any arguments should generate you the required certificates.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Now Provide the paths to these certificates in group_vars/control-plane/metal.yaml:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"---\nmetal_masterdata_api_tls_ca: \"{{ lookup('file', 'certs/ca.pem') }}\"\nmetal_masterdata_api_tls_cert: \"{{ lookup('file', 'certs/masterdata-api/server.pem') }}\"\nmetal_masterdata_api_tls_cert_key: \"{{ lookup('file', 'certs/masterdata-api/server-key.pem') }}\"\nmetal_masterdata_api_tls_client_cert: \"{{ lookup('file', 'certs/masterdata-api/client.pem') }}\"\nmetal_masterdata_api_tls_client_key: \"{{ lookup('file', 'certs/masterdata-api/client-key.pem') }}\"\n\nmetal_api_grpc_certs_server_key: \"{{ lookup('file', 'certs/metal-api-grpc/server-key.pem') }}\"\nmetal_api_grpc_certs_server_cert: \"{{ lookup('file', 'certs/metal-api-grpc/server.pem') }}\"\nmetal_api_grpc_certs_client_key: \"{{ lookup('file', 'certs/metal-api-grpc/client-key.pem') }}\"\nmetal_api_grpc_certs_client_cert: \"{{ lookup('file', 'certs/metal-api-grpc/client.pem') }}\"\nmetal_api_grpc_certs_ca_cert: \"{{ lookup('file', 'certs/ca.pem') }}\"","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"tip: Tip\nFor the actual communication between the metal-api and the user clients (REST API, runs over the ingress-controller you deployed before), you can simply deploy a tool like cert-manager into your Kubernetes cluster, which will automatically provide your ingress domains with Let's Encrypt certificates.","category":"page"},{"location":"installation/deployment/#Running-the-Deployment","page":"Installation","title":"Running the Deployment","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Finally, it should be possible to run the deployment through a Docker container. Make sure to have the Kubeconfig file of your cluster and set the path in the following command accordingly:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"using Docs\n\nbase_image = releaseVector()[\"docker-images\"][\"metal-stack\"][\"generic\"][\"deployment-base\"][\"tag\"]\n\nt = raw\"\"\"\n```bash\nexport KUBECONFIG=\ndocker run --rm -it \\\n -v $(pwd):/workdir \\\n --workdir /workdir \\\n -e KUBECONFIG=\"${KUBECONFIG}\" \\\n -e K8S_AUTH_KUBECONFIG=\"${KUBECONFIG}\" \\\n -e ANSIBLE_INVENTORY=inventories/control-plane.yaml \\\n metalstack/metal-deployment-base:%s \\\n /bin/bash -ce \\\n \"ansible-playbook obtain_role_requirements.yaml\n ansible-galaxy install -r requirements.yaml\n ansible-playbook deploy_metal_control_plane.yaml\"\n```\n\"\"\"\n\nmarkdownTemplate(t, base_image)","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"tip: Tip\nIf you are having issues regarding the deployment take a look at the troubleshoot document. Please give feedback such that we can make the deployment of the metal-stack easier for you and for others!","category":"page"},{"location":"installation/deployment/#Providing-Images","page":"Installation","title":"Providing Images","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"After the deployment has finished (hopefully without any issues!), you should consider deploying some masterdata entities into your metal-api. For example, you can add your first machine sizes and operating system images. You can do this by further parametrizing the metal role. We will just add an operating system for demonstration purposes. Add the following variable to your inventories/group_vars/control-plane/common.yaml:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"metal_api_images:\n- id: firewall-ubuntu-2.0.20201004\n name: Firewall 2 Ubuntu 20201004\n description: Firewall 2 Ubuntu 20201004\n url: http://images.metal-stack.io/metal-os/master/firewall/2.0-ubuntu/20201004/img.tar.lz4\n features:\n - firewall\n- id: ubuntu-20.04.20201004\n name: Ubuntu 20.04 20201004\n description: Ubuntu 20.04 20201004\n url: http://images.metal-stack.io/metal-os/master/ubuntu/20.04/20201004/img.tar.lz4\n features:\n - machine","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Then, re-run the deployment to apply your changes. Our playbooks are idempotent.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"info: Info\nImage versions should be regularly checked for updates.","category":"page"},{"location":"installation/deployment/#Setting-up-metalctl","page":"Installation","title":"Setting up metalctl","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"You can now verify the existence of the operating system images in the metal-api using our CLI client called metalctl. The configuration for metalctl should look like this:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"# ~/.metalctl/config.yaml\n---\ncurrent: test\ncontexts:\n test:\n # the metal-api endpoint depends on your dns name specified before\n # you can look up the url to the metal-api via the kubernetes ingress\n # resource with:\n # $ kubectl get ingress -n metal-control-plane\n url: \n # in the future you have to change the HMAC to a strong, random string\n # in order to protect against unauthorized api access\n # the default hmac is \"change-me\"\n hmac: change-me","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Issue the following command:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"$ metalctl image ls\nID \tNAME \tDESCRIPTION \tFEATURES\tEXPIRATION\tSTATUS\nubuntu-19.10.20200331 \tUbuntu 19.10 20200331 \tUbuntu 19.10 20200331 \tmachine \t89d 23h \tpreview","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"The basic principles of how the metal control plane can be deployed should now be clear. It is now up to you to move the deployment execution into your CI and add things like certificates for the ingress-controller and NSQ.","category":"page"},{"location":"installation/deployment/#Setting-Up-the-backup-restore-sidecar","page":"Installation","title":"Setting Up the backup-restore-sidecar","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"The backup-restore-sidecar can come up very handy when you want to add another layer of security to the metal-stack databases in your Kubernetes cluster. The sidecar takes backups of the metal databases in small time intervals and stores them in a blobstore of a cloud provider. This way your metal-stack setup can even survive the deletion of your Kubernetes control plane cluster (including all volumes getting lost). After re-deploying metal-stack to another Kubernetes clusters, the databases come up with the latest backup data in a matter of seconds.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Checkout the role documentation of the individual databases to find out how to configure the sidecar properly. You can also try out the mechanism from the backup-restore-sidecar repository.","category":"page"},{"location":"installation/deployment/#Auth","page":"Installation","title":"Auth","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"metal-stack currently supports two authentication methods:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"dex for providing user authentication through OpenID Connect (OIDC)\nHMAC auth, typically used for access by technical users (because we do not have service account tokens at the time being)","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"In the metal-api, we have three different user roles for authorization:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Admin\nEdit\nView","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"How the user permissions are used is documented in the technical API docs.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"If you decided to set up a dex server, you can parametrize the metal role for using the dex server by defining the variable metal_api_dex_address.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"info: Info\nWe also have dedicated controllers for using the dex server for Kubernetes clusters when deploying metal-stack along with the Gardener in your environment. The approach is described in further detail in the section Gardener with metal-stack.","category":"page"},{"location":"installation/deployment/#Bootstrapping-a-Partition","page":"Installation","title":"Bootstrapping a Partition","text":"","category":"section"},{"location":"installation/deployment/#Out-Of-Band-Network","page":"Installation","title":"Out-Of-Band-Network","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"To be able to deploy and maintain a metal-stack partition, you need to bootstrap the Out-Of-Band-Network first. Some considerations must be made to fulfill the requirements of our infrastructure, a partition is designed to be:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"secure\nfully routable (BGP)\nscalable\nresilient\ndeployable via CI/CD jobs\naccessible from the internet from specific IPs","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"In order to accomplish this task remotely and in a nearly automatic manner, you have to bootstrap the components in this order:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"management firewalls\nmanagement servers\nmanagement spines\nmanagement leaves\nleaves, spines and exits","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"This document assumes that all cabling is done. Here is a quick overview of the architecture:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"(Image: Out-of-Band-Network)","category":"page"},{"location":"installation/deployment/#Management-Firewalls","page":"Installation","title":"Management Firewalls","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"As you can see, the management firewalls are the first bastion hosts in a partition to provide access to our infrastructure. There are two of them in each partition to guarantee high availability and load balancing. The very first configuration of these routers has to be done manually to solve the chicken and egg problem that you need the management firewalls in place to deploy the partition. Manually means that we generate a configuration template with ansible that we deploy with copy/paste, and the load, through the machine console. Once the management server has been deployed, we are able to deploy this configuration via CI runner and ansible. For this you need the user and the ssh-key, which is deployed with the configuration file mentioned above. The Edgerouters has to fulfill some requirements including:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"provide and restrict access to the Out-Of-Band-Network from the internet with a firewall ruleset\nprovide destination NAT to the management server and its IPMI interface\nprovide Onie Boot and ztp via DHCP options for the management spine\nprovide DHCP management addresses for management spine, management server and ipmi interface of the management server\nHairpin-NAT for the management server to access itself via its puplic IP, needed by the CI runner to delegate CI Jobs.\npropagate a default gateway via BGP","category":"page"},{"location":"installation/deployment/#Management-Servers","page":"Installation","title":"Management Servers","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"The second bastion hosts are the management servers. They are the main bootstrapping components of the Out-Of-Band-Network. They also act as jump hosts for all components in a partition. Once they are installed and deployed, we are able to bootstrap all the other components. To bootstrap the management servers, we generate an ISO image which will automatically install an OS and an ansible user with ssh keys. It is preconfigured with a preseed file to allow an unattended OS installation for our needs. This is why we need remote access to the IPMI interface of the management servers: The generated ISO is attached via the virtual media function of the BMC. After that, all we have to do is boot from that virtual CD-ROM and wait for the installation to finish. Deployment jobs (Gitlab-CI) in a partition are delegated to the appropriate management servers, therefore we need a CI runner active on each management server.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"After the CI runner has been installed, you can trigger your Playbooks from the the CI. The Ansible-Playbooks have to make sure that these functionalities are present on the management servers:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Prometheus and exporters\nCI runner\nmetal-bmc\nimage-cache\nsimple webserver to provide images\nOnie Boot and ZTP\nDHCP addresses for ipmi interfaces of the workers\nDHCP addresses for switches","category":"page"},{"location":"installation/deployment/#Management-Spines","page":"Installation","title":"Management Spines","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"tip: Tip\nIf you are using SONiC switches, you should make use of Zero Touch Provisioning and Onie Boot","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"The purpose of these switches is to connect the management interfaces of all switches to the management servers. The management spine's own management interface is connected to the management firewall for the bootstrapping of the management spine itself. The management firewall will provide a DHCP address and DHCP options to start SONiC's Zero Touch Provisioning; the images for all switches are downloaded from the management server (nginx container). Each management leaf is connected to both management spines to provide redundant connectivity to both management servers. BGP is used as a routing protocol such that, when a link goes down, an alternate path is used. In the picture above you can see that there are also switch management interfaces connected to the management spine. This has to be done so that we can bootstrap these switches; the management spine relays the DHCP requests from these switches to the management servers so that they are able to Onie Boot and get their ZTP scripts.","category":"page"},{"location":"installation/deployment/#Management-Leaves","page":"Installation","title":"Management Leaves","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"All workers have to be connected with their IPMI/BMC interface to the management leaves to get DHCP addresses from the management server. The management leaves are relaying those DHCP requests to the management server which will answer the requests and provide IPs from a given range. The management interfaces of the management leaves also have to be reachable from the management server, and need to get their IP address via DHCP for the bootstrapping process.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"In the example setup, these interfaces are connected to an end-of-row-switch which aggregates them and connects them to the management spines with a fiber-optics connection. If you can reach the management spines from the management leaves with copper cables, you do not need the end of row switch. After the initial bootstrapping, the management interfaces of the management leaves continue to be used for access to the switches' command line, and for subsequent OS updates. (update=reset+bootrap+deployment)","category":"page"},{"location":"installation/deployment/#Partition-Deployment","page":"Installation","title":"Partition Deployment","text":"","category":"section"},{"location":"installation/deployment/#Gardener-with-metal-stack","page":"Installation","title":"Gardener with metal-stack","text":"","category":"section"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"If you want to deploy metal-stack as a cloud provider for Gardener, you should follow the regular Gardener installation instructions and setup a Gardener cluster first. It's perfectly fine to setup the Gardener cluster in the same cluster that you use for hosting metal-stack.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"You can find installation instructions for Gardener on the Gardener website beneath docs. metal-stack is an out-of-tree provider and therefore you will not find example files for metal-stack resources in the Gardener repositories. The following list describes the resources and components that you need to deploy into the Gardener cluster in order to make Gardener work with metal-stack:","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"warning: Warning\nThe following list assumes you have Gardener installed in a Kubernetes cluster and that you have a basic understanding of how Gardener works. If you need further help with the following steps, you can also come and ask in our Slack channel.","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"Deploy the validator from the gardener-extension-provider-metal repository to your cluster via Helm\nAdd a cloud profile called metal containing all your machine images, machine types and regions (region names can be chosen freely, the zone names need to match your partition names) together with our metal-stack-specific provider config as defined here\nRegister the gardener-extension-provider-metal controller by deploying the controller-registration into your Gardener cluster, parametrize the embedded chart in the controller registration's values section if necessary (this is the corresponding values file)\nmetal-stack does not provide an own backup storage infrastructure for now. If you want to enable ETCD backups (which you should do because metal-stack also does not have persistent storage out of the box, which makes these backups even more valuable), you should deploy an extension-provider of another cloud provider and configure it to only reconcile the backup buckets (you can reference this backup infrastructure used for the metal shoot in the shoot spec)\nRegister the os-extension-provider-metal controller by deploying the controller-registration into your Gardener cluster, this controller can transform the operating system configuration from Gardener into Ignition user data\nYou need to use the Gardener's networking-calico controller for setting up shoot CNI, you will have to put specific provider configuration into the shoot spec to make it work with metal-stack:\nnetworking:\n type: calico\n # we can peer with the frr within 10.244.0.0/16, which we do with the metallb\n # the networks for the shoot need to be disjunct with the networks of the seed, otherwise the VPN connection will not work properly\n # the seeds are typically deployed with podCIDR 10.244.128.0/18 and serviceCIDR 10.244.192.0/18\n # the shoots are typically deployed with podCIDR 10.244.0.0/18 and serviceCIDR 10.244.64.0/18\n pods: 10.244.0.0/18\n services: 10.244.64.0/18\n providerConfig:\n apiVersion: calico.networking.extensions.gardener.cloud/v1alpha1\n kind: NetworkConfig\n backend: vxlan\n ipv4:\n pool: vxlan\n mode: Always\n autoDetectionMethod: interface=lo\n typha:\n enabled: false\nFor your seed cluster you will need to provide the provider secret for metal-stack containing the key metalAPIHMac, which is the API HMAC to grant editor access to the metal-api\nCheckout our current provider configuration for infrastructure and control-plane before deploying your shoot","category":"page"},{"location":"installation/deployment/","page":"Installation","title":"Installation","text":"tip: Tip\nWe are officially supported by Gardener dashboard. The dashboard can also help you setting up some of the resources mentioned above.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_list/#metalctl-switch-list","page":"metalctl switch list","title":"metalctl switch list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_list/","page":"metalctl switch list","title":"metalctl switch list","text":"list all switches","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_list/","page":"metalctl switch list","title":"metalctl switch list","text":"metalctl switch list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_list/#Options","page":"metalctl switch list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_list/","page":"metalctl switch list","title":"metalctl switch list","text":" -h, --help help for list\n --id string ID of the switch.\n --name string Name of the switch.\n --os-vendor string OS vendor of this switch.\n --os-version string OS version of this switch.\n --partition string Partition of this switch.\n --rack string Rack of this switch.\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: description|id|name","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_list/#Options-inherited-from-parent-commands","page":"metalctl switch list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_list/","page":"metalctl switch list","title":"metalctl switch list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_list/#SEE-ALSO","page":"metalctl switch list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_list/","page":"metalctl switch list","title":"metalctl switch list","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_apply/#metalctl-network-ip-apply","page":"metalctl network ip apply","title":"metalctl network ip apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_apply/","page":"metalctl network ip apply","title":"metalctl network ip apply","text":"applies one or more ips from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_apply/","page":"metalctl network ip apply","title":"metalctl network ip apply","text":"metalctl network ip apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_apply/#Options","page":"metalctl network ip apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_apply/","page":"metalctl network ip apply","title":"metalctl network ip apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl ip describe ip-1 -o yaml > ip.yaml\n $ vi ip.yaml\n $ # either via stdin\n $ cat ip.yaml | metalctl ip apply -f -\n $ # or via file\n $ metalctl ip apply -f ip.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_apply/#Options-inherited-from-parent-commands","page":"metalctl network ip apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_apply/","page":"metalctl network ip apply","title":"metalctl network ip apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_ip_apply/#SEE-ALSO","page":"metalctl network ip apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_ip_apply/","page":"metalctl network ip apply","title":"metalctl network ip apply","text":"metalctl network ip\t - manage ip entities","category":"page"},{"location":"external/metalctl/docs/metalctl_image_create/#metalctl-image-create","page":"metalctl image create","title":"metalctl image create","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_create/","page":"metalctl image create","title":"metalctl image create","text":"creates the image","category":"page"},{"location":"external/metalctl/docs/metalctl_image_create/","page":"metalctl image create","title":"metalctl image create","text":"metalctl image create [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_image_create/#Options","page":"metalctl image create","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_create/","page":"metalctl image create","title":"metalctl image create","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -d, --description string Description of the image.\n --features strings features of the image, can be one of machine|firewall\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl image describe image-1 -o yaml > image.yaml\n $ vi image.yaml\n $ # either via stdin\n $ cat image.yaml | metalctl image create -f -\n $ # or via file\n $ metalctl image create -f image.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for create\n --id string ID of the image.\n -n, --name string Name of the image.\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations\n --url string url of the image.","category":"page"},{"location":"external/metalctl/docs/metalctl_image_create/#Options-inherited-from-parent-commands","page":"metalctl image create","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_create/","page":"metalctl image create","title":"metalctl image create","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_image_create/#SEE-ALSO","page":"metalctl image create","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_create/","page":"metalctl image create","title":"metalctl image create","text":"metalctl image\t - manage image entities","category":"page"},{"location":"#Welcome-to-the-metal-stack-docs!","page":"Introduction","title":"Welcome to the metal-stack docs!","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"metal-stack is an open source software that provides an API for provisioning and managing physical servers in the data center. To categorize this product, we use the terms Metal-as-a-Service (MaaS) or bare metal cloud.","category":"page"},{"location":"","page":"Introduction","title":"Introduction","text":"From the perspective of a user, the metal-stack does not feel any different from working with a conventional cloud provider. Users manage their resources (machines, networks and ip addresses, etc.) by themselves, which effectively turns your data center into an elastic cloud infrastructure.","category":"page"},{"location":"","page":"Introduction","title":"Introduction","text":"The major difference to other cloud providers is that compute power and data reside in your own data center.","category":"page"},{"location":"","page":"Introduction","title":"Introduction","text":"Pages = [\"index.md\"]\nDepth = 5","category":"page"},{"location":"#Why-metal-stack?","page":"Introduction","title":"Why metal-stack?","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"Before we started with our mission to implement the metal-stack, we decided on a couple of key characteristics and constraints that we think are unique in the domain (otherwise we would definitely have chosen an existing solution).","category":"page"},{"location":"","page":"Introduction","title":"Introduction","text":"We hope that the following properties appeal to you as well.","category":"page"},{"location":"#On-Premise","page":"Introduction","title":"On-Premise","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"Running on-premise gives you data sovereignty and usually a better price / performance ratio than with hyperscalers — especially the larger you grow your environment. Another benefit of running on-premise is an easier connectivity to existing company networks.","category":"page"},{"location":"#Fast-Provisioning","page":"Introduction","title":"Fast Provisioning","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"Provisioning bare metal machines should not feel much different from virtual machines. metal-stack is capable of provisioning servers in less than a minute. The underlying network topology is based on BGP and allows announcing new routes to your host machines in a matter of seconds.","category":"page"},{"location":"#No-Ops","page":"Introduction","title":"No-Ops","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"Part of the metal-stack runs on dedicated switches in your data center. This way, it is possible to automate server inventorization, permanently reconcile network configuration and automatically manage machine lifecycles. Manual configuration is neither required nor wanted.","category":"page"},{"location":"#Security","page":"Introduction","title":"Security","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"Our networking approach was designed for highest standards on security. Also, we enforce firewalling on dedicated tenant firewalls before users can establish connections to other networks than their private tenant network. API authentication and authorization is done with the help of OIDC.","category":"page"},{"location":"#API-driven","page":"Introduction","title":"API driven","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"The development of metal-stack is strictly API driven and offers self-service to end-users. This approach delivers the highest possible degree of automation, maintainability and performance.","category":"page"},{"location":"#Ready-for-Kubernetes","page":"Introduction","title":"Ready for Kubernetes","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"Not only does the metal-stack run smoothly on Kubernetes (K8s). The major intent of metal-stack has always been to build a scalable machine infrastructure for Kubernetes as a Service (KaaS). In partnership with the open-source project Gardener, we can provision Kubernetes clusters on metal-stack at scale.","category":"page"},{"location":"","page":"Introduction","title":"Introduction","text":"From the perspective of the Gardener, the metal-stack is just another cloud provider. The time savings compared to providing machines and Kubernetes by hand are significant. We actually want to be able to compete with offers of public cloud providers, especially regarding speed and usability.","category":"page"},{"location":"","page":"Introduction","title":"Introduction","text":"Of course, you can use metal-stack only for machine provisioning as well and just put something else on top of your metal infrastructure.","category":"page"},{"location":"#Open-Source","page":"Introduction","title":"Open Source","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"The metal-stack is open source and free of constraints regarding vendors and third-party products. The stack is completely built on open source products. We have a community actively working on the metal-stack, which can assist you delivering all reasonable features you are gonna need.","category":"page"},{"location":"#Why-Bare-Metal?","page":"Introduction","title":"Why Bare Metal?","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"Bare metal has several advantages over virtual environments and overcomes several drawbacks of virtual machines. We also listed drawbacks of the bare metal approach. Bare in mind though that it is still possible to virtualize on bare metal environments when you have your stack up and running.","category":"page"},{"location":"#Virtual-Environment-Drawbacks","page":"Introduction","title":"Virtual Environment Drawbacks","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"Spectre and Meltdown can only be mitigated with a \"cluster per tenant\" approach\nMissing isolation of multi-tenant change impacts\nLicensing restrictions\nNoisy-neighbors","category":"page"},{"location":"#Bare-Metal-Advantages","page":"Introduction","title":"Bare Metal Advantages","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"Guaranteed and fastest possible performance (especially disk i/o)\nReduced stack depth (Host / VM / Application vs. Host / Container)\nReduced attack surface\nLower costs, higher performance\nNo VM live-migrations\nBigger hardware configurations possible (hypervisors have restrictions, e.g. it is not possible to assign all CPUs to a single VM)","category":"page"},{"location":"#Bare-Metal-Drawbacks","page":"Introduction","title":"Bare Metal Drawbacks","text":"","category":"section"},{"location":"","page":"Introduction","title":"Introduction","text":"Hardware defects have direct impact (should be considered by design) and can not be mitigated by live-migration as in virtual environments\nCapacity planning is more difficult (no resource overbooking possible)","category":"page"},{"location":"development/proposals/MEP2/README/#Two-Factor-Authentication","page":"Two Factor Authentication","title":"Two Factor Authentication","text":"","category":"section"},{"location":"development/proposals/MEP14/README/#Independence-from-external-sources","page":"Independence from external sources","title":"Independence from external sources","text":"","category":"section"},{"location":"development/proposals/MEP14/README/","page":"Independence from external sources","title":"Independence from external sources","text":"In certain situations some customers may need to operate and create machines without making use of external services like DNS or NTP through the internet. To make this possible, all metal-stack components reaching external services need to be configurable with custom endpoints.","category":"page"},{"location":"development/proposals/MEP14/README/","page":"Independence from external sources","title":"Independence from external sources","text":"So far, the following components have been identified as requiring changes:","category":"page"},{"location":"development/proposals/MEP14/README/","page":"Independence from external sources","title":"Independence from external sources","text":"pixiecore\nmetal-hammer\nmetal-images","category":"page"},{"location":"development/proposals/MEP14/README/","page":"Independence from external sources","title":"Independence from external sources","text":"More components are likely to be added to the list during processing. For DNS and NTP servers it should be possible to provide default values within a partition. They can either be inherited from machines and firewalls or overwritten with own ones.","category":"page"},{"location":"development/proposals/MEP14/README/#pixiecore","page":"Independence from external sources","title":"pixiecore","text":"","category":"section"},{"location":"development/proposals/MEP14/README/","page":"Independence from external sources","title":"Independence from external sources","text":"A NTP server endpoint need to be configured on the pixiecore. This can be achieved by providing it through environment variables on start up.","category":"page"},{"location":"development/proposals/MEP14/README/#metal-hammer","page":"Independence from external sources","title":"metal-hammer","text":"","category":"section"},{"location":"development/proposals/MEP14/README/","page":"Independence from external sources","title":"Independence from external sources","text":"If using a self-deployed NTP server, also the metal-hammer need to be configured with it. For backward compatibility, default values from pool.ntp.org and time.google.com are used.","category":"page"},{"location":"development/proposals/MEP14/README/#metal-images","page":"Independence from external sources","title":"metal-images","text":"","category":"section"},{"location":"development/proposals/MEP14/README/","page":"Independence from external sources","title":"Independence from external sources","text":"Configurations for the metal-images are different for machines and firewalls.","category":"page"},{"location":"development/proposals/MEP14/README/#metalctl","page":"Independence from external sources","title":"metalctl","text":"","category":"section"},{"location":"development/proposals/MEP14/README/","page":"Independence from external sources","title":"Independence from external sources","text":"In order to pass DNS and NTP servers to partitions and machines while creating them, the flags dnsservers and ntpservers need to be added.","category":"page"},{"location":"development/proposals/MEP14/README/","page":"Independence from external sources","title":"Independence from external sources","text":"The implementation of this MEP will make metal-stack possible to create and maintain machines without requiring an internet connection.","category":"page"},{"location":"apidocs/apidocs/#API-Documentation","page":"API Documentation","title":"API Documentation","text":"","category":"section"},{"location":"apidocs/apidocs/","page":"API Documentation","title":"API Documentation","text":"In this section you will find links to the API documentation of metal-stack components.","category":"page"},{"location":"apidocs/apidocs/","page":"API Documentation","title":"API Documentation","text":"using Docs\n\nmetal_api_image = releaseVector()[\"docker-images\"][\"metal-stack\"][\"control-plane\"][\"metal-api\"][\"tag\"]\ncontent = redocTemplate(\"metal-api\", string(\"https://raw.githubusercontent.com/metal-stack/metal-api/\", metal_api_image, \"/spec/metal-api.json\"))\n\nf = open(string(@__DIR__, \"/metal-api/index.html\"), \"w\")\nwrite(f, content)\nclose(f);\n\nnothing","category":"page"},{"location":"apidocs/apidocs/","page":"API Documentation","title":"API Documentation","text":"metal-api","category":"page"},{"location":"external/metalctl/docs/metalctl_network_delete/#metalctl-network-delete","page":"metalctl network delete","title":"metalctl network delete","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_delete/","page":"metalctl network delete","title":"metalctl network delete","text":"deletes the network","category":"page"},{"location":"external/metalctl/docs/metalctl_network_delete/","page":"metalctl network delete","title":"metalctl network delete","text":"metalctl network delete [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_delete/#Options","page":"metalctl network delete","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_delete/","page":"metalctl network delete","title":"metalctl network delete","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl network describe network-1 -o yaml > network.yaml\n $ vi network.yaml\n $ # either via stdin\n $ cat network.yaml | metalctl network delete -f -\n $ # or via file\n $ metalctl network delete -f network.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for delete\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_network_delete/#Options-inherited-from-parent-commands","page":"metalctl network delete","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_delete/","page":"metalctl network delete","title":"metalctl network delete","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_delete/#SEE-ALSO","page":"metalctl network delete","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_delete/","page":"metalctl network delete","title":"metalctl network delete","text":"metalctl network\t - manage network entities","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_down/#metalctl-switch-port-down","page":"metalctl switch port down","title":"metalctl switch port down","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_down/","page":"metalctl switch port down","title":"metalctl switch port down","text":"sets the given switch port state down","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_down/#Synopsis","page":"metalctl switch port down","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_down/","page":"metalctl switch port down","title":"metalctl switch port down","text":"sets the port status to DOWN so the connected machine will not be able to connect to the switch.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_down/","page":"metalctl switch port down","title":"metalctl switch port down","text":"metalctl switch port down [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_down/#Options","page":"metalctl switch port down","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_down/","page":"metalctl switch port down","title":"metalctl switch port down","text":" -h, --help help for down","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_down/#Options-inherited-from-parent-commands","page":"metalctl switch port down","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_down/","page":"metalctl switch port down","title":"metalctl switch port down","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --port string the port to be changed.\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_down/#SEE-ALSO","page":"metalctl switch port down","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_down/","page":"metalctl switch port down","title":"metalctl switch port down","text":"metalctl switch port\t - sets the given switch port state up or down","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_ssh/#metalctl-switch-ssh","page":"metalctl switch ssh","title":"metalctl switch ssh","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_ssh/","page":"metalctl switch ssh","title":"metalctl switch ssh","text":"connect to the switch via ssh","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_ssh/#Synopsis","page":"metalctl switch ssh","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_ssh/","page":"metalctl switch ssh","title":"metalctl switch ssh","text":"this requires a network connectivity to the management ip address of the switch.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_ssh/","page":"metalctl switch ssh","title":"metalctl switch ssh","text":"metalctl switch ssh [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_ssh/#Options","page":"metalctl switch ssh","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_ssh/","page":"metalctl switch ssh","title":"metalctl switch ssh","text":" -h, --help help for ssh","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_ssh/#Options-inherited-from-parent-commands","page":"metalctl switch ssh","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_ssh/","page":"metalctl switch ssh","title":"metalctl switch ssh","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_ssh/#SEE-ALSO","page":"metalctl switch ssh","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_ssh/","page":"metalctl switch ssh","title":"metalctl switch ssh","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/#metalctl-firmware-upload-bmc","page":"metalctl firmware upload bmc","title":"metalctl firmware upload bmc","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/","page":"metalctl firmware upload bmc","title":"metalctl firmware upload bmc","text":"upload a BMC firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/#Synopsis","page":"metalctl firmware upload bmc","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/","page":"metalctl firmware upload bmc","title":"metalctl firmware upload bmc","text":"the given BMC firmware file will be uploaded and tagged as given revision.","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/","page":"metalctl firmware upload bmc","title":"metalctl firmware upload bmc","text":"metalctl firmware upload bmc [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/#Options","page":"metalctl firmware upload bmc","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/","page":"metalctl firmware upload bmc","title":"metalctl firmware upload bmc","text":" --board string the board type (required)\n -h, --help help for bmc\n --revision string the BMC firmware revision (required)\n --vendor string the vendor (required)","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/#Options-inherited-from-parent-commands","page":"metalctl firmware upload bmc","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/","page":"metalctl firmware upload bmc","title":"metalctl firmware upload bmc","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/#SEE-ALSO","page":"metalctl firmware upload bmc","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bmc/","page":"metalctl firmware upload bmc","title":"metalctl firmware upload bmc","text":"metalctl firmware upload\t - upload a firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_list/#metalctl-machine-list","page":"metalctl machine list","title":"metalctl machine list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_list/","page":"metalctl machine list","title":"metalctl machine list","text":"list all machines","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_list/#Synopsis","page":"metalctl machine list","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_list/","page":"metalctl machine list","title":"metalctl machine list","text":"list all machines","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_list/","page":"metalctl machine list","title":"metalctl machine list","text":"Meaning of the emojis:","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_list/","page":"metalctl machine list","title":"metalctl machine list","text":"🚧 Machine is reserved. Reserved machines are not considered for random allocation until the reservation flag is removed. 🔒 Machine is locked. Locked machines can not be deleted until the lock is removed. 💀 Machine is dead. The metal-api does not receive any events from this machine. ❗ Machine has a last event error. The machine has recently encountered an error during the provisioning lifecycle. ❓ Machine is in unknown condition. The metal-api does not receive phoned home events anymore or has never booted successfully. ⭕ Machine is in a provisioning crash loop. Flag can be reset through an API-triggered reboot or when the machine reaches the phoned home state. 🚑 Machine reclaim has failed. The machine was deleted but it is not going back into the available machine pool. 🛡 Machine is connected to our VPN, ssh access only possible via this VPN.","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_list/","page":"metalctl machine list","title":"metalctl machine list","text":"metalctl machine list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_list/#Options","page":"metalctl machine list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_list/","page":"metalctl machine list","title":"metalctl machine list","text":" --bmc-address string bmc ipmi address (needs to include port) to filter [optional]\n --bmc-mac string bmc mac address to filter [optional]\n --board-part-number string fru board part number to filter [optional]\n -h, --help help for list\n --hostname string allocation hostname to filter [optional]\n --id string ID to filter [optional]\n --image string allocation image to filter [optional]\n --last-event-error-threshold duration the duration up to how long in the past a machine last event error will be counted as an issue [optional] (default 1h0m0s)\n --mac string mac to filter [optional]\n --manufacturer string fru manufacturer to filter [optional]\n --name string allocation name to filter [optional]\n --network-destination-prefixes string network destination prefixes to filter [optional]\n --network-ids string network ids to filter [optional]\n --network-ips string network ips to filter [optional]\n --partition string partition to filter [optional]\n --product-part-number string fru product part number to filter [optional]\n --product-serial string fru product serial to filter [optional]\n --project string allocation project to filter [optional]\n --rack string rack to filter [optional]\n --role string allocation role to filter [optional]\n --size string size to filter [optional]\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: age|event|id|image|liveliness|partition|project|rack|size|when\n --state string state to filter [optional]\n --tags strings tags to filter, use it like: --tags \"tag1,tag2\" or --tags \"tag3\".","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_list/#Options-inherited-from-parent-commands","page":"metalctl machine list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_list/","page":"metalctl machine list","title":"metalctl machine list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_list/#SEE-ALSO","page":"metalctl machine list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_list/","page":"metalctl machine list","title":"metalctl machine list","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_list/#metalctl-firmware-list","page":"metalctl firmware list","title":"metalctl firmware list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_list/","page":"metalctl firmware list","title":"metalctl firmware list","text":"list firmwares","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_list/#Synopsis","page":"metalctl firmware list","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_list/","page":"metalctl firmware list","title":"metalctl firmware list","text":"lists all available firmwares matching the given criteria.","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_list/","page":"metalctl firmware list","title":"metalctl firmware list","text":"metalctl firmware list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_list/#Options","page":"metalctl firmware list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_list/","page":"metalctl firmware list","title":"metalctl firmware list","text":" --board string the board type\n -h, --help help for list\n --kind string the firmware kind [bmc|bios]\n --machineid string the machine id (ignores vendor and board flags)\n --vendor string the vendor","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_list/#Options-inherited-from-parent-commands","page":"metalctl firmware list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_list/","page":"metalctl firmware list","title":"metalctl firmware list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_list/#SEE-ALSO","page":"metalctl firmware list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_list/","page":"metalctl firmware list","title":"metalctl firmware list","text":"metalctl firmware\t - manage firmwares","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn/#metalctl-vpn","page":"metalctl vpn","title":"metalctl vpn","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn/","page":"metalctl vpn","title":"metalctl vpn","text":"access VPN","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn/#Synopsis","page":"metalctl vpn","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn/","page":"metalctl vpn","title":"metalctl vpn","text":"access VPN","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn/#Options","page":"metalctl vpn","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn/","page":"metalctl vpn","title":"metalctl vpn","text":" -h, --help help for vpn","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn/#Options-inherited-from-parent-commands","page":"metalctl vpn","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn/","page":"metalctl vpn","title":"metalctl vpn","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_vpn/#SEE-ALSO","page":"metalctl vpn","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_vpn/","page":"metalctl vpn","title":"metalctl vpn","text":"metalctl\t - a cli to manage entities in the metal-stack api\nmetalctl vpn key\t - create an auth key","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/#metalctl-firmware-upload-bios","page":"metalctl firmware upload bios","title":"metalctl firmware upload bios","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/","page":"metalctl firmware upload bios","title":"metalctl firmware upload bios","text":"upload a BIOS firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/#Synopsis","page":"metalctl firmware upload bios","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/","page":"metalctl firmware upload bios","title":"metalctl firmware upload bios","text":"the given BIOS firmware file will be uploaded and tagged as given revision.","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/","page":"metalctl firmware upload bios","title":"metalctl firmware upload bios","text":"metalctl firmware upload bios [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/#Options","page":"metalctl firmware upload bios","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/","page":"metalctl firmware upload bios","title":"metalctl firmware upload bios","text":" --board string the board type (required)\n -h, --help help for bios\n --revision string the BIOS firmware revision (required)\n --vendor string the vendor (required)","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/#Options-inherited-from-parent-commands","page":"metalctl firmware upload bios","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/","page":"metalctl firmware upload bios","title":"metalctl firmware upload bios","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/#SEE-ALSO","page":"metalctl firmware upload bios","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_firmware_upload_bios/","page":"metalctl firmware upload bios","title":"metalctl firmware upload bios","text":"metalctl firmware upload\t - upload a firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_size_suggest/#metalctl-size-suggest","page":"metalctl size suggest","title":"metalctl size suggest","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_suggest/","page":"metalctl size suggest","title":"metalctl size suggest","text":"suggest size from a given machine id","category":"page"},{"location":"external/metalctl/docs/metalctl_size_suggest/","page":"metalctl size suggest","title":"metalctl size suggest","text":"metalctl size suggest [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_suggest/#Options","page":"metalctl size suggest","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_suggest/","page":"metalctl size suggest","title":"metalctl size suggest","text":" --description string The description of the suggested size (default \"a suggested size\")\n -h, --help help for suggest\n --labels strings labels to add to the size\n --machine-id string Machine id used to create the size suggestion. [required]\n --name string The name of the suggested size (default \"suggested-size\")","category":"page"},{"location":"external/metalctl/docs/metalctl_size_suggest/#Options-inherited-from-parent-commands","page":"metalctl size suggest","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_suggest/","page":"metalctl size suggest","title":"metalctl size suggest","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_suggest/#SEE-ALSO","page":"metalctl size suggest","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_suggest/","page":"metalctl size suggest","title":"metalctl size suggest","text":"metalctl size\t - manage size entities","category":"page"},{"location":"external/csi-driver-lvm/README/#csi-driver-lvm","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"","category":"section"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"CSI DRIVER LVM utilizes local storage of Kubernetes nodes to provide persistent storage for pods.","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"It automatically creates hostPath based persistent volumes on the nodes.","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"Underneath it creates a LVM logical volume on the local disks. A comma-separated list of grok pattern, which disks to use must be specified.","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"This CSI driver is derived from csi-driver-host-path and csi-lvm","category":"page"},{"location":"external/csi-driver-lvm/README/#Currently-it-can-create,-delete,-mount,-unmount-and-resize-block-and-filesystem-volumes-via-lvm","page":"csi-driver-lvm","title":"Currently it can create, delete, mount, unmount and resize block and filesystem volumes via lvm","text":"","category":"section"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"For the special case of block volumes, the filesystem-expansion has to be performed by the app using the block device","category":"page"},{"location":"external/csi-driver-lvm/README/#Installation","page":"csi-driver-lvm","title":"Installation","text":"","category":"section"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"Helm charts for installation are located in a separate repository called helm-charts. If you would like to contribute to the helm chart, please raise an issue or pull request there.","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"You have to set the devicePattern for your hardware to specify which disks should be used to create the volume group.","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"helm install --repo https://helm.metal-stack.io mytest csi-driver-lvm --set lvm.devicePattern='/dev/nvme[0-9]n[0-9]'","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"Now you can use one of following storageClasses:","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"csi-driver-lvm-linear\ncsi-driver-lvm-mirror\ncsi-driver-lvm-striped","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"To get the previous old and now deprecated csi-lvm-sc-linear, ... storageclasses, set helm-chart value compat03x=true.","category":"page"},{"location":"external/csi-driver-lvm/README/#Migration","page":"csi-driver-lvm","title":"Migration","text":"","category":"section"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"If you want to migrate your existing PVC to / from csi-driver-lvm, you can use korb.","category":"page"},{"location":"external/csi-driver-lvm/README/#Todo","page":"csi-driver-lvm","title":"Todo","text":"","category":"section"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"implement CreateSnapshot(), ListSnapshots(), DeleteSnapshot()","category":"page"},{"location":"external/csi-driver-lvm/README/#Test","page":"csi-driver-lvm","title":"Test","text":"","category":"section"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"kubectl apply -f examples/csi-pvc-raw.yaml\nkubectl apply -f examples/csi-pod-raw.yaml\n\n\nkubectl apply -f examples/csi-pvc.yaml\nkubectl apply -f examples/csi-app.yaml\n\nkubectl delete -f examples/csi-pod-raw.yaml\nkubectl delete -f examples/csi-pvc-raw.yaml\n\nkubectl delete -f examples/csi-app.yaml\nkubectl delete -f examples/csi-pvc.yaml","category":"page"},{"location":"external/csi-driver-lvm/README/#Development","page":"csi-driver-lvm","title":"Development","text":"","category":"section"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"In order to run the integration tests locally, you need to create to loop devices on your host machine. Make sure the loop device mount paths are not used on your system (default path is /dev/loop10{0,1}).","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"You can create these loop devices like this:","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"for i in 100 101; do fallocate -l 1G loop${i}.img ; sudo losetup /dev/loop${i} loop${i}.img; done\nsudo losetup -a\n# use this for recreation or cleanup\n# for i in 100 101; do sudo losetup -d /dev/loop${i}; rm -f loop${i}.img; done","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"You can then run the tests against a kind cluster, running:","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"make test","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"To recreate or cleanup the kind cluster:","category":"page"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"make test-cleanup","category":"page"},{"location":"external/csi-driver-lvm/README/#Page-Tree","page":"csi-driver-lvm","title":"Page Tree","text":"","category":"section"},{"location":"external/csi-driver-lvm/README/","page":"csi-driver-lvm","title":"csi-driver-lvm","text":"Pages = vcat([[joinpath(root, file)[length(@__DIR__)+2:end] for file in files] for (root, dirs, files) in walkdir(@__DIR__)]...)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_apply/#metalctl-machine-apply","page":"metalctl machine apply","title":"metalctl machine apply","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_apply/","page":"metalctl machine apply","title":"metalctl machine apply","text":"applies one or more machines from a given file","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_apply/","page":"metalctl machine apply","title":"metalctl machine apply","text":"metalctl machine apply [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_apply/#Options","page":"metalctl machine apply","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_apply/","page":"metalctl machine apply","title":"metalctl machine apply","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl machine describe machine-1 -o yaml > machine.yaml\n $ vi machine.yaml\n $ # either via stdin\n $ cat machine.yaml | metalctl machine apply -f -\n $ # or via file\n $ metalctl machine apply -f machine.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for apply\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_apply/#Options-inherited-from-parent-commands","page":"metalctl machine apply","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_apply/","page":"metalctl machine apply","title":"metalctl machine apply","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_apply/#SEE-ALSO","page":"metalctl machine apply","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_apply/","page":"metalctl machine apply","title":"metalctl machine apply","text":"metalctl machine\t - manage machine entities","category":"page"},{"location":"external/metalctl/docs/metalctl_image_update/#metalctl-image-update","page":"metalctl image update","title":"metalctl image update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_update/","page":"metalctl image update","title":"metalctl image update","text":"updates the image","category":"page"},{"location":"external/metalctl/docs/metalctl_image_update/","page":"metalctl image update","title":"metalctl image update","text":"metalctl image update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_image_update/#Options","page":"metalctl image update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_update/","page":"metalctl image update","title":"metalctl image update","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl image describe image-1 -o yaml > image.yaml\n $ vi image.yaml\n $ # either via stdin\n $ cat image.yaml | metalctl image update -f -\n $ # or via file\n $ metalctl image update -f image.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_image_update/#Options-inherited-from-parent-commands","page":"metalctl image update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_update/","page":"metalctl image update","title":"metalctl image update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_image_update/#SEE-ALSO","page":"metalctl image update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_image_update/","page":"metalctl image update","title":"metalctl image update","text":"metalctl image\t - manage image entities","category":"page"},{"location":"external/metalctl/docs/metalctl_login/#metalctl-login","page":"metalctl login","title":"metalctl login","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_login/","page":"metalctl login","title":"metalctl login","text":"login user and receive token","category":"page"},{"location":"external/metalctl/docs/metalctl_login/#Synopsis","page":"metalctl login","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_login/","page":"metalctl login","title":"metalctl login","text":"login and receive token that will be used to authenticate commands.","category":"page"},{"location":"external/metalctl/docs/metalctl_login/","page":"metalctl login","title":"metalctl login","text":"metalctl login [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_login/#Options","page":"metalctl login","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_login/","page":"metalctl login","title":"metalctl login","text":" -h, --help help for login\n --print-only If true, the token is printed to stdout","category":"page"},{"location":"external/metalctl/docs/metalctl_login/#Options-inherited-from-parent-commands","page":"metalctl login","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_login/","page":"metalctl login","title":"metalctl login","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_login/#SEE-ALSO","page":"metalctl login","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_login/","page":"metalctl login","title":"metalctl login","text":"metalctl\t - a cli to manage entities in the metal-stack api","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_up/#metalctl-switch-port-up","page":"metalctl switch port up","title":"metalctl switch port up","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_up/","page":"metalctl switch port up","title":"metalctl switch port up","text":"sets the given switch port state up","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_up/#Synopsis","page":"metalctl switch port up","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_up/","page":"metalctl switch port up","title":"metalctl switch port up","text":"sets the port status to UP so the connected machine will be able to connect to the switch.","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_up/","page":"metalctl switch port up","title":"metalctl switch port up","text":"metalctl switch port up [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_up/#Options","page":"metalctl switch port up","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_up/","page":"metalctl switch port up","title":"metalctl switch port up","text":" -h, --help help for up","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_up/#Options-inherited-from-parent-commands","page":"metalctl switch port up","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_up/","page":"metalctl switch port up","title":"metalctl switch port up","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --port string the port to be changed.\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_port_up/#SEE-ALSO","page":"metalctl switch port up","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_port_up/","page":"metalctl switch port up","title":"metalctl switch port up","text":"metalctl switch port\t - sets the given switch port state up or down","category":"page"},{"location":"external/mini-lab/README/#mini-lab","page":"mini-lab","title":"mini-lab","text":"","category":"section"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"The mini-lab is a small, virtual setup to locally run the metal-stack. It deploys the metal control plane and a metal-stack partition with two simulated leaf switches. The lab can be used for trying out metal-stack, demonstration purposes or development.","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"(Image: overview components)","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"ℹ This project can also be used as a template for writing your own metal-stack deployments.","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Requirements\nKnown Limitations\nTry it out\nReinstall machine\nFree machine\nFlavors","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"","category":"page"},{"location":"external/mini-lab/README/#Requirements","page":"mini-lab","title":"Requirements","text":"","category":"section"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Linux machine with hardware virtualization support\nkvm as hypervisor for the VMs (you can check through the kvm-ok command)\ndocker >= 24.x.y (for using kind and our deployment base image)\nkind == v0.23.0 (for hosting the metal control plane)\ncontainerlab >= v0.56.0\nthe lab creates a docker network on your host machine with the address block 203.0.113.0/24, designated as TEST-NET-3 for documentation and examples.\n(recommended) haveged to have enough random entropy (only needed if the PXE process does not work)","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Here is some code that should help you to set up most of the requirements:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"# If UFW enabled.\n# Disable the firewall or allow traffic through Docker network IP range.\nsudo ufw status\nsudo ufw allow from 172.17.0.0/16\n\n# Install kvm\nsudo apt install -y git curl qemu qemu-kvm haveged\n\n# Install Docker\ncurl -fsSL https://get.docker.com | sh\n# if you want to be on the safe side, follow the original installation\n# instructions at https://docs.docker.com/engine/install/ubuntu/\n\n# Ensure that your user is member of the group \"docker\"\n# you need to login again in order to make this change take effect\nsudo usermod -G docker -a ${USER}\n\n# Install containerlab\nbash -c \"$(curl -sL https://get.containerlab.dev)\"\n\n# Install kind (kubernetes in docker), for more details see https://kind.sigs.k8s.io/docs/user/quick-start/#installation\nsudo curl -Lo /usr/local/bin/kind \"https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64\"\nsudo chmod +x /usr/local/bin/kind","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"The following ports are used statically on your host machine:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Port Bind Address Description\n6443 0.0.0.0 kube-apiserver of the kind cluster\n4443 0.0.0.0 HTTPS ingress\n4150 0.0.0.0 nsqd\n8080 0.0.0.0 HTTP ingress","category":"page"},{"location":"external/mini-lab/README/#Known-Limitations","page":"mini-lab","title":"Known Limitations","text":"","category":"section"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"to keep the demo small there is no EVPN\nmachine restart and destroy does not work because we cannot change the boot order via IPMI in the lab easily (virtual-bmc could, but it's buggy)\nlogin to the machines is possible with virsh console, login to the firewall is possible with SSH from your local machine","category":"page"},{"location":"external/mini-lab/README/#Try-it-out","page":"mini-lab","title":"Try it out","text":"","category":"section"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"git clone https://github.com/metal-stack/mini-lab.git\ncd mini-lab","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Start the mini-lab with a kind cluster, a metal-api instance as well as two containers wrapping leaf switches and another container that hosts two user-allocatable machines:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"make\n# containerlab will ask you for root permissions (https://github.com/srl-labs/containerlab/issues/669)","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"After the deployment and waiting for a short amount of time, two machines in status PXE booting become visible through metalctl machine ls:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"docker compose run --rm metalctl machine ls\n\nID LAST EVENT WHEN AGE HOSTNAME PROJECT SIZE IMAGE PARTITION\ne0ab02d2-27cd-5a5e-8efc-080ba80cf258   PXE Booting 3s\n2294c949-88f6-5390-8154-fa53d93a3313 PXE Booting 5s","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Wait until the machines reach the waiting state:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"docker compose run --rm metalctl machine ls\n\nID LAST EVENT WHEN AGE HOSTNAME PROJECT SIZE IMAGE PARTITION\ne0ab02d2-27cd-5a5e-8efc-080ba80cf258   Waiting 8s v1-small-x86 mini-lab\n2294c949-88f6-5390-8154-fa53d93a3313   Waiting 8s v1-small-x86 mini-lab","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Create a firewall and a machine with:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"make firewall\nmake machine","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Alternatively, you may want to issue the metalctl commands on your own:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"docker compose run --rm metalctl network allocate \\\n --partition mini-lab \\\n --project 00000000-0000-0000-0000-000000000000 \\\n --name user-private-network\n\n# lookup the network ID and create a machine\ndocker compose run --rm metalctl machine create \\\n --description test \\\n --name machine \\\n --hostname machine \\\n --project 00000000-0000-0000-0000-000000000000 \\\n --partition mini-lab \\\n --image ubuntu-20.04 \\\n --size v1-small-x86 \\\n --networks \n\n# create a firewall that is also connected to the virtual internet-mini-lab network\ndocker compose run --rm metalctl machine create \\\n --description fw \\\n --name fw \\\n --hostname fw \\\n --project 00000000-0000-0000-0000-000000000000 \\\n --partition mini-lab \\\n --image firewall-ubuntu-2.0 \\\n --size v1-small-x86 \\\n --networks internet-mini-lab,$(privatenet)","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"See the installation process in action","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"make console-machine01/02\n...\nUbuntu 20.04 machine ttyS0\n\nmachine login:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Two machines are now installed and have status \"Phoned Home\"","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"docker compose run --rm metalctl machine ls\nID LAST EVENT WHEN AGE HOSTNAME PROJECT SIZE IMAGE PARTITION\ne0ab02d2-27cd-5a5e-8efc-080ba80cf258   Phoned Home 2s 21s machine 00000000-0000-0000-0000-000000000000 v1-small-x86 Ubuntu 20.04 20200331 mini-lab\n2294c949-88f6-5390-8154-fa53d93a3313   Phoned Home 8s 18s fw 00000000-0000-0000-0000-000000000000 v1-small-x86 Firewall 2 Ubuntu 20200730 mini-lab","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Login with user name metal and the console password from","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"docker compose run --rm metalctl machine consolepassword e0ab02d2-27cd-5a5e-8efc-080ba80cf258","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"To remove the kind cluster, the switches and machines, run:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"make cleanup","category":"page"},{"location":"external/mini-lab/README/#Reinstall-machine","page":"mini-lab","title":"Reinstall machine","text":"","category":"section"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Reinstall a machine with","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"docker compose run --rm metalctl machine reinstall \\\n --image ubuntu-20.04 \\\n e0ab02d2-27cd-5a5e-8efc-080ba80cf258","category":"page"},{"location":"external/mini-lab/README/#Free-machine","page":"mini-lab","title":"Free machine","text":"","category":"section"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Free a machine with make free-machine01 or","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"docker compose run --rm metalctl machine rm e0ab02d2-27cd-5a5e-8efc-080ba80cf258","category":"page"},{"location":"external/mini-lab/README/#Flavors","page":"mini-lab","title":"Flavors","text":"","category":"section"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"There are two versions, or flavors, of the mini-lab environment which differ in regards to the NOS running on the leaves:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"cumulus – runs 2 Cumulus switches.\nsonic – runs 2 SONiC switches","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"In order to start specific flavor, you can define the flavor as follows:","category":"page"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"export MINI_LAB_FLAVOR=sonic\nmake","category":"page"},{"location":"external/mini-lab/README/#Page-Tree","page":"mini-lab","title":"Page Tree","text":"","category":"section"},{"location":"external/mini-lab/README/","page":"mini-lab","title":"mini-lab","text":"Pages = vcat([[joinpath(root, file)[length(@__DIR__)+2:end] for file in files] for (root, dirs, files) in walkdir(@__DIR__)]...)","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/#metalctl-completion-zsh","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"Generate the autocompletion script for zsh","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/#Synopsis","page":"metalctl completion zsh","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"Generate the autocompletion script for the zsh shell.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"echo \"autoload -U compinit; compinit\" >> ~/.zshrc","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"To load completions in your current shell session:","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"source <(metalctl completion zsh)","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"To load completions for every new session, execute once:","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/#Linux:","page":"metalctl completion zsh","title":"Linux:","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"metalctl completion zsh > \"${fpath[1]}/_metalctl\"","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/#macOS:","page":"metalctl completion zsh","title":"macOS:","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"metalctl completion zsh > $(brew --prefix)/share/zsh/site-functions/_metalctl","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"You will need to start a new shell for this setup to take effect.","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"metalctl completion zsh [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/#Options","page":"metalctl completion zsh","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":" -h, --help help for zsh\n --no-descriptions disable completion descriptions","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/#Options-inherited-from-parent-commands","page":"metalctl completion zsh","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_completion_zsh/#SEE-ALSO","page":"metalctl completion zsh","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_completion_zsh/","page":"metalctl completion zsh","title":"metalctl completion zsh","text":"metalctl completion\t - Generate the autocompletion script for the specified shell","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_describe/#metalctl-switch-describe","page":"metalctl switch describe","title":"metalctl switch describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_describe/","page":"metalctl switch describe","title":"metalctl switch describe","text":"describes the switch","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_describe/","page":"metalctl switch describe","title":"metalctl switch describe","text":"metalctl switch describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_describe/#Options","page":"metalctl switch describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_describe/","page":"metalctl switch describe","title":"metalctl switch describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_describe/#Options-inherited-from-parent-commands","page":"metalctl switch describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_describe/","page":"metalctl switch describe","title":"metalctl switch describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_switch_describe/#SEE-ALSO","page":"metalctl switch describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_switch_describe/","page":"metalctl switch describe","title":"metalctl switch describe","text":"metalctl switch\t - manage switch entities","category":"page"},{"location":"external/metalctl/docs/metalctl_context_short/#metalctl-context-short","page":"metalctl context short","title":"metalctl context short","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_context_short/","page":"metalctl context short","title":"metalctl context short","text":"only show the default context name","category":"page"},{"location":"external/metalctl/docs/metalctl_context_short/","page":"metalctl context short","title":"metalctl context short","text":"metalctl context short [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_context_short/#Options","page":"metalctl context short","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_context_short/","page":"metalctl context short","title":"metalctl context short","text":" -h, --help help for short","category":"page"},{"location":"external/metalctl/docs/metalctl_context_short/#Options-inherited-from-parent-commands","page":"metalctl context short","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_context_short/","page":"metalctl context short","title":"metalctl context short","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_context_short/#SEE-ALSO","page":"metalctl context short","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_context_short/","page":"metalctl context short","title":"metalctl context short","text":"metalctl context\t - manage metalctl context","category":"page"},{"location":"development/proposals/MEP4/README/#Multi-Tenancy-for-the-metal-api","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"info: Info\nThis document is work in progress.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"In the past we decided to treat the metal-api as a \"low-level API\", i.e. the API does not specifically deal with projects and tenants. A user with editor access can for example assign machines to every project he desires, he can see all the machines available and can control them. We tried to keep the metal-api code base as small as possible and we added resource scoping to a \"higher-level APIs\". From there, a user would be able to only see his own clusters and IP addresses.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"As time passed metal-stack has become an open-source project and people are willing to adopt. Adopters who want to put their own technologies on top of the metal-stack infrastructure don't have those \"higher-level APIs\" that we implemented closed-source for our user base. So, external adopters most likely need to implement resource scoping on their own.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"Introducing multi-tenancy to the metal-api is a serious chance of making our product better and more successful as it opens the door for:","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"Becoming a \"fully-featured\" API\nNarrowing down attack surfaces and possibility of unintended resource modification produced by bugs or human errors\nDiscouraging people to implement their own scoping layers in front of the metal-stack\nGaining performance through resource scopes\nLetting untrusted / third-parties work with the API","category":"page"},{"location":"development/proposals/MEP4/README/#Table-of-Contents","page":"Multi-Tenancy for the metal-api","title":"Table of Contents","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"Pages = [\"README.md\"]\nDepth = 5","category":"page"},{"location":"development/proposals/MEP4/README/#Requirements","page":"Multi-Tenancy for the metal-api","title":"Requirements","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"These are some general requirements / higher objectives that MEP-4 has to fulfill.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"Should be able to run with mini-lab without requiring to setup complex auth backends (dex, LDAP, keycloak, ...)\nSimple to start with, more complex options for production setups\nShould utilize auth mechanisms that we have already in place to best possible degree\nFine-grained access permissions (every endpoint maps to a permission)\nTenant scoping (disallow resource access to resources of other tenants)\nProject scoping (disallow resource access to resources of other projects)\nAccess tokens in self-service for technical user access","category":"page"},{"location":"development/proposals/MEP4/README/#Implementation","page":"Multi-Tenancy for the metal-api","title":"Implementation","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"We gathered a lot of knowledge while implementing a multi-tenancy-capable backend for metalstack.cloud. The goal is now to use the same technology and adopt that to the metal-api, this includes:","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"gRPC in combination with connectrpc\nOPA for making auth decisions\nREST HTTP only for OIDC login flows","category":"page"},{"location":"development/proposals/MEP4/README/#API-Definitions","page":"Multi-Tenancy for the metal-api","title":"API Definitions","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"The API definitions should be located on a separate Github repository separate from the server implementation. The proposed repository location is: https://github.com/metal-stack/api.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"This repository contains the proto3 specification of the exposed metal-stack api. This includes the messages, simple validations, services and the access permission to these services. The input parameters for the authorization in the backend are generated from the proto3 annotations.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"Client implementations for the most relevant languages (go, python) are generated automatically.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"This api is divided into end-user and admin access at the top level. The proposed APIs are:","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"api.v2: For end-user facing services\nadmin.v2: For operators and controllers which need access to unscoped entities","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"The methods of the API can have different role scopes (and can be narrowed down further with fine-grained method permissions):","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"tenant: Tenant-scoped methods, e.g. project creation (tenant needs to be provided in the request payload)\nAvailable roles: VIEWER, EDITOR, OWNER\nproject: Project-scoped methods, e.g. machine creation (tenant needs to be provided in the request payload)\nAvailable roles: VIEWER, EDITOR, OWNER\nadmin Admin-scoped methods, e.g. unscoped tenant list or switch register\nAvailable roles: VIEWER, EDITOR","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"And has methods with different visibility scopes:","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"self: Methods that only the logged in user can access, e.g. show permissions with the presented token\npublic: Methods that do not require any specific authorization\nprivate: Methods that are not exposed","category":"page"},{"location":"development/proposals/MEP4/README/#API","page":"Multi-Tenancy for the metal-api","title":"API","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"The API server implements the services defined in the API and validates access to a method using OPA with the JWT tokens passed in the requests. The server is implemented using the connectrpc.com framework.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"The API server implements the login flow through OIDC. After successful authentication, the API server derives user permissions from the OIDC provider and issues a new JWT token which is passed on to the user. The tokens including the permissions are stored in a redis compatible backend.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"With these tokens, users can create Access Tokens for CI/CD or other use cases.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"JWT Tokens can be revoked by admins and the user itself.","category":"page"},{"location":"development/proposals/MEP4/README/#API-Server","page":"Multi-Tenancy for the metal-api","title":"API Server","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"Is put into a new github repo which implements the services defined in the api repository. It opens a https endpoints where the grpc (via connectrpc.com) and oidc servives are exposed.","category":"page"},{"location":"development/proposals/MEP4/README/#Migration-of-the-Consumers","page":"Multi-Tenancy for the metal-api","title":"Migration of the Consumers","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"To allow consumers to migrate to the v2 API gradually, both apis, the new and the old, are deployed in parallel. In the control-plane both apis are deployed side-by-side behind the ingress. api.example.com is forwarded to metal-api and metal.example.com is forwarded to the new api-server.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"The api-server will talk to the existing metal-api during the process of migration services away to the new grpc api.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"The migration process can be done in the following manner:","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"for each resource in the metal-api:","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"create a new proto3 based definition in the api repo.\nimplement at least a small wrapper service in the api-server which asks the metal-api for this resource an maps the response back the caller in the grpc format.\nidentify all consumers of this resource and replace them to use the grpc instead of the rest api\nmove the business logic incl. the backend calls to ipam, metal-db, masterdata-ap, nsq for this resource from the metal-api to the api-server","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"We will try to migrate the rethinkdb backend implementation to a generic approach during this effort.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"There are a lot of consumers of metal-api, which need to be migrated:","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"ansible\nfirewall-controller\nfirewall-controller-manager\ngardener-extension-auth\ngardener-extension-provider-metal\nDo not point the secret bindings to a the shared provider secret in the seed anymore. Instead, use individual provider-secret containing project-scoped API access tokens in the Gardener project namespaces.\nmachine-controller-manager-provider-metal\nmetal-ccm\nmetal-console\nmetal-bmc\nmetal-core\nmetal-hammer\nmetal-image-cache-sync\nmetal-images\nmetal-metrics-exporter\nmetal-networker\nmetalctl\npixie","category":"page"},{"location":"development/proposals/MEP4/README/#User-Scenarios","page":"Multi-Tenancy for the metal-api","title":"User Scenarios","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"This section gathers a collection of workflows from the perspective of a user that we want to provide with the implementation of this proposal.","category":"page"},{"location":"development/proposals/MEP4/README/#Machine-Creation","page":"Multi-Tenancy for the metal-api","title":"Machine Creation","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"A regular user wants to create a machine resource.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"Requirements: Project was created, permissions are present","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"The user can see networks that were provided by the admin.\n$ metalctl network ls\nID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS\ninternet Internet Network true false 212.34.83.0/27  ●\ntenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ●\nunderlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ●\nThe user has to set the project scope first or provide --project flags for all commands.\n$ metalctl project set 793bb6cd-8b46-479d-9209-0fedca428fe1\nYou are now acting on project 793bb6cd-8b46-479d-9209-0fedca428fe1.\nThe user can create the child network required for machine allocation.\n$ metalctl network allocate --partition fra-equ01 --name test\nNow, the user sees his own child network.\n$ metalctl network ls\nID NAME PROJECT PARTITION NAT SHARED PREFIXES IPS\ninternet Internet Network true false 212.34.83.0/27  ●\ntenant-super-network-fra-equ01 Project Super Network fra-equ01 false false 10.128.0.0/14  ●\n└─╴08b9114b-ec47-4697-b402-a11421788dc6 test 793bb6cd-8b46-479d-9209-0fedca428fe1 fra-equ01 false false 10.128.64.0/22  ●\nunderlay-fra-equ01 Underlay Network fra-equ01 false false 10.0.0.0/16  ●\nThe user does not see any machines yet.\n$ metalctl machine ls\nThe user can create a machine.\n$ metalctl machine create --networks internet,08b9114b-ec47-4697-b402-a11421788dc6 --name test --hostname test --image ubuntu-20.04 --partition fra-equ01 --size c1-xlarge-x86`\nThe machine will now be provisioned.\n$ metalctl machine ls\nID LAST EVENT WHEN AGE HOSTNAME PROJECT SIZE IMAGE PARTITION\n00000000-0000-0000-0000-ac1f6b7befb2 Phoned Home 20s 50d 4h test 793bb6cd-8b46-479d-9209-0fedca428fe1 c1-xlarge-x86 Ubuntu 20.04 20210415 fra-equ01","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"warning: Warning\nA user cannot list all allocated machines for all projects. The user must always switch project context first and can only view the machines inside this project. Only admins can see all machines at once.","category":"page"},{"location":"development/proposals/MEP4/README/#Scopes-for-Resources","page":"Multi-Tenancy for the metal-api","title":"Scopes for Resources","text":"","category":"section"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"The admins / operators of the metal-stack should be able to provide global resources that users are able to use along with their own resources. In particular, users can view and use global resources, but they are not allowed to create, modify or delete them.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"info: Info\nWhen a project ID field is empty on a resource, the resource is considered global.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"Where possible, users should be capable of creating their own resource entities.","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"Resource User Global\nFile System Layout yes yes\nFirewall yes \nFirmware yes\nOS Image yes\nMachine yes \nNetwork (Base) yes\nNetwork (Children) yes \nIP yes \nPartition yes\nProject yes \nProject Token yes \nSize yes\nSwitch \nTenant yes","category":"page"},{"location":"development/proposals/MEP4/README/","page":"Multi-Tenancy for the metal-api","title":"Multi-Tenancy for the metal-api","text":"info: Info\nExample: A user can make use of the file system layouts provided by the admins, but can also create own layouts. Same applies for images. As soon as a user creates own resources, the user takes over the responsibility for the machine provisioning to succeed.","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_list/#metalctl-size-reservation-list","page":"metalctl size reservation list","title":"metalctl size reservation list","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_list/","page":"metalctl size reservation list","title":"metalctl size reservation list","text":"list all reservations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_list/","page":"metalctl size reservation list","title":"metalctl size reservation list","text":"metalctl size reservation list [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_list/#Options","page":"metalctl size reservation list","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_list/","page":"metalctl size reservation list","title":"metalctl size reservation list","text":" -h, --help help for list\n --id string the id to filter\n --partition string the partition id to filter\n --project string the project id to filter\n --size string the size id to filter\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: amount|id|partition|project|size","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_list/#Options-inherited-from-parent-commands","page":"metalctl size reservation list","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_list/","page":"metalctl size reservation list","title":"metalctl size reservation list","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_list/#SEE-ALSO","page":"metalctl size reservation list","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_list/","page":"metalctl size reservation list","title":"metalctl size reservation list","text":"metalctl size reservation\t - manage reservation entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation/#metalctl-size-reservation","page":"metalctl size reservation","title":"metalctl size reservation","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation/","page":"metalctl size reservation","title":"metalctl size reservation","text":"manage reservation entities","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation/#Synopsis","page":"metalctl size reservation","title":"Synopsis","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation/","page":"metalctl size reservation","title":"metalctl size reservation","text":"manage size reservations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation/#Options","page":"metalctl size reservation","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation/","page":"metalctl size reservation","title":"metalctl size reservation","text":" -h, --help help for reservation","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation/#Options-inherited-from-parent-commands","page":"metalctl size reservation","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation/","page":"metalctl size reservation","title":"metalctl size reservation","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation/#SEE-ALSO","page":"metalctl size reservation","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation/","page":"metalctl size reservation","title":"metalctl size reservation","text":"metalctl size\t - manage size entities\nmetalctl size reservation apply\t - applies one or more reservations from a given file\nmetalctl size reservation create\t - creates the reservation\nmetalctl size reservation delete\t - deletes the reservation\nmetalctl size reservation describe\t - describes the reservation\nmetalctl size reservation edit\t - edit the reservation through an editor and update\nmetalctl size reservation list\t - list all reservations\nmetalctl size reservation update\t - updates the reservation\nmetalctl size reservation usage\t - see current usage of size reservations","category":"page"},{"location":"external/metalctl/docs/metalctl_network_describe/#metalctl-network-describe","page":"metalctl network describe","title":"metalctl network describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_describe/","page":"metalctl network describe","title":"metalctl network describe","text":"describes the network","category":"page"},{"location":"external/metalctl/docs/metalctl_network_describe/","page":"metalctl network describe","title":"metalctl network describe","text":"metalctl network describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_network_describe/#Options","page":"metalctl network describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_describe/","page":"metalctl network describe","title":"metalctl network describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_network_describe/#Options-inherited-from-parent-commands","page":"metalctl network describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_describe/","page":"metalctl network describe","title":"metalctl network describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_network_describe/#SEE-ALSO","page":"metalctl network describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_network_describe/","page":"metalctl network describe","title":"metalctl network describe","text":"metalctl network\t - manage network entities","category":"page"},{"location":"external/metalctl/docs/metalctl_project_update/#metalctl-project-update","page":"metalctl project update","title":"metalctl project update","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_update/","page":"metalctl project update","title":"metalctl project update","text":"updates the project","category":"page"},{"location":"external/metalctl/docs/metalctl_project_update/","page":"metalctl project update","title":"metalctl project update","text":"metalctl project update [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_project_update/#Options","page":"metalctl project update","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_update/","page":"metalctl project update","title":"metalctl project update","text":" --bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.\n -f, --file string filename of the create or update request in yaml format, or - for stdin.\n \n Example:\n $ metalctl project describe project-1 -o yaml > project.yaml\n $ vi project.yaml\n $ # either via stdin\n $ cat project.yaml | metalctl project update -f -\n $ # or via file\n $ metalctl project update -f project.yaml\n \n the file can also contain multiple documents and perform a bulk operation.\n \t\n -h, --help help for update\n --skip-security-prompts skips security prompt for bulk operations\n --timestamps when used with --file (bulk operation): prints timestamps in-between the operations","category":"page"},{"location":"external/metalctl/docs/metalctl_project_update/#Options-inherited-from-parent-commands","page":"metalctl project update","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_update/","page":"metalctl project update","title":"metalctl project update","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_project_update/#SEE-ALSO","page":"metalctl project update","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_project_update/","page":"metalctl project update","title":"metalctl project update","text":"metalctl project\t - manage project entities","category":"page"},{"location":"development/proposals/MEP6/README/#DMZ-Networks","page":"DMZ Networks","title":"DMZ Networks","text":"","category":"section"},{"location":"development/proposals/MEP6/README/#Reasoning","page":"DMZ Networks","title":"Reasoning","text":"","category":"section"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"To fulfill higher levels of security measures the standard metal-stack approach with a single firewall in front of a set of machines might be insufficient. There are cases where two physically distinct firewalls in front of application workload are mandatory. In traditional network terms this is known as DMZ approach.","category":"page"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"For Kubernetes workloads it makes sense to use the front cluster for ingress, WAF purposes and as outgoing proxy. The clusters may be used for application workload.","category":"page"},{"location":"development/proposals/MEP6/README/#DMZ-network","page":"DMZ Networks","title":"DMZ network","text":"","category":"section"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"Use a separate DMZ network prefix for every tenant\nThis is used as intermediate network btw. private networks of a tenant and the internet\nFor every partition a distinct DMZ firewall/cluster is needed for a tenant\nFor Gardener orchestrated Kubernetes clusters this network must be a publicly reachable internet prefix because shoot clusters need a vpn service that is used for instrumentation from the seed cluster - this will be a requirement as long as the inverse vpn tunnel feature Konnectivity is not available to us.","category":"page"},{"location":"development/proposals/MEP6/README/#Approach-1:-DMZ-with-publicly-reachable-internet-prefix","page":"DMZ Networks","title":"Approach 1: DMZ with publicly reachable internet prefix","text":"","category":"section"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"(Image: DMZ Internet)","category":"page"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"A DMZ network with publicly reachable internet prefix will look like this in the metal-api:","category":"page"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"---\ndescription: DMZ-Network\ndestinationprefixes:\n- 0.0.0.0/0\nid: dmz\nlabels:\n network.metal-stack.io/default-external: \"\"\nname: DMZ-Network\nparentnetworkid: null\npartitionid: \"\"\nprefixes:\n- 212.90.30.128/25\nprivatesuper: false\nprojectid: \"\"\nvrf: 104007\nvrfshared: false\nnat: true\nshared: false\nunderlay: false","category":"page"},{"location":"development/proposals/MEP6/README/#DMZ-firewall","page":"DMZ Networks","title":"DMZ firewall","text":"","category":"section"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet.","category":"page"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"The private network of the project needs to import\nthe default route from the internet network\nthe DMZ network\nThe internet network must import the DMZ network\nThe DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network","category":"page"},{"location":"development/proposals/MEP6/README/#Application-Firewall","page":"DMZ Networks","title":"Application Firewall","text":"","category":"section"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"The firewall of application workloads intersects its private network for attached machines and the DMZ network.","category":"page"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"This is currently supported by the metal-networker and needs no further changes!","category":"page"},{"location":"development/proposals/MEP6/README/#Approach-2:-DMZ-with-private-IPs","page":"DMZ Networks","title":"Approach 2: DMZ with private IPs","text":"","category":"section"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"(Image: DMZ Internet)","category":"page"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"A DMZ network with private IPs will look like this in the metal-api:","category":"page"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"---\ndescription: DMZ-Network\ndestinationprefixes:\n- 0.0.0.0/0\nid: dmz\nlabels:\n network.metal-stack.io/default-external: \"\"\nname: DMZ-Network\nparentnetworkid: tenant-super-network-fra-equ01\npartitionid: fra-equ01\nprefixes:\n- 10.90.30.128/25\nprivatesuper: false\nprojectid: \"\"\nvrf: 4711\nvrfshared: false\nnat: true\nshared: true # it's usable from multiple projects\nunderlay: false","category":"page"},{"location":"development/proposals/MEP6/README/#DMZ-firewall-2","page":"DMZ Networks","title":"DMZ firewall","text":"","category":"section"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"The firewall of the DMZ will intersect its private network for attached machines, the DMZ network and the public internet.","category":"page"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"The private network of the project needs to import\nthe default route from the internet network\nthe DMZ network\nThe internet network must import the DMZ network (only locally, no-export)\nThe DMZ network provides the default route for tenant's clusters in a partition. It imports the default route from the internet network","category":"page"},{"location":"development/proposals/MEP6/README/#Application-Firewall-2","page":"DMZ Networks","title":"Application Firewall","text":"","category":"section"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"The firewall of application workloads intersects its private network for attached machines and the DMZ network. ","category":"page"},{"location":"development/proposals/MEP6/README/#Code-Changes-/-Implications","page":"DMZ Networks","title":"Code Changes / Implications","text":"","category":"section"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"metal-networker and metal-ccm assume that there is only one network providing the default-route\nmetal-networker needs to\nimport the default route from the internet network to the dmz network (DMZ Firewall)\nimport the DMZ network to the internet network and adjusting NAT rules (DMZ Firewall)\nimport destination prefixes of the DMZ network to the private primary network (DMZ Firewall, Application Firewall)\nimport DMZ-IPs of the private primary network to the DMZ network (DMZ Firewall, Application Firewall)\nmetal-api: destination prefixes of private networks need to be configurable (allocateNetwork)\ngardener-extension-provider-metal: needs to be able to delete DMZ clusters (but skip the network deletion part)\nthe application firewall is not publicly reachable - for debugging purposes a hop over the DMZ firewall is needed","category":"page"},{"location":"development/proposals/MEP6/README/#Decision","page":"DMZ Networks","title":"Decision","text":"","category":"section"},{"location":"development/proposals/MEP6/README/","page":"DMZ Networks","title":"DMZ Networks","text":"We decided to follow the second approach with private DMZ networks.","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_describe/#metalctl-size-reservation-describe","page":"metalctl size reservation describe","title":"metalctl size reservation describe","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_describe/","page":"metalctl size reservation describe","title":"metalctl size reservation describe","text":"describes the reservation","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_describe/","page":"metalctl size reservation describe","title":"metalctl size reservation describe","text":"metalctl size reservation describe [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_describe/#Options","page":"metalctl size reservation describe","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_describe/","page":"metalctl size reservation describe","title":"metalctl size reservation describe","text":" -h, --help help for describe","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_describe/#Options-inherited-from-parent-commands","page":"metalctl size reservation describe","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_describe/","page":"metalctl size reservation describe","title":"metalctl size reservation describe","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_describe/#SEE-ALSO","page":"metalctl size reservation describe","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_describe/","page":"metalctl size reservation describe","title":"metalctl size reservation describe","text":"metalctl size reservation\t - manage reservation entities","category":"page"},{"location":"quickstart/#Getting-Started","page":"Quickstart","title":"Getting Started","text":"","category":"section"},{"location":"quickstart/","page":"Quickstart","title":"Quickstart","text":"Before starting to buy any hardware, you should try out the metal-stack on your notebook and familiarize with the software.","category":"page"},{"location":"quickstart/","page":"Quickstart","title":"Quickstart","text":"For this, we made the mini-lab.","category":"page"},{"location":"quickstart/","page":"Quickstart","title":"Quickstart","text":"The mini-lab is a fully virtual setup of metal-stack and is supposed to be run locally on a single machine. For this reason, the setup was slightly simplified in comparison to full-blown setups on real hardware. However, the lab should help to understand all ideas behind the metal-stack.","category":"page"},{"location":"quickstart/","page":"Quickstart","title":"Quickstart","text":"Get your hands dirty and follow the guide on how to get on with the mini-lab here.","category":"page"},{"location":"overview/networking/#Networking","page":"Networking","title":"Networking","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"We spent a lot of time on trying to provide state-of-the-art networking in the data center. This document describes the requirements, ideas and implementation details of the network topology that hosts the metal-stack.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The document is separated into three main sections describing the constraints, theoretical ideas and implementation details.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Pages = [\"networking.md\"]\nDepth = 5","category":"page"},{"location":"overview/networking/#Requirements","page":"Networking","title":"Requirements","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Finding the requirements for this greenfield project was kicked off with a handful of design parameters that included:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Investigation of the idea of a layer-3 based infrastructure to overcome the drawbacks of traditional layer-2 architectures.\nApplication of a routing technology that involves a single stand-alone protocol BGP for operational simplicity.\nUtilization of the overlay virtual network technology EVPN to support cost-effective scaling, efficient network information exchange and a manageable amount of administration effort.\nApplying the routing topology on top of a completely new physical infrastructure that is designed as a CLOS network topology.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Evaluation of those parameters led to more specific requirements:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Physical Wiring:\nThe data center is made of a leaf-spine CLOS topology containing:\nleaf switches\nspine switches\nexit switches\nmanagement server\nmanagement switch\ntenant servers\ntenant firewalls.\nBare metal servers are dual-attached to leaf switches. The bare metal servers either become tenant servers or firewalls for a group of tenant servers.\nAll network switches are connected to a management switch. A management server provides access to this management network.\nNetwork Operation Characteristics:\nIPv4 based network.\nNo IPv6 deployment.\nUtilization of external BGP.\nNumbered BGP only for peerings at exit switches with third parties (Internet Service Provider).\nOverall BGP unnumbered.\n4-byte private ASN instead of default 2-byte ASN for BGP.\nNetwork operation relies on SONiC Linux.\nBleeding edge Routing-to-the-Host/EVPN-to-the-Host with ordinary Linux distributions.\nLayer-3 routing using BGP and VXLAN/EVPN.\nEvery VTEP acts as a layer-3 gateway and does routing. Routing is done on both the ingress and the egress VTEP (aka distributed symmetric routing).\nTenant isolation is realized with VRF.\nInternet Access is implemented with route leak on the firewall servers and during the PXE-Process with route leak on the exit switches.\nMTU 9216 is used for VXLAN-facing interfaces, otherwise MTU 9000 is used.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Furthermore, requirements such as operational simplicity and network stability that a small group of people can effectively support have been identified being a primary focus for building metal-stack.","category":"page"},{"location":"overview/networking/#Concept","page":"Networking","title":"Concept","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The theoretical concept targets the aforementioned requirements. New technologies have been evaluated to apply the best solutions. The process was heavily inspired by the work of Dinesh G. Dutt regarding BGP (bgp-ebook), EVPN (evpn-ebook) and the his 2019 work \"Cloud Native Data Center Networking\" (O'Reilly), which teaches some interesting basics.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"External BGP together with network overlay concepts as EVPN can address the essential demands. These revolutionary concepts are part of the next evolutionary step in data center design. It overcomes common issues of traditional layer 2 architectures (e.g. VLAN limitations, network visibility for operations, firewall requirements) by introducing a layer 3 based network topology.","category":"page"},{"location":"overview/networking/#CLOS","page":"Networking","title":"CLOS","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"A CLOS topology is named after the pioneer Charles Clos (short: CLOS) who first formalized this approach. CLOS defines a multistage network topology that is used today to improve performance and resilience while enabling a cost effective scalability. A CLOS topology comprises network switches aggregated into spine and leaf layers. Each leaf switch (short: leaf) is connected to all spine switches (short: spine) but there is no direct leaf-to-leaf or spine-to-spine connection (See: picture 1).","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"(Image: 2 Layer CLOS Topology)","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Picture 1: Fragment of CLOS to show leaf-spine layer.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"This data center network architecture, based on a leaf-spine architecture, is also know as \"two-tier\" CLOS topology.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"(Image: 3 Layer CLOS Topology)","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Picture 2: Fragment to show a 3-stage, 2-layer CLOS topology.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Tenant servers are dual-attached to the leaf layer in order to have redundancy and load balancing capability (Picture 2). The set of leaves, spine switches and tenant servers define stages. From top down each server is reachable with 3 hops (spine -> leaf -> server). This is why that CLOS design is called a 3-stage CLOS. Consistent latency throughout the data center are an outcome of this design.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"It is not only important to have a scalable and resilient infrastructure but also to support planning and operation teams. Visibility within the network is of significant meaning for them. Consequently layer-3 routing in favor of layer-2 bridging provides this kind of tooling.","category":"page"},{"location":"overview/networking/#BGP","page":"Networking","title":"BGP","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"For routing the Border Gateway Protocol (BGP), more specific: External BGP was selected. Extensive testing and operational experiences have shown that External BGP is well suited as a stand-alone routing protocol (see: RFC7938).","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Not all tenant servers are connected to the same leaf. Instead they can be distributed among any of the leaves of the data center. To not let this detail restrict the intra-tenant communication it is required to interconnect those layer-2 domains. In the context of BGP there is a concept of overlay networking with VXLAN/ EVPN that was evaluated to satisfy the needs of the metal-stack.","category":"page"},{"location":"overview/networking/#BGP-Unnumbered","page":"Networking","title":"BGP Unnumbered","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"In BGP traditionally each BGP peer-facing interface requires a separate IPv4 address. This consumes a lot of IP addresses. RFC 5549 defines the BGP unnumbered standard. It allows to use interface's IPv6 link local address (LLA) to set up a BGP session with a peer. With BGP unnumbered the IPv6 LLA of the remote is automatically discovered via Router Advertisement (RA) protocol. Important: This does not (!) mean that IPv6 must be deployed in the network. BGP uses RFC 5549 to encode IPv4 routes as reachable over IPv6 next-hop using the LLA. Having unnumbered interfaces does not mean no IPv4 address may be in place. It is a good practice to configure an IP address to the never failing and always present local loopback interface (lo). This lo address is reachable over BGP from other peers because the RFC 5549 standard provides an encoding scheme to allow a router to advertise IPv4 routes with an IPv6 next-hop. BGP unnumbered also has an advantage from security perspective. It removes IPv4 and global IPv6 addresses from router interfaces, thus reducing the attack vector.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To sum it up:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"BGP unnumbered uses IPv6 next-hops to announce IPv4 routes.\nThere is no IPv6 deployment in the network required.\nIPv6 just has to be enabled on the BGP peers to provide LLA and RA.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"In External BGP, ASN is how BGP peers know each other.","category":"page"},{"location":"overview/networking/#ASN-Numbering","page":"Networking","title":"ASN Numbering","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Within the data center each BGP router is identified by a private autonomous system number (ASN). This ASN is used for internal communication. The default is to have 2-byte ASN. To avoid having to find workarounds in case the ASN address space is exhausted, a 4-byte ASN (see RFC 6793) that supports up to 95 million private ASNs (4200000000–4294967294, see RFC 6996) is used from the beginning.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"ASN numbering in a CLOS topology should follow a model to avoid routing problems (path hunting) due to it's redundant nature. Within a a two-tier CLOS topology the following ASN numbering model is suggested to solve path hunting problems:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Leaves have unique ASN\nSpines share an ASN\nExit switches share an ASN","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"A illustrated example of the background of this architecture decision can be inspected in the chapter \"BGP’s ASN Numbering Scheme\" (\"BGP’S PATH HUNTING PROBLEM\") of the previously mentioned \"Cloud Native Data Center Networking\" book.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To summarize that, one can say: Since all nodes receive or know the physical connection status of all other nodes in the network, the nodes potentially have routing information that they do not know whether they still have up to date, since it takes some time before they are fully distributed in the network. Routes to nodes may actually no longer exist (because not a single link to the node, but the node itself has failed) or the path may have changed. To determine how and whether a particular node can be reached, a path search must therefore be carried out at all its communication partners or BGP routers. Essentially, the sharing of ASNs reduces the transmission of incorrect or outdated path information (this reduces path transmissions and calculations and thus saves resources).","category":"page"},{"location":"overview/networking/#Address-Families","page":"Networking","title":"Address-Families","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"As stated, BGP is a multi-protocol routing protocol. Since it is planned to use IPv4 and overlay networks using EVPN/VXLAN several address-families have to be activated for the BGP sessions to use:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"IPv4 unicast address-family\nL2 EVPN address-family","category":"page"},{"location":"overview/networking/#EVPN","page":"Networking","title":"EVPN","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Ethernet VPN (EVPN, see RFC 7432) is an overlay virtual network that connects layer-2 segments over layer-3 infrastructure. EVPN is an answer to common problems of entire layer-2 data centers.","category":"page"},{"location":"overview/networking/#The-necessity-of-EVPN","page":"Networking","title":"The necessity of EVPN","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Challenges such as large failure domains, spanning tree complexities, difficult troubleshooting and scaling issues are addressed by EVPN:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"administration: less routers are involved in configuration (with VLAN every switch on routing-paths needs VLAN awareness). The configuration is less error prone due to the nature of EVPN and the good support in FRR.\nscaling: EVPN overcomes scaling issues with traditional VLANs (max. 4094 VLANs).\ncost-effectiveness: EVPN is an overlay virtual network. Not every switch on the routing path needs EVPN awareness. This enables the use of standard routers (in contrast to traditional VLAN); e.g.: spine switches act only as EVPN information replicator and do not need to have knowledge of specific virtual networks.\nefficiency: EVPN information is exclusively exchanged via BGP (Multiprotocol BGP, see RFC 4760). Only a single eBGP session is needed to advertise layer-2 reachability. No other protocols beneath BGP are involved and flood traffic is reduced to a minimum (no \"flood-and-learn\", no BUM traffic).","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Virtual routing permits multiple network paths without the need of multiple switches. Hence the servers are logically isolated by assigning their networks to dedicated virtual routers using virtual routing and forwarding (short, VRF, see Linux Virtual Routing and Forwarding and SONiC VRF support).","category":"page"},{"location":"overview/networking/#The-operation-of-EVPN","page":"Networking","title":"The operation of EVPN","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"EVPN (technology) is based on BGP as control plane protocol (underlay) and VXLAN as data plane protocol (overlay).","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"As EVPN is an overlay network, only the VXLAN Tunnel End Points (VTEPs) must be configured. In the case of two-tier CLOS networks leaf switches are tunnel endpoints.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"As described earlier, a dedicated VRF is used for each new tenant. VRF enables true multi-tenancy/isolation for routing tables. This is why the same ip-addresses or -networks can be used for tenants with different meanings without collisions or conflicts.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"In EVPN routing is assumed to occur in the context of a VRF. VRF enables true multitenancy/isolatation for routing tables. Therewith, VRF is the first step for EVPN configuration and there is a 1:1 relationship between tenant and VRF.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To enable layer-2 connectivity, we need a special interface to route between layer-2 networks. This interface is called Switched VLAN Interface (SVI). The SVI is realized with a VLAN. It is part of a VRF (layer-3).","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The VTEP configuration requires the setup of a VXLAN interface. A VLAN aware bridge interconnects the VXLAN interface and the SVI.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Required resources to establish the EVPN control plane:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"VRF: because routing happens in the context of this interface.\nSVI: because remote host routes for symmetric routing are installed over this interface.\nVLAN-aware bridge: because router MAC addresses of remote VTEPs are installed over this interface.\nVXLAN Interface / VXLAN Tunnel Endpoint: because the VRF to layer-3 VNI mapping has to be consistent across all VTEPs)","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"(Image: EVPN VTEP)","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Picture 3: Required interfaces on the switch to wire up the vrf to swp 1 connectivity with a given vxlan","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Integrated routing and bridging (IRB) is the most complex part of EVPN. You could choose between centralized or distributed routing, and between asymmetrical (routing on ingress) or symmetrical (routing on ingress and egress) routing. We expect a lot of traffic within the data center itself which implies the need to avoid zigzag routing. This is why we go with distributed routing model. Further it is recommended to use the symmetric model since it makes the cut in most cases and has advantages in scalability (see \"EVPN in the Data Center\", Dinesh G. Dutt).","category":"page"},{"location":"overview/networking/#MTU","page":"Networking","title":"MTU","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"In a layer-3 network it is important to associate each interface with a proper Maximum Transmission Unit (MTU) to avoid fragmentation of IP packets. Typical modern networks do not fragment IP packets and the introduction of VXLAN adds another additional header to the packets that must not exceed the MTU. If the MTU is exceeded, VXLAN might just fail without error. This already represents a difficult-to-diagnose connectivity issue that has to be avoided.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"It is common practice to set the MTU for VXLAN facing interfaces (e.g. inter-switch links) to a value of 9216 to compensate the additional VXLAN overhead and an MTU of 9000 as a default to other interfaces (e.g. server facing ports). The common MTU of 1500 is not sufficient for traffic inside a data center!","category":"page"},{"location":"overview/networking/#VRF","page":"Networking","title":"VRF","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Routing is needed for communication between VXLAN tunnels or between a VXLAN tunnel and an external networks. VXLAN routing supports layer-3 multi-tenancy. All routing occurs in the context of a VRF. There is a 1:1 relation of a VRF to a tenant. Picture 3 illustrates this. Servers A and B belong to the same vrf VRF1. Server C is enslaved into VRF2. There is no communication possible between members of VRF1 and those of VRF2.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"(Image: Two routing tables)","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Picture 4: Illustration of two distinct routing tables of VRF1 (enslaved: servers A and B) and VRF2 (enslaved: server C)","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To leaverage the potential and power of BGP, VRF, EVPN/VXLAN without a vendor lock-in the implementation relies on hardware that is supported by open network operating system: SONiC.","category":"page"},{"location":"overview/networking/#Implementation","page":"Networking","title":"Implementation","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Implementation of the network operation requires the data center infrastructure to be in place. To implement a functional meaning for the parts of the CLOS network, all members must be wired accordingly.","category":"page"},{"location":"overview/networking/#Physical-Wiring","page":"Networking","title":"Physical Wiring","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Reference: See the CLOS overview picture","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Name Wiring\nTenant server (aka Machine) Bare metal server that is associated to a tenant. Dual-connected to leafs.\nTenant firewall Bare metal server that is associated to a tenant. Dual-connected to leafs.\nLeaf Network Switch that interconnects tenant servers and firewalls. Connected to spines.\nSpine Network switch that interconnects leafs and exit switches.\nExit Network switch that connects to spines and interconnects to external networks.\nManagement Server Jump-host to access all network switches within the CLOS topology for administrative purpose.\nManagement Switch Connected to the management port of each of the network switches.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Tenant servers are organized into a layer called projects. In case those tenant servers require access to or from external networks, a new tenant server to function as a firewall is created. Leaf and spine switches form the fundament of the CLOS network to facilitate redundancy, resilience and scalability. Exit switches establish connectivity to or from external networks. Management Switch and Management Server are mandatory parts that build a management network to access the network switches for administration.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To operate the CLOS topology, software defined configuration to enable BGP, VRF, EVPN and VXLAN must be set up.","category":"page"},{"location":"overview/networking/#Network-Operating-Systems","page":"Networking","title":"Network Operating Systems","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"SONiC as the network operating system will be installed on all network switches (leaves, spines, exit switches) within the CLOS topology. SONiC cannot be installed on bare metal servers that require BGP/EVPN but does not have a switching silicon.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Components without a switching silicon are:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"tenant servers\ntenant firewalls\nmanagement server","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"There exist two paradigms to use BGP and/or VXLAN/EVPN on non switching bare metal servers: BGP-to-the-host and EVPN-to-the-host. Both describe a setup of Free Range Routing Framework (see frrouting.org) and its configuration. FRR seamlessly integrates with the native Linux IP networking stacks.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Starting with an explanation of the tenant server's BGP-to-the-Host helps to get an insight into the setup of the CLOS network from a bottom-up perspective.","category":"page"},{"location":"overview/networking/#Tenant-Servers:-BGP-to-the-Host","page":"Networking","title":"Tenant Servers: BGP-to-the-Host","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Tenant servers are dual-connected to leaf switches. To communicate with other servers or reach out to external networks they must join a BGP session with each of the leaf switches. Thus, it is required to bring BGP to those hosts (aka BGP-to-the-Host). Each tenant server becomes a BGP router (aka BGP speaker).","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"BGP-to-the-Host is established by installing and configuring FRR. The required FRR configuration for tenant servers is limited to a basic setup to peer with BGP next-hops:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/network/interfaces\n\nauto lo\niface lo inet static\n address 10.0.0.1/32\n\nauto lan0\niface lan0 inet6 auto\n mtu 9000\n\nauto lan1\niface lan1 inet6 auto\n mtu 9000","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 1: Network interfaces of a tenant server.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 1 shows the local interfaces configuration. lan0 and lan1 connect to the leaves. As described, there is no IPv4 address assigned to them (BGP unnumbered). The local loopback has an IPv4 address assigned that is announced by BGP.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The required BGP configuration:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/frr/frr.conf\n\nfrr version 7.0\nfrr defaults datacenter\nlog syslog debugging\nservice integrated-vtysh-config\n!\ninterface lan0\n ipv6 nd ra-interval 6\n no ipv6 nd suppress-ra\n!\ninterface lan1\n ipv6 nd ra-interval 6\n no ipv6 nd suppress-ra\n!\nrouter bgp 4200000001\n bgp router-id 10.0.0.1\n bgp bestpath as-path multipath-relax\n neighbor TOR peer-group\n neighbor TOR remote-as external\n neighbor TOR timers 1 3\n neighbor lan0 interface peer-group TOR\n neighbor lan1 interface peer-group TOR\n neighbor LOCAL peer-group\n neighbor LOCAL remote-as internal\n neighbor LOCAL timers 1 3\n neighbor LOCAL route-map local-in in\n bgp listen range 10.244.0.0/16 peer-group LOCAL\n address-family ipv4 unicast\n redistribute connected\n neighbor TOR route-map only-self-out out\n exit-address-family\n!\nbgp as-path access-list SELF permit ^$\n!\nroute-map local-in permit 10\n set weight 32768\n!\nroute-map only-self-out permit 10\n match as-path SELF\n!\nroute-map only-self-out deny 99\n!","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 2: FRR configuration of a tenant server.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The frr configuration in Listing 2 starts with frr defaults datacenter. This is a marker that enables compile-time provided settings that e.g. set specific values for BGP session timers. This is followed by a directive to state that instead of several configuration files for different purposes a single frr.conf file is used: service integrated-vtysh-config. The two interface specific blocks starting with interface ... enable the RA mechanism that is required for BGP unnumbered peer discovery. There is a global BGP instance configuration router bgp 4200000001 that sets the private ASN. The BGP router configuration contains a setup that identifies the BGP speaker bgp router-id 10.0.0.1. This router id should be unique. It is a good practice to assign the local loopback IPv4 as router-id. To apply the same configuration to several interfaces a peer group named TOR is defined via neighbor TOR peer-group. remote-as external activates external BGP for this peer group. To have a fast convergence, limits of default timers are reduced by timer 1 3 section. The two BGP-peer-facing interfaces are enslaved into the peer-group to inherit the peer-group's setup. Activation of IPv4 unicast protocol is completed with address-family ipv4 unicast. To prevent a tenant server from announcing other paths than lo interface a route-map only-self-out is defined. This route map is activated within the ipv4 address family: neighbor TOR route-map only-self-out out.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Application of the route map only-self-out enables to announce only local ip(s). This is to avoid that a tenant server announces paths to other servers (prevents unwanted traffic). To achieve this:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"the route-map named only-self-out permits only matches against an access list named SELF\naccess list SELF permits only empty path announcements\nthe path of the tenant server itself has no ASN. It is always empty (see line *> 10.0.0.2/32 0.0.0.0 0 32768 ?):\nroot@machine:~# vtysh -c 'show bgp ipv4 unicast'\nBGP table version is 7, local router ID is 10.0.0.2, vrf id 0\nDefault local pref 100, local AS 4200000002\nStatus codes: s suppressed, d damped, h history, * valid, > best, = multipath,\n i internal, r RIB-failure, S Stale, R Removed\nNexthop codes: @NNN nexthop's vrf id, < announce-nh-self\nOrigin codes: i - IGP, e - EGP, ? - incomplete\n\n Network Next Hop Metric LocPrf Weight Path\n*= 0.0.0.0/0 lan1 0 4200000012 4200000040 i\n*> lan0 0 4200000011 4200000040 i\n*= 10.0.0.1/32 lan1 0 4200000012 4200000001 ?\n*> lan0 0 4200000011 4200000001 ?\n*> 10.0.0.2/32 0.0.0.0 0 32768 ?\n*= 10.0.0.78/32 lan1 0 4200000012 4200000001 ?\n*> lan0 0 4200000011 4200000001 ?\n\nDisplayed 4 routes and 7 total paths\nThat is why only the self ip (loopback ip) is announced.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To allow for peering between FRR and other routing daemons on a tenant server a listen range is specified to accept iBGP sessions on the network 10.244.0.0/16. Therewith it gets possible that pods / containers like metal-lb with IPs of this range may peer with FRR.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"This is the only place where we use iBGP in our topology. For local peering this has the advantage, that we don't need an additional ASN that has to be handled / pruned in the AS-path of routes. Routes coming from other routing daemons look as if they are configured on the tenant server's lo interface from the viewpoint of the leaves. iBGP routes are differently handled than eBGP routes in BGPs best path algorithm. Generally BGP has the rule to prefer eBGP routes over iBGP routes (see 'eBGP over iBGP' ). BGP adds automatically an weight based on the route type. To overcome this issue, we set the weight of iBGP routes to the same weight that eBGP routes have, namely 32768 (set weight 32768). Without this configuration we will only get a single route to the IPs announced via iBGP. So this setting is essential for HA/failover!","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Statistics of the established BGP session can be viewed locally from the tenant server via: sudo vtysh -c 'show bgp ipv4 unicast'","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To establish this BGP session a BGP setup is required on the leaves as well.","category":"page"},{"location":"overview/networking/#Leaf-Setup","page":"Networking","title":"Leaf Setup","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Every leaf switch is connected to every spine switch. Tenant servers can be distributed within the data center and thus be connected to different leaves. Routing for tenant servers is isolated in unique VRFs. These constraints imply several configuration requirements for the leaf and spine switches:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"leaves define tenant VRFs\nleaves terminate VXLAN tunnels (aka \"VXLAN tunnel endpoint\" = VTEP)","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The leaf setup requires the definition of a tenant VRF that enslaves the tenant server facing interfaces:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/network/interfaces\n\n# [...]\n\niface vrf3981\n vrf-table auto\n\niface swp1\n mtu 9000\n post-up sysctl -w net.ipv6.conf.swp1.disable_ipv6=0\n vrf vrf3981\n\n# [...]","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 3: Fragment that shows swp1 being member of vrf vrf3981.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"There is a VRF definition iface vrf3981 to create a distinct routing table and a section vrf vrf3981 that enslaves swp1 (connects the tenant server) into the VRF. Those host facing ports are also called edge ports.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Additional to the VRF definition the leaf must be configured to provide and connect a VXLAN interface to establish a VXLAN tunnel. This network virtualization begins at the leaves. Therefore, the leaves are also called Network Virtualization Edges (NVEs). The leaves encapsulate and decapsulate VXLAN packets.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/network/interfaces\n\n# [...]\n\niface bridge\n bridge-ports vni3981\n bridge-vids 1001\n bridge-vlan-aware yes\n\niface vlan1001\n mtu 9000\n vlan-id 1001\n vlan-raw-device bridge\n vrf vrf3981\n\niface vni3981\n mtu 9000\n bridge-access 1001\n bridge-arp-nd-suppress on\n bridge-learning off\n mstpctl-bpduguard yes\n mstpctl-portbpdufilter yes\n vxlan-id 3981\n vxlan-local-tunnelip 10.0.0.11\n\n# [...]","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 4: Fragment that shows VXLAN setup for vrf vrf3981.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"All routing happens in the context of the tenant VRF. To send and receive packets of a VRF, several interface are in place.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"A bridge is used to attach VXLAN interface bridge-ports vni3981 and map its local VLAN to a VNI. Router MAC addresses of remote VTEPs are installed over this interface.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The Routed VLAN Interface or Switched Virtual Interface (SVI) iface vlan1001 is configured corresponding to the per-tenant VXLAN interface. It is attached to the tenant VRF. Remote host routes are installed over this SVI. The vlan-raw-device bridge is used to associate the SVI with the VLAN aware bridge. For a packet received from a locally attached host the SVI interface corresponding to the VLAN determines the VRF vrf vrf3981.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The VXLAN interface iface vni3981 defines a tunnel address that is used for the VXLAN tunnel header vlxan-local-tunnelip 10.0.0.11. This VTEP IP address is typically the loopback device address of the switch. When EVPN is provisioned, data plane MAC learning for VXLAN interfaces must be disabled because the purpose of EVPN is to exchange MACs between VTEPs in the control plane: bridge-learning off. EVPN is responsible for installing remote MACs. bridge-arp-nd-suppress suppresses ARP flooding over VXLAN tunnels. Instead, a local proxy handles ARP requests received from locally attached hosts for remote hosts. ARP suppression is the implementation for IPv4; ND suppression is the implementation for IPv6. It is recommended to enable ARP suppression on all VXLAN interfaces. Bridge Protocol Data Unit (BPDU) are not transmitted over VXLAN interfaces. So as a good practice bpduguard and pbdufilter are enabled with mstpctl-bpduguard yes and mstpctl-portbpdufilter yes. These settings filter BPDU and guard the spanning tree topology from unauthorized switches affecting the forwarding path. vxlan-id 3981 specifies the VXLAN Network Identifier (VNI). The type of VNI can either be layer-2 (L2) or layer-3 (L3). This is an implicit thing. A VNI is a L3 VNI (L3VNI) when a mapping exists that maps the VNI to a VRF (configured in /etc/frr/frr.conf) otherwise it is a L2 VNI (L2VNI).","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/frr/frr.conf\n# [...]\nvrf vrf3981\n vni 3981\n exit-vrf\n#[...]\nrouter bgp 4200000011\n# [...]\n address-family ipv4 unicast\n redistribute connected route-map LOOPBACKS\n # [...]\n address-family l2vpn evpn\n neighbor FABRIC activate\n advertise-all-vni\n exit-address-family\n# [...]\nrouter bgp 4200000011 vrf vrf3981\n # [...]\n address-family ipv4 unicast\n redistribute connected\n neighbor MACHINE maximum-prefix 100\n exit-address-family\n !\n address-family l2vpn evpn\n advertise ipv4 unicast\n exit-address-family\n\n# [...]\nroute-map LOOPBACKS permit 10\n match interface lo\n# [...]","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 5: Leaf FRR configuration.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 5 shows the required FRR configuration of the BGP control plane. Only content not discussed so far is explained. The section vrf vrf3981 contains the mapping from layer-3 VNI to VRF. This is required to be able to install EVPN IP prefix routes (type-5 routes) into the routing table. Further the file contains a global BGP instance router bgp 4200000011 definition. A new setting redistribute connected route-map LOOPBACKS is in place to filter the redistribution of routes that are not matching the local loopback interface. The route-map is defined with route-map LOOPBACKS permit 10. With the configuration line address-family l2vpn evpn, the EVPN address family is enabled between BGP neighbours. advertise-all-vni makes the switch a VTEP configures it in such a way, that all locally configured VNIs should be advertised by the BGP control plane.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The second BGP instance configuration is specific to the tenant VRF router bgp 4200000011 vrf vrf3981. This VRF BGP instance configures the l2vpn evpn address family with advertise ipv4 unicast to announce IP prefixes in BGP's routing information base (RIB). This is required to apply learned routes to the routing tables of connected hosts. The Maximum-Prefix feature is useful to avoid that a router receives more routes than the router memory can take. The maximum number of prefixes a tenant server is allowed to announce is limited to 100 with: neighbor MACHINE maximum-prefix 100.","category":"page"},{"location":"overview/networking/#Spine-setup","page":"Networking","title":"Spine setup","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"On the spine switches the setup is quite simple. /etc/network/interfaces contains the loopback interface definition to support BGP unnumbered and listings for connected switch ports to provide proper MTUs (Listing 6). I.e. swp1 is configured with an MTU of 9216 as it is a VXLAN-facing interface.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/network/interfaces\n# [...]\niface swp1\n mtu 9216","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 6: Fragment of spine interface configuration.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The spines are important to forward EVPN routes and transport VXLAN packets between the VTEPs. They are not configured as VTEPs. The FRR configuration only contains the already known global BGP instance configuration router bgp 4200000020 plus the activation of the l2vpn evpn address family address-family l2vpn evpn to enable EVPN type-5 route forwarding (Listing 7).","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"hostname spine01\nusername admin nopassword\n!\n# [...]\ninterface swp1\n ipv6 nd ra-interval 6\n no ipv6 nd suppress-ra\n!\n# [...]\n!\nrouter bgp 4200000020\n # [...]\n!\n address-family l2vpn evpn\n neighbor FABRIC activate\n exit-address-family\n!\n# [...]","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 7: Fragment of spine FRR configuration to show the activated L2VPN EVPN address-family.","category":"page"},{"location":"overview/networking/#Tenant-Firewalls:-EVPN-to-the-Host","page":"Networking","title":"Tenant Firewalls: EVPN-to-the-Host","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"In case a tenant server needs to reach out to external networks as the Internet, a tenant firewall is provisioned. The firewall is a bare metal server without a switching silicon. Thus, there is no installation of SONiC. FRR provides the BGP / EVPN functionality known as EVPN-to-the-host. The firewall is configured as a VTEP and applies dynamic route-leaking to install routes of an foreign VRF. The set of routes that are leaked are restricted with route-maps.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"As Listing 8 shows, the firewall is configured with VXLAN interfaces as known from the leaf setup. Additionally, a VXLAN setup for VRF vrfInternet is added to provide Internet access. vrfInternet contains a route to the Internet that will be leaked into the tenant VRF.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Traffic that originates from the tenant network 10.0.0.0/22 will be masqueraded before leaving the interface vlanInternet towards the internet.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/network/interfaces\n# [...]\niface bridge\n# [...]\niface vlan1001\n# [...]\niface vni3981\n# [...]\niface vrf3981\n# [...]\niface vlanInternet\n mtu 9000\n vlan-id 4009\n vlan-raw-device bridge\n vrf vrfInternet\n address 185.1.2.3\n post-up iptables -t nat -A POSTROUTING -s 10.0.0.0/22 -o vlanInternet -j MASQUERADE\n pre-down iptables -t nat -D POSTROUTING -s 10.0.0.0/22 -o vlanInternet -j MASQUERADE\n\niface vniInternet\n mtu 9000\n bridge-access 4009\n mstpctl-bpduguard yes\n mstpctl-portbpdufilter yes\n vxlan-id 104009\n vxlan-local-tunnelip 10.0.0.40\n\niface vrfInternet\n mtu 9000\n vrf-table auto","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 8: Interfaces configuration of firewall to show the VTEP interface configuration.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To install a default route into the routing table of tenant VRF vrf3981 a dynamic route leak is established for it (import vrf vrfInternet). With the help of a route-map import vrf route-map vrf3981-import-map only the default route will be leaked:","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"root@firewall01:~# vtysh -c 'show ip route vrf vrf3981'\n# [...]\nVRF vrf3981:\nS>* 0.0.0.0/0 [1/0] is directly connected, vrfInternet(vrf vrfInternet), 03:19:26\nB>* 10.0.0.1/32 [20/0] via 10.0.0.12, vlan1001 onlink, 02:34:48\n * via 10.0.0.11, vlan1001 onlink, 02:34:48\nB>* 10.0.0.2/32 [20/0] via 10.0.0.12, vlan1001 onlink, 02:34:49\n * via 10.0.0.11, vlan1001 onlink, 02:34:49","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To receive responses from vrfInternet in vrf3981 a route is leaked into vrfInternet as well (import vrf vrf3981) restricted with the route-map vrfInternet-import-map that allows leaking of the tenant routes as well as internet prefixes used on worker nodes of the tenant. To limit the prefixes that are announced from the firewall within the global BGP instance a route-map only-self-out is defined and applied within the ipv4 and l2vpn evpn address family. Together with the definition of an as path access list bgp as-path access-list it avoids the announcement of prefixes to non VRF BGP peers.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/frr/frr.conf\n!\nvrf vrf3981\n vni 3981\n!\nvrf vrfInternet\n vni 104009\n!\n# [...]\n!\nrouter bgp 4200000040\n # [...]\n !\n address-family ipv4 unicast\n # [...]\n neighbor FABRIC route-map only-self-out out\n exit-address-family\n !\n!\nrouter bgp 4200000040 vrf vrf3981\n # [...]\n address-family ipv4 unicast\n redistribute connected\n import vrf vrfInternet\n import vrf route-map vrf3981-import-map\n # [...]\n address-family l2vpn evpn\n advertise ipv4 unicast\n # [...]\nrouter bgp 4200000040 vrf vrfInternet\n # [...]\n address-family ipv4 unicast\n redistribute connected\n import vrf vrf3981\n import vrf route-map vrfInternet-import-map\n # [...]\n address-family l2vpn evpn\n advertise ipv4 unicast\n # [...]\n bgp as-path access-list SELF permit ^$\n!\nroute-map only-self-out permit 10\n match as-path SELF\n!\nroute-map only-self-out deny 99\n!\nroute-map LOOPBACKS permit 10\n match interface lo\n!\nip prefix-list vrf3981-import-prefixes seq 100 permit 0.0.0.0/0\n!\nroute-map vrf3981-import-map permit 10\n match ip address prefix-list vrf3981-import-prefixes\n!\nroute-map vrf3981-import-map deny 99\n!\nip prefix-list vrfInternet-import-prefixes seq 100 permit 10.0.0.0/22 le 32\nip prefix-list vrfInternet-import-prefixes seq 101 permit 185.1.2.0/24 le 32\nip prefix-list vrfInternet-import-prefixes seq 102 permit 185.27.0.0/27 le 32\n!\nroute-map vrfInternet-import-map permit 10\n match ip address prefix-list vrfInternet-import-prefixes\n!\nroute-map vrfInternet-import-map deny 99\n!\nline vty\n!","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 9: FRR configuration of a tenant firewall to show route leak and prefix announcement filtering.","category":"page"},{"location":"overview/networking/#Exit-Switch","page":"Networking","title":"Exit Switch","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Traffic to external networks is routed via the firewalls to the exit switch. The exit switch, as an exception, connects to the Internet Service Provider using numbered BGP. Numbered BGP implies to assign IPv4 addresses to network interfaces (See Listing 10, swp1). Interface swp1 is enslaved into vrf vrfInternet to include the port that is connected to the ISP within the VRF that is expected to contain a way into the Internet. The exit switch is configured to be a VTEP to terminate traffic coming from the firewall VRF vrfInternet.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/network/interfaces\n# [...]\niface swp1\n mtu 9000\n vrf vrfInternet\n address 172.100.0.2/30\n# [...]\niface vlan4000\n mtu 9000\n address 10.0.0.71/24\n vlan-id 4000\n vlan-raw-device bridge\n# [...]\niface vlanInternet\n# [...]\niface vniInternet\n# [...]\niface vrfInternet\n# [...]","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 10: Fragment of interfaces configuration of exit switch.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"The configuration of FRR is equivalent to the previously discussed ones. It contains a global BGP instance configuration that enables IPv4 unicast and l2vpn evpn address families. The vrfInternet BGP instance defines neighbor 172.100.0.1 peer-group INTERNET to use \"old style BGP\" transit network.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# [..]\nvrf vrfInternet\n vni 104009\n!\n# [...]\nrouter bgp 4200000031\n bgp router-id 10.0.0.31\n neighbor FABRIC peer-group\n neighbor FABRIC remote-as external\n neighbor FABRIC timers 1 3\n # [...]\n !\n address-family ipv4 unicast\n neighbor FABRIC activate\n redistribute connected route-map LOOPBACKS\n exit-address-family\n !\n address-family l2vpn evpn\n neighbor FABRIC activate\n advertise-all-vni\n exit-address-family\n!\nrouter bgp 4200000031 vrf vrfInternet\n bgp router-id 10.0.0.31\n bgp bestpath as-path multipath-relax\n neighbor INTERNET peer-group\n neighbor INTERNET remote-as external\n neighbor INTERNET timers 1 3\n neighbor 172.100.0.1 peer-group INTERNET\n !\n address-family ipv4 unicast\n neighbor INTERNET route-map PREPEND-PATH-TO-DISFAVOR-IN in\n neighbor INTERNET route-map PREPEND-PATH-TO-DISFAVOR-OUT out\n exit-address-family\n\n !\n address-family l2vpn evpn\n advertise ipv4 unicast\n exit-address-family\n!\nroute-map LOOPBACKS permit 10\n match interface lo\n!\nroute-map PREPEND-PATH-TO-DISFAVOR-IN permit 10\n set as-path prepend last-as 2\n!\nroute-map PREPEND-PATH-TO-DISFAVOR-OUT permit 10\n set as-path prepend last-as 2\n!\nvrf mgmt\n ip route 10.0.0.0/24 10.0.0.71 nexthop-vrf default\n exit-vrf\n!\nip route 0.0.0.0/0 192.168.0.254 nexthop-vrf mgmt\n!\nline vty\n!","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 11: Fragment of FRR configuration on exit switch to give an example for numbered BGP and route leak.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"In addition to the standard BGP setup the exit switches have configured static route leak to support internet access during PXE. There is one route leak from default VRF into the mgmt VRF defined with: ip route 0.0.0.0/0 192.168.0.254 nexthop-vrf mgmt and another one from mgmt VRF into the default VRF: ip route 10.0.0.0/24 10.0.0.71 nexthop-vrf default. The first one adds a default route into the default VRF and the second one routes traffic destined to the PXE network back from mgmt VRF into the default VRF.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To reach out into external networks each of the exit nodes joins a BGP session with a distinct external router. There is a different latency to each of these routers. To favor routes of exit nodes connected with lower latency over exit nodes with higher latency two route maps PREPEND-PATH-TO-DISFAVOR-IN and PREPEND-PATH-TO-DISFAVOR-OUT are added to high latency exit nodes. These route maps apply actions to prolong the path of the incoming and outgoing routes. Because of this path extension BGP will calculate a lower weight for these paths and favors paths via other exit nodes. It is important to know that within an address family only one route map (the last) will be applied. To apply more than one actions within a route-map the required entries can be applied to a single route-map.","category":"page"},{"location":"overview/networking/#PXE-Boot-Mode","page":"Networking","title":"PXE Boot Mode","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Before a bare metal server can act as tenant server or tenant firewall, it has to be provisioned. Within the Metal domain, this provisioning mode is called \"PXE Mode\" since it is based on Preboot eXecution Environment (PXE). PXE uses protocols like DHCP. This requires all bare metal servers that need provisioning to be located in a layer-2 domain where DHCP is available. This domain is a VLAN vlan4000. A DHCP server for PXE Mode is installed on the exit switches to work in this specific VLAN.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/default/isc-dhcp-server\nINTERFACES=\"vlan4000\"","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 13: DHCP server configuration of exit switches.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"As shown in listing 13, the PXE DHCP server is located on the exit switches and enforced to bind to interface vlan4000. This represents a layer-2 separation that allows only DHCP clients in the same VLAN to request IP addresses. Only unprovisionned bare metal servers are configured to be member of this VLAN. Thus unwanted or accidental provisionning is impossible.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To provide vlan4000 on the leaves (that face the bare metal servers) the exit and leaf switches are configured as VTEPs and share an interface configuration that contains the required interfaces (Listing 13). Since no EVPN routing is in place vni104000 is configured as an L2 VNI (there is no mapping for this VNI in /etc/frr/frr.conf).","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/network/interfaces\n# [...]\niface bridge\n bridge-ports vni104000 [...]\n bridge-vids 4000 [...]\n bridge-vlan-aware yes\n\niface vlan4000\n# [...]\n\niface vni104000\n# [...]","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 13: Interfaces configuration on exit and leaf switches to show DHCP/PXE related fragments.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"On the leaf switches the bare metal server facing ports are configured as VLAN access ports to carry the traffic for only the PXE VLAN vlan4000 (listing 14)to separate unprovisioned from other bare metal servers.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"# /etc/network/interfaces\n# [...]\nauto swp1\niface swp1\n mtu 9000\n bridge-access 4000\n# [...]","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Listing 14: VLAN access setup for bare metal server facing ports on leaves.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"Once a bare metal server is provisioned it is deconfigured from PXE VLAN vlan4000 to avoid accidental or unwanted provisioning.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"During provisioning bare metal servers get internet access via the management network of the exit switches. This is because the exit switches are announced as DHCP gateway to the DHCP clients.","category":"page"},{"location":"overview/networking/#Management-Network","page":"Networking","title":"Management Network","text":"","category":"section"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To manage network switches beside the out-of-band system console access a further management access is required. For this purpose the concept of Management VRF is applied. The Management VRF is a subset of VRF. It provides a separation between out-of-band management network and the in-band data plane network by introducing another routing table mgmt. SONiC supports eth0 to be used as the management interface.","category":"page"},{"location":"overview/networking/","page":"Networking","title":"Networking","text":"To enable and use the Management VRF all switches have to be connected via their eth0 interface to a management-switch. The management switch is connected to a management server. All access is established from within the management server. Logins to the switch are set into the Management VRF context once the Management VRF is enabled.","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_usage/#metalctl-size-reservation-usage","page":"metalctl size reservation usage","title":"metalctl size reservation usage","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_usage/","page":"metalctl size reservation usage","title":"metalctl size reservation usage","text":"see current usage of size reservations","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_usage/","page":"metalctl size reservation usage","title":"metalctl size reservation usage","text":"metalctl size reservation usage [flags]","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_usage/#Options","page":"metalctl size reservation usage","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_usage/","page":"metalctl size reservation usage","title":"metalctl size reservation usage","text":" -h, --help help for usage\n --partition string the partition to filter\n --project string the project to filter\n --size-id string the size-id to filter\n --sort-by strings sort by (comma separated) column(s), sort direction can be changed by appending :asc or :desc behind the column identifier. possible values: amount|id|partition|project|size|used-amount","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_usage/#Options-inherited-from-parent-commands","page":"metalctl size reservation usage","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_usage/","page":"metalctl size reservation usage","title":"metalctl size reservation usage","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_size_reservation_usage/#SEE-ALSO","page":"metalctl size reservation usage","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_size_reservation_usage/","page":"metalctl size reservation usage","title":"metalctl size reservation usage","text":"metalctl size reservation\t - manage reservation entities","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware/#metalctl-machine-update-firmware","page":"metalctl machine update-firmware","title":"metalctl machine update-firmware","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware/","page":"metalctl machine update-firmware","title":"metalctl machine update-firmware","text":"update a machine firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware/#Options","page":"metalctl machine update-firmware","title":"Options","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware/","page":"metalctl machine update-firmware","title":"metalctl machine update-firmware","text":" -h, --help help for update-firmware","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware/#Options-inherited-from-parent-commands","page":"metalctl machine update-firmware","title":"Options inherited from parent commands","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware/","page":"metalctl machine update-firmware","title":"metalctl machine update-firmware","text":" --api-token string api token to authenticate. Can be specified with METALCTL_API_TOKEN environment variable.\n --api-url string api server address. Can be specified with METALCTL_API_URL environment variable.\n -c, --config string alternative config file path, (default is ~/.metalctl/config.yaml).\n Example config.yaml:\n \n ---\n apitoken: \"alongtoken\"\n ...\n \n \n --debug debug output\n --force-color force colored output even without tty\n --kubeconfig string Path to the kube-config to use for authentication and authorization. Is updated by login. Uses default path if not specified.\n --no-headers do not print headers of table output format (default print headers)\n -o, --output-format string output format (table|wide|markdown|json|yaml|template), wide is a table with more columns. (default \"table\")\n --template string output template for template output-format, go template format.\n For property names inspect the output of -o json or -o yaml for reference.\n Example for machines:\n \n metalctl machine list -o template --template \"{{ .id }}:{{ .size.id }}\"\n \n \n --yes-i-really-mean-it skips security prompts (which can be dangerous to set blindly because actions can lead to data loss or additional costs)","category":"page"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware/#SEE-ALSO","page":"metalctl machine update-firmware","title":"SEE ALSO","text":"","category":"section"},{"location":"external/metalctl/docs/metalctl_machine_update-firmware/","page":"metalctl machine update-firmware","title":"metalctl machine update-firmware","text":"metalctl machine\t - manage machine entities\nmetalctl machine update-firmware bios\t - update a machine BIOS\nmetalctl machine update-firmware bmc\t - update a machine BMC","category":"page"}] }