Veritas InfoScale™ for Kubernetes Environments 8.0.300 - Linux

Product(s): InfoScale & Storage Foundation (8.0.300)

Configuring InfoScale to enable transfer of keys

You must configure InfoScale to enable a connection with the Key Management Server (KMS) to transfer and save rest certs.

If you have created multiple InfoScale clusters, ensure you run steps 23 to 28 for every cluster.

The rest certs are renewed every three months and the renewed certs must be uploaded to the KMS server. Run steps 23 to 28 every three months for encryption to work.

Note:

After a client rest cert is renewed, ensure that you add the renewed client cert to the client group on the KMS server.

Complete the following steps.

Note:

The following steps describe how to configure IBM Key Management Server. As an administrator, you can configure any KMIP-compliant server. Refer to the procedure of that KMIP-compliant server.

  1. Be ready with the IP address and port number of the Key Management Server (KMS).
  2. Run echo "<IP address of the server >"| base64

    Verify the output as under

    Server output for base64
  3. Run echo "<Port number of the server >"| base64

    Verify the output as under

    Port number output for base64
  4. Copy the following content into a file and save it as infoscale-kmip-secret.yaml.
    apiVersion: v1
    data:
      host: <Server output for base64>
      port: <Port number output for base64>
    kind: Secret
    metadata:
      name: infoscale-kmip-encrypt
      namespace: infoscale-vtas
    type: Opaque
  5. Run kubectl apply -f infoscale-kmip-secret.yaml to deploy the InfoScale secret.
  6. From another terminal, log on to https://www.ibm.com/docs/en/sgklm/4.1.1?topic=objects-registering-client-by-using-graphical-user-interface.
  7. Select Advanced Configuration > Server Certificate. Click Add. The Add SSL/KMIP Certificate screen opens.
  8. Select Request certificate from a third-party provider and enter values for Certificate label and Certificate description.
  9. Click Add Certificate. The certificate is listed as Administer Server Certificates.
  10. Review the Status of the certificate. The status is Certificate is pending.
  11. From the master node, run ssh root@<IP address of the KMS >. Enter the password and log in.
  12. The certificate you just created is listed under /opt/IBM/WebSphere/AppServer/products/sklm/data/ as <Time stamp>_<Certificate name>.csr.

    Note:

    The path might vary depending on the KMS version.

  13. Copy content of /opt/IBM/WebSphere/Liberty/products/sklm/data/<Time stamp>_<Certificate name>.csr into another file <Copy of server cert content>.pem.
  14. Run openssl x509 -req -in <Time stamp>_<Certificate name>.csr -CA infoscale-ca.pem -CAkey infoscale-ca-key.pem -CAcreateserial -out <server-certificate-name> -days 1024 -sha256
  15. Review the output for the following message.
    Signature ok
  16. Copy <Certificate name>.crt to the root directory of the Key Management server.
  17. On the Welcome screen of KMS, click Third-party certificates pending import.
  18. In the Import Certificate screen, click Browse and navigate to the certificate you saved. Click Select.
  19. Run kubectl get secret -n infoscale-vtas.
  20. Review the output for the following
    NAME
    infoscale-ca
  21. Run kubectl get secret -n infoscale-vtas.
  22. Review the output for the following
    NAME
    infoscale-kmip-encrypt
  23. Run kubectl -n <namespace where cr is deployed> get secret infoscale-sds-rest-tls-cert-<cluster-id> -o jsonpath="{.data['tls\.crt']}" | base64 --decode > <kmip-device-client-cert>
  24. Copy <kmip-device-client-cert> to the root directory of the KMS.
  25. On the KMS, select Advanced Configuration > Client Device Certificates. Click Import.
  26. In the Import SSL/KMIP Certificate for Clients window, assign a name and click Browse to select <device-certificate>.crt from the root directory.
  27. Select the checkbox next to Allow the server to trust this certificate with the associated client device.
  28. Click Import.

After a successful configuration, data is more secure and the need to back up keys required during Disaster Recovery is eliminated.
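
The checks below are an added example, not part of the Veritas procedure: they confirm that a certificate signed as in step 14 chains to the CA that signed it, and that a certificate has enough validity left before it is uploaded to the KMS, which matters for the three-month rest cert renewal. The function names and the throwaway demo CA and CSR are constructed for illustration; only openssl is assumed.

```shell
#!/bin/sh
# Added example: pre-upload checks for the certificates in steps 14 and 23.
# Function names are hypothetical; the demo PKI is constructed, not InfoScale's.

# Exit 0 only if the certificate ($2) was signed by the CA in $1.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 only if the certificate ($1) is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Print the SHA-256 fingerprint of the certificate ($1), for comparison
# with the certificate the KMS lists after import.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Build a throwaway CA and CSR (stand-ins for infoscale-ca.pem and the KMS
# CSR), sign the CSR with the step 14 command, and print the working directory.
make_demo_pki() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo-infoscale-ca" \
        -keyout "$d/infoscale-ca-key.pem" -out "$d/infoscale-ca.pem" \
        -days 30 >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-kms" \
        -keyout "$d/kms-key.pem" -out "$d/kms.csr" >/dev/null 2>&1 || return 1
    # Same command as step 14; 10 days instead of 1024 so the expiry check trips.
    openssl x509 -req -in "$d/kms.csr" -CA "$d/infoscale-ca.pem" \
        -CAkey "$d/infoscale-ca-key.pem" -CAcreateserial \
        -out "$d/kms.crt" -days 10 -sha256 >/dev/null 2>&1 || return 1
    echo "$d"
}

# Run every check against the demo PKI; returns 0 when all results are as expected.
demo() {
    dir=$(make_demo_pki) || return 1
    cert_chains_to_ca "$dir/infoscale-ca.pem" "$dir/kms.crt" || return 1
    cert_valid_for_days "$dir/kms.crt" 5 || return 1    # still valid in 5 days
    cert_valid_for_days "$dir/kms.crt" 30 && return 1   # already expired in 30 days
    echo "fingerprint: $(cert_fingerprint "$dir/kms.crt")"
    rm -rf "$dir"
}

demo
```

Against a real deployment, pass infoscale-ca.pem and the signed server certificate to cert_chains_to_ca, and pass the file written in step 23 to cert_valid_for_days with the number of days of margin you want before the next renewal.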

For a DR configuration

  1. Complete steps 1 to 24 on one of the DR sites to configure infoscale-kmip-encrypt and the server certificate. Ensure that you configure infoscale-kmip-encrypt on all the sites. See steps 4 and 5.
  2. Run the following command on the primary site to get the client certificate.

    kubectl -n infoscale-vtas get secret infoscale-sds-rest-tls-cert-<cluster-id> -o jsonpath="{.data['tls\.crt']}" | base64 --decode > <kmip-primary-cert>

  3. Run the following command on the secondary site to get the client certificate.

    kubectl -n infoscale-vtas get secret infoscale-sds-rest-tls-cert-<cluster-id> -o jsonpath="{.data['tls\.crt']}" | base64 --decode > <kmip-secondary-cert>

  4. Log on to https://www.ibm.com/docs/en/sgklm/4.1.1?topic=objects-registering-client-by-using-graphical-user-interface and perform the following steps to register the clients and create a client group.
    • Navigate to Clients > Clients (subsection) > Create > fill details. Enter <kmip-primary-cert> to register client.

    • Similarly, enter <kmip-secondary-cert> to register client.

  5. Log on to https://www.ibm.com/docs/en/sgklm/4.1.1?topic=mcgctco-creating-managing-client-group-by-using-graphical-user-interface. Navigate to Clients > Client Groups (subsection) > Add > Provide Client Group Name > Create. Select clients from the list and click Save.
  6. Run steps 23 to 28 again.