IBM Z ScaleUp Program - Group home

Bringing up Container based Workloads on LinuxONE zVSI

  

1.    Goal of the Tutorial

This is a beginner’s tutorial on how you can eventually run your workload on IBM Cloud Hyper Protect Virtual Server. In this tutorial we start with IBM Cloud LinuxONE zVSI; in the next tutorial we bring up the same workload on Hyper Protect Virtual Server for VPC (HPVS for VPC).

2.    Prerequisites / Points to Note

a) We strongly recommend reviewing the IBM Cloud official documentation before proceeding, as it is the primary source of the latest information.

b) Ensure you have a valid IBM Cloud account. Refer to this documentation.

c) This article uses the IBM Cloud UI to take you through the steps, but the same can be achieved through the IBM Cloud VPC CLI, the IBM Cloud VPC REST APIs and the corresponding Terraform provider.

d) The IBM Cloud UI menus might change in the future. Please contact hpa@ibm.com if there are any questions on the documentation.

3.    How do we plan to achieve this?

In this tutorial, we will bring up an instance of LinuxONE zVSI with PostgreSQL. In the subsequent tutorial, we will use HPVS for VPC to bring up the same workload.

4.    What is LinuxONE zVSI and what is Hyper Protect Virtual Server for VPC?

Both LinuxONE zVSI and Hyper Protect Virtual Server for VPC are IBM Cloud VPC offerings for IBM Z (LinuxONE). LinuxONE zVSI provides virtual servers as a service: an easy and simple way to get started with IBM Z based virtual servers in the cloud, using the stock images that IBM Cloud provides to create a LinuxONE based virtual server in a few minutes. Hyper Protect Virtual Server for VPC is a ‘Confidential Computing’ container offering built on the LinuxONE Secure Execution technology: your containers run inside a hardware-based secure enclave, so the memory of the workload is protected from the host and from cloud administrators while it runs. You can read more about HPVS here.

5.    What are the high-level stages?

a.      Bring up a PostgreSQL container-based workload on zVSI (this tutorial)

b.      Bring up a PostgreSQL container-based workload on HPVS for VPC (Next Tutorial)

Let’s get started with the first stage.

6.    Bring up PostgreSQL workload on LinuxONE zVSI

You should be able to finish all the steps in this section in 15 minutes or less, including preparation time (excluding account registration). Creating the LinuxONE zVSI instance itself takes only a few seconds.

6.1 Create a LinuxONE zVSI instance:

Login to IBM Cloud and from the left-hand side panel, select VPC Infrastructure and go to the Virtual Server page:

6.1.1 VPC virtual server create flow – select IBM Z

Click on the “Create” button on the right-hand side to reach the Virtual Server for VPC page. Select a Region of your choice.

               

6.1.2 zVSI name

Give an intuitive name of your choice to the zVSI instance you are creating. I have used “mypostgresql” for my instance below.

6.1.3 Image and Profile

From the ‘Image and Profile’ section, click on “Change image”, select “IBM Z, LinuxONE architecture” and pick an image of your choice, either ibm-ubuntu-* or ibm-sles-*. In the example below, I have selected an ibm-ubuntu-22-04-3-* image.

Click on “save” after selecting the image.

You can now click on the “Change Profile” link to select a profile of your choice. Ensure that the Processor Type is ‘IBM Z’ in the ‘Instance profile’ window.

6.1.4 SSH key to login to the zVSI

To be able to SSH into the zVSI instance that we create, we need to provide an SSH public key as input. If you already have a key pair, use its public key; otherwise create a new one (click on “Create an SSH key”). Only the public key is uploaded to IBM Cloud; the private key stays on your machine and is what you will use to log in in section 6.1.12.

6.1.5 Additional disk

You can opt for more storage than what comes with your zVSI instance, and it is highly recommended for production workloads. However, for this simple example we will not add additional volumes. We can explore that in a later post.

6.1.6 Create VPC and subnet

Go ahead and create your VPC and subnet if you are doing this for the first time or re-use the existing ones.

6.1.7 Advanced Options

I am going to keep the advanced options as it is and make no changes there:

6.1.8 Create Virtual Server

Now, from the right-hand side, let’s go ahead and click on “Create Virtual Server”.

You should now see your zVSI instance starting up:

6.1.9 zVSI Serial Console

To know whether your instance is booting up fine, right-click on the instance and select “Open Serial Console”. cloud-init, which the stock images use, prints the SSH host key fingerprints to this console during boot; keep a copy of that output so you can verify the host key the first time you SSH in (section 6.1.12).

You will see your VM boot logs:

6.1.10 zVSI Details

You can also click on the zVSI instance to view more details, as seen below:

6.1.11 zVSI Public Access – Floating IP Assignment

While the zVSI instance is up and running, it does not yet have a public IP. It comes with a private IP, which is enough if you only need to reach it from other instances in the same VPC subnet. In this example, I assume that the workload on the zVSI needs to be accessed externally, so we attach a Floating IP (a publicly routable IP) to the instance. Note that this makes the instance reachable from the internet; which ports are actually open is controlled by the security groups attached to its network interface (see section 6.2.4). For this, go to the “Floating IP” page from the left-hand side panel:

You can click on the “Reserve IP” button to reserve a public IP for this instance:

Now right-click on the reserved IP and bind it to the zVSI instance, so that we can SSH into the zVSI instance using this public IP.

6.1.12 SSH into the zVSI instance using Floating IP

Go back to the “Virtual Server Instance” page. You should now be able to see this public IP in the Floating IP column against your zVSI instance. Now, use this IP and your SSH private key to SSH into the zVSI instance:

You have now successfully created your own instance of zVSI !!
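On the very first connection, ssh has no record of the zVSI’s host key and will ask you to accept whatever key the floating IP presents. The script below is an added example, not part of the original tutorial: it checks that key against the fingerprints that cloud-init printed on the serial console (section 6.1.9) before you log in. It assumes you have saved the console output to a file, that the stock Ubuntu image runs cloud-init with its default modules (which print a block between “-----BEGIN SSH HOST KEY FINGERPRINTS-----” and “-----END SSH HOST KEY FINGERPRINTS-----”), and that ssh-keyscan and ssh-keygen from OpenSSH are installed on your client. The IP address, key path and the root login user in the usage comment are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): check the SSH host key a
# zVSI presents on first login against the fingerprints cloud-init printed
# on the serial console, so a man-in-the-middle on the floating IP cannot
# hand you a substitute key unnoticed.
set -u

# Collect "SHA256:..." fingerprints from a saved serial-console log ($1).
# Only the cloud-init BEGIN/END block is read, so other SHA256 strings in
# the boot log are ignored. Output is sorted and de-duplicated.
fingerprints_from_console() {
    sed -n '/BEGIN SSH HOST KEY FINGERPRINTS/,/END SSH HOST KEY FINGERPRINTS/p' "$1" \
        | grep -o 'SHA256:[A-Za-z0-9+/=]*' \
        | sort -u
}

# Fetch the live host's public host keys and fingerprint them locally.
# ssh-keyscan only reads public keys; nothing here trusts the host yet.
fingerprints_from_host() {
    ssh-keyscan -T 5 "$1" 2>/dev/null \
        | ssh-keygen -lf - \
        | grep -o 'SHA256:[A-Za-z0-9+/=]*' \
        | sort -u
}

# Succeed only if every fingerprint the host offers ($2, newline separated)
# also appears in the console list ($1). An empty host list is a failure:
# no answer is not the same as a matching answer.
compare_fingerprints() {
    local console_fps="$1" host_fps="$2" fp
    [ -n "$host_fps" ] || return 1
    for fp in $host_fps; do
        printf '%s\n' "$console_fps" | grep -qFx "$fp" || return 1
    done
    return 0
}

# verify_host_key CONSOLE_LOG HOST -> 0 if the key matches, 1 on mismatch,
# 2 if the console log contained no fingerprint block at all.
verify_host_key() {
    local console_log="$1" host="$2" expected actual
    expected=$(fingerprints_from_console "$console_log")
    if [ -z "$expected" ]; then
        echo "no SSH host key fingerprints found in $console_log" >&2
        return 2
    fi
    actual=$(fingerprints_from_host "$host")
    if compare_fingerprints "$expected" "$actual"; then
        echo "host key of $host matches the serial console"
        return 0
    fi
    echo "MISMATCH: host key of $host is not in the serial console output; do not log in" >&2
    return 1
}

# Usage (IP, key path and login user are placeholders):
#   ./verify-host-key.sh console.log 203.0.113.10 && ssh -i ~/.ssh/zvsi_key root@203.0.113.10
if [ "$#" -eq 2 ]; then
    verify_host_key "$1" "$2"
fi
```

The serial console is delivered over your authenticated IBM Cloud session, not over the network path you are about to trust, which is what makes it a usable second channel for this comparison. Once the key has been accepted it is stored in ~/.ssh/known_hosts and ssh itself will flag any later change.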

6.2 Bring up container-based PostgreSQL workload

6.2.1 Install docker and docker compose

Now that we have our first instance of LinuxONE zVSI up and running, let’s go to the next step of bringing up a PostgreSQL workload on it. As our eventual goal is to run the same workload on HPVS for VPC, we take the container approach. The zVSI image does not come with any container runtime, so in this example we will use Docker to bring up the workload.

As the next steps, we install Docker and Docker Compose. In this example, I referred to the official Docker documentation to install these on the zVSI. Keep in mind that a zVSI is an s390x machine, so you need the s390x packages and binaries. The approach I followed in this example is this.

After installing Docker, let’s install Docker Compose. HPVS for VPC internally supports Docker Compose (single OCI container) or Podman Play (multiple OCI containers), so using Docker Compose at this stage makes it easy to switch over to HPVS later.

Below is merely for reference. Please follow the official documentation for accurate instructions:

# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl gnupg
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg

# Add the repository to Apt sources. dpkg reports s390x on a zVSI, so the s390x packages are selected without any manual change:
echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# docker-compose-plugin above already provides the "docker compose" subcommand. The standalone binary below is only needed for the hyphenated docker-compose command used in the rest of this tutorial. Note the s390x build and the pinned release; writing to /usr/local/bin needs root, hence sudo:
sudo curl -SL https://github.com/docker/compose/releases/download/v2.23.0/docker-compose-linux-s390x -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
docker-compose --version
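The curl line above installs whatever bytes the download returned and marks them executable. The script below is an added example, not from the original tutorial or from Docker: it installs the same pinned release only after its SHA-256 matches the checksum file published next to it on the release page. The release version v2.23.0 and the asset name docker-compose-linux-s390x are the ones used above; that a “.sha256” sidecar file exists for the asset, and the names checked_install and install_compose, are our assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial or from Docker): install the
# standalone docker-compose binary only after its SHA-256 matches the checksum
# published with the release, instead of executing whatever curl returned.
set -u

COMPOSE_VERSION="${COMPOSE_VERSION:-v2.23.0}"     # pinned: the version used in this tutorial
COMPOSE_ARCH="${COMPOSE_ARCH:-s390x}"             # zVSI is s390x, not x86_64
COMPOSE_BASE="https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}"
COMPOSE_ASSET="docker-compose-linux-${COMPOSE_ARCH}"
# Assumption: each release asset has a "<asset>.sha256" sidecar whose first
# field is the hex digest, in the format sha256sum produces.

# checked_install FILE SUMFILE DEST: compare FILE's SHA-256 with the first
# field of SUMFILE and copy it to DEST with mode 0755 only if they agree.
# A missing or empty SUMFILE is treated as a mismatch, never as "no check".
checked_install() {
    local file="$1" sumfile="$2" dest="$3" expected actual
    expected=$(awk 'NR == 1 { print $1 }' "$sumfile" 2>/dev/null)
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $file: expected '${expected:-<none>}', got '$actual'" >&2
        return 1
    fi
    # install(1) copies and sets the mode in one step, so the file never
    # sits in DEST's directory with the wrong permissions.
    install -m 0755 "$file" "$dest"
}

# Download binary and checksum into a scratch directory, verify, install.
# Run as root (or via sudo) because of the copy into /usr/local/bin.
install_compose() {
    local tmp rc=1
    tmp=$(mktemp -d) || return 1
    if curl -fsSL "${COMPOSE_BASE}/${COMPOSE_ASSET}" -o "${tmp}/${COMPOSE_ASSET}" \
        && curl -fsSL "${COMPOSE_BASE}/${COMPOSE_ASSET}.sha256" -o "${tmp}/${COMPOSE_ASSET}.sha256" \
        && checked_install "${tmp}/${COMPOSE_ASSET}" "${tmp}/${COMPOSE_ASSET}.sha256" /usr/local/bin/docker-compose; then
        rc=0
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage: sudo ./install-compose.sh install
if [ "${1:-}" = "install" ]; then
    install_compose && docker-compose --version
fi
```

A checksum fetched from the same origin as the binary catches a truncated download, a proxy substituting a different file, or a version that silently moved; it does not protect you against a compromised origin. Pinning the version and keeping the digest you verified in your own notes is what lets you detect the release changing underneath you later.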

6.2.2 Use docker compose to bring up PostgreSQL workload

Now that the container runtime is set up, let us focus on bringing up the workload. Let’s create a simple docker-compose YAML file with the content below. It uses the publicly available PostgreSQL image, pinned by digest so that every pull resolves to the same image bytes rather than whatever the “12” tag happens to point at that day.

Create a file named docker-compose.yaml with the below contents. Use a password of your choice as the value of the “POSTGRES_PASSWORD” environment variable; in the example below I have used “passw0rd”, which you should replace with something stronger. Do not add POSTGRES_HOST_AUTH_METHOD=trust: with that setting the image configures PostgreSQL to accept every client that can reach port 5432 without checking any password, so POSTGRES_PASSWORD is never enforced and, once the floating IP and security group from the following sections are in place, you would have a passwordless superuser database on the internet.

services:
  postgresql:
    image: docker.io/library/postgres:12@sha256:429c57f9ae8f379601df6df7448b0c2c8df4da23d7ba2cb57fee8da8f262eda0
    ports:
      - "5432:5432"
    environment:
      - POSTGRES_PASSWORD=passw0rd

Now run the “docker-compose up -d” command to bring the environment up:

6.2.3 Accessing your PostgreSQL service from within the zVSI instance

Now that the PostgreSQL container is up and running, let’s do a quick check on whether the service is accessible from within the zVSI instance (that is, connect locally). You might have to install the psql client first:

sudo apt install postgresql-client-common postgresql-client

psql -h localhost -p 5432 -U postgres

psql prompts for the password you set in POSTGRES_PASSWORD, and you should then get the PostgreSQL prompt:

6.2.4 Accessing your PostgreSQL service from outside the zVSI instance

At this point, we know that our PostgreSQL instance is accessible locally. Let’s try to access it from outside: from another zVSI or from your laptop, connect to the floating IP on port 5432. You will notice that the connection fails. That is because we have not yet allowed inbound traffic to this port. Let’s do that.

To get this working, we need a security group with an inbound rule that allows TCP port 5432, associated with this zVSI instance. From the left-hand side panel, go to Security groups and create a new security group with an inbound rule for TCP port 5432. Restrict the rule’s source to the IP address or CIDR range of the client you will connect from rather than “Any” (0.0.0.0/0): with an unrestricted rule every host on the internet can reach the database, and the PostgreSQL password is the only thing protecting your data.

Once the security group has been created, go back to the “Virtual Server instances” page, click on the “mypostgresql” instance, open the Network Interfaces section and attach the newly created security group to the interface. In the example below, “postgres” is the name of my security group.

Now try to access your PostgreSQL instance externally again and you should be able to access it.

Hurray! We have now successfully setup the PostgreSQL service (container based) on a LinuxONE zVSI instance and are able to access it externally. Now, you can go ahead and create your database, tables and columns and proceed with using this as the backend DB for any application!
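Before moving on, it is worth checking the two things that together decide how exposed this database is: whether port 5432 is reachable from the network (the security group of section 6.2.4) and whether the container’s pg_hba.conf lets network clients in without a password (the POSTGRES_HOST_AUTH_METHOD setting discussed with the compose file in section 6.2.2). The script below is an added example, not from the original tutorial or the PostgreSQL project. It assumes the service name “postgresql” from the compose file above, the official image’s default data directory /var/lib/postgresql/data, and that you run it from the outside client with bash, GNU timeout and awk available; the pg_hba.conf sample in the usage comment is illustrative and the IP address is a placeholder.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): audit how exposed the
# PostgreSQL container is once a floating IP and a security group are in place.
# Two questions are answered: can port 5432 be reached from here at all, and
# does the container's pg_hba.conf let remote clients in without a password?
set -u

# find_trust_rules PG_HBA_FILE: print every active rule that authenticates a
# network client with "trust" (no password) and return 1 if any exist.
# "local" rules (Unix socket inside the container) and the loopback rules that
# initdb creates by default are skipped: neither is reachable through the
# published port, which delivers traffic from the Docker bridge address.
find_trust_rules() {
    local hits
    hits=$(awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }    # comments, blank lines
        $1 == "local" { next }                           # socket only, no ADDRESS column
        $4 == "127.0.0.1/32" || $4 == "::1/128" { next } # container loopback
        ($1 == "host" || $1 == "hostssl" || $1 == "hostnossl") && $5 == "trust" { print }
    ' "$1")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# port_open HOST PORT: 0 if a TCP connection succeeds within 3 seconds.
# Uses bash's /dev/tcp so no nc or nmap is needed on the client.
port_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# audit_postgres HOST PORT PG_HBA_FILE: returns 1 only for the dangerous
# combination (reachable from the network AND passwordless), 0 otherwise.
audit_postgres() {
    local host="$1" port="$2" hba="$3"
    if ! port_open "$host" "$port"; then
        echo "$host:$port is not reachable from this machine (security group or port binding blocks it)"
        return 0
    fi
    if find_trust_rules "$hba" >/dev/null; then
        echo "$host:$port is reachable; remote clients must authenticate"
        return 0
    fi
    echo "DANGER: $host:$port is reachable and pg_hba.conf lets remote clients in with 'trust':" >&2
    find_trust_rules "$hba" >&2 || true
    return 1
}

# Usage: ./audit-postgres.sh 203.0.113.10 5432 pg_hba.conf
# (pg_hba.conf copied out of the container as shown in the text below)
if [ "$#" -eq 3 ]; then
    audit_postgres "$1" "$2" "$3"
fi
```

To get the file the script inspects, run “docker-compose exec postgresql cat /var/lib/postgresql/data/pg_hba.conf > pg_hba.conf” on the zVSI and copy it to the client you are probing from. With the compose file from section 6.2.2 the last active line is “host all all all md5” and the audit reports that clients must authenticate; had POSTGRES_HOST_AUTH_METHOD=trust been set, the image would have appended “host all all all trust” and the same reachable port would be flagged as a passwordless database.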

6.3 Summary

In the last section, we brought up the LinuxONE zVSI service, which lets us spin up a SUSE or Ubuntu based LinuxONE virtual machine in a few seconds. This is a great environment where you can test, develop and experiment with your workloads. You can SSH into it and run workloads like PostgreSQL either as a systemd service (not covered in this documentation) or as a container-based workload, interactively.

6.4 Next Steps

As the next step, we will see how to get the same workload running in a secure enclave protected by the IBM Secure Execution Confidential Computing technology, which protects data from external and internal threats while it is in use. Check out our next blog on Bringing up Container based workload on HPVS for VPC to learn more. HPVS is strongly recommended for production environments: it ensures that your workload is securely deployed in IBM Cloud through integrity and confidentiality of the boot images, a multi-party contract and other features. Check out the official IBM Cloud documentation on “Confidential Computing with LinuxONE in IBM Cloud” to learn more.

Please like and subscribe to this blog to be notified of new blogs in this blog series, where we will be covering more aspects related to Hyper Protect Virtual Server on VPC. 

Contributors:

Divya K Konoor, Anbazhagan Mani, Sashwat K, Kalaiarasan Panneerselvam, Seenu Suvarna, Abhiram Kulkarni

Comments

Tue November 21, 2023 08:05 AM

If you want a short tag to this tutorial use: https://ibm.biz/hpvs-zvsi-tutorial-1

Tue November 21, 2023 07:52 AM

Great stuff!