IBM Spectrum Fusion
IBM Spectrum Fusion is a container-native hybrid cloud data platform that offers simplified deployment and data management for Kubernetes applications on Red Hat® OpenShift® Container Platform. IBM Spectrum Fusion is designed to meet the storage requirements of modern, stateful Kubernetes applications and to make it easy to deploy and manage container-native applications and their data on Red Hat OpenShift Container Platform. For more information, read https://www.ibm.com/docs/en/spectrum-fusion/2.3?topic=product-overview.
IBM Spectrum Fusion is an enterprise solution that takes organizations' security policies into account. Most organizations prefer to run data centers in disconnected (air-gapped) environments for security reasons. In line with these business processes, IBM Spectrum Fusion can be deployed from an enterprise registry hosted within the data center with no outbound access, which removes the exposure that outbound connectivity would otherwise create.
Before you start deploying IBM Spectrum Fusion in a disconnected environment, the following prerequisites must be met.
Prerequisites for enterprise installation
- Prepare a secured enterprise registry that supports the v2 manifest and can be reached from both the mirroring host and your cluster network.
- Mirror images to the enterprise registry.
Prepare enterprise registry
Deploy a secure enterprise registry with a certificate signed by a well-known signing authority. Insecure registries and registries with self-signed certificates are not supported. This article uses Artifactory as the enterprise registry.
Throughout this article we use the enterprise registry host hci-offline.artifactory.ibm.com:443 with the credentials reguser:passw0rd.
Set up a mirroring host
"auths": {
    ...
    "hci-offline.artifactory.ibm.com:443":
    {
        "auth": "cmVndXNlcjpwYXNzdzByZA==",
        "email": "test@ibm.com"
    }
}
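The auth field is only the base64 encoding of user:password (the sample entry decodes to reguser:passw0rd), so anyone who can read pull-secret.json holds the registry credentials. The check below is an added example, not part of the original article or IBM's scripts; check_pull_secret and write_sample are hypothetical names, and the sample file is constructed from the entry above.

```python
import base64
import json
import os
import stat
import tempfile

# check_pull_secret and write_sample are hypothetical helpers, not IBM or Red Hat tools.
# Constructed sample: the auths entry shown in this article.
SAMPLE = {"auths": {"hci-offline.artifactory.ibm.com:443": {
    "auth": "cmVndXNlcjpwYXNzdzByZA==", "email": "test@ibm.com"}}}


def check_pull_secret(path, registry):
    """Return the user stored for `registry`; raise ValueError on any problem."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise ValueError(f"{path} has mode {mode:o}; allow the owner only (chmod 600)")
    with open(path, encoding="utf-8") as fh:
        auths = json.load(fh).get("auths", {})
    # This check looks the registry up by its exact key, port included.
    entry = auths.get(registry)
    if entry is None:
        raise ValueError(f"no auths entry for {registry}")
    try:
        decoded = base64.b64decode(entry["auth"], validate=True).decode("utf-8")
    except (KeyError, ValueError) as exc:
        raise ValueError(f"auth for {registry} is missing or not base64") from exc
    user, sep, password = decoded.partition(":")
    if not (user and sep and password):
        raise ValueError(f"auth for {registry} is not user:password")
    return user


def write_sample(path):
    """Write the constructed sample with owner-only permissions."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE, fh)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "pull-secret.json")
        write_sample(secret)
        print(check_pull_secret(secret, "hci-offline.artifactory.ibm.com:443"))
```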
After setting up the mirroring host, mirror the images to your enterprise registry.
Mirror images:
IBM Spectrum Fusion HCI v2.3.0 supports a maximum of two registries for installation. Images can be mirrored to a single registry or to two different registries. If you want to use multiple repositories, mirror the Red Hat OpenShift Container Platform (OCP) release image to one registry and all other images to the second registry.
The following six sets of images are required to complete the IBM Spectrum Fusion installation.
- Red Hat OpenShift Container Platform release images
- Red Hat operator images
- Community operator images
- IBM Spectrum Fusion (ISF) operator images
- IBM Spectrum Scale images
- IBM Spectrum Protect Plus images (optional; required only if you plan to enable the Data Protection service. Read more about the service at https://www.ibm.com/docs/en/spectrum-fusion/2.3?topic=protecting-data)
When following the IBM documentation, you can use the sample values and repository paths below.
Variables description:
LOCAL_SECRET_JSON is the absolute path to pull-secret.json. The same file can be used for all repositories if it contains the auths entries for all of them.
LOCAL_OCP_REGISTRY is your secure enterprise registry to which the OpenShift Container Platform release image is mirrored. Provide the port if it is other than 443.
LOCAL_OCP_REPOSITORY is the target path to which you want to mirror the OCP images.
LOCAL_ISF_REGISTRY is your secure enterprise registry to which the ISF-related images are mirrored. Provide the port if it is other than 443.
LOCAL_ISF_REPOSITORY is the target path to which you want to mirror the ISF-related images.
Single repository - Use the same registry and the same target path for both the OCP release and ISF-related images. All sets of images are mirrored to the same repository.
For mirroring OpenShift Container Platform release images:
LOCAL_OCP_REGISTRY='hci-offline.artifactory.ibm.com:443'
LOCAL_OCP_REPOSITORY='hci230'
For mirroring all other images to the same registry as OCP:
LOCAL_ISF_REGISTRY='hci-offline.artifactory.ibm.com:443'
LOCAL_ISF_REPOSITORY='hci230'
Repository path used during IBM Spectrum Fusion HCI v2.3.0 install:
https://hci-offline.artifactory.ibm.com:443/hci230
Single registry with different repository paths for OCP and other images - Use the same registry for OCP and other images, but different repository paths.
For mirroring OCP release images:
LOCAL_OCP_REGISTRY='hci-offline.artifactory.ibm.com:443'
LOCAL_OCP_REPOSITORY='hci230-ocp'
For mirroring all other images:
LOCAL_ISF_REGISTRY='hci-offline.artifactory.ibm.com:443'
LOCAL_ISF_REPOSITORY='hci230/ibm-isf'
Repository path used during IBM Spectrum Fusion HCI 2.3.0 install:
- For the OpenShift images repository:
https://hci-offline.artifactory.ibm.com:443/hci230-ocp
- For the IBM Spectrum Fusion images repository:
https://hci-offline.artifactory.ibm.com:443/hci230/ibm-isf
Multiple registries - Use different registries for OCP and ISF-related images.
For mirroring OCP release images:
LOCAL_OCP_REGISTRY='hci-offline.artifactory.ibm.com:443'
LOCAL_OCP_REPOSITORY='ocp/test'
For mirroring all other images:
LOCAL_ISF_REGISTRY='hci-isf-offline.artifactory.ibm.com:443'
LOCAL_ISF_REPOSITORY='hci230/ibm-isf/test'
Repository path used during IBM Spectrum Fusion HCI 2.3.0 install:
- For the OpenShift images repository:
https://hci-offline.artifactory.ibm.com:443/ocp/test
- For the IBM Spectrum Fusion images repository:
https://hci-isf-offline.artifactory.ibm.com/hci230/ibm-isf/test
Note: Even if you use the same registry but mirror to different paths, it is treated as multiple registries.
Complete the mirroring using the attached scripts. All commands must be executed from your mirroring host.
Mirror Red Hat OpenShift Container Platform release images:
OCP release images are mirrored using a single command, so set the environment variables below and then run the mirroring task. The values given for LOCAL_SECRET_JSON, LOCAL_OCP_REGISTRY and LOCAL_OCP_REPOSITORY are samples; replace them with your own details.
OCP_RELEASE=4.10.21
PRODUCT_REPO='openshift-release-dev'
RELEASE_NAME="ocp-release"
ARCHITECTURE=x86_64
LOCAL_SECRET_JSON='/home/test/mirror-images/pull-secret.json'
LOCAL_OCP_REGISTRY='hci-offline.artifactory.ibm.com:443'
LOCAL_OCP_REPOSITORY='hci230/ocp'
Note: LOCAL_OCP_REPOSITORY cannot be empty. The pull-secret JSON and a path within the registry are mandatory.
Execute the following command on the mirroring host to mirror the OCP release images:
oc adm release mirror -a ${LOCAL_SECRET_JSON} --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} --to=${LOCAL_OCP_REGISTRY}/${LOCAL_OCP_REPOSITORY} --to-release-image=${LOCAL_OCP_REGISTRY}/${LOCAL_OCP_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}
To verify whether the images were successfully mirrored, check that the command output contains the following information:
imageContentSources:
- mirrors:
  - hci-offline.artifactory.ibm.com:443/hci230/ocp
  source: quay.io/openshift-release-dev/ocp-release
- mirrors:
  - hci-offline.artifactory.ibm.com:443/hci230/ocp
  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
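One way to automate this check on saved command output, as an added example that is not part of the original article or IBM's scripts: the function names are hypothetical, the parser only understands the list layout shown above, and SAMPLE_OUTPUT is constructed from the expected output on this page. The mirror argument is the value of ${LOCAL_OCP_REGISTRY}/${LOCAL_OCP_REPOSITORY}.

```python
EXPECTED_SOURCES = (
    "quay.io/openshift-release-dev/ocp-release",
    "quay.io/openshift-release-dev/ocp-v4.0-art-dev",
)
# Constructed sample: placeholder line plus the section shown in this article.
SAMPLE_OUTPUT = """\
(earlier command output)
imageContentSources:
- mirrors:
  - hci-offline.artifactory.ibm.com:443/hci230/ocp
  source: quay.io/openshift-release-dev/ocp-release
- mirrors:
  - hci-offline.artifactory.ibm.com:443/hci230/ocp
  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
"""


def parse_image_content_sources(output):
    """Map each source repository to the list of mirrors printed for it."""
    sources, mirrors, state = {}, [], "outside"
    for raw in output.splitlines():
        line = raw.strip()
        if state == "outside":
            state = "section" if line == "imageContentSources:" else "outside"
        elif line == "- mirrors:":
            mirrors, state = [], "mirrors"
        elif state == "mirrors" and line.startswith("- "):
            mirrors.append(line[2:].strip())
        elif state == "mirrors" and line.startswith("source:"):
            sources[line.split(":", 1)[1].strip()] = mirrors
            state = "section"
        else:
            break  # first line that does not fit the list ends the section
    return sources


def verify_release_mirror(output, mirror):
    """Return a list of problems; an empty list means the check passed."""
    found, problems = parse_image_content_sources(output), []
    for source in EXPECTED_SOURCES:
        if source not in found:
            problems.append(f"missing source {source}")
        elif found[source] != [mirror]:
            problems.append(f"{source} mirrors to {found[source]}, not {mirror}")
    return problems


if __name__ == "__main__":
    print(verify_release_mirror(SAMPLE_OUTPUT, "hci-offline.artifactory.ibm.com:443/hci230/ocp"))
```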
Mirroring IBM Spectrum Fusion software and the required Red Hat and community operator images:
Commands with sample values are provided below for the scripts that mirror the remaining sets of images. All scripts must be run as the root user from your mirroring host.
- Mirror Red Hat and community operator images:
nohup ./mirror-redhat-community-images.sh -ps "<absolute path to pull-secret.json>" -rh "<enterprise registry>" -ru "<enterprise registry user>" -rk "<enterprise registry password>" -rhu "<redhat registry user>" -rhp "<redhat registry password>" -tp "<target path>" -p "<port>" -il "isf-230-images.json" &
Command with sample value:
nohup ./mirror-redhat-community-images.sh -ps "/home/test/mirror-images/pull-secret.json" -rh "hci-offline.artifactory.ibm.com" -ru "reguser" -rk "passw0rd" -rhu "redhat-user.com" -rhp "redhat-password" -tp "hci230/isf" -p "443" -il "isf-230-images.json" &
- Mirror IBM Spectrum Fusion operator images:
nohup ./mirror-isf-images.sh -ps "<absolute path to pull-secret.json>" -rh "<enterprise registry>" -ru "<enterprise registry user>" -rk "<enterprise registry password>" -tp "<target path>" -il "isf-230-images.json" -ek "<IBM entitlement key>" &
Command with sample value:
nohup ./mirror-isf-images.sh -ps "/home/test/mirror-images/pull-secret.json" -rh "hci-offline.artifactory.ibm.com" -ru "reguser" -rk "passw0rd" -tp "hci230/isf" -il "isf-230-images.json" -ek "abc.pqr.zyx" &
- Mirror IBM Spectrum Scale images:
nohup ./mirror-scale-images.sh -ps "<absolute path to pull-secret.json>" -rh "<enterprise registry>" -ru "<enterprise registry user>" -rk "<enterprise registry password>" -tp "<target path>" -il "isf-230-images.json" -ek "<IBM entitlement key>" &
Command with sample value:
nohup ./mirror-scale-images.sh -ps "/home/test/mirror-images/pull-secret.json" -rh "hci-offline.artifactory.ibm.com" -ru "reguser" -rk "passw0rd" -tp "hci230/isf" -il "isf-230-images.json" -ek "abc.pqr.zyx" &
- Mirror IBM Spectrum Protect Plus images:
nohup ./mirror-spp-images.sh -ps "<absolute path to pull-secret.json>" -rh "<enterprise registry>" -ru "<enterprise registry user>" -rk "<enterprise registry password>" -tp "<target path>" -il "isf-230-images.json" -ek "<IBM entitlement key>" &
Command with sample value:
nohup ./mirror-spp-images.sh -ps "/home/test/mirror-images/pull-secret.json" -rh "hci-offline.artifactory.ibm.com" -ru "reguser" -rk "passw0rd" -tp "hci230/isf" -il "isf-230-images.json" -ek "abc.pqr.zyx" &
Validating mirrored images:
It is critical that all images are present in the registry before installation is started. To ensure that no images are missed, we have provided validation scripts for each component that help you verify that all required images are present in the registry after the mirroring steps have been completed. These scripts are available for download in the library with this article (best-effort support).
Validate mirrored images using the script:
nohup ./validate-hci-images.sh -repo "<1|2>" -rh1 "<complete registry url for openshift release image with mirror path>" -ru1 "<username for openshift mirror image>" -rk1 "<password for openshift mirror image>" -rh2 "<complete registry url for isf with mirror path>" -ru2 "<username for isf mirror image>" -rk2 "<password for isf mirror image>" -il "isf-230-images.json" &
Command with sample values:
- For multiple repositories:
nohup ./validate-hci-images.sh -repo 2 -rh1 "https://hci-offline.artifactory.ibm.com:443/hci230/ocp" -ru1 "reguser" -rk1 "passw0rd" -rh2 "https://hci-offline.artifactory.ibm.com:443/hci230/isf" -ru2 "reguser" -rk2 "passw0rd" -il "isf-230-images.json" &
- For a single repository:
nohup ./validate-hci-images.sh -repo 1 -rh1 "https://hci-offline.artifactory.ibm.com:443/hci230/ocp" -ru1 "reguser" -rk1 "passw0rd" -il "isf-230-images.json" &
Starting deployment:
During install, on the Image Registry page, select the private image registry box. You will get two options: single and multiple repositories. As per our registry configuration, we select the 'Multiple repositories' option and fill in the configuration details.
Image registry page with sample values:
- To complete the install, click the Next button.
- On the Disaster Recovery page, select whether the installation is for a standalone cluster or a disaster recovery pair (first or second), and then click Next.
- On the Global Data Platform page, select Strong data resiliency, Stronger data resiliency or Better storage efficiency, then select the block size from the advanced menu, and then click Next.
- On the Network Customization page, configure the network for OpenShift and the internal storage of IBM Spectrum Fusion HCI if you are not using the defaults, and then click Next.
- On the Custom certificate page, provide the certificate details for OpenShift if you want to use a specific one, and then click Finish.
The OpenShift initialization page is displayed. Monitor the progress of the OpenShift initialization, which creates a three-node OpenShift cluster. After the OpenShift cluster is successfully created, view the credentials for the OpenShift cluster. It is important that you save these credentials before proceeding with the next phase of the install, because you cannot access the OpenShift cluster without these credentials.
Click IBM Spectrum Fusion.
Cluster expansion: