Storage Fusion

 View Only

Deploying IBM Spectrum Fusion (ISF) 2.3.0 from enterprise registry

By DIVYA JAIN posted Tue November 01, 2022 01:55 AM

  
IBM Spectrum Fusion
IBM Spectrum Fusion is container-native hybrid cloud data platform that offers simplified deployment and data management for Kubernetes applications on Red Hat® OpenShift® Container Platform. IBM Spectrum Fusion is designed to meet the storage requirements of modern, stateful Kubernetes applications and to make it easy to deploy and manage container-native applications and their data on Red Hat OpenShift Container Platform. For more information, read https://www.ibm.com/docs/en/spectrum-fusion/2.3?topic=product-overview.
IBM Spectrum Fusion is an enterprise solution which considers security policies of organizations. Most organizations prefer to have data centers in disconnected (air-gap) environments for security reasons. Adhering to these business processes of organizations, IBM Spectrum Fusion can be deployed from an enterprise registry hosted within data center with no outbound access eliminating any security threats.
IBM Spectrum Fusion can also be deployed from public registries. For installing in connected environment see https://www.ibm.com/docs/en/spectrum-fusion/2.3?topic=hci-installing-spectrum-fusion. This article focuses on setting up and prerequisites and deployment in disconnected environment from enterprise registry. Refer to https://www.ibm.com/docs/en/spectrum-fusion/2.3?topic=installation-mirroring-your-images-enterprise-registry for detailed instructions.
Before you can start IBM Spectrum Fusion deployment in disconnected environment, there are few prerequisites to be met, as listed below.
Pre-requisite for Enterprise installation
  1. Prepare secured enterprise registry that supports v2 manifest and can be connected to both mirroring host and your cluster network.
  2. Mirror images to enterprise registry.

Prepare enterprise registry
Deploy a secure enterprise registry with well-known certificate signed by signing authority. Insecure registries or registries with self-signed certificate are not supported. This article uses artifactory as enterprise registry.
Throughout this article we have used enterprise registry host hci-offline.artifactory.ibm.com:443 with credentials reguser:passw0rd

Setup a mirroring host
  1. The mirror host must have access to both internet and enterprise registry.
  2. Install Podman or Docker.
  3. Install opm CLI tool. For more information about installing opm CLI tool, see https://docs.openshift.com/container-platform/4.10/cli_reference/opm-cli.html.
  4. Install skopeo for image copy operation. For more information to install skopeo, see https://github.com/containers/skopeo
  5. Install OC command line tool. For more information to install oc, see https://docs.openshift.com/container-platform/4.6/cli_reference/openshift_cli/getting-started-cli.html
  6. Download redhat pull-secret.txt, using link: https://console.redhat.com/openshift/install/pull-secret
  7. Edit downloaded pull-secret with your enterprise registry credentials. Add a new section of key-value pair under auths. Calculate your auth value using: echo -n '<registry username>:<registry password>' | base64 -w0


 For our registry :
"auths": {
                    ...
                 "hci-offline.artifactory.ibm.com:443":
                    {
                      "auth": "cmVndXNlcjpwYXNzdzByZA==",
                      "email": "test@ibm.com"
                    }
}

After setting up mirroring host, it is time to mirror images to your enterprise registry.

Mirror images:
IBM Spectrum Fusion HCI v2.3.0, supports maximum two registries for installation. Images can be mirrored either to a single or two different registries. Also, if you want to use multiple repositories then mirror RedHat Openshift Container Platform (OCP) release image to the one and all other images to second registry.
Following are six sets of image that are required to complete IBM Spectrum Fusion installation.
  1. RedHat Openshift Container Platform release images
  2. RedHat operator images
  3. Community operator images
  4. IBM Spectrum Fusion (ISF) operator images
  5. IBM Spectrum scale images
  6. IBM Spectrum Protect Plus images. (This is optional and required only if you plan to enable Data Protection service. Read more about service here https://www.ibm.com/docs/en/spectrum-fusion/2.3?topic=protecting-data)
You can use IBM document for mirroring images to enterprise registry to mirror images (See sample values for variables used below). Alternatively, you can download scripts from library using link click to download scripts (scripts included are only supported on best effort).

For using IBM documentation, below are the sample values with repository path
Variables description:
LOCAL_SECRET_JSON is the absolute path for pull-secret.json, this could be same for all repos, containing auths for all repository.
LOCAL_OCP_REGISTRY is your secure enterprise registry to mirror Openshift Container Platform release image. Do provide port, If other than 443.
LOCAL_OCP_REPOSITORY is the target path you want to mirror OCP images.
LOCAL_ISF_REGISTRY is your secure enterprise registry to mirror ISF related image. Do provide port, If other than 443.
LOCAL_ISF_REPOSITORY is the target path you want to mirror ISF related images.
Single repository - Use same registry and same target paths for both OCP release and ISF related images: All sets of images should be mirrored to same repository.
For mirroring Openshift Container Platform release images:
LOCAL_OCP_REGISTRY='hci-offline.artifactory.ibm.com:443'
LOCAL_OCP_REPOSITORY='hci230'
For mirroring all other images to same registry as OCP:
LOCAL_ISF_REGISTRY='hci-offline.artifactory.ibm.com:443'
LOCAL_ISF_REPOSITORY='hci230'
Repository path used during IBM Spectrum Fusion HCI v2.3.0 install:
https://hci-offline.artifactory.ibm.com:443/hci230
Single registry with different repository paths for OCP and other images- Using same registries for OCP and other images, but different repository paths.

For mirroring OCP release images:
LOCAL_OCP_REGISTRY='hci-offline.artifactory.ibm.com:443'
LOCAL_OCP_REPOSITORY='hci230-ocp'
For mirroring all other images:
LOCAL_ISF_REGISTRY='hci-offline.artifactory.ibm.com:443'
LOCAL_ISF_REPOSITORY='hci230/ibm-isf'
Repository path used during IBM Spectrum Fusion HCI 2.3.0 install:
  • For Openshift images repository: https://hci-offline.artifactory.ibm.com:443/hci230-ocp
  • For IBM Spectrum Fusion images repository: https://hci-offline.artifactory.ibm.com:443/hci230/ibm-isf


Multiple registries – Using different registries for OCP and ISF related images.
For mirroring OCP release images:
LOCAL_OCP_REGISTRY='hci-offline.artifactory.ibm.com:443'
LOCAL_OCP_REPOSITORY='ocp/test'
For mirroring all other images:
LOCAL_ISF_REGISTRY='hci-isf-offline.artifactory.ibm.com:443'
LOCAL_ISF_REPOSITORY='hci230/ibm-isf/test'
Repository path used during IBM Spectrum Fusion HCI 2.3.0 install:
  • For Openshift images repository: https://hci-offline.artifactory.ibm.com:443/ocp/test
  • For IBM Spectrum Fusion images repository:https://hci-isf-offline.artifactory.ibm.com/hci230/ibm-isf/test

**Note: Even if you are using same registry, but different paths to mirror, it will be treated as multiple registries.

To complete mirroring using attached scripts. All commands need to be executed from your mirroring host.
Mirror RedHat Openshift Container Platform release images:
OCP release images are mirrored using a single command, so set the below environment variables and complete mirroring task. Provided, are sample values for LOCAL_SECRET_JSON, LOCAL_OCP_REGISTRY and LOCAL_OCP REPOSITORY so do replace them as per your details.
OCP_RELEASE=4.10.21
PRODUCT_REPO='openshift-release-dev'
RELEASE_NAME="ocp-release"
ARCHITECTURE=x86_64
LOCAL_SECRET_JSON='/home/test/mirror-images/pull-secret.json'
LOCAL_OCP_REGISTRY='hci-offline.artifactory.ibm.com:443'
LOCAL_OCP_REPOSITORY='hci230/ocp'

**Note: LOCAL_OCP REPOSITORY can not be empty. Pull-secret json and path within registry is mandatory.
Execute following command on mirroring host to mirror OCP release images
oc adm release mirror -a ${LOCAL_SECRET_JSON} --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} --to=${LOCAL_OCP_REGISTRY}/${LOCAL_OCP_REPOSITORY} --to-release-image=${LOCAL_OCP_REGISTRY}/${LOCAL_OCP_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}
To verify whether the images were successfully mirrored, check that the command output contains the following information:

imageContentSources:
- mirrors:
   -  hci-offline.artifactory.ibm.com:443/hci230/ocp
   source: quay.io/openshift-release-dev/ocp-release
- mirrors:
   - hci-offline.artifactory.ibm.com:443/hci230/ocp
   source: quay.io/openshift-release-dev/ocp-v4.0-art-dev

Mirroring IBM Spectrum Fusion Software and required RedHat and community operators images:
Commands to execute script with sample valued are provided to mirror remaining set of images, all scripts need to be run as root user and from your mirroring host.
  1. Mirror RedHat and Community operator images:

    nohup ./mirror-redhat-community-images.sh -ps "<absolute path to pull-secret.json>" -rh " <enterprise registry>" -ru "<enterprise registry user>" -rk "<enterprise registry password>" -rhu "<redhat registry user>" -rhp "<redhat registry password>" -tp " <target path>" -p "<port>" -il "isf-230-images.json" &

    Command with sample value:
    nohup ./mirror-redhat-community-images.sh -ps "/home/test/mirror-images/pull-secret.json" -rh "hci-offline.artifactory.ibm.com" -ru "reguser" -rk "passw0rd" -rhu "redhat-user.com" -rhp "redhat-password" -tp "hci230/isf<target path>" -p "443" -il "isf-230-images.json" &

  2. Mirror IBM Spectrum Fusion operator images:

    nohup ./mirror-isf-images.sh  -ps "<absolute path to pull-secret.json>" -rh "<enterprise                    registry>" -ru "< enterprise registry user>" -rk "< enterprise registry password>" -tp "<target     path>" -il "isf-230-images.json" -ek "<IBM entitlement key>" &

    Command with sample value:

    nohup ./mirror-isf-images.sh  -ps "/home/test/mirror-images/pull-secret.json" -rh "hci-offline.artifactory.ibm.com" -ru "reguser" -rk "passw0rd" -tp "hci230/isf" -il "isf-230-images.json" -ek "abc.pqr.zyx" &

  3. Mirror IBM Spectrum Scale images:

    nohup ./mirror-scale-images.sh  -ps "<absolute path to pull-secret.json>" -rh "<enterprise registry>" -ru "< enterprise registry user>" -rk "< enterprise registry password>" -tp "<target path>" -il "isf-230-images.json" -ek "<IBM entitlement key>" &

    Command with sample value:nohup ./mirror-scale-images.sh  -ps "/home/test/mirror-images/pull-secret.json" -rh "hci-offline.artifactory.ibm.com" -ru "reguser" -rk "passw0rd" -tp "hci230/isf" -il "isf-230-images.json" -ek "abc.pqr.zyx" &

  4. Mirror IBM Spectrum Protect Plus images:
    nohup ./mirror-spp-images.sh  -ps "<absolute path to pull-secret.json>" -rh "<enterprise registry>" -ru "< enterprise registry user>" -rk "< enterprise registry password>" -tp "<target path>" -il "isf-230-images.json" -ek "<IBM entitlement key>" &

    Command with sample value:
    nohup ./mirror-spp-images.sh  -ps "/home/test/mirror-images/pull-secret.json" -rh "hci-offline.artifactory.ibm.com" -ru "reguser" -rk "passw0rd" -tp "hci230/isf" -il "isf-230-images.json" -ek "abc.pqr.zyx" &

Validating mirrored images:
It is critical that all images are present in registry before installation is started. To ensure no images are missed we have provided validation scripts for each component that can help you verify all required images are present in registry after mirroring steps have been completed. These scripts are available in library click to download scripts  with this article (available at best effort support).

validate mirrored images using script:
nohup ./validate-hci-images.sh -repo 1|2 -rh1 "<complete registry url for openshift release image with mirror path>" -ru1 "<username for openshift mirror image>" -rk1 "<password for openshift mirror image>" -rh2 "<complete registry url for isf with mirror path>" -ru2 "<username for isf mirror image>" -rk2 "<password for isf mirror image>" -il "isf-230-images.json" &

Command with sample value:
  • For multiple repository: nohup ./validate-hci-images.sh -repo 2 -rh1 "https://hci-offline.artifactory.ibm.com:443/hci230/ocp" -ru1 "reguser" -rk1 "passw0rd" -rh2 "https://hci-offline.artifactory.ibm.com:443/hci230/isf" -ru2 "reguser" -rk2 "passw0rd" -il "isf-230-images.json" &
  • For Single repository: nohup ./validate-hci-images.sh -repo 1 -rh1 "https://hci-offline.artifactory.ibm.com:443/hci230/ocp" -ru1 "reguser" -rk1 "passw0rd" -il "isf-230-images.json" &
 Starting deployment:

During install, on Image Registry page, select private image registry box. You will get two options single and multiple repositories. As per our registry configuration we will select 'Multiple repositories' option and fill configuration details.

Image registry page with sample values:
  • To complete install click on Next button
  • On Disaster Recovery page select whether the installation is for a standalone cluster or a disaster recover pair (first or second) and then Next
  • On Gloabal Data Platform page select Strong data resiliency, Stronger data resiliency or Better storage efficiency and then select block size from advanced menu, and then Next.
  • On Network Customization page configure network for OpenShift and internal storage of IBM Spectrum Fusion HCI,  if not using default and then Next
  • Provide Custom certificate details for openshift on page, if want to use a specific one and then Finish.
The OpenShift initialization page gets displayed. Now, Monitor the progress of the OpenShift initialization. It creates a three node OpenShift cluster. After OpenShift cluster gets successfully created, view the credentials for the OpenShift cluster. It is important that you save these credentials before proceeding with the next phase of the install because you cannot access the OpenShift cluster without this credentials.
Click IBM Spectrum Fusion.

Cluster expansion:
View the progress of OpenShift configuration on your nodes. After the status of all nodes changes to Configured, the Global data platform installation section is enabled to configure storage on all your nodes. If your installation includes disaster recovery, then connections get established between your disaster recovery sites.

Validate IBM Spectrum Fusion HCI installation
using https://www.ibm.com/docs/en/spectrum-fusion/2.3?topic=hci-validating-spectrum-fusion-installation.
0 comments
48 views

Permalink