IBM Security Verify

 View Only
  • 1.  Minimum requirements for docker verify containers

    Posted Mon September 12, 2022 10:03 AM
    Hi,

    I have tried to check the minimum requirements for the ISVA docker images through the Kubernetes metrics server, but this gives me the following 'error: Metrics not available for pod default/isvaconfig-64b...2d, age: 649h26m28.6663584s'

    1. Is this something wrong on the Kubernetes side, or is this not supported by the ISVA images?
    2, What are the minimum requirements for the ISVA docker images (especially memory and CPU).

    ------------------------------
    Gerwin Bastiaansen
    ------------------------------


  • 2.  RE: Minimum requirements for docker verify containers

    Posted Mon September 12, 2022 10:16 AM

    Gerardus,

     

    I must admit that I have never used the Kubernetes Metric Server at all, but it looks like the error which you are receiving is expected.  Check out the following page for some details: https://stackoverflow.com/questions/65007365/metrics-server-no-metrics-known-for-pod-error-during-deployment.

     

    The requirements for running the containerized version of ISVA can be found at the following link: https://www.ibm.com/software/reports/compatibility/clarity/index.html.  You just need to run a hardware report for 'IBM Security Verify Access'.

     

    I hope that this helps.

     

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

    cid4122760825*<a href=image002.png@01D85F83.85516C50">

    Phone: 61-7-5552-4008
    E-mail: scotte@au1.ibm.com

    1 Corporate Court
    Bundall, QLD 4217
    Australia

     

     

     






  • 3.  RE: Minimum requirements for docker verify containers

    Posted Mon September 12, 2022 10:32 AM
    Hi Scott, thanks for your answer, I will check if the metrics server comes up with more info after a while, meanwhile I have fallen back to another machine which has the images in a plain docker setup, with docker stats this info is easily retrieved and at least gives an estimate of what is needed.

    Regarding the hardware requirements page; I already checked that, and maybe I am missing something, but this reports the same (enormous) numbers for all form factors (i.e. 100 GB for disk space, 4GB minimum for memory, for docker, hardware and virtual appliance). I can understand these numbers for an appliance, but  I would like to know the resource usage per container type.

    ------------------------------
    Gerwin Bastiaansen
    ------------------------------



  • 4.  RE: Minimum requirements for docker verify containers

    Posted Mon September 12, 2022 10:58 AM

    Gerwin,

     

    I am not 100% sure if we publish the resource usage for the different container types, but I will check with our performance team to see if they can provide you with this information.

     

    Thanks.

     

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

    cid4122760825*<a href=image002.png@01D85F83.85516C50">

    Phone: 61-7-5552-4008
    E-mail: scotte@au1.ibm.com

    1 Corporate Court
    Bundall, QLD 4217
    Australia

     

     

     






  • 5.  RE: Minimum requirements for docker verify containers
    Best Answer

    Posted Mon September 12, 2022 10:37 PM
    Hi Gerwin,

    Here is the minimum requirement for the Verify Containers
    WGA:
        requests:
          memory: 512Mi
          cpu:    500m
        limits:
          memory: 1Gi
          cpu:    1000m
    
    Runtime:
        requests:
          memory: 1Gi
          cpu:    1000m
        limits:
          memory: 2Gi
          cpu:    2000m
    DSC
       requests:
          memory: 512Mi
          cpu:    500m
        limits:
          memory: 1Gi
          cpu:    1000m
    Config
       requests:
          memory: 1Gi
          cpu:    1000m
        limits:
          memory: 2Gi
          cpu:    2000m

    Do note that runtime and config containers memory utilization is driven by the JVM's heap usage. Container's max memory limit should be double of the max heap size set against the runtime and config profile.

    The main factor that impacts the amount of disk space that is needed is the amount of logging that is sent to disk. If no debug logs are enabled, and the request log is sent to the console of the container, very little extra disk space is required. However, if any file based logging is enabled, it can have a large impact on the amount of disk space that is needed.

    ------------------------------
    Soumyajit Roy
    ------------------------------



  • 6.  RE: Minimum requirements for docker verify containers

    Posted Tue September 13, 2022 01:44 AM
    Hi Soumyajit,

    Thanks, this is very helpful


    ------------------------------
    Gerwin Bastiaansen
    ------------------------------



  • 7.  RE: Minimum requirements for docker verify containers

    IBM Champion
    Posted Wed January 24, 2024 09:12 AM

    Are these requests actually required?  We are seeing much less usage according to our OpenShift metrics, and our OpenShift cluster team is questioning our container resources usage.  Obviously, when you spin up several copies of the containers, it eats a lot of system resources away.

    Also, are these limits still applicable on the newer versions, v10.0.7.0?  Is this information published anywhere in documentation?  Thanks all!



    ------------------------------
    Matt Jenkins
    ------------------------------



  • 8.  RE: Minimum requirements for docker verify containers

    Posted Wed January 24, 2024 07:29 PM

    Matt,

     

    The figures which were originally referenced by Soum are the 'recommended' minimum requirements.  They were obtained by running the system through a common scenario and ensuring that the system performed at a reasonable level.  These numbers haven't changed with more recent versions of ISVA.

     

    However, requirements vary greatly based on your environment and workload.  So, you do have the option of lowering the minimum requirements if this works in your environment.

     

    I hope that this helps.

     

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

    cid4122760825*<a href=image002.png@01D85F83.85516C50">

     

     






  • 9.  RE: Minimum requirements for docker verify containers

    Posted Tue September 13, 2022 09:44 AM
    For those interested, I solved the issue with the metrics server in minikube:

    - stop minikube
    - start minikube with the following arguments:

    minikube start --extra-config=kubelet.housekeeping-interval=10s

    kubectl top pods
    NAME CPU(cores) MEMORY(bytes)
    isvaconfig-64b884f9f5-hhj2d 35m 422Mi
    isvadsc-6fc44bf664-q9jb4 5m 17Mi
    isvaruntime-6fb5864f8f-wjqvn 53m 444Mi
    isvawrprp1-6fd4b965f4-5psdr 6m 61Mi
    openldap-5cb578746c-xgvf2 1m 24Mi
    postgresql-67dcf58fd-zsblh 1m 22Mi

    ------------------------------
    Gerwin Bastiaansen
    ------------------------------