Setting up IBM Cloud File Storage

If you are installing services that depend on NFS and you are planning to use IBM Cloud File Storage on NFS 4 for persistent storage, you must configure ID mapping, which enables no_root_squash. Configuring no_root_squash allows root clients to retain root permissions on the remote NFS share.

About this task

If you are installing any of the following services on Cloud Pak for Data, you must configure ID mapping:
  • Db2®
  • Db2 Warehouse
  • Watson™ Knowledge Catalog
  • OpenPages®
  • DataStage®
  • Big SQL
  • Data Virtualization

You can configure ID mapping through a daemon set or by running manual commands on worker nodes. These steps also enable no_root_squash in the IBM Cloud environment. For more details, see Implementing no_root_squash for NFS in the IBM Cloud documentation.


Configuring ID mapping through a daemon set
  1. Set the DOMAIN_NAME environment variable to slnfsv4.com:
    export DOMAIN_NAME=slnfsv4.com
  2. Create a service account called norootsquash by running the following command:
    cat <<EOF | oc create -f -
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: norootsquash
      namespace: kube-system
    EOF
  3. Give the service account privileged security context constraints (SCC) by running the following command:
    oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:norootsquash
    
  4. Create the daemon set by running the following command:
    cat <<EOF | oc create -f -
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: norootsquash
      namespace: kube-system
      labels:
        tier: management
        app: norootsquash
    spec:
      selector:
        matchLabels:
          name: norootsquash
      template:
        metadata:
          labels:
            name: norootsquash
        spec:
          serviceAccountName: norootsquash
          initContainers:
            - resources:
                requests:
                  cpu: 0.1
              securityContext:
                privileged: true
              image: alpine:3.6
              name: unrootsquash
              command: ["chroot", "/host", "sh", "-c"]
              args:
                - >
                  grep "^Domain = ${DOMAIN_NAME}" /etc/idmapd.conf;
                  if [ "\$?" -ne "0" ] ; then
                    sed -i 's/.*Domain =.*/Domain = ${DOMAIN_NAME}/g' /etc/idmapd.conf;
                    nfsidmap -c;
                    rpc.idmapd
                  fi;
              volumeMounts:
                - name: host
                  mountPath: /host
          containers:
            - resources:
                requests:
                  cpu: 0.1
              image: alpine:3.6
              name: sleep
              command: ["/bin/sh", "-c"]
              args:
                - >
                  while true; do
                    sleep 100000;
                  done
          volumes:
            - hostPath:
                path: /
                type: Directory
              name: host
    EOF


Configuring ID mapping by running manual commands on worker nodes
  1. Set the DOMAIN_NAME environment variable to slnfsv4.com:
    export DOMAIN_NAME=slnfsv4.com
  2. Run the following command to manually configure ID mapping on each worker node.

    It takes approximately 30 seconds per node for the command to take effect.

    oc get no -l node-role.kubernetes.io/worker --no-headers -o name | xargs -I {} -- oc debug {} -- chroot /host sh -c "grep \"^Domain = ${DOMAIN_NAME}\" /etc/idmapd.conf || ( sed -i \"s/.*Domain =.*/Domain = ${DOMAIN_NAME}/g\" /etc/idmapd.conf; nfsidmap -c; rpc.idmapd )"

    The sh -c script is double-quoted so that DOMAIN_NAME from step 1 is expanded on the machine where you run oc; the debug pod on the node does not inherit your environment, so the variable must not be left inside single quotes for the node to expand.
    
    Important: This setting is not automatically applied to new nodes. If you add worker nodes to your cluster, you must re-run this command to apply the setting to the new nodes.
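Both procedures above run the same grep-then-sed logic on each node's /etc/idmapd.conf. As an added example (not part of the IBM documentation), the shell function below is an idempotent version of that check that you can run from the debug pod or from a daemon set: it reports whether the Domain line already matches, replaces a commented or differing Domain line, and also handles an idmapd.conf with no Domain line at all, which the original sed silently skips. The function names and the sample file contents are constructed here; restarting the ID mapper (nfsidmap -c; rpc.idmapd) on a real node is left to the caller.

```shell
# Added example, not from the IBM documentation.
# ensure_idmap_domain CONF DOMAIN
#   Makes CONF contain exactly one active "Domain = DOMAIN" line.
#   Prints "unchanged" when it already does, otherwise "updated".
ensure_idmap_domain() {
    conf="$1"
    domain="$2"
    # Exact, fixed-string match of the active line: nothing to do.
    if grep -qxF "Domain = ${domain}" "$conf"; then
        echo unchanged
        return 0
    fi
    if grep -q "^[#[:space:]]*Domain[[:space:]]*=" "$conf"; then
        # A Domain line exists (possibly commented out, as in the stock
        # idmapd.conf): rewrite it in place, like the page's sed does.
        sed "s/^[#[:space:]]*Domain[[:space:]]*=.*/Domain = ${domain}/" "$conf" > "$conf.tmp"
    elif grep -q "^\[General\]" "$conf"; then
        # No Domain line at all: insert one directly under [General].
        awk -v d="$domain" '{ print } /^\[General\]/ { print "Domain = " d }' "$conf" > "$conf.tmp"
    else
        # Not even a [General] section: append a minimal one.
        { cat "$conf"; printf '[General]\nDomain = %s\n' "$domain"; } > "$conf.tmp"
    fi
    mv "$conf.tmp" "$conf"
    echo updated
}

# current_idmap_domain CONF
#   Prints the active (uncommented) Domain value, or nothing if unset.
current_idmap_domain() {
    sed -n 's/^Domain[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}
```

Running current_idmap_domain against /etc/idmapd.conf on each worker is a quick way to confirm the setting after adding nodes, since the manual procedure does not apply to nodes added later.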