Set up IBM Db2 and firewall rules inside IBM CIC VM
As part of our scenario, we apply a firewall rich text rule to the database installed inside the IBM CIC VM. This section explains how to install the IBM Db2 database and how to apply the rich text firewall rule inside IBM CIC, both manually and automated through an Ansible playbook.
Install IBM Db2 in IBM CIC VM
This section explains how to install the IBM Db2 database inside the IBM CIC VMs. For the entire setup, assume that IBMCIC_VM_1 and IBMCIC_VM_2 are the hostnames of the two VMs. Start by installing on IBMCIC_VM_1.
The documentation for IBM Db2 can be found here.
- Obtain the image from the download page and move it to your Linux on Z instance (for example, via scp or ftp):
    scp v12.1.1_linux390x64_server_dec.tar.gz IBMCIC_VM_1:/root/db2server
- Log in to your server as the superuser (root privileges are required for installation). Then extract the compressed image using the following command:
    tar xvzf v12.1.1_linux390x64_server_dec.tar.gz
- Navigate to the extracted directory server_dec. Make sure you have all prerequisites installed by running the following command:
    ./db2prereqcheck -i
  Install missing libraries and packages manually, if necessary.
- Run the CLI installer and follow the instructions:
    ./db2_install
- Check the installation log:
    cat /tmp/db2_install.log.*
- To validate your installation files, instance, and database functionality, run the validation tool:
    /opt/ibm/db2/V12.1/bin/db2val
- Create group and user IDs, as described here.
- Create an instance using db2icrt, as described here.
- Create a database:
  - Export the IBM Db2 path:
      export PATH=$PATH:/opt/ibm/db2/V12.1/bin
  - Define the IBM Db2 instance environment variable as your created instance:
      DB2INSTANCE=db2inst1
  - Export the IBM Db2 environment variable:
      export DB2INSTANCE
  - Switch to the IBM Db2 instance user:
      su - db2inst1
  - Start the IBM Db2 client:
      db2
  - Create a database using the SQL command:
      CREATE DATABASE lpardb
  - Create a table using the SQL command:
      CREATE TABLE EMPLOYEES (employee_id INT NOT NULL, employee_name VARCHAR(150) NOT NULL, location VARCHAR(150) NOT NULL);
Add a rich text firewall rule for the database
Apply a firewall rich text rule so that IBM Db2 accepts connections only from the OCP compute node where the Ping app will be installed. Again, start with IBMCIC_VM_1.
Set up the rich text firewall:
- Get the port number on which the IBM Db2 database is running in your VM. In this setup, it runs on port 25010.
- Retrieve the IP addresses of the compute or worker nodes from your OCP cluster where the Ping application will be installed. For this setup, assume that 100.0.0.50 and 100.0.0.60 are the IP addresses of the compute or worker nodes where the Ping application will be deployed.
- Run the following firewall rich rule command on your VM to allow only the compute or worker node IP addresses to access the Db2 database port using the dedicated login credentials. Requests from any other IP address are not accepted.
    firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="<Node IP>" port protocol="tcp" port="<DB2 Port>" accept'
  - address: The IP address of the compute node on which the Ping app runs.
  - port: The port of the database installed in the IBM CIC VM.
  Sample command:
    firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="100.0.0.50" port protocol="tcp" port="25010" accept'
    firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="100.0.0.60" port protocol="tcp" port="25010" accept'
- Reload the firewall service for the permanent rules to take effect:
    firewall-cmd --reload
  Verification: Run firewall-cmd --list-rich-rules to list the rich rules applied.
    [icic_vm]# firewall-cmd --list-rich-rules
    rule family="ipv4" source address="100.0.0.50" port port="25010" protocol="tcp" accept
    rule family="ipv4" source address="100.0.0.60" port port="25010" protocol="tcp" accept
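The manual steps above (and the verification task in the Ansible playbook of the next section) can be scripted. The POSIX shell helpers below are an added example, not code from the original page: they build the rule string in the form firewall-cmd --list-rich-rules prints it, check a listing for each expected node:port pair, and add a rule only when the permanent configuration does not already contain it. The sample listing is constructed from the verification output above; the compute node IPs and port 25010 are the page's own values.

```shell
#!/bin/sh
# Added example, not part of the original page: build the Db2 rich rule in the
# form `firewall-cmd --list-rich-rules` prints it, check a listing for each
# expected node:port pair, and add a rule only when it is not already present.

# Rule for one OCP compute node ($1 = source IP) and the Db2 port ($2).
db2_rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$1" "$2"
}

# Exit 0 if the listing in $1 (output of `firewall-cmd --list-rich-rules`)
# contains the accept rule for source IP $2 and TCP port $3, else 1.
rule_present() {
    printf '%s\n' "$1" | grep -Fxq "$(db2_rich_rule "$2" "$3")"
}

# Check every expected ip:port pair against the listing in $1; print one line
# per pair and return the number of missing rules (0 = all present).
verify_rules() {
    listing=$1; shift
    missing=0
    for pair in "$@"; do
        ip=${pair%%:*}; port=${pair##*:}
        if rule_present "$listing" "$ip" "$port"; then
            echo "present: $ip:$port"
        else
            echo "MISSING: $ip:$port"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Idempotent add: query the permanent config first, add only when missing.
# Needs root and firewalld; reload afterwards with `firewall-cmd --reload`.
apply_rule_if_missing() {
    rule=$(db2_rich_rule "$1" "$2")
    firewall-cmd --permanent --zone=public --query-rich-rule="$rule" >/dev/null 2>&1 ||
        firewall-cmd --permanent --zone=public --add-rich-rule="$rule"
}

# Constructed sample listing, matching the verification output shown above.
SAMPLE_LISTING='rule family="ipv4" source address="100.0.0.50" port port="25010" protocol="tcp" accept
rule family="ipv4" source address="100.0.0.60" port port="25010" protocol="tcp" accept'

# On a live VM use: verify_rules "$(firewall-cmd --zone=public --list-rich-rules)" 100.0.0.50:25010 100.0.0.60:25010
verify_rules "$SAMPLE_LISTING" 100.0.0.50:25010 100.0.0.60:25010
```

The rich rule only restricts access if port 25010 is not also opened zone-wide (for example with --add-port or a service definition); firewall-cmd --zone=public --list-all shows both.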
Use the Ansible playbook to set up the rich text firewall
The setup described above can be automated within the IBM CIC VM by running the Ansible playbook below, which uses the OpenStack Ansible collection to connect to IBM CIC and run the firewall command.
Follow the steps below to run the Ansible playbook.
- Create a Python virtual environment and install the required packages to run the Ansible playbook:
    pip install ansible
    pip install openstacksdk
  Install the openstack.cloud collection from Ansible Galaxy:
    ansible-galaxy collection install openstack.cloud
- Create a YAML file named clouds.yaml to authenticate to the IBM CIC environment. By default, OpenStack checks the ~/.config/openstack directory for the configuration file.
    mkdir -p ~/.config/openstack
    touch ~/.config/openstack/clouds.yaml
    vi ~/.config/openstack/clouds.yaml
  clouds.yaml:
    clouds:
      icic_cloud:
        auth:
          auth_url: <Authentication URL for the OpenStack Keystone service (for example, IBM_CIC_url:5000/v3)>
          username: <Username>
          password: <Password>
          project_name: <IBM CIC Project name>
          user_domain_name: Default       # OpenStack login
          project_domain_name: Default    # OpenStack login
        region_name: RegionOne            # region, optional
        identity_api_version: 3
        verify: false                     # optional: skips TLS certificate verification; use only for testing
  Verification: To verify the connection to IBM CIC, run the command below and ensure you receive a SUCCESS message.
    ansible localhost -m openstack.cloud.auth -a "cloud=icic_cloud"
  Output:
    ansible localhost -m openstack.cloud.auth -a "cloud=icic_cloud"
    [WARNING]: No inventory was parsed, only implicit localhost is available
    localhost | SUCCESS => {
        "auth_token": "xxxxxxxxxxxxx",
        "changed": false
    }
- Create a YAML file named ansible_rich_rule_playbook.yaml, paste the sample playbook below into it, and modify it as needed. Install sshpass so that Ansible can use it to connect to your virtual machines with a password:
    dnf install sshpass
    vi ansible_rich_rule_playbook.yaml
  ansible_rich_rule_playbook.yaml:
    ---
    # This play connects to the IBM CIC environment configured in the previous step,
    # retrieves all VM information, and adds their IP addresses to vm_groups.
    - name: IBM CIC connection and collecting all the VMs
      hosts: localhost
      gather_facts: false
      tasks:
        - name: List of VMs in IBM CIC
          openstack.cloud.server_info:
            cloud: icic_cloud
          register: icic_vm_info

        - name: Adding VMs to group
          add_host:
            name: "{{ item.hostname }}"
            ansible_host: "{{ item.access_ipv4 }}"
            groups: vm_groups
          loop: "{{ icic_vm_info.servers }}"

    # This play uses SSH to connect to each VM and execute the rich rule firewall command.
    - name: Adding rich text command all the IBM CIC VMs
      hosts: vm_groups
      gather_facts: false
      become: yes
      vars:
        ansible_user: <User_ID of IBM CIC VM>
        ansible_ssh_pass: <Password of IBM CIC VM>   # plain-text credential; keep it in an ansible-vault encrypted file rather than in the playbook
        ips_ports:
          - ip: 100.0.0.50    # RedHat OpenShift compute node ip
            port: 25010       # IBM Db2 Database port
          - ip: 100.0.0.60    # RedHat OpenShift compute node ip
            port: 25010       # IBM Db2 Database port
      tasks:
        - name: Adding rich text rule in IBM CIC VMs
          command: >
            firewall-cmd --permanent --zone=public
            --add-rich-rule='rule family="ipv4" source address="{{ item.ip }}" port protocol="tcp" port="{{ item.port }}" accept'
          loop: "{{ ips_ports }}"

        - name: Firewall reload
          command: firewall-cmd --reload

        - name: rich text rule verification command
          command: firewall-cmd --zone=public --list-rich-rules
          register: ips_port_check

        # Checks the listed rules for each expected source address and port.
        - name: Verification results
          debug:
            msg: >
              {% for rule in ips_ports %}
              {% if 'source address="' ~ rule.ip ~ '"' in ips_port_check.stdout and 'port="' ~ rule.port ~ '"' in ips_port_check.stdout %}
              Rule for {{ rule.ip }}:{{ rule.port }} is present.
              {% else %}
              Rule for {{ rule.ip }}:{{ rule.port }} is missing.
              {% endif %}
              {% endfor %}
- Run the Ansible playbook with the following command:
    ansible-playbook ansible_rich_rule_playbook.yaml