Platform System Manager Operating System setup

Before you install the product, configure the disk partitions and optionally set up an encrypted partition or logical volume to encrypt all sensitive data on the Red Hat Enterprise Linux operating system.

Before you begin

The minimum size of the data disk partition is 1.5 TB and the runtime disk partition is 500 GB. The minimum size of the temporary file system is 5.5 GB. Create this file system as a separate disk partition from the root operating system partition, and mount it at /tmp. For more information, see System requirements.
Important:
  • Complete these steps for the Platform System Manager Operating System.
  • When you create the directories in the subsequent steps on the Platform System Manager Operating System, all directories must have 755 permission (read and execute for everyone).

Procedure

  1. Use the following procedure to complete the recommended disk partition encryption configuration steps:
    1. Create a physical volume on the two installation disk partitions, one for runtime and one for data:
      pvcreate /dev/<disk1_name>
      pvcreate /dev/<disk2_name>
    2. Create a volume group on each physical volume:
      vgcreate <volume_group_name> /dev/<disk1_name>
    3. Create a logical volume in each volume group:
      lvcreate --size <size> --name <logical_volume_name> <volume_group_name>
    4. Install the LUKS package if it is not already installed.
      yum install -y cryptsetup-luks
    5. Activate the LUKS module:
      modprobe dm_crypt
    6. Verify the module is running:
      lsmod | grep dm_crypt

      If the module is not running, check the installation of the LUKS package.

    7. Change the logical volume to the LUKS format.
      This command will prompt you to enter a passphrase. Create a new passphrase and make a note of it. You will need to re-enter the passphrase later in the process.
      cryptsetup luksFormat /dev/<volume_group_name>/<logical_volume_name>
    8. Name the LUKS logical volume, for example:
      cryptsetup luksOpen /dev/<volume_group_name>/<logical_volume_name> luks-runtime
    9. Create an ext4 file system on the LUKS logical volume:
      mkfs.ext4 /dev/mapper/luks-runtime
    10. Create the /etc/crypttab file and add the following line:
      luks-runtime /dev/<volume_group_name>/<logical_volume_name> /root/<luks_key_name>.key
    11. Create the /root/<luks_key_name>.key file to store the passphrase you specified when you ran the cryptsetup luksFormat command.
      This is a text file with a single line containing only the passphrase.
    12. Add the password to the LUKS logical volume:
      cryptsetup luksAddKey /dev/<volume_group_name>/<logical_volume_name> /root/<luks_key_name>.key
    13. Add the following line to the /etc/fstab file:
      /dev/mapper/luks-runtime /cps-sw-runtime ext4 defaults 1 2
    14. Create the mount point and mount the LUKS logical volume:
      mkdir /cps-sw-runtime
      mount /cps-sw-runtime
    15. Verify the encryption is set up correctly:
      cryptsetup status /dev/mapper/luks-runtime
    16. Repeat steps 1g. to 1i. for the second logical volume.
      Instead of creating a new crypttab file, add the following line for the second volume to the existing file:
      luks-data /dev/<volume_group_name_2>/<logical_volume_2> /root/<luks_key_name_2>.key
    17. Repeat steps 1k. to 1o. to complete the setup of the second encrypted volume.
  2. Use the following steps to bind-mount directories from the runtime disk partition and the data disk partition. These steps are required regardless of whether you performed the recommended steps to set up disk partition encryption.
    Important: The examples used in the following steps are based on the recommended encryption approach. Your disk partitions and their bind-mount points can be different. You must use the bind-mount points as described in these steps.
    1. Run the following commands to create directories in the runtime directory that is mounted on the encrypted volume.
      Cloud Pak System Software for Power organizes the production code and data into a specific directory structure. You do not need to set up separate encryption, because the directories are bound to the encrypted partitions. Make sure the runtime encrypted partition is bound first.
      mkdir -p /opt/ibm
      mkdir -p /data
      mkdir -p /home/iwd
      mkdir -p /var/log/purescale
      
      mkdir -p /cps-sw-runtime/opt/ibm
      mkdir -p /cps-sw-runtime/data
      mkdir -p /cps-sw-runtime/home/iwd
      mkdir -p /cps-sw-runtime/var/log/purescale
    2. Run the following commands to bind-mount all of the directories to the corresponding mapping in /cps-sw-runtime:
      mount --bind /cps-sw-runtime/opt/ibm /opt/ibm
      mount --bind /cps-sw-runtime/data /data
      mount --bind /cps-sw-runtime/home/iwd /home/iwd
      mount --bind /cps-sw-runtime/var/log/purescale /var/log/purescale
    3. Run the following commands to add the bind-mount entries to the /etc/fstab file:
      echo "/cps-sw-runtime/opt/ibm /opt/ibm none bind 0 0" >> /etc/fstab
      echo "/cps-sw-runtime/data /data none bind 0 0" >> /etc/fstab
      echo "/cps-sw-runtime/home/iwd /home/iwd none bind 0 0" >> /etc/fstab
      echo "/cps-sw-runtime/var/log/purescale /var/log/purescale none bind 0 0" >> /etc/fstab
      
    4. Run the following commands to create directories in the data partition:
      mkdir -p /data/system
      mkdir -p /data/workload
      mkdir -p /drouter
      
      mkdir -p /cps-sw-data/data/system
      mkdir -p /cps-sw-data/data/workload
      mkdir -p /cps-sw-data/drouter
    5. Use the following commands to bind-mount all of the directories to the corresponding mapping in /cps-sw-data:
      mount --bind /cps-sw-data/data/system /data/system
      mount --bind /cps-sw-data/data/workload /data/workload
      mount --bind /cps-sw-data/drouter /drouter
    6. Run the following commands to add the /cps-sw-data bind-mount entries below the /cps-sw-runtime bind-mount entries in the /etc/fstab file:
      echo "/cps-sw-data/data/system /data/system none bind 0 0" >> /etc/fstab
      echo "/cps-sw-data/data/workload /data/workload none bind 0 0" >> /etc/fstab
      echo "/cps-sw-data/drouter /drouter none bind 0 0" >> /etc/fstab
  3. It is recommended that you restart your Red Hat Enterprise Linux operating system to verify the disk partition configuration. The following is an example of the contents of the /etc/fstab file after completing this procedure:
    /dev/mapper/luks-runtime /cps-sw-runtime  ext4  auto    1 2
    /dev/mapper/luks-data    /cps-sw-data     ext4  auto    1 2
    /cps-sw-runtime/opt/ibm  /opt/ibm  none bind    0 0
    /cps-sw-runtime/data     /data     none bind    0 0
    /cps-sw-runtime/home/iwd /home/iwd none bind    0 0
    /cps-sw-runtime/var/log/purescale /var/log/purescale none bind 0 0
    /cps-sw-data/data/system   /data/system    none bind    0 0
    /cps-sw-data/data/workload /data/workload  none bind    0 0
    /cps-sw-data/drouter       /drouter        none bind    0 0
  4. Enable IPv6 if it is not already enabled. To enable IPv6, do these steps:
    • Open the /etc/sysctl.conf configuration file.
    • Comment out the following lines by putting a # at the beginning:
      #net.ipv6.conf.all.disable_ipv6 = 1
      #net.ipv6.conf.default.disable_ipv6 = 1
      #net.ipv6.conf.lo.disable_ipv6 = 1
      
    • Add the following three lines after the commented lines:
      
      net.ipv6.conf.all.disable_ipv6 = 0
      net.ipv6.conf.default.disable_ipv6 = 0
      net.ipv6.conf.lo.disable_ipv6 = 0
  5. Open the /etc/sysconfig/network file and do the following:
    • Add NETWORKING_IPV6=yes to the end of the /etc/sysconfig/network file.
    • Restart the network service to pick up the changes by running the systemctl restart network command.
    • Enable iptables if firewalld is enabled. To enable iptables, run these commands:
      
      systemctl disable firewalld
      systemctl stop firewalld
      yum install iptables-services
      systemctl start iptables
      systemctl start ip6tables
      systemctl enable iptables
      systemctl enable ip6tables
      

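The following script is an added verification example, not part of this documentation: given the contents of /etc/crypttab and /etc/fstab produced by steps 1 to 3, it reports every LUKS mapping that is not mounted and every bind-mount whose source is not below a LUKS-backed mount point, and it checks that a key file (which stores the passphrase in clear text) is readable by root only. The volume group, device and key file names in the constructed samples are hypothetical.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): a consistency check for the
# /etc/crypttab and /etc/fstab layout built by the procedure above. Device and
# key names in the constructed samples are hypothetical.
CRYPTTAB_SAMPLE='luks-runtime /dev/vg_rt/lv_rt /root/rt.key
luks-data /dev/vg_data/lv_data /root/data.key
luks-spare /dev/vg_spare/lv_spare /root/spare.key'
# Constructed fstab: luks-spare is never mounted and /scratch is bound from an
# unencrypted path, so exactly two problems are expected.
FSTAB_SAMPLE='/dev/mapper/luks-runtime /cps-sw-runtime ext4 auto 1 2
/dev/mapper/luks-data /cps-sw-data ext4 auto 1 2
/cps-sw-runtime/opt/ibm /opt/ibm none bind 0 0
/cps-sw-data/data/system /data/system none bind 0 0
/var/tmp/scratch /scratch none bind 0 0'

# layout_problems CRYPTTAB FSTAB: one line per problem, no output when clean.
layout_problems() {
  crypttab=$1; fstab=$2
  # Every crypttab mapping must be mounted from /dev/mapper/<name> in fstab.
  printf '%s\n' "$crypttab" | while read -r name _dev _key _rest; do
    [ -n "$name" ] || continue
    printf '%s\n' "$fstab" | grep -q "^/dev/mapper/$name[[:space:]]" ||
      echo "mapping $name is not mounted in fstab"
  done
  # Every bind-mount source must sit below one of the LUKS mount points.
  luks_mounts=$(printf '%s\n' "$fstab" | awk '$1 ~ /^\/dev\/mapper\// {print $2}')
  printf '%s\n' "$fstab" | awk '$4 == "bind" {print $1, $2}' |
    while read -r src dst; do
      ok=0
      for m in $luks_mounts; do
        case "$src" in "$m"/*) ok=1 ;; esac
      done
      [ "$ok" -eq 1 ] || echo "bind mount $dst: source $src is not on an encrypted volume"
    done
}

# layout_problem_count CRYPTTAB FSTAB: number of problems found (0 when clean).
layout_problem_count() { layout_problems "$1" "$2" | awk 'END { print NR }'; }

# key_file_permissions_ok FILE: the key file stores the LUKS passphrase in clear
# text, so it must be a regular file with no group/other bits (GNU stat, as on RHEL).
key_file_permissions_ok() {
  [ -f "$1" ] || return 1
  case "$(stat -c '%a' "$1")" in *00) return 0 ;; *) return 1 ;; esac
}

layout_problems "$CRYPTTAB_SAMPLE" "$FSTAB_SAMPLE"
```

On the installed system, run the two layout functions as root with the actual contents of /etc/crypttab and /etc/fstab, and key_file_permissions_ok against each /root/<luks_key_name>.key file.
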
What to do next

Install Cloud Pak System Software for Power.