Setting up IBM Cloud File Storage
If you are installing services that depend on Db2® and you are planning to use IBM® Cloud File Storage on NFS 4 for persistent storage, you must configure ID
mapping, which enables no_root_squash. Configuring no_root_squash
allows root clients to retain root permissions on the remote NFS share.
About this task
If you are installing any of the following services on Cloud Pak for Data, you must configure ID mapping:
- Db2
- Db2 Warehouse
- Watson Knowledge Catalog
- OpenPages®
- DataStage®
- Big SQL
- Data Virtualization
You can configure ID mapping through a daemon set or by running manual commands on worker nodes.
These steps also enable no_root_squash in the IBM Cloud environment. For more
details, see Implementing no_root_squash for NFS in the IBM Cloud
documentation.
Configuring ID mapping through a daemon set
- Create a service account called norootsquash by running the following command:

      oc create -f - << EOF
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: norootsquash
        namespace: kube-system
      EOF

- Give the service account privileged security context constraints (SCC) by running the following command:

      oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:norootsquash

- Create the daemon set by running the following command:

      export DOMAIN_NAME=<>
      oc create -f - << EOF
      apiVersion: apps/v1
      kind: DaemonSet
      metadata:
        name: norootsquash
        namespace: kube-system
        labels:
          tier: management
          app: norootsquash
      spec:
        selector:
          matchLabels:
            name: norootsquash
        template:
          metadata:
            labels:
              name: norootsquash
          spec:
            serviceAccountName: norootsquash
            initContainers:
              - resources:
                  requests:
                    cpu: 0.1
                securityContext:
                  privileged: true
                image: alpine:3.6
                name: unrootsquash
                command: ["chroot", "/host", "sh", "-c"]
                args:
                  - >
                    grep "^Domain = ${DOMAIN_NAME}" /etc/idmapd.conf;
                    if [ "\$?" -ne "0" ] ; then
                      sed -i 's/.*Domain =.*/Domain = ${DOMAIN_NAME}/g' /etc/idmapd.conf;
                      nfsidmap -c;
                      rpc.idmapd
                    fi;
                volumeMounts:
                  - name: host
                    mountPath: /host
            containers:
              - resources:
                  requests:
                    cpu: 0.1
                image: alpine:3.6
                name: sleep
                command: ["/bin/sh", "-c"]
                args:
                  - >
                    while true; do
                      sleep 100000;
                    done
            volumes:
              - hostPath:
                  path: /
                  type: Directory
                name: host
      EOF

Configuring ID mapping by running manual commands on worker nodes
- Run the following command to perform the same task as the daemon set. The command takes about 30
seconds per node. These settings are not applied to worker nodes that are added later, so you must
apply them to each new node. The domain is written literally in both the grep and the sed
expression because the single-quoted script runs on the node, where DOMAIN_NAME is not set.

      oc get no -l node-role.kubernetes.io/worker --no-headers -o name | \
        xargs -I {} -- oc debug {} -- chroot /host sh -c \
        'grep "^Domain = slnfsv4.com" /etc/idmapd.conf || ( sed -i "s/.*Domain =.*/Domain = slnfsv4.com/g" /etc/idmapd.conf; nfsidmap -c; rpc.idmapd )'

  Note: The DOMAIN_NAME for ibm-cloud-file-storage would be slnfsv4.com.
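
Both procedures above rely on sed rewriting an existing Domain line, so a node whose idmapd.conf has no such line, or already has a different active domain, can end up unconfigured without any error. The following check is an added example, not part of the IBM documentation. It assumes that Domain is set in the [General] section, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM's code): verify the NFSv4 ID-mapping domain in a copy
# of a worker node's /etc/idmapd.conf.
# Assumption: Domain is set in the [General] section of the file.

# check_idmapd FILE EXPECTED
#   returns 0 if every active Domain line equals EXPECTED,
#           1 if an active Domain line has another value,
#           2 if no active (uncommented) Domain line exists.
check_idmapd() {
    awk -v want="$2" '
        /^[ \t]*\[/ { in_general = ($0 ~ /^[ \t]*\[General\]/); next }
        in_general && /^[ \t]*Domain[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)   # drop "Domain =" and leading blanks
            sub(/[ \t\r]+$/, "", val)       # drop trailing blanks or a CR
            seen++
            if (val != want) wrong++
        }
        END { if (seen == 0) exit 2; if (wrong > 0) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample files so the example runs offline.
make_samples() {
    printf '[General]\n#Verbosity = 0\nDomain = slnfsv4.com\n' > "$1/ok.conf"
    printf '[General]\n#Domain = local.domain.edu\n' > "$1/commented.conf"
    printf '[General]\nDomain = example.internal\n' > "$1/other.conf"
    printf '[General]\nVerbosity = 0\n[Mapping]\nNobody-User = nobody\n' > "$1/missing.conf"
}

# Run the check over every sample and print the return code for each.
demo() {
    dir=$(mktemp -d) && make_samples "$dir"
    for f in ok commented other missing; do
        rc=0; check_idmapd "$dir/$f.conf" slnfsv4.com || rc=$?
        echo "$f.conf -> $rc"
    done
    rm -rf "$dir"
}
demo
```

Run check_idmapd against the idmapd.conf of each worker node after either procedure, and again whenever worker nodes are added. Treat a return code of 1 or 2 as a node where ID mapping is not in effect.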