Setting up Amazon Elastic File System
Amazon Elastic File System (EFS) does not support dynamic storage provisioning by default, and Red Hat® OpenShift® does not include a provisioner plug-in to create an NFS-based storage class. Therefore, you must set up dynamic storage provisioning on your Amazon Elastic File System.
- Installation phase
  - Setting up a client workstation
- Who needs to complete this task?
  A cluster administrator or a storage administrator must complete this task.
- When do you need to complete this task?
  If you plan to use EFS storage, you must set up dynamic provisioning before you install Cloud Pak for Data.
  If you plan to install Cloud Pak for Data from the AWS Marketplace, you can skip this task.
Before you begin
Ensure that you source the environment variables before you run the commands in this task.
About this task
The steps in this procedure use the Kubernetes NFS-Client Provisioner (from the Kubernetes SIGs organization) to set up dynamic provisioning with EFS storage.
Creating an EFS file system
Use the following guidance to create an EFS file system that is accessible from the cluster.
From your EC2 dashboard:
- From the navigation menu, select Instances.
- Identify a worker node and click the Instance ID of the node.
- Obtain the VPC ID and security group for the worker node:
  - In the instance summary for the node, locate the VPC ID. Save the ID in a text file.
  - Open the Security tab, and locate the Security groups. Save the ID to the text file.
- Obtain the CIDR for the VPC:
  - From the instance summary, click the VPC ID to open the VPC Management Console.
  - From the VPC Management Console, locate the CIDR for the VPC. Save the CIDR to the text file.
  - Close the VPC Management Console.
- Edit the inbound rules for the security group:
  - From the navigation menu, select Security Groups.
  - Search for the security group that you identified in the preceding steps.
  - Click the Security group ID.
  - On the Inbound rules tab, click Edit inbound rules.
  - Scroll to the end of the rules and click Add rule.
  - Specify the following values:
    - For the Type, specify NFS.
    - For the Source, specify Custom.
    - In the search field, enter the CIDR value that you identified in the preceding steps.
  - Click Save rules.
- Create the EFS file system:
  - Go to https://console.aws.amazon.com/efs.
  - Click Create file system. Then, click Customize.
  - On the File system settings page, give the file system a name. Then, click Next.
  - On the Network access page, select the VPC that you identified in the preceding steps.
  - For each availability zone in the VPC:
    - Select a private subnet ID.
    - Remove the default security group and replace it with the security group that you identified in the preceding steps.
  - Click Next. Then, click Next again.
  - On the Review and create page, click Create.
  - Wait for the file system to be created. Write down the ID of the file system.
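The inbound rule in this procedure is meant to admit NFS only from the VPC CIDR. As an added example (not part of the original procedure), the following Python check reads a security group in the shape returned by `aws ec2 describe-security-groups` and lists every source CIDR that can reach port 2049 from outside the VPC. The group ID, the CIDRs, and the function names are constructed for illustration.

```python
import ipaddress

NFS_PORT = 2049  # TCP port opened by the console's "NFS" rule type

# Constructed sample in the shape of `aws ec2 describe-security-groups`
# output; the group ID and every CIDR are made-up placeholders.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},     # intended rule
        {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},       # open to the internet
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.168.0.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},       # not NFS, ignored
    ],
}

def covers_nfs(rule):
    """True if an inbound rule admits TCP traffic to port 2049."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "all traffic" rules carry no port range
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= NFS_PORT <= rule.get("ToPort", 65535)

def nfs_sources_outside_vpc(group, vpc_cidr):
    """Return source CIDRs that can reach NFS but are not inside vpc_cidr."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for rule in group.get("IpPermissions", []):
        if not covers_nfs(rule):
            continue
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            src = ipaddress.ip_network(cidr)
            # subnet_of() needs matching IP versions, so compare those first
            if src.version != vpc.version or not src.subnet_of(vpc):
                findings.append(cidr)
    return findings

if __name__ == "__main__":
    for cidr in nfs_sources_outside_vpc(SAMPLE_GROUP, "10.0.0.0/16"):
        print(f"{SAMPLE_GROUP['GroupId']}: NFS reachable from {cidr}")
```

Rules whose source is another security group or a prefix list are not evaluated by this check.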
Mirroring the provisioner images to a private container registry
- If your client workstation can connect to the internet and to the private container registry, you can mirror the images directly to your private container registry.
- If your client workstation cannot connect to the internet and to the private container registry, you must mirror images to an intermediary container registry before you can mirror the images to your private container registry.
Mirroring the provisioner images directly to a private container registry
To mirror the images for the Kubernetes NFS-Client Provisioner to your private container registry:
- Log in to your private container registry:
    cpd-cli manage login-private-registry \
    ${PRIVATE_REGISTRY_LOCATION} \
    ${PRIVATE_REGISTRY_PUSH_USER} \
    ${PRIVATE_REGISTRY_PUSH_PASSWORD}
  If your private registry is not secured, see cpd-cli manage login-private-registry for additional options.
- Mirror the images to the private container registry:
    cpd-cli manage mirror-nfs-provisioner \
    --target_registry=${PRIVATE_REGISTRY_LOCATION} \
    --source_registry=k8s.gcr.io/sig-storage
Mirroring the provisioner images using an intermediary container registry
To mirror the images for the Kubernetes NFS-Client Provisioner to your private container registry:
- Mirror the images to the intermediary container registry:
    cpd-cli manage mirror-nfs-provisioner \
    --target_registry=127.0.0.1:12443 \
    --source_registry=k8s.gcr.io/sig-storage
- Move the intermediary container registry behind the firewall.
- Log in to your private container registry:
    cpd-cli manage login-private-registry \
    ${PRIVATE_REGISTRY_LOCATION} \
    ${PRIVATE_REGISTRY_PUSH_USER} \
    ${PRIVATE_REGISTRY_PUSH_PASSWORD}
  If your private registry is not secured, see cpd-cli manage login-private-registry for additional options.
- Mirror the images to the private container registry:
    cpd-cli manage mirror-nfs-provisioner \
    --target_registry=${PRIVATE_REGISTRY_LOCATION} \
    --source_registry=127.0.0.1:12443
Getting the connection details for your Amazon Elastic File System
Before you can set up dynamic provisioning, you must obtain the DNS name or IP address of your Amazon Elastic File System:
- DNS name (recommended)
  You can obtain the DNS name from the AWS Console on the . Select the file system that you want to use. The DNS name is in the General section.
  The DNS name has the following format:
    <file-storage-id>.efs.<region>.amazonaws.com
- IP address
  You can obtain the IP address from the AWS Console on the . Select the file system that you want to use. The IP address is on the Network tab.
Configuring dynamic storage
To configure dynamic storage:
- Run the cpd-cli manage login-to-ocp command to log in to the cluster as a user with sufficient permissions to complete this task. For example:
    cpd-cli manage login-to-ocp \
    --username=${OCP_USERNAME} \
    --password=${OCP_PASSWORD} \
    --server=${OCP_URL}
  Tip: The login-to-ocp command takes the same input as the oc login command. Run oc login --help for details.
- If you mirrored the images to a private container registry, update the global image pull secret so that the cluster can access the Kubernetes NFS-Client Provisioner images.
  The global image pull secret must contain the credentials of an account that can pull images from the private container registry:
    cpd-cli manage add-cred-to-global-pull-secret \
    ${PRIVATE_REGISTRY_LOCATION} \
    ${PRIVATE_REGISTRY_PULL_USER} \
    ${PRIVATE_REGISTRY_PULL_PASSWORD}
- Set the following environment variables:
  - Set EFS_LOCATION to the DNS name or IP address of the EFS server:
      export EFS_LOCATION=<location>
  - Set EFS_PATH to the EFS exported path. (The default path is /.)
      export EFS_PATH=/
  - Set PROJECT_NFS_PROVISIONER to the project (namespace) where you want to deploy the Kubernetes NFS-Client Provisioner. The recommended project is nfs-provisioner; however, you can specify any project.
    Important: If you don't have the appropriate permissions to create projects, you must specify an existing project (namespace). If you have the appropriate permissions to create projects, the project is automatically created when you run the cpd-cli manage setup-nfs-provisioner command.
      export PROJECT_NFS_PROVISIONER=<project-name>
  - Set EFS_STORAGE_CLASS to the name that you want to use for the EFS storage class. The recommended name is efs-nfs-client.
      export EFS_STORAGE_CLASS=efs-nfs-client
  - Set the NFS_IMAGE to the correct value for your Red Hat OpenShift Container Platform architecture:
      Architecture   Command
      x86-64         export NFS_IMAGE=k8s.gcr.io/sig-storage/nfs-subdir-external-provisioner:v4.0.2
      ppc64le        export NFS_IMAGE=gcr.io/k8s-staging-sig-storage/nfs-subdir-external-provisioner:v4.0.2
      s390x          export NFS_IMAGE=gcr.io/k8s-staging-sig-storage/nfs-subdir-external-provisioner:v4.0.2
    Tip: If you don't know the architecture of your cluster, run the following commands:
    - Run the following command to get the list of nodes on the cluster:
        oc get nodes
      Copy the name of one of the nodes.
    - Run the following command to get information about the node. Replace <node-name> with the appropriate name.
        oc get nodes <node-name> -o jsonpath='{.status.nodeInfo}' | jq
      The output contains the architecture.
- Run the following command to set up dynamic provisioning:
    cpd-cli manage setup-nfs-provisioner \
    --nfs_server=${EFS_LOCATION} \
    --nfs_path=${EFS_PATH} \
    --nfs_provisioner_ns=${PROJECT_NFS_PROVISIONER} \
    --nfs_storageclass_name=${EFS_STORAGE_CLASS} \
    --nfs_provisioner_image=${NFS_IMAGE}
- Confirm that dynamic provisioning is working:
  - Confirm that the storage class was created:
      oc get sc
    Review the list of storage classes to ensure that it contains the EFS storage class. The default storage class name is efs-nfs-client.
  - Confirm that the nfs-client-provisioner pod is running:
      oc get pods -n ${PROJECT_NFS_PROVISIONER}
    The status of the pod should be Running.
  - Confirm that the test persistent volume claim (pvc) that is created by the provisioner is bound:
      oc get pvc -n ${PROJECT_NFS_PROVISIONER}
    The status of the persistent volume claim should be Bound.