Setting up IBM Cloud File Storage

If you are installing services that depend on NFS and you are planning to use IBM Cloud File Storage on NFS 4 for persistent storage, you must configure ID mapping, which enables no_root_squash. Configuring no_root_squash allows root clients to retain root permissions on the remote NFS share.

About this task

If you are installing any of the following services on Cloud Pak for Data, you must configure ID mapping:
  • Db2®
  • Db2 Warehouse
  • Watson™ Knowledge Catalog
  • OpenPages®
  • DataStage®
  • Big SQL
  • Watson Query

You can configure ID mapping through a daemon set or by running manual commands on worker nodes. These steps also enable no_root_squash in the IBM Cloud environment. For more details, see Implementing no_root_squash for NFS in the IBM Cloud documentation.


Configuring ID mapping through a daemon set
  1. Set the DOMAIN_NAME environment to slnfsv4.com:
    export DOMAIN_NAME=slnfsv4.com
  2. Create a service account called norootsquash by running the following command:
    cat <<EOF | oc create -f -
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: norootsquash
      namespace: kube-system
    EOF
  3. Give the service account privileged security context constraints (SCC) by running the following command:
    oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:norootsquash
    
  4. Create the daemon set by running the following command:
    cat <<EOF | oc create -f -
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: norootsquash
      namespace: kube-system
      labels:
        tier: management
        app: norootsquash
    spec:
      selector:
        matchLabels:
          name: norootsquash
      template:
        metadata:
          labels:
            name: norootsquash
        spec:
          serviceAccountName: norootsquash
          initContainers:
            - resources:
                requests:
                  cpu: 0.1
              securityContext:
                privileged: true
              image: alpine:3.6
              name: unrootsquash
              command: ["chroot", "/host", "sh", "-c"]
              args:
                - >
                  grep "^Domain = ${DOMAIN_NAME}" /etc/idmapd.conf;
                  if [ "\$?" -ne "0" ] ; then
                    sed -i 's/.*Domain =.*/Domain = ${DOMAIN_NAME}/g' /etc/idmapd.conf;
                    nfsidmap -c;
                    rpc.idmapd
                  fi;
              volumeMounts:
                - name: host
                  mountPath: /host
          containers:
            - resources:
                requests:
                  cpu: 0.1
              image: alpine:3.6
              name: sleep
              command: ["/bin/sh", "-c"]
              args:
                - >
                  while true; do
                    sleep 100000;
                  done
          volumes:
            - hostPath:
                path: /
                type: Directory
              name: host
    EOF


Configuring ID mapping by running manual commands on worker nodes
  1. Set the DOMAIN_NAME environment to slnfsv4.com:
    export DOMAIN_NAME=slnfsv4.com
  2. Run the following command to manually configure ID mapping on each worker node.

    It takes approximately 30 seconds per node for the command to take effect.

    oc get no -l node-role.kubernetes.io/worker --no-headers -o name | xargs -I {} --  oc debug {} -- chroot /host sh -c 'grep "^Domain = ${DOMAIN_NAME}" /etc/idmapd.conf || ( sed -i "s/.*Domain =.*/Domain = slnfsv4.com/g" /etc/idmapd.conf; nfsidmap -c; rpc.idmapd )'
    
    Important: This setting is not automatically applied to new nodes. If you add worker nodes to your cluster, you must re-run this command to apply the setting to the new nodes.