Setting up IBM Cloud File Storage
If you are installing services that depend on NFS and you are planning to use IBM Cloud File Storage on NFS 4 for persistent storage, you must configure ID mapping, which enables no_root_squash. Configuring no_root_squash allows root clients to retain root permissions on the remote NFS share.
About this task
If you are installing any of the following services on Cloud Pak for Data, you must configure ID mapping:
- Db2®
- Db2 Warehouse
- Watson™ Knowledge Catalog
- OpenPages®
- DataStage®
- Big SQL
- Watson Query
You can configure ID mapping through a daemon set or by running manual commands on worker nodes.
These steps also enable no_root_squash in the IBM Cloud environment. For more details, see Implementing no_root_squash for NFS in the IBM Cloud documentation.
Configuring ID mapping through a daemon set
- Set the DOMAIN_NAME environment variable to slnfsv4.com:
export DOMAIN_NAME=slnfsv4.com
- Create a service account called norootsquash by running the following command:
cat <<EOF | oc create -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: norootsquash
  namespace: kube-system
EOF
- Give the service account privileged security context constraints (SCC) by running the following
command:
oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:norootsquash
- Create the daemon set by running the following command:
cat <<EOF | oc create -f -
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: norootsquash
  namespace: kube-system
  labels:
    tier: management
    app: norootsquash
spec:
  selector:
    matchLabels:
      name: norootsquash
  template:
    metadata:
      labels:
        name: norootsquash
    spec:
      serviceAccountName: norootsquash
      initContainers:
        - resources:
            requests:
              cpu: 0.1
          securityContext:
            privileged: true
          image: alpine:3.6
          name: unrootsquash
          command: ["chroot", "/host", "sh", "-c"]
          args:
            - >
              grep "^Domain = ${DOMAIN_NAME}" /etc/idmapd.conf;
              if [ "\$?" -ne "0" ] ; then
                sed -i 's/.*Domain =.*/Domain = ${DOMAIN_NAME}/g' /etc/idmapd.conf;
                nfsidmap -c;
                rpc.idmapd
              fi;
          volumeMounts:
            - name: host
              mountPath: /host
      containers:
        - resources:
            requests:
              cpu: 0.1
          image: alpine:3.6
          name: sleep
          command: ["/bin/sh", "-c"]
          args:
            - >
              while true; do
                sleep 100000;
              done
      volumes:
        - hostPath:
            path: /
            type: Directory
          name: host
EOF
Configuring ID mapping by running manual commands on worker nodes
- Set the DOMAIN_NAME environment variable to slnfsv4.com:
export DOMAIN_NAME=slnfsv4.com
- Run the following command to manually configure ID mapping on each worker node.
It takes approximately 30 seconds per node for the command to take effect.
oc get no -l node-role.kubernetes.io/worker --no-headers -o name | xargs -I {} -- oc debug {} -- chroot /host sh -c "grep '^Domain = ${DOMAIN_NAME}' /etc/idmapd.conf || ( sed -i 's/.*Domain =.*/Domain = ${DOMAIN_NAME}/g' /etc/idmapd.conf; nfsidmap -c; rpc.idmapd )"
Important: This setting is not automatically applied to new nodes. If you add worker nodes to your cluster, you must re-run this command to apply the setting to the new nodes.
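Because the setting is not applied to new nodes automatically, it helps to be able to check a node's /etc/idmapd.conf for the expected domain. The following is an added example, not part of the IBM procedure: the function names idmapd_domain and check_idmap_domain and the two sample files are constructed for illustration, and the check assumes the Domain key lives in the [General] section.

```shell
# Added example (not IBM's code): report the effective NFSv4 ID-mapping domain
# from an idmapd.conf-style file and compare it with the expected value.
# Function names and the sample files below are constructed for illustration.

# Print the last uncommented "Domain = value" found in the [General] section.
idmapd_domain() {
    awk '
        /^[ \t]*[#;]/ { next }   # commented lines (such as "#Domain = ...") do not count
        /^[ \t]*\[/   { in_general = (tolower($0) ~ /^[ \t]*\[general\]/); next }
        in_general && /^[ \t]*Domain[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); domain = $0
        }
        END { if (domain != "") print domain }
    ' "$1"
}

# Return 0 when the file's effective domain equals the expected one, 1 otherwise.
check_idmap_domain() {
    actual=$(idmapd_domain "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK: Domain = $actual"
    else
        echo "DRIFT: expected '$2', found '${actual:-<unset>}'"
        return 1
    fi
}

# Constructed sample files: an untouched default and a configured node.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/default.conf" <<'EOF'
[General]
#Verbosity = 0
#Domain = local.domain.edu
[Mapping]
Nobody-User = nobody
EOF
cat > "$SAMPLE_DIR/configured.conf" <<'EOF'
[General]
Domain = slnfsv4.com
[Mapping]
Nobody-User = nobody
EOF

check_idmap_domain "$SAMPLE_DIR/configured.conf" slnfsv4.com
check_idmap_domain "$SAMPLE_DIR/default.conf" slnfsv4.com || true
```

On a cluster, the same check can be pointed at the copy of /etc/idmapd.conf visible under /host in a node debug session.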