Installing the IBM Cloud Pak for Multicloud Management

Follow these steps to perform an offline installation of the IBM Cloud Pak for Multicloud Management. During this install, IBM Multicloud Manager is installed, and you have the option to install the additional components.

  1. Configure Red Hat® OpenShift® Container Platform
  2. Configure IBM Multicloud Manager
  3. Verify the installation
  4. Post installation

Before you begin, you must have OpenShift Container Platform version 3.11 installed. For more information, see Preparing to install the IBM Cloud Pak for Multicloud Management, and System requirements.

Configure the Red Hat® OpenShift® Container Platform

Ensure that the OpenShift Container Platform registry has a valid route

If the Docker registry isn't exposed, you must expose the Docker registry before you start the installation.

  1. Obtain the existing route information. For example:

     oc -n default get routes
    

    Example output:

    
     NAME               HOST/PORT                                                                                                         PATH      SERVICES           PORT               TERMINATION   WILDCARD
     registry-console   registry-console-default.mcmresidency1-6550a99fb8cff23207ccecc2183787a9-0001.us-east.containers.appdomain.cloud             registry-console   registry-console   passthrough   None
    
  2. Create a Docker registry route to the registry.

     oc -n default create route --service=docker-registry --hostname=docker-registry.mcmresidency1-6550a99fb8cff23207ccecc2183787a9-0001.us-east.containers.appdomain.cloud reencrypt
    

    Example output:

     route.route.openshift.io/docker-registry created
    
  3. If the Docker registry has multiple pods, add the annotation haproxy.router.openshift.io/balance: source to the route.

    oc -n default annotate route/docker-registry haproxy.router.openshift.io/balance=source
    

    Example output:

    route.route.openshift.io/docker-registry annotated
    

Ensure that the OpenShift Container Platform image registry has enough space

You must make sure that the image registry has enough space for IBM Multicloud Manager images. The Docker registry volume requires a minimum of 100 GB. For a production environment, it is ideal to have at least 400 GB of space for the Docker registry volume.

Follow these steps to check your Docker registry volume space:

  1. Obtain the Docker registry pods:

     oc -n default get po
    

    Example output:

     NAME                       READY     STATUS    RESTARTS   AGE
     docker-registry-1-vsmn2    1/1       Running   0          6h
     registry-console-1-7rk5k   1/1       Running   0          6h
     router-1-7w86c             1/1       Running   0          6h
    

    Note: docker-registry-1-vsmn2 is the pod that you need.

  2. Open a shell in the pod:

     oc exec -it docker-registry-1-vsmn2 bash
    
  3. Check the disk usage statistics and find the server path:

     df -h
    

    Example output:

     Filesystem      Size  Used Avail Use% Mounted on
     overlay         100G  9.4G   91G  10% /
     tmpfs            16G     0   16G   0% /dev
     tmpfs            16G     0   16G   0% /sys/fs/cgroup
     /dev/nvme0n1p2  100G  9.4G   91G  10% /registry
     tmpfs            16G  8.0K   16G   1% /etc/secrets
     shm              64M     0   64M   0% /dev/shm
     tmpfs            16G   16K   16G   1% /run/secrets/kubernetes.io/serviceaccount
     tmpfs            16G     0   16G   0% /proc/acpi
     tmpfs            16G     0   16G   0% /proc/scsi
     tmpfs            16G     0   16G   0% /sys/firmware
    

    In this example, the mount directory is /registry and has 91 GB of disk space.

    For Red Hat OpenShift on IBM Cloud, you can follow Increase OpenShift volume size to increase the volume size.

Install IBM Multicloud Manager

As the IBM Cloud Pak for Multicloud Management cannot install natively on the OpenShift Container Platform, the services must be installed before other Cloud Pak components.

  1. Download the Docker package ibm-cloud-private-rhos-3.2.1.tar.gz from the IBM Passport Advantage® website.

    • For a Linux x86_64 cluster, download the ibm-cloud-private-rhos-3.2.1.tar.gz file.
    • For a Linux on Power (ppc64le) cluster, download the ibm-cloud-private-ppc64le-3.2.1.tar.gz file.
  2. If the OpenShift Container Platform CLI tools are not on the boot node, download, decompress, and install the OpenShift Container Platform CLI tool oc from OpenShift Container Platform client binaries.

  3. Load the container images into the local registry:

    • For Linux x86_64:

      tar xf ibm-cloud-private-rhos-3.2.1.tar.gz -O | sudo docker load
      
    • For Linux on Power (ppc64le):

      tar xf ibm-cloud-private-ppc64le-3.2.1.tar.gz -O | sudo docker load
      
  4. Create an installation directory on the boot node:

       mkdir /opt/ibm-multicloud-manager-3.2.1; cd /opt/ibm-multicloud-manager-3.2.1
    
  5. Extract the cluster directory:

    • For Linux x86_64:

      sudo docker run --rm -v $(pwd):/data:z -e LICENSE=accept --security-opt label:disable ibmcom/icp-inception-amd64:3.2.1-rhel-ee cp -r cluster /data
      
    • For Linux on Power (ppc64le):

      sudo docker run --rm -v $(pwd):/data:z -e LICENSE=accept --security-opt label:disable ibmcom/icp-inception-ppc64le:3.2.1-ee cp -r cluster /data
      
  6. Create cluster configuration files.

    • Obtain the kubeconfig from the OpenShift Container Platform. Copy the kubeconfig file to the installation directory.

      The OpenShift configuration files can be found on the OpenShift master node.

      • If your IBM Cloud Pak for Multicloud Management boot node is the same as the OpenShift master node, copy the OpenShift admin.kubeconfig file to the cluster directory. The OpenShift admin.kubeconfig file is located at /etc/origin/master/admin.kubeconfig:

          sudo cp /etc/origin/master/admin.kubeconfig /opt/ibm-multicloud-manager-3.2.1/cluster/kubeconfig
        
      • If your IBM Cloud Pak for Multicloud Management boot node is different from the OpenShift master node, the kubeconfig file must be copied to the boot node.
        Note: For an OpenShift on IBM Cloud cluster, you can obtain or generate its Kubernetes configuration by following the steps in Creating a cluster with the console.
        Copy the kubeconfig file that was generated by the OpenShift installer to the cluster directory:

        cp /<OpenShift-installation-directory>/auth/kubeconfig /opt/ibm-multicloud-manager-3.2.1/cluster/kubeconfig
        
    • For Red Hat OpenShift on IBM Cloud, you can use the oc login command to update $KUBECONFIG to point to a file that can hold the profile information.

      The default location for the kubernetes config file is ~/.kube/config unless you override it.

      1. From your boot node terminal run the following commands:

         export KUBECONFIG=$(pwd)/myclusterconfig
        
         oc login --token=EtZqGLpwxpL8b6CAjs9Bvx6kxe925a1HlB__AR3gIOs --server=https://c100-e.us-east.containers.cloud.ibm.com:32653
        

        You can see that $(pwd)/myclusterconfig has been populated.

      2. Copy the kubeconfig file:

        cp $KUBECONFIG /opt/ibm-multicloud-manager-3.2.1/cluster/kubeconfig
        

Update the installation config.yaml

You must update the config.yaml file or use the power.openshift.config.yaml file to replace the config.yaml for Linux on Power (ppc64le) before you deploy the services.

  1. Add the OpenShift Container Platform nodes in the cluster, which you want to deploy services on, to the config.yaml file.

    1. Collect information for the config.yaml file. Run oc get nodes to get all the cluster node names. Use these OpenShift Container Platform worker node names to select master, proxy, and management targets. Assign any of the OpenShift Container Platform worker nodes to each of the cluster_nodes.

    2. Update the cluster_nodes section of the config.yaml to identify your chosen OpenShift Container Platform worker nodes. For example:

       oc get nodes
       NAME            STATUS    ROLES                                AGE       VERSION
       10.148.87.135   Ready     compute,infra                        6h        v1.11.0+d4cacc0
       10.148.87.140   Ready     compute,infra                        6h        v1.11.0+d4cacc0
       10.148.87.186   Ready     compute,infra                        6h        v1.11.0+d4cacc0
      

      Note: For Red Hat OpenShift on IBM Cloud, you see only the OpenShift Container Platform worker nodes in an IBM Cloud Kubernetes Service managed cluster. The node names are the same as the private IP addresses of their hosting VMs.

    3. Use the node information to create the following entries in the config.yaml:

       # A list of OpenShift nodes that are used to run service components
       cluster_nodes:
         master:
           - 10.148.87.135
         proxy:
           - 10.148.87.135
         management:
           - 10.148.87.186
      

      Note: The value of the master, proxy, and management parameters is an array and can have multiple nodes, and the same node can be used for the master, management, and proxy. Due to a limitation from OpenShift, if you want to deploy IBM Multicloud Manager on any OpenShift master or infrastructure node, you must label the node as an OpenShift compute node with the following command:

       oc label node <master node host name/infrastructure node host name> node-role.kubernetes.io/compute=true
      
  2. Run oc get storageclass to identify an OpenShift Container Platform dynamic block storage class. You need some persistent storage for some of the service pods.

    Example output:

     oc get sc
     NAME                          PROVISIONER         AGE
     default                       ibm.io/ibmc-file    4h
     ibmc-block-bronze (default)   ibm.io/ibmc-block   4h
     ibmc-block-custom             ibm.io/ibmc-block   4h
     ibmc-block-gold               ibm.io/ibmc-block   4h
     ibmc-block-retain-bronze      ibm.io/ibmc-block   4h
     ibmc-block-retain-custom      ibm.io/ibmc-block   4h
     ibmc-block-retain-gold        ibm.io/ibmc-block   4h
     ibmc-block-retain-silver      ibm.io/ibmc-block   4h
     ibmc-block-silver             ibm.io/ibmc-block   4h
     ibmc-file-bronze              ibm.io/ibmc-file    4h
     ibmc-file-custom              ibm.io/ibmc-file    4h
     ibmc-file-gold                ibm.io/ibmc-file    4h
     ibmc-file-retain-bronze       ibm.io/ibmc-file    4h
     ibmc-file-retain-custom       ibm.io/ibmc-file    4h
     ibmc-file-retain-gold         ibm.io/ibmc-file    4h
     ibmc-file-retain-silver       ibm.io/ibmc-file    4h
     ibmc-file-silver              ibm.io/ibmc-file    4h
    

    If you want to use the default block class ibmc-block-bronze, add storage_class: ibmc-block-bronze to the config.yaml.

    Note: Currently, there is a storage class requirement conflict between IBM Cloud App Management and the IBM Cloud Pak for Multicloud Management. IBM Cloud App Management needs a file type of storage class, such as ibmc-file-bronze, and the IBM Cloud Pak for Multicloud Management needs a block type of storage class, such as ibmc-block-bronze. If you want to install IBM Cloud App Management on the IBM Cloud Pak for Multicloud Management, you need to switch the storage class.

    For Linux on Power (ppc64le), update the config.yaml file with the storage class parameter. You can use ibmc-powervc-k8s-volume-default for a Linux on Power (ppc64le) environment. For more information on how to create ibmc-powervc-k8s-volume-default, see Creating a storage class for the IBM PowerVC FlexVolume Driver (IBM Power only).

  3. Update the default password for the admin user. This password becomes the IBM Multicloud Manager login password for the admin user. This login is not an OpenShift Container Platform account.

    1. Set up a default password in the config.yaml file that meets the default password enforcement rule '^([a-zA-Z0-9\-]{32,})$'. You can also define a custom set of password rules.
    2. Open the /<installation_directory>/cluster/config.yaml file, and set the default_admin_password. The password must satisfy all regular expressions that are specified in password_rules.

    3. Optional: You can define one or more rules as regular expressions in an array list that the password must pass. For example, a rule can state that the password must be longer than a specified number of characters or that it must contain at least one special character. The rules are written as regular expressions that are supported by the Go programming language. To define a set of password rules, add the following parameter and values to the config.yaml file:

      password_rules:
      - '^.{10,}'
      - '.*[!@#\$%\^&\*].*'
      

      To disable the password_rules check, add (.*):

      password_rules:
      - '(.*)'
      

      Note: The default_admin_password must match all rules that are defined. If password_rules is not defined, the default_admin_password must meet the default password enforcement rule '^([a-zA-Z0-9\-]{32,})$'.

  4. Define the management_services in the config.yaml appropriate to your Cloud Pak. For example:

       management_services:
         monitoring: enabled
         metering: enabled
         logging: disabled
         custom-metrics-adapter: disabled
         image-security-enforcement: disabled
    

    Some services are disabled by default (see Services disabled by default). If you want to install them during the installation, you need to add them to the management_services section. For example, to enable kmsplugin during the installation:

       management_services:
         monitoring: enabled
         metering: enabled
         logging: disabled
         custom-metrics-adapter: disabled
         image-security-enforcement: disabled
         kmsplugin: enabled
    

    Note: To enable Vulnerability Advisor, see Enabling the Vulnerability Advisor (VA) for more information.

    You can disable the enabled services by setting the values in the management_services section to disabled. For example, if you want to disable metering during the installation:

     management_services:
       monitoring: enabled
       metering: disabled
       logging: disabled
       custom-metrics-adapter: disabled
       image-security-enforcement: disabled
    

    Note: Disabling services can impact the installation of the IBM Cloud Pak for Multicloud Management. Proceed with caution and refer to Enabling and disabling services.
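
The password rules from step 3, as an added Go example that is not part of the original IBM documentation: it checks a candidate default_admin_password against every rule in a password_rules list with Go's regexp package, and generates a password that satisfies the default rule. The names failedRules and generatePassword are hypothetical; the installer's own checking code is not shown on this page.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"regexp"
)

// defaultRule is the default enforcement rule quoted on this page.
const defaultRule = `^([a-zA-Z0-9\-]{32,})$`

// alphabet holds exactly the characters the default rule permits.
const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-"

// failedRules (hypothetical helper) returns every rule the password does not
// match. An empty rules slice falls back to the default rule.
func failedRules(password string, rules []string) ([]string, error) {
	if len(rules) == 0 {
		rules = []string{defaultRule}
	}
	var failed []string
	for _, r := range rules {
		re, err := regexp.Compile(r)
		if err != nil {
			return nil, fmt.Errorf("rule %q is not a valid Go regexp: %w", r, err)
		}
		if !re.MatchString(password) {
			failed = append(failed, r)
		}
	}
	return failed, nil
}

// generatePassword (hypothetical helper) draws n characters uniformly from
// alphabet using the operating system's CSPRNG via crypto/rand.
func generatePassword(n int) (string, error) {
	out := make([]byte, n)
	limit := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

func main() {
	pw, _ := generatePassword(32)
	fmt.Println(failedRules(pw, nil)) // an empty list means every rule matched
}
```

With password_rules set to '(.*)', failedRules reports no failures for any input, including an empty string, because that expression matches everything.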

Deploy IBM Multicloud Manager

  1. Run the deployment command:

    • For Linux x86_64:

       docker run -t --net=host -e LICENSE=accept -v $(pwd):/installer/cluster:z -v /var/run:/var/run:z -v /etc/docker:/etc/docker:z --security-opt label:disable ibmcom/icp-inception-amd64:3.2.1-rhel-ee install-with-openshift
      
    • For Linux on Power (ppc64le):

       sudo docker run -t --net=host -e LICENSE=accept -v $(pwd):/installer/cluster:z -v /var/run:/var/run:z -v /etc/docker:/etc/docker:z --security-opt label:disable ibmcom/icp-inception-ppc64le:3.2.1-ee install-with-openshift
      

Verify the installation

If the installation succeeded, the access information for your cluster is displayed. You can use the URL to connect to the IBM Multicloud Manager management console.

From a web browser, browse to the URL of your cluster. For a list of supported browsers, see Supported browsers.

Services disabled by default

cis-controller: disabled
kmsplugin: disabled
logging: disabled
mutation-advisor: disabled
notary: disabled
platform-pod-security: disabled
secret-encryption-policy-controller: disabled
vulnerability-advisor: disabled

Services enabled by default

auth-apikeys: enabled
auth-idp: enabled
auth-pap: enabled
auth-pdp: enabled
catalog-ui: enabled
cert-manager: enabled
cert-manager-webhook: enabled
cluster-api-provider-aks: enabled (disabled in Linux on Power (ppc64le))
cluster-api-provider-gke: enabled
cluster-api-provider-iks: enabled (disabled in Linux on Power (ppc64le))
cluster-api-provider-ocp: enabled
helm-api: enabled
helm-repo: enabled
iam-policy-controller: enabled
icp-management-ingress: enabled
image-security-enforcement: enabled (disabled in Linux on Power (ppc64le))
key-management: enabled
mcm-kui: enabled
metering: enabled
mgmt-repo: enabled
mongodb: enabled
monitoring: enabled
monitoring-crd: enabled
multicluster-hub: enabled
nginx-ingress: enabled
oidcclient-watcher: enabled
platform-api: enabled
platform-ui: enabled
search: enabled
secret-watcher: enabled
security-onboarding: enabled
system-healthcheck-service: enabled
tiller: enabled
web-terminal: enabled

Post installation tasks

Install the optional components in the IBM Cloud Pak for Multicloud Management.