Enabling Container Mode

The Container Mode guide details the process of enabling Container Mode on an IBM COS system.

The common process for both new and existing systems includes:
  • Creating a service vault
  • Configuring Container Mode, such as with DNS-compliant-only container names
  • Enabling Container Mode
  • Enabling service API ports
Existing systems must complete the following additional items:
  • Ensure the correct bucket owner
  • Control owner S3 operations
  • Configure Container Mode conversion options
    • DNS compliant only containers
    • Create only container vaults
    • Whether to restrict the container management only to the service API
  • Progressive conversion of the standard vaults to Container Mode

These steps must be followed, in order, to successfully enable Container Mode. The steps can be completed through the Manager Web Interface or the Manager REST API. See the relevant chapters for specific examples.

The service vault is a critical vault that impacts system reliability and availability. Several workflows are impacted when a service vault is unavailable. Service vault availability is critical for the following use cases.
  • Storage account and AWS credentials management
  • Container related operations
  • Generation of usage reports for billing
A system administrator must ensure that the service vault has the highest reliability and availability that the system can support.

Several restrictions must also be addressed before Container Mode can be turned on for an IBM COS system. Some of these restrictions are enforced when Container Mode is being enabled on the system:
  • The IBM COS system will not allow an operator or administrator to enable Container Mode if vaults exist on the system. Any vaults and their data must be deleted before Container Mode can be enabled.
  • The IBM COS system will require an operator or an administrator to create a service vault that will contain the system data required to support the Container Mode service before enabling Container Mode.
The following steps have to be taken by an operator or an administrator before end users are able to make requests to an IBM COS system:
  • Appropriate service account roles must be created on the Manager. The service role accounts can then be used to make service API requests. For example, a self-service portal built by the operator could use these accounts to provision users.
  • The storage accounts and credentials for users have to be created via the service API by a service account on the Manager before any I/O is possible in Container Mode.
Other restrictions will have to be understood by the system administrator and addressed appropriately before enabling Container Mode.
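
Table 1. Functions and level of support in Container Mode

| Function              | Container Vault Level | Container Level |
|-----------------------|-----------------------|-----------------|
| IP allow and disallow | Yes                   | Yes             |
| Device ACLs           | Yes                   | No              |
| User ACLs             | No                    | Yes             |
| Versioning            | Yes                   | Yes             |
| Delete restrictions   | No                    | No              |
| Quotas                | Yes                   | Yes             |
| Mirror                | No                    | No              |
| Proxy                 | No                    | No              |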