Deploying Db2 on your OpenShift cluster

Before you can deploy Db2 on your cluster, you have to choose a custom resource, set up dedicated nodes within your cluster, accept license terms, and configure database storage.

Before you begin

After you install the Db2® Operator on your OpenShift® cluster, you use either the Db2uCluster custom resource (CR) or the Db2uInstance CR to deploy Db2. For a successful deployment, you also need to set up any dedicated nodes within your cluster, accept the license terms, and configure database storage and security requirements. You can also add databases to your deployments by using the manage_databases tools. For more information, see Adding multiple databases in a Db2 deployment.

The Db2uCluster CR and Db2uInstance CR

The Db2uCluster CR provides comparatively better performance on software-defined storage types, such as OpenShift Data Foundation (ODF) and Portworx. The Db2uInstance CR provides a significant performance increase on cloud platforms such as Amazon Web Services (AWS) and Azure.

Accepting the Db2 on OpenShift license terms

To deploy Db2 successfully, review the license terms detailed in the Db2uCluster and Db2uInstance custom resource topics and accept them in the Db2 custom resource.

Storage requirements

To deploy Db2, you need a supported storage class. It must already exist in the cluster, or you must provide a supported storage class before you deploy.

During a Db2 deployment, storage can be dynamically created or pre-created PVs can be specified. Db2 needs the following storage locations:
  • System & Backup storage [Shared with RWX]
    • Db2 instance home directory
    • Diagnostic logs
    • Other global configuration directories
    • Backups, Restore or Load locations
  • User storage [Exclusive with RWO]
    • Database storage paths
    • Transaction logs
Software-defined storage              Shared Zone [Meta] access mode                    Data Zone [Data] access mode
NFS                                   RWX                                               RWX (combined with Meta) or RWO
Portworx 2.9.1.3                      Shared v4, RWX (based on the NFS v4 protocol)     io-profile: db_remote, RWO
ODF 4.12 or greater                   CephFS, RWX                                       CephRBD (block device), RWO
Spectrum Scale CSI 2.1 or greater     RWX                                               RWO

Note: Where the storage layer supports it, a single storage location defined as RWX can be specified for both zones. Such a configuration exhibits degraded performance.

PodSecurityPolicy Requirements

The Db2 deployment is currently only supported on Red Hat OpenShift.

SecurityContextConstraints Requirements

The Db2 or Db2 Warehouse service requires a custom security context constraint (SCC). When you create a Db2 or Db2 Warehouse SMP instance, an SCC named <NAMESPACE>-c-db2wh-<INSTANCE_ID>-scc is created automatically. The contents of the SCC depend on whether you change the node settings to allow Db2U to make unsafe sysctl changes.

Default SCC for SMP databases
You do not change the node settings:

allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities:
- FOWNER
- SETGID
- SETUID
- CHOWN
- DAC_OVERRIDE
- SYS_RESOURCE
- IPC_OWNER
- SYS_NICE
- FSETID
- SETFCAP
- SETPCAP
- SYS_CHROOT
- KILL
- AUDIT_WRITE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  name: ${SCC_NAME}
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INST_OPERANDS}:${SERVICE_ACCOUNT}
volumes:
- '*'

You change the node settings to allow Db2U to make unsafe sysctl changes:

allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities:
- FOWNER
- SETGID
- SETUID
- CHOWN
- DAC_OVERRIDE
- SYS_RESOURCE
- IPC_OWNER
- SYS_NICE
- FSETID
- SETFCAP
- SETPCAP
- SYS_CHROOT
- KILL
- AUDIT_WRITE
allowedUnsafeSysctls:
- kernel.shmmni
- kernel.shmmax
- kernel.shmall
- kernel.sem
- kernel.msgmni
- kernel.msgmax
- kernel.msgmnb
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  name: ${SCC_NAME}
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INST_OPERANDS}:${SERVICE_ACCOUNT}
volumes:
- '*'

Default SCC for MPP databases
You do not change the node settings:

allowHostDirVolumePlugin: true
allowHostIPC: true
allowHostNetwork: false
allowHostPID: false
allowHostPorts: true
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities:
- FOWNER
- SETGID
- SETUID
- CHOWN
- DAC_OVERRIDE
- SYS_RESOURCE
- IPC_OWNER
- SYS_NICE
- FSETID
- SETFCAP
- SETPCAP
- SYS_CHROOT
- KILL
- AUDIT_WRITE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  name: ${SCC_NAME}
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INST_OPERANDS}:${SERVICE_ACCOUNT}
volumes:
- '*'

You change the node settings to allow Db2U to make unsafe sysctl changes:

allowHostDirVolumePlugin: false
allowHostIPC: true
allowHostNetwork: false
allowHostPID: false
allowHostPorts: true
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities:
- FOWNER
- SETGID
- SETUID
- CHOWN
- DAC_OVERRIDE
- SYS_RESOURCE
- IPC_OWNER
- SYS_NICE
- FSETID
- SETFCAP
- SETPCAP
- SYS_CHROOT
- KILL
- AUDIT_WRITE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  name: ${SCC_NAME}
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:${PROJECT_CPD_INST_OPERANDS}:${SERVICE_ACCOUNT}
volumes:
- '*'
Extended description of the allowed capabilities
FOWNER
Bypasses permission checks on operations that normally require the file system UID of the process to match the UID of the file (for example, chmod(2), utime(2)), excluding those operations that are covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH.
SETGID
Necessary to run Db2 Warehouse engine processes with escalated group privileges.
SETUID
Necessary to run Db2 Warehouse engine processes with escalated user privileges.
CHOWN
Necessary to run chown to change ownership of files/directories in persistent volumes.
DAC_OVERRIDE
Bypasses permission checks for file read, write, and execute.
SYS_RESOURCE
Allows manipulation of reservations, memory allocations, and resource limits. Maximum memory allocation is still constrained by the memory cgroup (memcg) limit, which cannot be overridden by this capability. The Db2 Warehouse database engine needs this capability to increase the resource limits (that is, ulimits).
IPC_OWNER
Bypasses permission checks for operations on IPC objects. Even when the IPC kernel parameters are set to maximum values on the hosts/worker nodes, the Db2 Warehouse engine still tries to dynamically throttle those values. This capability is provided in addition to sharing the IPC namespace with the host.
SYS_NICE
Allows changing process priorities. Because each container has its own PID namespace, this capability applies to that container only. The Db2 Warehouse database engine relies on process thread prioritization to ensure that Workload Management (WLM) and Fast Communications Manager (FCM) processing is prioritized over generic agent work.
FSETID
Prevents the clearing of the setuid and setgid mode bits when a file is modified.
SETFCAP
Used to set capabilities on files.
SETPCAP
Used to set capabilities on processes.
SYS_CHROOT
Necessary to use the chroot command.
KILL
Bypasses permission checks for sending signals. Necessary for signal handling during process management.
AUDIT_WRITE
Required to write records to the kernel auditing log when SELinux is enabled.
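
To see which of the two SCC variants above is in effect on a cluster and what each setting grants, here is an added example (not IBM's code) that parses the deciding keys of an SCC manifest and lists the host-reaching settings a reviewer would flag. It assumes only the flat YAML subset these manifests use (so it needs no PyYAML) and embeds a constructed, trimmed copy of the privileged SMP variant as sample input.

```python
"""Added example (not IBM's code): audit a Db2U SecurityContextConstraints
manifest for the settings that decide how far the Db2 pods reach into the node."""

# Constructed sample: the deciding keys of the page's privileged SMP SCC (node settings unchanged)
SCC_PRIVILEGED = """\
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostPorts: false
allowPrivilegedContainer: true
allowedCapabilities:
- SYS_RESOURCE
- IPC_OWNER
runAsUser:
  type: RunAsAny
"""

def parse_scc(text: str) -> dict:
    """Parse only the YAML subset these SCCs use: top-level scalars, '- item'
    lists and one-level maps such as 'runAsUser:\\n  type: X'. Not general YAML."""
    doc, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                  # blank line or comment
        if raw.startswith("- "):                      # list item under the current key
            doc[key] = (doc.get(key) or []) + [raw[2:].strip().strip("'\"")]
        elif raw.startswith("  "):                    # nested map entry, e.g. "  type: RunAsAny"
            k, v = raw.strip().split(":", 1)
            doc[key] = {**(doc.get(key) or {}), k: v.strip()}
        else:                                         # top-level "key: value"
            key, _, v = raw.partition(":")
            v = v.strip()
            doc[key] = {"true": True, "false": False, "": None, "null": None}.get(v, v)
    return doc

HOST_FLAGS = {  # SCC key -> what it grants; all four are false in the unsafe-sysctl variant
    "allowPrivilegedContainer": "privileged containers (init container sets kernel params)",
    "allowHostDirVolumePlugin": "hostPath volumes (node filesystem reachable)",
    "allowHostIPC": "host IPC namespace shared (MPP variant)",
    "allowHostPorts": "host ports (MPP variant)",
}

def audit_scc(scc: dict) -> list:
    """Return the findings a reviewer would raise for this SCC, in a fixed order."""
    findings = [why for flag, why in HOST_FLAGS.items() if scc.get(flag)]
    if (scc.get("runAsUser") or {}).get("type") == "RunAsAny":
        findings.append("runAsUser RunAsAny: engine containers may run as root")
    if scc.get("allowedUnsafeSysctls"):
        findings.append("unsafe sysctls delegated to pods; kubelet allowlist must match")
    return findings
```

On a live cluster, feed it the output of `oc get scc <name> -o yaml` after confirming the manifest stays within the flat subset the parser handles.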

SecurityContextConstraints Requirements

The Db2 or Db2 Warehouse deployment requires the following SCC:

kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
apiGroup: security.openshift.io
metadata:
    name: db2u-scc
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
# privileged container is only needed for the init container that sets the Db2 kernel parameters
allowPrivilegedContainer: true
allowedCapabilities:
- "SYS_RESOURCE"
- "IPC_OWNER"
- "SYS_NICE"
- "CHOWN"
- "DAC_OVERRIDE"
- "FSETID"
- "FOWNER"
- "SETGID"
- "SETUID"
- "SETFCAP"
- "SETPCAP"
- "SYS_CHROOT"
- "KILL"
- "AUDIT_WRITE"
priority: 10
runAsUser:
    type: RunAsAny
seLinuxContext:
    type: MustRunAs
fsGroup:
    type: RunAsAny
supplementalGroups:
    type: RunAsAny
version: v1