Storage considerations

Guardium Insights platform storage requirements

A Guardium Insights deployment requires several types of storage:

Storage for images in the private container registry
Depending on your environment, you might need to store images in a private container registry rather than pulling them directly from the IBM® Entitled Registry.

If you use a private container registry, you must have sufficient space for the Guardium Insights control panel images and the images for the services that you plan to install.

Sizing
A minimum of 300 GB of storage space in the private container registry.
Tip: You can use the cpd-cli manage delete-images command to remove unused images from the private container registry.
Local storage for container images
Each node on your cluster must have local storage for the container images that are running on that node.
Storage location
The container images are stored in the root file system on the nodes.

On Red Hat OpenShift Container Platform, local copies of the images are stored in /var/lib/containers.

Sizing
A minimum of 300 GB of storage space per node.
Persistent storage
Guardium Insights supports and is optimized for several types of persistent storage:
Table 1. Validated storage options
Platform Block storage File storage
AWS IaaS Amazon Elastic Block Store (EBS) - gp3-csi Amazon Elastic File System (EFS)
OpenShift Data Foundation (ODF) ODF
AWS ROSA Amazon Elastic Block Store (EBS) - gp3-csi EFS
GCP IaaS ODF ODF
Azure IaaS ODF ODF
Azure ARO ODF ODF
IBM Cloud Classic Block Storage for Classic File Storage for Classic
IBM Virtual Private Cloud (VPC) ODF ODF
IBM Storage Fusion Global Data Platform IBM Storage Fusion Global Data Platform
vSphere ODF ODF
thin-csi nfs-client (NFS version 3)
Tip: The preceding storage options have been evaluated by IBM. You can run the Guardium Insights storage validation tool to assess storage that is provided by other vendors. However, this tool does not guarantee support for other types of storage. You can use other storage environments at your own risk.
Sizing
The minimum amount of storage depends on the type of storage that you plan to use. For details, see the Resource requirements section under Storage comparison.

As a general rule, Guardium Insights with all services installed can use up to 700 GB of storage space. Review the Storage comparison to ensure that you have sufficient storage space available for user data based on the type of storage that you select. You can add additional capacity depending on your user data volume requirements.

Version 3.3.x Recommended storage classes for the shared components

If you use different storage class names on your cluster, ensure that you specify equivalent storage classes.

Note: The scheduling service is not included in this list because it does not require persistent storage.

The following storage classes are recommended for common core services. The storage classes are used when the common core services are installed.

Storage Storage classes
OpenShift Data Foundation (ODF)
  • ocs-storagecluster-cephfs
  • ocs-storagecluster-ceph-rbd
IBM Spectrum Fusion ibm-spectrum-scale-sc
IBM Spectrum® Scale Container Native ibm-spectrum-scale-sc
Portworx
  • portworx-rwx-gp3-sc

    (Equivalent to portworx-shared-gp3 in older installations)

  • portworx-couchdb-sc
  • portworx-elastic-sc
  • portworx-gp3-sc
NFS managed-nfs-storage
Amazon Elastic Block Store gp2-csi or gp3-csi

Block storage is supported but not required. If you specify block storage, you must also specify file storage.

Amazon Elastic File System efs-nfs-client
IBM Cloud Block Storage ibmc-file-gold-gid

Block storage is supported but not required. If you specify block storage, you must also specify file storage.

IBM Cloud File Storage ibmc-file-gold-gid or ibm-file-custom-gold-gid

Version 3.3.x Service persistent storage requirements

The following table indicates the type of storage that each component supports. Additional information about the recommended storage classes for each component is provided after the table.

  • Combo pref indicates that a service can be installed with only the specified block storage but it is not recommended. A combination of file storage and block storage is preferred.
  • Block req indicates that a service can use the specified file storage only if block storage is also provided.
  • File pref indicates that a service can be installed with only the specified block storage but that file storage is preferred and is used instead of block storage when provided.
  • File req indicates that a service can use the specified block storage only if file storage is also provided.
  • CCS indicates that the service uses the specified block storage only to install the common core services.
    Remember: Common core services require a combination of block and file storage.
  • Reuse indicates that a service uses the storage that is provisioned by another service.
Component OpenShift Data Foundation (ODF) IBM Spectrum Fusion IBM Spectrum Scale Container Native Portworx NFS Amazon Elastic Block Store Amazon Elastic File System IBM Cloud Block Storage IBM Cloud File Storage
Anaconda Repository for IBM Cloud Pak® for Data                  
Analytics Engine Powered by Apache Spark    
Cognos® Analytics CCS CCS
Cognos Dashboards CCS CCS
Data Privacy Reuse Reuse Reuse Reuse Reuse Reuse Reuse Reuse Reuse
Data Refinery Reuse Reuse Reuse Reuse Reuse Reuse Reuse Reuse Reuse
Data Virtualization CCS CCS
DataStage® CCS CCS
Db2® Combo pref  
Db2 Big SQL    
Db2 Data Gate File pref File pref
Db2 Data Management Console File req File req
Db2Warehouse Combo pref  
Decision Optimization Reuse Reuse Reuse Reuse Reuse Reuse Reuse Reuse Reuse
EDB Postgres      
Execution Engine for Apache Hadoop      
Guardium External S-TAP®        
IBM Match 360 with Watson™ File req Block req File req Block req
Informix®      
MongoDB      
Open Data for Industries      
OpenPages® File req    
Planning Analytics    
Product Master File req Block req File req Block req
RStudio® Server with R 3.6 Reuse Reuse Reuse Reuse Reuse Reuse Reuse Reuse Reuse
SPSS® Modeler Reuse Reuse Reuse Reuse Reuse Reuse Reuse Reuse Reuse
Voice Gateway        
Watson Assistant      
Watson Discovery      
Watson Knowledge Catalog File req File req
Watson Knowledge Studio      
Watson Machine Learning File req File req
Watson Machine Learning Accelerator      
Watson OpenScale    
Watson Speech Services        
Watson Studio CCS CCS
Watson Studio Runtimes Reuse Reuse Reuse Reuse Reuse   Reuse   Reuse

What storage options are supported for the platform?

Guardium Insights supports dynamic storage provisioning. A Red Hat OpenShift cluster administrator must properly configure storage before Guardium Insights is installed.

As you plan your system, remember that not all services support all types of storage.

If the services that you want to install don't support the same type of storage, you can have a mixture of different storage types on your cluster.

Guardium Insights supports and is optimized for several types of persistent storage:

Table 2. Validated storage options
Platform Block storage File storage
AWS IaaS Amazon Elastic Block Store (EBS) - gp3-csi Amazon Elastic File System (EFS)
OpenShift Data Foundation (ODF) ODF
AWS ROSA Amazon Elastic Block Store (EBS) - gp3-csi EFS
GCP IaaS ODF ODF
Azure IaaS ODF ODF
Azure ARO ODF ODF
IBM Cloud Classic Block Storage for Classic File Storage for Classic
IBM Virtual Private Cloud (VPC) ODF ODF
IBM Storage Fusion Global Data Platform IBM Storage Fusion Global Data Platform
vSphere ODF ODF
thin-csi nfs-client (NFS version 3)
Note: The preceding storage options have been evaluated by IBM. However, you should run the Guardium Insights storage validation tool on your Red Hat OpenShift cluster to:
  • Evaluate whether the storage on your cluster is sufficient for use with Guardium Insights.
  • Assess storage provided by other vendors. This tool does not guarantee support for other types of storage. You can use other storage environments at your own risk.
Storage Options tested for Guardium Insights 3.2:
  • AWS with gp2 and OCS
  • GCP with standard and OCS
  • Azure on-prem with managed-premium and OCS
  • Azure ARO with managed-premium and OCS
  • IBM Cloud vpc gen2 with IBM-vac-block-10iops-tier and OCS

What storage options are supported on my cloud deployment environment?

Some storage options are supported only on a specific deployment environment. Ensure that you select a storage option that works on your chosen cloud deployment environment.

For clusters hosted on third-party infrastructure, such as IBM Cloud or Amazon Web Services, it is recommended that you use storage that is native to the infrastructure, if possible.

Restriction: Some services support a subset of the storage options that are supported by the platform.
Deployment environment Managed OpenShift Self-managed OpenShift
On-premises IBM Cloud Satellite supports the following storage options:
  • OpenShift Data Foundation
  • Portworx
The following storage options are supported on bare metal and VMware infrastructure:
  • OpenShift Data Foundation
  • IBM Spectrum Fusion
  • IBM Spectrum Scale Container Native
  • Portworx
  • NFS
IBM Cloud Red Hat OpenShift on IBM Cloud supports the following storage options:
  • OpenShift Data Foundation
  • Portworx
The following storage options are supported on classic IBM Cloud infrastructure:
  • IBM Cloud File Storage
  • IBM Cloud Block Storage
  • Portworx
  • NFS

The following storage options are supported on VPC IBM Cloud infrastructure:

  • Portworx
  • NFS
Amazon Web Services (AWS) Red Hat OpenShift Service on AWS (ROSA) supports the following storage options:
  • Amazon Elastic Block Store (EBS)
  • Amazon Elastic File System (EFS)
  • OpenShift Data Foundation as a Service

    Contact IBM Support to set up OpenShift Data Foundation as a Service.

    OpenShift Data Foundation as a Service is available as part of a special agreement between AWS and IBM Guardium Insights Product Managers. Contact the Product Management team for assistance.

The following storage options are supported on AWS infrastructure:
  • OpenShift Data Foundation
  • Amazon Elastic Block Store (EBS)
  • Amazon Elastic File System (EFS)
  • Portworx
  • NFS
Microsoft Azure Azure Red Hat OpenShift (ARO) supports the following storage options:
  • OpenShift Data Foundation
The following storage options are supported on Microsoft Azure infrastructure:
  • OpenShift Data Foundation
  • Portworx
  • NFS, specifically Microsoft Azure locally redundant Premium SSD storage
Google Cloud Managed OpenShift on Google Cloud is not supported. The following storage options are supported on Google Cloud infrastructure:
  • OpenShift Data Foundation
  • Portworx
  • NFS

What storage options are supported on my hardware?

Storage option x86-64 Power s390x
OpenShift Data Foundation    
OpenShift Data Foundation as a Service    
IBM Spectrum Fusion    
IBM Spectrum Scale Container Native    
Portworx    
NFS
Amazon Elastic Block Store (EBS)    
Amazon Elastic File System (EFS)    
IBM Cloud Block Storage  
IBM Cloud File Storage  

License requirements

The following table lists whether you need a separate license to use each storage option. In some cases, your Guardium Insights purchase includes limited entitlements to the storage.

Storage option Details
OpenShift Data Foundation  
OpenShift Data Foundation as a Service Contact IBM Support.
IBM Spectrum Fusion  
IBM Spectrum Scale Container Native (with IBM Spectrum Scale Container Storage Interface) You can use IBM Spectrum Scale Container Native as part of IBM Spectrum Fusion.
Portworx A separate license is required.
NFS No license is required.
Amazon Elastic Block Store (EBS) A separate subscription is required.
Amazon Elastic File System (EFS) A separate subscription is required.
IBM Cloud Block Storage A separate subscription is required.
IBM Cloud File Storage A separate subscription is required.

For details about the amount of storage you can use, see How many volumes can be ordered.

Storage classes

The person who installs Guardium Insights and the services on the cluster must know which storage classes to use during installation. The following table lists the required types of storage. When applicable, the table also lists the recommended storage classes to use and points to additional guidance on how to create the storage classes.

Storage option Details
OpenShift Data Foundation The recommended storage classes are automatically created when you install OpenShift Data Foundation.
Guardium Insights uses the following storage classes:
  • RWX file storage: ocs-storagecluster-cephfs
  • RWO block storage: ocs-storagecluster-ceph-rbd
OpenShift Data Foundation as a Service The recommended storage classes are automatically created by OpenShift Data Foundation as a Service.
Guardium Insights uses the following storage classes:
  • RWX file storage: ocs-storagecluster-cephfs
  • RWO block storage: ocs-storagecluster-ceph-rbd
IBM Spectrum Fusion The recommended RWX storage class is called ibm-spectrum-scale-sc.
IBM Spectrum Scale Container Native (with IBM Spectrum Scale Container Storage Interface) The recommended RWX storage class is called ibm-spectrum-scale-sc.
Portworx The recommended storage classes are listed in Creating Portworx storage classes.
NFS The recommended RWX storage class is called managed-nfs-storage.
Amazon Elastic Block Store (EBS) Use either of the following RWO storage classes:
  • gp2-csi
  • gp3-csi
Amazon Elastic File System (EFS) The recommended RWX storage class is called efs-nfs-client.
IBM Cloud Block Storage Use the following RWO storage class: ibmc-file-gold-gid
IBM Cloud File Storage Use either of the following RWX storage classes:
  • ibmc-file-gold-gid
  • ibmc-file-custom-gold-gid

Data replication for high availability

Storage option Details
OpenShift Data Foundation Supported

By default, all services use multiple replicas for high availability. OpenShift Data Foundation maintains each replica in a distinct availability zone.

OpenShift Data Foundation as a Service All data on the persistent volumes is replicated across multiple availability zones by default. Cross-cluster asynchronous replication is not supported.
IBM Spectrum Fusion Supported.

Replication is supported and can be enabled within the Spectrum Scale Storage Cluster in a variety of ways. For details, see Data Mirroring and Replication in the IBM Spectrum Scale documentation.

IBM Spectrum Scale Container Native (with IBM Spectrum Scale Container Storage Interface) Supported.

Replication is supported and can be enabled within the Spectrum Scale Storage Cluster in a variety of ways. For details, see Data Mirroring and Replication in the IBM Spectrum Scale documentation.

Portworx  
NFS Replication support depends on your NFS server.
Amazon Elastic Block Store (EBS) Supported

When you create an EBS volume, it is automatically replicated within its Availability Zone to prevent data loss due to failure of any single hardware component.

Amazon Elastic File System (EFS) Supported

You can use EFS replication to create a replica of your EFS file system in the AWS Region of your choice. When you enable replication on an EFS file system, Amazon EFS automatically and transparently replicates the data and metadata on the source file system to the target file system. For details, see Amazon EFS replication.

IBM Cloud Block Storage Supported

You can create a snapshot schedule to automatically copy snapshots to a destination volume in a remote data center for data replication. For details, see Replicating data in the IBM Cloud documentation.

IBM Cloud File Storage Supported, but not enabled by default.

You can enable replication from the IBM Cloud console. For details, see Replicating data.

Backup and restore

Storage option Details
OpenShift Data Foundation Container Storage Interface support for snapshots and clones.

Tight integration with Velero CSI plugin for Red Hat OpenShift Container Platform backup and recovery.

OpenShift Data Foundation as a Service Contact IBM Support.
IBM Spectrum Fusion IBM Spectrum Protect Plus is not supported for application-consistent backup and restore.

For storage level backup, see Back up and restore in the IBM Spectrum Fusion documentation.

IBM Spectrum Scale Container Native (with IBM Spectrum Scale Container Storage Interface) IBM Spectrum Protect Plus is not supported for application-consistent backup and restore.

Use the IBM Spectrum Scale Container Storage Volume snapshot as the primary backup and restore method and combine it with Container Backup Support provided by IBM Spectrum Protect Plus.

Additionally, there are multiple methods you can use to back up the Spectrum Scale Storage Cluster.

For details, see Data protection and disaster recovery in the IBM Spectrum Scale documentation.
Portworx
On-premises
Limited support.
IBM Cloud
Supported with the Portworx Enterprise Disaster Recovery plan.
NFS Limited support.
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
IBM Cloud Block Storage
IBM Cloud File Storage Supported, but not enabled by default.

For details, see Backing up and restoring data.

Encryption of data at rest

Storage option Details
OpenShift Data Foundation Supported.

OpenShift Data Foundation uses Linux Unified Key System (LUKS) version 2 based encryption with a key size of 512 bits and the aes-xts-plain64 cipher.

You must enable encryption for your whole cluster during cluster deployment to ensure encryption of data at rest. Encryption is disabled by default. Working with encrypted data incurs a small performance penalty.

Support for FIPS cryptography
By storing all data in volumes that use RHEL-provided disk encryption and enabling FIPS mode for your cluster, both data at rest and data in motion, or network data, are protected by FIPS Validated Modules in Process encryption. You can configure your cluster to encrypt the root filesystem of each node, as described in Customizing nodes.
 
OpenShift Data Foundation as a Service
IBM Spectrum Fusion Supported

For details, see Encryption in the IBM Spectrum Scale documentation.

IBM Spectrum Scale Container Native (with IBM Spectrum Scale Container Storage Interface) Supported

For details, see Encryption in the IBM Spectrum Scale documentation.

Portworx Supported with Portworx Enterprise only.

Portworx uses the LUKS format of dm-crypt and AES-256 as the cipher with xts-plain64 as the cipher mode.

On-premises deployments
Refer to Enabling Portworx volume encryption in the Portworx documentation.
IBM Cloud deployments
To protect the data in your Portworx volumes, encrypt the volumes with IBM Key Protect or Hyper Protect Crypto Services.
NFS Check with your storage vendor on the steps to enable encryption of data at rest.
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
IBM Cloud Block Storage
IBM Cloud File Storage Supported

IBM Cloud File Storage supports provider-managed encryption of data at rest. This feature is only available in select data centers. All storage that is ordered in these data centers is automatically provisioned with encryption for data at rest. All snapshots and replicas of encrypted file storage are also encrypted by default in these select data centers.
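
An added example, not part of the IBM documentation: a check that compares cryptsetup luksDump output for an encrypted volume against the LUKS version 2, 512-bit key and aes-xts-plain64 values stated above for OpenShift Data Foundation. The sample dumps are constructed, and the function names are assumptions of this example.

```python
import re

# Parameters this page states for OpenShift Data Foundation encryption at rest.
# A 512-bit XTS key is two 256-bit AES keys, i.e. AES-256 in XTS mode.
EXPECTED_VERSION = "2"
EXPECTED_CIPHER = "aes-xts-plain64"
EXPECTED_KEY_BITS = 512

# Constructed samples in the layout that `cryptsetup luksDump` prints for LUKS2.
SAMPLE_COMPLIANT = """\
LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000

Data segments:
  0: crypt
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
"""
SAMPLE_WEAK = """\
LUKS header information
Version:        2

Data segments:
  0: crypt
        cipher: aes-cbc-essiv:sha256

Keyslots:
  0: luks2
        Key:        256 bits
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
"""


def parse_luks_dump(text):
    """Extract header version, data-segment ciphers and volume key sizes."""
    info = {"version": None, "segment_ciphers": [], "key_bits": []}
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # An unindented line ending in ":" opens a section such as "Keyslots:".
        if not raw[0].isspace() and line.endswith(":"):
            section = line[:-1]
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if section == "header" and key == "Version":
            info["version"] = value
        elif section == "Data segments" and key == "cipher":
            info["segment_ciphers"].append(value)
        elif section == "Keyslots" and key == "Key":
            # "Key" is the volume key size; "Cipher key" only wraps the keyslot.
            match = re.match(r"(\d+)\s+bits", value)
            if match:
                info["key_bits"].append(int(match.group(1)))
    return info


def check_against_page(text):
    """Return a list of deviations from the values stated on this page."""
    info = parse_luks_dump(text)
    if info["version"] is None:
        return ["no LUKS2 header found"]
    findings = []
    if info["version"] != EXPECTED_VERSION:
        findings.append(f"LUKS version {info['version']}, expected {EXPECTED_VERSION}")
    if not info["segment_ciphers"]:
        findings.append("no data segment cipher reported")
    for cipher in info["segment_ciphers"]:
        if cipher != EXPECTED_CIPHER:
            findings.append(f"data cipher {cipher}, expected {EXPECTED_CIPHER}")
    if not info["key_bits"]:
        findings.append("no keyslot reports a volume key size")
    for bits in sorted(set(info["key_bits"])):
        if bits != EXPECTED_KEY_BITS:
            findings.append(f"volume key is {bits} bits, expected {EXPECTED_KEY_BITS}")
    return findings
```

On a node, pass the function the text printed by cryptsetup luksDump for the device that backs the volume; an empty list means the header matches the stated parameters.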

Network and I/O requirements

Storage option Details
OpenShift Data Foundation
Network requirements
Your network must support a minimum of 10 Gbps.
I/O requirements
Each node must have at least one enterprise-grade SSD or NVMe device that meets the Disk requirements in the system requirements.

For more information, see Planning your deployment in the OpenShift Data Foundation (previously OpenShift Container Storage) documentation.

If SSD or NVMe aren't supported in your deployment environment, use an equivalent or better device.

OpenShift Data Foundation as a Service
Network requirements
You must have sufficient network performance to meet the storage I/O requirements.
I/O requirements
For details, see the hardware cluster requirements.
IBM Spectrum Fusion
Network requirements
You must have sufficient network performance to meet the storage I/O requirements.
I/O requirements
For details, see the hardware cluster requirements.
IBM Spectrum Scale Container Native (with IBM Spectrum Scale Container Storage Interface)
Network requirements
You must have sufficient network performance to meet the storage I/O requirements.
I/O requirements
For details, see the hardware cluster requirements.
Portworx
Network requirements
Your network must support a minimum of 10 Gbps.

For details, see Prerequisites in the Portworx documentation.

I/O requirements
For details, see the hardware cluster requirements.
NFS
Network requirements
You must have sufficient network performance to meet the storage I/O requirements.
I/O requirements
For details, see the hardware cluster requirements.
Amazon Elastic Block Store (EBS)
Network requirements
You must have sufficient network performance to meet the storage I/O requirements.
I/O requirements
For details, see the hardware cluster requirements.
Amazon Elastic File System (EFS)
Network requirements
You must have sufficient network performance to meet the storage I/O requirements.
I/O requirements
For details, see the hardware cluster requirements.
IBM Cloud Block Storage
Network requirements
You must have sufficient network performance to meet the storage I/O requirements.
I/O requirements
For details, see the hardware cluster requirements.
IBM Cloud File Storage
Network requirements
You must have sufficient network performance to meet the storage I/O requirements.

For details, see Network connection in the IBM Cloud File Storage documentation.

I/O requirements
For details, see the hardware cluster requirements.

The default I/O settings are typically lower than the minimums specified in the hardware cluster requirements section.

To improve the I/O performance for production environments, you must adjust the I/O settings. Contact IBM Software Support for guidance on how to adjust the settings according to Changing the size and IOPS of your existing storage device.

Resource requirements

This section describes the resource requirements for the various storage options.

Important: Work with your IBM Sales representative to ensure that you have sufficient storage for the services that you plan to run on Guardium Insights and for your expected workload.
Storage Option vCPU Memory Storage
OpenShift Data Foundation
  • 10 vCPU per node on three initial nodes.
  • 2 vCPU per node on any additional nodes.

For details, see Resource requirements.

  • 24 GB of RAM on initial three nodes.
  • 5 GB of RAM on any additional nodes.

For details, see Resource requirements.

A minimum of three nodes.

On each node, you must have at least one SSD or NVMe device. Each device should have at least 1 TB of available storage.

For details, see Storage device requirements.

OpenShift Data Foundation as a Service Contact IBM Support. Contact IBM Support. Contact IBM Support.
IBM Spectrum Fusion 8 vCPU on each worker node to deploy IBM Spectrum Scale Container Native and .

See the IBM Spectrum Scale Container Native hardware requirements.

16 GB of RAM on each worker node.

For details, see the IBM Spectrum Scale Container Native requirements.

1 TB or more of available space
IBM Spectrum Scale Container Native (with IBM Spectrum Scale Container Storage Interface) 8 vCPU on each worker node to deploy IBM Spectrum Scale Container Native and IBM Spectrum Scale Container Storage Interface Driver.

See the IBM Spectrum Scale Container Native requirements.

16 GB of RAM on each worker node.

For details, see the IBM Spectrum Scale Container Native requirements.

1 TB or more of available space
Portworx
On-premises
4 vCPU on each storage node
IBM Cloud
For details, see the following sections of Storing data on software-defined-storage (SDS) with Portworx:
  • What worker node flavor in Red Hat OpenShift on IBM Cloud is the right one for Portworx?
  • What if I want to run Portworx in a classic cluster with non-SDS worker nodes?
4 GB of RAM on each storage node A minimum of three storage nodes.
On each storage node, you must have:
  • A minimum of 1 TB of raw, unformatted disk
  • An additional 100 GB of raw, unformatted disk for a key-value database.
NFS 8 vCPU on the NFS server 32 GB of RAM on the NFS server 1 TB or more of available space
Amazon Elastic Block Store (EBS)
Amazon Elastic File System (EFS)
IBM Cloud Block Storage
IBM Cloud File Storage Not applicable for managed services. Not applicable for managed services. 500 GB or more

Storage is not automatically expanded and is created in smaller chunks.

Increasing the size of the volumes improves I/O performance for production environments. Contact IBM Software Support as indicated in the preceding row.

If you are running the Prometheus Cluster Monitoring stack on IBM Cloud, you might notice that pods consume more local storage. You can reduce the retention periods of your logs or you can configure logs to be saved in persistent storage instead of local storage. For more information, see Configuring the monitoring stack. To troubleshoot issues, see Worker nodes show status of disk pressure.

Additional documentation

Storage option Documentation links
OpenShift Data Foundation
Guardium Insights configuration guidance
For post-installation guidance, see .
Troubleshooting
Product documentation for Troubleshooting OpenShift Data Foundation 4.5
OpenShift Data Foundation as a Service
Guardium Insights configuration guidance
For post-installation guidance, see .
IBM Spectrum Fusion
Guardium Insights configuration guidance
For post-installation guidance, see .
Troubleshooting
IBM Spectrum Scale Container Native (with IBM Spectrum Scale Container Storage Interface)
Guardium Insights configuration guidance
For post-installation guidance, see .
Troubleshooting
Portworx
Troubleshooting
Troubleshoot Portworx on Kubernetes
NFS
Troubleshooting
Refer to the documentation from your NFS provider.
Amazon Elastic Block Store (EBS)
Troubleshooting
See the AWS documentation.
Amazon Elastic File System (EFS)
Troubleshooting
Troubleshooting Amazon EFS in the AWS documentation.
IBM Cloud Block Storage
Troubleshooting
Debugging Block Storage failures in the IBM Cloud documentation.
IBM Cloud File Storage
Troubleshooting
Troubleshooting persistent storage