Setting up the environment
Learn how to set up your environment if you plan to install Netezza Performance Server 11.2.3.3-IF1 or later on AWS.
- Ensure that your local machine meets the following requirements.
- For RHEL and CentOS bastion nodes, Podman must be installed before the installation or upgrade. Docker is supported only on other operating systems.
- The machine is a 64-bit Linux machine and has internet access.
- The operating system of your Linux machine is one of the following:
  - CentOS Stream 8
  - Ubuntu 22.04.1 LTS
  - Red Hat Enterprise Linux 8.6 (Ootpa)

  To check the operating system, run either of these commands:

      cat /etc/os-release
      hostnamectl

- Helm CLI 3 is installed.
  If it is not installed, run the following commands:

      curl -Ls https://get.helm.sh/helm-v3.2.1-linux-amd64.tar.gz -o helm_client.tar.gz
      tar -xf helm_client.tar.gz
      mv -f linux-amd64/helm $HOME/bin/helm3
      helm3 version --short

- unzip and Python are installed. The version of Python must be 3.
- The most recent version of the AWS CLI is installed.
For more information, see AWS Command Line Interface.
- Terraform is installed.
  Run the command to check whether Terraform is installed:

      terraform -help

- If Terraform is installed, proceed to step 4.
- If Terraform is not installed, run the following commands:

      curl -Ls https://releases.hashicorp.com/terraform/0.12.23/terraform_0.12.23_linux_amd64.zip -o terraform_client.zip
      unzip -oq terraform_client.zip
      mv -f terraform $HOME/bin/terraform
      terraform version

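The Helm and Terraform commands above install downloaded binaries without checking them. The following added example (not part of the original procedure) compares an archive against a published checksum file before it is unpacked; the function names are hypothetical, and the SHA256SUMS file name follows HashiCorp's naming for release checksum files.

```bash
# Added example: verify a downloaded archive against a SHA256SUMS file
# before installing it. expected_sha256 and verify_artifact are
# hypothetical helper names, not part of the product tooling.

# expected_sha256 SUMS_FILE ARTIFACT_NAME
#   prints the digest that SUMS_FILE lists for ARTIFACT_NAME (empty if none)
expected_sha256() {
  awk -v name="$2" '{ f = $2; sub(/^\*/, "", f) } f == name { print $1; exit }' "$1"
}

# verify_artifact FILE SUMS_FILE ARTIFACT_NAME
#   returns 0: digest of FILE matches the listed digest
#   returns 1: digest mismatch
#   returns 2: SUMS_FILE has no entry for ARTIFACT_NAME
verify_artifact() {
  want=$(expected_sha256 "$2" "$3")
  [ -n "$want" ] || { echo "no checksum entry for $3" >&2; return 2; }
  got=$(sha256sum "$1" | awk '{ print $1 }')
  [ "$got" = "$want" ] || { echo "checksum mismatch for $1" >&2; return 1; }
}

# Usage with the Terraform release from this page (needs network access):
#   base=https://releases.hashicorp.com/terraform/0.12.23
#   curl -Ls "$base/terraform_0.12.23_linux_amd64.zip" -o terraform_client.zip
#   curl -Ls "$base/terraform_0.12.23_SHA256SUMS" -o terraform_SHA256SUMS
#   verify_artifact terraform_client.zip terraform_SHA256SUMS \
#     terraform_0.12.23_linux_amd64.zip && unzip -oq terraform_client.zip
```

A checksum file fetched from the same server detects a corrupted or truncated download; to authenticate the publisher, also verify the signature file that HashiCorp publishes next to SHA256SUMS.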
- Ensure that the AWS user account has the following minimal permissions. Check IAM (Identity and Access Management) for the AWS user from the AWS console.

      {
        "Sid": "NzcloudAdditionalPermissions",
        "Effect": "Allow",
        "Action": [
          "ebs:*",
          "elasticfilesystem:*",
          "iam:SimulatePrincipalPolicy",
          "iam:AttachRolePolicy",
          "iam:CreatePolicy",
          "iam:GetPolicy",
          "route53domains:ListDomains",
          "route53domains:CheckDomainAvailability",
          "support:DescribeTrustedAdvisorCheckResult",
          "support:DescribeTrustedAdvisorChecks",
          "s3:GetBucketEncryption",
          "s3:GetBucketLifecycle",
          "servicequotas:ListServiceQuotas"
        ],
        "Resource": "*"
      }

- Create the necessary resources for deploying Netezza Performance Server by using the AWS Console or AWS CLI.
For more information, see Installing Red Hat OpenShift on AWS.
Following is an example of the infrastructure that you need to deploy Red Hat OpenShift, Cloud Pak for Data, and Netezza Performance Server on AWS.
- A VPC with DNS support and a DNS hostname.

      aws ec2 create-vpc --cidr-block ${VPC_CIDR}
      aws ec2 modify-vpc-attribute \
        --vpc-id ${VPC_ID} \
        --enable-dns-support "{\"Value\":true}"
      aws ec2 modify-vpc-attribute \
        --vpc-id ${VPC_ID} \
        --enable-dns-hostnames "{\"Value\":true}"

- An internet gateway that is attached to the VPC.

      aws ec2 create-internet-gateway
      aws ec2 attach-internet-gateway \
        --vpc-id ${VPC_ID} \
        --internet-gateway-id ${INTERNETGATEWAY_ID}

- A Public Route Table that is associated with the VPC, and a Route in that Route Table to the Internet Gateway.

      aws ec2 create-route-table --vpc-id ${VPC_ID}
      aws ec2 create-route \
        --route-table-id ${ROUTE_TABLE_PUBLIC} \
        --destination-cidr-block 0.0.0.0/0 \
        --gateway-id ${INTERNETGATEWAY_ID}

- A Public Subnet for the VPC in the wanted ZONE that needs to be mapped to a REGION and associated with the Public Route Table.

      aws ec2 create-subnet \
        --vpc-id ${VPC_ID} \
        --availability-zone ${SUBNET_PUBLIC_1_ZONE} \
        --cidr-block ${SUBNET_PUBLIC_1_CIDR}
      aws ec2 associate-route-table \
        --subnet-id ${SUBNET_PUBLIC_1_ID} \
        --route-table-id ${ROUTE_TABLE_PUBLIC}
      aws ec2 modify-subnet-attribute \
        --subnet-id ${SUBNET_PUBLIC_1_ID} \
        --map-public-ip-on-launch \
        --region $REGION

- An address allocation (Elastic IP), and NAT Gateway for the public subnet that is attached to the address allocation.

      aws ec2 allocate-address \
        --domain vpc \
        --network-border-group $REGION
      aws ec2 create-nat-gateway \
        --subnet-id ${SUBNET_PUBLIC_1_ID} \
        --allocation-id $ELASTIC_IP_NAT_GATEWAY

- A Private Route Table and a route for the NAT Gateway.

      aws ec2 create-route-table --vpc-id ${VPC_ID}
      aws ec2 create-route \
        --route-table-id ${ROUTE_TABLE_PRIVATE} \
        --destination-cidr-block 0.0.0.0/0 \
        --nat-gateway-id ${NATGATEWAY_ID}

- Create at least three subnets with a different CIDR BLOCK and ZONE that are associated with the Private Route Table.

      aws ec2 create-subnet \
        --vpc-id ${VPC_ID} \
        --availability-zone ${SUBNET_PRIVATE_1_ZONE} \
        --cidr-block ${SUBNET_PRIVATE_1_CIDR}
      aws ec2 associate-route-table --route-table-id ${ROUTE_TABLE_PRIVATE} --subnet-id ${SUBNET_PRIVATE_1_ID}
      aws ec2 create-subnet \
        --vpc-id ${VPC_ID} \
        --availability-zone ${SUBNET_PRIVATE_2_ZONE} \
        --cidr-block ${SUBNET_PRIVATE_2_CIDR}
      aws ec2 associate-route-table --route-table-id ${ROUTE_TABLE_PRIVATE} --subnet-id ${SUBNET_PRIVATE_2_ID}
      aws ec2 create-subnet \
        --vpc-id ${VPC_ID} \
        --availability-zone ${SUBNET_PRIVATE_3_ZONE} \
        --cidr-block ${SUBNET_PRIVATE_3_CIDR}
      aws ec2 associate-route-table --route-table-id ${ROUTE_TABLE_PRIVATE} --subnet-id ${SUBNET_PRIVATE_3_ID}

- Create a Route53 private hosted zone.

      aws route53 create-hosted-zone \
        --name ${HOSTED_ZONE_PRIVATE_NAME} \
        --vpc VPCRegion=$REGION,VPCId=${VPC_ID} \
        --caller-reference ${HOSTED_ZONE_PRIVATE_CALLER_REF} \
        --hosted-zone-config PrivateZone=true

- Create a Bastion Node with an SSH Key, a Security Group, and an ingress rule for SSH Access.

      # Save the private key material to the file named by $SSH_KEY.
      aws ec2 create-key-pair \
        --key-name $SSH_KEY_NAME \
        --query 'KeyMaterial' \
        --output text \
        --region $REGION > "$SSH_KEY"
      # DESCRIPTION: e.g. "SSH Access"
      aws ec2 create-security-group \
        --group-name SSHAccess \
        --description "$DESCRIPTION" \
        --vpc-id $VPC_ID \
        --region $REGION
      # INGRESS_CIDR: e.g. 0.0.0.0/0
      aws ec2 authorize-security-group-ingress \
        --group-id $SECURITY_GROUP_ID_BASTION \
        --protocol tcp \
        --port 22 \
        --cidr $INGRESS_CIDR \
        --region $REGION
      # INSTANCE_TYPE: e.g. t2.medium
      aws ec2 run-instances \
        --image-id $AMI_ID \
        --count 1 \
        --instance-type $INSTANCE_TYPE \
        --key-name $SSH_KEY_NAME \
        --security-group-ids $SECURITY_GROUP_ID_BASTION \
        --subnet-id ${SUBNET_PUBLIC_1_ID}

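The bastion ingress rule takes its source range from $INGRESS_CIDR, and a value of 0.0.0.0/0 leaves port 22 reachable from every address. The following added example (not part of the original procedure) refuses broad ranges before the CLI call is made; the function names and the default /24 threshold are assumptions.

```bash
# Added example: guard the bastion SSH ingress rule against broad source ranges.
# cidr_ok_for_ssh and authorize_bastion_ssh are hypothetical helper names;
# the default minimum prefix length of /24 is an assumption, adjust as needed.

# cidr_ok_for_ssh CIDR [MIN_PREFIX]
#   returns 0: valid IPv4 CIDR with prefix length >= MIN_PREFIX
#   returns 1: valid but broader than MIN_PREFIX (for example 0.0.0.0/0)
#   returns 2: not a valid IPv4 CIDR
cidr_ok_for_ssh() {
  cidr=$1 min=${2:-24}
  case $cidr in */*) ;; *) return 2 ;; esac
  addr=${cidr%/*} prefix=${cidr#*/}
  case $prefix in ''|*[!0-9]*) return 2 ;; esac
  [ "$prefix" -le 32 ] || return 2
  case $addr in ''|*[!0-9.]*|.*|*.) return 2 ;; esac
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs   # split into octets
  [ $# -eq 4 ] || return 2
  for octet in "$@"; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] || return 2
  done
  [ "$prefix" -ge "$min" ] || return 1
}

# Wraps the page's authorize-security-group-ingress call with the guard.
authorize_bastion_ssh() {
  if ! cidr_ok_for_ssh "$INGRESS_CIDR"; then
    echo "refusing SSH ingress from '$INGRESS_CIDR'" >&2
    return 1
  fi
  aws ec2 authorize-security-group-ingress \
    --group-id "$SECURITY_GROUP_ID_BASTION" \
    --protocol tcp \
    --port 22 \
    --cidr "$INGRESS_CIDR" \
    --region "$REGION"
}
```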
- Optional: For a private cluster installation, follow these steps:
- Make sure the necessary URLs are open.
Carefully review any changes in URLs between different Red Hat OpenShift releases.
- For Red Hat OpenShift, see the list at https://docs.openshift.com/container-platform/4.14/installing/install_config/configuring-firewall.html#configuring-firewall_configuring-firewall.
- For Cloud Pak for Data:
  - cp.icr.io/cp
  - cp.icr.io/cp/cpd
  - icr.io/cpopen
  - quay.io/opencloudio
- For Netezza Performance Server:
  - storage.googleapis.com
  - gcr.io
  - quay.io/external_storage
  - registry.access.redhat.com/ubi8
  - quay.io/k8scsi
  - k8s.gcr.io/sig-storage
  - gcr.io/kubebuilder
- If a firewall is present, do the following:
- Configure the firewall so that Red Hat OpenShift Container Platform can access the sites that it requires to function. For more information, see Configuring your firewall.
- Verify whether the URLs are in the allow list. You can check the connection by using the netcat or telnet command with gcr.io at port 443:

      nc -zv gcr.io 443

  Example:

      $ nc -zv gcr.io 443
      Connection to gcr.io port 443 [tcp/https] succeeded!

- Verify that the following ports are opened:
- Ports 80, 443, 6443, 22623
- Inbound on 2049 (NFS)
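The single nc check shown for gcr.io can be repeated for every registry in the Cloud Pak for Data and Netezza Performance Server lists. The following added example (not part of the original procedure) reduces the listed registry paths to host names and tests each one; the function names are hypothetical.

```bash
# Added example: test port reachability for every registry host on this page.
# unique_hosts and check_hosts are hypothetical helper names.

# Registry paths as listed for Cloud Pak for Data and Netezza Performance Server.
ALLOW_LIST='cp.icr.io/cp
cp.icr.io/cp/cpd
icr.io/cpopen
quay.io/opencloudio
storage.googleapis.com
gcr.io
quay.io/external_storage
registry.access.redhat.com/ubi8
quay.io/k8scsi
k8s.gcr.io/sig-storage
gcr.io/kubebuilder'

# unique_hosts: strip the repository path from each entry and de-duplicate,
# because nc connects to a host, not to a registry path.
unique_hosts() {
  printf '%s\n' "$ALLOW_LIST" | sed 's|/.*||' | sort -u
}

# check_hosts [PORT]: try a TCP connect to every host, print one line per
# host, and return the number of hosts that could not be reached.
check_hosts() {
  port=${1:-443} failed=0
  for host in $(unique_hosts); do
    if nc -z -w 5 "$host" "$port" >/dev/null 2>&1; then
      echo "ok      $host:$port"
    else
      echo "BLOCKED $host:$port"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}
```

A successful TCP connect shows only that the port is reachable; a proxy that filters by registry path or intercepts TLS needs a separate pull test.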