LVM procedure for encrypted HA systems

You can extend the storage capacity of encrypted High Availability (HA) systems by using the Logical Volume Manager (LVM) procedure on both primary and secondary hosts.

Before you begin

Warning:
  • Changing the LVM configuration on a QRadar system might result in data loss and data corruption. Always take a full backup of the system before you start the LVM procedure.
  • Extending storage on the /store logical volume (LV) in a high availability pair triggers a full synchronization. This can take a significant amount of time depending on the size of /store and the network configuration of the HA pair. The High Availability feature is not available during the synchronization.
  • Ensure that the High Availability pair is in a Primary/Active – Secondary/Standby state before you apply the LVM procedure.
  • The LVM procedures only support LVM expansion for systems with logical volume level encryption. Do not perform these procedures on systems with partition or disk level encryption.
Identifying encryption level
The following command helps to identify the encryption level on the system for the /store logical volume:
xfs_info /store | grep meta-data | sed "s/meta-data=//" | cut -d " " -f1
Logical volume encryption gives an output similar to the following:
/dev/mapper/luks-86ceb52c-d656-42f3-b2a3-6157a4ffa7cd
Partition or disk level encryption gives an output similar to the following:
/dev/mapper/rhel-store
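
The encryption-level check above, wrapped as a pre-flight guard that refuses to continue unless /store sits on a /dev/mapper/luks-<UUID> device. This is an added example, not part of the original procedure or of QRadar's tooling; the function names and the sample xfs_info text are constructed for illustration, and on a live host you would pass "$(xfs_info /store)" instead of the samples.

```shell
#!/bin/sh
# Constructed samples of `xfs_info /store` output (only the first line matters).
SAMPLE_LV='meta-data=/dev/mapper/luks-86ceb52c-d656-42f3-b2a3-6157a4ffa7cd isize=512    agcount=4, agsize=6553600 blks
         =                       sectsz=512   attr=2, projid32bit=1'
SAMPLE_PART='meta-data=/dev/mapper/rhel-store isize=512    agcount=4, agsize=6553600 blks
         =                       sectsz=512   attr=2, projid32bit=1'

# Read xfs_info output on stdin and print the device that backs the file
# system: the same field the grep/sed/cut pipeline on this page selects.
store_device_from_xfs_info() {
    awk '/^meta-data=/ { sub(/^meta-data=/, "", $1); print $1; exit }'
}

# Succeed only for a device-mapper name of the form luks-<UUID>, which is
# what logical volume level encryption produces according to this page.
is_lv_level_luks() {
    printf '%s\n' "$1" |
        grep -Eq '^/dev/mapper/luks-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# $1: full xfs_info output for the mount point.
# Prints a verdict; returns 0 = safe to continue, 1 = unsupported, 2 = no device found.
preflight_store() {
    pf_dev=$(printf '%s\n' "$1" | store_device_from_xfs_info)
    if [ -z "$pf_dev" ]; then
        echo "unknown"
        return 2
    fi
    if is_lv_level_luks "$pf_dev"; then
        echo "ok $pf_dev"
        return 0
    fi
    # Covers partition or disk level encryption and anything unrecognized.
    echo "unsupported $pf_dev"
    return 1
}

# Demo on the constructed samples; failures are expected for the second one.
preflight_store "$SAMPLE_LV" || true
preflight_store "$SAMPLE_PART" || true
```

Run the guard on both the primary and the secondary host, and stop if either reports anything other than "ok".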

Procedure

The following procedures are for systems that are already in a High Availability (HA) pair and are to be performed on both primary and secondary hosts.

  1. Check the HA pair status by entering the following command:
    /opt/qradar/ha/bin/ha cstate
  2. Add a hard disk to the system and ensure the same size hard disk is added to both primary and secondary hosts. Find the hard disk name by entering the following command:
    lsblk
    For example, sdb
  3. Create a partition table on the new hard disk by entering the following command:
    parted /dev/<HD name> mktable gpt
  4. Create a partition for the whole disk by entering the following command:
    parted /dev/<HD Name> mkpart xfs 1.00Mib 100%
  5. Search for the name of the new partition by entering the following command:
    lsblk
    Typically, the device name with the number 1 at the end is the partition name.
    For example, sdb1
  6. Create the physical volume (PV) for this hard disk by entering the following command:
    pvcreate /dev/<Partition name>
  7. To add the storage, locate the volume group (VG). For example, storerhel is the VG for the /store and /transient directories. Locate VG by entering the following command:
    vgs
  8. Extend the VG to include the space from the new partition by entering the following command:
    vgextend <Volume Group Name> /dev/<Partition name>
  9. Note: This step is only required for all-in-one consoles and console devices.
    It is recommended that all-in-one consoles and console devices have more storage on the transient and store volumes. The transient volume should occupy 20% of the available space and the store volume should occupy 80% of the remaining space. This step is not required for any other type of appliance.
    Warning: If you are extending the transient logical volume, you must complete this step before you extend the store logical volume.

    Extend the transient logical volume by using 20% of the free space in the VG by entering the following command:

    lvextend -l +20%FREE /dev/<VG Name>/transient
  10. Extend the space for store LV by 100% of the remaining space by entering the following command:
    lvextend -l +100%FREE /dev/<VG Name>/store
  11. You can search for the path for each file system. Generally, the path for an encrypted logical volume is /dev/mapper/luks-<LUKS UUID>.

    For example, the path for the file system is /dev/mapper/luks-87186a37-0b3e-4019-afa8-7bc1bc8c8bd2.

    To find the file system path of the /store directory, enter the following command:
    xfs_info /store | grep meta-data | sed "s/meta-data=//" | cut -d " " -f1
    Note: For all-in-one consoles and console devices you need to find the path to /transient directory as well.
  12. Resize the LUKS encrypted space to include the space from the store logical volume. This step resizes only the LUKS encrypted space, not the file system. You will have to enter the passphrase for the encrypted volume. Enter the following command:
    cryptsetup resize /dev/mapper/luks-<LUKS UUID>
    Note: If storage was extended on the transient volume, then you will have to resize the LUKS encrypted space on that volume as well.
  13. Note: This step is only required for all-in-one consoles and console devices.
    For all-in-one consoles and console devices, grow the transient file system to fill free space only on the transient LV by entering the following command:
    xfs_growfs /dev/mapper/luks-<UUID>

    Unlike non-HA systems, do not grow the file system to fill the space on the /store logical volume. Distributed Replicated Block Device (DRBD) does this work.

  14. Note: Perform this step only on the primary/active host, after the LVM procedure is completed on both primary and secondary hosts. This step triggers a full synchronization. This can take a significant amount of time depending on the size of /store and the network configuration of the HA pair. During this time the high availability feature is not available.
    Resize the DRBD device by entering the following command:
    drbdadm resize store