Red Hat OpenShift configuration on AWS
Modify the Red Hat OpenShift Service on AWS (ROSA) platform for IBM Storage Scale container native to operate correctly.
Add Scale labels to the machine pool
- Modify the default machine pool
ROSA provides a command-line interface (CLI) for editing node labels, which can be obtained from https://github.com/openshift/rosa/releases. This is needed to customize the machine pool that is used for running IBM Storage Scale container native. When you install ROSA, it creates a machine pool named "Default" that includes nodes with the roles worker and worker,infra. To use these nodes for running IBM Storage Scale container native, you can modify the "Default" machine pool as follows:
rosa edit machinepool -c <rosa-cluster-name> Default --labels node-role.kubernetes.io/scale=,scale.spectrum.ibm.com/daemon-selector= --replicas 3
It is recommended to configure a minimum of 3 replicas.
- If you prefer to isolate your workload to a custom machine pool, you can create one and assign labels to the nodes by using the following command:
rosa create machinepool -c <rosa-cluster-name> --name=<custom-pool-name> --labels node-role.kubernetes.io/scale=,scale.spectrum.ibm.com/daemon-selector= --replicas 3
It is recommended to configure a minimum of 3 replicas.
Create a service account for applying Machine Config Operator (MCO)
As a regular user, you are prevented from modifying Red Hat managed resources. Therefore, it is advised to create a service account for Machine Config Operator (MCO) by following the provided steps:
- Create a service account for Machine Config Operator (MCO):
oc create serviceaccount scale-mco-sa
- Add a role to the service account. To add the "cluster-admin" role to the service account "scale-mco-sa", execute the following command:
oc adm policy add-cluster-role-to-user cluster-admin -z scale-mco-sa
- To create a new token for the service account (scale-mco-sa) and store it in the MCO_SA_TOKEN environment variable, execute the following command:
export MCO_SA_TOKEN=$(oc create token scale-mco-sa)
- Log in to OpenShift using the new token.
oc login --token=$MCO_SA_TOKEN
For information on how to use service accounts in applications, see Using service accounts in applications in the Red Hat OpenShift documentation.
Create a new Machine Config Pool
To separate out nodes with labels "scale" and "worker" into a new machine pool, execute the following command:
echo '
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfigPool
metadata:
  name: scale-mcp
spec:
  machineConfigSelector:
    matchExpressions:
      - {key: machineconfiguration.openshift.io/role, operator: In, values: [worker,scale]}
  nodeSelector:
    matchLabels:
      node-role.kubernetes.io/scale: ""
' | oc apply -f -
Applying Machine Config Operator (MCO) settings
Apply the following MCO setting to install the kernel-related packages that IBM Storage Scale needs to build its portability layer.
echo '
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: "scale"
  name: 00-worker-ibm-spectrum-scale-kernel-devel
spec:
  selector:
    matchLabels:
      machineconfiguration.openshift.io/role: "scale"
  config:
    ignition:
      version: 3.2.0
  extensions:
    - kernel-devel
' | oc apply -f -
To validate that the kernel-devel packages have been installed onto the machines, see Validate kernel packages.
Clean up the service account
Once the Machine Config Operator task has been successfully completed, complete the following steps to clean up the service account:
- Log out of the OpenShift cluster:
oc logout
- Log in to the OpenShift cluster as a regular user:
oc login <OpenShift_URL> -u <regular_user> -p <regular_user_password>
- Delete the service account that was created for performing the MCO task:
oc delete sa scale-mco-sa
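An added check, not part of the original page or of IBM or Red Hat code: deleting a service account does not delete ClusterRoleBindings that name it as a subject, so the cluster-admin grant made earlier can remain after oc delete sa. The Python below scans `oc get clusterrolebindings -o json` output for bindings that still name scale-mco-sa. The function name is hypothetical, and the sample JSON, its binding names and the "default" namespace are constructed for illustration.

```python
import json
import sys

SA_NAME = "scale-mco-sa"  # service account name used on this page

# Constructed sample shaped like `oc get clusterrolebindings -o json`;
# binding names and the "default" namespace are made up for illustration.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "cluster-admin-0"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "scale-mco-sa",
                   "namespace": "default"}]},
    {"metadata": {"name": "cluster-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "cluster-admins"}]},
    {"metadata": {"name": "view-only"},
     "roleRef": {"kind": "ClusterRole", "name": "view"}},  # no subjects key
]})


def leftover_bindings(crb_json, sa_name=SA_NAME, namespace=None):
    """Return (binding, role, namespace) for each ClusterRoleBinding that
    still names the service account; namespace=None matches any namespace."""
    hits = []
    for item in json.loads(crb_json).get("items", []):
        # "subjects" may be absent or null on a binding with no subjects
        for subject in item.get("subjects") or []:
            if subject.get("kind") != "ServiceAccount":
                continue
            if subject.get("name") != sa_name:
                continue
            if namespace and subject.get("namespace") != namespace:
                continue
            hits.append((item["metadata"]["name"],
                         item["roleRef"]["name"],
                         subject.get("namespace")))
    return hits


if __name__ == "__main__":
    # Usage: oc get clusterrolebindings -o json | python3 check_sa.py -
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    found = leftover_bindings(data)
    for binding, role, ns in found:
        print(f"{binding}: {role} still bound to {ns}/{SA_NAME}")
    sys.exit(1 if found else 0)
```

Any binding it reports should be removed or edited so that a service account named scale-mco-sa recreated later in that namespace does not regain cluster-admin.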
Authorize ROSA worker security group to allow IBM Storage Scale container native ports
Complete the following steps to authorize ROSA worker security group:
- In your AWS Management Console, navigate to the "EC2 Dashboard" in the region where ROSA is installed and select the "Security Groups" option from the navigation pane. Locate the ROSA worker security group, note its security group ID, and export the following variable.
export AWS_ROSA_WORKER_SECURITY_GROUP=<security_group_id>
- Use the following commands to authorize ingress traffic on the ports needed by IBM Storage Scale container native.
aws ec2 authorize-security-group-ingress --group-id ${AWS_ROSA_WORKER_SECURITY_GROUP} --protocol tcp --port 12345 --source-group ${AWS_ROSA_WORKER_SECURITY_GROUP}
aws ec2 authorize-security-group-ingress --group-id ${AWS_ROSA_WORKER_SECURITY_GROUP} --protocol tcp --port 1191 --source-group ${AWS_ROSA_WORKER_SECURITY_GROUP}
aws ec2 authorize-security-group-ingress --group-id ${AWS_ROSA_WORKER_SECURITY_GROUP} --protocol tcp --port 60000-61000 --source-group ${AWS_ROSA_WORKER_SECURITY_GROUP}