Modifying QRadar EDR deployment resource specifications
QRadar® EDR provides a method to modify the deployment resource specifications by using the modify_deployment tool.
Install Red Hat OpenShift CLI 4.14 or later
The Red Hat® OpenShift® CLI client helps you develop, build, deploy, and run your applications on any Red Hat OpenShift or Kubernetes cluster. It also includes the administrative commands for managing a cluster under the adm subcommand.
Procedure
- Download Red Hat OpenShift CLI 4.14 or later from https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable-4.14/. The file to download is called openshift-client-<platform>-<version>.tar.gz.
- Extract the binary file that you downloaded by typing the following command, where <oc_cli_archive_file> is the name of the archive file that you downloaded.
tar -xf <oc_cli_archive_file>
- Modify the permissions of the binary file by typing the following command, where <oc_cli_binary> is the name of the Red Hat OpenShift binary that you extracted from the archive.
- Move the binary file to the /usr/local/bin directory by typing the following command.
mv <oc_cli_binary> /usr/local/bin/oc
Tip: If this command returns a No such file or directory or Not a directory error message, create the /usr/local/bin directory by typing the following command.
sudo mkdir /usr/local/bin
- Ensure that the Red Hat OpenShift CLI client is working by typing the following command.
oc version
Tip: macOS users might see a message that this tool cannot be opened because it is from an unidentified developer. Close this message and go to System Preferences > Security & Privacy. On the General tab, click Open Anyway or Allow Anyway. Repeat the oc version command.
Modifying QRadar EDR deployment resource specifications
Modify the deployment resource specifications by using the modify_deployment tool.
Procedure
- Log in to your Red Hat OpenShift Container Platform cluster as a cluster administrator by typing one of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
  - Using a username and password.
  oc login <openshift_url> -u <cluster_admin_user> -p <cluster_admin_password>
  - Using a token.
  oc login --token=<token> --server=<openshift_url>
- Ensure that you have the serviceability pod running by typing the following command.
oc get pod -lrun=cp-serviceability -n <qradar_edr_namespace>
- Exec into the serviceability pod by typing the following command.
oc exec -ti deploy/cp-serviceability -- bash
- Run the modify_deployment tool by typing the following command.
/opt/bin/modify_deployment <arguments>
The following table shows the arguments that are available.
Table 1. modify_deployment arguments
Argument     Description
-n           The namespace. The default namespace is cp4s.
--replicas   The number of replicas.
-k           The middleware.
-a           The application to update.
-c           The container to update. The default is main.
-p           The middleware parameter name and value. Separate the name and value with a colon (:).
-r           The resource specification. Separate multiple resource specifications with a colon (:).
-d           Delete the entry for an application or a container.
--force      Ignore application or container checks.
--token      The Red Hat OpenShift admin token.
--all-ns     Set the scope for all namespaces.
The following example command might be used to modify the CPU, memory, and replicas of the entitlements application.
/opt/bin/modify_deployment -k default -a reaqta-hive-event-hive --replicas=1 -r requests.cpu:300m -r requests.memory:1536Mi -r limits.cpu:4000m -r limits.memory:4Gi --all-ns --token '<cluster_admin_token>'
Important: If you are modifying the CPU or memory settings, you must specify all 4 resource requests and limits at the same time. The application CPU or memory requests and limits must have measurement units set. For example, -r requests.cpu:1000m is accepted but -r requests.cpu:1 is not.
Group the parameters for an application into a single command to avoid a redeployment every time a parameter is changed.
To modify application parameters, you can use the -p parameter. For example, you can increase postgres storage to 2048Gi by typing the following command.
/opt/bin/modify_deployment -k postgres -a default -p storageSize:2048Gi --all-ns --token '<cluster_admin_token>'
To change the configuration back to its original configuration, you can use the -d parameter.
/opt/bin/modify_deployment -k postgres -a default -d --all-ns --token '<cluster_admin_token>'
Any modification that is made by using the tool is stored in a custom configmap called cp4s-values in the QRadar EDR namespace. This configmap overrides the default configuration and must not be deleted. If the configmap is deleted, QRadar EDR reverts to its original configuration.
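The rules in the Important note above (all four requests and limits together, each with a measurement unit) can be checked before modify_deployment is run. The following shell function is an added example, not part of the IBM tool. The accepted unit suffixes, the restriction to the four keys used on this page, and the check that requests do not exceed limits are assumptions based on Kubernetes quantity notation.

```shell
#!/bin/sh
# Added example, not IBM code. Assumptions: CPU is given in millicores (300m),
# memory with a binary suffix (Ki, Mi, Gi, Ti), and only the four keys used on
# this page are valid. modify_deployment itself may accept more.

# to_base VALUE: print millicores (CPU) or KiB (memory) as a plain integer.
to_base() {
  n=${1%%[!0-9]*}
  case "${1#"$n"}" in
    m|Ki) echo "$n" ;;
    Mi) echo $(($n * 1024)) ;;
    Gi) echo $(($n * 1024 * 1024)) ;;
    Ti) echo $(($n * 1024 * 1024 * 1024)) ;;
  esac
}

# check_resource_specs SPEC...: each SPEC is the value of one -r flag.
# Prints the first problem found and returns 1; returns 0 if the set is usable.
check_resource_specs() {
  rcpu= lcpu= rmem= lmem=
  for spec in "$@"; do
    key=${spec%%:*} val=${spec#*:}
    case "$key" in
      requests.cpu|limits.cpu)       re='^[1-9][0-9]*m$' ;;
      requests.memory|limits.memory) re='^[1-9][0-9]*[KMGT]i$' ;;
      *) echo "unknown resource key: $key"; return 1 ;;
    esac
    # A spec without a colon, or a bare number such as "1", is rejected here.
    if [ "$spec" = "$key" ] || ! printf '%s\n' "$val" | grep -Eq "$re"; then
      echo "$key: value '$val' is not a number with a measurement unit"; return 1
    fi
    case "$key" in
      requests.cpu) rcpu=$val ;;    limits.cpu) lcpu=$val ;;
      requests.memory) rmem=$val ;; limits.memory) lmem=$val ;;
    esac
  done
  [ -n "$rcpu" ] || { echo "missing: requests.cpu"; return 1; }
  [ -n "$rmem" ] || { echo "missing: requests.memory"; return 1; }
  [ -n "$lcpu" ] || { echo "missing: limits.cpu"; return 1; }
  [ -n "$lmem" ] || { echo "missing: limits.memory"; return 1; }
  [ "$(to_base "$rcpu")" -le "$(to_base "$lcpu")" ] || { echo "requests.cpu exceeds limits.cpu"; return 1; }
  [ "$(to_base "$rmem")" -le "$(to_base "$lmem")" ] || { echo "requests.memory exceeds limits.memory"; return 1; }
}

# Values taken from the example command on this page.
check_resource_specs requests.cpu:300m requests.memory:1536Mi \
  limits.cpu:4000m limits.memory:4Gi && echo "resource set OK"
```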