Modifying QRadar EDR deployment resource specifications

QRadar® EDR provides a method to modify the deployment resource specifications by using the modify_deployment tool.

Install Red Hat OpenShift CLI 4.14 or later

The Red Hat® OpenShift® CLI client helps you develop, build, deploy, and run your applications on any Red Hat OpenShift or Kubernetes cluster. It also includes the administrative commands for managing a cluster under the adm subcommand.

Procedure

  1. Download Red Hat OpenShift CLI 4.14 or later from https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable-4.14/. The file to download is called openshift-client-<platform>-<version>.tar.gz.
  2. Extract the binary file that you downloaded by typing the following command, where <oc_cli_archive_file> is the name of the archive file that you downloaded.
    tar -xf <oc_cli_archive_file>
  3. Modify the permissions of the binary file by typing the following command, where <oc_cli_binary> is the name of the Red Hat OpenShift binary that you extracted from the archive.
  4. Move the binary file to the /usr/local/bin directory by typing the following command.
    mv <oc_cli_binary> /usr/local/bin/oc
    Tip: If this command returns a No such file or directory or Not a directory error message, create the /usr/local/bin directory by typing the following command.
    sudo mkdir /usr/local/bin
  5. Ensure that the Red Hat OpenShift CLI client is working by typing the following command.
    oc version
    Tip: macOS users might see a message that this tool cannot be opened because it is from an unidentified developer. Close this message and go to System Preferences > Security & Privacy. On the General tab, click Open Anyway or Allow Anyway. Repeat the oc version command.

Modifying QRadar EDR deployment resource specifications

Modify the deployment resource specifications by using the modify_deployment tool.

Procedure

  1. Log in to your Red Hat OpenShift Container Platform cluster as a cluster administrator by typing one of the following commands, where <openshift_url> is the URL for your Red Hat OpenShift Container Platform environment.
    • Using a username and password.
      oc login <openshift_url> -u <cluster_admin_user> -p <cluster_admin_password>
    • Using a token.
      oc login --token=<token> --server=<openshift_url>
  2. Ensure that you have the serviceability pod running by typing the following command.
    oc get pod -lrun=cp-serviceability -n <qradar_edr_namespace>
  3. Exec into the serviceability pod by typing the following command.
    oc exec -ti deploy/cp-serviceability -- bash
  4. Run the modify_deployment tool by typing the following command.
    /opt/bin/modify_deployment <arguments>
    The following table shows the arguments that are available.
    Table 1. modify_deployment arguments
    Argument     Description
    -n           The namespace. The default namespace is cp4s.
    --replicas   The number of replicas.
    -k           The middleware.
    -a           The application to update.
    -c           The container to update. The default is main.
    -p           The middleware parameter name and value. Separate the name and value with a colon (:).
    -r           The resource specification. Separate multiple resource specifications with a colon (:).
    -d           Delete the entry for an application or a container.
    --force      Ignore application or container checks.
    --token      The Red Hat OpenShift admin token.
    --all-ns     Set the scope for all namespaces.
    The following example command might be used to modify the CPU, memory, and replicas of the entitlements application.
    /opt/bin/modify_deployment -k default -a reaqta-hive-event-hive --replicas=1 -r requests.cpu:300m -r requests.memory:1536Mi -r limits.cpu:4000m -r limits.memory:4Gi --all-ns --token '<cluster_admin_token>'
    Important: If you are modifying the CPU or memory settings, you must specify all 4 resource requests and limits at the same time. The application CPU or memory requests and limits must have measurement units set. For example, -r requests.cpu:1000m is accepted but -r requests.cpu:1 is not.

    Group the parameters for an application into a single command to avoid a redeployment every time a parameter is changed.

    To modify application parameters, you can use the -p parameter. For example, you can increase postgres storage to 2048Gi by typing the following command.

    /opt/bin/modify_deployment -k postgres -a default -p storageSize:2048Gi --all-ns --token '<cluster_admin_token>'

    To change the configuration back to its original configuration, you can use the -d parameter.

    /opt/bin/modify_deployment -k postgres -a default -d --all-ns --token '<cluster_admin_token>'

    Any modification that is made by using the tool is stored in a custom configmap called cp4s-values in the QRadar EDR namespace. This configmap overrides the default configuration and must not be deleted. If the configmap is deleted, QRadar EDR reverts to its original configuration.
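
The rule in the Important note of step 4 (all four requests and limits together, each with a measurement unit) can be checked before the tool is run. The following is an added example, not part of the IBM documentation or of modify_deployment. The function names are hypothetical, the accepted suffixes (m for CPU; Ki, Mi, Gi, Ti for memory) are assumptions, and the check that a request is not above its limit is standard Kubernetes validation rather than something this page states.

```shell
#!/bin/sh
# Added example, not IBM code: pre-flight check for modify_deployment -r values.
# Assumed units: "m" for CPU; Ki, Mi, Gi, Ti for memory.

# Print a value as an integer (millicores for CPU, KiB for memory).
# Fails when the unit is missing or not one of the assumed suffixes.
to_base() {  # $1 = key such as requests.cpu, $2 = value such as 300m
  case "$1:$2" in
    *.cpu:*m)     n=${2%m};  mult=1 ;;
    *.memory:*Ki) n=${2%Ki}; mult=1 ;;
    *.memory:*Mi) n=${2%Mi}; mult=1024 ;;
    *.memory:*Gi) n=${2%Gi}; mult=1048576 ;;
    *.memory:*Ti) n=${2%Ti}; mult=1073741824 ;;
    *) return 1 ;;
  esac
  # Digits only; a leading zero is refused so the shell never reads it as octal.
  case "$n" in ''|*[!0-9]*|0?*) return 1 ;; esac
  echo $(( $n * $mult ))
}

# Usage: check_resources requests.cpu:300m requests.memory:1536Mi ...
# Returns 0 only if all four specs are present, each has a unit,
# and no request is larger than its limit.
check_resources() {
  req_cpu='' req_mem='' lim_cpu='' lim_mem=''
  for spec in "$@"; do
    key=${spec%%:*} val=${spec#*:}
    if ! base=$(to_base "$key" "$val"); then
      echo "rejected: $spec (unknown key or missing unit)" >&2; return 1
    fi
    case "$key" in
      requests.cpu)    req_cpu=$base ;;
      requests.memory) req_mem=$base ;;
      limits.cpu)      lim_cpu=$base ;;
      limits.memory)   lim_mem=$base ;;
      *) echo "rejected: $spec (unknown key)" >&2; return 1 ;;
    esac
  done
  if [ -z "$req_cpu" ] || [ -z "$req_mem" ] || [ -z "$lim_cpu" ] || [ -z "$lim_mem" ]; then
    echo "rejected: give all four requests and limits together" >&2; return 1
  fi
  if [ "$req_cpu" -gt "$lim_cpu" ] || [ "$req_mem" -gt "$lim_mem" ]; then
    echo "rejected: a request exceeds its limit" >&2; return 1
  fi
  return 0
}
```

Pass the same name:value pairs that follow each -r on the modify_deployment command line; a non-zero return means the set should be corrected before the tool is run.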