SevOne Data Insight Migrate Operating System & Data Guide

SevOne Documentation

All documentation is available from the IBM SevOne Support customer portal.

© Copyright International Business Machines Corporation 2023.

All right, title, and interest in and to the software and documentation are and shall remain the exclusive property of IBM and its respective licensors. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of IBM.

IN NO EVENT SHALL IBM, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF IBM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND IBM DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT.

IBM, the IBM logo, and SevOne are trademarks or registered trademarks of International Business Machines Corporation, in the United States and/or other countries. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on ibm.com/trademark.

About

This guide applies only if you are on SevOne Data Insight >= 3.0.0 and SevOne Data Insight <= 3.4.x. The operating system changed from Red Hat Enterprise Linux (RHEL) to CentOS 7 in SevOne Data Insight 3.5. This guide provides details on how to migrate the operating system and data.

IMPORTANT: PLEASE READ BEFORE CONTINUING...
As of SevOne Data Insight 3.5 release, the operating system has been changed from Red Hat Enterprise Linux (RHEL) to CentOS 7. You will not be able to rollback the operating system once you install SevOne Data Insight 3.5 or higher version.
Please do not run sevone-cli command from a subdirectory under /opt/SevOne/upgrade. It can be run from any directory except for from subdirectories under /opt/SevOne/upgrade.

For details on sevone-cli, please refer to SevOne Data Insight Troubleshooting / Debug / Tools Guide > section Tools > subsection SevOne CLI.
Terminology usage...
In this guide if there is,
  • [any reference to master] OR
  • [[if a CLI command (for NMS or Kubernetes or Redis) contains master] AND/OR
  •  [its output contains master]],
   it means leader or control plane.

And, if there is any reference to slave or worker, it means follower or agent.

Pre-Upgrade Checklist

  1. Using ssh , log into SevOne Data Insight as sevone.

    $ ssh sevone@<SevOne Data Insight 'control plane' node IP address or hostname>
    
  2. Change directory to /home/sevone.

    $ cd /home/sevone
    

    Migrate the operating system from RHEL to CentOS 7 using the latest unrhel-v<#.#.#>.tgz file. Please replace <#.#.#> with the build number. For example, unrhel-v5.2.9.tgz. The latest file can be downloaded from IBM Passport Advantage (https://www.ibm.com/software/passportadvantage/pao_download_software.html) via Passport Advantage Online. However, if you are on a legacy / flexible SevOne contract and do not have access to IBM Passport Advantage but have an active Support contract, please contact IBM SevOne Support for the file. Place the file in /home/sevone.

  3. Download the following (latest) files from IBM Passport Advantage via Passport Advantage Online or contact the IBM SevOne Support if you have an active Support contract. You must place these files in /home/sevone directory of the control plane node.

    1. sdi-v6.6.0-build.139.tgz
    2. sdi-v6.6.0-build.139.tgz.sha256.txt
    3. signature-tools-<latest version>-build.<###>.tgz
      For example, signature-tools-2.0.1-build.1.tgz
    4. signature-tools-<latest version>-build.<###>.tgz.sha256.txt
      For example, signature-tools-2.0.1-build.1.tgz.sha256.txt
  4. Migrate the operating system from RHEL to CentOS 7 using the latest unrhel-v<#.#.#>.tgz file. Please replace <#.#.#> with the build number. For example, unrhel-v5.2.9.tgz. Download the latest file from IBM Passport Advantage via Passport Advantage Online or contact the IBM SevOne Support if you have an active Support contract. Place the file in /home/sevone.

    $ ls -lah /home/sevone
    

    You should see all the files mentioned in steps 3 and 4 above in this directory.

Migrate from RHEL to CentOS 7

This section applies only if you have SevOne Data Insight >= 3.0.0 and SevOne Data Insight <= 3.4.1 already installed.< em>

Pre-Migration Checklist

Before proceeding with the migration of the operating system, please check the following.

Database Backup

Execute the following commands to backup all of the data that is critical for a healthy running SevOne Data Insight deployment.

$ sdi-cli exec mysql -- mysqldump -uroot -pdatainsight \
--databases datainsight reportscheduler | \
grep -v "Using a password" > /home/sevone/sdidata-$(date +%d-%m-%Y).sql

$ sdi-cli backup-securitykeys -okeys.json -P /home/sevone

Disk Usage

If your disk usage is at or above 65%, consider cleaning up your Hard Disk Drive (HDD).

DNS Config

Kubernetes requires a valid DNS config on all the nodes.

This can be done by adding your DNS servers via nmtui or editing the /etc/resolv.conf file directly. For details on nmtui, please refer to SevOne Data Insight Pre-Installation Guide. For details on /etc/resolv.conf, please refer to SevOne Data Insight Troubleshooting / Debug / Tools Guide.

Ensure createKeys is Enabled

If you have /opt/datainsight/values-override.yaml file present, ensure that the following section is removed as it is detrimental to the upgrade.

serviceAccount:
  createKeys:
    enabled: false

Kubernetes Certificates

If the command below fails with the following (or something similar) message, you will need to rotate your Kubernetes certificates first.

$ kubectl get pods
Unable to connect to the server: x509: certificate has expired or is not yet valid

Kubernetes Config

Ensure that the root user's Kubernetes config is set properly.

$ sudo mkdir /root/.kube

$ sudo cp /etc/kubernetes/admin.conf /root/.kube/config

Set a Default Route

Check if there is a default route added to the routing table.

$ ip route | grep default

If it returns empty, add the default route using the command below.

$ ip route add default via <default_gateway>

TLS Certificates

If TLS is enabled in /opt/datainsight/values-override.yaml file, ensure that the certificate is called datainsightcerts.

If not, please refer to SevOne Data Insight Administration Guide > Configuration > TLS Certificates > section Fix an Invalid TLS Secret Name.

Migrate Operating System

SevOne Data Insight operating system has migrated from RHEL to CentOS 7.

  1. Using ssh, log into SevOne Data Insight as sevone.

    $ ssh sevone@<SevOne Data Insight IP address or hostname>
    
  2. Execute the following steps to migrate the operating system.

    $ screen -S unrhel
    
    $ tar xvfz /home/sevone/unrhel-*.tgz -C /home/sevone
    
    $ sudo bash /home/sevone/unrhel/scripts/migrate os 2>&1 | \
    tee -a /home/sevone/unrhel_os.log
    
    If you are using unrhel_v5.1.1.tgz or above, the script will automatically remove configshell from /usr/local/bin directory.
    After the migration completes successfully, nodes will restart.

    Perform the following 3 checks:

    • Did the migration from RHEL to CentOS 7 complete successfully?
    • When you run sudo nmcli dev | grep -i ^eth, does the command return anything?
    • When you run sudo grep 'biosdevname=0 net.ifnames=0' /etc/default/grub, is it empty?
    If the answer is yes to all the 3 checks, please execute the following commands.

        $ sudo -i
        
        $ sed -i 's/GRUB_CMDLINE_LINUX="[^"]*/& biosdevname=0 net.ifnames=0/' \ 
        /etc/default/grub
        
        $ grub2-mkconfig --output=/boot/grub2/grub.cfg
    

    You are now ready to migrate your data.


Migrate Data

Before proceeding with data migration, verify that your /etc/resolv.conf file is properly configured and that its search domains resolve via nslookup.

After the migration completes successfully and the nodes are backed up, you may proceed to restore your data. You will require the latest SevOne Data Insight build. For example, sdi-v6.6.0-build.139.tgz file. Download the latest file from IBM Passport Advantage via Passport Advantage Online or contact the IBM SevOne Support if you have an active Support contract. Place it in /home/sevone.

Please execute the following steps.

  1. Using ssh, log into SevOne Data Insight as sevone.

    $ ssh sevone@<SevOne Data Insight IP address or hostname>
    
  2. If you have any agent nodes, please make sure your SSH keys are still valid. If not, run the following command to set the SSH keys.

    $ IFS=$'\n'; for line in $(cat /home/sevone/unrhel/backups/workers); \
    do ip=${line##* }; ssh-copy-id sevone@$ip; \
    ssh sevone@$ip 'sudo cp /home/sevone/.ssh/authorized_keys /root/.ssh/'; \
    done
    
  3. You are now ready to migrate your data.

    $ screen -S unrhel
    
    $ sudo bash /home/sevone/unrhel/scripts/migrate \
    kube $(ls -Art sdi-*.tgz | tail -n 1) 2>&1 | \
    tee -a /home/sevone/unrhel_kube.log
    
    You are now on SevOne Data Insight 6.6.

Upgrade SOA

  1. Using ssh, log into SevOne Data Insight as sevone.

    $ ssh sevone@<SevOne Data Insight IP address or hostname>
    
  2. After unrhel completes migrating your data, you will notice the GraphQL pod is in a crash loop. Upgrade SOA to fix this.

    If you are running a single-node NMS cluster, you may omit the --all-peers flag in the command below.
    $ sevone-cli soa upgrade /opt/SevOne/upgrade/utilities/SevOne-soa-*.rpm --all-peers
    
    If a cluster is larger than ~20 peers, it is recommended that you only upgrade the datasource nms and schedule to run the upgrade on all peers at a later time.

    Execute the following command to obtain the datasource IP address.
    $ sevone-cli mysql 'SELECT address from datasources WHERE \ 
    dstype = "nms-datasource" OR dstype = "METRICS/FLOW"' | \ 
    grep -oP 'https://\K\S+'
    

    Once you have obtained the datasource IP address, execute the following command.

    $ sevone-cli soa upgrade /opt/SevOne/upgrade/utilities/SevOne-soa-*.rpm \ <br />
    <enter SevOne NMS IP address>
    
  3. After SOA is updated, restart the GraphQL pod.

    $ kubectl delete pods -l app.kubernetes.io/component=graphql
    

Verify Upgrade

Execute the following command to verify the upgrade.

  1. Using ssh, log into SevOne Data Insight as sevone.

    $ ssh sevone@<SevOne Data Insight IP address or hostname>
    
  2. Check the status of the upgrade by running the following command. Ensure that everything is in Running status.

    $ kubectl get pods
    NAME                                                      READY   STATUS      RESTARTS      AGE
    di-create-secrets-kxzkm                                   0/1     Completed   0             21h
    di-graphql-5879886c46-zshfr                               1/1     Running     1 (27m ago)   21h
    ingress-ingress-nginx-controller-f5fb79d48-fz7bl          1/1     Running     1 (27m ago)   21h
    ingress-ingress-nginx-defaultbackend-7f5fbcdcdc-jps25     1/1     Running     1 (27m ago)   21h
    di-kube-state-metrics-84f86b867b-r7xrg                    1/1     Running     1 (27m ago)   21h
    di-printer-68f6bddb6f-hkhdt                               1/1     Running     1 (27m ago)   21h
    di-redis-master-0                                         2/2     Running     2 (27m ago)   21h
    di-minio-cd4bc55fb-b649g                                  1/1     Running     1 (27m ago)   21h
    di-ui-58b687f949-x46ps                                    1/1     Running     1 (27m ago)   21h
    di-wdkserver-78c499cc8c-tsjzj                             1/1     Running     1 (27m ago)   21h
    datasource-operator-controller-manager-6c8fc59bb9-c7trt   2/2     Running     2 (27m ago)   21h
    di-prometheus-node-exporter-gwbjh                         1/1     Running     1 (27m ago)   21h
    di-mysql-0                                                2/2     Running     2 (27m ago)   21h
    di-migrator-69bc8dbbdc-jgms2                              1/1     Running     1 (27m ago)   21h
    di-prometheus-server-6797d7c66-sfg8m                      2/2     Running     2 (27m ago)   21h
    di-rabbitmq-0                                             1/1     Running     1 (27m ago)   21h
    di-scheduler-67b79494b9-4j9rr                             1/1     Running     1 (27m ago)   21h
    di-asset-sweeper-27949980-kcrh9                           0/1     Completed   0             15m
    di-user-sync-27949980-5v2dv                               0/1     Completed   0             15m
    di-asset-sweeper-27949985-f75cn                           0/1     Completed   0             10m
    di-user-sync-27949985-rm2rn                               0/1     Completed   0             10m
    di-asset-sweeper-27949990-xrgqq                           0/1     Completed   0             5m4s
    di-user-sync-27949990-p8zqb                               0/1     Completed   0             5m4s
    di-user-sync-27949995-2hj7c                               1/1     Running     0             4s
    di-asset-sweeper-27949995-nmx5b                           0/1     Completed   0             4s
    

Manage Disk Space Usage

Over time, SevOne Data Insight installation may accumulate the old logs and files that can be cleaned up without any side-effects.

Old Installer Archives

SevOne Data Insight archives are approximately 1.5GB in size. Removing these archives can quickly clean up your Hard Disk Drive if you are running low on available disk space. Execute the following command to find the files.

Example

$ sdi-cli cluster exec --all 'find /opt/ -name "ins1ght-installer-*.tgz"'
/opt/datainsight/releases/ins1ght-installer-v1.6.0.tgz
/opt/datainsight/releases/ins1ght-installer-v1.6.1.tgz
/opt/datainsight/releases/ins1ght-installer-v1.6.1.1.tgz
/opt/datainsight/releases/ins1ght-installer-v2.0.0.tgz
/opt/datainsight/releases/ins1ght-installer-v2.1.0.tgz
/opt/datainsight/releases/ins1ght-installer-v2.2.0.tgz
/opt/datainsight/releases/ins1ght-installer-v3.0.0.tgz
/opt/datainsight/releases/ins1ght-installer-v3.1.0-build18.tgz
/opt/datainsight/releases/ins1ght-installer-v3.2.0-build14.tgz
/opt/datainsight/releases/ins1ght-installer-v3.3.0-build.19.tgz
/opt/datainsight/releases/ins1ght-installer-v3.4.0-build.21.tgz      <-- active version
It is always a good practice to keep the currently installed version.

Installer archives may erroneously be placed in / folder.

Unused elasticsearch Data

Elasticsearch was removed from SevOne Data Insight >= v1.6.1 and its persisted data can be found in /var/sdi-data. This is not removed automatically to preserve the option to rollback. If you are on newer versions of SevOne Data Insight, it is safe to remove this data. Execute the following command to find where this can be found in your setup.

$ sdi-cli cluster exec --all 'sudo find /var/sdi-data -type d -name elastic'
/var/sdi-data/elastic

Log Files

Kubernetes constantly outputs logs to /var/log/messages. Over time, this folder can accumulate several gigabytes worth of logs. Execute the following command to find the log files which can safely be removed.

Example

$ sdi-cli cluster exec --all 'sudo du -sh /var/log/* | grep messages'
27M   /var/log/messages
3.5G  /var/log/messages-20210430
1.4G  /var/log/messages-20210502
79M   /var/log/messages-20210509

Rotate Kubernetes Certificates

Kubernetes uses kubectl command to control the Kubernetes cluster. It works by sending a REST API command to API Server.

Example

During provisioning, the certificates necessary for this communication are generated with an expiry date of one-year. When that year is up, you will need to rotate your certificates.

$ kubectl get pods
Unable to connect to the server: x509: certificate has expired or is not yet valid

Find Expired Certificates

Kubernetes keeps its certificates in /etc/kubernetes/pki. In this directory, expired certificates can be isolated.

For the example below, let’s assume today’s date is Dec 15 2020.

IMPORTANT
You must be a root user.

Example

# log in as the root user
$ sudo -i
  
# find the expired certs
$ for i in $(ls /etc/kubernetes/pki/*.crt); \
do echo $i; openssl x509 -dates -noout -in $i | \
grep After; echo "---"; done

/etc/kubernetes/pki/apiserver.crt
notAfter=Dec 10 21:50:53 2020 GMT
---
/etc/kubernetes/pki/apiserver-kubelet-client.crt
notAfter=Dec 10 21:50:54 2020 GMT
---
/etc/kubernetes/pki/ca.crt
notAfter=Dec  7 21:50:53 2029 GMT
---
/etc/kubernetes/pki/front-proxy-ca.crt
notAfter=Dec  7 21:50:54 2029 GMT
---
/etc/kubernetes/pki/front-proxy-client.crt
notAfter=Dec 10 21:50:54 2020 GMT

Based on this example, you will see that the following certificates expired in December 2020.

  • /etc/kubernetes/pki/apiserver.crt
  • /etc/kubernetes/pki/apiserver-kubelet-client.crt
  • /etc/kubernetes/pki/front-proxy-client.crt

And, the two ca certificates expire in December 2029.

  • /etc/kubernetes/pki/ca.crt
  • /etc/kubernetes/pki/front-proxy-ca.crt

Remove Expired Certificates

As you can see in the example above, a few certificates expired in December. Execute the steps below to remove the expired certificates.

# backup the kubernetes folder
$ cp -r /etc/kubernetes /etc/kubernetes.bak

# remove the expired certs
$ rm -rf /etc/kubernetes/pki/apiserver* /etc/kubernetes/pki/front-proxy-client.*

The following expired certificates have been removed.

  • /etc/kubernetes/pki/apiserver.crt
  • /etc/kubernetes/pki/apiserver-kubelet-client.crt
  • /etc/kubernetes/pki/front-proxy-client.crt

Execute the following command and you will see that now, only the two ca certificates (which are still valid and not expired) are available.

# this should show just the two CA certs
$ for i in $(ls /etc/kubernetes/pki/*.crt); \
do echo $i; openssl x509 -dates -noout -in $i | \
grep After; echo "---"; done

/etc/kubernetes/pki/ca.crt
notAfter=Dec  7 21:50:53 2029 GMT
---
/etc/kubernetes/pki/front-proxy-ca.crt
notAfter=Dec  7 21:50:54 2029 GMT

Generate New Certificates

Execute the following step to generate new certificates for the ones expired and removed.

Backup the Kubernetes folder

$ cp -r /etc/kubernetes /etc/kubernetes.bak

Renew the certificates

$ kubeadm alpha certs renew all

Verify the certificates have been generated successfully

$ for i in $(ls /etc/kubernetes/pki/*.crt); \
do echo $i; openssl x509 -dates -noout -in $i | \
grep After; echo "---"; done
 
/etc/kubernetes/pki/apiserver.crt
notAfter=Dec 11 21:50:53 2021 GMT
---
/etc/kubernetes/pki/apiserver-kubelet-client.crt
notAfter=Dec 11 21:50:54 2021 GMT
---
/etc/kubernetes/pki/ca.crt
notAfter=Dec  7 21:50:53 2029 GMT
---
/etc/kubernetes/pki/front-proxy-ca.crt
notAfter=Dec  7 21:50:54 2029 GMT
---
/etc/kubernetes/pki/front-proxy-client.crt
notAfter=Dec 11 21:50:54 2021 GMT

You will see that the following certificates now expire in December 2021.

  • /etc/kubernetes/pki/apiserver.crt
  • /etc/kubernetes/pki/apiserver-kubelet-client.crt
  • /etc/kubernetes/pki/front-proxy-client.crt

And, the two ca certificates will expire in December 2029.

  • /etc/kubernetes/pki/ca.crt
  • /etc/kubernetes/pki/front-proxy-ca.crt

Generate New Admin Configuration File

kubectl runs commands against the Kubernetes API Server. When sending the requests, it looks for the admin config file which contains the certificate data.

After rotating the certificates, the admin config file must be regenerated along with the config files for the other components.

You will need to copy the admin config over for the sevone user as well.
# generate the conf files
$ rm -rf /etc/kubernetes/{admin.conf,kubelet.conf,controller-manager.conf,scheduler.conf}
$ kubeadm init phase kubeconfig all

# copy over the admin config for the root user
$ cp /etc/kubernetes/admin.conf ~/.kube/config

# copy over the admin config for the sevone user
$ cp /etc/kubernetes/admin.conf /home/sevone/.kube/config

$ chown -R sevone:sevone /home/sevone/.kube

Restart Services

Restart kubelet for the changes to take effect.

$ systemctl restart kubelet

At this point, you can now run Kubernetes commands. This will allow you to backup the important security keys in case you have not done so already.