SevOne Data Insight Migrate Operating System & Data Guide
SevOne Documentation
All documentation is available from the IBM SevOne Support customer portal.
© Copyright International Business Machines Corporation 2023.
All right, title, and interest in and to the software and documentation are and shall remain the exclusive property of IBM and its respective licensors. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of IBM.
IN NO EVENT SHALL IBM, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF IBM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND IBM DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT.
IBM, the IBM logo, and SevOne are trademarks or registered trademarks of International Business Machines Corporation, in the United States and/or other countries. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on ibm.com/trademark.
- About
- Pre-Upgrade Checklist
- Migrate from RHEL to CentOS 7
- Manage Disk Space Usage
- Rotate Kubernetes Certificates
About
This guide applies only if you are on SevOne Data Insight >= 3.0.0 and SevOne Data Insight <= 3.4.x. The operating system changed from Red Hat Enterprise Linux (RHEL) to CentOS 7 in SevOne Data Insight 3.5. This guide provides details on how to migrate the operating system and data.
As of SevOne Data Insight 3.5 release, the operating system has been changed from Red Hat Enterprise Linux (RHEL) to CentOS 7. You will not be able to rollback the operating system once you install SevOne Data Insight 3.5 or higher version.
For details on sevone-cli, please refer to SevOne Data Insight Troubleshooting / Debug / Tools Guide > section Tools > subsection SevOne CLI.
In this guide if there is,
- [any reference to master] OR
- [[if a CLI command (for NMS or Kubernetes or Redis) contains master] AND/OR
- [its output contains master]],
And, if there is any reference to slave or worker, it means follower or agent.
Pre-Upgrade Checklist
-
Using ssh , log into SevOne Data Insight as sevone.
$ ssh sevone@<SevOne Data Insight 'control plane' node IP address or hostname>
-
Change directory to /home/sevone.
$ cd /home/sevone
Migrate the operating system from RHEL to CentOS 7 using the latest unrhel-v<#.#.#>.tgz file. Please replace <#.#.#> with the build number. For example, unrhel-v5.2.9.tgz. The latest file can be downloaded from IBM Passport Advantage (https://www.ibm.com/software/passportadvantage/pao_download_software.html) via Passport Advantage Online. However, if you are on a legacy / flexible SevOne contract and do not have access to IBM Passport Advantage but have an active Support contract, please contact IBM SevOne Support for the file. Place the file in /home/sevone.
-
Download the following (latest) files from IBM Passport Advantage via Passport Advantage Online or contact the IBM SevOne Support if you have an active Support contract. You must place these files in /home/sevone directory of the control plane node.
- sdi-v6.6.0-build.139.tgz
- sdi-v6.6.0-build.139.tgz.sha256.txt
- signature-tools-<latest version>-build.<###>.tgz
For example, signature-tools-2.0.1-build.1.tgz - signature-tools-<latest version>-build.<###>.tgz.sha256.txt
For example, signature-tools-2.0.1-build.1.tgz.sha256.txt
-
Migrate the operating system from RHEL to CentOS 7 using the latest unrhel-v<#.#.#>.tgz file. Please replace <#.#.#> with the build number. For example, unrhel-v5.2.9.tgz. Download the latest file from IBM Passport Advantage via Passport Advantage Online or contact the IBM SevOne Support if you have an active Support contract. Place the file in /home/sevone.
$ ls -lah /home/sevone
You should see all the files mentioned in steps 3 and 4 above in this directory.
Migrate from RHEL to CentOS 7
Pre-Migration Checklist
Before proceeding with the migration of the operating system, please check the following.
Database Backup
Execute the following commands to backup all of the data that is critical for a healthy running SevOne Data Insight deployment.
$ sdi-cli exec mysql -- mysqldump -uroot -pdatainsight \
--databases datainsight reportscheduler | \
grep -v "Using a password" > /home/sevone/sdidata-$(date +%d-%m-%Y).sql
$ sdi-cli backup-securitykeys -okeys.json -P /home/sevone
Disk Usage
If your disk usage is at or above 65%, consider cleaning up your Hard Disk Drive (HDD).
DNS Config
Kubernetes requires a valid DNS config on all the nodes.
This can be done by adding your DNS servers via nmtui or editing the /etc/resolv.conf file directly. For details on nmtui, please refer to SevOne Data Insight Pre-Installation Guide.
For details on /etc/resolv.conf, please refer to SevOne Data Insight Troubleshooting / Debug / Tools Guide.
Ensure createKeys is Enabled
If you have /opt/datainsight/values-override.yaml file present, ensure that the following section is removed as it is detrimental to the upgrade.
serviceAccount:
createKeys:
enabled: false
Kubernetes Certificates
If the command below fails with the following (or something similar) message, you will need to rotate your Kubernetes certificates first.
$ kubectl get pods
Unable to connect to the server: x509: certificate has expired or is not yet valid
Kubernetes Config
Ensure that the root user's Kubernetes config is set properly.
$ sudo mkdir /root/.kube
$ sudo cp /etc/kubernetes/admin.conf /root/.kube/config
Set a Default Route
Check if there is a default route added to the routing table.
$ ip route | grep default
If it returns empty, add the default route using the command below.
$ ip route add default via <default_gateway>
TLS Certificates
If TLS is enabled in /opt/datainsight/values-override.yaml file, ensure that the certificate is called datainsightcerts.
If not, please refer to SevOne Data Insight Administration Guide > Configuration > TLS Certificates > section Fix an Invalid TLS Secret Name.
Migrate Operating System
SevOne Data Insight operating system has migrated from RHEL to CentOS 7.
-
Using ssh, log into SevOne Data Insight as sevone.
$ ssh sevone@<SevOne Data Insight IP address or hostname>
-
Execute the following steps to migrate the operating system.
$ screen -S unrhel $ tar xvfz /home/sevone/unrhel-*.tgz -C /home/sevone $ sudo bash /home/sevone/unrhel/scripts/migrate os 2>&1 | \ tee -a /home/sevone/unrhel_os.log
If you are using unrhel_v5.1.1.tgz or above, the script will automatically remove configshell from /usr/local/bin directory.After the migration completes successfully, nodes will restart.Perform the following 3 checks:
- Did the migration from RHEL to CentOS 7 complete successfully?
- When you run sudo nmcli dev | grep -i ^eth, does the command return anything?
- When you run sudo grep 'biosdevname=0 net.ifnames=0' /etc/default/grub, is it empty?
$ sudo -i $ sed -i 's/GRUB_CMDLINE_LINUX="[^"]*/& biosdevname=0 net.ifnames=0/' \ /etc/default/grub $ grub2-mkconfig --output=/boot/grub2/grub.cfg
You are now ready to migrate your data.
Migrate Data
After the migration completes successfully and the nodes are backed up, you may proceed to restore your data. You will require the latest SevOne Data Insight build. For example, sdi-v6.6.0-build.139.tgz file. Download the latest file from IBM Passport Advantage via Passport Advantage Online or contact the IBM SevOne Support if you have an active Support contract. Place it in /home/sevone.
Please execute the following steps.
-
Using ssh, log into SevOne Data Insight as sevone.
$ ssh sevone@<SevOne Data Insight IP address or hostname>
-
If you have any agent nodes, please make sure your SSH keys are still valid. If not, run the following command to set the SSH keys.
$ IFS=$'\n'; for line in $(cat /home/sevone/unrhel/backups/workers); \ do ip=${line##* }; ssh-copy-id sevone@$ip; \ ssh sevone@$ip 'sudo cp /home/sevone/.ssh/authorized_keys /root/.ssh/'; \ done
-
You are now ready to migrate your data.
$ screen -S unrhel $ sudo bash /home/sevone/unrhel/scripts/migrate \ kube $(ls -Art sdi-*.tgz | tail -n 1) 2>&1 | \ tee -a /home/sevone/unrhel_kube.log
You are now on SevOne Data Insight 6.6.
Upgrade SOA
-
Using ssh, log into SevOne Data Insight as sevone.
$ ssh sevone@<SevOne Data Insight IP address or hostname>
-
After unrhel completes migrating your data, you will notice the GraphQL pod is in a crash loop. Upgrade SOA to fix this.
If you are running a single-node NMS cluster, you may omit the --all-peers flag in the command below.$ sevone-cli soa upgrade /opt/SevOne/upgrade/utilities/SevOne-soa-*.rpm --all-peers
If a cluster is larger than ~20 peers, it is recommended that you only upgrade the datasource nms and schedule to run the upgrade on all peers at a later time.
Execute the following command to obtain the datasource IP address.$ sevone-cli mysql 'SELECT address from datasources WHERE \ dstype = "nms-datasource" OR dstype = "METRICS/FLOW"' | \ grep -oP 'https://\K\S+'
Once you have obtained the datasource IP address, execute the following command.
$ sevone-cli soa upgrade /opt/SevOne/upgrade/utilities/SevOne-soa-*.rpm \ <br /> <enter SevOne NMS IP address>
-
After SOA is updated, restart the GraphQL pod.
$ kubectl delete pods -l app.kubernetes.io/component=graphql
Verify Upgrade
Execute the following command to verify the upgrade.
-
Using ssh, log into SevOne Data Insight as sevone.
$ ssh sevone@<SevOne Data Insight IP address or hostname>
-
Check the status of the upgrade by running the following command. Ensure that everything is in Running status.
$ kubectl get pods NAME READY STATUS RESTARTS AGE di-create-secrets-kxzkm 0/1 Completed 0 21h di-graphql-5879886c46-zshfr 1/1 Running 1 (27m ago) 21h ingress-ingress-nginx-controller-f5fb79d48-fz7bl 1/1 Running 1 (27m ago) 21h ingress-ingress-nginx-defaultbackend-7f5fbcdcdc-jps25 1/1 Running 1 (27m ago) 21h di-kube-state-metrics-84f86b867b-r7xrg 1/1 Running 1 (27m ago) 21h di-printer-68f6bddb6f-hkhdt 1/1 Running 1 (27m ago) 21h di-redis-master-0 2/2 Running 2 (27m ago) 21h di-minio-cd4bc55fb-b649g 1/1 Running 1 (27m ago) 21h di-ui-58b687f949-x46ps 1/1 Running 1 (27m ago) 21h di-wdkserver-78c499cc8c-tsjzj 1/1 Running 1 (27m ago) 21h datasource-operator-controller-manager-6c8fc59bb9-c7trt 2/2 Running 2 (27m ago) 21h di-prometheus-node-exporter-gwbjh 1/1 Running 1 (27m ago) 21h di-mysql-0 2/2 Running 2 (27m ago) 21h di-migrator-69bc8dbbdc-jgms2 1/1 Running 1 (27m ago) 21h di-prometheus-server-6797d7c66-sfg8m 2/2 Running 2 (27m ago) 21h di-rabbitmq-0 1/1 Running 1 (27m ago) 21h di-scheduler-67b79494b9-4j9rr 1/1 Running 1 (27m ago) 21h di-asset-sweeper-27949980-kcrh9 0/1 Completed 0 15m di-user-sync-27949980-5v2dv 0/1 Completed 0 15m di-asset-sweeper-27949985-f75cn 0/1 Completed 0 10m di-user-sync-27949985-rm2rn 0/1 Completed 0 10m di-asset-sweeper-27949990-xrgqq 0/1 Completed 0 5m4s di-user-sync-27949990-p8zqb 0/1 Completed 0 5m4s di-user-sync-27949995-2hj7c 1/1 Running 0 4s di-asset-sweeper-27949995-nmx5b 0/1 Completed 0 4s
Manage Disk Space Usage
Over time, SevOne Data Insight installation may accumulate the old logs and files that can be cleaned up without any side-effects.
Old Installer Archives
SevOne Data Insight archives are approximately 1.5GB in size. Removing these archives can quickly clean up your Hard Disk Drive if you are running low on available disk space. Execute the following command to find the files.
Example
$ sdi-cli cluster exec --all 'find /opt/ -name "ins1ght-installer-*.tgz"'
/opt/datainsight/releases/ins1ght-installer-v1.6.0.tgz
/opt/datainsight/releases/ins1ght-installer-v1.6.1.tgz
/opt/datainsight/releases/ins1ght-installer-v1.6.1.1.tgz
/opt/datainsight/releases/ins1ght-installer-v2.0.0.tgz
/opt/datainsight/releases/ins1ght-installer-v2.1.0.tgz
/opt/datainsight/releases/ins1ght-installer-v2.2.0.tgz
/opt/datainsight/releases/ins1ght-installer-v3.0.0.tgz
/opt/datainsight/releases/ins1ght-installer-v3.1.0-build18.tgz
/opt/datainsight/releases/ins1ght-installer-v3.2.0-build14.tgz
/opt/datainsight/releases/ins1ght-installer-v3.3.0-build.19.tgz
/opt/datainsight/releases/ins1ght-installer-v3.4.0-build.21.tgz <-- active version
Installer archives may erroneously be placed in / folder.
Unused elasticsearch Data
Elasticsearch was removed from SevOne Data Insight >= v1.6.1 and its persisted data can be found in /var/sdi-data. This is not removed automatically to preserve the option to rollback. If you are on newer versions of SevOne Data Insight, it is safe to remove this data. Execute the following command to find where this can be found in your setup.
$ sdi-cli cluster exec --all 'sudo find /var/sdi-data -type d -name elastic'
/var/sdi-data/elastic
Log Files
Kubernetes constantly outputs logs to /var/log/messages. Over time, this folder can accumulate several gigabytes worth of logs. Execute the following command to find the log files which can safely be removed.
Example
$ sdi-cli cluster exec --all 'sudo du -sh /var/log/* | grep messages'
27M /var/log/messages
3.5G /var/log/messages-20210430
1.4G /var/log/messages-20210502
79M /var/log/messages-20210509
Rotate Kubernetes Certificates
Kubernetes uses kubectl command to control the Kubernetes cluster. It works by sending a REST API command to API Server.
During provisioning, the certificates necessary for this communication are generated with an expiry date of one-year. When that year is up, you will need to rotate your certificates.
$ kubectl get pods
Unable to connect to the server: x509: certificate has expired or is not yet valid
Find Expired Certificates
Kubernetes keeps its certificates in /etc/kubernetes/pki. In this directory, expired certificates can be isolated.
For the example below, let’s assume today’s date is Dec 15 2020.
You must be a root user.
Example
# log in as the root user
$ sudo -i
# find the expired certs
$ for i in $(ls /etc/kubernetes/pki/*.crt); \
do echo $i; openssl x509 -dates -noout -in $i | \
grep After; echo "---"; done
/etc/kubernetes/pki/apiserver.crt
notAfter=Dec 10 21:50:53 2020 GMT
---
/etc/kubernetes/pki/apiserver-kubelet-client.crt
notAfter=Dec 10 21:50:54 2020 GMT
---
/etc/kubernetes/pki/ca.crt
notAfter=Dec 7 21:50:53 2029 GMT
---
/etc/kubernetes/pki/front-proxy-ca.crt
notAfter=Dec 7 21:50:54 2029 GMT
---
/etc/kubernetes/pki/front-proxy-client.crt
notAfter=Dec 10 21:50:54 2020 GMT
Based on this example, you will see that the following certificates expired in December 2020.
- /etc/kubernetes/pki/apiserver.crt
- /etc/kubernetes/pki/apiserver-kubelet-client.crt
- /etc/kubernetes/pki/front-proxy-client.crt
And, the two ca certificates expire in December 2029.
- /etc/kubernetes/pki/ca.crt
- /etc/kubernetes/pki/front-proxy-ca.crt
Remove Expired Certificates
As you can see in the example above, a few certificates expired in December. Execute the steps below to remove the expired certificates.
# backup the kubernetes folder
$ cp -r /etc/kubernetes /etc/kubernetes.bak
# remove the expired certs
$ rm -rf /etc/kubernetes/pki/apiserver* /etc/kubernetes/pki/front-proxy-client.*
The following expired certificates have been removed.
- /etc/kubernetes/pki/apiserver.crt
- /etc/kubernetes/pki/apiserver-kubelet-client.crt
- /etc/kubernetes/pki/front-proxy-client.crt
Execute the following command and you will see that now, only the two ca certificates (which are still valid and not expired) are available.
# this should show just the two CA certs
$ for i in $(ls /etc/kubernetes/pki/*.crt); \
do echo $i; openssl x509 -dates -noout -in $i | \
grep After; echo "---"; done
/etc/kubernetes/pki/ca.crt
notAfter=Dec 7 21:50:53 2029 GMT
---
/etc/kubernetes/pki/front-proxy-ca.crt
notAfter=Dec 7 21:50:54 2029 GMT
Generate New Certificates
Execute the following step to generate new certificates for the ones expired and removed.
Backup the Kubernetes folder
$ cp -r /etc/kubernetes /etc/kubernetes.bak
Renew the certificates
$ kubeadm alpha certs renew all
Verify the certificates have been generated successfully
$ for i in $(ls /etc/kubernetes/pki/*.crt); \
do echo $i; openssl x509 -dates -noout -in $i | \
grep After; echo "---"; done
/etc/kubernetes/pki/apiserver.crt
notAfter=Dec 11 21:50:53 2021 GMT
---
/etc/kubernetes/pki/apiserver-kubelet-client.crt
notAfter=Dec 11 21:50:54 2021 GMT
---
/etc/kubernetes/pki/ca.crt
notAfter=Dec 7 21:50:53 2029 GMT
---
/etc/kubernetes/pki/front-proxy-ca.crt
notAfter=Dec 7 21:50:54 2029 GMT
---
/etc/kubernetes/pki/front-proxy-client.crt
notAfter=Dec 11 21:50:54 2021 GMT
You will see that the following certificates now expire in December 2021.
- /etc/kubernetes/pki/apiserver.crt
- /etc/kubernetes/pki/apiserver-kubelet-client.crt
- /etc/kubernetes/pki/front-proxy-client.crt
And, the two ca certificates will expire in December 2029.
- /etc/kubernetes/pki/ca.crt
- /etc/kubernetes/pki/front-proxy-ca.crt
Generate New Admin Configuration File
kubectl runs commands against the Kubernetes API Server. When sending the requests, it looks for the admin config file which contains the certificate data.
After rotating the certificates, the admin config file must be regenerated along with the config files for the other components.
# generate the conf files
$ rm -rf /etc/kubernetes/{admin.conf,kubelet.conf,controller-manager.conf,scheduler.conf}
$ kubeadm init phase kubeconfig all
# copy over the admin config for the root user
$ cp /etc/kubernetes/admin.conf ~/.kube/config
# copy over the admin config for the sevone user
$ cp /etc/kubernetes/admin.conf /home/sevone/.kube/config
$ chown -R sevone:sevone /home/sevone/.kube
Restart Services
Restart kubelet for the changes to take effect.
$ systemctl restart kubelet
At this point, you can now run Kubernetes commands. This will allow you to backup the important security keys in case you have not done so already.