Configuring Secure Service Container storage

Use this procedure to make resources like storage devices and network connections assigned to the Secure Service Container partition available in the Secure Service Container for IBM Cloud Private. These resources can then be used by the containerized applications running on worker nodes inside the Secure Service Container. This procedure is intended for users with the appliance administrator role.

Before you begin

Procedure

  1. To match the disk space requirements of the containerized application, add storage disks to storage pool Appliance Data. For instructions, see the following topic in Secure Service Container User's Guide:

    • Chapter 14, "Using the Secure Service Container user interface", section "Viewing and managing storage resources"

    Note: If you have added the disks to the appliance on the Secure Service Container portal, go to step 3 to configure the data pool size by using the REST API.

  2. If required by the containerized application, configure an additional network adapter for the Secure Service Container for IBM Cloud Private. For instructions, see the following topic in Secure Service Container User's Guide:

    • Chapter 14, "Using the Secure Service Container user interface", section "Viewing and managing network connections"
  3. Configure the data pool size by using the REST API. See the Secure Service Container for IBM Cloud Private System APIs for a full list of REST API endpoints. Note that for each worker or proxy node running on the Secure Service Container, you need to allocate at least 200 GB for the data pool.

    a. Generate the access token to the Secure Service Container by using the following command.

    curl --request POST --url https://<appliance_IP>/api/com.ibm.zaci.system/api-tokens \
    -H 'accept: application/vnd.ibm.zaci.payload+json' -H 'cache-control: no-cache' \
    -H 'content-type: application/vnd.ibm.zaci.payload+json;version=1.0' \
    -H 'zaci-api: com.ibm.zaci.system/1.0' --insecure \
    --data '{ "kind" : "request", "parameters" : { "user" : "<master_id>", "password" : "<master_id_password>" } }'
    

    Where:

    • appliance_IP is the Secure Service Container IP address.
    • master_id is the Master user ID in the image profile (standard mode system) or the partition definition (DPM-enabled system) for the Secure Service Container partition.
    • master_id_password is the Master password in the same profile or definition for the partition.

    b. For the disks identified in the worker or proxy node checklist in the Planning for Secure Service Container for IBM Cloud Private topic, run the following command to add the disks to the data pool if they were not already added on the Secure Service Container user interface. Note that you can remove the --insecure option from the command if you import the self-signed SSL certificate. See SSL Certificate Verification for more information.

    curl -X POST https://<appliance_IP>/api/com.ibm.zaci.system/storagepools/lv_data_pool/<subresource> \
    -H 'accept: application/vnd.ibm.zaci.payload+json' -H 'cache-control: no-cache' \
    -H 'content-type: application/vnd.ibm.zaci.payload+json;version=1.0' \
    -H 'zaci-api: com.ibm.zaci.system/1.0' --insecure \
    -H 'authorization: Bearer <TOKEN>' -d '{ "kind": "request", "parameters": { "addDisks": [ "<disk_id1>", "<disk_id2>" ] } }'
    

    Where:

    • appliance_IP is the Secure Service Container IP address.
    • subresource identifies the resource type to be added to the pool, which can be either storage-devices (to represent a DASD) or fcp-disks (to represent a SCSI disk/LUN).
    • TOKEN is the bearer token that you get in the previous step.
    • disk_id1 and disk_id2 are the disk identifiers to be added to the data pool. You can get the values from your Secure Service Container partition administrator.

    c. Check the status of the disks added to the data pool by using the following command. If the disks are successfully added to the pool, each disk is shown in the used state.

    curl -X GET https://<appliance_IP>/api/com.ibm.zaci.system/storagepools/lv_data_pool \
    -H 'accept: application/vnd.ibm.zaci.payload+json' -H 'cache-control: no-cache' \
    -H 'content-type: application/vnd.ibm.zaci.payload+json;version=1.0' \
    -H 'zaci-api: com.ibm.zaci.system/1.0' --insecure \
    -H 'authorization: Bearer <TOKEN>'
    

    Where:

    • appliance_IP is the Secure Service Container IP address.
    • TOKEN is the bearer token that you generated in step a.

    d. Increase the data pool size by using the following command.

    curl -X PUT https://<appliance_IP>/api/com.ibm.zaas/quotagroups/appliance_data \
    -H 'Content-Type: application/vnd.ibm.zaci.payload+json;version=1.0' \
    -H 'zACI-API: com.ibm.zaci.system/1.0' --insecure \
    -H 'authorization: Bearer <TOKEN>' -d '{ "size": "<SIZE>", "size_unit": "GB"}'
    

    Where:

    • appliance_IP is the Secure Service Container IP address.
    • TOKEN is the bearer token that you generated in step a.
    • SIZE is the amount of disk space, in GB, that you want to allocate to the data pool. The minimum size is 50 GB.
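
    The following helper functions are an added example, not part of the original IBM documentation. They wrap steps b to d with certificate verification instead of --insecure and keep the bearer token out of the process argument list. The function names, the SSC_HOST, SSC_CACERT and SSC_TOKEN environment variables, and the accepted disk-id character set are assumptions made for this example.

```shell
# Headers shared by the curl commands in step 3 of the procedure.
ACCEPT_HDR='accept: application/vnd.ibm.zaci.payload+json'
CT_HDR='content-type: application/vnd.ibm.zaci.payload+json;version=1.0'
API_HDR='zaci-api: com.ibm.zaci.system/1.0'

# Step b body: ssc_add_disks_body SUBRESOURCE DISK_ID...
# Accepts only the two subresources the page lists. The disk-id character
# set is an assumption; it keeps quotes and commas out of the JSON.
ssc_add_disks_body() {
    case "$1" in
        storage-devices|fcp-disks) ;;
        *) echo "invalid subresource: $1" >&2; return 1 ;;
    esac
    shift
    [ "$#" -gt 0 ] || { echo "no disk ids given" >&2; return 1; }
    list=''
    for id in "$@"; do
        case "$id" in
            ''|*[!A-Za-z0-9._:-]*) echo "invalid disk id: $id" >&2; return 1 ;;
        esac
        list="${list:+$list, }\"$id\""
    done
    printf '{ "kind": "request", "parameters": { "addDisks": [ %s ] } }\n' "$list"
}

# Step d body: ssc_quota_body NODE_COUNT SIZE_GB
# Enforces the page's rule of at least 200 GB per worker or proxy node.
ssc_quota_body() {
    for n in "$1" "$2"; do
        case "$n" in ''|*[!0-9]*) echo "not an integer: $n" >&2; return 1 ;; esac
    done
    need=$(( $1 * 200 ))
    [ "$1" -ge 1 ] && [ "$2" -ge "$need" ] ||
        { echo "need at least ${need} GB for $1 node(s)" >&2; return 1; }
    printf '{ "size": "%s", "size_unit": "GB"}\n' "$2"
}

# ssc_request METHOD PATH [BODY]
# --cacert verifies the appliance certificate against the imported CA file;
# the token is passed through --config on stdin, not on the command line.
ssc_request() {
    : "${SSC_HOST:?}" "${SSC_CACERT:?}" "${SSC_TOKEN:?}"
    printf 'header = "authorization: Bearer %s"\n' "$SSC_TOKEN" |
        curl --fail --silent --show-error --config - --cacert "$SSC_CACERT" \
             -X "$1" "https://$SSC_HOST$2" \
             -H "$ACCEPT_HDR" -H "$CT_HDR" -H "$API_HDR" ${3:+--data "$3"}
}
```

    For example, step b for one SCSI disk becomes ssc_request POST /api/com.ibm.zaci.system/storagepools/lv_data_pool/fcp-disks "$(ssc_add_disks_body fcp-disks <disk_id1>)", and step c becomes ssc_request GET /api/com.ibm.zaci.system/storagepools/lv_data_pool.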