Understanding the cloudkit installation options

This topic covers the command options available for deploying and managing an IBM Storage Scale cluster on a public cloud.

The cloudkit provides an interactive experience that guides the user through its prompts. The commands outlined below are the starting points; use them to begin the interaction with the cloudkit.

Preparation

The cloudkit needs to be installed on a Linux-based host before it can be used for an IBM Storage Scale deployment on a public cloud. Such a Linux-based host is referred to as the installer node. For information about setting up an installer node, see Preparing the installer node. After the cloudkit setup is complete, log in to the installer node.

The cloudkit binary is found in the /usr/lpp/mmfs/release_version/cloudkit directory. In this directory, the IBM Storage Scale cloudkit can be invoked through the cloudkit command. Optionally, this directory can be added to the PATH.

Before attempting to create an IBM Storage Scale cluster on a public cloud, the cloudkit must be configured as described in the next sections.

Initialization

  1. Use the cloudkit init command to install the prerequisites needed for the utility.
    To configure, run the cloudkit init command:
    $ ./cloudkit init
    I: Logging at /root/scale-cloudkit/logs/cloudkit-25-10-2023_0-11-59.log
    ? Passphrase file path for encrypting DB contents: /root/secrets/cloudkit_config.ini

    The path to the passphrase file must be supplied when the init command runs. For more information, see Preparing the cloudkit environment file.

    Note: When a new version of the IBM Storage Scale data bundle is downloaded from IBM Fix Central and extracted to a node, it is mandatory to rerun the cloudkit init command even if the command was previously run for a different version of IBM Storage Scale.
  2. Use the cloudkit configure command to configure the local machine to use your cloud account. For more information, see Configuring the cloudkit.
  3. Use the cloudkit validate command to check the permissions needed to deploy the cluster and to verify the cloud quota for the cluster installation.
    The following permissions are required for executing the cloudkit:
    • AWS permissions
      iam:ListAttachedUserPolicies
      servicequotas:ListServiceQuotas
      ec2:AuthorizeSecurityGroupIngress
      ec2:ModifyVpcAttribute
      ec2:CreateInternetGateway
      ec2:CreateSecurityGroup
      ec2:CreateVpcEndpoint
      iam:PutRolePolicy
      iam:GetRole
      logs:DeleteLogGroup
      ec2:DescribeVpcs
      ec2:DescribeSecurityGroupRules
      autoscaling:DescribeScalingActivities
      ec2:DescribePlacementGroups
      ec2:DescribeVpcClassicLink
      iam:CreateRole
      s3:ListAllMyBuckets
      s3:DeleteBucket
      ec2:DeleteRouteTable
      iam:GetInstanceProfile
      ec2:DisassociateAddress
      ec2:DescribeInternetGateways
      ec2:CreateVpc
      ec2:CreateLaunchTemplateVersion
      ec2:CreateRouteTable
      ec2:DescribeNatGateways
      s3:CreateBucket
      ec2:DeleteSecurityGroup
      iam:AddRoleToInstanceProfile
      ec2:DeleteKeyPair
      ec2:RevokeSecurityGroupIngress
      ec2:RunInstances
      iam:DeleteRolePolicy
      ec2:DescribeNetworkInterfaces
      ec2:DeregisterImage
      iam:ListInstanceProfilesForRole
      ec2:DescribeLaunchTemplateVersions
      iam:DeleteRole
      ec2:DescribeDhcpOptions
      ec2:DescribeVpcClassicLinkDnsSupport
      ec2:GetLaunchTemplateData
      ec2:DescribePrefixLists
      ec2:DisassociateRouteTable
      s3:PutBucketPolicy
      ec2:DeletePlacementGroup
      SNS:DeleteTopic
      autoscaling:CreateAutoScalingGroup
      ec2:DetachInternetGateway
      ec2:DeleteNetworkAclEntry
      ec2:DescribeKeyPairs
      ec2:RevokeSecurityGroupEgress
      autoscaling:DeleteAutoScalingGroup
      autoscaling:CreateLaunchConfiguration
      ec2:ModifyVpcEndpoint
      autoscaling:SetInstanceProtection
      ec2:DescribeVpcEndpoints
      iam:GetRolePolicy
      ec2:DeleteNatGateway
      iam:CreateInstanceProfile
      SNS:ListTagsForResource
      ec2:DescribeImages
      s3:GetBucketLocation
      logs:ListTagsLogGroup
      iam:PassRole
      ec2:CreatePlacementGroup
      ec2:AssociateRouteTable
      ec2:DeleteVpc
      logs:CreateLogGroup
      ec2:DeleteInternetGateway
      ec2:DescribeNetworkAcls
      ec2:DescribeInstanceCreditSpecifications
      ec2:CreateDhcpOptions
      iam:ListGroupPolicies
      ec2:DeleteVpcEndpoints
      ec2:DeleteRoute
      ec2:DescribeVolumes
      autoscaling:DescribeAutoScalingGroups
      iam:DeleteInstanceProfile
      s3:DeleteObject
      autoscaling:UpdateAutoScalingGroup
      ec2:DeleteDhcpOptions
      s3:PutObject
      ec2:CreateKeyPair
      ec2:DescribeRouteTables
      ec2:AssociateDhcpOptions
      iam:ListAttachedRolePolicies
      ec2:TerminateInstances
      s3:DeleteBucketPolicy
      ec2:DescribeVpcAttribute
      iam:ListRolePolicies
      ec2:DescribeAddresses
      ec2:ModifyImageAttribute
      ec2:AllocateAddress
      ec2:CreateNatGateway
      ec2:DescribeInstances
      ec2:DescribeSubnets
      iam:ListAttachedGroupPolicies
      ec2:DescribeInstanceAttribute
      SNS:Subscribe
      logs:DeleteMetricFilter
      ec2:CreateImage
      s3:ListBucket
      ec2:DescribeInstanceTypes
      ec2:DescribeLaunchTemplates
      ec2:DescribeSecurityGroups
      ec2:CreateSubnet
      ec2:StopInstances
      SNS:CreateTopic
      ec2:CreateNetworkAclEntry
      SNS:SetTopicAttributes
      SNS:Unsubscribe
      ec2:DeleteSubnet
      s3:GetBucketWebsite
      ec2:ReleaseAddress
      iam:RemoveRoleFromInstanceProfile
      ec2:AttachInternetGateway
      logs:PutMetricFilter
      SNS:GetTopicAttributes
      ec2:DescribeRegions
      ec2:AuthorizeSecurityGroupEgress
      ec2:DescribeInstanceStatus
      ec2:DescribeAvailabilityZones
      ec2:CreateLaunchTemplate
      ec2:DescribeTags
      ec2:DeleteSnapshot
      logs:DescribeMetricFilters
      SNS:GetSubscriptionAttributes
      logs:DescribeLogGroups
      ec2:CreateRoute
      ec2:CreateTags
      ec2:DescribeIamInstanceProfileAssociations
      iam:ListGroupsForUser
      ec2:DeleteLaunchTemplate
      s3:ListBucketVersions
      s3:PutBucketWebsite
      autoscaling:SuspendProcesses
      kms:*
    • GCP role permissions
      Note: To run validate permission, GCP requires at least the Browser role permission.

      Artifact Registry Administrator
      Cloud KMS CryptoKey Encrypter/Decrypter
      Compute Instance Admin (v1)
      Compute Network Admin
      Compute Security Admin
      DNS Administrator
      Service Account User
      Storage Admin
      Browser
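The AWS permission list above is what cloudkit validate checks for, and it is also the natural input for a least-privilege IAM policy for the cloudkit principal. The following added example (not part of the IBM documentation or of cloudkit) parses actions written one per line, groups them into one Allow statement per service, and flags wildcard actions such as kms:* so that a reviewer can narrow their Resource element to specific key ARNs before the policy is attached. Only a subset of the actions is embedded; the full list above can be pasted in the same way.

```python
"""Build a per-service IAM policy document from the cloudkit permission list.

Added example, not IBM documentation or cloudkit code. Actions are taken from
the list on this page; the policy layout (one statement per service, Resource
"*") is this example's own choice and should be narrowed before use.
"""
import json
import re

# Subset of the actions listed above, one per line; paste the full list here.
CLOUDKIT_ACTIONS_TEXT = """
iam:ListAttachedUserPolicies
servicequotas:ListServiceQuotas
ec2:AuthorizeSecurityGroupIngress
ec2:RunInstances
iam:PassRole
s3:CreateBucket
kms:*
"""

# An IAM action is "<service>:<Operation>" where the operation may be a wildcard.
ACTION_RE = re.compile(r"^[A-Za-z0-9-]+:[A-Za-z0-9*]+$")


def parse_actions(text):
    """Return the unique, syntactically valid actions in order of appearance."""
    actions = []
    for line in text.splitlines():
        action = line.strip()
        if not action:
            continue
        if not ACTION_RE.match(action):
            raise ValueError(f"malformed IAM action: {action!r}")
        if action not in actions:
            actions.append(action)
    return actions


def build_policy(actions):
    """Group actions by service prefix into one Allow statement per service."""
    by_service = {}
    for action in actions:
        service = action.split(":", 1)[0].lower()
        by_service.setdefault(service, []).append(action)
    statements = [
        {
            "Sid": f"Cloudkit{service.capitalize()}",
            "Effect": "Allow",
            "Action": sorted(acts),
            # Resource is left at "*" here; scope it per service (for example
            # to the KMS key ARNs cloudkit actually uses) before deployment.
            "Resource": "*",
        }
        for service, acts in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def wildcard_actions(actions):
    """Actions that grant every operation of a service; review these first."""
    return [a for a in actions if a.endswith("*")]


if __name__ == "__main__":
    acts = parse_actions(CLOUDKIT_ACTIONS_TEXT)
    print(json.dumps(build_policy(acts), indent=2))
    for a in wildcard_actions(acts):
        print(f"review: {a} grants all operations of that service")
```

Run the script to print the policy JSON; the wildcard report at the end lists the statements that deserve a tighter Resource element.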

Deployment

Before deploying IBM Storage Scale on a public cloud, make sure to complete the procedures described in Initialization.

To understand the deployment options provided by the cloudkit, you need to know how cloudkit deploys IBM Storage Scale on a cloud and the stages it goes through:

  1. Cloudkit uploads the required GPFS binaries to a cloud repository.
    • Use the cloudkit create repository command to optionally create a package repository on the cloud object store.
  2. Cloudkit prepares the cloud operating system image based on a cloud repository.
    • Use the cloudkit create image command to optionally create a virtual machine image containing all IBM Storage Scale packages preinstalled.
  3. Cloudkit deploys an IBM Storage Scale cluster using the previously created operating system image.
    • Use the cloudkit create cluster command to create an IBM Storage Scale cluster. This command can be used to create an IBM Storage Scale storage, compute, or combined cluster.

To help you plan your deployment architecture, refer to Planning the virtual private cloud (VPC) architecture for AWS and Planning the virtual private cloud (VPC) architecture for GCP.

Administering

The cloudkit can be used to manage a previously deployed cloudkit cluster using the following options.
  1. Use the cloudkit grant filesystem command to remote mount a filesystem from a storage cluster to a compute cluster previously created by the same instance of cloudkit.
  2. Use the cloudkit grant repository command to provide access to a package repository located on the cloud object store to a specific Virtual Private Cloud.
  3. Use the cloudkit grant guiaccess command to provide IBM Storage Scale GUI access through the jump host.
  4. Use the cloudkit revoke filesystem command to remove a previous remote mount configuration.
  5. Use the cloudkit revoke repository command to remove the access from a Virtual Private Cloud to a repository.
  6. Use the cloudkit revoke guiaccess command to remove IBM Storage Scale GUI access through the jump host.
  7. Use the cloudkit edit cluster command to scale out cluster resources.

For more information, see Administering cloudkit.

To see an end-to-end process of using the interactive command, see End-to-end process of using interactive command.

Upgrade

The cloudkit can be used to upgrade an existing package repository and an IBM Storage Scale cluster using the following options:
  1. Use the cloudkit upgrade repository command to upgrade the existing repository to the specified cloudkit version.
  2. Use the cloudkit upgrade cluster command to upgrade the existing cluster to the specified cloudkit version.
Note: Upgrade of an IBM Storage Scale cluster is only supported on AWS.

For more information, see Upgrading IBM Storage Scale on cloud.

Cleanup

The cloudkit can be used to delete the resources that it provisioned:
  1. Use the cloudkit delete cluster command to delete the cluster.
  2. Use the cloudkit delete repo command to delete the repository.
  3. Use the cloudkit delete image command to delete the image.
Note: Cloudkit keeps track of the resources created using it. When a 'cluster with a new VPC' is created by cloudkit, make sure this VPC does not contain any active resources before proceeding with deletion of the cluster. Because the cluster stack contains the VPC resources, other resources created outside cloudkit that use this VPC can block the cluster deletion.

When a cluster with a jump host is created via cloudkit, the jump host is deleted as part of the cluster deletion operation. If this jump host is being used by other clusters, their access might be impacted. Hence it is advised to verify the usage of the jump host before proceeding with deletion.
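The two notes above both come down to one pre-deletion question: does the VPC still carry resources that cloudkit did not create? Every VPC-attached resource (instances, NAT gateways, VPC endpoints, load balancers) owns at least one elastic network interface, so listing the interfaces of the VPC is a practical way to answer it. The following added example (not part of the IBM documentation or of cloudkit) runs that check over constructed sample records in the shape of ec2 DescribeNetworkInterfaces output. It assumes a hypothetical marker tag "cloudkit:managed" on everything cloudkit provisioned; cloudkit's real bookkeeping is its own resource tracking described above, so substitute whatever identifies your cloudkit-created resources.

```python
"""Pre-deletion check: find network interfaces in a VPC that cloudkit did not create.

Added example, not IBM documentation or cloudkit code. MARKER_TAG is a
hypothetical tag key standing in for however you identify cloudkit-created
resources; the records below are constructed sample data, not real output.
"""

MARKER_TAG = "cloudkit:managed"  # hypothetical; adjust to your own tagging

# Constructed sample in the shape of ec2 DescribeNetworkInterfaces output
# (only the fields used here). Two interfaces belong to the cloudkit stack,
# one was added by another team in the same VPC, one is in an unrelated VPC.
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0001", "VpcId": "vpc-cloudkit",
     "InterfaceType": "interface", "Description": "cluster node",
     "TagSet": [{"Key": MARKER_TAG, "Value": "true"}]},
    {"NetworkInterfaceId": "eni-0002", "VpcId": "vpc-cloudkit",
     "InterfaceType": "nat_gateway", "Description": "Interface for NAT Gateway",
     "TagSet": [{"Key": MARKER_TAG, "Value": "true"}]},
    {"NetworkInterfaceId": "eni-0003", "VpcId": "vpc-cloudkit",
     "InterfaceType": "interface", "Description": "analytics box from another team",
     "TagSet": []},
    {"NetworkInterfaceId": "eni-0004", "VpcId": "vpc-other",
     "InterfaceType": "interface", "Description": "unrelated VPC",
     "TagSet": []},
]


def tags_of(eni):
    """Flatten an ENI's TagSet into a plain dict."""
    return {t["Key"]: t["Value"] for t in eni.get("TagSet", [])}


def foreign_interfaces(enis, vpc_id, marker_tag=MARKER_TAG):
    """Interfaces in the given VPC that carry no cloudkit marker tag."""
    return [e for e in enis
            if e["VpcId"] == vpc_id and marker_tag not in tags_of(e)]


def deletion_is_safe(enis, vpc_id, marker_tag=MARKER_TAG):
    """True when nothing outside cloudkit is still attached to the VPC."""
    return not foreign_interfaces(enis, vpc_id, marker_tag)


if __name__ == "__main__":
    vpc = "vpc-cloudkit"
    for eni in foreign_interfaces(SAMPLE_ENIS, vpc):
        print(f"blocking: {eni['NetworkInterfaceId']} ({eni['InterfaceType']}) "
              f"- {eni['Description']}")
    print("safe to delete cluster:", deletion_is_safe(SAMPLE_ENIS, vpc))
```

Run the check before cloudkit delete cluster; any interface it reports is something another owner relies on, and it will also surface a jump host that other clusters still reach through this VPC.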

The following table lists the command options that perform cloud resource provisioning and IBM Storage Scale installation and configuration.

Table 1. cloudkit command options

  cloudkit command option   Purpose
  configure                 Configure local machine to use your cloud account
  create                    Create a resource from stdin
  delete                    Delete a specific resource
  describe                  Show details of a specific resource
  grant                     Grant access to a specific resource
  help                      Help about any command
  init                      Installs prerequisite(s) required for the utility
  list                      List a resource from stdin
  revoke                    Revoke filesystem mount access
  validate                  Validate resources
  edit                      Edit a specific resource
  upgrade                   Upgrade a resource from stdin
  version                   Prints the version number of the tool

Other Considerations

Firewall ports that cloudkit adds to its ingress

Compute cluster with bastion:

  Port         Protocol  Purpose
  -1           ICMP      Allow ICMP traffic from bastion to compute instances
  22           TCP       Allow SSH traffic from bastion to compute instances
  -1           ICMP      Allow ICMP traffic within compute instances
  22           TCP       Allow SSH traffic within compute instances
  1191         TCP       Allow GPFS intra cluster traffic within compute instances
  60000-61000  TCP       Allow GPFS ephemeral port range within compute instances
  47080        TCP       Allow management GUI (http/localhost) TCP traffic within compute instances
  47443        UDP       Allow management GUI (https/localhost) TCP traffic within compute instances
  4444         TCP       Allow management GUI (https/localhost) TCP traffic within compute instances
  4739         TCP       Allow management GUI (localhost) TCP traffic within compute instances
  4739         UDP       Allow management GUI (localhost) UDP traffic within compute instances
  9080         TCP       Allow performance monitoring collector traffic within compute instances
  9081         TCP       Allow performance monitoring collector traffic within compute instances
  80           TCP       Allow http traffic within compute instances
  443          TCP       Allow https traffic within compute instances
  443          TCP       Allow GUI traffic from bastion/jumphost

Note: "Allow ICMP traffic from bastion to compute instances" and "Allow SSH traffic from bastion to compute instances" are not added if direct connect is used.

Storage cluster with bastion:

  Port         Protocol  Purpose
  -1           ICMP      Allow ICMP traffic from bastion to storage instances
  22           TCP       Allow SSH traffic from bastion to storage instances
  -1           ICMP      Allow ICMP traffic within storage instances
  22           TCP       Allow SSH traffic within storage instances
  1191         TCP       Allow GPFS intra cluster traffic within storage instances
  60000-61000  TCP       Allow GPFS ephemeral port range within storage instances
  47080        TCP       Allow management GUI (http/localhost) TCP traffic within storage instances
  47443        UDP       Allow management GUI (https/localhost) TCP traffic within storage instances
  4444         TCP       Allow management GUI (https/localhost) TCP traffic within storage instances
  4739         TCP       Allow management GUI (localhost) TCP traffic within storage instances
  4739         UDP       Allow management GUI (localhost) UDP traffic within storage instances
  9080         TCP       Allow performance monitoring collector traffic within storage instances
  9081         TCP       Allow performance monitoring collector traffic within storage instances
  80           TCP       Allow http traffic within storage instances
  443          TCP       Allow https traffic within storage instances
  443          TCP       Allow GUI traffic from bastion/jumphost

Note: "Allow ICMP traffic from bastion to storage instances" and "Allow SSH traffic from bastion to storage instances" are not added if direct connect is used.

Compute cluster with remote mount:

  Port         Protocol  Purpose
  -1           ICMP      Allow ICMP traffic from Spectrum Scale cluster
  1191         TCP       Allow GPFS intra cluster traffic from Spectrum Scale cluster
  443          TCP       Allow management GUI (http/localhost) TCP traffic from Spectrum Scale cluster
  60000-61000  TCP       Allow Spectrum Scale ephemeral port range
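The port tables above are the ingress baseline cloudkit establishes, which makes them a useful reference for a periodic audit of the security groups it created: rules that later drift outside the list, or whose source widens to the whole Internet, are what a reviewer wants to catch. The following added example (not part of the IBM documentation or of cloudkit) encodes the "Compute cluster with bastion" table as a set of (from, to, protocol) tuples and checks constructed sample rules, written in the shape of ec2 DescribeSecurityGroupRules output, against it. Rules referencing another security group (the bastion case) have no CIDR and are only checked for port and protocol.

```python
"""Audit security-group ingress rules against the cloudkit port baseline above.

Added example, not IBM documentation or cloudkit code. The baseline is the
"Compute cluster with bastion" table from this page; SAMPLE_RULES is
constructed data, not real account output.
"""
from ipaddress import ip_network

# (from_port, to_port, protocol) from the table above; -1 denotes ICMP.
COMPUTE_BASTION_BASELINE = {
    (-1, -1, "icmp"),
    (22, 22, "tcp"),
    (1191, 1191, "tcp"),
    (60000, 61000, "tcp"),
    (47080, 47080, "tcp"),
    (47443, 47443, "udp"),
    (4444, 4444, "tcp"),
    (4739, 4739, "tcp"),
    (4739, 4739, "udp"),
    (9080, 9080, "tcp"),
    (9081, 9081, "tcp"),
    (80, 80, "tcp"),
    (443, 443, "tcp"),
}

# Constructed sample: two rules that match the baseline, one baseline port
# opened to the whole Internet, and one port the baseline does not list.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "ReferencedGroupInfo": {"GroupId": "sg-bastion-example"}},
    {"IpProtocol": "tcp", "FromPort": 1191, "ToPort": 1191, "CidrIpv4": "10.0.0.0/16"},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIpv4": "0.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIpv4": "10.0.0.0/16"},
]


def rule_key(rule):
    """Normalise a rule to the (from, to, protocol) tuple used by the baseline."""
    proto = str(rule["IpProtocol"]).lower()
    if proto == "-1":  # AWS encodes "all protocols" as -1
        return (-1, -1, "all")
    return (rule.get("FromPort", -1), rule.get("ToPort", -1), proto)


def audit_ingress(rules, baseline):
    """Return (finding, key, source) tuples for rules that deviate from the baseline."""
    findings = []
    for rule in rules:
        key = rule_key(rule)
        cidr = rule.get("CidrIpv4") or rule.get("CidrIpv6")
        if key[2] == "all":
            findings.append(("all-protocols", key, cidr))
            continue
        if key not in baseline:
            findings.append(("not-in-baseline", key, cidr))
        # A /0 prefix (0.0.0.0/0 or ::/0) means any address on the Internet.
        if cidr and ip_network(cidr, strict=False).prefixlen == 0:
            findings.append(("open-to-internet", key, cidr))
    return findings


if __name__ == "__main__":
    for finding, key, source in audit_ingress(SAMPLE_RULES, COMPUTE_BASTION_BASELINE):
        print(f"{finding}: ports {key[0]}-{key[1]}/{key[2]} from {source}")
```

The same function serves the storage and remote-mount tables once their rows are encoded as another baseline set; on a live account, feed it the SecurityGroupRules list returned for the cloudkit-created group.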