Overview of the cloudkit installation options

This topic describes the command options available for deploying and managing an IBM Storage Scale cluster on a public cloud.

The cloudkit provides an interactive experience that guides the user through its prompts; the commands outlined below are the starting points. Use these commands to start the interaction with the cloudkit.

Preparation

The cloudkit needs to be installed on a Linux-based host before it can be used for an IBM Storage Scale deployment on a public cloud. Such a Linux-based host is referred to as the installer node. For information about setting up an installer node, see Preparing the installer node. After the cloudkit setup is complete, log in to the installer node.

The cloudkit binary is found in the /usr/lpp/mmfs/<release_version>/cloudkit directory. In this directory, the IBM Storage Scale cloudkit can be invoked through the cloudkit command. Optionally, this directory can be added to the PATH.

Before attempting to create an IBM Storage Scale cluster on a public cloud, the cloudkit must be configured as described in the next sections.

Initialization

  1. Use the cloudkit init command to install the prerequisites needed for the utility.
    To configure, run the cloudkit init command:
    ./cloudkit init
    I: Logging at /root/scale-cloudkit/logs/cloudkit-25-11-2024_0-11-59.log
    ? Passphrase file path for encrypting DB contents: /root/secrets/cloudkit_config.ini

    The passphrase file path must be supplied when the init command runs. For more information, see Preparing the cloudkit environment file.

    Note: When a new version of IBM Storage Scale data bundle is downloaded from IBM Fix Central and extracted to a node, it is mandatory to rerun the cloudkit init command even if the command was previously run for a different version of IBM Storage Scale.
  2. Use the cloudkit configure command to configure the local machine to use your cloud account. For more information, see Configuring the cloudkit.
  3. Use the cloudkit validate command to check the permissions needed to deploy the cluster and to verify the cloud quota for the cluster installation.
    The following permissions are required for running the cloudkit:
    • AWS permissions:
      cloudkit-afm-cos
                     s3:GetBucketLocation
      
      cloudkit-bastion
                     logs:ListTagsLogGroup
                     iam:CreateInstanceProfile
                     ec2:DescribeInstances
                     ec2:DescribeInstanceAttribute
                     iam:RemoveRoleFromInstanceProfile
                     iam:CreateRole
                     logs:DescribeMetricFilters
                     iam:PutRolePolicy
                     iam:AddRoleToInstanceProfile
                     iam:ListInstanceProfilesForRole
                     logs:DeleteMetricFilter
                     iam:PassRole
                     ec2:GetLaunchTemplateData
                     autoscaling:DescribeScalingActivities
                     ec2:CreateSecurityGroup
                     iam:ListAttachedRolePolicies
                     iam:DeleteRolePolicy
                     autoscaling:DescribeAutoScalingGroups
                     ec2:DescribeVolumes
                     autoscaling:UpdateAutoScalingGroup
                     iam:ListRolePolicies
                     iam:DeleteInstanceProfile
                     iam:GetRole
                     ec2:DeleteLaunchTemplate
                     logs:DescribeLogGroups
                     ec2:DescribeIamInstanceProfileAssociations
                     iam:GetInstanceProfile
                     logs:DeleteLogGroup
                     ec2:DescribeLaunchTemplates
                     ec2:CreateTags
                     ec2:DescribeLaunchTemplateVersions
                     ec2:RunInstances
                     iam:DeleteRole
                     autoscaling:SuspendProcesses
                     logs:CreateLogGroup
                     logs:ListTagsForResource
                     ec2:DescribeInstanceCreditSpecifications
                     ec2:CreateLaunchTemplateVersion
                     logs:PutMetricFilter
                     ec2:CreateLaunchTemplate
                     autoscaling:SetInstanceProtection
                     ec2:DeleteSecurityGroup
                     ec2:DescribeInstanceTypes
                     autoscaling:DeleteAutoScalingGroup
                     iam:GetRolePolicy
                     autoscaling:CreateAutoScalingGroup
      
      cloudkit-dns
                     route53:ListHostedZonesByVPC
                     route53:CreateHostedZone
                     route53:GetChange
                     route53:GetHostedZone
                     route53:ListHostedZones
                     route53:ChangeResourceRecordSets
                     route53:ChangeTagsForResource
                     route53:ListResourceRecordSets
                     route53:DeleteHostedZone
                     route53:ListTagsForResource
      
      cloudkit-edit-elastic
                     autoscaling:CreateLaunchConfiguration
      
      cloudkit-encryption
                     kms:*
      
      cloudkit-image
                     ec2:DeregisterImage
                     ec2:DeleteSnapshot
                     ec2:DescribeInstances
                     ec2:TerminateInstances
                     s3:GetBucketWebsite
                     ec2:CreateKeyPair
                     s3:ListBucketVersions
                     ec2:CreateImage
                     s3:CreateBucket
                     ec2:RunInstances
                     s3:ListBucket
                     ec2:ModifyImageAttribute
                     s3:DeleteBucketPolicy
                     ec2:StopInstances
                     s3:PutObject
                     s3:ListAllMyBuckets
                     s3:PutBucketWebsite
                     ec2:CreateSecurityGroup
                     ec2:DescribeVolumes
                     ec2:DeleteSecurityGroup
                     s3:PutBucketPolicy
                     s3:DeleteObject
                     s3:DeleteBucket
                     ec2:DeleteKeyPair
      
      cloudkit-instance
                     ec2:AuthorizeSecurityGroupIngress
                     ec2:DescribeInstances
                     SNS:CreateTopic
                     iam:RemoveRoleFromInstanceProfile
                     iam:CreateRole
                     iam:PutRolePolicy
                     SNS:ListTagsForResource
                     ec2:DescribePlacementGroups
                     iam:AddRoleToInstanceProfile
                     SNS:Subscribe
                     SNS:Unsubscribe
                     ec2:DeleteVolume
                     ec2:CreatePlacementGroup
                     ec2:RevokeSecurityGroupEgress
                     iam:ListAttachedRolePolicies
                     ec2:DescribeVolumes
                     SNS:SetTopicAttributes
                     ec2:DescribeKeyPairs
                     iam:ListRolePolicies
                     ec2:DescribeRouteTables
                     ec2:DetachVolume
                     ec2:ModifyVolume
                     iam:GetRole
                     ec2:DescribeLaunchTemplates
                     ec2:CreateTags
                     ec2:DeleteNetworkInterface
                     ec2:RunInstances
                     iam:DeleteRole
                     ec2:CreateVolume
                     ec2:RevokeSecurityGroupIngress
                     ec2:CreateNetworkInterface
                     ec2:GetInstanceTypesFromInstanceRequirements
                     ec2:DescribeSecurityGroupRules
                     ec2:DescribeInstanceTypes
                     ec2:DescribeSubnets
                     iam:GetRolePolicy
                     ec2:AttachVolume
                     iam:CreateInstanceProfile
                     ec2:DescribeInstanceAttribute
                     ec2:DescribeRegions
                     SNS:GetSubscriptionAttributes
                     iam:ListInstanceProfilesForRole
                     iam:PassRole
                     ec2:DescribeNetworkInterfaces
                     ec2:DescribeAvailabilityZones
                     ec2:CreateSecurityGroup
                     iam:DeleteRolePolicy
                     SNS:GetTopicAttributes
                     ec2:DescribeInstanceStatus
                     iam:DeleteInstanceProfile
                     ec2:AuthorizeSecurityGroupEgress
                     SNS:DeleteTopic
                     ec2:TerminateInstances
                     ec2:DeletePlacementGroup
                     iam:GetInstanceProfile
                     ec2:DescribeTags
                     ec2:DescribeSecurityGroups
                     ec2:DescribeImages
                     ec2:DescribeVpcs
                     ec2:DeleteSecurityGroup
      
      cloudkit-permissions
                     iam:ListGroupsForUser
                     iam:ListAttachedGroupPolicies
                     iam:ListGroupPolicies
                     iam:ListAttachedUserPolicies
      
      cloudkit-quota
                     servicequotas:ListServiceQuotas
      
      cloudkit-vpc
                     ec2:CreateDhcpOptions
                     ec2:AuthorizeSecurityGroupIngress
                     ec2:DeleteSubnet
                     ec2:DeleteVpcEndpoints
                     ec2:AttachInternetGateway
                     ec2:ReplaceRoute
                     ec2:AssociateRouteTable
                     ec2:DeleteRouteTable
                     ec2:DescribeInternetGateways
                     ec2:RevokeSecurityGroupEgress
                     ec2:CreateRoute
                     ec2:CreateInternetGateway
                     ec2:DeleteInternetGateway
                     ec2:DescribeKeyPairs
                     ec2:DescribeNetworkAcls
                     ec2:DescribeRouteTables
                     ec2:DescribeVpcClassicLinkDnsSupport
                     ec2:CreateTags
                     ec2:CreateRouteTable
                     ec2:DetachInternetGateway
                     ec2:DescribePrefixLists
                     ec2:DisassociateRouteTable
                     ec2:DescribeVpcClassicLink
                     ec2:RevokeSecurityGroupIngress
                     ec2:DescribeSecurityGroupRules
                     ec2:DeleteDhcpOptions
                     ec2:DeleteNatGateway
                     ec2:DescribeVpcEndpoints
                     ec2:DeleteVpc
                     ec2:CreateSubnet
                     ec2:DescribeSubnets
                     ec2:DeleteNetworkAclEntry
                     ec2:ModifyVpcEndpoint
                     ec2:DisassociateAddress
                     ec2:DescribeAddresses
                     ec2:CreateNatGateway
                     ec2:DescribeRegions
                     ec2:CreateVpc
                     ec2:DescribeDhcpOptions
                     ec2:DescribeAddressesAttribute
                     ec2:DescribeVpcAttribute
                     ec2:DescribeNetworkInterfaces
                     ec2:DescribeAvailabilityZones
                     ec2:ModifyVpcAttribute
                     ec2:ReleaseAddress
                     ec2:AuthorizeSecurityGroupEgress
                     ec2:AssociateDhcpOptions
                     ec2:DeleteRoute
                     ec2:DescribeNatGateways
                     ec2:AllocateAddress
                     ec2:DescribeSecurityGroups
                     ec2:DescribeImages
                     ec2:DescribeVpcs
                     ec2:CreateVpcEndpoint
                     ec2:CreateNetworkAclEntry
    • GCP role permissions:
      Note: To run the permission validation, GCP requires at least the Browser role.
      Artifact Registry Administrator
      Browser
      Cloud KMS CryptoKey Encrypter/Decrypter
      Compute Instance Admin (v1)
      Compute Network Admin
      Compute Security Admin
      DNS Administrator
      Service Account User
      Storage Admin
      Storage HMAC Key Admin
    • Azure role permissions:

      Create an Azure service principal with sufficient privileges. The minimum required roles are Contributor and Storage Blob Data Owner.
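As an added example (not cloudkit's own code and not from IBM), the following Python turns a subset of the AWS permission groups listed above into a per-group IAM policy document, flags wildcard actions such as kms:* that should be scoped down before the policy is attached, and reports which required actions a set of already granted action patterns does not cover. The subset of groups and the granted patterns are assumptions for illustration; the full list above is the authoritative one.

```python
"""Build an IAM policy document from the cloudkit AWS permission groups and
check a set of granted action patterns against it.
Added example; not part of cloudkit."""
import fnmatch
import json

# Subset of the AWS permission groups listed above (group names and actions
# copied from the list; the full list has more groups and actions).
CLOUDKIT_AWS_PERMISSIONS = {
    "cloudkit-afm-cos": ["s3:GetBucketLocation"],
    "cloudkit-dns": [
        "route53:ListHostedZonesByVPC", "route53:CreateHostedZone",
        "route53:GetChange", "route53:GetHostedZone",
        "route53:ListHostedZones", "route53:ChangeResourceRecordSets",
        "route53:ChangeTagsForResource", "route53:ListResourceRecordSets",
        "route53:DeleteHostedZone", "route53:ListTagsForResource",
    ],
    "cloudkit-encryption": ["kms:*"],
    "cloudkit-permissions": [
        "iam:ListGroupsForUser", "iam:ListAttachedGroupPolicies",
        "iam:ListGroupPolicies", "iam:ListAttachedUserPolicies",
    ],
    "cloudkit-quota": ["servicequotas:ListServiceQuotas"],
}


def sid_for(group):
    """IAM statement IDs must be alphanumeric, so 'cloudkit-afm-cos'
    becomes 'CloudkitAfmCos'."""
    return "".join(part.capitalize() for part in group.split("-"))


def build_policy(groups):
    """One Allow statement per cloudkit group so that each group can be
    reviewed, tightened or removed on its own. Resource is left as '*'
    because the page does not name the resources cloudkit creates."""
    statements = [
        {"Sid": sid_for(name), "Effect": "Allow",
         "Action": sorted(set(actions)), "Resource": "*"}
        for name, actions in sorted(groups.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def wildcard_actions(groups):
    """(group, action) pairs that contain a '*' wildcard; these are the
    entries to scope down before attaching the policy to a principal."""
    return [(g, a) for g, acts in sorted(groups.items())
            for a in acts if "*" in a]


def missing_actions(required_groups, granted_patterns):
    """Required actions not covered by any granted pattern. IAM compares
    action names case-insensitively and allows '*' and '?' wildcards, which
    fnmatch reproduces for these simple patterns."""
    patterns = [p.lower() for p in granted_patterns]
    return [
        (group, action)
        for group, actions in sorted(required_groups.items())
        for action in actions
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
    ]


# Constructed set of action patterns an operator role might already hold.
SAMPLE_GRANTED = ["route53:*", "s3:GetBucketLocation",
                  "servicequotas:ListServiceQuotas", "iam:List*"]

if __name__ == "__main__":
    print(json.dumps(build_policy(CLOUDKIT_AWS_PERMISSIONS), indent=2))
    print("wildcards to scope down:",
          wildcard_actions(CLOUDKIT_AWS_PERMISSIONS))
    print("missing:", missing_actions(CLOUDKIT_AWS_PERMISSIONS, SAMPLE_GRANTED))
```

The per-group statements mirror the grouping on this page, which makes it easy to drop a group (for example cloudkit-afm-cos when AFM to cloud object storage is not used) without editing a monolithic action list.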

Deployment

Before deploying IBM Storage Scale on a public cloud, make sure to complete the procedures described in Initialization.

To understand the deployment options provided by the cloudkit, you need to know how the cloudkit deploys IBM Storage Scale on a cloud and the stages it goes through:

  1. Cloudkit uploads the required GPFS binary to a cloud repository.
    • Use the cloudkit create repository command to optionally create a package repository on the cloud object store.
  2. Cloudkit prepares the cloud operating system image based on a cloud repository.
    • Use the cloudkit create image command to optionally create a virtual machine image containing all IBM Storage Scale packages preinstalled.
  3. Cloudkit creates a virtual private network that is later used for the deployment of an IBM Storage Scale storage cluster.
    • Use the cloudkit create network command to optionally create a virtual private network.
  4. Cloudkit creates or associates a domain name system (DNS) to facilitate hostname resolution.
    • Use the cloudkit create dns command to optionally create a DNS domain.
  5. Cloudkit creates a jump host or bastion host by using the previously created virtual private network.
    • Use the cloudkit create jumphost command to optionally create a jump host.
  6. Cloudkit deploys an IBM Storage Scale cluster using the previously created operating system image.
    • Use the cloudkit create cluster command to create an IBM Storage Scale cluster. This command can be used to create an IBM Storage Scale storage, compute or combined cluster.

To help you plan the deployment architecture for your requirements, refer to Planning the virtual private cloud (VPC) architecture for AWS and Planning the virtual private cloud (VPC) architecture for GCP.

Administering

The cloudkit can be used to manage a cluster previously deployed by the cloudkit, using the following options:
  1. Use the cloudkit grant filesystem command to remote mount a filesystem from a storage cluster to a compute cluster previously created by the same instance of cloudkit.
  2. Use the cloudkit grant repository command to provide access to a package repository located on the cloud object store to a specific Virtual Private Cloud.
  3. Use the cloudkit port-forward command to provide access to the IBM Storage Scale GUI through a jump host.
  4. Use the cloudkit revoke filesystem command to remove a previous remote mount configuration.
  5. Use the cloudkit revoke repository command to remove the access from a virtual private cloud to a repository.
  6. Use the cloudkit edit cluster command to scale out cluster resources.
  7. Use the cloudkit caching setup command to set up an AFM relationship from a local IBM Storage Scale cluster to a remote cluster or cloud object storage.

For more information, see Administering cloudkit.

To see an end-to-end process of using the interactive command, see End-to-end process of using interactive command.

Upgrade

The cloudkit can be used to upgrade an existing package repository and an IBM Storage Scale cluster using the following options:
  1. Use the cloudkit upgrade repository command to upgrade the existing repository to the specified cloudkit version.
  2. Use the cloudkit upgrade cluster command to upgrade the existing cluster to the specified cloudkit version.
Note: Upgrade of IBM Storage Scale cluster is only supported on AWS and GCP.

For more information, see Upgrading IBM Storage Scale on cloud.

Cleanup

The cloudkit can be used to delete the resources that it provisioned:
  1. Use the cloudkit delete cluster command to delete the cluster.
  2. Use the cloudkit delete jumphost command to delete the jump host.
  3. Use the cloudkit delete dns command to delete the DNS domain.
  4. Use the cloudkit delete network command to delete the virtual private cloud or virtual network.
  5. Use the cloudkit delete image command to delete the image.
  6. Use the cloudkit delete repo command to delete the repository.
  7. Use the cloudkit delete caching-target command to delete the caching target.
Note: Cloudkit keeps track of the resources created through it. When a 'cluster with a new VPC' is created by cloudkit, make sure that this VPC does not contain any other active resources before proceeding with the deletion of the cluster. The cluster stack contains the VPC resources, and resources that were created in this VPC outside of cloudkit can block the cluster deletion.

If the cluster was created together with a jump host via cloudkit, the jump host is deleted as part of the cluster deletion operation. If this jump host is used by other clusters, their access might be impacted. Hence it is advised to verify the usage of the jump host before proceeding with the deletion.

The following table lists the command options for cloud resource provisioning and for IBM Storage Scale installation and configuration.

Table 1. cloudkit command options

cloudkit command option   Purpose
configure                 Configure local machine to use your cloud account
create                    Create a resource from stdin
delete                    Delete a specific resource
describe                  Show details of a specific resource
edit                      Edit a specific resource
grant                     Grant access to a specific resource
help                      Help about any command
init                      Installs prerequisite(s) required for the utility
list                      List a resource from stdin
port-forward              Redirects the IBM Storage Scale GUI access through a jump host
revoke                    Revoke filesystem mount access
upgrade                   Upgrade a resource from stdin
validate                  Validate resources
setup                     Set up features related to IBM Storage Scale
version                   Prints the version number of the tool

Other Considerations

Security group rules for each deployment type (port, protocol, purpose):

Compute cluster with bastion:

Port          Protocol  Purpose
-1            ICMP      Allow ICMP traffic from bastion to compute instances
22            TCP       Allow SSH traffic from bastion to compute instances
-1            ICMP      Allow ICMP traffic within compute instances
22            TCP       Allow SSH traffic within compute instances
1191          TCP       Allow GPFS intra cluster traffic within compute instances
60000-61000   TCP       Allow GPFS ephemeral port range within compute instances
47080         TCP       Allow management GUI (http/localhost) TCP traffic within compute instances
47443         UDP       Allow management GUI (https/localhost) TCP traffic within compute instances
4444          TCP       Allow management GUI (https/localhost) TCP traffic within compute instances
4739          TCP       Allow management GUI (localhost) TCP traffic within compute instances
4739          UDP       Allow management GUI (localhost) UDP traffic within compute instances
9080          TCP       Allow performance monitoring collector traffic within compute instances
9081          TCP       Allow performance monitoring collector traffic within compute instances
80            TCP       Allow http traffic within compute instances
443           TCP       Allow https traffic within compute instances
443           TCP       Allow GUI traffic from bastion/jumphost

Note: "Allow ICMP traffic from bastion to compute instances" and "Allow SSH traffic from bastion to compute instances" are not added if direct connect is used.

Storage cluster with bastion:

Port          Protocol  Purpose
-1            ICMP      Allow ICMP traffic from bastion to storage instances
22            TCP       Allow SSH traffic from bastion to storage instances
-1            ICMP      Allow ICMP traffic within storage instances
22            TCP       Allow SSH traffic within storage instances
1191          TCP       Allow GPFS intra cluster traffic within storage instances
60000-61000   TCP       Allow GPFS ephemeral port range within storage instances
47080         TCP       Allow management GUI (http/localhost) TCP traffic within storage instances
47443         UDP       Allow management GUI (https/localhost) TCP traffic within storage instances
4444          TCP       Allow management GUI (https/localhost) TCP traffic within storage instances
4739          TCP       Allow management GUI (localhost) TCP traffic within storage instances
4739          UDP       Allow management GUI (localhost) UDP traffic within storage instances
9080          TCP       Allow performance monitoring collector traffic within storage instances
9081          TCP       Allow performance monitoring collector traffic within storage instances
80            TCP       Allow http traffic within storage instances
443           TCP       Allow https traffic within storage instances
443           TCP       Allow GUI traffic from bastion/jumphost

Note: "Allow ICMP traffic from bastion to storage instances" and "Allow SSH traffic from bastion to storage instances" are not added if direct connect is used.

Compute cluster with remote mount:

Port          Protocol  Purpose
-1            ICMP      Allow ICMP traffic from Spectrum Scale cluster
1191          TCP       Allow GPFS intra cluster traffic from Spectrum Scale cluster
443           TCP       Allow management GUI (http/localhost) TCP traffic from Spectrum Scale cluster
60000-61000   TCP       Allow Spectrum Scale ephemeral port range
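As an added example (not part of cloudkit), the following Python parses rule tables in both layouts these tables appear in (whitespace-separated with optional quotes, and comma-separated) and audits a constructed describe-security-groups style IpPermissions list against the expected rules. It reports required rules that are missing, rules the table does not list, and rules whose source is 0.0.0.0/0 or ::/0, which none of the tables call for since every rule is described as bastion-sourced or intra-cluster. The sample rule text is a subset of the storage-cluster table above; the IpPermissions entries and the security group IDs in them are constructed.

```python
"""Parse the cloudkit security-group rule tables and audit an EC2-style
IpPermissions list against them. Added example; not part of cloudkit."""
import re

# Constructed sample: a subset of the "Storage cluster with bastion" table,
# in the whitespace-separated layout with the mixed quoting it can carry.
STORAGE_RULES_TEXT = """
-1      icmp    Allow ICMP traffic from bastion to storage instances
22      TCP     "Allow SSH traffic from bastion to storage instances"
1191    TCP     "Allow GPFS intra cluster traffic within storage instances"
60000-61000     TCP     "Allow GPFS ephemeral port range within storage instances"
4739    "UDP"   "Allow management GUI (localhost) UDP traffic within storage instances"
443     TCP     "Allow GUI traffic from bastion/jumphost"
"""

# Comma-separated layout, as used by the "Compute cluster with remote mount" table.
REMOTE_MOUNT_TEXT = """
-1, ICMP, Allow ICMP traffic from spectrum scale cluster
1191, TCP, Allow GPFS intra cluster traffic from spectrum scale cluster
"""

ROW_RE = re.compile(
    r'^\s*(?P<port>-1|\d+(?:-\d+)?)\s*,?\s+"?(?P<proto>[A-Za-z]+)"?\s*,?\s+'
    r'"?(?P<desc>.*?)"?\s*$'
)

WORLD = {"0.0.0.0/0", "::/0"}


def parse_rules(text):
    """Return (proto, from_port, to_port, description) tuples. Port -1 means
    ICMP of any type and is kept as (-1, -1), matching the EC2 API."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule line: {line!r}")
        port = m.group("port")
        if port == "-1":
            lo, hi = -1, -1
        elif "-" in port:
            lo, hi = (int(p) for p in port.split("-"))
        else:
            lo = hi = int(port)
        rules.append((m.group("proto").lower(), lo, hi, m.group("desc")))
    return rules


def audit(expected, ip_permissions):
    """Compare an IpPermissions list (the shape returned by
    describe-security-groups) with the expected rules.
    Returns (missing, unexpected, world_open), each a sorted list of
    (proto, from_port, to_port)."""
    want = {(r[0], r[1], r[2]) for r in expected}
    have = set()
    world_open = []
    for perm in ip_permissions:
        key = (perm["IpProtocol"].lower(),
               perm.get("FromPort", -1), perm.get("ToPort", -1))
        have.add(key)
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        # Every rule in the tables is bastion-sourced or intra-cluster, so a
        # rule reachable from the whole internet is always a finding.
        if WORLD & set(sources):
            world_open.append(key)
    return sorted(want - have), sorted(have - want), sorted(world_open)


# Constructed IpPermissions: SSH is open to the internet, the GPFS ephemeral
# range is missing, and an extra 3389 rule is present. Group IDs are made up.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
     "UserIdGroupPairs": [{"GroupId": "sg-bastion-example"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 1191, "ToPort": 1191,
     "UserIdGroupPairs": [{"GroupId": "sg-storage-example"}]},
    {"IpProtocol": "udp", "FromPort": 4739, "ToPort": 4739,
     "UserIdGroupPairs": [{"GroupId": "sg-storage-example"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "UserIdGroupPairs": [{"GroupId": "sg-bastion-example"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]

if __name__ == "__main__":
    rules = parse_rules(STORAGE_RULES_TEXT)
    missing, unexpected, world_open = audit(rules, SAMPLE_PERMISSIONS)
    print("missing expected rules:", missing)
    print("rules not in the table:", unexpected)
    print("rules open to the internet:", world_open)
```

To run this against a live group, feed the IpPermissions array from the describe-security-groups output for the cluster's security group into audit() in place of SAMPLE_PERMISSIONS.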