IBM Cloud Object Storage considerations

The following information describes the points that you need to consider before you use IBM Cloud® Object Storage as the object storage provider.

Note: IBM Cloud Object Storage 3.7.3.2 or above is required for the cloud services functions. If you are running an older version of IBM Cloud Object Storage, contact IBM® support for upgrading your version.

Before you begin, ensure that an access pool is created and available on the IBM Cloud Object Storage system. The access pool must have 'Cloud Storage Object' configured as the API type.

Before you configure cloud services with IBM Cloud Object Storage as the object storage provider, ensure that the following settings are configured through the IBM Cloud Object Storage dsNet Manager GUI. If these settings are not correctly set, the cloud account configuration or data migration fails.
  • During the cloud services setup process, two vaults are created on the IBM Cloud Object Storage system. One of the vaults is used for storing data and the other one is used for storing metadata. The data vault that is created by cloud services contains the “container-prefix” appended with a unique ID.
    Note: IBM Cloud Object Storage endpoint URL (“cloud_url” command-line option) must not have this container or vault name.
  • For cloud services to be able to create the vault, the user (whose access key is specified in the mmcloudgateway account create configuration command) must have the "Vault Provisioner" role assigned through the dsNet Manager UI.

    To create vaults, go to dsNet Manager UI > Security tab and click user > Roles > Add "Vault Provisioner" role.

    Make sure that either “Create Only” or “Create and Delete” permission is selected under Administration > Provisioning API configuration. Doing this enables cloud services to create vaults by using the IBM Cloud Object Storage vault provisioning APIs. It is not necessary to allow cloud services privileges to create the vault. You can create the vault separately by using IBM Cloud Object Storage management services.
    Note: Delete access is not required for the “Vault Provisioner”.
    Note: To specify the container name of an existing container, use the --data-name/--meta-container parameter of the mmcloudgateway command.
  • For IBM Cloud Object Storage deployed on public cloud and with container mode enabled, you must contact the cloud object storage admin to obtain the accessor IP address or hostname, S3 credentials, and provisioning code (location) for the container vault.
  • To create vaults through the provisioning API, IBM Cloud Object Storage uses provisioning templates. You can provide a provisioning template to the cloud services in two ways:
    Using default template
    A default vault template can be set on the dsNet Manager UI. Go to dsNet Manager UI > Configure tab > Storage pools > Create Vault template. Then go to dsNet system > Default Vault template and select the newly created template. The vault that is created by cloud services uses the default template.
    Note: The default template on the IBM Cloud Object Storage system must have index enabled.
    Using Provisioning code
    If the default vault template is not set or not preferred, then a provisioning code can be used. Ensure that during the creation of the vault template, a unique user-defined provisioning code is specified. The provisioning code is different from the name.
    To look up the provisioning code, go to dsNet Manager UI > Configure tab > Storage pools > Vault Templates > select the template, and look for “Provisioning Code”. Use the --location option in the mmcloudgateway account create command to specify the provisioning code. Using this mechanism, the vault template that is configured for cloud services is used for vault provisioning.
    Note: If there is no default provisioning template set on the IBM Cloud Object Storage system and a provisioning code is not specified to the mmcloudgateway account create command, the command fails. If the provisioning code specified is not found on the IBM Cloud Object Storage system, the command fails.
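
The rules in the list above can be checked before running mmcloudgateway account create. The following pre-flight check is an added example, not IBM code: the function and parameter names are hypothetical, the inputs are values an administrator copies from the dsNet Manager UI, and matching the vault name by prefix in the URL path or first host label is an assumption.

```python
from urllib.parse import urlsplit

# Provisioning API settings that the page says allow vault creation.
CREATE_MODES = {"Create Only", "Create and Delete"}


def preflight(cloud_url, container_prefix, *, location=None,
              default_template_set=False, known_codes=(),
              provisioning_mode=None, has_vault_provisioner=False,
              precreated_vaults=False):
    """Return a list of problems; an empty list means the inputs meet the page's rules."""
    problems = []
    parts = urlsplit(cloud_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        problems.append("cloud_url is not an http(s) endpoint URL")
    elif container_prefix:
        # The data vault is named "<container-prefix><unique ID>" (assumed match rule):
        # look for the prefix in the path and in the first host label.
        names = [s for s in parts.path.split("/") if s]
        names.append(parts.hostname.split(".")[0])
        if any(n.lower().startswith(container_prefix.lower()) for n in names):
            problems.append("cloud_url contains a container or vault name")

    if precreated_vaults:
        return problems  # vaults were created separately, nothing is provisioned

    if not has_vault_provisioner:
        problems.append('user lacks the "Vault Provisioner" role')
    if provisioning_mode not in CREATE_MODES:
        problems.append("Provisioning API does not permit vault creation")
    if location is None:
        if not default_template_set:
            problems.append("no default vault template and no provisioning code")
    elif location not in known_codes:
        problems.append("provisioning code not found on the system")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real system.
    for url in ("https://accessor.example.com",
                "https://accessor.example.com/tctdata-1a2b"):
        print(url, preflight(url, "tctdata", location="demo", known_codes={"demo"},
                             provisioning_mode="Create Only",
                             has_vault_provisioner=True))
```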

The following settings are recommended when you create a vault template on IBM Cloud Object Storage dedicated for transparent cloud tiering.

Table 1. Recommended settings when you create a vault template on IBM Cloud Object Storage
| Configuration | Recommended Values | Comment |
| --- | --- | --- |
| Width | See IBM Cloud Object Storage documented configuration for production. | |
| Threshold | See IBM Cloud Object Storage documented configuration for production. | |
| WriteThreshold | See IBM Cloud Object Storage documented configuration for production. | |
| Alert Level | See IBM Cloud Object Storage documented configuration for production. | |
| SecureSlice Technology | Disabled | When using cloud data sharing services, the user might consider enabling SecureSlice Technology encryption. If using the transparent cloud tiering services, encryption is not needed and is redundant since data is encrypted by the transparent cloud tiering service before the data is stored on object storage. |
| SecureSliceAlgorithm | Not applicable since SecureSlice is disabled. | |
| Versioning | Disabled | Transparent cloud tiering has built-in versioning capability, hence IBM Cloud Object Storage versioning can be unavailable. For the Cloud Data Sharing service, versioning might or might not be turned off depending on the needs for retaining versioning on the data. |
| DeleteRestricted | Yes/No | The gateway does not attempt to delete the vaults, so this setting can be set to yes or no. |
| Name Index | Disabled | Disabling this setting can result in improved vault performance. |
| Recovery Listing | Enabled | For performance reasons, the vault that is used for storing data has Name Index disabled and for searchability reasons, the other vault has index enabled. On the second provisioning template, Name Index is enabled and the rest of the settings are the same as above. |

Essentially, IBM Cloud Object Storage needs two provisioning templates. One of them is used for storing data and the other one is used for metadata or book-keeping. This vault provisioning template must be set as default (Click the Configure tab and scroll down to see the option to set the default template). Pass the provisioning code ('demo' in the example) of the first vault provisioning template to the mmcloudgateway command during account creation by using the --location parameter.