OpenShift Container Storage is now OpenShift Data Foundation starting with version 4.9.
Chapter 1. Preparing to deploy OpenShift Data Foundation
Deploying OpenShift Data Foundation on OpenShift Container Platform using dynamic storage devices provides you with the option to create internal cluster resources.
Before you begin the deployment of Red Hat OpenShift Data Foundation, follow these steps:
For Red Hat Enterprise Linux based hosts for worker nodes, enable file system access for containers on Red Hat Enterprise Linux based nodes.
Note: Skip this step for Red Hat Enterprise Linux CoreOS (RHCOS).
Optional: If you want to enable cluster-wide encryption using an external Key Management System (KMS):
- Ensure that a policy with a token exists and the key value backend path in Vault is enabled. See Enabling key value backend path and policy in Vault.
- Ensure that you are using signed certificates on your Vault servers.
Minimum starting node requirements [Technology Preview]
An OpenShift Data Foundation cluster is deployed with the minimum configuration when the standard deployment resource requirement is not met. See the Resource requirements section in the Planning guide.
Regional-DR requirements [Developer Preview]
Disaster Recovery features supported by Red Hat OpenShift Data Foundation require all of the following prerequisites in order to successfully implement a Disaster Recovery solution:
- A valid Red Hat OpenShift Data Foundation Advanced entitlement
- A valid Red Hat Advanced Cluster Management for Kubernetes subscription
To know how subscriptions for OpenShift Data Foundation work, see the knowledgebase article on OpenShift Data Foundation subscriptions.
For detailed requirements, see Regional-DR requirements and RHACM requirements.
1.1. Enabling file system access for containers on Red Hat Enterprise Linux based nodes
Deploying OpenShift Data Foundation on an OpenShift Container Platform with worker nodes on a Red Hat Enterprise Linux base in a user provisioned infrastructure (UPI) does not automatically provide container access to the underlying Ceph file system.
Skip this step for hosts based on Red Hat Enterprise Linux CoreOS (RHCOS).
Procedure
- Log in to the Red Hat Enterprise Linux based node and open a terminal.
- For each node in your cluster:
  - Verify that the node has access to the rhel-7-server-extras-rpms repository.
        # subscription-manager repos --list-enabled | grep rhel-7-server
    If you do not see both rhel-7-server-rpms and rhel-7-server-extras-rpms in the output, or if there is no output, run the following commands to enable each repository:
        # subscription-manager repos --enable=rhel-7-server-rpms
        # subscription-manager repos --enable=rhel-7-server-extras-rpms
  - Install the required packages.
        # yum install -y policycoreutils container-selinux
  - Persistently enable container use of the Ceph file system in SELinux.
        # setsebool -P container_use_cephfs on
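A check for the node preparation steps above, as an added example that is not part of the original Red Hat procedure. It assumes `semanage` is installed on the node (the page does not list it), and the script name in the last comment is a placeholder; the two parsers read command output on stdin.

```shell
#!/bin/sh
# Added example: audit a RHEL 7 worker node against the procedure above.
# The parsers read command output on stdin so they can be exercised offline.

REQUIRED_REPOS="rhel-7-server-rpms rhel-7-server-extras-rpms"

# Input: output of `subscription-manager repos --list-enabled`.
# Prints each required repo ID that is NOT enabled. Matching is exact, so a
# repo that merely shares the rhel-7-server prefix does not count.
missing_repos() {
    enabled=$(sed -n 's/^Repo ID:[[:space:]]*//p')
    for repo in $REQUIRED_REPOS; do
        printf '%s\n' "$enabled" | grep -Fxq -- "$repo" || printf '%s\n' "$repo"
    done
}

# Input: output of `semanage boolean -l` (assumed available on the node).
# Prints "current,persistent" for container_use_cephfs, nothing if unlisted.
cephfs_bool_state() {
    awk '$1 == "container_use_cephfs"' |
        sed -n 's/^[^(]*(\([a-z]*\) *, *\([a-z]*\)).*/\1,\2/p'
}

# Runs the real commands on a node; returns non-zero on any finding.
check_node() {
    rc=0
    for repo in $(subscription-manager repos --list-enabled | missing_repos); do
        echo "FAIL: repository $repo is not enabled"; rc=1
    done
    for pkg in policycoreutils container-selinux; do
        rpm -q "$pkg" >/dev/null 2>&1 || { echo "FAIL: $pkg is not installed"; rc=1; }
    done
    case $(semanage boolean -l | cephfs_bool_state) in
        on,on)  ;;
        on,off) echo "FAIL: container_use_cephfs is on at runtime only; rerun setsebool with -P"; rc=1 ;;
        *)      echo "FAIL: container_use_cephfs is not enabled"; rc=1 ;;
    esac
    return $rc
}

# Invoke on a node as: sh check-node.sh --check   (script name is a placeholder)
if [ "${1:-}" = "--check" ]; then check_node; fi
```

The `on,off` case catches a boolean that was set without `-P` and would revert at the next reboot.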
1.2. Enabling key value backend path and policy in Vault
Prerequisites
- Administrator access to Vault.
- Carefully choose a unique path name as the backend path that follows the naming convention, since it cannot be changed later.
Procedure
- Enable the Key/Value (KV) backend path in Vault.
  For Vault KV secret engine API, version 1:
      $ vault secrets enable -path=odf kv
  For Vault KV secret engine API, version 2:
      $ vault secrets enable -path=odf kv-v2
- Create a policy that restricts users to performing a write or delete operation on the secret, using the following commands.
- Create a token matching the above policy.
      $ vault token create -policy=odf -format json