Understanding the cloudkit installation options
This topic covers the comprehensive set of command options available for deploying and managing an IBM Storage Scale cluster on a public cloud.
The cloudkit provides an interactive experience that guides the user through its prompts. The commands outlined below are the starting points; use them to start the interaction with the cloudkit.
Preparation
The cloudkit needs to be installed on a Linux-based host before it can be used for an IBM Storage Scale deployment on a public cloud. This Linux-based host is referred to as the installer node. For information about setting up an installer node, see Preparing the installer node. After the cloudkit setup is complete, log in to the installer node.
The cloudkit binary is found at the /usr/lpp/mmfs/release_version/cloudkit directory. In this directory, the IBM Storage Scale cloudkit can be invoked through the cloudkit command. Optionally, this directory can be added to the path.
Before attempting to create an IBM Storage Scale cluster on a public cloud, the cloudkit must be configured as described in the next sections.
Initialization
- Use the cloudkit init command to install the prerequisites needed for the utility. To configure, run the cloudkit init command:

      $ ./cloudkit init
      I: Logging at /root/scale-cloudkit/logs/cloudkit-25-10-2023_0-11-59.log
      ? Passphrase file path for encrypting DB contents: /root/secrets/cloudkit_config.ini

  The passphrase file must be supplied when the init command is run. For more information, see Preparing the cloudkit environment file.

  Note: When a new version of the IBM Storage Scale data bundle is downloaded from IBM Fix Central and extracted to a node, it is mandatory to rerun the cloudkit init command even if the command was previously run for a different version of IBM Storage Scale.
- Use the cloudkit configure command to configure the local machine to use your cloud account. For more information, see Configuring the cloudkit.
- Use the cloudkit validate command to check the permissions needed to deploy the cluster and to verify the cloud quota for the cluster install. The following permissions are required for executing the cloudkit:
  - AWS permissions
iam:ListAttachedUserPolicies servicequotas:ListServiceQuotas ec2:AuthorizeSecurityGroupIngress ec2:ModifyVpcAttribute ec2:CreateInternetGateway ec2:CreateSecurityGroup ec2:CreateVpcEndpoint iam:PutRolePolicy iam:GetRole logs:DeleteLogGroup ec2:DescribeVpcs ec2:DescribeSecurityGroupRules autoscaling:DescribeScalingActivities ec2:DescribePlacementGroups ec2:DescribeVpcClassicLink iam:CreateRole s3:ListAllMyBuckets s3:DeleteBucket ec2:DeleteRouteTable iam:GetInstanceProfile ec2:DisassociateAddress ec2:DescribeInternetGateways ec2:CreateVpc ec2:CreateLaunchTemplateVersion ec2:CreateRouteTable ec2:DescribeNatGateways s3:CreateBucket ec2:DeleteSecurityGroup iam:AddRoleToInstanceProfile ec2:DeleteKeyPair ec2:RevokeSecurityGroupIngress ec2:RunInstances iam:DeleteRolePolicy ec2:DescribeNetworkInterfaces ec2:DeregisterImage iam:ListInstanceProfilesForRole ec2:DescribeLaunchTemplateVersions iam:DeleteRole ec2:DescribeDhcpOptions ec2:DescribeVpcClassicLinkDnsSupport ec2:GetLaunchTemplateData ec2:DescribePrefixLists ec2:DisassociateRouteTable s3:PutBucketPolicy ec2:DeletePlacementGroup SNS:DeleteTopic autoscaling:CreateAutoScalingGroup ec2:DetachInternetGateway ec2:DeleteNetworkAclEntry ec2:DescribeKeyPairs ec2:RevokeSecurityGroupEgress autoscaling:DeleteAutoScalingGroup autoscaling:CreateLaunchConfiguration ec2:ModifyVpcEndpoint autoscaling:SetInstanceProtection ec2:DescribeVpcEndpoints iam:GetRolePolicy ec2:DeleteNatGateway iam:CreateInstanceProfile SNS:ListTagsForResource ec2:DescribeImages s3:GetBucketLocation logs:ListTagsLogGroup iam:PassRole ec2:CreatePlacementGroup ec2:AssociateRouteTable ec2:DeleteVpc logs:CreateLogGroup ec2:DeleteInternetGateway ec2:DescribeNetworkAcls ec2:DescribeInstanceCreditSpecifications ec2:CreateDhcpOptions iam:ListGroupPolicies ec2:DeleteVpcEndpoints ec2:DeleteRoute ec2:DescribeVolumes autoscaling:DescribeAutoScalingGroups iam:DeleteInstanceProfile s3:DeleteObject autoscaling:UpdateAutoScalingGroup ec2:DeleteDhcpOptions s3:PutObject
ec2:CreateKeyPair ec2:DescribeRouteTables ec2:AssociateDhcpOptions iam:ListAttachedRolePolicies ec2:TerminateInstances s3:DeleteBucketPolicy ec2:DescribeVpcAttribute iam:ListRolePolicies ec2:DescribeAddresses ec2:ModifyImageAttribute ec2:AllocateAddress ec2:CreateNatGateway ec2:DescribeInstances ec2:DescribeSubnets iam:ListAttachedGroupPolicies ec2:DescribeInstanceAttribute SNS:Subscribe logs:DeleteMetricFilter ec2:CreateImage s3:ListBucket ec2:DescribeInstanceTypes ec2:DescribeLaunchTemplates ec2:DescribeSecurityGroups ec2:CreateSubnet ec2:StopInstances SNS:CreateTopic ec2:CreateNetworkAclEntry SNS:SetTopicAttributes SNS:Unsubscribe ec2:DeleteSubnet s3:GetBucketWebsite ec2:ReleaseAddress iam:RemoveRoleFromInstanceProfile ec2:AttachInternetGateway logs:PutMetricFilter SNS:GetTopicAttributes ec2:DescribeRegions ec2:AuthorizeSecurityGroupEgress ec2:DescribeInstanceStatus ec2:DescribeAvailabilityZones ec2:CreateLaunchTemplate ec2:DescribeTags ec2:DeleteSnapshot logs:DescribeMetricFilters SNS:GetSubscriptionAttributes logs:DescribeLogGroups ec2:CreateRoute ec2:CreateTags ec2:DescribeIamInstanceProfileAssociations iam:ListGroupsForUser ec2:DeleteLaunchTemplate s3:ListBucketVersions s3:PutBucketWebsite autoscaling:SuspendProcesses kms:*
  - GCP role permissions
    Note: To run the permission validation, GCP requires at least the Browser role.
    - Artifact Registry Administrator
    - Cloud KMS CryptoKey Encrypter/Decrypter
    - Compute Instance Admin (v1)
    - Compute Network Admin
    - Compute Security Admin
    - DNS Administrator
    - Service Account User
    - Storage Admin
    - Browser
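A pre-flight check of an IAM policy document against the AWS permissions listed above, as an added example that is not part of cloudkit or of the original page. It assumes an identity policy with plain Allow/Action statements and ignores Deny, NotAction, conditions, resource scoping, permission boundaries and SCPs, so the cloudkit validate command remains the authoritative check; the function names and the sample policy are constructed for illustration.

```python
import json
import re

# A few of the AWS actions listed above; paste the full list into REQUIRED
# for a real pre-flight check before running `cloudkit validate`.
REQUIRED = """
ec2:RunInstances ec2:CreateVpc ec2:DescribeInstances iam:PassRole kms:*
s3:CreateBucket SNS:CreateTopic logs:CreateLogGroup servicequotas:ListServiceQuotas
""".split()

# Constructed identity policy for the deploying user (not from the page).
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["ec2:*", "s3:Create*", "sns:CreateTopic", "kms:Decrypt"]},
  {"Effect": "Deny", "Resource": "*", "Action": "logs:*"}
]}
""")

def action_regex(pattern):
    """Compile an IAM action pattern (* and ? wildcards, case-insensitive)."""
    body = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(body + r"\Z", re.IGNORECASE)

def allowed_patterns(policy):
    """Collect the Action entries of every Allow statement."""
    stmts = policy.get("Statement", [])
    out = []
    for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            acts = stmt["Action"]
            out += [acts] if isinstance(acts, str) else list(acts)
    return out

def missing_actions(policy, required=REQUIRED):
    """Required actions that no Allow statement covers. A required wildcard
    (kms:*) is matched as a literal, so a narrower grant does not satisfy it."""
    grants = [action_regex(p) for p in allowed_patterns(policy)]
    return [a for a in required if not any(g.match(a) for g in grants)]

def broader_than_listed(policy, required=REQUIRED):
    """Wildcard grants that are not themselves on the required list."""
    listed = {a.lower() for a in required}
    return [p for p in allowed_patterns(policy)
            if ("*" in p or "?" in p) and p.lower() not in listed]

if __name__ == "__main__":
    print("missing:", missing_actions(SAMPLE_POLICY))
    print("broader than listed:", broader_than_listed(SAMPLE_POLICY))
```

The second function reports grants such as ec2:* that would let the deployment succeed while giving the installer identity more than the listed actions.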
Deployment
Before deploying IBM Storage Scale on a public cloud, make sure to complete the procedures described in Initialization.
To understand the deployment options provided by the cloudkit, you need to know how the cloudkit deploys IBM Storage Scale on a cloud and the stages it goes through:
- Cloudkit uploads the required GPFS binary to a cloud repository.
  - Use the cloudkit create repository command to optionally create a package repository on the cloud object store.
- Cloudkit prepares the cloud operating system image based on a cloud repository.
  - Use the cloudkit create image command to optionally create a virtual machine image containing all IBM Storage Scale packages preinstalled.
- Cloudkit deploys an IBM Storage Scale cluster using the previously created operating system image.
  - Use the cloudkit create cluster command to create an IBM Storage Scale cluster. This command can be used to create an IBM Storage Scale storage, compute, or combined cluster.
To help you plan your required deployment architecture, refer to Planning the virtual private cloud (VPC) architecture for AWS and Planning the virtual private cloud (VPC) architecture for GCP.
Administering
- Use the cloudkit grant filesystem command to remote mount a filesystem from a storage cluster to a compute cluster previously created by the same instance of cloudkit.
- Use the cloudkit grant repository command to provide access to a package repository located on the cloud object store to a specific Virtual Private Cloud.
- Use the cloudkit grant guiaccess command to provide scale storage GUI access through the jump host.
- Use the cloudkit revoke filesystem command to remove a previous remote mount configuration.
- Use the cloudkit revoke repository command to remove the access from a Virtual Private Cloud to a repository.
- Use the cloudkit revoke guiaccess command to remove scale storage GUI access through the jump host.
- Use the cloudkit edit cluster command to scale out cluster resources.
For more information, see Administering cloudkit.
To see an end-to-end process of using interactive command, see .
Upgrade
- Use the cloudkit upgrade repository command to upgrade the existing repository to the specified cloudkit version.
- Use the cloudkit upgrade cluster command to upgrade the existing cluster to the specified cloudkit version.
For more information, see Upgrading IBM Storage Scale on cloud.
Cleanup
- Use the cloudkit delete cluster command to delete the cluster.
- Use the cloudkit delete repo command to delete the repository.
- Use the cloudkit delete image command to delete the image.
If a cluster was created together with a jumphost through cloudkit, the jumphost is deleted as part of the cluster deletion operation. If this jumphost is being used by other clusters, their access might be impacted. Therefore, verify the usage of the jumphost before proceeding with the deletion.
The following table lists the command options to perform cloud resource provisioning, IBM Storage Scale install and configuration.
cloudkit command option | Purpose |
---|---|
configure | Configure local machine to use your cloud account |
create | Create a resource from stdin |
delete | Delete a specific resource |
describe | Show details of a specific resource |
grant | Grant access to a specific resource |
help | Help about any command |
init | Installs prerequisite(s) required for the utility |
list | List a resource from stdin |
revoke | Revoke filesystem mount access |
validate | Validate resources |
edit | Edit a specific resource |
upgrade | Upgrade a resource from stdin |
version | Prints the version number of the tool |
Other Considerations
Firewall ports that cloudkit adds to its ingress
Compute cluster with bastion:
Port | Protocol | Description |
---|---|---|
-1 | ICMP | Allow ICMP traffic from bastion to compute instances |
22 | TCP | Allow SSH traffic from bastion to compute instances |
-1 | ICMP | Allow ICMP traffic within compute instances |
22 | TCP | Allow SSH traffic within compute instances |
1191 | TCP | Allow GPFS intra cluster traffic within compute instances |
60000-61000 | TCP | Allow GPFS ephemeral port range within compute instances |
47080 | TCP | Allow management GUI (http/localhost) TCP traffic within compute instances |
47443 | UDP | Allow management GUI (https/localhost) TCP traffic within compute instances |
4444 | TCP | Allow management GUI (https/localhost) TCP traffic within compute instances |
4739 | TCP | Allow management GUI (localhost) TCP traffic within compute instances |
4739 | UDP | Allow management GUI (localhost) UDP traffic within compute instances |
9080 | TCP | Allow performance monitoring collector traffic within compute instances |
9081 | TCP | Allow performance monitoring collector traffic within compute instances |
80 | TCP | Allow http traffic within compute instances |
443 | TCP | Allow https traffic within compute instances |
443 | TCP | Allow GUI traffic from bastion/jumphost |

Port | Protocol | Description |
---|---|---|
-1 | ICMP | Allow ICMP traffic from bastion to storage instances |
22 | TCP | Allow SSH traffic from bastion to storage instances |
-1 | ICMP | Allow ICMP traffic within storage instances |
22 | TCP | Allow SSH traffic within storage instances |
1191 | TCP | Allow GPFS intra cluster traffic within storage instances |
60000-61000 | TCP | Allow GPFS ephemeral port range within storage instances |
47080 | TCP | Allow management GUI (http/localhost) TCP traffic within storage instances |
47443 | UDP | Allow management GUI (https/localhost) TCP traffic within storage instances |
4444 | TCP | Allow management GUI (https/localhost) TCP traffic within storage instances |
4739 | TCP | Allow management GUI (localhost) TCP traffic within storage instances |
4739 | UDP | Allow management GUI (localhost) UDP traffic within storage instances |
9080 | TCP | Allow performance monitoring collector traffic within storage instances |
9081 | TCP | Allow performance monitoring collector traffic within storage instances |
80 | TCP | Allow http traffic within storage instances |
443 | TCP | Allow https traffic within storage instances |
443 | TCP | Allow GUI traffic from bastion/jumphost |

Port | Protocol | Description |
---|---|---|
-1 | ICMP | Allow ICMP traffic from spectrum scale cluster |
1191 | TCP | Allow GPFS intra cluster traffic from spectrum scale cluster |
443 | TCP | Allow management GUI (http/localhost) TCP traffic from spectrum scale cluster |
60000-61000 | TCP | Allow spectrum scale ephemeral port range |
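A drift check for the "Compute cluster with bastion" ingress list above, as an added example that is not part of cloudkit or of the original page. It assumes the rules are supplied in the IpPermissions shape that `aws ec2 describe-security-groups` returns, and it flags ingress outside the documented ports as well as documented ports opened to any address, since the list describes traffic only from the bastion or within the instances; the sample rules and function names are constructed.

```python
# Ingress documented above for "Compute cluster with bastion", as
# (protocol, from_port, to_port); protocols are copied as the page prints them.
DOCUMENTED = {
    ("icmp", -1, -1), ("tcp", 22, 22), ("tcp", 1191, 1191), ("tcp", 80, 80),
    ("tcp", 60000, 61000), ("tcp", 47080, 47080), ("udp", 47443, 47443),
    ("tcp", 4444, 4444), ("tcp", 4739, 4739), ("udp", 4739, 4739),
    ("tcp", 9080, 9080), ("tcp", 9081, 9081), ("tcp", 443, 443),
}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed IpPermissions entries in the shape returned by
# `aws ec2 describe-security-groups` (group id and CIDRs are made up).
SAMPLE = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "UserIdGroupPairs": [{"GroupId": "sg-0bastionexample"}]},
    {"IpProtocol": "tcp", "FromPort": 1191, "ToPort": 1191,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]

def sources(perm):
    """Flatten the CIDR and security-group sources of one entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            + [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])])

def documented(proto, lo, hi):
    """True if the port range lies inside a documented range for proto."""
    if proto == "icmp":  # FromPort/ToPort carry ICMP type/code, not ports
        return ("icmp", -1, -1) in DOCUMENTED
    return any(p == proto and a <= lo and hi <= b for p, a, b in DOCUMENTED)

def audit(perms):
    """Return (finding, protocol, from_port, to_port, source) tuples."""
    findings = []
    for perm in perms:
        proto = perm["IpProtocol"]
        lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)  # absent for "-1"
        for src in sources(perm):
            if not documented(proto, lo, hi):
                findings.append(("undocumented", proto, lo, hi, src))
            elif src in WORLD:
                findings.append(("open-to-world", proto, lo, hi, src))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```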