How To
Summary
Summary of the newer command for PowerVC the Power System enhanced OpenShift
Objective
Steps
I am just using this blog as somewhere to store my reminders and notes for this major PowerVC release.
Editions
PowerVC now has two Editions:
- PowerVC Standard for PowerKVM
- PowerVC Standard for PowerVM
- Cloud PowerVC Manager for PowerVM
You can upgrade from PowerVC Standard Edition for PowerVM to Cloud PowerVC Manager for PowerVM.
There is already a PowerVC 1.3.1.1 update - recommended.
Also you need HMC 850 and VIOS 2.2.4.22 - recommended.
At the time of the latest review: PowerVC is a version 1.4.4, VIOS 3.1, and HMC 900 series are available.
Database
When upgrading to PowerVC 1.3.1 the underlying database will be changed from DB2 to MariaDB, which is Open Source and has other advantages too. The upgrade is done automatically behind the covers.
You can't save and restore from PowerVC on Intel to PowerVC on Power nor between Big Endian (BE) to Little Endian (LE) images.
Standard Editions new features:
- AIX Active Memory Expansion
- Dynamic Resource Optimiser – can be scheduled
- Remove a VM but keep the storage “just in case”
- Novalink improvements
- Project & user role admin for separating resources: VMs, Disks, Images
- Hitachi Storage Provider: This feature was postponed. It is best to ask Hitachi why?
Prices
Prices are not covered on a technical website. The Cloud PowerVC Edition has a higher price than the Standard Edition that we have had a number of years.
Warning: Only do this upgrade to Cloud AFTER you have paid up to stay legal.
Useful weblinks:
- Know
ledg ecen ter Top Menu for Sta ndar d Ed itio n - Know
ledg ecen ter Top menu for Clo ud P ower VC M anag er E diti o n - Know
ledg ecen ter Stan dard Edi tion Wha t is Ne w - Know
ledg ecen ter inst all clou dini t on Lin ux o n Po we r - Know
ledg ecen ter inst all clou dini t on AIX on Powe r - Know
ledg ecen ter Powe rVC 131 Clou d Ma nagi ng A dmi n - Know
ledg ecen ter Powe rVC 131 Clou d Me teri ng - Onl y fo r th e br ave "old sch ool hack er "
Videos on YouTube
- YouT
ube Powe rVC 1.3. 1 pa rt 1 Sta ndar d Ed itio n Up date and Ins tall in g - YouT
ube Powe rVC 1.3. 1 pa rt 2 Pro ject s an d Ro le s
Projects and User Roles
The commands used in the second YouTube video are here. It might help you get started.
Adding a user to access the PowerVC GUI, instead of root
# adduser powervc -p SECRET
# source /opt/ibm/powervc/powervcrc
# export OS_USERNAME=root
# export OS_PASSWORD=SECRET <-- actual password
# openstack role add --project ibm-default --user powervc admin
Add a project and list it
# openstack project create --description "Six Project" six
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Six Project |
| domain_id | default |
| enabled | True |
| id | 4e5ed9491daf44319eab573ebd0825e6 |
| is_domain | False |
| name | six |
| parent_id | default |
+-------------+----------------------------------+
# openstack project list
+----------------------------------+-------------+
| ID | Name |
+----------------------------------+-------------+
| 135537788461455183a90a4886142a65 | powervm |
| 1f0ca545a81a4fffa8af6cf5fd2bea91 | ibm-default |
| 4e5ed9491daf44319eab573ebd0825e6 | six |
| aa0ed38f28154f0aaac3c0e60decfb65 | service |
+----------------------------------+-------------+
Create users and roles for access to a project
# adduser sixadmin -p 666 ? NOT good password
# adduser halfdozen -p 666 ? NOT good password
#
# openstack role add --project six --user sixadmin admin
# openstack role add --project six --user halfdozen admin
# openstack user list
+--------------------------+-------------------+
| ID | Name |
+--------------------------+-------------------+
. . .
| 1dd45dfca1d83b0e38 . . . | powervc |
| 79d13683f8ab37b1d5 . . . | sixadmin |
| 897db369914c6109c4 . . . | halfdozen |
+--------------------------+-------------------+
Ooops - Fixing a Role
# openstack role remove --project six --user halfdozen admin
# openstack role add --project six --user halfdozen deployer
How do you list the resulting Projects and User assignments?
-
Version 2 of this section after assistance from IBM developers (cheers team)
You do that with the command: openstack role assignment list but with a load of options and some scripting to remove "fluff" reorder and put back the columns . We what by project and by user listings.
Notes:
- -f value stops the ghastly ASCII Table look from the 1970's
- -c column-name selects what is output
- --name removes the massive hexadecimal id and gets you the user-friendly names (note the double"-")
Removing @Service lines removes Internal users and we don't need the output littered with the @Default domain.
By Project + Role + Username
# openstack role assignment list -c Project -c Role -c User --names -f value \
| grep -v @Service | sed 's/@Default//g' | \
awk '{ printf "%-15s %-15s %-15s\n", $3, $1, $2 }' | sort
eight admin eightadmin
eight admin nag
eight admin powervc
eight deployer eightdep
eight self_service eightself
eight self_service humble
ibm-default admin nag
ibm-default admin powervc
ibm-default admin root
ibm-default self_service humble
seven admin nag
seven admin powervc
seven admin sevenadmin
seven deployer sevendep
seven self_service humble
seven self_service selfish
seven self_service sevenself
six admin nag
six admin powervc
six admin sixadmin
six deployer halfdozen
six self_service humble
six self_service sixtine
six self_service sixtus
By Username + Project + Role:
# openstack role assignment list -c Project -c Role -c User \
--names -f value | grep -v @Service | sed 's/@Default//g' | \
awk '{ printf "%-15s %-15s %-15s\n", $2, $3, $1 }' | sort
eightadmin eight admin
eightdep eight deployer
eightself eight self_service
halfdozen six deployer
humble eight self_service
humble ibm-default self_service
humble seven self_service
humble six self_service
nag eight admin
nag ibm-default admin
nag seven admin
nag six admin
powervc eight admin
powervc ibm-default admin
powervc seven admin
powervc six admin
root ibm-default admin
selfish seven self_service
sevenadmin seven admin
sevendep seven deployer
sevenself seven self_service
sixadmin six admin
sixtine six self_service
sixtus six self_service
Two New Troublesome Commands
These two commands are difficult to understand due to their "quirky" design and lack of documentation.
Here are my notes - I hope it means you don't waste the hours I have to work them out.
powervc-config
Problem there is not overall documentation explaining the 13 things you can set. The only way to work it out what this command done is so run the command 20 times with different sub and sub-sub commands.
I am going to ignore the many audit and debug settings - I assume the settings are useful for diagnosing problems. I would expect PowerVC Support to tell me what to run. I guess audit would add information to logging files and debug increase the trace and error logs.
The following command finds the current settings with example output from my PowerVC 1.3.1.1 on RHEL7.1 BE on POWER8. Most of the settings are the default values except the network ones.
If you add a "-h" after the same command (not the double quotes), then it shows you how to set the same variable.
I had to use the command to set the network domain as follows as the root user:
# /usr/bin/powervc-config compute server-domain --set ats.uk.ibm.com
The default domain name was updated for the specified hosts.
Verify that no tasks are in-progress, then run the
'/opt/ibm/powervc/bin/powervc-services nova restart' command to
restart the nova services and complete the operation.
# powervc-config general ifconfig
PowerVC IP version : 4
PowerVC management address: vm17.ats.uk.ibm.com
PowerVC hostname: vm17
ifconfig Change the hostname or IP address of the PowerVC controller
# powervc-config general ipaddress
Current value: 9.137.62.17
ipaddress The IP address of the PowerVC controller Warning: This option will be deprecated in future releases.
# powervc-config general hostname
Current value: vm17
hostname The hostname of the PowerVC controller Warning: This option will be deprecated in future releases.
# powervc-config identity token_expiration
Current value: 6:00:00
Default value: 6:00:00
token_expiration Configure the expiration interval for the identity token
Note: It is not documented but I think this format is Hours:Minutes:Seconds - also used below.
# powervc-config identity repository
PowerVC is configured for operating system authentication.
repository Configure the repository for authentication credentials, for example an LDAP server.
# powervc-config image image_size_cap
Current value: 1099511627776 B
Default value: 1099511627776 B
image_size_cap Configure the maximum image size, which can be uploaded through PowerVC controller
# powervc-config image user_storage_quota
Current value: 0 B
Default value: 0 B
user_storage_quota Configure the maximum amount of per-user image storage.
# powervc-config storage portgroup
usage: powervc-config storage portgroup [-h] --arrayid ArrayID [--portgroup PortGroup] [--add] [--remove] [--list] [--restart]
portgroup Configure the EMC VMAX PortGroup list
Note: I don't have an EMC disk unit so I am not clear on the details.
# powervc-config compute server-domain
[global] ats.uk.ibm.com
828642A_100DC7V ats.uk.ibm.com
8408E8E_21A494V ats.uk.ibm.com
828422A_215E96V ats.uk.ibm.com
9117MMB_100C25P ats.uk.ibm.com
8231E2B_06FA44P ats.uk.ibm.com
8231E1C_0659GDR ats.uk.ibm.com
8233E8B_100W72P ats.uk.ibm.com
8233E8B_100S71P ats.uk.ibm.com
server-domain Display or set the default virtual machine domain name
# powervc-config metering meter_ttl
Current value: 14 days, 0:00:00
Default value: 14 days, 0:00:00
meter_ttl Configure the time to live interval for the meter data.
# powervc-config metering event_ttl
Current value: 270 days, 0:00:00
Default value: 270 days, 0:00:00
event_ttl Configure the time to live interval for the event data.
# powervc-config web inactivity_timeout
Current value: 2:00:00
Default value: 2:00:00
inactivity_timeout Time that UI users will be allowed to idle before being prompted and logged out. Value 0 or less will disable the timer.
# powervc-config web token_expiration_warning_time
Current value: 0:15:00
Default value: 0:15:00
token_expiration_warning_time Time before token expiration to prompt user for password to obtain new token. Value 0 or less will disable the timer.
powervc-cloud-config for Setting Policies on Projects
This command applies to the Cloud PowerVC 1.3.1.1+ manager Edition (I think). This command scores highly on my weird-command-o-meter and I am worried about the sanity of the developer!
First, you need to understand this command is using (as far as I can determine) the remote REST API to "talk" to the PowerVC/OpenStack running on the current system. For this function to work you have to set 14 shell variables. It also required to use the "openstack" command to control Cloud Edition Projects and User Roles - so it is not so strange.
As the root user, get your shell to read and set the shell variables in this powervcrc file:
source /opt/ibm/powervc/powervcrc
Then, you need to check the OS_USER_NAME and OS_PASSWORD variables have the correct settings as root:
env | egrep -e OS_USERNAME -e OS_PASSWORD
OS_PASSWORD=
OS_USERNAME=
If blank (like the previous example) set them on a default set up machine to the root user and password. As root:
export OS_USERNAME=root
export OS_PASSWD=SECRET
To list the options, you can set use the following:
# powervc-cloud-config list-policy-type
SUCCESS.
{
"policy_types": [
"expired_resources_lifetime",
"default_request_wait_time",
"extension_approval_limit",
"deploy_approval_limit",
"default_expiration_days",
"snapshot_approval_limit"
]
}
Yes it is odd - displaying the result in a Python program code style or JSON format!
The following panel lists of six items you can change.
Policy | Description | |
1 | expi |
After a virtual machine is expired, this is the number of days before the virtual machine is deleted |
2 | defa |
Days waiting for virtual machine approval before its automatically approved |
3 | exte |
Number of virtual machine user expire extensions before approval is needed |
4 | depl |
Number of virtual machines a user can have without needing approval |
5 | defa |
Number for the default days before the virtual machine is expired and a limit to the maximum days that can be requested |
6 | snap |
Number of virtual machine Captures before approval needed |
Fortunately, the Redbook guys cover these details in the PowerVC 1.3.1+ Redbook in Chapter 3
Now the bad news - the settings can be set to a value (by you) or not set at all. Not set at all is the default. If it is "not set" then it is assumed to have a special meaning and I don't see a way to get this out of the command. There are no details about the units used. A value of -1 and zero have special meanings for some variables.
Example: expired_resources_lifetime is in days. The resources are the virtual machines and not-set means "never expire the virtual machines" but you are never going to get these details out of the command.
Read the Redbook for what the six items mean and the special significance or not-set and -1. I am not going to copy it in to this blog.
Next, see that the current settings are using the policy-list. It is not obvious that command does not list the policy names:
# powervc-cloud-config policy-list
SUCCESS.
{
"policies": [ ]
}
Apparently, this command output means no policies have been set, so they all have the "not-set" defaults.
To set one of the policies, follow this example:
# powervc-cloud-config set-policy snapshot_approval_limit 88
Policy Created Successfully.
{
"policy": {
"project_id": "c511b521ca93498397f33f1fa4b16dfc",
"project_name": "ibm-default",
"policy_type": "snapshot_approval_limit",
"value": 88
}
}
Note: this setting was set for the "ibm-default" project. Which is in the shell variables?
# env | grep OS_
OS_REGION_NAME=RegionOne
OS_NETWORK_API_VERSION=2.0
OS_USER_DOMAIN_NAME=Default
OS_IMAGE_API_VERSION=2
OS_PROJECT_NAME=ibm-default
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=root
OS_AUTH_URL=https://vm17:5000/v3/
OS_COMPUTE_API_VERSION=2.25
OS_USERNAME=SECRET
OS_TENANT_NAME=ibm-default
OS_VOLUME_API_VERSION=2
OS_CACERT=/etc/pki/tls/certs/powervc.crt
OS_PROJECT_DOMAIN_NAME=Default
The command appears to be using these to log in with the username and password and the project to use.
Unfortunately, you can not override these shell variables with the command-line options -u (or --user) and -p (or --project).
So if you want to change the settings for different projects, then one way is to do the following. Remote the shell variable settings:
# unset OS_USERNAME
# unset OS_PASSWORD
# unset OS_PROJECT
Then, for my project called "six" and its admin user is "sixadmin" note I am setting a different value for this project:
# powervc-cloud-config --user sixadmin --project six set-policy snapshot_approval_limit 77
Enter password for sixadmin:
SSSSSS <-- password type here
Policy Updated Successfully.
Cool - now lets list the new values - unfortunately that takes two commands - one for each project (ibm-default and six).
# powervc-cloud-config policy-list
Enter password for root:
RRRRRR <-- password type here
SUCCESS.
{
"policies": [
{
"project_id": "c511b521ca93498397f33f1fa4b16dfc",
"project_name": "ibm-default",
"policy_type": "snapshot_approval_limit",
"value": "88"
}
]
}
So project ibm-default value is 88
# powervc-cloud-config --user sixadmin --project six policy-list
Enter password for sixadmin:
SSSSSS <-- password type here
SUCCESS.
{
"policies": [
{
"project_id": "3dcc355325584ddba56c45a96f1f9e79",
"project_name": "six",
"policy_type": "snapshot_approval_limit",
"value": "77"
}
]
}
#
So project "six" value is 77
That seems like hard work to set two numbers! Imagine 5 projects and six settings = 30 commands and passwords to type.
Sounds like a shell script is needed set everything the way you want.
It is easy to get caught out: If OS_TENANT_NAME="ibm-default" then the "--project six" in the following example, is ignored and you are setting the ibm-default project by mistake.!!
unset OS_TENANT_NAME
powervc-cloud-config --project six set-policy default_request_wait_time 5
powervc-cloud-config --project six set-policy deploy_approval_limit 3
powervc-cloud-config --project six set-policy expired_resources_lifetime 90
powervc-cloud-config --project six set-policy extension_approval_limit 4
powervc-cloud-config --project six set-policy default_expiration_days 30
powervc-cloud-config --project six set-policy snapshot_approval_limit 1
- - - The End - - -
Additional Information
Other places to find content from Nigel Griffiths IBM (retired)
- YouTube - YouTube Channel for Nigel Griffiths
- AIXpert Blog
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
14 June 2023
UID
ibm11166302