Install Portworx on VMware PKS running on cloud environments

Perform the steps in this document to install Portworx on VMware Pivotal Container Service (PKS) running on cloud environments.

NOTE: If you have a compute load that can elastically increase or decrease based on workload demand, you might want to learn how to install Portworx in disaggregated mode.

Step 1: PKS preparation

Before installing Portworx, let’s ensure the PKS environment is prepared correctly.

Enable privileged containers and kubectl exec

Ensure that the following options are enabled on all plans on the PKS tile:

  • Enable Privileged Containers
  • Disable DenyEscalatingExec (this is useful for running pxctl commands through kubectl exec)

Enable zero downtime upgrades for Portworx PKS clusters

Use the following steps to add a runtime addon to the Bosh Director to stop the Portworx service.

Why is this needed? When stopping and upgrading instances, bosh attempts to unmount /var/vcap/store. Portworx has the root filesystem for its OCI container mounted on /var/vcap/store/opt/pwx/oci, and the runc container runs from it. Portworx therefore has to be stopped and /var/vcap/store/opt/pwx/oci unmounted before bosh can proceed with stopping the instances. The addon does this automatically, which enables zero downtime upgrades.

Perform these steps on any machine where you have the bosh CLI.

  1. Create and upload the release.

    Replace director-environment below with the environment which points to the Bosh Director.

    git clone
    cd portworx-stop-bosh-release
    mkdir src
    bosh create-release --final --version=1.0.0
    bosh -e director-environment upload-release
  2. Add the addon to the Bosh Director.

    First let’s fetch your current Bosh Director runtime config.

    bosh -e director-environment runtime-config

    If this is empty, you can simply use the runtime config at runtime-configs/director-runtime-config.yaml.

    If you already have an existing runtime config, add the release and addon in runtime-configs/director-runtime-config.yaml to your existing runtime config.

    Once we have the runtime config file prepared, let’s update it in the Director.

    bosh -e director-environment update-runtime-config runtime-configs/director-runtime-config.yaml
  3. Apply the changes.

    After the runtime config is updated, go to your Operations Manager Installation Dashboard and click “Apply Changes”. This ensures that bosh adds the addon to all new VM instances.

    If you already have an existing Portworx cluster, you will need to recreate the VM instances using the bosh recreate command.

Step 2: Install Etcd

Portworx uses a key-value store for its clustering metadata. There are a couple of options here:

2a: Install etcd your own way

If you are planning to install Etcd your own way, you can skip this section and proceed to Step 3: Installing Portworx.

2b: Install using bosh CFCR etcd release

Follow Installing Etcd using CFCR etcd release and return here once done.

After the above steps, you should have all the etcd certs in the etcd-certs directory. These need to be put in a Kubernetes secret so that Portworx can consume them.

kubectl -n kube-system create secret generic px-kvdb-auth --from-file=etcd-certs/
kubectl -n kube-system describe secret px-kvdb-auth

The output should look like the following, which shows that the etcd certs are present in the secret.

Name:         px-kvdb-auth
Namespace:    kube-system
Labels:       <none>
Annotations:  <none>

Type:  Opaque

etcd-ca.crt:      1679 bytes
etcd.crt:  1680 bytes
etcd.key:  414  bytes
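
Because `--from-file=etcd-certs/` packs every regular file in the directory into the secret, it is worth checking the directory before running the create command. The following preflight check is an added example, not part of the Portworx documentation; the function name `check_etcd_certs_dir` is hypothetical, and the expected file names are taken from the `describe secret` output above.

```shell
#!/bin/sh
# Added example: preflight check for the directory passed to
#   kubectl -n kube-system create secret generic px-kvdb-auth --from-file=etcd-certs/
# Assumption: the secret should hold exactly the three files listed in the
# `describe secret` output on this page.
EXPECTED_FILES="etcd-ca.crt etcd.crt etcd.key"

# check_etcd_certs_dir DIR
# Returns 0 if DIR holds exactly the expected files and etcd.key is owner-only.
# Prints one line per problem to stderr and returns 1 otherwise.
check_etcd_certs_dir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "error: $dir is not a directory" >&2
        return 1
    fi

    # 1. Every expected file must exist and be non-empty.
    for name in $EXPECTED_FILES; do
        if [ ! -s "$dir/$name" ]; then
            echo "error: $dir/$name is missing or empty" >&2
            rc=1
        fi
    done

    # 2. Every regular file in DIR ends up in the secret, so anything
    #    unexpected (for example a CA private key) is flagged.
    for path in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$path" ] && [ ! -L "$path" ] || continue
        base=${path##*/}
        case " $EXPECTED_FILES " in
            *" $base "*) ;;
            *) echo "error: unexpected file $path would be added to the secret" >&2
               rc=1 ;;
        esac
    done

    # 3. The private key must not be accessible to group or others.
    if [ -f "$dir/etcd.key" ]; then
        perms=$(ls -ld "$dir/etcd.key" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "error: $dir/etcd.key is accessible to group/others" >&2
            rc=1
        fi
    fi
    return $rc
}
```

Run `check_etcd_certs_dir etcd-certs` and create the secret only when it returns 0.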

Step 3: Installing Portworx

Portworx supports PKS (Pivotal Container Service) on various platforms.

If running on AWS, continue at Portworx install with AWS Auto Scaling Groups.

If running on GCP, continue at Portworx install on Google Cloud Platform.

If running on VMware vSphere, continue at Portworx install on PKS on vSphere.

Last edited: Monday, Aug 15, 2022