Use Pure Cloud Block Store as Backend Storage

Pure Cloud Block Store is a storage solution from Pure Storage that delivers enterprise-grade block storage capabilities within both Microsoft Azure and Amazon Web Services (AWS). It enables consistent operations and seamless workload mobility across on-premises, AWS, and Azure environments.

Key features include:

• Data mobility for disaster recovery and cloud migration
• Built-in data services, including compression, deduplication, and snapshots
• High availability through deployment across multiple availability zones
• Cost efficiency via thin provisioning and flexible pricing models

This combination of unified management and robust fault tolerance makes Pure Cloud Block Store well-suited for mission-critical applications, ensuring business continuity, data protection, and operational resilience.

Architecturally, Pure Cloud Block Store is based on Pure Storage’s FlashArray technology and delivers high availability and performance through a software-defined design optimized for cloud environments. It maintains consistent IOPS, low latency, and built-in redundancy across cloud infrastructure. For more information, see the Pure Cloud Block Store documentation.

Before you begin preparing your environment, ensure that all system requirements are met.

Install Pure Cloud Block Store

PX-CSI supports deploying Pure Cloud Block Store on both Amazon Web Services (AWS) and Microsoft Azure. To deploy CBS, refer to the following documentation:

• Pure Cloud Block Store for Azure
• Pure Cloud Block Store for AWS

Configure your Cloud Block Store

Before you install PX-CSI, verify network connectivity between your cluster nodes and CBS.

• Ensure that each node can access the Cloud Block Store management IP address.
• Ensure your cluster has an operational Cloud Block Store with an existing data plane connectivity layout (iSCSI).
• Ensure that storage node iSCSI initiators are on the same VLAN as the Cloud Block Store iSCSI target ports.
• Obtain an API token for a user on your Cloud Block Store with at least storage_admin permissions. See your array documentation for instructions.

Configure the multipath.conf file

• FlashArray and PX-CSI do not support user-friendly names. Set user_friendly_names to no before installing PX-CSI to keep device names consistent.
• Add polling_interval 10 as recommended in RHEL settings. This defines how often the system checks for path status updates.
• To avoid interference from the multipathd service during PX-CSI volume operations, set the pxd device denylist rule.

Your /etc/multipath.conf file should follow this structure:

important

Set find_multipaths to no in the defaults section because each controller has only one iSCSI path.

blacklist {
  devnode "^pxd[0-9]*"
  devnode "^pxd*"
  device {
    vendor "VMware"
    product "Virtual disk"
  }
}

defaults {
  polling_interval 10
  find_multipaths no
}

devices {
  device {
    vendor                "NVME"
    product               "Pure Storage FlashArray"
    path_selector         "queue-length 0"
    path_grouping_policy  group_by_prio
    prio                  ana
    failback              immediate
    fast_io_fail_tmo      10
    user_friendly_names   no
    no_path_retry         0
    features              0
    dev_loss_tmo          60
  }
  device {
    vendor                "PURE"
    product               "FlashArray"
    path_selector         "service-time 0"
    hardware_handler      "1 alua"
    path_grouping_policy  group_by_prio
    prio                  alua
    failback              immediate
    path_checker          tur
    fast_io_fail_tmo      10
    user_friendly_names   no
    no_path_retry         0
    features              0
    dev_loss_tmo          600
  }
}

Configure udev rules

Configure queue settings with udev rules on all nodes. For recommended FlashArray settings, see Applying Queue Settings with udev.

Apply multipath and udev configurations

Apply the multipath and udev configurations created in the previous sections so the changes take effect.

Kubernetes

1. Update the multipath.conf file as described in Configure the multipath.conf file and restart the multipathd service on all nodes:

   systemctl restart multipathd.service

2. Create the udev rules as described in Configure udev rules and apply them on all nodes:

   udevadm control --reload-rules && udevadm trigger

OpenShift

Use a MachineConfig in OpenShift to apply multipath and udev configuration files consistently across all nodes.

1. Encode the configuration files in base64 format and add them to the MachineConfig, as shown in the following example:

   apiVersion: machineconfiguration.openshift.io/v1
   kind: MachineConfig
   metadata:
     creationTimestamp:
     labels:
       machineconfiguration.openshift.io/role: worker
     name: <your-machine-config-name>
   spec:
     config:
       ignition:
         version: 3.2.0
       storage:
         files:
         - contents:
             source: data:text/plain;charset=utf-8;base64,<base64-encoded-multipath-conf>
           filesystem: root
           mode: 0644
           overwrite: true
           path: /etc/multipath.conf
         - contents:
             source: data:text/plain;charset=utf-8;base64,<base64-encoded-udev_conf>
           filesystem: root
           mode: 0644
           overwrite: true
           path: /etc/udev/rules.d/99-pure-storage.rules
       systemd:
         units:
         - enabled: true
           name: iscsid.service
         - enabled: true
           name: multipathd.service

2. Apply the MachineConfig to your cluster:

   oc apply -f <your-machine-config-name>.yaml

Set up user access in FlashArray

To establish secure communication between PX-CSI and FlashArray, create a user account and generate an API token. This token allows PX-CSI to perform storage operations on behalf of the authorized user.

FlashArray without secure multi-tenancy

1. Create a user:

   1. In the FlashArray dashboard, select Settings in the left pane.
   2. On the Settings page, select Access.
   3. In the Users section, select the vertical ellipsis in the top-right corner and choose Create User:
   4. In Create User, enter the details and set the role to Storage Admin.
   5. Select Create to add the user.

2. Generate an API token:

   1. Select the user in Users, open the vertical ellipsis for the username, and choose Create API Token:
   2. In API Token, leave Expires in blank if you want a token that never expires, then select Create.
   3. Save the token for later use.

FlashArray with secure multi-tenancy

1. Create a realm for each customer. Volumes created by PX-CSI will be placed in this realm.

   purerealm create <customer1-realm>

   Name                Quota Limit
   <customer1-realm>   -

2. Create a pod in the realm. A pod defines where volumes are placed.

   purepod create <customer1-realm>::<fa-pod-name>

3. Create a policy for the realm. Ensure you have administrative privileges.

   purepolicy management-access create --realm <customer1-realm> --role storage --aggregation-strategy all-permissions <realm-policy>

   For basic privileges:

   purepolicy management-access create --realm <customer1-realm> --role storage --aggregation-strategy least-common-permissions <realm-policy>

4. Verify the policy.

   purepolicy management-access list

   Name            Type          Enabled  Capability  Aggregation Strategy   Resource Name       Resource Type
   <realm-policy>  admin-access  True     all         all-permissions        <customer1-realm>   realms

5. Create a user linked to the policy.

   pureadmin create --access-policy <realm-policy> <flasharray-user>

   Enter password:
   Retype password:
   Name               Type   Access Policy
   <flasharray-user>  local  <realm-policy>

6. Sign in as the new user in the FlashArray CLI.

7. Create an API token.

   pureadmin create --api-token

Create the pure.json file

To integrate PX-CSI with FlashArray, create a JSON configuration file named pure.json that contains information about your FlashArray environment. Include management endpoints and the API token you generated.

• Management endpoints: URLs or IP addresses that PX-CSI uses to communicate with FlashArray. In the FlashArray dashboard, go to Settings > Network and note the IP addresses or hostnames of management interfaces (prefixed with vir, indicating virtual interfaces).
• API token: The token you generated in the previous section.
• Realm (secure multi-tenancy only): Realms define tenant boundaries. When multiple FlashArrays are attached to a cluster, specify a realm to isolate volumes per tenant.
• VLAN (only for VLAN binding): Specify the VLAN ID to which the host should be bound.

Use the information above to create a JSON file. Below is a template you can populate with your values:

FlashArray without secure multi-tenancy

{
  "FlashArrays": [
    {
      "MgmtEndPoint": "<fa-management-endpoint>",
      "APIToken": "<fa-api-token>",
      "VLAN": "<vlan-id>"
    }
  ]
}

FlashArray with secure multi-tenancy

{
  "FlashArrays": [
    {
      "MgmtEndPoint": "<first-fa-management-endpoint1>",
      "APIToken": "<first-fa-api-token>",
      "Realm": "<first-fa-realm>",
      "VLAN": "<vlan-id>"
    }
  ]
}

(Optional) CSI topology feature

PX-CSI supports topology-aware storage provisioning. By specifying topology information (node, zone, or region), you can control where volumes are provisioned to meet availability, performance, and fault-tolerance requirements. See CSI topology.

To prepare your environment for topology-aware provisioning:

1. Edit pure.json to define the topology for each FlashArray. For details, see pure.json with CSI topology.

2. Label your Kubernetes nodes with values that match the labels in pure.json. For example:

   kubectl label node <nodeName> topology.portworx.io/zone=zone-0
   kubectl label node <nodeName> topology.portworx.io/region=region-0

Add FlashArray configuration to a Kubernetes secret

To enable PX-CSI to access the FlashArray configuration, add pure.json to a Kubernetes secret named px-pure-secret:

Kubernetes

kubectl create secret generic px-pure-secret --namespace <stc-namespace> --from-file=pure.json=<file path>

secret/px-pure-secret created

OpenShift

oc create secret generic px-pure-secret --namespace <stc-namespace> --from-file=pure.json=<file path>

secret/px-pure-secret created

Volume attachment limits

PX-CSI supports up to 512 volume attachments per node** when using Pure Cloud Block Store (CBS), which communicates over the iSCSI transport. The effective limit depends on the Linux storage stack, host bus adapter (HBA), and driver configuration.

Before deploying PX-CSI, ensure that the operating system (OS) and HBAs are configured to support the number of attachments required for your workloads.

Use the following command to inspect the LUN limit on your nodes:

cat /sys/module/scsi_mod/parameters/max_luns

Verify the iSCSI connection with Cloud Block Store

If you use the iSCSI protocol, verify your setup:

1. Discover iSCSI targets from a node:

   iscsiadm -m discovery -t st -p <flash-array-interface-endpoint>

   10.13.xx.xx0:3260,207 iqn.2010-06.com.purestorage:flasharray.xxxxxxx
   10.13.xx.xx1:3260,207 iqn.2010-06.com.purestorage:flasharray.xxxxxxx

2. Verify that each node has a unique initiator:

   cat /etc/iscsi/initiatorname.iscsi

   InitiatorName=iqn.1994-05.com.redhat:xxxxx

3. If initiator names are not unique, assign a new unique initiator name:

   echo "InitiatorName=`/sbin/iscsi-iname`" > /etc/iscsi/initiatorname.iscsi

4. Restart the iSCSI service to apply changes:

   systemctl restart iscsid

important

Once you set up Pure Cloud Block Store, storage operations such as creating or resizing a PVC, and taking snapshots are the same as on FlashArray. Refer to the FlashArray sections in this documentation for guidance on performing these tasks.