Prepare your Environment for Installation of Portworx with Everpure Cloud Dedicated

This page includes detailed system requirements that are specific to Everpure Cloud Dedicated to ensure a seamless deployment and optimal performance of Portworx Enterprise in your Kubernetes environment.

Before you begin preparing your environment, ensure that you have an Azure Kubernetes Service (AKS) Cluster that meets the system requirements for installing Portworx Enterprise.

The following collection of tasks describe how to prepare your environment for Portworx installation.

Complete all the tasks to prepare your environment for installation.

Software requirements

Install the following system packages on all nodes, including the control plane node, to support storage provisioning and data path operations when using Everpure Cloud Dedicated.

Category	Requirement
Packages	Ensure that the latest versions of the following packages are installed on nodes where you plan to run Portworx Enterprise: RHEL iscsi-initiator-utils device-mapper-multipath kpartx (installed as part of device-mapper-multipath) Ubuntu open-iscsi multipath-tools kpartx (installed as part of multipath-tools) Debian open-iscsi multipath-tools kpartx (installed as part of multipath-tools) SUSE Linux Enterprise Server open-iscsi multipath-tools kpartx (installed as part of multipath-tools) Note: For NVMe-oF/TCP protocol, you need multipath version 0.8.7 or later.
Red Hat Systems	Ensure that the second action, CAPACITY_DATA_HAS_CHANGED, is uncommented in the 90-scsi-ua.rules file, and restart the udev service.
CSI Snapshot Feature	To use the CSI snapshot feature, install the Snapshot controller and deploy the CRDs available here in your Kubernetes cluster.

Physical network requirements

This section outlines the physical network prerequisites for Portworx to communicate with Everpure Cloud Dedicated.

Ensure proper connectivity and protocol configuration for optimal performance and compatibility

• Ensure the Everpure Cloud Dedicated management IP address is accessible by all nodes.
• Verify that your cluster has an operational Everpure Cloud Dedicated with a configured dataplane connectivity layout.
• Use one of the following storage networking protocols supported by Portworx Enterprise:
  • iSCSI: For block storage over IP networks.
  • NVMe-oF RoCE or NVMe-oF TCP: For high-performance and low-latency storage access.
  • Fibre Channel (FC): For dedicated storage area networks.
• If using iSCSI:
  • Ensure that the storage node iSCSI initiators are on the same VLAN as the Everpure Cloud Dedicated iSCSI target ports.
  • If using multiple NICs to connect to an iSCSI host, ensure all NICs are accessible from the Everpure Cloud Dedicated management IP address.
• If using Fibre Channel:
  • Verify that the storage node Fibre Channel WWNs are correctly zoned to the Everpure Cloud Dedicated Fibre Channel WWN ports.

Disable secure boot mode

Portworx Enterprise requires the secure boot mode to be disabled to ensure it can operate without restrictions. Here's how to disable secure boot mode across different platforms:

RHEL/CentOS

For REHL/CentOS you can perform the following steps to check and disable the secure boot mode:

1. Check the status of secure boot mode:

   /usr/bin/mokutil --sb-state

2. If secure boot is enabled, disable it:

   /usr/bin/mokutil --disable-validation

3. Apply changes by rebooting your system:

   reboot 

VMware

For VMware, navigate to the Edit Setting window of the virtual machine on which you are planning to deploy Portworx Enterprise. Ensure that the checkbox against the Secure Boot option under VM Options is not selected, as shown in the following screenshot:

Verify the status of the secure boot mode

Run the following command to ensure that the secure boot mode is off:

/usr/bin/mokutil --sb-state

SecureBoot disabled

Multipath configuration

• Everpure Cloud Dedicated and Portworx Enterprise do not support user-friendly names. Set user_friendly_names to no before installing Portworx Enterprise on your cluster. This ensures consistent device naming conventions between Portworx and Everpure Cloud Dedicated.
• Add polling_interval 10 as recommended by RHEL Linux settings. This defines how often the system checks for path status updates.
• To avoid interference from the multipathd service during Portworx volume operations, set the pxd device denylist rule.

Your /etc/multipath.conf file should follow this structure:

important

Set find_multipaths to no in the defaults section because each controller has only one iSCSI path.

blacklist {
  devnode "^pxd[0-9]*"
  devnode "^pxd*"
  device {
    vendor "VMware"
    product "Virtual disk"
  }
}

defaults {
  polling_interval 10
  find_multipaths no
}

devices {
  device {
    vendor                "NVME"
    product               "FlashArray"
    path_selector         "queue-length 0"
    path_grouping_policy  group_by_prio
    prio                  ana
    failback              immediate
    fast_io_fail_tmo      10
    user_friendly_names   no
    no_path_retry         0
    features              0
    dev_loss_tmo          60
  }
  device {
    vendor                "PURE"
    product               "FlashArray"
    path_selector         "service-time 0"
    hardware_handler      "1 alua"
    path_grouping_policy  group_by_prio
    prio                  alua
    failback              immediate
    path_checker          tur
    fast_io_fail_tmo      10
    user_friendly_names   no
    no_path_retry         0
    features              0
    dev_loss_tmo          600
  }
}

Configure Udev rules

Configure queue settings with Udev rules on all nodes. For recommended settings for Everpure Cloud Dedicated, refer to Applying Queue Settings with Udev.

Apply Multipath and Udev configurations

Apply the Multipath and Udev configurations created in the previous sections for the changes to take effect.

OpenShift Container Platform

Use a MachineConfig in OpenShift to apply multipath and Udev configuration files consistently across all nodes.

1. Encode the configuration files in base64 format and add them to the MachineConfig, as shown in the following example:

   apiVersion: machineconfiguration.openshift.io/v1
   kind: MachineConfig
   metadata:
     creationTimestamp:
     labels:
       machineconfiguration.openshift.io/role: worker
     name: <your-machine-config-name>
   spec:
     config:
       ignition:
         version: 3.2.0
       storage:
         files:
         - contents:
             source: data:text/plain;charset=utf-8;base64,<base64-encoded-multipath-conf>
           filesystem: root
           mode: 0644
           overwrite: true
           path: /etc/multipath.conf
         - contents:
             source: data:text/plain;charset=utf-8;base64,<base64-encoded-udev_conf>
           filesystem: root
           mode: 0644
           overwrite: true
           path: /etc/udev/rules.d/99-pure-storage.rules
       systemd:
         units:
         - enabled: true
           name: iscsid.service
         - enabled: true
           name: multipathd.service

2. Apply the MachineConfig to your cluster:

   oc apply -f <your-machine-config-name>.yaml

Other Kubernetes platforms

1. Update the multipath.conf file as described in the Configure multipath.conf file section and restart the multipathd service on all nodes:

   systemctl restart multipathd.service

2. Create the Udev rules as described in the Configure Udev rules section and apply them on all nodes:

   udevadm control --reload-rules && udevadm trigger

Set up user access in Everpure Cloud Dedicated

To establish secure communication between Portworx and Everpure Cloud Dedicated, you should create a user account and generate an API token. This token acts as an authentication key, allowing Portworx to interact with Everpure Cloud Dedicated and perform storage operations on behalf of the authorized user. This section provides the steps to generate an API token, which serves as your authorization within the Everpure Cloud Dedicated environment.

Secure multi-tenancy

If multiple users share a single Everpure Cloud Dedicated, you can enable secure multi-tenancy using Everpure Cloud Dedicated realms and pods. A realm isolates tenant-specific storage, and a pod groups volumes within that realm.

To enable this feature:

1. Create a realm and pod on the Everpure Cloud Dedicated.
2. Add the realm to the px-pure-secret file.
3. Reference the pod name in the StorageCluster specification.

note

A Everpure Cloud Dedicated pod is a logical grouping on the storage array and is not related to Kubernetes pods.

This configuration ensures that each tenant can access only their assigned storage volumes.

Everpure Cloud Dedicated without secure multi-tenancy

1. Create a user:

   1. In your Everpure Cloud Dedicated dashboard, select Settings in the left pane.
   2. On the Settings page, select Access.
   3. In the Users section, click the vertical ellipsis in the top-right corner and select Create User: ![Everpure Cloud Dedicated create user][/img/3-5/flassarray-create-user.png)
   4. In the Create User window, enter your details and set the role to Storage Admin.
   5. Select Create to add the new user.

2. Generate an API token:

   1. To create a token for the user you created, select the user from the Users list, click the vertical ellipsis in the right-hand corner of the username, and select Create API Token: ![Generate an API token][/img/3-5/flasharray-generate-api-token.png)
   2. In the API Token window, leave the Expires in field blank if you want to create a token that never expires, and click Create.
   3. Save this information to avoid the need to recreate the token.

Everpure Cloud Dedicated with secure multi-tenancy

info

The following steps must be performed on the Everpure Cloud Dedicated CLI.

1. Create a realm for each customer: All volumes from the Portworx Enterprise installation will be placed within this realm, ensuring customer-specific data isolation.

   purerealm create <customer1-realm>

   Name                Quota Limit
   <customer1-realm>   -

2. Create a pod inside the realm: A pod in Everpure Cloud Dedicated defines a boundary where specific volumes are placed.

   purepod create <customer1-realm>::<fa-pod-name>

   note

   Stretched Everpure Cloud Dedicated pods (pods spanning multiple Everpure Cloud Dedicated) are not supported.

   By assigning realms and pods in Everpure Cloud Dedicated, you ensure that different users interact only with the specific storage resources allocated to them.

3. Create a policy for a realm: Ensure that you have administrative privileges on Everpure Cloud Dedicated before proceeding. This policy grants users access to their respective realms with defined capabilities.

   purepolicy management-access create --realm <customer1-realm> --role storage --aggregation-strategy all-permissions <realm-policy>

   For basic privileges, use the following command:

   purepolicy management-access create --realm <customer1-realm> --role storage --aggregation-strategy least-common-permissions <realm-policy>

4. Verify the created policy: This step ensures that the policy has been set up correctly with the right permissions.

   purepolicy management-access list 

   Name             Type         Enabled  Capability  Aggregation Strategy      Resource Name    Resource Type  
   <realm-policy>  admin-access  True     all         all-permissions           <customer1-realm>  realms

   This policy ensures that users linked to the specified realm can perform storage operations within their allocated realm.

5. Create a user linked to a policy: This command creates a user with the access rights defined by the policy. You must create a password that the user can use to log in to Everpure Cloud Dedicated, as shown in the output:

   pureadmin create --access-policy <realm-policy> <Everpure-Cloud-Dedicated-user>

   Enter password: 
   Retype password: 
   Name               Type   Access Policy
   <Everpure-Cloud-Dedicated-user>  local  <realm-policy>

   This step ensures that users are securely connected to their designated realms with appropriate access.

6. Sign in as the newly created user in the Everpure Cloud Dedicated CLI.

7. Run pureadmin create --api-token and copy the created token.

Create pure.json file

To integrate Portworx Enterprise with Everpure Cloud Dedicated, create a JSON configuration file (named pure.json) containing essential information about the Everpure Cloud Dedicated environment. This file should include the management endpoints and the API token you generated.

• Management endpoints: These are URLs or IP addresses that Portworx uses to communicate with Everpure Cloud Dedicated through API calls. To locate these, go to Settings > Network in your Everpure Cloud Dedicated dashboard. Note the IP addresses or hostnames of your management interfaces, prefixed with vir, indicating virtual interfaces.
  important

  • For an IPv6 address, ensure that the IP address is enclosed in square brackets. For example: "MgmtEndPoint": "[XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX]".
• API token: Generated in the previous section.
• Realm (secure multi-tenancy only): Realms define tenant boundaries within a secure multi-tenancy setup. When multiple Everpure Cloud Dedicated are attached to a cluster, the admin can specify a realm to ensure that storage volumes are isolated for each tenant. Everpure Cloud Dedicated volumes created through Portworx will be placed within the specified realm.
  note

  Each cluster can only support one realm per array, meaning a single Portworx deployment cannot use multiple realms on the same Everpure Cloud Dedicated.

Use the information above to create a JSON file. Below is a template for the configuration content, which you should populate with your specific information:

Everpure Cloud Dedicated without secure multi-tenancy

{
  "FlashArrays": [
    {
      "MgmtEndPoint": "<fa-management-endpoint>",
      "APIToken": "<fa-api-token>"
    }
  ]
}

Everpure Cloud Dedicated with secure multi-tenancy

{
  "FlashArrays": [
    {
      "MgmtEndPoint": "<fa-management-endpoint1>",
      "APIToken": "<fa-api-token>",
      "Realm": "<fa-realm>"
    }
  ]
}    

Add Everpure Cloud Dedicated configuration to a kubernetes secret

To enable Portworx Enterprise to access the Everpure Cloud Dedicated configuration, add the pure.json file to a Kubernetes secret by running the following command to create a secret named px-pure-secret:

OpenShift

oc create secret generic px-pure-secret --namespace <stc-namespace> --from-file=pure.json=<file path>

secret/px-pure-secret created

Kubernetes

kubectl create secret generic px-pure-secret --namespace <stc-namespace> --from-file=pure.json=<file path>

secret/px-pure-secret created

important

• The specific name px-pure-secret is required so that Portworx Enterprise can correctly identify and access the Kubernetes secret upon startup. This secret securely stores the Everpure Cloud Dedicated configuration details and allows Portworx Enterprise to access this information within the Kubernetes environment.
• Ensure that the px-pure-secret is in the same namespace where you plan to install Portworx Enterprise.

Verify the iSCSI Connection with Everpure Cloud Dedicated

Follow the instructions below to verify the iSCSI setup:

1. Run the following command from the node to discover your iSCSI targets:

   iscsiadm -m discovery -t st -p <flash-array-interface-endpoint>

   10.13.xx.xx0:3260,207 iqn.2010-06.com.purestorage:flasharray.xxxxxxx
   10.13.xx.xx1:3260,207 iqn.2010-06.com.purestorage:flasharray.xxxxxxx

2. Run the following command on each node to verify if each node has a unique initiator:

   cat /etc/iscsi/initiatorname.iscsi

   InitiatorName=iqn.1994-05.com.redhat:xxxxx

3. If the initiator names are not unique, assign a new unique initiator name using the following command:

   echo "InitiatorName=`/sbin/iscsi-iname`" > /etc/iscsi/initiatorname.iscsi

   important

   Replace the initiator names on any nodes that have duplicates with the newly generated unique names.

4. After making changes to the initiator names, restart the iSCSI service to apply the changes:

   systemctl restart iscsid