Chapter 1. Preparing to deploy OpenShift Container Storage
Deploying OpenShift Container Storage on OpenShift Container Platform using dynamic storage devices provides you with the option to create internal cluster resources. This will result in the internal provisioning of the base services, which helps to make additional storage classes available to applications.
Before you begin the deployment of Red Hat OpenShift Container Storage, follow these steps:
For Red Hat Enterprise Linux based hosts for worker nodes, enable file system access for containers on Red Hat Enterprise Linux based nodes.
Note: Skip this step for Red Hat Enterprise Linux CoreOS (RHCOS).
Optional: If you want to enable cluster-wide encryption using an external Key Management System (KMS):
- Ensure that a policy with a token exists and the key value backend path in Vault is enabled. See Enabling the key value backend path and policy in Vault.
- Ensure that you are using signed certificates on your Vault servers.
Minimum starting node requirements [Technology Preview]
An OpenShift Container Storage cluster will be deployed with minimum configuration when the standard deployment resource requirement is not met. See Resource requirements section in Planning guide.
1.1. Enabling file system access for containers on Red Hat Enterprise Linux based nodes
Deploying OpenShift Container Storage on an OpenShift Container Platform with worker nodes on a Red Hat Enterprise Linux base in a user provisioned infrastructure (UPI) does not automatically provide container access to the underlying Ceph file system.
Skip this section for hosts based on Red Hat Enterprise Linux CoreOS (RHCOS).
Procedure
For each node in your cluster:
- Log in to the Red Hat Enterprise Linux based node and open a terminal.
- Verify that the node has access to the rhel-7-server-extras-rpms repository.
# subscription-manager repos --list-enabled | grep rhel-7-server
If you do not see both rhel-7-server-rpms and rhel-7-server-extras-rpms in the output, or if there is no output, run the following commands to enable each repository.
# subscription-manager repos --enable=rhel-7-server-rpms
# subscription-manager repos --enable=rhel-7-server-extras-rpms
- Install the required packages.
# yum install -y policycoreutils container-selinux
- Persistently enable container use of the Ceph file system in SELinux.
# setsebool -P container_use_cephfs on
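The procedure above is a check, a conditional enable, and a verification, which is easy to get wrong when repeated by hand across every worker node. The script below is an added example (not from the Red Hat documentation) that wraps those steps: the parsing helpers read command output on stdin so they can be exercised on constructed samples, and the system is only touched when the script is invoked with `apply`. The script name and the `apply` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation: a check-and-apply script
# for the "enable file system access for containers" procedure on RHEL 7
# worker nodes. The parsing functions take command output on stdin so they
# can be exercised on constructed samples without a subscribed host.

REQUIRED_REPOS="rhel-7-server-rpms rhel-7-server-extras-rpms"

# Read `subscription-manager repos --list-enabled` output on stdin and print
# each required repository that is not enabled, one per line.
missing_repos() {
    enabled=$(grep '^Repo ID:' | sed 's/^Repo ID:[[:space:]]*//')
    for repo in $REQUIRED_REPOS; do
        if ! printf '%s\n' "$enabled" | grep -qxF "$repo"; then
            printf '%s\n' "$repo"
        fi
    done
}

# Read `getsebool container_use_cephfs` output on stdin; succeed only when the
# boolean is on, which is what the setsebool step is meant to achieve.
cephfs_bool_is_on() {
    grep -q '^container_use_cephfs --> on$'
}

# Run the documented commands on this node. Requires root on a RHEL 7 host.
apply_node_setup() {
    subscription-manager repos --list-enabled | missing_repos | while read -r repo; do
        subscription-manager repos --enable="$repo"
    done
    yum install -y policycoreutils container-selinux
    setsebool -P container_use_cephfs on
    if getsebool container_use_cephfs | cephfs_bool_is_on; then
        echo "container_use_cephfs is on"
    else
        echo "container_use_cephfs is still off; check the SELinux policy packages" >&2
        return 1
    fi
}

# Only touch the system when explicitly asked: `sh rhel-node-prep.sh apply`.
case "${1:-}" in
    apply) apply_node_setup ;;
esac
```

Run it as root with `sh rhel-node-prep.sh apply` on each RHEL based worker node; the final `getsebool` check is what tells you the boolean actually persisted rather than assuming the `setsebool -P` call succeeded.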
1.2. Enabling key value backend path and policy in Vault
Prerequisites
- Administrator access to Vault.
- Choose a unique path name as the backend path that follows the naming convention, since it cannot be changed later.
Procedure
- Enable the Key/Value (KV) backend path in Vault.
For Vault KV secret engine API, version 1:
$ vault secrets enable -path=ocs kv
For Vault KV secret engine API, version 2:
$ vault secrets enable -path=ocs kv-v2
- Create a policy that restricts the operations users can perform on the secret, using the following command:
echo '
path "ocs/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "sys/mounts" {
  capabilities = ["read"]
}' | vault policy write ocs -
- Create a token matching the above policy:
$ vault token create -policy=ocs -format json
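The three Vault steps share one value, the backend path, and the token step emits JSON that still has to be parsed before the token can be handed to the cluster. The script below is an added example (not from the Red Hat documentation) that passes the mount path and KV API version once, generates the same policy for any mount name (the chapter uses `ocs`), and extracts `auth.client_token` with `sed` so the parsing can be checked against constructed output without a running Vault. The script name, the `apply` argument, and the requirement for `VAULT_ADDR` and an administrative `VAULT_TOKEN` in the environment are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation: wraps the Vault KV,
# policy and token steps so the mount path and KV version are passed once,
# and keeps the pure-text helpers separate so they can be checked without a
# running Vault. Assumes the `vault` CLI, VAULT_ADDR and an administrative
# VAULT_TOKEN are present in the environment when applying.

# Map the KV secret engine API version the chapter distinguishes (1 or 2) to
# the engine name passed to `vault secrets enable`.
kv_engine_for_version() {
    case "$1" in
        1) echo kv ;;
        2) echo kv-v2 ;;
        *) echo "unsupported KV API version: $1" >&2; return 1 ;;
    esac
}

# Emit the chapter's policy for an arbitrary backend path (default "ocs"):
# full access below the mount, read-only on sys/mounts so the holder can
# confirm the mount exists and nothing else.
ocs_policy_hcl() {
    mount="${1:-ocs}"
    cat <<EOF
path "${mount}/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "sys/mounts" {
  capabilities = ["read"]
}
EOF
}

# Pull auth.client_token out of `vault token create -format json` output on
# stdin without requiring jq.
client_token_from_json() {
    sed -n 's/.*"client_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Run the procedure against a live Vault: enable the mount, write the policy
# under the same name, mint a token bound to it and print only the token.
setup_ocs_kms() {
    mount="${1:-ocs}"
    engine=$(kv_engine_for_version "${2:-1}") || return 1
    vault secrets enable -path="$mount" "$engine"
    ocs_policy_hcl "$mount" | vault policy write "$mount" -
    vault token create -policy="$mount" -format json | client_token_from_json
}

# Usage: sh vault-ocs-setup.sh apply [mount] [kv-version]
case "${1:-}" in
    apply) setup_ocs_kms "${2:-ocs}" "${3:-1}" ;;
esac
```

`sh vault-ocs-setup.sh apply ocs 2` reproduces the version 2 variant of the chapter; the only thing printed is the token, so it can be piped straight into whatever stores the KMS secret rather than copied out of the JSON by hand. Because the token is scoped to the `ocs` policy, it can only read and write under the chosen mount and list `sys/mounts`, which is the least privilege the cluster needs for this integration.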