Installing HPE Ezmeral Unified Analytics Software on OpenShift

Provides the prerequisites and steps for installing HPE Ezmeral Unified Analytics Software in an OpenShift cluster and also lists the current limitations.

To install HPE Ezmeral Unified Analytics Software in an OpenShift cluster, complete the following steps:

  1. Complete the prerequisites (sections A through E below).
  2. Install HPE Ezmeral Unified Analytics Software with the Installer Web UI.
NOTICE
Temporary Limitations
Upcoming releases will address the following temporary limitations:
  • Some Pods in the HPE Ezmeral Unified Analytics Software platform must run as root. To avoid permission-denied errors, the HPE Ezmeral Unified Analytics Software installation process grants the anyuid security context constraint (SCC) in some namespaces to allow root-based execution.
  • Some Pods in the HPE Ezmeral Unified Analytics Software platform require HostPath-based volume mounts, which OpenShift denies by default. These Pods need permission to mount HostPath volumes; that permission is granted through the privileged SCC, with privileged set to true in the Pod's securityContext.
  • Both grants widen what a compromised Pod in those namespaces can do (run as UID 0, read and write the node's file system), so keep the grants limited to the namespaces the installer configures and review them after installation. Read more about security context constraints in the OpenShift documentation.
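To see what those grants amount to on a running cluster, the following added audit (example code written for this page, not part of the HPE installer or of OpenShift) reads the output of `oc get scc -o json` and lists which SCCs allow root, privileged containers or hostPath volumes, and which namespaces have service accounts bound to them. The JSON is a constructed sample; the namespace example-ns and the service account example-sa are placeholders, not names the installer uses. Against a real cluster, save `oc get scc -o json` to a file and pass its contents to load_scc_list.

```python
import json

# Constructed sample of `oc get scc -o json`, trimmed to the fields the audit
# reads. "example-ns" / "example-sa" are placeholders, not real EzUA names.
SCC_LIST_JSON = """
{"items": [
  {"metadata": {"name": "restricted-v2"},
   "allowPrivilegedContainer": false, "allowHostDirVolumePlugin": false,
   "runAsUser": {"type": "MustRunAsRange"},
   "users": [], "groups": ["system:authenticated"]},
  {"metadata": {"name": "anyuid"},
   "allowPrivilegedContainer": false, "allowHostDirVolumePlugin": false,
   "runAsUser": {"type": "RunAsAny"}, "users": [],
   "groups": ["system:cluster-admins", "system:serviceaccounts:example-ns"]},
  {"metadata": {"name": "privileged"},
   "allowPrivilegedContainer": true, "allowHostDirVolumePlugin": true,
   "runAsUser": {"type": "RunAsAny"},
   "users": ["system:admin", "system:serviceaccount:example-ns:example-sa"],
   "groups": ["system:cluster-admins", "system:nodes"]}
]}
"""


def load_scc_list(text=SCC_LIST_JSON):
    """Parse `oc get scc -o json` output (defaults to the constructed sample)."""
    return json.loads(text)


def risky_sccs(scc_list):
    """Return {scc_name: [reasons]} for SCCs that permit root, privileged
    containers or hostPath volumes; SCCs with none of these are omitted."""
    out = {}
    for scc in scc_list["items"]:
        reasons = []
        if scc.get("allowPrivilegedContainer"):
            reasons.append("privileged containers")
        if scc.get("allowHostDirVolumePlugin"):
            reasons.append("hostPath volumes")
        if scc.get("runAsUser", {}).get("type") == "RunAsAny":
            reasons.append("any UID (root)")
        if reasons:
            out[scc["metadata"]["name"]] = reasons
    return out


def namespace_grants(scc_list):
    """Map namespace -> set of risky SCC names granted either to every service
    account in it (group system:serviceaccounts:<ns>) or to one service account
    in it (user system:serviceaccount:<ns>:<name>). Cluster-wide groups such as
    system:cluster-admins are not namespace grants and are ignored here."""
    risky = risky_sccs(scc_list)
    grants = {}
    for scc in scc_list["items"]:
        name = scc["metadata"]["name"]
        if name not in risky:
            continue
        for group in scc.get("groups", []):
            if group.startswith("system:serviceaccounts:"):
                ns = group.split(":", 2)[2]
                grants.setdefault(ns, set()).add(name)
        for user in scc.get("users", []):
            if user.startswith("system:serviceaccount:"):
                ns = user.split(":")[2]
                grants.setdefault(ns, set()).add(name)
    return grants


if __name__ == "__main__":
    data = load_scc_list()
    for scc_name, reasons in sorted(risky_sccs(data).items()):
        print(f"{scc_name}: allows {', '.join(reasons)}")
    for ns, sccs in sorted(namespace_grants(data).items()):
        print(f"namespace {ns}: {', '.join(sorted(sccs))}")
```

Any namespace in the report that the installer did not create deserves a second look, as does any grant of privileged to a whole system:serviceaccounts:<ns> group rather than to a named service account.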

A. Verify that the VMs (nodes) in the OpenShift cluster meet the installation requirements

The following table lists the requirements:
Prerequisite         Details
Operating System     RHCOS based on RHEL 8.8
OpenShift            An OpenShift 4.12.x cluster dedicated to HPE Ezmeral Unified Analytics Software.
Storage

Minimum of 3 storage nodes, each with at least:

  • 32 vCPUs
  • 128 GB RAM
  • 2 additional disks, each of at least 500 GB
    NOTE
    Currently, HPE Ezmeral Unified Analytics Software does not natively support three-node compact cluster mode. HPE does not recommend using three-node compact cluster mode; however, it is possible with manual intervention.
GPU
  • Install the NFD and GPU operators and then create instances of them through the OpenShift console.
  • Verify that the GPU is active.
  • For the supported GPU models, see GPU Models.
Configure private image registry access
To configure access to the private image registry:
  1. Update the CA certificate to make HTTPS access possible.
  2. Append a new pull secret to the existing pull secret:
    1. To download the current global pull secret to a file, run:
      oc get secret/pull-secret -n openshift-config --template='{{index .data ".dockerconfigjson" | base64decode}}' \
      > <pull_secret_location> 
      
      //<pull_secret_location> = path to the pull secret file
      //The file holds registry credentials in clear text; keep it readable only by you and delete it after step 3.
    2. To add the new pull secret, run:
      oc registry login --registry="<registry>" --auth-basic="<username>:<password>" --to=<pull_secret_location>
      
      //<registry> = new registry; you can also scope the credential to a repository within the registry,
      //for example: --registry="<registry>/my-namespace/my-repository"
      //<username>:<password> = credentials for the new registry
      //<pull_secret_location> = path to the pull secret file (the new entry is merged into it)
  3. To update the global pull secret for your cluster, run:
    oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=<pull_secret_location> 
    
    //<pull_secret_location> = path to the new pull secret file
    The Machine Config Operator rolls the updated secret out to every node, which takes some time to complete.
  4. On all nodes, view the /var/lib/kubelet/config.json file to verify that your private registry was added.

For additional information, see Using image pull secrets.
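The three commands above merge a new registry entry into the global pull secret's .dockerconfigjson. The following added example (written for this page, not HPE's or OpenShift's code) shows in Python what that document looks like, how the auth field is encoded, how an entry is added without disturbing the existing quay.io and registry.redhat.io entries, and how to verify on a node that the registry made it into /var/lib/kubelet/config.json. The sample pull secret, the registry name registry.example.com:5000 and all credentials are constructed placeholders.

```python
import base64
import json

# Constructed sample of the global pull secret's .dockerconfigjson, i.e. what the
# `oc get secret/pull-secret ... --template=...` step writes to disk. The
# token values are placeholders, not real credentials.
EXISTING_PULL_SECRET = json.dumps({
    "auths": {
        "quay.io": {
            "auth": base64.b64encode(b"openshift-release-dev:PLACEHOLDER_TOKEN").decode(),
            "email": "user@example.com",
        },
        "registry.redhat.io": {
            "auth": base64.b64encode(b"someuser:PLACEHOLDER_TOKEN").decode(),
        },
    }
})


def docker_auth(username, password):
    """The value CRI-O and kubelet expect in the 'auth' field: base64("user:pass")."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def add_registry(pull_secret_json, registry, username, password):
    """Return the pull secret with <registry> added (or replaced), leaving every
    other entry intact; this mirrors what `oc registry login --to=<file>` does."""
    doc = json.loads(pull_secret_json)
    auths = doc.setdefault("auths", {})
    auths[registry] = {"auth": docker_auth(username, password)}
    return json.dumps(doc, indent=2)


def registries_in(config_json):
    """Registries a kubelet can authenticate to, read from a .dockerconfigjson
    document such as /var/lib/kubelet/config.json on a node."""
    return sorted(json.loads(config_json).get("auths", {}).keys())


def credentials_for(config_json, registry):
    """Decode the stored credential for <registry>, for the per-node check;
    returns (username, password) or None. Do not log the result."""
    entry = json.loads(config_json).get("auths", {}).get(registry)
    if entry is None:
        return None
    user, _, pwd = base64.b64decode(entry["auth"]).decode().partition(":")
    return user, pwd


if __name__ == "__main__":
    merged = add_registry(EXISTING_PULL_SECRET, "registry.example.com:5000",
                          "user01", "PLACEHOLDER_PASSWORD")
    print("registries after merge:", registries_in(merged))
```

On each node, `cat /var/lib/kubelet/config.json` should list the new registry under auths; the key must be spelled exactly as the image references will name it (host, and port if the registry listens on one), or the kubelet will pull anonymously and fail.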

B. Apply labels to the storage nodes

Tag your storage nodes (non-GPU worker nodes) with the "hpe.com/dataplatform"="true" label, as shown in the following example that uses generic DNS names:
kubectl label no worker0.user01.ezfab.local "hpe.com/dataplatform"="true" 
kubectl label no worker1.user01.ezfab.local "hpe.com/dataplatform"="true" 
kubectl label no worker2.user01.ezfab.local "hpe.com/dataplatform"="true" 
kubectl label no worker3.user01.ezfab.local "hpe.com/dataplatform"="true"
NOTE
You need at least three storage nodes that carry this label and meet the requirements in section A (above); the label is not required on all nodes.
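The following added pre-flight check (example code for this page, not an HPE tool) ties sections A and B together: from `kubectl get nodes -o json` it lists every node carrying the hpe.com/dataplatform=true label and reports which ones fall short of 32 vCPUs or 128 GB RAM, or are GPU nodes. The node list is a constructed sample. The GPU test assumes the GPU operator exposes the nvidia.com/gpu resource in node capacity, and 128 GB is read as 128 x 10^9 bytes (change MIN_MEMORY_BYTES if you size in GiB). The two 500 GB disks are not visible in node capacity and are not checked.

```python
import json

# Constructed `kubectl get nodes -o json`, trimmed to the fields checked here.
NODES_JSON = """
{"items": [
  {"metadata": {"name": "worker0.user01.ezfab.local",
                "labels": {"hpe.com/dataplatform": "true"}},
   "status": {"capacity": {"cpu": "32", "memory": "131500000Ki"}}},
  {"metadata": {"name": "worker1.user01.ezfab.local",
                "labels": {"hpe.com/dataplatform": "true"}},
   "status": {"capacity": {"cpu": "48", "memory": "263000000Ki"}}},
  {"metadata": {"name": "worker2.user01.ezfab.local",
                "labels": {"hpe.com/dataplatform": "true"}},
   "status": {"capacity": {"cpu": "32", "memory": "128Gi"}}},
  {"metadata": {"name": "worker3.user01.ezfab.local",
                "labels": {"hpe.com/dataplatform": "true"}},
   "status": {"capacity": {"cpu": "16", "memory": "64Gi"}}},
  {"metadata": {"name": "gpu0.user01.ezfab.local",
                "labels": {"hpe.com/dataplatform": "true"}},
   "status": {"capacity": {"cpu": "64", "memory": "512Gi", "nvidia.com/gpu": "4"}}}
]}
"""

MIN_CPUS = 32
MIN_MEMORY_BYTES = 128 * 10**9   # "128 GB" read as decimal GB (assumption)
MIN_STORAGE_NODES = 3

# Binary suffixes first so "Mi" is matched before "M".
_SUFFIXES = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
             "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def quantity_to_int(q):
    """Parse a Kubernetes quantity ("32", "500m", "131500000Ki", "128Gi") into a
    plain integer; CPU millicores are rounded down to whole cores."""
    q = str(q)
    if q.endswith("m"):
        return int(q[:-1]) // 1000
    for suffix, mult in _SUFFIXES.items():
        if q.endswith(suffix):
            return int(q[:-len(suffix)]) * mult
    return int(q)


def node_problems(node):
    """Reasons a node does not qualify as a storage node; [] if it qualifies."""
    cap = node["status"]["capacity"]
    problems = []
    if quantity_to_int(cap.get("cpu", "0")) < MIN_CPUS:
        problems.append(f"cpu {cap.get('cpu')} < {MIN_CPUS}")
    if quantity_to_int(cap.get("memory", "0")) < MIN_MEMORY_BYTES:
        problems.append(f"memory {cap.get('memory')} < {MIN_MEMORY_BYTES} bytes")
    # Storage nodes must be non-GPU workers. Assumes the GPU operator publishes
    # nvidia.com/gpu in capacity; adjust if your GPU resource is named differently.
    if any(k.startswith("nvidia.com/gpu") for k in cap):
        problems.append("GPU node")
    return problems


def preflight(nodes_json):
    """Return (ok, report): report maps each labeled node to its problems, and
    ok is True when at least MIN_STORAGE_NODES labeled nodes have none."""
    nodes = json.loads(nodes_json)["items"]
    labeled = [n for n in nodes
               if n["metadata"].get("labels", {}).get("hpe.com/dataplatform") == "true"]
    report = {n["metadata"]["name"]: node_problems(n) for n in labeled}
    good = [name for name, probs in report.items() if not probs]
    return len(good) >= MIN_STORAGE_NODES, report


if __name__ == "__main__":
    ok, report = preflight(NODES_JSON)
    for name, probs in report.items():
        print(f"{name}: {'OK' if not probs else '; '.join(probs)}")
    print("enough storage nodes:", ok)
```

In the sample, worker3 is undersized and gpu0 is a GPU node, so both should have the label removed (`kubectl label no <node> hpe.com/dataplatform-`); the remaining three satisfy the minimum.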

C. (Air-Gapped Only) Inject HPE Ezmeral Unified Analytics Software images into your local repository

For an air-gapped installation, you must inject the HPE Ezmeral Unified Analytics Software images into a local repository that you will use to bootstrap the installation process. For this purpose:
  • HPE recommends having an empty dedicated image registry. You can also use an existing image registry with other pre-existing images.
  • Run the HPE Ezmeral Airgap Utility from a connected host. The Airgap Utility connects to the HPE GreenLake image repository (marketplace) and downloads the images into your local registry.

    To inject images into your local repository, create a local registry (optional) and download the images (required):

    (Optional) Create a local registry.

    You have many options to create a local registry. If you already have a registry or want to follow your own procedure to set one up, skip to "(Required) Download the images" below.

    The registry can be hosted in a container, on a virtual machine, or on bare metal. This document describes how to set up a registry inside a container using the podman utility. The host OS is RHEL 8.

    To create a local registry, complete the following steps:
    1. On a fresh RHEL 8 bare-metal host or VM, install the tools required to run the container:
      yum module enable -y container-tools:rhel8
      
      yum module install -y container-tools:rhel8
    2. Install the additional dependencies required for the process:
      yum install -y httpd-tools jq wget 
      
    3. Create the following directories:
      • certs/: stores certificates to enable https access to the registry
      • auth/: authentication files for the registry
      • data/: location where the registry stores all the images
        To create the directories, run:
        mkdir -p /local_registry/{certs,auth,data}
        (No spaces inside the braces; with spaces, the shell creates directories with the wrong names.) Later, you will mount these directories into the registry container.
    4. (Optional) Create self-signed certificates. Complete this step to make your registry accessible through HTTPS. You can also use a company-wide certificate. In that case, simply copy your certificate to the local_registry/certs directory and skip to the next step.
      NOTE
      You can use the same certificate across more than one registry.
      There are many ways to use openssl to create a self-signed certificate, for example:
      openssl req -newkey rsa:4096 -nodes -sha256 -keyout <$KEY_FILE_LOCATION> -x509 -days 365 -subj "/CN=<$CERTIFICATE_NAME>" -addext "subjectAltName = DNS:<$FULL_DNS>" -out <$CRT_FILE_LOCATION>
      
      //Example:
      openssl req -newkey rsa:4096 -nodes -sha256 -keyout /local_registry/certs/domain.key -x509 -days 365 -subj "/CN=Myname" -addext "subjectAltName = DNS:*.example.com" -out /local_registry/certs/domain.crt 
      
      Copy the certificate into the host's CA trust store so that podman and curl on this host trust the registry. For RHEL, the location is /etc/pki/ca-trust/source/anchors:
      cp /local_registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/ 
      
      After you copy the file, run:
      update-ca-trust 
      
    5. Create access credentials to the registry to keep it secure. You can skip this step for anonymous access.
      htpasswd -bBc /local_registry/auth/<$PASSWORD_FILENAME> <$USERNAME> <$PASSWORD>
      
      //Example:
      htpasswd -bBc /local_registry/auth/htpd user01 admin123
      
      -B stores a bcrypt hash, which is what the registry expects. -b takes the password on the command line, where it lands in the shell history and the process list; drop -b to be prompted for it instead, and use a stronger password than the example.
    6. Expose the registry on port 5000. Add this rule to firewalld to open the port and make it available:
      firewall-cmd --zone=public --permanent --add-port=5000/tcp 
      firewall-cmd --reload 
    7. Create the container to use as local registry. In this example, podman is used to create the container; however, you can use any container utility that you prefer:
      podman run -d --name <$REGISTRY_NAME> -p <$PORT>:<$PORT> \ 
      -v <$DATA_DIRECTORY>:/var/lib/registry:z \ 
      -v <$AUTH_DIRECTORY>:/auth:z \ 
      -v <$CERT_DIRECTORY>:/certs:z \ 
      -e "REGISTRY_AUTH=htpasswd" \ 
      -e "REGISTRY_AUTH_HTPASSWD_REALM=<$REALM_NAME>" \ 
      -e "REGISTRY_HTTP_SECRET=<$PHRASE_FOR_SECRET>" \ 
      -e "REGISTRY_AUTH_HTPASSWD_PATH=<$PATH_TO_AUTH_FILE>" \ 
      -e "REGISTRY_HTTP_TLS_CERTIFICATE=<$PATH_TO_CERT_FILE>" \ 
      -e "REGISTRY_HTTP_TLS_KEY=<$PATH_TO_KEY_FILE>" \ 
      <$REGISTRY_IMAGE>
      
      //Example:
      podman run -d --name local-registry -p 5000:5000 \ 
      -v /local_registry/data:/var/lib/registry:z \ 
      -v /local_registry/auth:/auth:z \ 
      -v /local_registry/certs:/certs:z \ 
      -e "REGISTRY_AUTH=htpasswd" \ 
      -e "REGISTRY_AUTH_HTPASSWD_REALM=my-local-registry" \ 
      -e "REGISTRY_HTTP_SECRET=ALongRandomSecretForLocalRegistry" \ 
      -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpd" \ 
      -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt" \ 
      -e "REGISTRY_HTTP_TLS_KEY=/certs/domain.key" \ 
      docker.io/library/registry:2 
    8. Use curl to access the registry and test that it is up and running:
      curl -u <$USERNAME>:<$PASSWORD> -k -X GET https://$(hostname -f):5000/v2/_catalog 
      
      //Example:
      curl -u user01:admin123 -k -X GET https://local-registry.example.com:5000/v2/_catalog 
      
      The -k flag skips certificate verification. Once the certificate is in the host trust store (step 4) and its subjectAltName covers the registry host name, repeat the command without -k; a TLS error at that point means the cluster nodes will fail in the same way when they pull images.

    (Required) Download the images.

    To download the images, refer to Using the Air Gap Utility for information about pulling HPE Ezmeral Unified Analytics Software images into the local registry.

D. (Air-Gapped Only) Apply the image registry certificate

You can configure your air-gapped registry with HTTP or HTTPS (see previous steps). With HTTPS, the registry presents a certificate, which can be the self-signed certificate from the previous steps or a company-wide certificate, and the OpenShift cluster must trust that certificate before its nodes can pull images. The same certificate can be used for multiple registries. If there are multiple registries configured with different certificates, add all of them to the OpenShift configuration. Follow this procedure to register the registry certificate on your OpenShift cluster.

Create a ConfigMap in the openshift-config namespace with the certificates for every registry. Each key is the registry host name without the protocol; if the registry is addressed with a port, write the port with two dots in place of the colon (for example, image-registry.example.com..5000). The following syntax creates one ConfigMap with one registry and one certificate:
kubectl create -n openshift-config cm <$REGISTRY_CONFIG_NAME> --from-file=<$REGISTRY_URL_WITHOUT_PROTOCOL>=<$CERTIFICATE_FILENAME>
If you have more than one registry and more than one certificate, run this instead:
kubectl create -n openshift-config cm <$REGISTRY_CONFIG_NAME> \ 
      --from-file=<$REGISTRY_URL_WITHOUT_PROTOCOL>=<$CERTIFICATE_FILENAME> \ 
      --from-file=<$REGISTRY_URL_WITHOUT_PROTOCOL>=<$CERTIFICATE_FILENAME>

//Example: 
kubectl create -n openshift-config cm image-registry-config --from-file=image-registry.example.com=registry.crt 
kubectl create -n openshift-config cm multiple-registry-config \
      --from-file=image-registry.example.com=registry.crt \ 
      --from-file=image-registry.example.com..5000=registry.crt \ 
      --from-file=new-image-registry.example.com=newCert.crt 
Once the ConfigMap exists, reference it from the cluster image configuration:
kubectl patch image.config.openshift.io cluster --type merge -p '{"spec":{"additionalTrustedCA":{"name":"<$REGISTRY_CONFIG_NAME>"}}}' 

//Example: 
kubectl patch image.config.openshift.io cluster --type merge -p '{"spec":{"additionalTrustedCA":{"name":"multiple-registry-config"}}}' 
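The ConfigMap keys matter: OpenShift looks the certificate up by the registry's host name, and a port is written with two dots in place of the colon. The following added helper (example code for this page, not HPE's or Red Hat's) derives the key from a host[:port] string, rejects schemes and paths, checks that each file is a PEM certificate, and emits the ConfigMap and the image.config patch as JSON that `kubectl apply -f` and `kubectl patch` accept. SAMPLE_CRT is a placeholder, not a real certificate.

```python
import json
import re

# Constructed PEM placeholder; a real registry.crt carries a full certificate.
SAMPLE_CRT = ("-----BEGIN CERTIFICATE-----\n"
              "MIIB...placeholder...\n"
              "-----END CERTIFICATE-----\n")

_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def ca_key(registry):
    """ConfigMap key for a registry: host name only (no scheme, no path), with
    the ':' before a port replaced by '..', for example
    registry.example.com:5000 -> registry.example.com..5000."""
    if "://" in registry or "/" in registry:
        raise ValueError(f"use host[:port] only, not {registry!r}")
    if not _HOST_RE.match(registry):
        raise ValueError(f"not a valid host[:port]: {registry!r}")
    return registry.replace(":", "..")


def trusted_ca_configmap(name, registries):
    """Build the openshift-config ConfigMap that `kubectl create cm --from-file`
    would produce, from {registry: pem_text}. Rejects files that are not PEM
    certificates (a common mistake is passing the private key by accident)."""
    data = {}
    for registry, pem in registries.items():
        if "-----BEGIN CERTIFICATE-----" not in pem:
            raise ValueError(f"{registry}: not a PEM certificate")
        if "PRIVATE KEY" in pem:
            raise ValueError(f"{registry}: file contains a private key")
        data[ca_key(registry)] = pem
    return {"apiVersion": "v1", "kind": "ConfigMap",
            "metadata": {"name": name, "namespace": "openshift-config"},
            "data": data}


def image_config_patch(name):
    """Merge patch for image.config.openshift.io/cluster that points at <name>."""
    return json.dumps({"spec": {"additionalTrustedCA": {"name": name}}})


if __name__ == "__main__":
    cm = trusted_ca_configmap("multiple-registry-config", {
        "image-registry.example.com:5000": SAMPLE_CRT,
        "new-image-registry.example.com": SAMPLE_CRT,
    })
    print(json.dumps(cm, indent=2))          # save and `kubectl apply -f` it
    print(image_config_patch("multiple-registry-config"))
```

Because additionalTrustedCA names a single ConfigMap, a second `kubectl create cm` for another registry does not add to the trust; regenerate one ConfigMap with every registry in it and re-apply.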

E. Install cert-manager

Install cert-manager on the OpenShift cluster. The version must be later than 1.10.

To install cert-manager, run:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.1/cert-manager.yaml

Install HPE Ezmeral Unified Analytics Software with the Installer Web UI

To install HPE Ezmeral Unified Analytics Software on OpenShift through the Installer Web UI, complete the following steps:
  1. Run the installation script that was provided with the software bundle. The host on which you run this command must be connected to the internet (the Web UI image is public for the specific version of HPE Ezmeral Unified Analytics Software that you are installing) or must point to a local registry where you pre-pulled the Web UI image.

    Running the installation script opens the launcher that guides you through the prompts to start the Installer Web UI.

    • For a connected environment, run:
      ./start_ezua_installer_ui.sh
    • For an air-gapped environment, run the following command and provide the URL of the image repository that you configured as a prerequisite:
      ./start_ezua_installer_ui.sh --image <$PRIVATE_REGISTRY>/us.gcr.io/mapr-252711/hpe-ezua-installer-ui
  2. Copy the OpenShift admin kubeconfig (certificate-based kubeconfig) to the UI installer.
    NOTE
    • The UI installer is a container that accesses the OpenShift cluster via kubectl commands. You must give the UI installer container kubectl access to the OpenShift cluster. The admin kubeconfig carries a cluster-admin client certificate, so run the installer container only on a trusted host and remove the container once the installation is complete.
    • In a connected environment, you can download the OpenShift admin kubeconfig from the OpenShift console.
    • In an air-gapped environment, use the admin kubeconfig that was generated during installation.
    1. Once you have the kubeconfig, run the following command to place it in the container running the HPE Ezmeral Unified Analytics Software Web UI Installer (at /root/.kube/config inside the container):
      docker cp <$PATH_TO_ADMIN_KUBECONFIG> <$CONTAINER_ID>:/root/.kube/config 
    2. Update the hosts entries in the Web UI Installer so it can reach the OpenShift cluster.
      • In a connected environment, you can find the hosts entries of your OpenShift cluster in the OpenShift console. In the OpenShift console, go to Clusters on the left and then select the cluster on which you are installing HPE Ezmeral Unified Analytics Software. Under the Installation Progress card, click Not Able to Access the Web Console?. In the dialog that opens, copy the list of hosts:

        Example: Screenshot from the OpenShift console that shows the hosts of an example OpenShift cluster.

      • In an air-gapped environment, copy the DNS entries (used during installation) to the Web UI Installer:
        1. To exec into the Web UI Installer container, run:
          docker exec -it <$CONTAINER_ID> bash 
          
        2. Edit the /etc/hosts file and add the host entries.
  3. Navigate back to the launcher that opened when you ran the installation script to start the Installer Web UI.
  4. Select Install in the OpenShift tile.

  5. On the OpenShift Setup screen, upload your OpenShift Admin Kubeconfig and then click Next.

  6. See Installing on User-Provided Hosts (Connected and Air-gapped Environments) to continue installation, starting with Installation Details on that page.
    TIP
    If installation fails, you can access the Installer Web UI logs in the live container at /root/ezua-installer-ui/log.

Creating a DNS Mapping

Change the istio-ingressgateway service object in the istio-system namespace from NodePort to LoadBalancer. Get the external address of the LoadBalancer and then register it in your domain as a CNAME record or as an alias A record.

To successfully create the DNS mapping, you must complete the following steps after the istio installation completes and within 45 minutes of the start of the MLDE installation.
  1. To change the istio-ingressgateway service object in the istio-system namespace from NodePort to LoadBalancer, run:
    kubectl patch svc istio-ingressgateway  -p  '{"spec": {"type":"LoadBalancer"}}' -n istio-system 
  2. To get the external address of the LoadBalancer (the EXTERNAL-IP column), run:
    kubectl get svc istio-ingressgateway -n istio-system
  3. In your cloud domain service provider, use the external address to create a DNS mapping using either of the following methods:
    • Register the external address as a CNAME record under the domain name.
    • Create an alias A record, as described in the AWS and GCP documentation.

    Note that on some cloud providers (AWS, for example) the external address is a DNS host name rather than an IPv4 address. A plain A record holds only an IPv4 address, so use a CNAME record or the provider's alias record instead.
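The following added example (written for this page, not part of the HPE installer) makes that decision from the service object itself: it reads `kubectl get svc istio-ingressgateway -n istio-system -o json`, refuses to proceed while the type is still NodePort or the external address is pending, and returns an A or AAAA record when the provider hands out an IP address and a CNAME when it hands out a host name. The service JSON and the load balancer host name are constructed samples.

```python
import ipaddress
import json

# Constructed `kubectl get svc istio-ingressgateway -n istio-system -o json`
# after the LoadBalancer patch, trimmed to the fields used here. The host name
# is a placeholder in the style of a cloud load balancer, not a real endpoint.
SVC_HOSTNAME_JSON = """
{"spec": {"type": "LoadBalancer"},
 "status": {"loadBalancer": {"ingress": [
   {"hostname": "a1b2c3d4e5f6.elb.example.com"}]}}}
"""
SVC_IP_JSON = """
{"spec": {"type": "LoadBalancer"},
 "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}}
"""
SVC_PENDING_JSON = '{"spec": {"type": "LoadBalancer"}, "status": {"loadBalancer": {}}}'
SVC_NODEPORT_JSON = '{"spec": {"type": "NodePort"}, "status": {"loadBalancer": {}}}'


def dns_record_for(svc_json):
    """Decide which DNS record maps a name to the ingress gateway.
    Returns (record_type, target); raises RuntimeError if the service is not ready."""
    svc = json.loads(svc_json)
    if svc["spec"].get("type") != "LoadBalancer":
        raise RuntimeError("service is not of type LoadBalancer; apply the patch first")
    ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
    if not ingress:
        raise RuntimeError("EXTERNAL-IP is still <pending>; wait for the load balancer")
    entry = ingress[0]
    if "ip" in entry:
        ip = ipaddress.ip_address(entry["ip"])
        return ("A" if ip.version == 4 else "AAAA", str(ip))
    # Providers such as AWS return a DNS name, not an address. A plain A record
    # cannot hold it, so use a CNAME (or the provider's alias A record).
    return ("CNAME", entry["hostname"])


def zone_record(fqdn, svc_json, ttl=300):
    """One zone-file line for the mapping, for example
    'ezua.example.com. 300 IN CNAME a1b2c3d4e5f6.elb.example.com.'"""
    rtype, target = dns_record_for(svc_json)
    if rtype == "CNAME":
        target = target.rstrip(".") + "."
    return f"{fqdn.rstrip('.')}. {ttl} IN {rtype} {target}"


if __name__ == "__main__":
    for sample in (SVC_HOSTNAME_JSON, SVC_IP_JSON, SVC_PENDING_JSON):
        try:
            print(zone_record("ezua.example.com", sample))
        except RuntimeError as err:
            print("not ready:", err)
```

Keep the 45-minute window in mind: if the record is created after it, re-check that the platform's certificates and ingress configuration picked up the name.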