PowerFlex
The CSI Driver for Dell PowerFlex can be deployed by using the provided Helm v3 charts and installation scripts on both Kubernetes and OpenShift platforms. For more detailed information on the installation scripts, review the script documentation.
Prerequisites
The following are requirements that must be met before installing the CSI Driver for Dell PowerFlex:
- Install Kubernetes or OpenShift (see supported versions)
- Install Helm 3.x
- Enable Zero Padding on PowerFlex
- Mount propagation is enabled on container runtime that is being used
- Install PowerFlex Storage Data Client
- If using Snapshot feature, satisfy all Volume Snapshot requirements
- A user must exist on the array with a role >= FrontEndConfigure
- If enabling CSM for Authorization, please refer to the Authorization deployment steps first
- If multipath is configured, ensure CSI-PowerFlex volumes are blacklisted by multipathd. See troubleshooting section for details
- Secure boot is not supported; ensure that secure boot is disabled in the BIOS.
Install Helm 3.x
Install Helm 3.x on the master node before you install the CSI Driver for Dell PowerFlex.
Steps
Run the command to install Helm 3.x.
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
Enable Zero Padding on PowerFlex
Verify that zero padding is enabled on the PowerFlex storage pools that will be used. Use PowerFlex GUI or the PowerFlex CLI to check this setting. For more information to configure this setting, see Dell PowerFlex documentation.
Install PowerFlex Storage Data Client
The CSI Driver for PowerFlex requires you to have installed the PowerFlex Storage Data Client (SDC) on all Kubernetes nodes which run the node portion of the CSI driver. SDC could be installed automatically by CSI driver install on Kubernetes nodes with OS platform which support automatic SDC deployment; for Red Hat CoreOS (RHCOS) and RHEL. On Kubernetes nodes with OS version not supported by automatic install, you must perform the Manual SDC Deployment steps below. Refer to https://hub.docker.com/r/dellemc/sdc for supported OS versions. Please visit E-Lab Navigator for specific Dell Storage platform host operating system level support matrices.
NOTE: To install CSI driver for Powerflex with automated SDC deployment, you need below two packages on worker nodes.
- libaio
- numactl-libs
Optional: For a typical install, you will pull SDC kernel modules from the Dell FTP site, which is set up by default. Some users might want to mirror this repository to a local location. The PowerFlex KB article has instructions on how to do this.
Manual SDC Deployment
For detailed PowerFlex installation procedure, see the Dell PowerFlex Deployment Guide. Install the PowerFlex SDC as follows:
Steps
- Download the PowerFlex SDC from Dell Online support. The filename is EMC-ScaleIO-sdc-*.rpm, where * is the SDC name corresponding to the PowerFlex installation version.
- Export the shell variable MDM_IP in a comma-separated list using
export MDM_IP=xx.xxx.xx.xx,xx.xxx.xx.xx
, where xxx represents the actual IP address in your environment. This list contains the IP addresses of the MDMs. - Install the SDC per the Dell PowerFlex Deployment Guide:
- For Red Hat Enterprise Linux and CentOS, run
rpm -iv ./EMC-ScaleIO-sdc-*.x86_64.rpm
, where * is the SDC name corresponding to the PowerFlex installation version.
- For Red Hat Enterprise Linux and CentOS, run
- To add more MDM_IP for multi-array support, run
/opt/emc/scaleio/sdc/bin/drv_cfg --add_mdm --ip 10.xx.xx.xx.xx,10.xx.xx.xx
Installation Wizard prerequisite, secret update:
When the driver is installed using values generated by installation wizard, then the user needs to update the secret for driver by patching the MDM keys, as follows:
Steps
echo -n '<MDM_IPS>' | base64
kubectl patch secret vxflexos-config -n vxflexos -p "{\"data\": { \"MDM\": \"<GENERATED_BASE64>\"}}"
(Optional) Volume Snapshot Requirements
For detailed snapshot setup procedure, click here.
Install the Driver
Steps
-
Run
git clone -b v2.11.0 https://github.com/dell/csi-powerflex.git
to clone the git repository. -
A namespace for the driver is expected prior to running the command below. If one is not created already, you can run
kubectl create namespace vxflexos
to create a new one. Note that the namespace can be any user-defined name that follows the conventions for namespaces outlined by Kubernetes. In this example we assume that the namespace is ‘vxflexos’ -
Collect information from the PowerFlex SDC by executing the
get_vxflexos_info.sh
script located in thescripts
directory. This script shows the VxFlex OS system ID and MDM IP addresses. Make a note of the values for these parameters as they must be entered intosamples/secret.yaml
. -
Prepare
samples/secret.yaml
for driver configuration. The following table lists driver configuration parameters for multiple storage arrays.Parameter Description Required Default username Username for accessing PowerFlex system. If authorization is enabled, username will be ignored. true - password Password for accessing PowerFlex system. If authorization is enabled, password will be ignored. true - systemID PowerFlex system name or ID. true - allSystemNames List of previous names of powerflex array if used for PV create false - endpoint REST API gateway HTTPS endpoint/PowerFlex Manager public IP for PowerFlex system. If authorization is enabled, endpoint should be the HTTPS localhost endpoint that the authorization sidecar will listen on true - skipCertificateValidation Determines if the driver is going to validate certs while connecting to PowerFlex REST API interface. true true isDefault An array having isDefault=true is for backward compatibility. This parameter should occur once in the list. false false mdm mdm defines the MDM(s) that SDC should register with on start. This should be a list of MDM IP addresses or hostnames separated by comma. true - nasName nasName defines what NAS should be used for NFS volumes. NFS volumes are supported on arrays version >=4.0.x false ""
Example: samples/secret.yaml
- username: "admin"
password: "Password123"
systemID: "2b11bb111111bb1b"
endpoint: "https://127.0.0.2"
skipCertificateValidation: true
isDefault: true
mdm: "10.0.0.3,10.0.0.4"
Example: samples/secret.yaml
for PowerFlex storage system v4.0.x
- username: "admin"
password: "Password123"
systemID: "2b11bb111111bb1b"
endpoint: "https://127.0.0.2"
skipCertificateValidation: true
isDefault: true
mdm: "10.0.0.3,10.0.0.4"
nasName : "nasServer"
NOTE: To use multiple arrays, copy and paste section above for each array. Make sure isDefault is set to true for only one array.
If replication feature is enabled, ensure the secret includes all the PowerFlex arrays involved in replication.
After editing the file, run the below command to create a secret called vxflexos-config
. This assumes vxflexos
is release name, but it can be modified during install:
kubectl create secret generic vxflexos-config -n vxflexos --from-file=config=samples/secret.yaml
Use the below command to replace or update the secret:
kubectl create secret generic vxflexos-config -n vxflexos --from-file=config=samples/secret.yaml -o yaml --dry-run=client | kubectl replace -f -
NOTE:
- It is mandatory to use SDC 4.5.2.1 for OpenShift 4.16 and above.
- The user needs to validate the YAML syntax and array-related key/values while replacing the vxflexos-creds secret.
- If you want to create a new array or update the MDM values in the secret, you will need to reinstall the driver. If you change other details, such as login information, the secret will dynamically update – see dynamic-array-configuration for more details.
- Old
json
format of the array configuration file is still supported in this release. If you already have your configuration injson
format, you may continue to maintain it or you may transfer this configuration toyaml
format and replace/update the secret. - “insecure” parameter has been changed to “skipCertificateValidation” as insecure is deprecated and will be removed from use in config.yaml or secret.yaml in a future release. Users can continue to use any one of “insecure” or “skipCertificateValidation” for now. The driver would return an error if both parameters are used.
- Please note that log configuration parameters from v1.5 will no longer work in v2.0 and higher. Please refer to the Dynamic Logging Configuration section in Features for more information.
- If the user is using complex K8s version like “v1.21.3-mirantis-1”, use this kubeVersion check in helm/csi-unity/Chart.yaml file. kubeVersion: “>= 1.21.0-0 < 1.29.0-0”
-
Default logging options are set during Helm install. To see possible configuration options, see the Dynamic Logging Configuration section in Features.
-
If using automated SDC deployment:
- Check the SDC container image is the correct version for your version of PowerFlex.
-
Download the default values.yaml file
cd dell-csi-helm-installer && wget -O myvalues.yaml https://github.com/dell/helm-charts/raw/csi-vxflexos-2.11.0/charts/csi-vxflexos/values.yaml
-
If you are using custom images, check the fields under
images
inmy-vxflexos-settings.yaml
to make sure that they are pointing to the correct image repository. -
Look over all the other fields
myvalues.yaml
and fill in/adjust any as needed. All the fields are described here:
Parameter | Description | Required | Default |
---|---|---|---|
version | Set to verify the values file version matches driver version and used to pull the image as part of the image name. | Yes | 2.11.0 |
images | List all the images used by the CSI driver and CSM. If you use a private repository, change the registries accordingly. | Yes | "" |
images.powerflexSdc | Set to give the location of the SDC image used if automatic SDC deployment is being utilized. | Yes | dellemc/sdc:4.5.2.1 |
certSecretCount | Represents the number of certificate secrets, which the user is going to create for SSL authentication. | No | 0 |
logLevel | CSI driver log level. Allowed values: “error”, “warn”/“warning”, “info”, “debug”. | Yes | “debug” |
logFormat | CSI driver log format. Allowed values: “TEXT” or “JSON”. | Yes | “TEXT” |
kubeletConfigDir | kubelet config directory path. Ensure that the secret.yaml file is present at this path. | Yes | /var/lib/kubelet |
defaultFsType | Used to set the default FS type which will be used for mount volumes if FsType is not specified in the storage class. Allowed values: ext4, xfs. | Yes | ext4 |
fsGroupPolicy | Defines which FS Group policy mode to be used. Supported modes areNone, File, and ReadWriteOnceWithFSType. |
No | “ReadWriteOnceWithFSType” |
imagePullPolicy | Policy to determine if the image should be pulled prior to starting the container. Allowed values: Always, IfNotPresent, Never. | Yes | IfNotPresent |
enablesnapshotcgdelete | A boolean that, when enabled, will delete all snapshots in a consistency group everytime a snap in the group is deleted. | Yes | false |
enablelistvolumesnapshot | A boolean that, when enabled, will allow list volume operation to include snapshots (since creating a volume from a snap actually results in a new snap). It is recommend this be false unless instructed otherwise. | Yes | false |
allowRWOMultiPodAccess | Setting allowRWOMultiPodAccess to “true” will allow multiple pods on the same node to access the same RWO volume. This behavior conflicts with the CSI specification version 1.3. NodePublishVolume description that requires an error to be returned in this case. However, some other CSI drivers support this behavior and some customers desire this behavior. Customers use this option at their own risk. | Yes | false |
enableQuota | A boolean that, when enabled, will set quota limit for a newly provisioned NFS volume. | No | false |
externalAccess | Defines additional entries for hostAccess of NFS volumes, single IP address and subnet are valid entries | No | " " |
controller | This section allows the configuration of controller-specific parameters. To maximize the number of available nodes for controller pods, see this section. For more details on the new controller pod configurations, see the Features section for Powerflex specifics. | - | - |
volumeNamePrefix | Set so that volumes created by the driver have a default prefix. If one PowerFlex/VxFlex OS system is servicing several different Kubernetes installations or users, these prefixes help you distinguish them. | Yes | “k8s” |
controllerCount | Set to deploy multiple controller instances. If the controller count is greater than the number of available nodes, excess pods remain in a pending state. It should be greater than 0. You can increase the number of available nodes by configuring the “controller” section in your values.yaml. For more details on the new controller pod configurations, see the Features section for Powerflex specifics. | Yes | 2 |
snapshot.enabled | A boolean that enable/disable volume snapshot feature. | No | true |
resizer.enabled | A boolean that enable/disable volume expansion feature. | No | true |
nodeSelector | Defines what nodes would be selected for pods of controller deployment. Leave as blank to use all nodes. Uncomment this section to deploy on master nodes exclusively. | Yes | " " |
tolerations | Defines tolerations that would be applied to controller deployment. Leave as blank to install the controller on worker nodes only. If deploying on master nodes is desired, uncomment out this section. | Yes | " " |
healthMonitor | This section configures the optional deployment of the external health monitor sidecar, for controller side volume health monitoring. | - | - |
enabled | Enable/Disable deployment of external health monitor sidecar. | No | false |
interval | Interval of monitoring volume health condition. Allowed values: Number followed by unit (s,m,h) | No | 60s |
node | This section allows the configuration of node-specific parameters. | - | - |
healthMonitor.enabled | Enable/Disable health monitor of CSI volumes- volume usage, volume condition | No | false |
nodeSelector | Defines what nodes would be selected for pods of node daemonset. Leave as blank to use all nodes. | Yes | " " |
tolerations | Defines tolerations that would be applied to node daemonset. Leave as blank to install node driver only on worker nodes. | Yes | " " |
renameSDC | This section allows the rename operation for SDC. | - | - |
enabled | A boolean that enable/disable rename SDC feature. | No | false |
prefix | Defines a string for the prefix of the SDC. | No | " " |
approveSDC.enabled | A boolean that enable/disable SDC approval feature. | No | false |
storageCapacity | Enable/Disable storage capacity tracking | - | - |
enabled | A boolean that enables/disables storage capacity tracking feature. | Yes | true |
pollInterval | Configure how often the driver checks for changed capacity | No | 5m |
monitor | This section allows the configuration of the SDC monitoring pod. | - | - |
enabled | Set to enable the usage of the monitoring pod. | Yes | false |
hostNetwork | Set whether the monitor pod should run on the host network or not. | Yes | true |
hostPID | Set whether the monitor pod should run in the host namespace or not. | Yes | true |
vgsnapshotter | This section allows the configuration of the volume group snapshotter(vgsnapshotter) pod. | - | - |
enabled | A boolean that enable/disable vg snapshotter feature. | No | false |
image | Image for vg snapshotter. | No | " " |
podmon | Podmon is an optional feature to enable application pods to be resilient to node failure. | - | - |
enabled | A boolean that enables/disables podmon feature. | No | false |
authorization | Authorization is an optional feature to apply credential shielding of the backend PowerFlex. | - | - |
enabled | A boolean that enables/disables authorization feature. | No | false |
proxyHost | Hostname of the csm-authorization server. | No | Empty |
skipCertificateValidation | A boolean that enables/disables certificate validation of the csm-authorization proxy server. | No | true |
- Install the driver using
csi-install.sh
bash script by runningcd dell-csi-helm-installer && ./csi-install.sh --namespace vxflexos --values myvalues.yaml --helm-charts-version <version>
. You may modify the release name with the--release
arg. If arg is not provided, release will be namedvxflexos
by default. Alternatively, to do a helm install solely with Helm charts (without shell scripts), refer tohelm/README.md
.
NOTE:
-
The parameter
--helm-charts-version
is optional and if you do not specify the flag, by default thecsi-install.sh
script will clone the version of the helm chart that is specified in the driver’s csi-install.sh file. If you wish to install the driver using a different version of the helm chart, you need to include this flag. Also, remember to delete thehelm-charts
repository present in thecsi-powerflex
directory if it was cloned before. -
For detailed instructions on how to run the install scripts, refer to the README.md in the dell-csi-helm-installer folder.
-
Install script will validate MDM IP(s) in
vxflexos-config
secret and creates a new field consumed by the init container and sdc-monitor container -
This install script also runs the
verify.sh
script. You will be prompted to enter the credentials for each of the Kubernetes nodes. Theverify.sh
script needs the credentials to check if SDC has been configured on all nodes. -
It is mandatory to run install script after changes to MDM configuration in
vxflexos-config
secret. Refer dynamic-array-configuration -
If an extended Kubernetes version is being used (e.g.
v1.21.3-mirantis-1
) and is failing the version check in Helm even though it falls in the allowed range, then you must go intohelm/csi-vxflexos/Chart.yaml
and replace the standardkubeVersion
check with the commented-out alternative. Please note that this will also allow the use of pre-release alpha and beta versions of Kubernetes, which is not supported. -
(Optional) Enable additional Mount Options - A user is able to specify additional mount options as needed for the driver.
- Mount options are specified in storageclass yaml under mkfsFormatOption.
- WARNING: Before utilizing mount options, you must first be fully aware of the potential impact and understand your environment’s requirements for the specified option.
Certificate validation for PowerFlex Gateway REST API calls
This topic provides details about setting up the certificate for the CSI Driver for Dell PowerFlex.
Before you begin
As part of the CSI driver installation, the CSI driver requires a secret with the name vxflexos-certs-0 to vxflexos-certs-n based on the “.Values.certSecretCount” parameter present in the namespace vxflexos.
This secret contains the X509 certificates of the CA which signed PowerFlex gateway SSL certificate in PEM format.
The CSI driver exposes an install parameter in secret.yaml, skipCertificateValidation
, which determines if the driver performs client-side verification of the gateway certificates.
skipCertificateValidation
parameter is set to true by default, and the driver does not verify the gateway certificates.
If skipCertificateValidation
is set to false, then the secret vxflexos-certs-n must contain the CA certificate for the array gateway.
If this secret is an empty secret, then the validation of the certificate fails, and the driver fails to start.
If the gateway certificate is self-signed or if you are using an embedded gateway, then perform the following steps.
-
To fetch the certificate, run the following command.
openssl s_client -showcerts -connect <Gateway IP:Port> </dev/null 2>/dev/null | openssl x509 -outform PEM > ca_cert_0.pem
Example:
openssl s_client -showcerts -connect 1.1.1.1:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > ca_cert_0.pem
-
Run the following command to create the cert secret with index ‘0’:
kubectl create secret generic vxflexos-certs-0 --from-file=cert-0=ca_cert_0.pem -n vxflexos
Use the following command to replace the secret:
kubectl create secret generic vxflexos-certs-0 -n vxflexos --from-file=cert-0=ca_cert_0.pem -o yaml --dry-run | kubectl replace -f -
-
Repeat step 1 and 2 to create multiple cert secrets with incremental index (example: vxflexos-certs-1, vxflexos-certs-2, etc)
Notes:
- “vxflexos” is the namespace for Helm-based installation but namespace can be user-defined in operator-based installation.
- User can add multiple certificates in the same secret. The certificate file should not exceed more than 1Mb due to Kubernetes secret size limitation.
- Whenever certSecretCount parameter changes in
myvalues.yaml
user needs to uninstall and install the driver. - Updating vxflexos-certs-n secrets is a manual process, unlike vxflexos-config. Users have to re-install the driver in case of updating/adding the SSL certificates or changing the certSecretCount parameter.
Storage Classes
For CSI driver for PowerFlex version 1.4 and later, dell-csi-helm-installer
does not create any storage classes as part of the driver installation. A wide set of annotated storage class manifests have been provided in the samples
folder. Use these samples to create new storage classes to provision storage.
What happens to my existing storage classes?
Upgrading from an older version of the driver: The storage classes will be deleted if you upgrade the driver. If you wish to continue using those storage classes, you can patch them and apply the annotation “helm.sh/resource-policy”: keep before performing an upgrade.
Note: If you continue to use the old storage classes, you may not be able to take advantage of any new storage class parameter supported by the driver.
Steps to create storage class:
There are samples storage class yaml files available under samples/storageclass
. These can be copied and modified as needed.
- Edit
storageclass.yaml
if you need ext4 filesystem,storageclass-xfs.yaml
if you want xfs filesystem andstorageclass-nfs.yaml
if you need nfs filesystem - Replace
<STORAGE_POOL>
with the storage pool you have. - Replace
<SYSTEM_ID>
with the system ID you have. Note there are two appearances in the file. - Edit
storageclass.kubernetes.io/is-default-class
to true if you want to set it as default, otherwise false. - If using
storageclass-nfs.yaml
Replace"nas-server"
with the NAS server’s name you have. - Save the file and create it by using
kubectl create -f storageclass.yaml
/kubectl create -f storageclass-xfs.yaml
/kubectl create -f storageclass-nfs.yaml
NOTE:
- At least one storage class is required for one array.
- If you uninstall the driver and reinstall it, you can still face errors if any update in the
myvalues.yaml
file leads to an update of the storage class(es):
Error: cannot patch "<sc-name>" with kind StorageClass: StorageClass.storage.k8s.io "<sc-name>" is invalid: parameters: Forbidden: updates to parameters are forbidden
In case you want to make such updates, ensure to delete the existing storage classes using the kubectl delete storageclass
command.
Deleting a storage class has no impact on a running Pod with mounted PVCs. You cannot provision new PVCs until at least one storage class is newly created.
Volume Snapshot Class
Starting CSI PowerFlex v1.5, dell-csi-helm-installer
will not create any Volume Snapshot Class during the driver installation. There is a sample Volume Snapshot Class manifest present in the samples/ folder. Please use this sample to create a new Volume Snapshot Class to create Volume Snapshots.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.