Creating Instances for a High Availability Cluster on IBM Power Virtual Server
Use the following information and procedures to create the Power Virtual Server instances that are required for a high availability cluster implementation.
Before you begin
Review the general requirements, product documentation, support articles, and SAP notes listed in Implementing High Availability for SAP Applications on IBM Power Virtual Server References.
Creating a workspace
A workspace is an environment that acts as a folder for all Power Virtual Server resources in a geographical region. These resources include compute, network, and storage volumes. Resources cannot be moved or shared between different workspaces. Each workspace is bound to a single data center.
To create a workspace, follow the steps that are described in Creating a Power Virtual Server workspace.
The created workspaces are listed under Workspaces on the left navigation pane of the Power Virtual Server user interface.
Creating private network subnets
A virtual server instance is connected to the network and is assigned an IP address from the defined range of IP addresses. It is recommended that you connect the cluster nodes to a private network rather than a public network.
Follow the steps in Configuring a private network subnet to create a subnet.
You need at least one private subnet in the workspace.
Reserving virtual IP addresses
A high availability cluster typically requires virtual IP addresses that must move with the application in a failover scenario.
Reserve the required IP addresses in the subnet to prevent Power Virtual Server from assigning a specific IP address to another virtual server instance. See Reserving IP addresses.
Make sure that the IP address you want to reserve is within the CIDR range of the subnet and within the IP range that you previously restricted.
Exploring more network architecture options
If your Power Virtual Server workspace is enabled for Power Edge Router (PER), you already have network communication with parts of the IBM Cloud network. The PER solution creates a direct connection to the IBM Cloud Multi Protocol Label Switching (MPLS) backbone, making it easier for different parts of the IBM network to communicate with each other. For more information, see Getting started with the Power Edge Router.
Otherwise, create IBM Cloud® connections to connect your Power Virtual Server instances to other IBM Cloud resources within your account. IBM Cloud connections are not required to configure a Red Hat High Availability cluster in Power Virtual Server. They might be required for integration scenarios with the IBM Cloud Classic network and Virtual Private Cloud (VPC) infrastructures. For more information, see IBM Power Virtual Server Cloud Connections.
Use IBM Transit Gateway to connect your Power Virtual Server to IBM Cloud classic and Virtual Private Cloud (VPC) infrastructures outside your account or region. For more information about integrating the on-premises network and Power Virtual Server, see Network architecture diagrams.
Creating an SSH key
Use the following steps to create one or more SSH keys for root login.
Create a keypair and load the public key to the SSH keys store in Power Virtual Server. During deployment of the virtual server instance, specify one or more keys from the keystore. These keys are added to the authorized_keys file of the root user, and allow you to securely log in to the virtual server instance by using your private key.
For more information, see Generating an SSH key.
The preferred choice is the ed25519 key type. It offers both security and performance advantages.
- Log in to Workspaces.
- Click the workspace name and View virtual servers.
- Click SSH keys.
- Click Create SSH key.
- Enter a Key name. Then, copy and paste the public key that you generated earlier into the field.
- Click Add SSH key.
Selecting a boot image
You have several options to obtain operating system images for the cluster nodes. Use the following steps to select a boot image.
You can choose from several types of stock images that are already prepared for Power Virtual Server. Images are available in the IBM Provided Subscription and Client Provided Subscription sections of the Power Virtual Server provisioning page. For more information, see Full Linux® subscription for IBM Power Virtual Server (Off-premises).
If you want to import a custom Linux image, you must first upload the image to the IBM Cloud Object Storage in OVA format.
Before you begin, make sure that the OVA image is loaded in the storage bucket.
Creating virtual server instances for the cluster
Complete the following steps to create the virtual server instances that you want to use as high availability cluster nodes.
- Log in to Workspaces.
- Click the workspace name and View virtual servers.
- Click Virtual server instances > Create Instance. You need to step through the subsections General, Boot Image, Profile, Storage Volume, Network Interfaces.
- In subsection General, enter the Instance name.
- For a singlezone implementation, click + to increase the Number of instances to 2. Select Numerical postfix as Instance naming convention, and select Different server as Placement group colocation policy. A placement group with colocation policy Different server is automatically created as part of the virtual server instances deployment.
- Select an SSH key and click Continue.
- In the Boot image section, select the Operating system according to your subscription model. Use one of the Linux selections either from the IBM-provided subscription or through your Client-provided subscription. In the Tier section, select the desired storage tier. Keep Auto-select pool for selecting the Storage Pool. Click Continue.
- In Profile, select Machine type, Core type, and the virtual server instance profile to match your workload requirements. Click Continue.
- In Storage volumes, click Continue.
  When you deploy multiple instances, the storage volumes that are created are shared by all instances. Certain high availability cluster scenarios require shared volumes. In these cases, create the shared volumes later. For SAP HANA, see Storage configuration for SAP HANA. These volumes must be created later for the individual server instances after their deployment is complete.
- In the Network Interfaces subsection, it is preferable that the cluster nodes are not directly accessible from a public network, so leave the Public networks configuration as Off.
- Click Attach to attach the virtual server instances to an existing subnet.
- In the Attach an existing network screen, select one of the Existing networks. You can either select Automatically assign IP address from IP range, or Manually specify an IP address from IP range to specify an available IP address.
- Click Attach.
- Click Finish, check the I agree to the Terms and Conditions flag, and click Create.
The deployment of the virtual server instances starts.
For a multizone region deployment, repeat the same steps to create the second virtual server instance in a different workspace.
Preparing the operating system for installing an SAP solution
If you deployed a virtual server instance from a stock image, you need to perform extra configuration tasks before you can install SAP software. For more information, see Configuring a Power Virtual Server instance.
Creating a Custom Role, Service ID, and API key in IBM Cloud
A Service ID in IBM Cloud identifies a service or an application in a similar way as a user ID identifies a user. Create a service ID for the fencing agent to allow access to IBM Power Cloud actions such as monitoring or controlling the virtual server instances. Create a custom role in advance to limit the allowed IBM Power Cloud API actions to only those actions that are required for fencing.
Managing Custom Roles, Service IDs, and API keys is part of IBM Cloud Identity and Access Management (IAM). Navigate to IAM for the following steps.
Log in to IBM Cloud Identity and Access Management
Go to the IBM Cloud Identity and Access Management (IAM) console.
- Log on to IBM Cloud.
- On the menu bar, click Manage and select Access (IAM).
Creating a custom role for the fencing agent
Create a custom role in IAM and assign the set of actions that are required for a fencing operation to the role. You must grant access for the following actions.
- reading objects in the cloud_instance or workspace
- listing virtual server instances
- getting information about a virtual server instance
- performing an action on a virtual server instance
The action set of a custom role must be unique within the account. You cannot create multiple custom roles with the same action set.
Create a custom role in IAM.
- Click Roles > Create.
- Enter the Name, ID, and Description for the custom role.
- Select Workspace for Power Virtual Server from the Service drop-down list.
- Select Manager from the View the actions for drop-down list.
- In the Actions list, locate the following actions. Click Add for each of them.
  - power-iaas.pvm-instance.list
  - power-iaas.pvm-instance.read
  - power-iaas.pvm-instance.action
- Click Create to save the role.
Creating a custom role for the powervs-subnet resource agent
This step is only required if you are implementing a cluster in a multizone region environment with the powervs-subnet resource agent.
Create a custom role in IAM and assign the set of actions that are required for a subnet move operation in the role. You must grant access for the following actions.
- reading objects in the cloud_instance or workspace
- listing and getting information for subnets in the workspace
- creating and deleting subnets in the workspace
- attaching and detaching subnets to or from a virtual server instance
- deleting network ports
Create a custom role in IAM.
- Click Roles > Create.
- Enter the Name, ID, and Description for the custom role.
- Select Workspace for Power Virtual Server in the Service drop-down list.
- Select Manager from the View the actions for drop-down list.
- In the Actions list, locate the following actions. Click Add for each of them.
  - power-iaas.cloud-instance.read
  - power-iaas.pvm-instance-network.list
  - power-iaas.pvm-instance-network.read
  - power-iaas.network.list
  - power-iaas.network.create
  - power-iaas.network.delete
  - power-iaas.network-port.delete
  - power-iaas.pvm-instance-network.create
  - power-iaas.pvm-instance-network.delete
- Click Create to save the role.
Creating a Service ID
Create a Service ID for the fencing agent and assign one or more custom roles to it. In a multizone region implementation, you can create a second Service ID for the powervs-subnet resource agent. It is also possible to use a common Service ID for both agents (see the note in the previous section). If you are using a common Service ID, assign both the custom role for fencing and the custom role for the powervs-subnet resource agent.
Create a Service ID in IAM.
- Click Service IDs > Create.
- Enter a Name and Description for the service ID.
- Click Create.
- In the Access policies section, click Assign access.
- In the Service section, select Workspace for Power Virtual Server and click Next.
- In the Resource section, select Specific Resources > Service Instance > string equals > name of the workspace that you created earlier. Click Next.
- In the Roles and actions section, select one or more of the custom roles that you created earlier in Custom access and click Next.
- You can skip the Conditions (Optional) section.
- Click Add and then Assign to create the Service ID.
If you create a Service ID for the powervs-subnet resource agent in a multizone region implementation, you must grant access to both workspace resources. In the Access policies section, click Assign access again and follow the steps to assign access for the second workspace.
Creating an API key for the Service ID
When you configure the fencing agent in the Red Hat HA cluster or the powervs-subnet resource agent in a multizone region implementation, you must specify an API key. The API key authorizes the fencing agent or resource agent to use the IBM Power Cloud API to perform the actions that are defined in the Service ID.
Create the API Key for the Service ID in the IAM.
- Click Service IDs and select the Service ID that you created earlier.
- Click API Keys to switch to the Create and manage API keys for this service ID tab.
- Click Create.
- Enter a Name and a Description for the key.
- Click Create.
Click download to save the API key to a JSON file. Keep the downloaded file in a safe place.
The key is available for 300 seconds. After 300 seconds, you won't be able to view or retrieve the key.
Collecting parameters for configuring a RHEL HA Add-On cluster
Several parameters are required to set up a specific high availability scenario. These include the following parameters, which can be collected now.
- Cloud Resource Name (CRN) of the Power Virtual Server workspace
- Virtual server instance IDs
- Extra parameters that must be derived from the CRN
- API key for the fencing agent
- API key for the powervs-subnet resource agent if you are implementing a multizone region environment
The uppercase variables in the following section indicate that these parameters are used as environment variables to simplify the cluster setup. Make a note of their contents now, as they will be needed in the setup instructions for a specific high availability scenario.
- CLOUD_REGION contains the geographical area of your virtual server instance and is used to target the correct Power Cloud API endpoint.
  - CLOUD_REGION if you are using public endpoints: Public endpoint URLs match the pattern https://<CLOUD_REGION>.power-iaas.cloud.ibm.com. For CLOUD_REGION, note the first word in the hostname in the public endpoint URL of the specific location. For example, sites syd04 and syd05 map to syd.
  - CLOUD_REGION if you are using private endpoints: Private endpoint URLs match the pattern https://private.<CLOUD_REGION>.power-iaas.cloud.ibm.com. For CLOUD_REGION, note the second word in the hostname in the private endpoint URL of the specific location. For example, sites syd04 and syd05 map to au-syd.
- Log in to Workspaces - Power Virtual Server. The list contains the name and CRN of the workspaces.
  Locate your Workspace, or both workspaces for a multizone region deployment. Click Copy next to the CRN and paste it into a temporary document.
  A CRN has multiple sections that are divided by a colon. The base format of a CRN is:
  crn:version:cname:ctype:service-name:location:scope:service-instance:resource-type:resource
  - service-name: The fifth field of the CRN of the workspace is always power-iaas, the service-name.
  - location: The sixth field is the location that needs to be mapped to a region.
  - scope: The seventh field is the Tenant ID.
  - service-instance: The eighth field is the Cloud Instance ID or GUID.
- IBMCLOUD_CRN_1 contains the full CRN.
- GUID_1 refers to the contents of the service-instance field in the CRN.
- In a multizone region deployment, use the CRN of the second workspace and note the contents for IBM_CLOUD_CRN_2 and GUID_2.
- Click the workspace name and then View virtual servers. Click the virtual server instance names and find their ID.
- Note these IDs for POWERVSI_1 and POWERVSI_2. In a multizone deployment, use the second workspace to find the ID of the second instance.
- APIKEY contains the API key for the fencing agent. Use the value of the apikey entry in the JSON file that was downloaded in the Creating an API key for the Service ID section. In a multizone region deployment, an API key is also required for the powervs-subnet cluster resource agent. As before, you can use the value of the apikey entry for the APIKEY variable. However, the preferred option is to place a copy of the downloaded JSON file on both nodes and set APIKEY to a string that starts with a @ sign followed by the full path to the key file.
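As an added example that is not part of the IBM documentation, the following POSIX shell script derives the variables described above (GUID_1, CLOUD_REGION, APIKEY) from a workspace CRN and from a downloaded API key file, including the @/path form of APIKEY. The CRN and the key file contents used here are constructed placeholders. The public-region rule (location name without its trailing digits) and the private-region table are built only from the syd04/syd05 example given above, so check the result against the endpoint list for your own location before using it.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: derive cluster environment
# variables from a workspace CRN and a downloaded API key file.
# All values below are constructed samples and placeholders.

# Field N (1-based) of a colon-separated CRN.
crn_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Sanity check: field 5 (service-name) of a workspace CRN is power-iaas.
crn_is_power_iaas() {
    [ "$(crn_field "$1" 5)" = "power-iaas" ]
}

# Field 6 is the location (for example syd04); field 8 is the
# service-instance, which is the GUID of the workspace.
crn_location() { crn_field "$1" 6; }
crn_guid()     { crn_field "$1" 8; }

# Public-endpoint CLOUD_REGION: first label of <region>.power-iaas.cloud.ibm.com.
# Assumed rule: location name minus trailing digits (syd04 -> syd), which
# matches the documented example. Confirm against the endpoint list.
public_region() {
    printf '%s\n' "$1" | sed 's/[0-9]*$//'
}

# Private-endpoint CLOUD_REGION: second label of
# private.<region>.power-iaas.cloud.ibm.com. Only the documented mapping
# (syd04/syd05 -> au-syd) is included; extend from the endpoint list.
private_region() {
    case "$(public_region "$1")" in
        syd) printf 'au-syd\n' ;;
        *)   printf 'unknown location %s: look up its private endpoint\n' "$1" >&2
             return 1 ;;
    esac
}

# Resolve APIKEY: either a literal key, or "@/path/to/key.json", meaning
# read the "apikey" entry from the JSON file that IAM let you download.
resolve_apikey() {
    case "$1" in
        @*)
            keyfile="${1#@}"
            [ -r "$keyfile" ] || { printf 'cannot read %s\n' "$keyfile" >&2; return 1; }
            sed -n 's/.*"apikey"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$keyfile" | head -n 1
            ;;
        *)
            printf '%s\n' "$1"
            ;;
    esac
}

# Usage with a constructed sample CRN (placeholder tenant ID and GUID).
SAMPLE_CRN='crn:v1:bluemix:public:power-iaas:syd04:a/0123456789abcdef0123456789abcdef:11111111-2222-3333-4444-555555555555::'
if crn_is_power_iaas "$SAMPLE_CRN"; then
    IBMCLOUD_CRN_1=$SAMPLE_CRN
    GUID_1=$(crn_guid "$SAMPLE_CRN")
    CLOUD_REGION=$(public_region "$(crn_location "$SAMPLE_CRN")")
    printf 'IBMCLOUD_CRN_1=%s\nGUID_1=%s\nCLOUD_REGION=%s\n' "$IBMCLOUD_CRN_1" "$GUID_1" "$CLOUD_REGION"
fi
```

When you use the @/path form on the cluster nodes, keep the key file owned by root with mode 0600: the file grants the same rights as the Service ID's custom role, so anyone who can read it can perform the fencing (or subnet move) actions on your workspace.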