Skip to main content
Version: 2.9.2

Post-Deployment Hardware Setup

Introduction

Once DR is deployed, there are certain steps that must be taken to ensure that the Hardware will run the solution smoothly. This article outlines those steps.

Setup Time Zone and NTP

The virtual machines that make up the Superna solution are required to be time synchronized with the PowerScale OneFS clusters in the environment. Please make sure the Eyeglass appliance and the ECA nodes are connected to the same NTP server as the PowerScale OneFS clusters, and that the timezone is appropriately set on all.

Create local PowerScale OneFS Eyeglass user

  1. Start by logging into the PowerScale OneFS cluster via an SSH session using the root user credentials. This provides the necessary administrative privileges to create new user accounts.

  2. Run the following command to create the eyeglass service account:

    isi auth users create eyeglass --enabled yes --password 3y3gl4ss

    This command sets up the account with an initial password and enables it for immediate use.

warning
  • Restricted Characters: Ensure your password does not include restricted characters such as brackets, tilde, back quote, forward slash, ampersand, asterisk, and dollar sign. These characters can cause issues in scripting and command execution within the PowerScale OneFS environment.
  • Password Length: Ensure the password is no longer than 20 characters.

Update the Sudoers File

warning

Some critical administrative commands required for managing PowerScale OneFS clusters are not accessible through the PowerScale OneFS Platform API and must be executed directly via the command-line interface with root privileges.

Updating the sudoers file to allow these commands to be run without a password is essential for enabling efficient, automated disaster recovery processes.

Use the following instructions to update the sudoers file.

  1. Use the isi visudo command to safely open and edit the sudoers file.

    isi visudo
  2. Add the following lines to the sudoers file. These entries allow the eyeglass user to execute specific administrative commands without requiring a password:

    eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_classic auth ads*
    eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_classic domain info*
  3. Add the following lines to the sudoers file. These entries allow the eyeglass service account to manage SMB file operations without requiring a password:

    eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array -s isi_run -z ?* isi_classic smb file*
    eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array isi_run -z ?* isi_classic smb file*
    eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array -s isi smb openfiles list *
    eyeglass ALL=(ALL) NOPASSWD: /usr/bin/isi_for_array isi smb openfiles close *

Modify user account properties and create roles

  1. Disable the password expiration for the eyeglass account to ensure continuous access without the need for periodic password updates.

    isi auth users modify eyeglass --password-expires no
  2. Establish a role named EyeglassAdmin to centralize administrative privileges for managing the cluster.

    isi auth roles create --name EyeglassAdmin --description "EyeglassAdmin role"
  3. Add the eyeglass user to the EyeglassAdmin role to grant necessary administrative permissions.

    isi auth roles modify EyeglassAdmin --add-user eyeglass

Assign privileges to the admin role

Assign necessary privileges to the EyeglassAdmin role to ensure it has the required access across various system functionalities.

General Administrative Privileges: Provide broad administrative capabilities such as authentication, role management, and configuration oversight:

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_AUTH
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_ROLE
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_CONFIGURATION

System and Network Management: Grant permissions related to network settings, NFS, SMB, and system quotas:

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_NFS
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_SMB
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_NETWORK
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_QUOTA

Security and Compliance: Enable privileges related to security measures, audit capabilities, and compliance:

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_AUDIT
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_HARDENING
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_WORM

Data Protection and Recovery: Add privileges for managing snapshots, disaster recovery, and data replication:

isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_SNAPSHOT
isi auth roles modify EyeglassAdmin --add-priv ISI_PRIV_SYNCIQ
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_REMOTE_SUPPORT

Storage Optimization: Enhance the role with capabilities to manage storage pools, devices, and file filtering:

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_SMARTPOOLS
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_CLOUDPOOLS
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_DEVICES
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_FILE_FILTER

Monitoring and Statistics: Provide read-only access for monitoring and statistics to support performance analysis:

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_STATISTICS
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_MONITORING
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_HTTP
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_NTP
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_EVENT
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_ANTIVIRUS

Specialized Access: Enable specialized access for system features such as HDFS and NDMP:

isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_HDFS
isi auth roles modify EyeglassAdmin --add-priv-ro ISI_PRIV_NDMP

Next Steps

From this point on the environment can be set up: Environment Setup