Service Account with custom roles needed for HA configuration only.
Check the permissions of the service account that was used to deploy the MayaNAS instances. MayaNAS requires a service account with sufficient permissions to manipulate disk attachments for proper sharing and fencing, and read-write access to object storage. It also needs sufficient permission to float the virtual IP across multiple instances. If the default service account lacks these permissions, a separate service account is needed for proper HA configuration.
From Google Cloud Shell, or from a computer where the gcloud CLI is available, create a new service account as follows:
# select the project first so that PROJECT below reflects it
gcloud config set project YOUR_PROJECT
PROJECT=$(gcloud info --format='value(config.project)')
# short name for the new service account (placeholder, choose your own)
SA=YOUR_SA_NAME
gcloud iam service-accounts create $SA --display-name "mayanas service account"
SA_EMAIL=$(gcloud iam service-accounts list --filter="displayName:mayanas service account" \
--format='value(email)')
-or- set the variable directly
SA_EMAIL=${SA}@${PROJECT}.iam.gserviceaccount.com
Add relevant permissions to the newly created service account with the role scope limited to this project only. Your other instances in different projects will not be affected by these changes.
# permission to create/modify instances in your project
gcloud projects add-iam-policy-binding $PROJECT --member serviceAccount:$SA_EMAIL \
--role roles/compute.instanceAdmin
# permission to create/modify network settings in your project
gcloud projects add-iam-policy-binding $PROJECT --member serviceAccount:$SA_EMAIL \
--role roles/compute.networkAdmin
# permission to create/modify images & disks in your project
gcloud projects add-iam-policy-binding $PROJECT --member serviceAccount:$SA_EMAIL \
--role roles/compute.storageAdmin
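One way to carry out the permission check after the bindings above have been applied, as an added example that is not part of MayaNAS or of the original page. The function names `sa_roles`, `missing_roles` and `extra_roles` are assumptions of this example, and the sample role list is constructed.

```shell
#!/bin/sh
# Added example: compare a service account's project-level roles with the
# three roles this page grants. Function names are hypothetical.

REQUIRED_ROLES="roles/compute.instanceAdmin
roles/compute.networkAdmin
roles/compute.storageAdmin"

# Live input: one role per line for SA_EMAIL in PROJECT.
# Needs gcloud and permission to read the project IAM policy.
sa_roles() {  # usage: sa_roles PROJECT SA_EMAIL
    gcloud projects get-iam-policy "$1" \
        --flatten="bindings[].members" \
        --filter="bindings.members:serviceAccount:$2" \
        --format="value(bindings.role)"
}

# Reads granted roles on stdin, prints every required role that is absent.
# Whole-line matching: roles/compute.instanceAdmin.v1 does not count as
# roles/compute.instanceAdmin.
missing_roles() {
    granted=$(cat)
    for role in $REQUIRED_ROLES; do
        printf '%s\n' "$granted" | grep -qxF "$role" || printf '%s\n' "$role"
    done
}

# Reads granted roles on stdin, prints roles held beyond the three required,
# so grants wider than HA needs can be reviewed.
extra_roles() {
    while IFS= read -r role; do
        [ -n "$role" ] || continue
        printf '%s\n' "$REQUIRED_ROLES" | grep -qxF "$role" || printf '%s\n' "$role"
    done
}

# Constructed sample standing in for the output of sa_roles.
SAMPLE_ROLES="roles/compute.instanceAdmin.v1
roles/compute.storageAdmin
roles/editor"

echo "missing:";          printf '%s\n' "$SAMPLE_ROLES" | missing_roles
echo "beyond the three:"; printf '%s\n' "$SAMPLE_ROLES" | extra_roles
```

Against a real project, pipe the live list in instead of the sample: `sa_roles "$PROJECT" "$SA_EMAIL" | missing_roles`.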
Update the MayaNAS instances with the newly created service account. Unfortunately, the instances have to be stopped to attach a service account in Google Cloud.
gcloud compute instances set-service-account YOUR_INSTANCE --zone us-west1-b \
--service-account=$SA_EMAIL
Unfortunately, Google Cloud does not allow changing the service account on a running instance. The instance has to be stopped before its settings can be edited to attach the newly created service account for MayaNAS.
For MayaNAS to be configured with cloud object storage (S3), a valid Access Key and Secret are required. These can be generated from
Google Cloud Console → Cloud Storage → Settings → INTEROPERABILITY tab → CREATE A KEY
Keys are listed under Access keys for your user account
MayaNAS requires one of the cache disks below to be attached and configured before creating a ZFS storage pool over high-latency S3 object storage. The cache disk can be configured as:
Purpose | Size |
---|---|
ZIL Log device (recommended if object storage is used) | 1.5 times Instance RAM size |
Bcache Cache device (only if Bcache is preferred instead of ZIL) | Size of the expected workset |
L2ARC Read Cache (optional) | Twice the instance RAM size |
MayaNAS supports creating a ZFS storage pool directly on multiple S3 object storage buckets. It is recommended to create the desired number of storage buckets before starting the Getting Started wizard.
Any other disks needed have to be created and attached to the instance before starting the configuration.
gcloud compute instances attach-disk MAYANAS_INSTANCE --zone=${CLOUDSDK_COMPUTE_ZONE} --disk=DISK_NAME --device-name DISK_NAME
Make sure the device name is the same as the disk name. MayaNAS needs the two to match; when the disk is attached from the GCP Console, the web console by default uses the disk name as the device name.
To provide a virtual IP address for HA operation, assign a suitable secondary address range to your network subnet.
For example, to assign virtual IP addresses in the 10.9.0.0 network range to the default network in the region us-west1:
gcloud compute networks subnets update default \
--region us-west1 --add-secondary-ranges range1=10.9.0.0/24
After this, the virtual IP address 10.9.0.100 can be used for MayaNAS HA configuration.
Change the MayaNAS Administration GUI default password to something random by running
# /opt/mayastor/web/genrandpass.sh
Or to set your own password
# /opt/mayastor/web/changepass.sh
Login name (default admin):
Login password:
Password again:
And then restart the web server for password changes to take effect
# /opt/mayastor/web/stop
# /opt/mayastor/web/start
Now you can proceed with the High-Availability setup using the Getting Started wizard from the Administration Web console, available on http://<MayaNAS1-ip>:2020
To avoid public network exposure of port 2020, it is recommended to use SSH tunneling with port forwarding as follows, and then open http://localhost:2020 on the local machine. The SSH option -L has to follow a bare -- so that gcloud passes it through to ssh:
gcloud compute ssh --zone YOUR_ZONE MayaNAS1 --project YOUR_PROJECT -- -L 2020:localhost:2020
Proceed to Configure MayaNAS