Service Account

A service account with custom roles is needed for HA configuration only.


Check the permissions of the service account that was used to deploy the MayaNAS instances. MayaNAS requires a service account with sufficient permissions to manipulate disk attachments for proper sharing and fencing, and also read-write access to object storage. It also needs sufficient permission to float the virtual IP across multiple instances. If the default service account lacks these permissions, a separate service account is needed for proper HA configuration.

From Google Cloud Shell, or from a computer where the gcloud CLI is available, create a new service account as follows:

  1. Find the project name associated with the deployment and set it in the shell variable PROJECT

    PROJECT=$(gcloud info --format='value(config.project)')

    If PROJECT differs from the project used for the MayaNAS deployment, switch to that project and set the variable again
    gcloud config set project YOUR_PROJECT
    PROJECT=YOUR_PROJECT
  2. Create the service account

    SA="mayanas-service"

    gcloud iam service-accounts create "$SA" --display-name "mayanas service account"

  3. Find the email of the newly created service account and set it in the shell variable SA_EMAIL
    SA_EMAIL=$(gcloud iam service-accounts list --filter="displayName:'mayanas service account'" \
        --format='value(email)')
    -or-

    Set the variable directly
    SA_EMAIL="${SA}@${PROJECT}.iam.gserviceaccount.com"
  4. Add the relevant permissions to the newly created service account. The role bindings are scoped to this project only, so your instances in other projects will not be affected by these changes.

    # permission to create/modify instances in your project
    gcloud projects add-iam-policy-binding "$PROJECT" --member "serviceAccount:$SA_EMAIL" \
        --role roles/compute.instanceAdmin

    # permission to create/modify network settings in your project
    gcloud projects add-iam-policy-binding "$PROJECT" --member "serviceAccount:$SA_EMAIL" \
        --role roles/compute.networkAdmin

    # permission to create/modify images & disks in your project
    gcloud projects add-iam-policy-binding "$PROJECT" --member "serviceAccount:$SA_EMAIL" \
        --role roles/compute.storageAdmin
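
To confirm that step 4 took effect and that the account holds no project-level roles beyond these three, the IAM policy can be compared against the expected set. This is an added example, not part of the MayaNAS documentation; the helper names `list_sa_roles` and `audit_roles` and the sample role list are made up for illustration.

```shell
# Roles granted in step 4 of this page.
EXPECTED_ROLES="roles/compute.instanceAdmin roles/compute.networkAdmin roles/compute.storageAdmin"

# list_sa_roles PROJECT SA_EMAIL (hypothetical helper): print the project-level
# roles bound to the service account, one per line. Needs gcloud and network access.
list_sa_roles() {
    gcloud projects get-iam-policy "$1" \
        --flatten="bindings[].members" \
        --filter="bindings.members:$2" \
        --format="value(bindings.role)"
}

# audit_roles (hypothetical helper): read roles on stdin, print a MISSING or
# EXTRA line per difference, return 0 only if the set equals EXPECTED_ROLES.
audit_roles() {
    audit_actual=$(sort -u)
    audit_rc=0
    for audit_role in $EXPECTED_ROLES; do
        if ! printf '%s\n' "$audit_actual" | grep -qxF "$audit_role"; then
            echo "MISSING $audit_role"
            audit_rc=1
        fi
    done
    while IFS= read -r audit_role; do
        [ -n "$audit_role" ] || continue
        case " $EXPECTED_ROLES " in
            *" $audit_role "*) ;;
            *) echo "EXTRA $audit_role"; audit_rc=1 ;;
        esac
    done <<EOF
$audit_actual
EOF
    return "$audit_rc"
}

# Constructed sample (not real gcloud output): the storageAdmin binding was
# never applied and a broad basic role was added by hand.
SAMPLE_ROLES='roles/compute.instanceAdmin
roles/compute.networkAdmin
roles/editor'

# Offline demonstration on the sample; against a real project use:
#   list_sa_roles "$PROJECT" "$SA_EMAIL" | audit_roles
printf '%s\n' "$SAMPLE_ROLES" | audit_roles || true
```

An EXTRA line is worth investigating before the account is attached to the instances, since every process on a MayaNAS instance can act with whatever roles the account holds.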

Update the MayaNAS instances with the newly created service account. Unfortunately, the instances have to be stopped to attach a service account in Google Cloud.

gcloud compute instances set-service-account YOUR_INSTANCE --zone us-west1-b \
    --service-account="$SA_EMAIL"


Unfortunately, Google Cloud does not allow changing the service account on a running instance. The instance has to be stopped, and then its settings edited to attach the newly created service account for MayaNAS.


Cloud Storage Access Key

For MayaNAS to be configured with cloud object storage (S3), a valid Access Key and Secret are required. These can be generated from

Google Cloud Console → Cloud Storage → Settings → INTEROPERABILITY tab → CREATE A KEY

Keys are listed under "Access keys for your user account".

Cache Disk

MayaNAS requires one of the following cache disks to be attached and configured before creating a ZFS storage pool over high-latency S3 object storage. The cache disk can be configured as:

Purpose                                                            | Size
ZIL Log device (recommended if object storage is used)             | 1.5 times instance RAM size
Bcache Cache device (only if Bcache is preferred instead of ZIL)   | Size of the expected working set
L2ARC Read Cache (optional)                                        | Twice the instance RAM size

Backing Disk

MayaNAS supports creating a ZFS storage pool directly on multiple S3 object storage buckets. It is recommended to create the desired number of storage buckets before running the Getting Started wizard.

Any other disks that are needed have to be created and attached to the instance before starting the configuration.

gcloud compute instances attach-disk MAYANAS_INSTANCE --zone=${CLOUDSDK_COMPUTE_ZONE} --disk=DISK_NAME --device-name DISK_NAME

If using the GCP Console, make sure the device name is the same as the disk name. The Google Cloud web console by default uses the disk name as the device name, which is what MayaNAS needs.


Virtual IP address

To provide a virtual IP address for HA operation, assign a suitable secondary address range to your network subnet.

For example, to assign virtual IP addresses in the 10.9.0.0 network range to the default network in the region us-west1:

gcloud compute networks subnets update default \
    --region us-west1 --add-secondary-ranges range1=10.9.0.0/24

After this, the virtual IP address 10.9.0.100 can be used for MayaNAS HA configuration.


Change default GUI password

Change the MayaNAS Administration GUI default password to something random by running

# /opt/mayastor/web/genrandpass.sh

Or to set your own password

# /opt/mayastor/web/changepass.sh
Login name (default admin): 
Login password: 
Password again: 


And then restart the web server for password changes to take effect


# /opt/mayastor/web/stop

# /opt/mayastor/web/start

Connect to MayaNAS Web Console


Now you can proceed with the High-Availability setup using the Getting Started wizard from the Administration Web console, available on http://<MayaNAS1-ip>:2020

To avoid public network exposure of port 2020, it is recommended to use SSH tunneling with port forwarding as follows:

gcloud compute ssh --zone YOUR_ZONE MayaNAS1 --project YOUR_PROJECT -- -L 2020:localhost:2020
Then access the web console at http://localhost:2020

Proceed to Configure MayaNAS