Plan and deploy multisite EMC ViPR


This article lists planning considerations when setting up a multisite EMC ViPR and the step-by-step procedure for deploying it.

This article applies to EMC ViPR 2.0.

The multisite capabilities of ViPR controller provide:

  • Security configuration propagated across ViPR instances
  • Single sign-on access across ViPR instances
  • Tenants and projects are defined once and are accessible across ViPR instances
  • Consolidated monitoring of resources across ViPR instances through ViPR SolutionPack

Note that the multisite capabilities of ViPR controller do not provide the following:

  • Provisioning, or any user service, initiated from one ViPR instance and executed in another ViPR instance.
  • Controller failover from one site to another.

Plan the installation of a multisite EMC ViPR

This list summarizes the requirements for setting up a multisite ViPR configuration.

  • Minimum of 2 VDCs is required. Maximum is 8.
  • Verify that each VDC in the multisite configuration meets the requirements of a single-site ViPR VM, in addition to the several requirements specific to multisite. Refer to the EMC ViPR Support Matrix on support.EMC.com.

    Node counts do not need to match; you can link a 3+2 configuration to a 2+1, for example.

    If you plan to use ViPR data services in this system, do not use any IPv6 addresses in the controller VM deployments.

  • Each VDC in the multisite configuration requires IP connectivity to the other VDCs.
  • Each VDC must be at version 2.0.
  • Each VDC must be licensed.
  • Port 7101 (used for inter-VDC communication by Cassandra database) must be open at each site.
  • Deploy each VDC as described in Install EMC ViPR controller.


Link multiple ViPR virtual data centers in a multisite configuration

This step-by-step procedure describes how to link up multiple ViPR virtual data centers in a geo-configuration. You can link up to 8 VDCs.

Before you begin

  • You need a non-local account on the initial VDC (that is, an account from the authentication provider) that has the Security Administrator role. The root user cannot be used for the main step of linking to another VDC.
  • You need to know the network virtual IP address (or its FQDN) for each ViPR VDC that you are adding.
  • If data services are used, you need to know the inter-VDC command endpoint and data endpoint for data services.
  • The VDC that you link to (VDC2, VDC3, etc.) must have no data, namely:
    • No data nodes
    • No physical assets
    • No virtual assets
  • Remove all tenant roles from the root user on the initial VDC (VDC1).
  • Remove all project ownership from the root user on the initial VDC (VDC1).

Procedure

  1. Deploy each ViPR virtual data center as an individual VDC, including the Initial Setup steps. The article Install EMC ViPR Controller describes the procedure. Be sure you add an authentication provider to the initial VDC (VDC1) because some of these steps cannot be done by root (and you should avoid routine use of the root user anyway).
    If you are installing ViPR data services nodes, install them only on VDC1 at this point. Do not install them on the other VDCs.
    Note: In a multisite configuration, changing the IP addresses of ViPR controller nodes is not supported.
  2. Log in to VDC1 as a user with the Security Administrator role (not root user).
  3. If VDC1 has ViPR data service nodes, enter the IP addresses for VDC1's data service endpoints:
    1. In Admin mode select Virtual Assets > Virtual Data Centers and click VDC1.
    2. Under Data Services, enter the IP addresses of VDC1's inter-VDC command and data endpoints. The values are the IP addresses of the data nodes (see System > Dashboard > System Health) and they might be the same values for both.
      The data endpoints are the IPs to which geo-replication data flows; all other geo-replication messages go through the command endpoints.
  4. Log in to VDC2 as root and in Admin view select Virtual Assets > Virtual Data Centers > Download Certificate Chain. This operation downloads a file that you will upload to VDC1 in a subsequent step.
  5. Remain on VDC2 in Admin view, and copy VDC2's secret key from Virtual Assets > Virtual Data Centers > Secret Key.
    In the next step you will paste the secret key when adding VDC2 to VDC1.
  6. Now go back to VDC1 as a user with the Security Administrator role (not root), and add VDC2: in Admin view, Virtual Assets > Virtual Data Centers > Add.
    1. Assign a name and enter a description.
    2. Enter the public virtual IP address of the VDC you are adding.
      Note the following limitations:
      • ViPR data services do not support IPv6. If you plan to add ViPR data services to the configuration, do not use IPv6 addresses.
      • Adding an IPv4 system to an IPv4 system, and vice versa: Supported.
      • Adding an IPv6 system to an IPv6 system, and vice versa: Supported.
      • Adding an IPv4 system to an IPv6 system, and vice versa: Not supported.
      • Adding an IPv6 system to a dual stack system, and vice versa: Not supported.
      • Adding an IPv4 system to a dual stack, and vice versa: Supported. Both systems are treated as IPv6 systems for inter-VDC connections; normal dual-stack is used for API calls, UI access.
      • Adding a dual stack to a dual stack system: Supported. Both systems are treated as IPv4 systems.

    3. Paste the secret key from the VDC that you copied earlier.
    4. Browse to and add the certificate chain file from VDC2 that you downloaded earlier.
    5. There are no data services installed on VDC2 at this point, so there are no values to add under Data Services.
      (When data nodes are installed, the data endpoint is the endpoint through which geo-protection chunk data flows; all other geo messages go through the command endpoint.)
    6. Save.
    At this point, a rolling reboot of VDCs in the configuration is initiated. After several minutes:
    • VDC status is Connected.
    • The authentication provider that was added to VDC1 is visible to VDC2 and users on VDC2 can authenticate through the authentication provider that was added to VDC1. Authentication providers that you add later are also visible to all linked VDCs.
    • Tenant roles from VDC1 automatically carry over to users on VDC2.
    • Virtual data center roles (Security Administrator and the System * roles) must be separately assigned to users on VDC2; they do not carry over automatically.
    • Tenants and projects created on one VDC are accessible from the other VDC.
    • Tenant user mappings and project ACLs are common across the linked VDCs.
    • The root user no longer has any tenant roles, nor project ACLs.
    Note: If the connection status shows Connect Precheck Failed, select the VDC and click Remove. If any other connection failure is shown, the system may be left in an inconsistent state. Expand the message to see error details and refer to Recover from Add VDC failure in EMC ViPR.
  7. At this point, assets can be added to VDC2 as described in Step-by-Step: Set up a ViPR virtual data center.
  8. To add additional VDCs, repeat the above steps.
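
The planning requirements and the address-family limitations in step 6 can be checked against a site inventory before any VDC is linked, which avoids a failed add that leaves the system in an inconsistent state. The following is an added example, not EMC code: the inventory fields (name, vips, version, licensed, has_data), the function names and the sample addresses are assumptions, and virtual IPs are given as IP literals rather than FQDNs.

```python
import ipaddress

# Address-family pairings the article lists as supported when linking VDCs.
SUPPORTED = {frozenset(p) for p in
             (("ipv4",), ("ipv6",), ("dual",), ("ipv4", "dual"))}


def stack_of(vips):
    """Classify a VDC's virtual IP literals as 'ipv4', 'ipv6' or 'dual'."""
    versions = {ipaddress.ip_address(a).version for a in vips}
    return "dual" if versions == {4, 6} else f"ipv{versions.pop()}"


def preflight(vdcs, data_services=False):
    """Return the article's requirements that the inventory violates.

    vdcs[0] is the initial VDC (VDC1); the rest are the VDCs being added.
    data_services=True means ViPR data services are planned for the system.
    """
    problems = []
    if not 2 <= len(vdcs) <= 8:
        problems.append(f"{len(vdcs)} VDCs: a multisite setup needs 2 to 8")
    first = stack_of(vdcs[0]["vips"])
    for i, v in enumerate(vdcs):
        name, stack = v["name"], stack_of(v["vips"])
        if v["version"] != "2.0":
            problems.append(f"{name}: version {v['version']}, must be 2.0")
        if not v["licensed"]:
            problems.append(f"{name}: not licensed")
        if data_services and stack != "ipv4":
            problems.append(f"{name}: data services do not support IPv6")
        # has_data covers data nodes, physical assets and virtual assets.
        if i > 0 and v.get("has_data"):
            problems.append(f"{name}: a VDC being added must hold no data")
        if i > 0 and frozenset((first, stack)) not in SUPPORTED:
            problems.append(f"{name}: {stack} to {first} link not supported")
    return problems


# Constructed inventory using documentation address ranges, not real systems.
SAMPLE = [
    {"name": "VDC1", "vips": ["192.0.2.10"], "version": "2.0", "licensed": True},
    {"name": "VDC2", "vips": ["2001:db8::20"], "version": "2.0", "licensed": True},
    {"name": "VDC3", "vips": ["198.51.100.30"], "version": "1.1",
     "licensed": True, "has_data": True},
]

if __name__ == "__main__":
    for line in preflight(SAMPLE, data_services=True):
        print("FAIL", line)
```

The check covers only what can be decided from an inventory; IP connectivity between sites and reachability of port 7101 still have to be confirmed from each site.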

After you finish

Note that backups of a standalone VDC made with the ViPR bkutils backup utility cannot be used to restore the VDC after the VDC has become part of a multisite configuration. For this reason, you should consider backing up the VDCs immediately after linking them.