To establish an access point for BVQ, it's necessary to create user accounts on the respective systems you wish to monitor.
For instance, if you have three NetApp clusters, you'll need to create a user account on each cluster.
This procedure is applicable to all systems you aim to connect to BVQ.
After creating a specific new user on a system, proceed to set up a BVQ Scanner on your BVQ Server using that user account.
The BVQ Scanner will then establish a connection to the system to collect the requisite data.
IBM PowerVM
The BVQ PowerVM Scanner requires a user with at least read-only (hmcviewer) access to the HMC.
Please create this user before configuring the BVQ Scanner. We recommend naming the user "bvq".
Please open the user properties dialogue and select "Allow remote access via the web".
Enable performance data collection
BVQ can only collect performance statistics if "Data Collection" is enabled on the managed systems and all LPARs.
Adjust System settings
Enable "Performance Monitoring Data Collection for Managed Servers"
To lower the system load and storage capacity usage on the HMC, we recommend reducing the number of days to store performance data (under the title "Performance Data Storage") to its minimum value of "1". BVQ takes over the role of storing a longer history of that data.
Adjust LPAR settings
Switch on "Enable Performance Information Collection" on all LPARs
You can easily check per LPAR whether "Performance Collection" is enabled. Run the following script on the HMC to list all LPARs without enabled collection:
bvq@hmc3:~> for SYS in $(lssyscfg -r sys -F name); do lssyscfg -r lpar -m $SYS -F name,allow_perf_collection ; done | grep ",0"
rju_viot,0
IOS74DHP,0
HABS74D,0
HAQS74D,0
HAMS74D,0
BVQ Scanner configuration
To configure a PowerVM scanner in BVQ the following information is required:
IP address or hostname of the HMC
User and password of the HMC user for BVQ
Starting with BVQ 2023.H1: Redundant HMCs managing the same systems must be configured in the same PowerVM scanner. Otherwise, the managed systems will appear twice in BVQ. Define the most powerful HMC first, because the order of HMCs determines the order in which they are scanned by BVQ. Additional HMCs managing other systems should be configured in an additional PowerVM scanner.
Up to BVQ 2022.H2: Typically, two redundant HMCs manage the same IBM Power systems. Please ensure that only one scanner is created for one of the HMCs to avoid duplication in BVQ.
OS Agent for AIX & Linux
AIX and Linux are the first BVQ platforms where data is not pulled from the systems by the BVQ scanner. Instead, data is sent (pushed) from the OS on the LPARs to the BVQ Server by a BVQ OS Agent using SCP/SFTP. This means an ssh-server on the BVQ Server receives data from the OS instances. Once an AIX or Linux BVQ Scanner is configured, the ssh-server is started automatically and listens on port 2222.
Important
Please ensure that port 2222 is not blocked by a firewall!
BVQ Scanner configuration
To configure an AIX or Linux BVQ scanner the following information is required:
NAME - Name of the AIX or Linux scanner
INSTANCE GROUP NAME - Select a name used to group all AIX or Linux instances (= partitions) that run the BVQ OS Agent for AIX or Linux. The number of instances per instance group should not exceed 50.
USERNAME - This user authorizes the SCP/SFTP transfer from the AIX or Linux instances to the BVQ Server. It is configured during the installation process.
SSH PUBLIC KEY - Optional. Leave empty if you want to use the default ssh key-pair included in bvq_agent.tar.gz. If you want to use a different ssh key-pair type, enter the content of the public ssh key file here and adjust bvq_config.sh on the OS agent accordingly.
Supported key types are:
ssh-rsa (default)
ecdsa-sha2
rsa-sha2-256
ssh-ed25519
OS Agent installation
The BVQ Agent for AIX or Linux RPM installation package is generated automatically once a new BVQ AIX or Linux scanner configuration is created in the BVQ WebUI. After the "Save" button is pressed, the RPM package is generated and can be downloaded directly. Further installation instructions can be found on the scanner configuration page or in the readme included in the RPM download package.
OS User requirements
OS     User   Group   Restrictions
AIX    root   system  none
AIX    other  system  No stats for FC adapters
AIX    other  staff   No stats for FC adapters and LV, VG objects
Linux  root   root    none (other uid / gid not supported)
Alternatively, the BVQ AIX agent can be rolled out automatically to many systems using an AIX NIM server. The download package for AIX includes a script that helps with configuring the NIM server.
Important
It is essential that BVQ Server and AIX/Linux clocks are in sync. Please ensure that NTP is configured and active on all monitored systems and the BVQ Server!
The OS Agent cannot be installed or upgraded as long as NTP is not configured!
VMware vSphere
The BVQ VMware Scanner requires a user with at least read-only access to the VMware vCenter system. The read-only permission must be assigned at the vCenter level; permissions assigned at a lower level (e.g. Datacenter, Cluster, ...) will lead to scan errors.
Please create this user before configuring the BVQ Scanner. We recommend naming the user bvq.
Create or select the right user role
Go to user roles
Duplicate (1) the read-only role, store it as BVQ-Read-only (2) and add the following privileges (3):
Datastore - browse datastore
Profile driven storage - view
Storage views - view
Create the BVQ User for the vCenter
Create the bvq user with the role "BVQ-Read-only".
Create it as a vsphere.local user or as an AD user - please remember to enter it correctly in the scanner dialog later.
Add the user to the vCenter
Add the user to the vCenter (4) and do not forget to define it for all children.
Add the right vCenter Statistics
Interval duration has to be 5 minutes
Level 2 is sufficient for standard VMware
Level 3 should be used for VSANs
High vCenter CPU usage during BVQ Performance scan
During the BVQ performance scan of a vCenter server the CPU usage of the vCenter server will increase. Please monitor the vCenter server utilization depending on the workload to avoid performance degradation.
Gather information for BVQ Scanner configuration
BVQ scanners need the following information to be configured for each vCenter system:
vCenter IP address or hostname
vCenter user domain
vCenter ID and password of the bvq user
Preparation for the BVQ Server
For BVQ Servers which gather information from NetApp systems and vCenters, the correct DNS configuration is important.
Make sure that the BVQ Server, the NetApp systems and the vCenters are in the same domain and have the same DNS server configured.
This is required to match the DNS names of the NFS datastores to the corresponding IP addresses of the NFS file shares on the NetApp systems.
Kubernetes
Kubernetes (k8s) clusters are scanned via 2 different methods:
Kubernetes API Server for topology information
BVQ Prometheus Server for topology & performance information
Kubernetes API Server
To gain access to the k8s API server the following preparations must be made:
Create a CustomResourceDefinition (CRD) to set up a k8s cluster as master grouping object (MGO) definition for BVQ
Create a MasterGroupingObject instance (bound to the CRD) for the k8s cluster
Create a ClusterRole to get read-only (get, list, watch) access to the k8s cluster
Create a ServiceAccount for authentication
Create a ClusterRoleBinding to bind the ServiceAccount to the ClusterRole
ℹ Use kubectl apply -f to create the expected objects. You can edit and use the all-in-one preparation YAML file to set up all requirements in one step. (Make sure all 5 objects are created properly; sometimes the MasterGroupingObject creation fails due to the delayed creation of the CustomResourceDefinition.)
CustomResourceDefinition
Create a CustomResourceDefinition (CRD) to set up a k8s cluster as master grouping object (MGO) definition for BVQ
mgo-crd.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: mastergroupingobjects.bvq.sva
spec:
  group: bvq.sva
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                clusterName:
                  type: string
                  description: Cluster-Name
                customer:
                  type: string
                  description: Customer-Name
                location:
                  type: string
                  description: Location where the Cluster is located at
                dc:
                  type: string
                  description: Datacenter-Name
                contact:
                  type: string
                  description: Customer-Contact-Name
                email:
                  type: string
                  description: E-Mail-Address of the Contact
                phone:
                  type: string
                  description: Phone-Number of the Contact
  scope: Cluster
  names:
    plural: mastergroupingobjects
    singular: mastergroupingobject
    kind: MasterGroupingObject
    shortNames:
      - mgo
ClusterRole
Create a ClusterRole to get read-only (get, list, watch) access to the k8s cluster
ℹ Read-only permissions (get, list, watch) are required. apiGroups may be set to a wildcard ('*') to grant access to all API groups; otherwise the apiGroups given in the example must be set.
cluster-role-bvqscan.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bvq-scanner-rl
rules:
  - verbs:
      - get
      - watch
      - list
    apiGroups:
      - ''
      - apiextensions.k8s.io
      - apps
      - batch
      - bvq.sva
      - networking.k8s.io
      - storage.k8s.io
      - discovery.k8s.io
      - scheduling.k8s.io
    resources:
      - '*'
ServiceAccount
Create a ServiceAccount for authentication
ℹ The token created for this ServiceAccount is needed to set up a BVQ scanner config for the k8s cluster.
namespace may be adjusted to another Kubernetes namespace. Remember to edit the namespace set in the ClusterRoleBinding accordingly.
IMPORTANT: With k8s version 1.24 the LegacyServiceAccountTokenNoAutoGeneration feature gate is beta and enabled by default (see here). Use this guide to create a non-expiring token (recommended).
bvq-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: bvqscan
  namespace: default
ClusterRoleBinding
Create a ClusterRoleBinding to bind the ServiceAccount to the ClusterRole
cluster-role-binding-bvqscan-sa.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bvq-scanner-sa-bnd
subjects:
  - kind: ServiceAccount
    name: bvqscan
    namespace: default
roleRef:
  kind: ClusterRole
  name: bvq-scanner-rl
  apiGroup: rbac.authorization.k8s.io
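As an added example (not part of the BVQ documentation or the product's own tooling), the following POSIX shell script checks, via kubectl impersonation, that the bvqscan ServiceAccount bound above really has only get/list/watch and no write verbs on the resources the scanner reads, and creates the long-lived token Secret that k8s 1.24+ no longer generates automatically. It assumes kubectl is configured with a context allowed to impersonate service accounts; the resource list and the BVQ_SA_* variables are assumptions.

```shell
#!/bin/sh
# Added example, not part of the BVQ documentation: verify the least-privilege
# posture of the bvqscan ServiceAccount and create its long-lived API token.
# Assumes kubectl can impersonate (--as) service accounts. Namespace and name
# default to the manifests on this page.
SA_NAME="${BVQ_SA_NAME:-bvqscan}"
SA_NS="${BVQ_SA_NAMESPACE:-default}"
SA="system:serviceaccount:${SA_NS}:${SA_NAME}"

# can_i VERB RESOURCE -> prints "yes" or "no" as kubectl reports it
can_i() {
    kubectl auth can-i "$1" "$2" --as="$SA" 2>/dev/null | tr -d '[:space:]'
}

# Returns 0 only if every read verb is allowed and every write verb is denied
# for RESOURCE; each deviation is printed as a finding.
verify_readonly_resource() {
    res="$1"; rc=0
    for verb in get list watch; do
        if [ "$(can_i "$verb" "$res")" != "yes" ]; then
            echo "MISSING $verb $res (scanner cannot read $res)"; rc=1
        fi
    done
    for verb in create update patch delete; do
        if [ "$(can_i "$verb" "$res")" = "yes" ]; then
            echo "EXCESS  $verb $res (read-only role must not allow $verb)"; rc=1
        fi
    done
    return $rc
}

# Resources the scanner reads (assumed list, extend as needed); group-qualified
# names cover the apps group and the bvq.sva CRD from this page.
verify_bvqscan() {
    overall=0
    for res in pods nodes persistentvolumes persistentvolumeclaims \
               deployments.apps daemonsets.apps statefulsets.apps \
               mastergroupingobjects.bvq.sva; do
        verify_readonly_resource "$res" || overall=1
    done
    [ "$overall" -eq 0 ] && echo "OK: $SA is read-only for all checked resources"
    return $overall
}

# k8s >= 1.24 no longer auto-creates a token Secret for a ServiceAccount; a
# kubernetes.io/service-account-token Secret yields a non-expiring token for
# the BVQ scanner configuration.
create_scanner_token() {
    kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${SA_NAME}-token
  namespace: ${SA_NS}
  annotations:
    kubernetes.io/service-account.name: ${SA_NAME}
type: kubernetes.io/service-account-token
EOF
    kubectl get secret "${SA_NAME}-token" -n "$SA_NS" \
        -o jsonpath='{.data.token}' | base64 -d
}

if [ "${1:-}" = "--run" ]; then
    verify_bvqscan
fi
```

Run it with --run after applying the four manifests; a non-zero exit with EXCESS lines means the ClusterRole grants more than the read-only verbs the scanner needs.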
BVQ Prometheus Server
To get performance and topology data, a custom bvq-prometheus stack must be deployed in the k8s cluster via helm. This helm chart installs a bvq-prometheus server as a Deployment with an 8GB persistent volume (configurable via values.yaml) and bvq-prometheus-node-exporters as a DaemonSet (helm dependency).
See values.yaml and the other configuration files in the bvq-prometheus-helm.zip file for further information about the bvq-prometheus configuration.
Execute the following steps to deploy the bvq-prometheus helm chart to the k8s cluster:
1. Create a namespace (e.g. bvq-prometheus) for the prometheus stack:
   kubectl create namespace bvq-prometheus
2. Unzip the helm files → bvq-prometheus-helm.zip
3. For external communication an ingress for the bvq-prometheus server is needed. Edit prometheus.ingress.hosts in values.yaml to set a proper ingress.
4. Run helm dependency build / helm dependency update
5. Install the helm chart via
   helm install -n bvq-prometheus -f values.yaml bvq-prometheus ./
   NAME: bvq-prometheus
   LAST DEPLOYED: Thu Dec 15 11:00:08 2022
   NAMESPACE: bvq-prometheus
   STATUS: deployed
   REVISION: 1
   TEST SUITE: None
6. Check the installation with kubectl get pods -n bvq-prometheus - a pod called bvq-prometheus-* and a set of bvq-prometheus-bvq-node-exporter-* pods should be in running state:
   kubectl get pods -n bvq-prometheus
   NAME                                     READY   STATUS    RESTARTS   AGE
   bvq-prometheus-5b8cd79d79-r587m          1/1     Running   0          64s
   bvq-prometheus-bvq-node-exporter-jz46z   1/1     Running   0          2s
Gather information for BVQ Scanner configuration
BVQ scanners need the following information to be configured for each k8s cluster:
API server IP address or DNS name (FQDN) - Default TCP port: 6443
API Token of the bvqscan ServiceAccount
Prometheus URL or IP (if NodePort service is used)
Prometheus user & password (optional, if BasicAuth of Prometheus is used)
Preparation for the BVQ Server
For BVQ Servers which are gathering information from Kubernetes clusters, the correct DNS configuration is important.
Make sure that the BVQ Server & Kubernetes clusters are in the same domain and have the same DNS server configured.
Brocade SAN
Only one scanner configuration per SAN is required.
All switches that belong to the same fabric or are reachable by any virtual fabric on one of those switches will be detected and configured in a single scanner configuration. The switch IP used to discover the SAN must be one that has the Virtual Fabrics feature enabled, unless none of the switches in the fabric support this feature or have it enabled.
Switches in access gateway mode are not part of the fabric, and hence, have to be added to the configuration manually.
FOS REST API function calls are permitted or denied based on user privilege configurations determined by the role-based access control (RBAC) functionality in Fabric OS.
Implementing the following changes to your Brocade switches will not interrupt system operation or compromise performance.
Rest assured, these adjustments can be safely applied even on your running productive system.
The Brocade REST API is supported on SAN switches running Fabric OS 8.2.1 and later, but we recommend using FOS 9 and higher. Switches running earlier versions cannot be monitored by BVQ! (See Supported Brocade systems.)
Brocade SAN Switch User
For switches running FOS 9, the user needs at least the permissions of the default role basicswitchadmin for all virtual Switches and the chassis.
For switches running FOS 8.2.x, the user needs at least the permissions of the default role admin.
For all versions, the default switch role user is not supported, because it has no permission to observe the RBAC class configure, which BVQ needs to gather information about the switch configuration.
It is recommended to have the same user credentials and access configuration (https / http and SSL certificate) on all Switches belonging to the same SAN.
Depending on the specific FOS level, the following user has to be added on each and every switch you want to scan:
Add BVQ user via FOS CLI (switches with VF)
FOS 9.x:
userconfig --add bvq -r basicswitchadmin -c basicswitchadmin -l 1-128 -h 128 -d "BVQ Scanner User" -p ChangeMeP@ssw0rd
passwd bvq > <final_password>
FOS 8.2.x:
userconfig --add bvq -r admin -c admin -l 1-128 -h 128 -d "BVQ Scanner User" -p ChangeMeP@ssw0rd
passwd bvq > <final_password>
Add BVQ user via FOS CLI (switches without VF)
FOS 9.x:
userconfig --add bvq -r basicswitchadmin -d "BVQ Scanner User" -p ChangeMeP@ssw0rd
passwd bvq > <final_password>
FOS 8.2.x:
userconfig --add bvq -r admin -d "BVQ Scanner User" -p ChangeMeP@ssw0rd
passwd bvq > <final_password>
Increase Rest sessions
It is also essential to increase the number of allowed REST sessions to 10 on each switch in the fabric; otherwise the scanner cannot operate efficiently.
Increase the number of allowed Rest sessions to 10
mgmtapp --config -maxrestsession 10
mgmtapp --show
REST Configuration:
    Interface State: Enabled
    Effective Protocol: HTTPS only
    HTTP State: Enabled
    Session Count: 10
Throttling Configurations:
    Sample Requests : 120
    Sample Time (in sec) : 30
    Idle Time (in sec) : 3
Gather information for BVQ Scanner configuration
BVQ scanner configurations need the following input:
Switch IP address or DNS name of one switch in the SAN. This does not need to be the principal but must be one that has virtual fabrics enabled if any of the switches in the SAN are using this feature.
Protocol - http or https
Switch username and password
Port number (if not default)
SSL / HTTPS certificate handling
Show the HTTPS certificate via FOS CLI
seccertmgmt show -cert https
If you want to enable the BVQ Scanner Switch Check SSL certificate, you need to install a non-self-signed certificate on the switch.
Note:
If switches or virtual fabrics are added to or removed from the SAN, the scanner configuration needs to be adjusted manually. Edit the scanner configuration and select "Discover switches" to rediscover the SAN.
Cisco SAN
BVQ collects topology and performance data from Cisco MDS switches using the Cisco MDS NX-API. This feature needs to be enabled on all Cisco MDS switches that should be monitored by BVQ.
Enable nxapi
switch# show feature
Feature Name          Instance  State
--------------------  --------  -----
...
nxapi                 1         disabled
...
switch# conf t
switch(config)# feature nxapi
switch# show feature
Feature Name          Instance  State
--------------------  --------  -----
...
nxapi                 1         enabled
...
Cisco SAN Switch User
The following user has to be added on each and every switch you want to scan:
Add BVQ User via CLI
cisco-BVQ-1# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
cisco-BVQ-1(config)# role name bvq-role
cisco-BVQ-1(config-role)# description Monitoring role for BVQ
cisco-BVQ-1(config-role)# rule 1 permit show
cisco-BVQ-1(config-role)# exit
cisco-BVQ-1(config)# role show
cisco-BVQ-1(config)# show role
Role: bvq-role
Description: Monitoring role for BVQ
Vsan policy: permit (default)
-------------------------------------------------
Rule    Type    Command-type    Feature
-------------------------------------------------
1       permit  show            *
cisco-BVQ-1(config)# username bvq-user password P@ssw0rd role bvq-role
cisco-BVQ-1(config)# exit
cisco-BVQ-1# show user-account
user:bvq-user
        this user account has no expiry date
        roles:bvq-role
Copy and paste the following commands:
config terminal
role name bvq-role
description Monitoring role for BVQ
rule 1 permit show
exit
username bvq-user password P@ssw0rd role bvq-role
exit
IBM SVC
Create a BVQ user on the SVC system
For communication between a SVC system and BVQ, a user account with at least user group 'Monitor' is required on each SVC system.
svctask mkuser -name bvq -usergrp Monitor -password <my_secure_password>
Check NTP, time and time zone
Check if an NTP server is configured: it is mandatory to use NTP to synchronize the time of all systems (SVC Systems and BVQ Server):
svcinfo lssystem | grep 'ntp_IP_address'
Set your NTP Server: Synchronize your SVC cluster with a specific NTP server:
svctask chcluster -ntpip <IP address of NTP Server>
Adjust SVC cluster time zone: Set the time zone of your SVC cluster with:
svctask settimezone -timezone 360
Show SVC clock settings: Check the current time setting on your SVC:
svqueryclock
Check performance statistics interval
The SVC generates performance statistics regularly (in intervals), and the BVQ SVC Scanner picks them up. BVQ supports all intervals the SVC offers (1 min to 60 min).
We recommend setting the interval to 1 minute.
Check statistics status and frequency: Use this command to see if and how often your system collects statistics:
svcinfo lssystem | while read key value; do
    [[ "$key" =~ ^(statistics_status|statistics_frequency)$ ]] && echo "$key $value"
done
Change statistics collection frequency: Define how often system statistics are collected:
startstats -interval <interval_in_minutes>
Dell EMC Unity
A user is required for the operation of the BVQ Scanner with at least Operator role permissions.
⚠ Please create this user on your Unity system prior to configuring the BVQ Scanner.
Dell PowerStore
Configure a user with minimum role “Operator”
NetApp
A user with at least 'read-only' role permissions on the ONTAP Cluster is required to operate the BVQ Scanner.
Please create this user prior to configuring the BVQ Scanner.
We recommend using the name 'bvq' for this user.
sec login create -user-or-group-name bvq -application http -authentication-method password -role readonly
BVQ version < 2024.H2.1 or ONTAP version < 9.11:
sec login create -user-or-group-name bvq -application ontapi -authentication-method password -role readonly
Pure Storage FlashArray
Configure a user with minimum role "read_only" and API token on each array.