Cloud Data Manager

Installing the Model9 management server

Prerequisites

Prepare the environment for installation of the server by following these steps:

License key

Obtain a license key from Model9 by opening a “new license request” in the Model9 service portal: https://model9.atlassian.net/servicedesk/customer/portals

The output of the z/OS command “D M=CPU” is required.

Firewall

Configure the local firewall to allow connections to ports needed by the Model9 containers. For a list of required ports, see the Model9 System Prerequisites 1.8.1 document.System Prerequisites

Modify the firewall settings to all the above-mentioned port connections, or make sure the local firewall is disabled, using the following commands:

#UBUNTU
sudo systemctl stop ufw
sudo systemctl disable ufw
#RHEL
sudo systemctl stop firewalld
sudo systemctl disable firewalld
#SUSE
sudo systemctl stop SuSEfirewall2
sudo systemctl disable SuSEfirewall2

If Docker is already installed, restart the Docker service using the following command:

sudo systemctl restart docker

System parameters

The management server implements a “keep-alive” mechanism to prevent the firewall from disconnecting because of long requests to the agent during policy execution. Add the following kernel parameters to your /etc/sysctl.conf file:

net.ipv4.tcp_keepalive_time=600
net.ipv4.tcp_keepalive_intvl=30
net.ipv4.tcp_keepalive_probes=10

Apply the changes using the following command:

sudo sysctl -p

Docker

  1. Verify that the Docker is enabled using the following command:

  2. Verify that the Docker is “enabled” and “active (running)” as shown in the following example:

    image5.png
  3. If the Docker service is not enabled or active, use the following commands to enable and activate it:

    sudo systemctl enable docker
    sudo systemctl start docker
  4. Make sure that the expected output of Docker is displayed, by issuing the following command:

    sudo docker ps

    The following output is expected:

    image4.png

Note

The server installation is shipped as a Docker container, see the Docker Security documentation for additional information.

File system

The Model9 files should reside on a separate file system (other than the root file system) with enough free space to accommodate the Model9 management server and database. It is recommended to use the xfs filesystem type. Contact your Linux administrator to allocate adequate space and ensure it is mounted.

This procedure is intended for new and unmounted block devices only. It will overwrite any data that might already exist on the device.

Installation files

Upload the model9-server-home zip installation file to the designated server in binary mode. Select one of the two available files according to your environment:

Environment

Installation file

x86

model9-v1.8.1_build_48c2c57f-server.zip

Linux on z

model9-v1.8.1_build_48c2c57f-server-s390x.zip

Step 1: Unzip the installation file

Create the filesystem hierarchy using the following commands:

# Change user to root
sudo su -
# Define the path to model9 installation files you uploaded earlier
export M9INSTALL=/<path>
# If you haven’t done so already, set the model9 target installation path
export MODEL9_HOME=/data/model9
# Change the directory to $MODEL9_HOME
cd $MODEL9_HOME
# Unzip the server’s installation file
#on Linux on z issue:
unzip $M9INSTALL/model9-v1.8.1_build_48c2c57f-server-s390x.zip

#on Linux issue:
unzip $M9INSTALL/model9-v1.8.1_build_48c2c57f-server.zip

Step 2: Deploy the Model9 management server’s components

  1. Verify that the target storage is available and running. This can be done by running the Model9 pre-installation verification scripts, see document Model9 System Prerequisites 1.8.1. If the target storage to be used by Model9 is not object storage, a MinIO proxy must be installed. Proceed to Install MinIO S3-Proxy to install MinIO.

  2. Deploy the application components using the following commands:

    #on Linux on z issue:
    docker load -i $MODEL9_HOME/model9-v1.8.1_build_48c2c57f-s390x.docker
    docker load -i $MODEL9_HOME/postgres-s390x-12.3.docker.gz
    
    #on Linux issue:
    docker load -i $MODEL9_HOME/model9-v1.8.1_build_48c2c57f.docker
    docker load -i $MODEL9_HOME/postgres-x86-12.3.docker.gz

Optional: Replace the default self-signed certificate

The base installation provides a self-signed certificate for encrypting access to the user interface. To replace the default certificate for the WEB UI, see Secure web communication. Communications between the Model9 Server and the Model9 Agent are encrypted by default and further action should only be taken if site certificates are preferred.

Step 3: Update the Model9 management server parameters file

The model9-local.yml file residing in the $MODEL9_HOME/conf/ path contains some of the default parameters. You can update them if necessary. Some of the parameters are explained below:

model9.licenseKey: <license-key>

model9.home: 'MODEL9_HOME'

model9.security.dataInFlight.skipAgentHostNameVerification: true

model9.security.dataInFlight.truststore.fileName: 'MODEL9_HOME/keys/model9-backup-truststore.jks'
model9.security.dataInFlight.truststore.type: "JKS"
model9.security.dataInFlight.truststore.password: "model9"
model9.security.dataInFlight.keystore.fileName: 'MODEL9_HOME/keys/model9-backup-server.p12'
model9.security.dataInFlight.keystore.type: "PKCS12"
model9.security.dataInFlight.keystore.password: "model9"

model9.session.timeout.minutes: 30

model9.master_agent.name: "<ip_address>"
model9.master_agent.port: <port>

# model9.objstore.resources.container.name: model9-data
# model9.objstore.endpoint.api.id: s3
model9.objstore.endpoint.url: http://minio:9000
model9.objstore.endpoint.userid: <object store access key>
model9.objstore.endpoint.password: <object store secret>

model9.runlogs.expirationScanIntervalMinutes: <min>
model9.runlogs.maxRetentionPeriodDays: <days>

dataSource.user: postgres
dataSource.password: model9
dataSource.url: jdbc:postgresql://model9db:5432/model9
  1. License Key – A valid Model9 license key as obtained in the prerequisites section. When using multiple keys for multiple CPCs, specify one of the keys in the server’s yml file. The server-initiated actions are carried out by the agent using its own defined license. The license key specified for the server is used for displaying a message regarding the upcoming expiration of the license.

  2. Session timeout minutes - Specify the number of minutes following which an inactive UI session will end. The default is 30 minutes.

  3. Master Agent – The agent running on z/OS which verifies the UI login credentials, hostname, IP address and port number.

    Note

    Specifying a distributed virtual IP address (Distributed VIPA) can provide high availability by allowing the use of agent groups and multiple agents. See the Administrator and User Guide for more details.

  4. Objstore endpoint – object storage information including:

    Parameter

    Description

    Required

    Value

    resources. container.name

    Container/bucket name

    no

    default: model9-data

    model9.objstore.endpoint.url

    URL address of local or remote object storage, both HTTP and HTTPS** are supported

    yes

    default: none

    Amazon AWS*: https://s3.amazonaws.com

    Google Cloud Storage: https://storage.googleapis.com

    model9.objstore.endpoint.userid

    Access key to object storage

    yes

    default: none

    model9.objstore.endpoint.password

    Secret key to object storage

    yes

    default: none

    model9.objstore.endpoint.api.id

    The object storage API name

    no

    default: s3

    Amazon AWS*: aws-s3

    Microsoft Azure: azureblob

    api.s3.v4signatures

    When using object storage that uses V4 signatures, set this parameter to ‘true’ in addition to api.id: s3

    no

    default: false Cohesity: true HCP-CS: true

    no.verify.ssl

    when using the HTTPS protocol, whether to avoid SSL certificate verifications

    no

    default: true

    * When using Amazon S3, see AWS S3 security considerations .

    ** Using HTTPS for the object storage URL parameter enables Data-in-Flight encryption.

  5. Run logs expiration - Setting these parameters will trigger an automatic deletion of run logs from the server. Please note that the deletion is non-recoverable. The automatic deletion will not be executed as long as one of the following parameters is set to (-1):

    Parameter

    Description

    Required

    Value

    model9.runlogs.expirationScanIntervalMinutes

    This parameter determines the frequency of running the deletion process of old run logs.

    no

    default: -1 (never)

    model9.runlogs.maxRetentionPeriodDays

    This parameter determines after how many days a run log will expire and can be deleted by the automatic deletion process.

    no

    default: -1 (never)

  6. DataSource - DB connection information.

Step 4: Start the Model9 management server

  1. Start the Model9 PostgreSQL database container using the following command:

    #on Linux on z issue:
    docker run -p 127.0.0.1:5432:5432 \ 
    -v $MODEL9_HOME/db/data:/var/lib/postgresql/data:z \ 
    --name model9db --restart unless-stopped \  
    -e POSTGRES_PASSWORD=model9 -e POSTGRES_DB=model9 -d s390x/postgres
    
    #on Linux issue:
    docker run -p
    127.0.0.1:5432:5432 \
    -v $MODEL9_HOME/db/data:/var/lib/postgresql/data:z \
    --name model9db --restart unless-stopped \
    -e POSTGRES_PASSWORD=model9 -e POSTGRES_DB=model9 -d postgres
  2. Verify the health status of the container and make sure it is ready to accept connections by issuing the following command and verifying its output as shown in the following example:

    docker logs model9db
    image3.png
  3. Start the server

    1. When running policies with over 100k objects, update the heap size to Xmx4096.

    2. Edit the time zone (TZ) setting to ensure proper scheduling.

    3. When using an object storage provider other than MinIO, remove the “--link minio:minio” definition from the command.

    Once the object storage is available and the PostgreSQL container is running, start the server using the following command:

    #on Linux on z issue:
    docker run -d -p 0.0.0.0:443:443 -p 0.0.0.0:80:80 \
    -v $MODEL9_HOME:/model9:z -h $(hostname) --restart unless-stopped \
    -e "TZ=America/New_York" \
    -e "CATALINA_OPTS=-Xmx2048m -Djdk.nativeCBC=false -Xjit:maxOnsiteCacheSlotForInstanceOf=0" \
    --link minio:minio --link model9db:model9db \
    --name model9-v1.8.1 model9:v1.8.1.48c2c57f
    
    #on Linux issue:
    docker run -d -p 0.0.0.0:443:443 -p 0.0.0.0:80:80 \
    -v $MODEL9_HOME:/model9:z -h $(hostname) --restart unless-stopped \
    -e "TZ=America/New_York" -e "CATALINA_OPTS=-Xmx2048m -Djdk.nativeCBC=false" \
    --link minio:minio --link model9db:model9db \
    --name model9-v1.8.1 model9:v1.8.1.48c2c57f

    View the PostgreSQL and Model9 Server logs using the following commands:

    # dump logs to screen
    cat /data/model9/logs/model9.*.log
    docker logs model9db
    docker logs minio
    # dump logs to screen and keep displaying new log messages as they arrive
    tail -f /data/model9/logs/model9.*.log
    docker logs -f model9db
    docker logs -f minio
  4. View the container’s logs by using the tail command to verify that the Model9 container has started up successfully. For example:

    2020-09-29 01:56:44,719 [main] INFO zosbackupserver.ApplicationLoader - The following profiles are active: production 2020-09-29 01:56:45,873 [main] INFO  zosbackupserver.Application - Loading external configuration from /model9/conf/model9-local.yml 2020-09-29 01:57:08,860 [main] INFO  z.l.AddProjectionsToAllLiveArchivesAndDeleteExpired - Using container: model9-ci 2020-09-29 01:57:09,929 [main] INFO  z.l.AddProjectionsToAllLiveArchivesAndDeleteExpired - Migration complete. Created 0 expiration projections. Deleted 0 archive versions 2020-09-29 01:57:09,937 [main] INFO  z.l.BlobRepositoryChangeDashMetadataKeysToUnderscore - Using container: model9-ci 2020-09-29 01:57:10,165 [main] INFO  i.m.b.c.o.BucketValidator - Object store connectivity has been established successfully 2020-09-29 01:57:10,413 [main] INFO  zosbackupserver.BootStrap - Model9 Version: v1.8.1 Build 48c2c57f Started 2020-09-29 01:57:13,799 [main] INFO  zosbackupserver.ApplicationLoader - Started ApplicationLoader in 30.488 seconds (JVM running for 39.514)[1] 

  5. The installation is complete. To stop, start or restart the server:

    docker stop|start|restart model9-v1.8.1
    docker stop|start|restart model9db
    docker stop|start|restart minio
  6. Display the server’s resource consumption using the following commands:

    docker stats model9-v1.8.1
    docker stats model9db
    docker stats minio
  7. Display the containers’ health status with the following command, and check the relevant logs if necessary:

    docker ps -a

Optional: Install the Stand-Alone Program for Stand-Alone Restore

Model9 full volume dumps can be used for stand-alone restore. To prepare a Bare-Metal recovery restorable volume, the stand-alone program must be installed on the server. The UI provides a special action to prepare a stand-alone copyfrom a regular full volume dump. The installation guide describes the required steps for enabling the creation of stand-alone copies. See the Model9 Administrator and User Guide for:

  1. How to prepare a Stand-Alone copy.

  2. How to perform a Stand-Alone restore.

Creating a Stand-Alone Copy - Requirements

Creating a stand-alone copy requires the following DFDSS files to be saved in the $MODEL9_HOME/SAbackup path:

  • DFSMSDSS.ins

  • DFSMSDSS.IMAGE

  • DFSMSDSS.PREFIX

These files can be obtained from the IBM Customized Offering Driver which can be downloaded from Shopz free of charge.

Note

Do not change the names or letter case of the DFSMSDSS files.

Stand-Alone Restore using FTP - Requirements

To perform a stand-alone restore from removable media accessed via FTP, install the VSFTPD default server using the following command:

#Ubuntu
sudo apt-get install vsftpd

#RHEL
sudo yum install vsftpd

A local user with sudo permissions can run the following systemctl commands to enable and start the service:

sudo systemctl enable vsftpd
sudo systemctl start vsftpd

Note

The SAbackups directory should be used to IPL from the HMC.

Stand-Alone Restore from a USB - Requirements

The USB device should be formatted using the FAT32 file system and can reside in any directory except for the root path.

Optional: Install the Stand-Alone Program for Stand-Alone Restore

Model9 full volume dumps can be used for stand-alone restore. To prepare a Bare-Metal recovery restorable volume, the stand-alone program must be installed on the server. The UI provides a special action to prepare a stand-alone copyfrom a regular full volume dump. The installation guide describes the required steps for enabling the creation of stand-alone copies. See the Model9 Administrator and User Guide for:

  1. How to prepare a Stand-Alone copy.

  2. How to perform a Stand-Alone restore.

Creating a Stand-Alone Copy - Requirements

Creating a stand-alone copy requires the following DFDSS files to be saved in the $MODEL9_HOME/SAbackup path:

  • DFSMSDSS.ins

  • DFSMSDSS.IMAGE

  • DFSMSDSS.PREFIX

These files can be obtained from the IBM Customized Offering Driver which can be downloaded from Shopz free of charge.

Note

Do not change the names or letter case of the DFSMSDSS files.

Stand-Alone Restore using FTP - Requirements

To perform a stand-alone restore from removable media accessed via FTP, install the VSFTPD default server using the following command:

#Ubuntu
sudo apt-get install vsftpd

#RHEL
sudo yum install vsftpd

A local user with sudo permissions can run the following systemctl commands to enable and start the service:

sudo systemctl enable vsftpd
sudo systemctl start vsftpd

Note

The SAbackups directory should be used to IPL from the HMC.

Stand-Alone Restore from a USB - Requirements

The USB device should be formatted using the FAT32 file system and can reside in any directory except for the root path.