InterSystems Cloud Manager Guide
Deploying on a Preexisting Cluster
ICM provides you with the option of allocating your own cloud or virtual compute nodes or physical servers to deploy containers on. The provisioning phase usually includes allocation and configuration subphases, but when the Provider
field is set to PreExisting
, ICM bypasses the allocation phase and moves directly to configuration. There is no unprovisioning phase for a preexisting cluster.
The preexisting compute nodes must satisfy the criteria listed in the following sections.
Supported operating systems include:
The following operating systems are not supported but have been tested:
ICM requires that SSH be installed and the SSH daemon running.
Additionally, a nonroot account must be specified in the SSHUser
field in the defaults file. This account should have the following properties:
It must provide sudo
access without requiring a password. You can enable this by creating or modifying a file in /etc/sudoers.d/
to contain the following line:
<accountname> ALL=(ALL) NOPASSWD:ALL
If the home directory is located anywhere other than /home
, it should be specified in the Home
field in the defaults file, for example:
Note that the home directory must not be a network directory shared among nodes (for example /nethome
), because this would cause configuration files to overwrite one another.
ICM can log in as SSHUser using SSH keys or password login. Even if password logins are enabled, ICM will always try to log in using SSH first.
If you've configured your machines with SSH keys, you must specify the SSH public/private key pair your configuration file using the SSHPublicKey
During the configuration phase, ICM configures SSH login and disables password login by default. If you don't wish password login to be disabled, you can touch
the following sentinel file in the home directory of the SSHUser account:
mkdir -p ICM
If you've configured your machines with a password, specify it using the SSHPassword
field in your configuration file. ICM assumes these credentials are insecure.
Enabling password login and specifying the SSHPassword
field does not remove the requirement that ICM be able to carry out all postconfiguration operations via SSH.
To avoid conflicting with local security policies and because of variations among operating systems, ICM does not attempt to open any ports. The following table contains the default ports that must be opened to make use of various ICM features. As described in General Parameters
, the ports are configurable, for example:
If you change one or more from the defaults in this way, you must ensure that the ports you specify are open.
||Docker (TLS mode)
||Required to access the public Apache web server on nodes of role WS (web server).
||Required for Weave DNS.
||Required for Overlay=Weave (default for all providers except PreExisting).
||Required for Weave monitoring.
||Required for Rancher monitoring.
|Required for web access to InterSystems IRIS+Spark containers. Different ports may be specified using the fields SparkMasterPort, SparkWorkerPort, SparkMasterWebUIPort, SparkWorkerWebUIPort, SparkRESTPort, SparkDriverPort, and SparkBlocKManagerPort, respectively.
||Required for web access to Spark containers. Different ports may be specified using the Spark*Port fields.
||InterSystems IRIS™ Superserver
||Required. A different port may be specified using the SuperServerPort field.
||InterSystems IRIS Webserver
||Required. A different port may be specified using the WebServerPort field.
||InterSystems IRIS ISCAgent
||Required for mirroring.A different port may be specified using the ISCAgentPort field.
||InterSystems IRIS License Server
||Required Note: A different port may be specified using the LicenseServerPort field.
||InterSystems IRIS JDBC Gateway Port
||Required to use the JDBC Gateway. A different port may be specified using the JDBCGatewayPort field.
As described in Storage Volumes Mounted by ICM
, ICM mounts storage volumes used by InterSystems IRIS and Docker under /dev
, using names specified by the fields listed in Device Name Parameters
. These fields have defaults for other providers, but not for PreExisting, so they must be included in your defaults file for PreExisting deployments.
For provider PreExisting, the device name null
(literal string) changes the behavior as follows:
The main difference between PreExisting and the other providers is the contents of the definitions file, which contains exactly one entry per node, rather than one entry per role with a Count
field to specify the number of nodes of that role. Each node is identified by its IP address or fully-qualified domain name. The fields shown in the following table are required for each node definition in a preexisting cluster deployment (along with other required fields described in other sections of this document):
||IP address of the preexisting node.
||Fully-qualified DNS name of the preexisting node; can be used in place of IPAddress. Must be resolvable by ICM and within the cluster. (For all other providers this is an output field, rather than an input field.)
||Nonroot user with passwordless sudo access.
Content Date/Time: 2019-07-17 06:06:47