Qumulo in AWS: Qumulo Sidecar

REQUIREMENTS

Cloud Cluster with Qumulo Core 3.1.1 or above
Privileges to create users and roles in your Qumulo cluster
AWS Console access to use the following services:
- Secrets Manager—Securely stores information and credentials about the cluster/input params
- CloudWatch Metrics—Stores and allows viewing of cluster metrics
- CloudWatch Events—Invokes the scripts at a regular interval
- IAM—Gives the scripts permissions to access AWS resources
- Lambda—Runs the scripts
- EC2/EBS—Replaces EBS volumes
IAM permissions for full access to EC2, CloudFormation, Lambda, and Secrets Manager

IAM PERMISSIONS

The table below lists the required IAM permissions for deploying the Qumulo Sidecar with Qumulo cloud clusters in AWS.

cloudformation:CreateStack	cloudformation:DeleteStack	ec2:DescribeNetworkInterfaces
ec2:DescribeSecurityGroups	ec2:DescribeSubnets	ec2:DescribeVpcs
events:DeleteRule	events:DescribeRule	events:PutRule
events:PutTargets	events:RemoveTargets	iam:AttachRolePolicy
iam:CreateRole	iam:DeleteRole	iam:DeleteRolePolicy
iam:DetachRolePolicy	iam:GetRole	iam:GetRolePolicy
iam:PassRole	iam:PutRolePolicy	lambda:AddPermission
lambda:GetFunction	lambda:CreateFunction	lambda:DeleteFunction
lambda:DeleteFunctionEventInvokeConfig	lambda:GetFunctionConfiguration	lambda:RemovePermission
lambda:PutFunctionEventInvokeConfig	lambda:PutFunctionConcurrency	s3:GetObject
secretsmanager:CreateSecret	secretsmanager:DeleteSecret	secretsmanager:TagResource

Sending cluster metrics to AWS CloudWatch with Qumulo Sidecar requires the following permissions:

cloudwatch:PutMetricData

secretsmanager:GetSecretValue

sns:Publish

Detecting and repairing EBS volume failures with Qumulo Sidecar requires the following permissions:

ec2:AttachVolume	ec2:CreateTags	ec2:CreateVolume
ec2:DescribeImages	ec2:DescribeInstances	ec2:DescribeVolumes
ec2:DetachVolume	ec2:ModifyInstanceAttribute	sns:Publish

DETAILS

The Qumulo Sidecar is a Qumulo tool that can deploy AWS services that are useful in monitoring and maintaining a Qumulo cloud cluster in AWS. The tool operates as an always-active service alongside the cluster and can be activated once your AWS cluster is up and running in order to perform the following:

Send Cluster Metrics to AWS CloudWatch

The Sidecar deploys an AWS Lambda Function that collects cluster metrics once every minute and then sends them to AWS CloudWatch. For more information on these metrics and how to find them in the CloudWatch console, check out the Qumulo in AWS: Monitoring with a CloudWatch Dashboard article.

Detect and Repair EBS Volume Failures

The Sidecar deploys an AWS Lambda Function that polls the Qumulo cluster for disk failures every 10 minutes. Once a disk failure is detected, the lambda automatically replaces the corresponding EBS volume. Check out the Qumulo in AWS: Automatic EBS Volume Replacement article for more details.

Create a Sidecar Local User Account

Several configurations must be made in the Qumulo Core Web UI prior to activating Qumulo Sidecar, including creating a user account and role for it to access Qumulo data.

Login to the Qumulo Core Web UI.
Hover over the Cluster menu and select Local Users & Groups.
Click Create to create a new user.
Specify a name and password for the user. Leave the NFS UID field blank.
NOTE: The user name can be anything; the examples below use 'SidecarUser'.
Click the Groups tab and select the check box in the Primary column in the Guests group row. Leave all other fields unchecked.
Click Create to save the user account.

Now that the Sidecar has a local account, you can configure the appropriate permissions for it to access Qumulo data.

Configure a Sidecar Custom Role

Login to the Qumulo Core Web UI.
Hover over the Cluster menu and click Role Management.
Click Create Role.
Enter a name for the role and a description if desired.
Select the following Privileges:
- ANALYTICS_READ
- CLUSTER_READ
- FS_ATTRIBUTES_READ
- NETWORK_READ
Leave all other boxes unchecked and c lick Save.
Click Add Member under the new role you created on the Role Management page.
Enter the name of the local user you created in the previous section.
Click Yes, Add Member to assign the custom role.

Deploy Qumulo Sidecar

Click the Qumulo Sidecar link provided in the product release notes for the version of Qumulo Core your cluster is running. A browser window will open to configure your Sidecar.
NOTE: You can find Product Release Notes for all versions of Qumulo Core in the Product Releases section of Qumulo Care.
Fill out the Stack details form with the information for your AWS cluster, including the details for the local user account you created for the Sidecar service under the Login Information section.
Enter the details for the user account you created for the Sidecar service in Create a Sidecar Local User Account earlier in this document under the Login Information section.
NOTE: See Setting Up Amazon SNS Notifications for details on creating SNS notifications.
Click Create Stack to deploy the Qumulo Sidecar.

Upgrade Qumulo Sidecar

In order to make sure you have access to the latest Qumulo Sidecar features, we recommend you use the Sidecar version that matches your cluster's version of Qumulo Core. For full details on upgrading CloudFormation templates, refer to Updating Stacks Directly.

Select the Qumulo Sidecar stack you wish to upgrade from the CloudFormation Stacks list.
Click Update.
Select Replace current template in the Update stack box.
Copy the Qumulo Sidecar Upgrade link provided in the product release notes for the version of Qumulo Core your cluster is running.
Paste the link in the Amazon S3 URL field and click Next.
Review the existing stack configuration details and make any changes needed (if any).
Click Update stack.