Ondat Best Practices

Use an external Etcd cluster

Ondat uses the etcd distributed key-value store to store essential cluster metadata and manage distributed configuration state. For production environments and testing of production workloads, we recommend deploying an external etcd cluster. For more details about, and an example of, how to run etcd, see the External etcd Operations page.

It is highly recommended to use external etcd for cloud environments and place the etcd cluster on stable nodes. Placing the etcd on nodes that are recycled often might affect the normal operations of Ondat.

Setup of storage on the hosts

We recommend creating a separate filesystem for Ondat to mitigate the risk of filling the root filesystem on nodes. This has to be done for each node in the cluster.

Follow the managing host storage best practices page for more details.

Resource reservations

Ondat resource consumption depends on the workloads and the Ondat features in use.

The recommended minimum memory reservation for the Ondat Pods is 512MB for non-production environments. However it is recommended to prepare nodes so Ondat can operate with at least with 1-2GB of memory. Ondat frees memory when possible.

For production environments, we recommend 4GB of Memory and 1 CPU as a minimum and to test Ondat using realistic workloads and tune resources accordingly.

Ondat Pods resource allocation will impact directly on the availability of volumes in case of eviction or resource limit triggered restart. It is recommended to not limit Ondat Pods.

Ondat implements a storage engine, therefore limiting CPU consumption might affect the I/O throughput of your volumes.

Ondat API username/password

The API grants full access to Ondat functionality, therefore we recommend that the default administrative password of ‘storageos’ is reset to something unique and strong.

You can change the default parameters by encoding the apiUsername and apiPassword values (in base64) into the storageos-api secret.

To generate a unique password, a technique such as the following, which generates a pseudo-random 24 character string, may be used:

# Generate strong password
PASSWORD=$(cat -e /dev/urandom | tr -dc 'a-zA-Z0-9-!@#$%^&*()_+~' | fold -w 24 | head -n 1)

# Convert password to base64 representation for embedding in a K8S secret
BASE64PASSWORD=$(echo -n $PASSWORD | base64)

Note that the Kubernetes secret containing a strong password must be created before bootstrapping the cluster. Multiple installation procedures use this Secret to create a Ondat account when the cluster first starts.

Ondat Pod placement

Ondat must run on all nodes that will contribute storage capacity to the cluster or that will host Pods which use Ondat volumes. For production environments, it is recommended to avoid placing Ondat Pods on Master nodes.

Ondat is deployed with a DaemonSet controller, and therefore tolerates the standard unschedulable (:NoSchedule) action. If that is the only taint placed on master or cordoned nodes Ondat pods might start on them (see the Kubernetes docs for more details). To avoid scheduling Ondat pods on master nodes, you can add an arbitrary taint to them for which the Ondat DaemonSet won’t have a toleration.

Dedicated instance groups

Cloud environments give users the ability to quickly scale the number of nodes in a cluster in response to their needs. Because of the ephemeral nature of the cloud, Ondat recommends setting conservative downscaling policies.

For production clusters, it recommended to use dedicated instance groups for Stateful applications that allow the user to set different scaling policies and define Ondat pools based on node selectors to collocate volumes.

Losing a few nodes at the same time could cause the loss of data even when volume replicas are being used.

Port blocking

Ondat exposes ports to operate. It is recommended that the ports are not accessible from outside the scope of your cluster.

Ondat in Docker EE

Ondat does not support running on Swarm nodes nor on mixed (Kubernetes and Swarm) nodes. Ondat volumes have to be provisioned and used from Kubernetes nodes.