Install Portworx with Pure Storage FlashArray enabled with secure multi-tenancy
Prerequisites
- Have an on-premise Kubernetes cluster with FlashArray that meets the minimum requirements for Portworx.
- Have a Pure Storage FlashArray with Purity version 6.6.11 or newer.
- Use the FC, iSCSI, NVMe-oF/RoCE, or NVMe-oF/TCP protocol.
- Create a Pure secret px-pure-secret under the same namespace as the Storage Cluster before installing Portworx.
- Enable CSI for Portworx.
- Install the latest Linux multipath software package on your operating system that includes these fixes. This package must also include kpartx.
- Have the latest filesystem utilities/drivers.
- Have the latest versions of the following packages installed on all nodes (including master):
  - libStorageMgmt
  - device-mapper-multipath
  - libstoragemgmt-udev
  - iscsi-initiator-utils
  Note (Red Hat only): Ensure that the second action CAPACITY_DATA_HAS_CHANGED is uncommented in the 90-scsi-ua.rules file and that you have restarted the udev service.
- Have the latest FC initiator software for your operating system (optional; required for FC connectivity).
Configure your physical environment
Before you install Portworx, ensure that your physical network is configured appropriately and that you meet the prerequisites. You must provide Portworx with your FlashArray configuration details during installation.
- Each FlashArray management IP address can be accessed by each node.
- Your cluster contains an up-and-running FlashArray with an existing dataplane connectivity layout (iSCSI, Fibre Channel).
- If you're using iSCSI, the storage node iSCSI initiators are on the same VLAN as the FlashArray iSCSI target ports.
- If you are using multiple network interface cards (NICs) to connect to an iSCSI host, then all of them must be accessible from the FlashArray management IP address.
- If you're using Fibre Channel, the storage node Fibre Channel WWNs have been correctly zoned to the FlashArray Fibre Channel WWN ports.
- You have an API token for a user on your FlashArray with at least storage_admin permissions. Check the documentation on your device for information on generating an API token.
Configure your software environment
Configuring your software environment involves preparing the operating system and the underlying network and storage configurations.
Follow the instructions below to set up the CSI snapshot feature, disable secure boot mode, and configure the multipath.conf file appropriately. These configurations ensure that the system's software environment is properly set up to allow Portworx to interact correctly with the hardware components, such as storage devices (using protocols such as iSCSI or Fibre Channel), and to function correctly within the network infrastructure.
Set up your environment to use CSI snapshot feature
To use the CSI snapshot feature, install the following:
-
-
You can also install the snapshot controller by adding the following lines to your StorageCluster:

    csi:
      enabled: true
      installSnapshotController: true

Disable secure boot mode
Portworx requires the secure boot mode to be disabled to ensure it can operate without restrictions. Here's how to disable secure boot mode across different platforms:
- RHEL/CentOS
- VMware
For RHEL/CentOS, perform the following steps to check and disable the secure boot mode:
- Check the status of secure boot mode:

    /usr/bin/mokutil --sb-state

- If secure boot is enabled, disable it:

    /usr/bin/mokutil --disable-validation

- Apply changes by rebooting your system:

    reboot

For VMware, navigate to the Edit Settings window of the virtual machine on which you are planning to deploy Portworx. Ensure that the checkbox against the Secure Boot option under VM Options is not selected.
Verify the status of the secure boot mode
Run the following command to ensure that the secure boot mode is off:

    /usr/bin/mokutil --sb-state
    SecureBoot disabled

Configure the multipath.conf file
- For defaults:
  - FlashArray and Portworx do not support user-friendly names. Disable them by setting user_friendly_names to no before installing Portworx on your cluster. This ensures Portworx and FlashArray use consistent device naming conventions.
  - Add polling_interval 10 as per the RHEL Linux recommended settings. This defines how often the system checks for path status updates.
- To prevent any interference from the multipathd service on Portworx volume operations, set the pxd device denylist rule.
Your multipath.conf file should resemble the following structure:
RHEL/CentOS:

defaults {
    user_friendly_names no
    enable_foreign "^$"
    polling_interval 10
    find_multipaths yes
}
devices {
    device {
        vendor "NVME"
        product "Pure Storage FlashArray"
        path_selector "queue-length 0"
        path_grouping_policy group_by_prio
        prio ana
        failback immediate
        fast_io_fail_tmo 10
        user_friendly_names no
        no_path_retry 0
        features 0
        dev_loss_tmo 60
    }
    device {
        vendor "PURE"
        product "FlashArray"
        path_selector "service-time 0"
        hardware_handler "1 alua"
        path_grouping_policy group_by_prio
        prio alua
        failback immediate
        path_checker tur
        fast_io_fail_tmo 10
        user_friendly_names no
        no_path_retry 0
        features 0
        dev_loss_tmo 600
    }
}
blacklist_exceptions {
    property "(SCSI_IDENT_|ID_WWN)"
}
blacklist {
    devnode "^pxd[0-9]*"
    devnode "^pxd*"
    device {
        vendor "VMware"
        product "Virtual disk"
    }
}

Ubuntu:

defaults {
    user_friendly_names no
    find_multipaths yes
}
devices {
    device {
        vendor "NVME"
        product "Pure Storage FlashArray"
        path_selector "queue-length 0"
        path_grouping_policy group_by_prio
        prio ana
        failback immediate
        fast_io_fail_tmo 10
        user_friendly_names no
        no_path_retry 0
        features 0
        dev_loss_tmo 60
    }
    device {
        vendor "PURE"
        product "FlashArray"
        path_selector "service-time 0"
        hardware_handler "1 alua"
        path_grouping_policy group_by_prio
        prio alua
        failback immediate
        path_checker tur
        fast_io_fail_tmo 10
        user_friendly_names no
        no_path_retry 0
        features 0
        dev_loss_tmo 600
    }
}
blacklist {
    devnode "^pxd[0-9]*"
    devnode "^pxd*"
    device {
        vendor "VMware"
        product "Virtual disk"
    }
}

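The multipath.conf requirements above (user-friendly names disabled, a denylist rule for pxd devices) can be checked on each node before installing Portworx. The script below is an added example, not part of the Portworx documentation; the function names section_lines and check_multipath_conf and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a multipath.conf against the settings this page requires.

# Print the top-level lines of one section (nested device { } blocks excluded).
# Assumes the section name and its opening brace share a line, as in the page's files.
section_lines() {
    awk -v want="$1" '
        /^[ \t]*#/ { next }
        {
            line = $0
            opens  = gsub(/[{]/, "", line)
            closes = gsub(/[}]/, "", line)
            if (depth == 0 && $1 == want) insec = 1
            else if (insec && depth == 1 && !opens && !closes) print
            depth += opens - closes
            if (depth <= 0) { depth = 0; insec = 0 }
        }' "$2"
}

# Return 0 if FILE meets the page's requirements, 1 otherwise; print each finding.
check_multipath_conf() {
    conf=$1 rc=0
    ufn=$(section_lines defaults "$conf" |
          awk '$1 == "user_friendly_names" { gsub(/"/, "", $2); v = $2 } END { print v }')
    if [ "$ufn" != "no" ]; then
        echo "FAIL: defaults user_friendly_names is '${ufn:-unset}', expected 'no'"; rc=1
    fi
    if ! section_lines blacklist "$conf" | grep -Eq '^[[:space:]]*devnode[[:space:]]+"\^pxd'; then
        echo "FAIL: blacklist section has no devnode rule for pxd devices"; rc=1
    fi
    if grep -Eq '^[[:space:]]*user_friendly_names[[:space:]]+"?yes' "$conf"; then
        echo "FAIL: user_friendly_names is set to yes somewhere in the file"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}

# Constructed sample: a file with no pxd denylist rule, checked on the spot.
sample=$(mktemp)
cat > "$sample" <<'EOF'
defaults {
    user_friendly_names no
    find_multipaths yes
}
EOF
check_multipath_conf "$sample" || echo "sample rejected as expected"
rm -f "$sample"
```

On a node, call check_multipath_conf /etc/multipath.conf and treat a non-zero return as a blocker for the installation.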
Set up user access in FlashArray
Follow these sections to set up user access for your FlashArray.
Create realms in FlashArray
When multiple clusters are attached to a FlashArray, it's essential to define specific realms for organizing and separating storage. An admin can specify the realm, and FlashArray volumes from the Portworx installation will be placed inside that realm. This way, different users who have access to the array and cluster can only see their own storage volumes. This method is particularly useful in multi-tenant environments where different customers share the same FlashArray.
To set up realms for different customers, follow these steps as an admin:
- Create a realm for each customer. All volumes from the Portworx installation will be placed within this realm, ensuring customer-specific data isolation:

    purerealm create <customer1-realm>
    Name               Quota Limit
    <customer1-realm>  -

- A pod in FlashArray defines a boundary where specific volumes are placed. Create a pod inside the realm you just defined:

    purepod create <customer1-realm>::<fa-pod-name>

  Stretched FlashArray pods (pods spanning multiple FlashArrays) are not supported.
By assigning realms and pods in a FlashArray, you can ensure that different users only interact with the specific storage resources allocated to them.