Manually install the Connector in Google Cloud

Contributors netapp-bcammett

To manually install the Connector on your own Linux host, you need to review host requirements, set up your networking, prepare Google Cloud permissions, enable Google Cloud APIs, install the Connector, and then provide the permissions that you prepared.

Before you begin

You should review Connector limitations.

Step 1: Review host requirements

The Connector software must run on a host that meets specific operating system requirements, RAM requirements, port requirements, and so on.

Dedicated host

The Connector is not supported on a host that is shared with other applications. The host must be a dedicated host.

Supported operating systems
  • Ubuntu 22.04 LTS

  • CentOS 7.6 to 7.9

    NetApp will continue to support the Connector with CentOS 7 until June 30, 2024.

  • Red Hat Enterprise Linux

    • 7.6 to 7.9

      NetApp will continue to support the Connector with RHEL 7 until June 30, 2024.

    • 8.6 to 8.9

    • 9.1 to 9.3

      The host must be registered with Red Hat Subscription Management. If it's not registered, the host can't access repositories to update required 3rd-party software during Connector installation.

      The Connector is supported on English-language versions of these operating systems.

Hypervisor

A bare metal or hosted hypervisor that is certified to run Ubuntu, CentOS, or Red Hat Enterprise Linux is required.

CPU

4 cores or 4 vCPUs

RAM

14 GB

Google Cloud machine type

An instance type that meets the CPU and RAM requirements above. We recommend n2-standard-4.

The Connector is supported in Google Cloud on a VM instance with an OS that supports Shielded VM features.

Disk space in /opt

100 GiB of space must be available

BlueXP uses /opt to install the /opt/application/netapp directory and its contents.

Disk space in /var

20 GiB of space must be available

BlueXP requires this space in /var because Docker or Podman are architected to create the containers within this directory. Specifically, they will create containers in the /var/lib/containers/storage directory. External mounts or symlinks do not work for this space.

Container orchestration tool

Depending on your operating system, either Podman or Docker Engine is required before you install the Connector.

  • Podman version 4.6.1 is required for Red Hat Enterprise Linux 8 and 9.

    The following prerequisites must be met for Podman:

    • The podman.socket service must be enabled and started

    • python3 must be installed

    • The podman-compose package version 1.0.6 must be installed

    • podman-compose must be added to the PATH environment variable

  • Docker Engine is required for Ubuntu, CentOS, and Red Hat Enterprise Linux 7.

    • The minimum supported version is 19.3.1.

    • The maximum supported version is 25.0.5.

Step 2: Install Podman or Docker Engine

Depending on your operating system, either Podman or Docker Engine is required before you install the Connector.

  • Podman is required for Red Hat Enterprise Linux 8 and 9.

  • Docker Engine is required for Ubuntu, CentOS, and Red Hat Enterprise Linux 7.

Podman

Install Podman 4.6.1.

Steps
  1. Remove the podman-docker package if it's installed on the host.

    dnf remove podman-docker
    rm /var/run/docker.sock
  2. Install Podman.

    Podman is available from official Red Hat Enterprise Linux repositories.

    For Red Hat Enterprise Linux 9:

    sudo dnf install podman-2:4.6.1

    For Red Hat Enterprise Linux 8:

    sudo dnf install podman-3:4.6.1
  3. Enable and start the podman.socket service.

    sudo systemctl enable --now podman.socket
  4. Install python3.

    sudo dnf install python3
  5. Install the EPEL repository package if it's not already available on your system.

    This step is required because podman-compose is available from the Extra Packages for Enterprise Linux (EPEL) repository.

    For Red Hat Enterprise Linux 9:

    sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm

    For Red Hat Enterprise Linux 8:

    sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
  6. Install podman-compose package 1.0.6.

    sudo dnf install podman-compose-1.0.6
    Note: Using the dnf install command meets the requirement for adding podman-compose to the PATH environment variable. The installation command adds podman-compose to /usr/bin, which is already included in the secure_path option on the host.
Docker Engine

Install a version of Docker Engine between 19.3.1 and 25.0.5.

Steps
  1. Install Docker Engine.

    Be sure to follow the steps to install a specific version of Docker Engine. Installing the latest version will install a version of Docker that BlueXP doesn't support.

  2. Verify that Docker is enabled and running.

    sudo systemctl enable docker && sudo systemctl start docker
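The following preflight script is an added example, not part of the NetApp documentation. It checks a host against the Step 1 limits and the container tool requirements from Step 2. Reading "14 GB" as 14 × 10^9 bytes and the `--check` switch are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: preflight for a Connector host, using the Step 1 and Step 2 limits.

# ver_ge A B: true when dotted version A >= B. Fields are compared as numbers,
# so Docker's zero-padded "19.03.x" compares correctly against "19.3.1".
ver_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0 }'
}

# Supported Docker Engine range from the page: 19.3.1 through 25.0.5.
docker_version_ok() { ver_ge "$1" 19.3.1 && ver_ge 25.0.5 "$1"; }

# Whole GiB available on the filesystem that holds the given directory.
avail_gib() { df -Pk "$1" | awk 'NR == 2 { print int($4 / 1048576) }'; }

# Fails if any of the given paths is a symlink (symlinks do not work for /var).
no_symlinks() { local p; for p in "$@"; do [ ! -L "$p" ] || return 1; done; }

preflight() {
  local rc=0 v
  fail() { echo "FAIL: $*"; rc=1; }
  [ "$(nproc)" -ge 4 ] || fail "fewer than 4 cores or vCPUs"
  # Assumption: 14 GB = 14 * 10^9 bytes = 13671875 KiB (MemTotal is in KiB).
  [ "$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)" -ge 13671875 ] || fail "less than 14 GB RAM"
  [ "$(avail_gib /opt)" -ge 100 ] || fail "/opt has less than 100 GiB available"
  [ "$(avail_gib /var)" -ge 20 ] || fail "/var has less than 20 GiB available"
  no_symlinks /var /var/lib /var/lib/containers /var/lib/containers/storage ||
    fail "a symlink is on the path to /var/lib/containers/storage"
  if command -v podman >/dev/null 2>&1; then
    v=$(podman --version | awk '{ print $3 }')
    [ "$v" = 4.6.1 ] || fail "podman $v found, 4.6.1 required"
    systemctl is-active --quiet podman.socket || fail "podman.socket is not active"
    command -v python3 >/dev/null 2>&1 || fail "python3 is not installed"
    command -v podman-compose >/dev/null 2>&1 || fail "podman-compose is not on PATH"
  elif command -v docker >/dev/null 2>&1; then
    v=$(docker version --format '{{.Server.Version}}' 2>/dev/null)
    docker_version_ok "$v" || fail "Docker Engine '$v' is outside 19.3.1 to 25.0.5"
  else
    fail "neither podman nor docker is installed"
  fi
  return "$rc"
}

# Run the checks only when asked to: ./preflight.sh --check
[ "${1:-}" != "--check" ] || preflight
```

Run it as root on the target host before starting the installer; a non-zero exit status means at least one requirement is not met.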

Step 3: Set up networking

Set up your networking so the Connector can manage resources and processes within your hybrid cloud environment. For example, you need to ensure that connections are available to target networks and that outbound internet access is available.

Connections to target networks

A Connector requires a network connection to the location where you're planning to create and manage working environments. For example, the network where you plan to create Cloud Volumes ONTAP systems or a storage system in your on-premises environment.

Outbound internet access

The network location where you deploy the Connector must have an outbound internet connection to contact specific endpoints.

Endpoints contacted during manual installation

When you manually install the Connector on your own Linux host, the installer for the Connector requires access to the following URLs during the installation process:

  • https://support.netapp.com

  • https://mysupport.netapp.com

  • https://cloudmanager.cloud.netapp.com/tenancy

  • https://stream.cloudmanager.cloud.netapp.com

  • https://production-artifacts.cloudmanager.cloud.netapp.com

  • https://*.blob.core.windows.net

  • https://cloudmanagerinfraprod.azurecr.io

    The host might try to update operating system packages during installation. The host can contact different mirroring sites for these OS packages.

Endpoints contacted from the Connector

The Connector requires outbound internet access to contact the following endpoints in order to manage resources and processes within your public cloud environment for day-to-day operations.

Note that the endpoints listed below are all CNAME entries.

Endpoints, grouped by purpose:

To manage resources in Google Cloud:

  • https://www.googleapis.com/compute/v1/

  • https://compute.googleapis.com/compute/v1

  • https://cloudresourcemanager.googleapis.com/v1/projects

  • https://www.googleapis.com/compute/beta

  • https://storage.googleapis.com/storage/v1

  • https://www.googleapis.com/storage/v1

  • https://iam.googleapis.com/v1

  • https://cloudkms.googleapis.com/v1

  • https://www.googleapis.com/deploymentmanager/v2/projects

To obtain licensing information and to send AutoSupport messages to NetApp support:

  • https://support.netapp.com

  • https://mysupport.netapp.com

To provide SaaS features and services within BlueXP:

  • https://*.api.bluexp.netapp.com

  • https://api.bluexp.netapp.com

  • https://*.cloudmanager.cloud.netapp.com

  • https://cloudmanager.cloud.netapp.com

  • https://netapp-cloud-account.auth0.com

    Note that the Connector is currently contacting "cloudmanager.cloud.netapp.com" but it will start contacting "api.bluexp.netapp.com" in an upcoming release.

To upgrade the Connector and its Docker components:

  • https://*.blob.core.windows.net

  • https://cloudmanagerinfraprod.azurecr.io
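Because the endpoints are CNAME entries, egress rules for the Connector are normally written against host names rather than IP addresses. The script below is an added example, not NetApp code. It reports which hosts from the two endpoint lists above are not admitted by a host-name allowlist, one entry per line. The `--allowlist` switch and the wildcard semantics (`*.example.com` matches subdomains only, not `example.com` itself) are assumptions; check how your proxy or firewall interprets wildcards.

```bash
#!/usr/bin/env bash
# Added example: compare an egress allowlist with the hosts the Connector must reach.

# Host names taken from the endpoint lists on this page (URL paths dropped).
REQUIRED_HOSTS='support.netapp.com
mysupport.netapp.com
cloudmanager.cloud.netapp.com
stream.cloudmanager.cloud.netapp.com
production-artifacts.cloudmanager.cloud.netapp.com
*.cloudmanager.cloud.netapp.com
api.bluexp.netapp.com
*.api.bluexp.netapp.com
netapp-cloud-account.auth0.com
*.blob.core.windows.net
cloudmanagerinfraprod.azurecr.io
www.googleapis.com
compute.googleapis.com
cloudresourcemanager.googleapis.com
storage.googleapis.com
iam.googleapis.com
cloudkms.googleapis.com'

# covered_by REQUIRED ALLOW: true when allowlist entry ALLOW admits REQUIRED.
# An exact match always counts. A "*.suffix" entry admits any host (or narrower
# wildcard) ending in ".suffix", but not the bare suffix itself.
covered_by() {
  local req="$1" allow="$2"
  [ "$req" = "$allow" ] && return 0
  case "$allow" in
    '*.'*) ;;
    *) return 1 ;;
  esac
  local suffix="${allow#\*}"            # "*.example.com" -> ".example.com"
  case "${req#\*}" in
    *"$suffix") return 0 ;;
  esac
  return 1
}

# uncovered_hosts FILE: print every required host that no line of FILE admits.
uncovered_hosts() {
  local req allow hit
  printf '%s\n' "$REQUIRED_HOSTS" | while IFS= read -r req; do
    hit=0
    while IFS= read -r allow; do
      if covered_by "$req" "$allow"; then hit=1; break; fi
    done < "$1"
    [ "$hit" -eq 1 ] || printf '%s\n' "$req"
  done
}

# Usage: ./egress-check.sh --allowlist /path/to/allowlist.txt
[ "${1:-}" != "--allowlist" ] || uncovered_hosts "$2"
```

An empty result means every listed host is admitted. The page lists both `cloudmanager.cloud.netapp.com` and `*.cloudmanager.cloud.netapp.com`, and under the assumed semantics the wildcard entry alone does not admit the first.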

Proxy server

If your organization requires deployment of a proxy server for all outgoing internet traffic, obtain the following information about your HTTP or HTTPS proxy. You'll need to provide this information during installation. Note that BlueXP does not support transparent proxy servers.

  • IP address

  • Credentials

  • HTTPS certificate

Ports

There's no incoming traffic to the Connector, unless you initiate it or if the Connector is used as a proxy to send AutoSupport messages from Cloud Volumes ONTAP to NetApp Support.

  • HTTP (80) and HTTPS (443) provide access to the local UI, which you'll use in rare circumstances.

  • SSH (22) is only needed if you need to connect to the host for troubleshooting.

  • Inbound connections over port 3128 are required if you deploy Cloud Volumes ONTAP systems in a subnet where an outbound internet connection isn't available.

    If Cloud Volumes ONTAP systems don't have an outbound internet connection to send AutoSupport messages, BlueXP automatically configures those systems to use a proxy server that's included with the Connector. The only requirement is to ensure that the Connector's security group allows inbound connections over port 3128. You'll need to open this port after you deploy the Connector.

Enable NTP

If you're planning to use BlueXP classification to scan your corporate data sources, you should enable a Network Time Protocol (NTP) service on both the BlueXP Connector system and the BlueXP classification system so that the time is synchronized between the systems. Learn more about BlueXP classification.

Step 4: Set up permissions for the Connector

A Google Cloud service account is required to provide the Connector with the permissions that BlueXP needs to manage resources in Google Cloud. When you create the Connector, you'll need to associate this service account with the Connector VM.

It's your responsibility to update the custom role as new permissions are added in subsequent releases. If new permissions are required, they will be listed in the release notes.

Steps
  1. Create a custom role in Google Cloud:

    1. Create a YAML file that includes the contents of the service account permissions for the Connector.

    2. From Google Cloud, activate cloud shell.

    3. Upload the YAML file that includes the required permissions.

    4. Create a custom role by using the gcloud iam roles create command.

      The following example creates a role named "connector" at the project level:

      gcloud iam roles create connector --project=myproject --file=connector.yaml

  2. Create a service account in Google Cloud and assign the role to the service account:

    1. From the IAM & Admin service, select Service Accounts > Create Service Account.

    2. Enter service account details and select Create and Continue.

    3. Select the role that you just created.

    4. Finish the remaining steps to create the role.

  3. If you plan to deploy Cloud Volumes ONTAP systems in different projects than the project where the Connector resides, then you'll need to provide the Connector's service account with access to those projects.

    For example, let's say the Connector is in project 1 and you want to create Cloud Volumes ONTAP systems in project 2. You'll need to grant access to the service account in project 2.

    1. From the IAM & Admin service, select the Google Cloud project where you want to create Cloud Volumes ONTAP systems.

    2. On the IAM page, select Grant Access and provide the required details.

      • Enter the email of the Connector's service account.

      • Select the Connector's custom role.

      • Select Save.

    For more details, refer to Google Cloud documentation.

Result

The service account for the Connector VM is set up.

Step 5: Set up shared VPC permissions

If you are using a shared VPC to deploy resources into a service project, then you'll need to prepare your permissions.

This table is for reference and your environment should reflect the permissions table when IAM configuration is complete.

View shared VPC permissions

Google account to deploy the Connector

  • Creator: Custom

  • Hosted in: Service project

  • Host project permissions: compute.networkUser

  • Purpose: Deploying the Connector in the service project

Connector service account

  • Creator: Custom

  • Hosted in: Service project

  • Host project permissions: compute.networkUser, deploymentmanager.editor

  • Purpose: Deploying and maintaining Cloud Volumes ONTAP and services in the service project

Cloud Volumes ONTAP service account

  • Creator: Custom

  • Hosted in: Service project

  • Service project permissions: storage.admin; member: BlueXP service account as serviceAccount.user

  • Host project permissions: N/A

  • Purpose: (Optional) For data tiering and BlueXP backup and recovery

Google APIs service agent

  • Creator: Google Cloud

  • Hosted in: Service project

  • Service project permissions: (Default) Editor

  • Host project permissions: compute.networkUser

  • Purpose: Interacts with Google Cloud APIs on behalf of deployment. Allows BlueXP to use the shared network.

Google Compute Engine default service account

  • Creator: Google Cloud

  • Hosted in: Service project

  • Service project permissions: (Default) Editor

  • Host project permissions: compute.networkUser

  • Purpose: Deploys Google Cloud instances and compute infrastructure on behalf of deployment. Allows BlueXP to use the shared network.

Notes:

  1. deploymentmanager.editor is only required at the host project if you are not passing firewall rules to the deployment and are choosing to let BlueXP create them for you. BlueXP will create a deployment in the host project which contains the VPC0 firewall rule if no rule is specified.

  2. firewall.create and firewall.delete are only required if you are not passing firewall rules to the deployment and are choosing to let BlueXP create them for you. These permissions reside in the BlueXP account .yaml file. If you are deploying an HA pair using a shared VPC, these permissions will be used to create the firewall rules for VPC1, 2 and 3. For all other deployments, these permissions will also be used to create rules for VPC0.

  3. For data tiering, the tiering service account must have the serviceAccount.user role on the service account, not just at the project level. Currently if you assign serviceAccount.user at the project level, the permissions don't show when you query the service account with getIAMPolicy.

Step 6: Enable Google Cloud APIs

Several Google Cloud APIs must be enabled before you can deploy Cloud Volumes ONTAP systems in Google Cloud.

Step
  1. Enable the following Google Cloud APIs in your project:

    • Cloud Deployment Manager V2 API

    • Cloud Logging API

    • Cloud Resource Manager API

    • Compute Engine API

    • Identity and Access Management (IAM) API

    • Cloud Key Management Service (KMS) API

      (Required only if you are planning to use BlueXP backup and recovery with customer-managed encryption keys (CMEK))

Step 7: Install the Connector

After the prerequisites are complete, you can manually install the software on your own Linux host.

Before you begin

You should have the following:

  • Root privileges to install the Connector.

  • Details about a proxy server, if a proxy is required for internet access from the Connector.

    You have the option to configure a proxy server after installation but doing so requires restarting the Connector.

    Note that BlueXP does not support transparent proxy servers.

  • A CA-signed certificate, if the proxy server uses HTTPS or if the proxy is an intercepting proxy.

About this task

The installer that is available on the NetApp Support Site might be an earlier version. After installation, the Connector automatically updates itself if a new version is available.

Steps
  1. If the http_proxy or https_proxy system variables are set on the host, remove them:

    unset http_proxy
    unset https_proxy

    If you don't remove these system variables, the installation will fail.

  2. Download the Connector software from the NetApp Support Site, and then copy it to the Linux host.

    You should download the "online" Connector installer that's meant for use in your network or in the cloud. A separate "offline" installer is available for the Connector, but it's only supported with private mode deployments.

  3. Assign permissions to run the script.

    chmod +x BlueXP-Connector-Cloud-<version>

    Where <version> is the version of the Connector that you downloaded.

  4. Run the installation script.

    ./BlueXP-Connector-Cloud-<version> --proxy <HTTP or HTTPS proxy server> --cacert <path and file name of a CA-signed certificate>

    The --proxy and --cacert parameters are optional. If you have a proxy server, you will need to enter the parameters as shown. The installer doesn't prompt you to provide information about a proxy.

    Here's an example of the command using both optional parameters:

    ./BlueXP-Connector-Cloud-v3.9.40 --proxy https://user:password@10.0.0.30:8080/ --cacert /tmp/cacert/certificate.cer

    --proxy configures the Connector to use an HTTP or HTTPS proxy server using one of the following formats:

    • http://address:port

    • http://user-name:password@address:port

    • http://domain-name%92user-name:password@address:port

    • https://address:port

    • https://user-name:password@address:port

    • https://domain-name%92user-name:password@address:port

      Note the following:

      • The user can be a local user or domain user.

      • For a domain user, you must use the ASCII code for a \ as shown above.

      • BlueXP doesn't support user names or passwords that include the @ character.

      • If the password includes any of the following special characters, you must escape that special character by prepending it with a backslash: & or !

        For example:

        http://bxpproxyuser:netapp1\!@address:3128

    --cacert specifies a CA-signed certificate to use for HTTPS access between the Connector and the proxy server. This parameter is required only if you specify an HTTPS proxy server or if the proxy is an intercepting proxy.

  5. Wait for the installation to complete.

    At the end of the installation, the Connector service (occm) restarts twice if you specified a proxy server.

  6. Open a web browser from a host that has a connection to the Connector virtual machine and enter the following URL:

    https://ipaddress

  7. After you log in, set up the Connector:

    1. Specify the BlueXP account to associate with the Connector.

    2. Enter a name for the system.

    3. Under "Are you running in a secured environment?", keep restricted mode disabled.

      You should keep restricted mode disabled because these steps describe how to use BlueXP in standard mode. You should enable restricted mode only if you have a secure environment and want to disconnect this account from BlueXP backend services. If that's the case, follow steps to get started with BlueXP in restricted mode.

    4. Select Let's start.

Result

The Connector is now installed and is set up with your BlueXP account.

If you have Google Cloud Storage buckets in the same Google Cloud account where you created the Connector, you'll see a Google Cloud Storage working environment appear on the BlueXP canvas automatically. Learn how to manage Google Cloud Storage from BlueXP.
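The rules for the --proxy and --cacert parameters in step 4 are easy to get wrong by hand. The helper below is an added example, not part of the NetApp installer. It applies those rules and prints the values in the form the page says to enter them. The function names, argument order and return codes are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: build the installer's optional arguments from the step 4 rules.

# build_proxy_value SCHEME HOST PORT [USER] [PASSWORD] [DOMAIN]
# Prints the --proxy value as the page says to type it:
#   - a domain user is written domain%92user, as in the listed formats
#   - & and ! in the password are prefixed with a backslash
#   - user names or passwords that contain @ are rejected (not supported)
build_proxy_value() {
  local scheme="$1" host="$2" port="$3" user="${4:-}" pass="${5:-}" domain="${6:-}"
  case "$scheme" in
    http|https) ;;
    *) echo "scheme must be http or https" >&2; return 2 ;;
  esac
  case "$port" in
    ''|*[!0-9]*) echo "port must be numeric" >&2; return 2 ;;
  esac
  case "$user$pass" in
    *@*) echo "user names and passwords that include @ are not supported" >&2; return 3 ;;
  esac
  if [ -z "$user" ]; then
    printf '%s://%s:%s\n' "$scheme" "$host" "$port"
    return 0
  fi
  [ -z "$domain" ] || user="${domain}%92${user}"
  pass=$(printf '%s' "$pass" | sed 's/[&!]/\\&/g')   # "\\&" = backslash + matched char
  printf '%s://%s:%s@%s:%s\n' "$scheme" "$user" "$pass" "$host" "$port"
}

# installer_args PROXY_VALUE [CACERT_PATH]
# Prints the optional arguments for the install script. The page requires
# --cacert when the proxy is HTTPS, so that combination is enforced here.
installer_args() {
  case "$1" in
    https://*)
      [ -n "${2:-}" ] || { echo "--cacert is required with an HTTPS proxy" >&2; return 4; }
      ;;
  esac
  printf '%s %s' --proxy "$1"
  [ -z "${2:-}" ] || printf ' %s %s' --cacert "$2"
  printf '\n'
}

# Example with constructed values (address and certificate path as in the page's sample):
#   installer_args "$(build_proxy_value https 10.0.0.30 8080)" /tmp/cacert/certificate.cer
```

An intercepting HTTP proxy also needs --cacert; the helper cannot detect that case, so pass the certificate path explicitly.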

Step 8: Provide permissions to BlueXP

You need to provide BlueXP with the Google Cloud permissions that you previously set up. Providing the permissions enables BlueXP to manage your data and storage infrastructure in Google Cloud.

Steps
  1. Go to the Google Cloud portal and assign the service account to the Connector VM instance.

  2. If you want to manage resources in other Google Cloud projects, grant access by adding the service account with the BlueXP role to that project. You'll need to repeat this step for each project.

Result

BlueXP now has the permissions that it needs to perform actions in Google Cloud on your behalf.