# Configure the inventory file (Zettaset XCrypt Full Disk)
The inventory file, `hosts.inv`, sets the configuration properties for the installation. The Zettaset software includes an annotated sample file, `hosts.inv.example`. Additional information is provided here for each section of the file.

## All nodes

```ini
# all nodes
target01 encrypted_blockdev=/dev/sdb1 encrypted_mountpoint=/data1 encrypted_mountnames=crypt1 encrypted_preserve=n fstype=ext4 newfsargs=none mountargs=none
target02 encrypted_blockdev=/dev/sdb1 encrypted_mountpoint=/data1 encrypted_mountnames=crypt1 encrypted_preserve=n fstype=ext4 newfsargs=none mountargs=none
target03 encrypted_blockdev=/dev/sdb1 encrypted_mountpoint=/data1 encrypted_mountnames=crypt1 encrypted_preserve=n fstype=ext4 newfsargs=none mountargs=none
```

In this section, list each node in your deployment by hostname or IP address. When encrypting multiple partitions on a node, use commas to separate the values. For each node, include the following variables:

| Variable | Description |
| --- | --- |
| `encrypted_blockdev` | The block device to be encrypted (for example, `/dev/sdb1`). A disk partition name is expected; to use disk partition labels instead, set `use_labels=true`. |
| `encrypted_mountpoint` | A mount point for the device (for example, `/data1`). The mount point must exist before the installation. |
| `encrypted_mountnames` | A partition name. Each name must be unique for each partition on the node (for example, `crypt1`). |
| `encrypted_preserve` | One of the following values. `y`: preserves existing data. The file system must be mounted before the installation; if the partition is not mounted, the data is overwritten. The partition must also be unmountable; if a process prevents the unmount, encryption cannot start. Only ext file systems can be preserved. `n`: does not preserve existing data. The partition must be unmounted. `w`: securely wipes the partition before the new encrypted file system is created. The partition must be unmounted. |
| `fstype` | Must be set to the type of file system to make when `encrypted_preserve` is `y` or `w`. Must be set to the existing file system type when `encrypted_preserve=n`. Typical file system types include `ext4` and `xfs`. |
| `newfsargs` | A string of arguments to pass to the `mkfs` command. If spaces exist between multiple arguments, surround the string in double quotes (for example, `"-b 2048 -d su=64k,sw=4"`). When no arguments are to be passed, set this value to `none`. Use colons to separate values. |
| `mountargs` | A string of mount options to pass to the `crypt_mount.sh` script. If spaces exist between multiple arguments, surround the string in double quotes (for example, `"noatime,inode64,allocsize=16m"`). When no arguments are to be passed, set this value to `none`. |
| `kmip_client_jks` | The location of the keystore that contains the client certificate. The keystore must be in this location on the installer node before installation. |
| `kmip_client_jks_password` | The password for the JKS file. |

Include values for all settings. In the following example, the hostnames provided must resolve. If some nodes are separated by a proxy (such as when you deploy to nodes in Skytap from your laptop), use the `ansible_ssh_host` and `ansible_ssh_port` variables. Otherwise, do not use those variables.

```ini
target03 encrypted_blockdev=/dev/sdb1,/dev/sdb2 encrypted_mountpoint=/data1,/data2 encrypted_mountnames=crypt1,crypt2 encrypted_preserve=n,n fstype=ext4,xfs newfsargs=none:"-b size=2048 -d su=64k,sw=4" mountargs=none:"noatime,inode64"
```

## Product name

```ini
# product name
zts_product=xcrypt_full_disk
```

This line displays the product name.

## Software license

```ini
# software license
license_file=/path/to/your_license
```

In this line, include the full path to the license file.

## FIPS mode

```ini
# fips mode
fips_mode=false
```

If you use OS versions 7.x and later, you can set `fips_mode` to `true` to enable FIPS 140 mode. All ZTS processes then run in FIPS mode.

## Disk labels

```ini
# disk labels
use_labels=false
```

By default, the Zettaset software expects the `encrypted_blockdev` value shown in the all-nodes section to point to a disk partition, such as `/dev/sdb`. To use disk partition labels instead, set `use_labels=true`.

## CA configuration

```ini
# ca configuration
internal_ca=false
external_ca_cert_source=
ca_org_name=
ca_org_unit=
ca_org_email=
ca_org_locale=
ca_org_state=
ca_org_country=
```

You must have a CA to authenticate nodes within your deployment. To use your pre-defined CA, set `internal_ca=false` and enter the full path to the CA PEM file in `external_ca_cert_source`. This is the location of the CA PEM file on the installer node. While using an external CA, you can ignore the `ca_org_*` values.

## KMIP server configuration

```ini
# kmip server configuration
internal_kmip=false
kmip_master_ip=172.24.166.20
kmip_server_port=9000
kmip_client_timeout=300000
kmip_compatible_user=true
install_ha=false
kmip_client_jks_test=
kmip_client_jks_test_passwd=
```

You need a KMIP server to process key requests. To use an external KMIP server, set `internal_kmip=false` and set `kmip_master_ip` and `kmip_server_port` to point to your third-party device. Use `kmip_client_timeout` to configure the timeout setting, or keep the default value of 300000.

When using an external KMIP server, use `kmip_client_jks_test` and `kmip_client_jks_test_passwd` to enter the JKS path and password and check the KMIP server connectivity before installing XCrypt. Using these values installs a KMIP client on the installation node. Leave these values blank if you do not need to check external KMIP connectivity or install a KMIP client on the installation node.

## HSM configuration

```ini
# hsm configuration
hsm_so_pin=safest
hsm_user_pin=safest
hsm_slot=0
hsm_lib_cfg_env_var=compat_mode=3
hsm_lib_file=/usr/local/bin/fxpkcs11/libfxpkcs11.so
```

You need a software-based or hardware-based HSM for key storage. To use the Vectera HSM for hardware-based key storage, set the values for each of the following parameters:

| Variable | Description |
| --- | --- |
| `hsm_so_pin` | Password of the identity created on the Vectera and set inside the Futurex PKCS #11 (`fxpkcs11`) configuration file. |
| `hsm_user_pin` | Password of the identity created on the Vectera and set inside the Futurex PKCS #11 (`fxpkcs11`) configuration file. |
| `hsm_slot` | Slot number configured in the fxpkcs11 configuration file (`fxpkcs11.cfg`). The slot number is 0 by default. |
| `hsm_lib_cfg_env_var` | Specify `compat_mode=3` exactly. |
| `hsm_lib_file` | Path and filename of the fxpkcs11 module. |

## Node functions

```ini
# node functions
[ca_master]
target01

[kmip]
target01
target02

[kmip_master]
target01

[slave]
target01
target02
target03

[license_server]
target04

[zookeeper]
target01
target02
target03
```

The values for the bracketed elements in this section indicate the function a node has in the deployment. Be sure that these settings agree with the other values in this file.

| Bracketed element | Description |
| --- | --- |
| `[ca_master]` | The node that stores licenses and generates the CA. If using an external CA, set this value to a node within the cluster. |
| `[kmip]` | List of the KMIP server and backup server nodes. The first entry must be the KMIP master. Ignore when using an external KMIP server. |
| `[kmip_master]` | The KMIP master node. Must be the same as `kmip_master_ip`. Ignore when using an external KMIP server. |
| `[slave]` | List of the nodes that have encrypted partitions. |
| `[license_server]` | List of the nodes where the license server will be installed. Must not intersect with `[kmip]` or `[slave]` nodes. |
| `[zookeeper]` | List of the ZooKeeper nodes used when KMIP HA is enabled. List at least three nodes. These nodes cannot be members of the `[kmip]` group. |
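The following Python is an added pre-flight check, not part of the Zettaset documentation or product: it parses the host lines and bracketed groups of a `hosts.inv` file and reports violations of the constraints stated on this page (equal-length comma-separated partition lists and valid `encrypted_preserve` values per host, the first `[kmip]` entry being the `[kmip_master]` node, `[license_server]` disjoint from `[kmip]` and `[slave]`, and at least three `[zookeeper]` nodes outside `[kmip]` when HA is on). The `install_ha` and `internal_kmip` flags are passed as parameters rather than read from the file, and the sample inventory is constructed with deliberate mistakes.

```python
import shlex

# Constructed sample modelled on the page's hosts.inv fragments (not the product's own file).
# It deliberately breaks rules from the page so that check_inventory() has findings to report.
SAMPLE_INV = """\
target03 encrypted_blockdev=/dev/sdb1,/dev/sdb2 encrypted_mountpoint=/data1,/data2 encrypted_mountnames=crypt1,crypt2 encrypted_preserve=n,n fstype=ext4,xfs newfsargs=none:"-b size=2048 -d su=64k,sw=4" mountargs=none:"noatime,inode64"
target04 encrypted_blockdev=/dev/sdb1,/dev/sdb2 encrypted_mountpoint=/data1 encrypted_mountnames=crypt1 encrypted_preserve=yes fstype=ext4 newfsargs=none mountargs=none
[kmip]
target01
[kmip_master]
target02
[slave]
target03
target04
[license_server]
target04
"""
LIST_VARS = ("encrypted_blockdev", "encrypted_mountpoint", "encrypted_mountnames",
             "encrypted_preserve", "fstype")

def parse_inventory(text):
    # Returns (hosts, groups): per-host variable dicts and [group] member lists.
    hosts, groups, group = {}, {}, None
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            groups[group] = []
        elif group is not None:                  # member line inside a [group]
            groups[group].append(line.split()[0])
        elif "=" not in line.split()[0]:         # host line (top-level key=value settings are skipped)
            name, *pairs = shlex.split(line)     # shlex keeps "quoted args" as one token
            hosts[name] = dict(p.split("=", 1) for p in pairs)
    return hosts, groups

def check_inventory(text, install_ha=False, internal_kmip=True):
    # Returns the page's constraints that the inventory violates (empty list = clean).
    hosts, groups = parse_inventory(text)
    g = lambda name: set(groups.get(name, []))
    rules = [
        (internal_kmip and groups.get("kmip", [])[:1] != groups.get("kmip_master", [])[:1],
         "first [kmip] entry must be the [kmip_master] node"),
        (g("license_server") & (g("kmip") | g("slave")), "[license_server] must not intersect [kmip] or [slave]"),
        (install_ha and len(g("zookeeper")) < 3, "[zookeeper] needs at least three nodes when install_ha=true"),
        (install_ha and g("zookeeper") & g("kmip"), "[zookeeper] nodes cannot be members of [kmip]"),
    ]
    for host, v in hosts.items():
        lists = {k: v.get(k, "").split(",") for k in LIST_VARS}
        rules += [
            (len({len(x) for x in lists.values()}) != 1, f"{host}: comma-separated partition lists differ in length"),
            (not set(lists["encrypted_preserve"]) <= {"y", "n", "w"}, f"{host}: encrypted_preserve must be y, n or w"),
        ]
    return [msg for bad, msg in rules if bad]
```

Run `check_inventory(open("hosts.inv").read(), install_ha=True)` against your own file before starting the installer; an empty list means the checked constraints hold.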