"the Block Storage CSI driver documentation"
https://www.ibm.com/docs/en/stg-block-csi-driver/1.4.0?topic=installation-compatibility-requirements

This should be written as "the IBM block storage CSI driver documentation". "block storage" isn't capitalized.
In addition, please refer to the general or at least the latest links, if possible.
www.ibm.com/docs/en/stg-block-csi-driver/
www.ibm.com/docs/en/stg-block-csi-driver/latest?topic=installation-compatibility-requirements.

Thank you,
Rivka Pollack
CSS ID Team Lead and Writer

Hello,

in the Disconnected use for Satellite components we explain how to change the accessTokenMaxAgeSeconds to 168h, the maximum we support.

We don't mention the default value, if someone want's to switch back to the default value.
Also the default value is not shown in the show command, it just shows default.

This might lead to the Question: What is the default value for accessTokenMaxAgeSeconds? (Example in Slack)

Solution: Can we add a sentence like

You can modify this setting by changing the accessTokenMaxAgeSeconds value for all your OAuth clients.
The default value for accessTokenMaxAgeSeconds is 86400 seconds.

Reference: 3.4. Configuring the internal OAuth server’s token duration

Hey all.
Reading the documentation here https://cloud.ibm.com/docs/satellite?topic=satellite-host-not-attaching it's not clear if the requirement is for the ids in /etc/machine-id and /var/lib/dbus/machine-id to be unique across all hosts AND in both files or just unique in both files.

The following bulletpoint didn't fit to the config file example in the code box.
URL: https://cloud.ibm.com/docs/satellite?topic=satellite-config-http-proxy&locale=en#http-proxy-config
Section: Configuring your HTTP proxy
Bulletpoint Nr. 4:
"Navigate to the /etc/environment file on your host. Enter the for NO_PROXY from step 2. If that file does not exist, create it."

The bullet point named /etc/environment but the content within the code example refers to "/etc/profile.d/ibm-proxy.sh". This didn't fit together.

The doc is confusing regarding setting up the mirror location ($REDHAT_PACKAGE_MIRROR_LOCATION) for an ibmcloud satellite location on premise (RHEL 8.7). There is no ENV $REDHAT_PACKAGE_MIRROR_LOCATION defined. The only repo config we have is /etc/yum.repos.d/redhat.repo, with entries like this:

baseurl = https://cdn.redhat.com/content/dist/layered/rhel8/x86_64/sat-tools/6.7/source/SRPMS
enabled = 0
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/8454176169347351717-key.pem
sslclientcert = /etc/pki/entitlement/8454176169347351717.pem
metadata_expire = 86400
enabled_metadata = 0

Do we need to set "cdn.redhat.com" for NO_PROXY?

Also there is a typo in the Note at step 8, refering to REDHHAT_PACKAGE_MIRROR_LOCATION instead of REDHAT_PACKAGE_MIRROR_LOCATION

Today, the model stays N/A for IBM Responsibility.
In reality, IBM is responsible of keeping the Satellite Link UP and applying changes to Satellite Link and recovering if there is a 7 days disconnections.

https://cloud.ibm.com/docs/satellite?topic=satellite-responsibilities

@davetropeano

In

Destination hostnames: c-01-ws.us-east.link.satellite.cloud.ibm.com, c-02-ws.us-eat.link.satellite.cloud.ibm.com, c-03-ws.us-east.link.satellite.cloud.ibm.com, c-04-ws.us-east.link.satellite.cloud.ibm.com, api.link.satellite.cloud.ibm.com

c-02-ws.us-eat.link.satellite.cloud.ibm.com

is wrong, s is missing

must be

c-02-ws.us-east.link.satellite.cloud.ibm.com

Hi folks,

I spotted a minor typo in the docs at https://cloud.ibm.com/docs/satellite?topic=satellite-sat-regions

• that runs in the IBM Cloud regiono that you choose

Regards,

Matt

In Disconnected use for Satellite components we mention a yaml file called accessTokenMaxAgeSeconds.yaml. But the file is not any more in the document.

We had posted a yaml file in a previous version, but then changed it to a edit command.
We should now change this sentence.

How do I set how long my location can run disconnected from IBM Cloud?
Update and apply the accessTokenMaxAgeSeconds.yaml file to set the time. For more information, see Setting the disconnected usage time.

How do I set how long my location can run disconnected from IBM Cloud?
Add the accessTokenMaxAgeSeconds: 604800parameter by using the oc edit oauthclients command.
For more information, see Setting the disconnected usage time.

Can you please check that this documentation is correct?
https://cloud.ibm.com/docs/satellite?topic=satellite-reqs-host-network

What is if I have a Control Plane and 3 Openshift Clusters. I want to ensure a secure environment.
Do all of the Clusternodes need to be able to communicate to the other cluster nodes even from different clusters?

Update we got from a customer that had much difficulty with deploying ODF to their Satellite cluster:

"First the ODF add-on is NOT SUPPORTED with IBM Cloud Satellite. Plus the API-Key I was using was still not correct. Baker walked me through creating a new API-Key. With that and JUST deploying the storage configuration using the ODF and local storage, the ODF deployed as expected."

This is for case CS3544384. Thanks!

Hi Team,
please define and descripe the filter option for the source endpoints (https://cloud.ibm.com/docs/satellite?topic=satellite-link-endpoint-secure). The current documentatoin just describes the way how to do this with help of the UI. Please add a description for a possibility to do this with help of the cli.

I try to do this with help of classic and vpc hosts within the IBM Cloud infrastructure. It just works if I do classic. If VPC is not possible please describe this as well.

The Debugging Host Health page includes a table of possible status for the hosts. It is missing "Location Critical" as a valid status. Here is an example below. Also, the table description for the "Unknown" status includes a link that just takes you back to the top anchor of the page.

Documentation says "All Satellite control plane and cluster data." which is causing lot of concern to customers and creating a blind spot on whats being backed up.

Please update documentation to clearly WHAT Data is being backedup and do not leave for interpretation.

We need this updated by 8/27/2021

https://cloud.ibm.com/docs/satellite?topic=satellite-locations#satloc-template

Does not include GCP in the list of quickstart templates

URL: https://cloud.ibm.com/docs/satellite?topic=satellite-attach-hosts#attach-rhcos-hosts

Bullet point nr2 is totally unclear:
Boot your RHCOS host and include the file path to the ignition script as the --user-data. For example: --user-data @/tmp/attach_hypershift.ign.

Can you please describe the command in detail (and not just one parameter?)

https://cloud.ibm.com/docs/satellite?topic=satellite-ssh-login-denied

The documentation says 3 control plane hosts are only for demonstration purposes meaning you need at least 6 for customer workloads. Is this really correct?

https://cloud.ibm.com/docs/satellite?topic=satellite-locations#control-plane-scale

Hi,

In the documentation https://cloud.ibm.com/docs/satellite?topic=satellite-azure#azure-host-attach (step 6)

It is explained that the script must be passed in the property "custom-data" of the VM created in Azure.

But it is also possible to execute this script manually after the VM creation instead as using it as custom-data.

Customer does not want to provision their VMs this way as they are running the template from a centralized repo and do not want dependencies with any other repo/script.

We should add this to the documentation.

CASE: CS2489524

Thank you.

Hello,

we use tugboats for our satellite-link service.
To reduce costs, we will scale-down / delete some of the tugboats on the 23th Feb 2023.
(See Second round Link Tugboat scale down)

This means that the Documentation under https://cloud.ibm.com/docs/satellite?topic=satellite-reqs-host-network-outbound for each region, the list under Allow Link connectors to connect to the Link tunnel server endpoint needs to change.

US East will still have 2 tugboats, all other regions will only one.

Can you please update the documentation on 25th Feb 2023?

URL: https://cloud.ibm.com/docs/satellite?topic=satellite-config-http-proxy&locale=en#common-mirror-locations
Section: Common mirror locations

For the Satellite locations that are connected via direct link to the IBM Cloud it makes sense to use the IBM Cloud Mirrors instead the public RedHat one. Can you please add them here?

It would really be helpful if you can provide details about the impact of higher latency and any possible workarounds

Currently SELinux is required on OpenShift worker nodes due to this issue:
https://github.ibm.com/alchemy-containers/satellite-planning/issues/1080

It should be explicitly written in host requirements on cloud docs.

all MZRs with Satellite managed from control planes should have their IPs listed so that clients around the world can test latency. I work for IBM.

Host Latency doc page

Hi

1. in the section Allow Hosts to Connect to IBM, for hosts cloud.ibm.com, containers.cloud.ibm.com, protocol is missing port is mentioned
   Suggestion: Please add Protocol whether TCP or HTTPS or both
2. For NTP protocol and UDP port 123, could be interpreted incorrectly as if both protocols NTP and UDP to be allowed on port 123.
   Suggestion: Provide UDP on port 123
3. In section Allow control plane worker nodes to back up control plane etcd data to IBM Cloud Object Storage, port is missing
   Suggestion : add port no 443 or something else
4. Overall advice to provide a FW template file or a script

Hi,

In the documentation https://cloud.ibm.com/docs/satellite?topic=satellite-locations#location-create-console

"Create a bucket in this service instance to back up your Satellite location control plane. The IBM Cloud Object Storage bucket must be in the same region as your Satellite location. The bucket endpoint must match the instance endpoint, such as a Cross Region bucket for a Global instance."

What means "The bucket endpoint must match the instance endpoint, such as a Cross Region bucket for a Global instance" or what should I configure?

My understanding is that I have to create a Region bucket in the same region that the location. But I do not understand that second part. I'm not sure it adds something and it confuses.

Thank you.

Please add ibm-system-storage-block-csi-driver to the supported storage providers

In Step 3: Pulling the agent image

Pulling the latest version command is incomplete.

It shows icr.io/ibm/satellite-connector/satellite-connector-agent:latest

https://cloud.ibm.com/docs/satellite?topic=satellite-run-agent-locally&interface=ui#pull-agent-image

Related website: https://cloud.ibm.com/docs/satellite?topic=satellite-link-endpoint-secure

A very important information is the allowed cidr addresses. I tried to use a cidr which belongs to this subnet 192.168.x.x/24 and I received this error Message:

Unable to Add Source. IP/CIDR out of range. Service source should be subset of following CIDRs: '10.0.0.0/8, 161.26.0.0/16, 166.8.0.0/14, 172.16.0.0/12'.

Rather allow the 192.168.0.0/16 address space or at least document the allowed cidr in the documentation above

Hi,
How do i create a directory for the configuration files, in this example ~/agent/env-files and create a file in the ~/agent/env-files directory - with which commands in the terminal

In the documentation:

https://cloud.ibm.com/docs/satellite?topic=satellite-run-agent-locally&interface=ui

It notes:

Create a file in the ~/agent/env-files directory called apikey with a single line value of your IBM Cloud API Key that can access the Satellite Connector.

SATELLITE_CONNECTOR_IAM_APIKEY=~/agent/env-files/apikey

However in testing using a file with only the api key in it is not working, as a work around the SATELLITE_CONNECTOR_IAM_APIKEY was set to the actual api key instead of a file containing the api key and it worked. Here is an example according to the documentation:

Example:

SATELLITE_CONNECTOR_IAM_APIKEY=" ~/Development/cs01-connector/agent/env-files/apikey" 

Created env.txt file with the following values:
$ vi ~/Development/cs01-connector/agent/env-files/env.txt

Errors in log:

- ..."tOps","msgid":"O03-400","msg":"GetToken error","err":"status code: 400. Provided API key could not be found."
- ..."agent_tunnel","msgid":"LAT07","msg":"Failed to get configuration from API, will retry in 120 seconds","statusCode":401,"details":{"incidentID":"bfb28653-4037-4554-9dae-ec34cee14f81","code":"LA0001","description":"You must specify an IAM token as an Authorization header.","type":"Authentication"}
- ..."agent_tunnel","msgid":"LAT06","msg":"Failed to get configuration from API, will retry in 120 seconds"}

Can the documentation be updated to include using the api key by itself and could you verify this process works as expected when using a file containing the api key?

The question is awkwardly worded and difficult to understand. Even if it were to read, "Why doesn't cluster list or get updates to Kubernetes resources that are managed by Satellite Config?", it isn't quite asking the question that is being answered.

Perhaps it should read something more like, "Why isn't my Resources list updating after registering my cluster or creating a subscription?".

The first link on this page:
https://cloud.ibm.com/docs/satellite?topic=satellite-icsat_map

goes to the IKS CLI docs: https://cloud.ibm.com/docs/containers?topic=containers-kubernetes-service-cli

But the link text says, a user will be taken to the Satellite CLI docs.

Copying the link text gives you this text:
[IBM Cloud Satellite CLI reference](https://cloud.ibm.com/docs/containers?topic=containers-kubernetes-service-cli).

Confirm that you have at least three host machines in separate zones that meet the minimum hardware requirements, such as 4 CPUs and 16 GB of memory with RHEL 7 packages and any provider-specific requirement from the guide.

Link to section

In your on-premises environment, identify or create at least three host machines in physically separate racks, which are called zones in Satellite, that meet the minimum hardware requirements, such as 4 CPUs and 16 GB of memory with RHEL 7 packages.

Link to section

I believe it should be "4 vCPUs" not "4 CPUs".

This sentence has an extra "to":

You choose when to apply to the host version updates.

Link: https://cloud.ibm.com/docs/satellite?topic=satellite-understand-connectors

A client has been through this and said that the information in IP adress is wrong. Please check?
Frankfurt

•   Destination IP addresses: 149.81.188.130, 158.177.75.210, 161.156.38.2
  

•   Destination hostnames: c-01-ws.eu-de.link.satellite.cloud.ibm.com, api.link.satellite.cloud.ibm.com
  

•   Protocol and ports: HTTPS 443
  

In High Availability, Disaster Recovery, and Disconnected Usage in the last chapter Disconnected Usage the indentation of the yaml file shown to change the accessTokenMaxAgeSeconds is wrong.

If I copy and paste the file and try to apply it I get an error.

# cat DisconnectedUsage.yaml

apiVersion: config.openshift.io/v1
kind: OAuth
  metadata:
    name: cluster
  spec:
    tokenConfig:
      accessTokenMaxAgeSeconds: 259200

# oc apply -f DisconnectedUsage.yaml
error: error parsing DisconnectedUsage.yaml: error converting YAML to JSON: yaml: line 3: mapping values are not allowed in this context

The correct file is

# cat accessTokenMaxAgeSeconds-72h.yaml

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  tokenConfig:
    accessTokenMaxAgeSeconds: 259200

# oc apply -f accessTokenMaxAgeSeconds-72h.yaml
oauth.config.openshift.io/cluster configured

Can you please correct this.

According to the documentation at https://cloud.ibm.com/docs/satellite?topic=satellite-host-reqs#reqs-host-packages-rhcos, I should be able to attach RHEL 7 hosts to a Satellite location. However, when I try this I get an error (see attached image).

In this section: https://cloud.ibm.com/docs/satellite?topic=satellite-config-storage-block-csi#storage-block-csi-app-deploy

Step 6 of this page https://cloud.ibm.com/docs/satellite?topic=satellite-config-storage-block-csi the name of the PVC is demo-pvc-file. This needs to match the name given for the PVC in step 9 but doesn't. In step 9 the name given is demo-pvc-file-system.

The name in step 6 or 9 needs to be changed so they match.

The following link under Non-Cloud provider section opens the same page. Is that correct?

Cloud infrastructure like AWS, Azure, and GCP.

In https://cloud.ibm.com/docs/satellite?topic=satellite-infrastructure-service there is a hyperlink "create clusters" to https://cloud.ibm.com/docs/satellite?topic=openshift-satellite-clusters that does not exist

In the table specified below, it refers to steps 3-5 in the Red Hat OpenShift on IBM Cloud firewall documentation. These steps do not appear to exist, although the information is correct. Might want to remove reference to the steps 3-5 since it is not present on the linked OpenShift documentation.

https://cloud.ibm.com/docs/satellite?topic=satellite-host-reqs#reqs-host-network-firewall-outbound

Allow IBM Cloud services to set up and manage your location

All IP addresses listed for US South (dal) in steps 3 - 5 of the Red Hat OpenShift on IBM Cloud firewall documentation

Hi, some comments to bring more clarity.

1. In the section "Basic Control Plane Worker setup - I think it refers to Satellite location then it should not be referred to as Master control plane, which most of us understand that Master control plane resides in IBM cloud but not in Satellite location.
   Suggestion: Change it to Satellite location Control plane
2. This page falls short of explaining Disaster recovery concepts with authenticity. DR should talk about RPO, RTO and other key metrics and in the context of business continuity not at a component level.
   Suggestion: Please change "Disaster Recovery" to "Backup and Recovery" as the description aptly describes procedures for backup and how it can be used for restoring the backup data. Also need to be careful to provide full clarity, as I dont think you can simply restore control plane data to create a new location. Also its confusing in the context of disaster, as when disaster happens we need to restore services in completely different physical location, which requires setting up new location as per our understanding.
3. High Availability section , should talk about SLAs, how much SLA does it improve by adding more hosts ? is it only for control plane ? or also to the workload clusters ? touch upon how it helps HA for customer applications too and add any caveats
   Suggestion: Show separate power, racks in the diagrams to support the text. Also highlight Satellite components that will benefit high availability and link to main arch diagram. HA is ideally explained as full technology stack for Satellite location and workload clusters and other satellite enabled services.

Originally submitted in CPD quality. https://github.ibm.com/PrivateCloud-analytics/CPD-Quality/issues/4268

https://cloud.ibm.com/docs/satellite?topic=satellite-ts-locations-debug#R0056

Just a suggestion but instead of replacing the control plane hosts a reboot seems to help as well, it may be a good idea to suggest a quick reboot of the control plane hosts in the R0056 section before replacing them.

Instead of a separate note above the table, we should put back the minimum of 3 nodes in the table on this page
https://cloud.ibm.com/docs/satellite?topic=satellite-location-sizing#control-plane-how-many-clusters-rhel

Before we had this table which was better to my mind

In the section "Security group settings"

the instructions could be more precise. Instead of

The following example is a security group that you might create for AWS.
and a textual description please add a screenshot with the recommended settings.

that it looks like
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#DefaultSecurityGroup

and is extended with the needed addtional settings.

scp <path_to_attachHost.sh> root@<ip_address>:/tmp/attach.sh

Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
lost connection

I think the error is caused by the private key not being included in the root@ part of the code.