Installation prerequisites overview

Google Distributed Cloud has the following sets of installation prerequisites:

• The prerequisites for the workstation machine running the bmctl tool.
• The prerequisites for the node machines that are part of the Google Distributed Cloud deployment.
• The prerequisites for the load balancer machines.
• The prerequisites for the Google Cloud project.
• The prerequisites for your service accounts.

If you use the workstation machine as a cluster node machine, it must meet the prerequisites for both.

Before you begin

During installation, you must provide the following credentials:

• The private SSH keys needed to access cluster node machines.
• If you are not using root, the cluster node machine login name.
• The Google Cloud service account keys. Go to Creating and managing service account keys to learn more.

Ensure you have all the necessary credentials before attempting to install Google Distributed Cloud.

Logging into gcloud

1. Login to gcloud as a user using gcloud auth application-default login:

gcloud auth application-default login

You need to have a Project Owner/Editor role to use the automatic API enablement and Service Account creation features, described below. You can also add the following IAM roles to the user:
• Service Account Admin
• Service Account Key Admin
• Project IAM Admin
• Compute Viewer
• Service Usage Admin
Alternatively, if you already have a service account with those roles, run:

export GOOGLE_APPLICATION_CREDENTIALS=JSON_KEY_FILE

JSON_KEY_FILE specifies the path to your service account JSON key file.
2. Get your Google Cloud project ID to use with cluster creation:

export CLOUD_PROJECT_ID=$(gcloud config get-value project)

Workstation prerequisites

The bmctl workstation must meet the following prerequisites:

• Operating system is the same supported Linux distribution running on the cluster node machines.
• Docker version 19.03 or later installed.
• Non-root user is member ofdocker group (for instructions, go to Manage Docker as a non-root user).
• gcloud installed.
• More than 50 GiB of free disk space.
• Layer 3 connectivity to all cluster node machines.
• Access to all cluster node machines through SSH via private keys with passwordless root access. Access can be either direct or through sudo.
• Access the control plane VIP.

Node machine prerequisites

The node machines have the following prerequisites:

• Their operating system is one of the supported Linux distributions.
• The Linux kernel version is 4.17.0 or newer. Ubuntu 18.04 and 18.04.1 are on Linux kernel version 4.15 and therefore incompatible.
• Meet the minimum hardware requirements.
• Internet access.
• Layer 3 connectivity to all other node machines.
• Access the control plane VIP.
• Properly configured DNS nameservers.
• No duplicate host names.
• One of the following NTP services is enabled and working:
  • chrony
  • ntp
  • ntpdate
  • systemd-timesyncd
• A working package manager: apt, dnf, etc.
• On Ubuntu, you must disable Uncomplicated Firewall (UFW). Run systemctl stop ufw to disable UFW.
• On Ubuntu and starting with Google Distributed Cloud 1.8.2, you aren't required to disable AppArmor. If you deploy clusters using earlier releases of Google Distributed Cloud disable AppArmor with the following command: systemctl stop apparmor
• If you choose Docker as your container runtime, you may use Docker version 19.03 or later installed. If you don't have Docker installed on your node machines or have an older version installed, Anthos on bare metal installs Docker 19.03.13 or later when you create clusters.
• If you use the default container runtime, containerd, you don't need Docker, and installing Docker can cause issues. For more information, see the known issues.

• Ensure the file systems backing the following directories have the required capacity and meet both of the following requirements whenever you install or re-install Google Distributed Cloud:

  • The overall disk space is under 90% utilization.

  • The directories have at least 128 GiB of free storage capacity.

    The installation creates the following directories, if necessary:

    • /var/lib/docker or /var/lib/containerd depending on the container runtime: 30 GiB (32,212,254,720 bytes)
    • /var/lib/kubelet: 10 GiB (10,737,418,240 bytes)
    • /mnt/anthos-system: 25 GiB (26,843,545,600 bytes)
    • /: 20 GiB (21,474,836,480 bytes)
    • /var/lib/etcd: 20 GiB (21,474,836,480 bytes, applicable to control plane nodes only)

• /var/lib/etcd and /etc/kubernetes directories are either non-existent or empty.

• You can create the directories in the same partition or filesystem. For more information, see our hardware requirements. The preceding individual storage requirements apply if the directories are in different partitions or filesystems.

In addition to the prerequisites for installing and running Google Distributed Cloud, customers are expected to comply with relevant standards governing their industry or business segment, such as PCI DSS requirements for businesses that process credit cards or Security Technical Implementation Guides (STIGs) for businesses in the defense industry.

Load balancer machines prerequisites

When your deployment doesn't have a specialized load balancer node pool, you can have worker nodes or control plane nodes build a load balancer node pool. In that case, they have additional prerequisites:

• Machines are in the same Layer 2 subnet.
• All VIPs are in the load balancer nodes subnet and routable from the gateway of the subnet.
• The gateway of the load balancer subnet should listen to gratuitous ARPs to forward packets to the master load balancer.

Google Cloud project prerequisites

Before you install Google Distributed Cloud, enable the following services for your associated GCP project:

• anthos.googleapis.com
• anthosaudit.googleapis.com
• anthosgke.googleapis.com
• cloudresourcemanager.googleapis.com
• container.googleapis.com
• gkeconnect.googleapis.com
• gkehub.googleapis.com
• iam.googleapis.com
• logging.googleapis.com
• monitoring.googleapis.com
• opsconfigmonitoring.googleapis.com
• serviceusage.googleapis.com
• stackdriver.googleapis.com

You can also use the bmctl tool to enable these services.

Service accounts prerequisites

In production environments, you should create separate service accounts for different purposes. Google Distributed Cloud needs the following different types of Google Cloud service accounts depending on their purpose:

• To access Container Registry (gcr.io), no special role is required.
• To register a cluster in a fleet, grant the roles/gkehub.admin IAM role to the service account on your Google Cloud project.
• To connect to fleets, grant the roles/gkehub.connect IAM role to the service account on your Google Cloud project.

• To send logs and metrics to Google Cloud Observability, grant the following IAM roles to the service account on your Google Cloud project:

  • roles/logging.logWriter
  • roles/monitoring.metricWriter
  • roles/stackdriver.resourceMetadata.writer
  • roles/monitoring.dashboardEditor
  • roles/opsconfigmonitoring.resourceMetadata.writer

You can also use the bmctl tool to create these service accounts.