Mutation Advisor brings an automated prerequisite installation tool in IBM Cloud Pak for Multicloud Management 2.0

Steven Schwartz
Published in IBM Cloud
Oct 30, 2020

By Hirokuni Kitahara, Research Scientist: Cloud Programming Models & Runtimes, IBM Research

The Cloud Pak for Multicloud Management enables organizations to securely manage applications, no matter how they are designed or where they are deployed. The Cloud Pak for Multicloud Management is a set of open, pluggable tools built around a core application and governance model. This core architecture helps organizations model applications and application dependencies, manage the lifecycles of both applications and infrastructure, consistently govern and secure applications and their deployment models, and deliver observability for the application’s full stack.

Mutation Advisor, a security function in IBM Cloud Pak for Multicloud Management, provides real-time integrity protection for running containers on your clusters.

You can enable auditing of any file change and any process execution inside your containers. You can also enforce integrity on the container.

Before you install Mutation Advisor (using the Mutation Advisor operator), you must install the kernel-devel package on all worker nodes in your cluster. For more information about installing the kernel-devel package, see the instructions in Preparing to install Mutation Advisor.

The preceding instructions illustrate how to use the tool as a prerequisite.

If you are interested in just using the tool, follow the instructions provided in the preceding IBM Knowledge Center link.

The intent of this blog is to take a deeper look at what is actually happening when you execute the tool on your cluster.

When you execute the tool, if the prerequisite package is already there, the tool will show a message indicating that the kernel-devel package is already installed at /usr/src/kernels/<KERNEL_VERSION>, like this:

The kernel-devel package is already installed at /usr/src/kernels/<KERNEL_VERSION>

In this case, the kernel-devel package has already been installed and you can proceed with installing Mutation Advisor. If not, the tool will start to install the prerequisites.

First, it will create a writable overlay /opt/kernels which will be mounted to /usr/src/kernels/, to install the kernel-devel package. If the overlay is already created, you’ll get the following message:

The warning in the image will be shown if the overlay is already created there

Once the overlay has been created correctly, it will try to find the proper version of the package.

First, it tries to find the kernel-devel package whose version is exactly the same as the kernel version of your nodes. For example, if your cluster kernel is 4.18.0-193.6.3.el8_2.x86_64, the tool tries to find kernel-devel-4.18.0-193.6.3.el8_2.x86_64.rpm in several public repositories.

In most cases, this step will finish successfully and the prerequisite will be installed. You’ll receive a message about the successful installation:

A “successfully installed” case

However, the tool has one additional step it can try.

If the same version of the package cannot be found, it will try to find an alternative version, because the minor version difference does not cause any problem. In the example above, the kernel was 4.18.0-193.6.3.el8_2.x86_64, so the tool will try to find kernel-devel-4.18.0-193.*.rpm.

As a result, you can use Mutation Advisor even if your nodes and their kernels are not updated to the latest ones, thanks to this additional step.
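To verify on a node which of the two matching steps supplied the kernel-devel tree, the check below classifies the directories under /usr/src/kernels against the running kernel. It is an added example, not the tool's own code; the function names and sample directory names are constructed, and it assumes each tree is named after its kernel release, as in the /usr/src/kernels/<KERNEL_VERSION> message above.

```shell
#!/bin/sh
# Added example: classify the kernel-devel tree on a node against the running
# kernel, following the exact-then-alternative matching described in the post.

# "4.18.0-193.6.3.el8_2.x86_64" -> "4.18.0-193", the part kept in the post's
# fallback pattern kernel-devel-4.18.0-193.*.rpm
kdevel_prefix() {
    case $1 in
        *-*) rest=${1#*-}                      # 193.6.3.el8_2.x86_64
             printf '%s-%s\n' "${1%%-*}" "${rest%%.*}" ;;
        *)   printf '%s\n' "$1" ;;             # no release part: use as is
    esac
}

# classify_kdevel RELEASE [TREE...]
# TREE values are directory names under /usr/src/kernels (assumption: each is
# named after its kernel release).
# Prints one of: exact:<tree> | alternative:<tree> | missing
classify_kdevel() {
    release=$1; shift
    prefix=$(kdevel_prefix "$release")
    alt=
    for tree in "$@"; do
        if [ "$tree" = "$release" ]; then
            echo "exact:$tree"                 # exact match always wins
            return 0
        fi
        case $tree in
            # the "." after the prefix keeps 4.18.0-1930.* from matching
            "$prefix".*) [ -n "$alt" ] || alt=$tree ;;
        esac
    done
    if [ -n "$alt" ]; then echo "alternative:$alt"; else echo "missing"; fi
}

# Constructed sample: the kernel from the post, with made-up tree names.
RUNNING=4.18.0-193.6.3.el8_2.x86_64
classify_kdevel "$RUNNING" 4.18.0-193.el8.x86_64 4.18.0-193.6.3.el8_2.x86_64
classify_kdevel "$RUNNING" 4.18.0-193.14.2.el8_2.x86_64
classify_kdevel "$RUNNING" 4.18.0-240.1.1.el8_3.x86_64

# On a node: classify_kdevel "$(uname -r)" $(ls /usr/src/kernels 2>/dev/null)
```

An "alternative" result means the installed tree does not exactly match the running kernel, which is worth recording per node when auditing the prerequisite.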

After completing the previous steps, you are now ready to install Mutation Advisor!
