Prerequisites for CentOS 7 or RHEL 7
Operating System Install Type
Assure1 depends on components that ship with the base operating system, and a "minimal" installation has been shown to lack one or more of them. Federos recommends using either the Base or the Cloud installation type, depending on the operating system.
The following command can be used to update to a Base installation, as well as verify that all needed base packages have been installed:
yum groupinstall "Base"
SELinux
The Assure1 installer uses the useradd tool to create the assure1 user. The default SELinux file-context rules only treat /home as a parent of home directories, so a home directory created under /opt would not receive home-directory labels. The following steps configure SELinux to treat /opt as equivalent to /home for labeling purposes.
- Install the RPM that provides the semanage tool:
yum install policycoreutils-python
- Edit the semanage.conf file:
nano /etc/selinux/semanage.conf
Change the usepasswd setting from false to true:
usepasswd=true
Save the file.
- Set the /opt label to be equivalent to /home:
semanage fcontext -a -e /home /opt
- Apply the new labels to /opt:
restorecon -R /opt
- OPTIONAL: the following are needed on servers that will be running Docker:
yum install container-selinux selinux-policy-targeted
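The steps above can be scripted so they are safe to re-run and so the result is checked rather than assumed. The script below is an added example, not Federos or Assure1 code. It assumes CentOS/RHEL 7 with policycoreutils-python installed for the semanage, restorecon and matchpathcon steps; the configuration-editing helper works on any file, and the equivalence check assumes `semanage fcontext -l -C` lists the entry as `/opt = /home`.

```shell
#!/bin/bash
# Added example (not Federos/Assure1 code): apply the SELinux home-directory
# equivalence for /opt non-interactively and verify the result.

# Ensure "usepasswd=true" is set in a semanage.conf-style file, whether the
# key is currently "false", commented out, or absent. Running it twice leaves
# exactly one active line.
set_usepasswd() {
    local conf="$1"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*usepasswd[[:space:]]*=' "$conf"; then
        sed -i -E 's/^[[:space:]]*#?[[:space:]]*usepasswd[[:space:]]*=.*/usepasswd=true/' "$conf"
    else
        printf 'usepasswd=true\n' >> "$conf"
    fi
}

# Return 0 if the file has exactly one active usepasswd line and it is "true".
usepasswd_enabled() {
    [ "$(grep -Ec '^usepasswd[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1")" -eq 1 ] &&
    ! grep -Eq '^usepasswd[[:space:]]*=[[:space:]]*false' "$1"
}

# Add the /home -> /opt equivalence only if it is not already defined
# (assumption: the local customisation listing shows it as "/opt = /home"),
# relabel, and confirm /opt now gets the same default context as /home.
# Note the equivalence covers everything under /opt, not just the assure1 home.
apply_opt_equivalence() {
    command -v semanage >/dev/null 2>&1 || { echo "semanage not installed" >&2; return 2; }
    if ! semanage fcontext -l -C | grep -q '^/opt = /home'; then
        semanage fcontext -a -e /home /opt
    fi
    restorecon -R -v /opt
    [ "$(matchpathcon -n /opt)" = "$(matchpathcon -n /home)" ] ||
        { echo "/opt context does not match /home" >&2; return 1; }
}

if [ "${1:-}" = "--apply" ]; then
    set_usepasswd /etc/selinux/semanage.conf
    apply_opt_equivalence
fi
```

Run it as `./selinux-opt.sh --apply` on the target server; without the flag it only defines the functions, which is what lets the editing helper be exercised on a scratch copy of semanage.conf first.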
DNS Entries
Before installing Assure1, every server must be able to reach every other server (and itself) using each server's Host FQDN entry and the Web FQDN entry (or entries).
This can be tested as follows:
- From the presentation servers, ping the Host FQDN of each server (including the local one), and make sure the Web FQDN also resolves.
- From the database servers, ping the Host FQDN of each server (including the local one), and make sure the Web FQDN also resolves.
- From the collection servers, ping the Host FQDN of each server (including the local one), and make sure the Web FQDN also resolves.
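The same check, as an added example that is not part of the Assure1 documentation: run from each server, it separates "does not resolve" from "resolves but does not answer" for every name in the list, so a stale /etc/hosts entry and a blocked path show up as different failures. The hostnames in ASSURE1_HOSTS are constructed placeholders; replace them with the Host FQDN of every presentation, database and collection server plus the Web FQDN(s).

```shell
#!/bin/bash
# Added example (not Assure1 code): verify Host/Web FQDN resolution and
# reachability from the local server. ASSURE1_HOSTS is a constructed list.
ASSURE1_HOSTS="
pres1.example.com
db1.example.com
coll1.example.com
web.example.com
"

# Name resolution only, via the system resolver (/etc/hosts then DNS).
resolve_fqdn() { getent hosts "$1" >/dev/null 2>&1; }

# Reachability: one ICMP echo with a 2 second timeout (Linux ping options).
ping_fqdn() { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }

# check_hosts HOST...: prints one "OK|NORESOLVE|NOPING host" line per host
# and returns 0 only if every host both resolves and answers ping.
check_hosts() {
    local host rc=0
    for host in "$@"; do
        if ! resolve_fqdn "$host"; then
            echo "NORESOLVE $host"; rc=1
        elif ! ping_fqdn "$host"; then
            echo "NOPING $host"; rc=1
        else
            echo "OK $host"
        fi
    done
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    # The local server's own FQDN is included, as the procedure requires.
    # shellcheck disable=SC2086
    check_hosts $ASSURE1_HOSTS "$(hostname -f)"
fi
```

Run `./check-fqdns.sh --run` on each server and fix every line that is not OK before starting the installer; a NORESOLVE for the local FQDN usually means hostname -f and the DNS or /etc/hosts entries disagree.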
Ports
Assure1 uses several network ports for inter-component communication. These must be opened bidirectionally in the local operating system firewall and in any network ACLs or firewalls between the servers.
Several ports must be opened in any firewalls to allow HTTP communication and cross-server communication with the presentation servers:
- Port TCP/80 - Standard Web (HTTP).
- Port TCP/443 - Secure Web (HTTPS).
- Port TCP/5671 - RabbitMQ.
- Port TCP/5601 - Kibana.
Additional ports to allow communication with the databases:
- Port TCP/2424-2430, TCP/2486-2490 - OrientDB (database server).
- Port TCP/3306 - MariaDB (presentation server and database server).
- Port TCP/7473, TCP/7687 - Neo4j (database server).
- Port TCP/8086 - InfluxDB (database server).
- Port TCP/9200 - Elasticsearch (database server).
Additional ports may need to be opened for data collection purposes:
- Port UDP/161 - SNMP Monitoring (all servers).
- Port UDP/162 - Trapd (collection servers).
- Port UDP/514 - Syslog (collection servers).
Additional ports are required for database redundancy and file synchronization:
- Port TCP/2434 - OrientDB (database servers).
- Port TCP/4369, TCP/25671 - RabbitMQ (presentation servers).
- Port TCP/8055, TCP/8056 - Redundancy Wizard (presentation servers and database servers).
- Port TCP/8873 - Unison file synchronization (presentation servers).
- Port TCP/9093 - Kafka (InfluxDB redundancy on database servers).
Additional ports are required for docker and microservices:
- Port TCP/179 - Kubernetes Calico BGP.
- Port TCP/2379 - Kubernetes etcd client.
- Port TCP/2380 - Kubernetes etcd peer.
- Port TCP/6443 - Kubernetes API controlplane.
- Port TCP/10250 - Kubernetes kubelet controlplane.
The following is an example of creating an Assure1 firewalld service:
- Create the firewalld service file:
cat <<'EOM' >/etc/firewalld/services/assure1v5.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Assure1</short>
  <description>Ports needed for Assure1 v5</description>
  <port protocol="tcp" port="80"/>
  <port protocol="udp" port="161"/>
  <port protocol="udp" port="162"/>
  <port protocol="tcp" port="179"/>
  <port protocol="tcp" port="443"/>
  <port protocol="udp" port="514"/>
  <port protocol="tcp" port="2379"/>
  <port protocol="tcp" port="2380"/>
  <port protocol="tcp" port="2424"/>
  <port protocol="tcp" port="2425"/>
  <port protocol="tcp" port="2426"/>
  <port protocol="tcp" port="2427"/>
  <port protocol="tcp" port="2428"/>
  <port protocol="tcp" port="2429"/>
  <port protocol="tcp" port="2430"/>
  <port protocol="tcp" port="2434"/>
  <port protocol="tcp" port="2486"/>
  <port protocol="tcp" port="2487"/>
  <port protocol="tcp" port="2488"/>
  <port protocol="tcp" port="2489"/>
  <port protocol="tcp" port="2490"/>
  <port protocol="tcp" port="3306"/>
  <port protocol="tcp" port="4369"/>
  <port protocol="tcp" port="5601"/>
  <port protocol="tcp" port="5671"/>
  <port protocol="tcp" port="6443"/>
  <port protocol="tcp" port="7473"/>
  <port protocol="tcp" port="7687"/>
  <port protocol="tcp" port="8055"/>
  <port protocol="tcp" port="8056"/>
  <port protocol="tcp" port="8086"/>
  <port protocol="tcp" port="8873"/>
  <port protocol="tcp" port="9093"/>
  <port protocol="tcp" port="9200"/>
  <port protocol="tcp" port="10250"/>
  <port protocol="tcp" port="25671"/>
</service>
EOM
- Enable the assure1v5 firewalld service:
firewall-cmd --zone=public --permanent --add-service=assure1v5
- Reload firewalld:
firewall-cmd --reload
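Hand-typing several dozen <port> lines is where a port gets dropped. The script below is an added example, not Federos code: it generates the service definition from the port list documented above (using firewalld's `port="low-high"` range syntax for the OrientDB blocks) and then reads the file back to confirm that a sample of the required ports is actually covered, so a typo is caught before the service is loaded. The port set is the one listed in this section; the service name and file path follow the example above.

```shell
#!/bin/bash
# Added example (not Assure1/Federos code): build the firewalld service XML
# from a port list and verify it covers the documented ports.
# Each entry is PROTO:PORT or PROTO:LOW-HIGH (firewalld accepts ranges).
ASSURE1_PORTS="tcp:80 tcp:443 tcp:5671 tcp:5601
tcp:2424-2430 tcp:2486-2490 tcp:3306 tcp:7473 tcp:7687 tcp:8086 tcp:9200
udp:161 udp:162 udp:514
tcp:2434 tcp:4369 tcp:25671 tcp:8055 tcp:8056 tcp:8873 tcp:9093
tcp:179 tcp:2379 tcp:2380 tcp:6443 tcp:10250"

# gen_service SHORT DESCRIPTION PORTSPEC... -> service XML on stdout
gen_service() {
    local short="$1" desc="$2" spec
    shift 2
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$short" "$desc"
    for spec in "$@"; do
        printf '  <port protocol="%s" port="%s"/>\n' "${spec%%:*}" "${spec#*:}"
    done
    printf '</service>\n'
}

# port_covered FILE PROTO PORT -> 0 if some <port> entry (single or range)
# in FILE covers PORT for PROTO, 1 otherwise.
port_covered() {
    local file="$1" proto="$2" port="$3" p lo hi
    for p in $(sed -nE "s/.*<port protocol=\"$proto\" port=\"([0-9-]+)\".*/\1/p" "$file"); do
        lo="${p%-*}"; hi="${p#*-}"          # "80" -> 80..80, "2424-2430" -> 2424..2430
        [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
    done
    return 1
}

# verify_service FILE: check one port from every group in the prerequisites
# list; prints MISSING lines and returns the number of misses (0 = all good).
verify_service() {
    local file="$1" missing=0 want
    for want in tcp:80 tcp:443 tcp:5671 tcp:2427 tcp:2488 tcp:3306 tcp:9200 \
                udp:162 udp:514 tcp:2434 tcp:8873 tcp:25671 tcp:6443 tcp:10250; do
        port_covered "$file" "${want%%:*}" "${want#*:}" ||
            { echo "MISSING $want"; missing=$((missing + 1)); }
    done
    return $missing
}

if [ "${1:-}" = "--install" ]; then
    # shellcheck disable=SC2086
    gen_service Assure1 "Ports needed for Assure1 v5" $ASSURE1_PORTS \
        > /etc/firewalld/services/assure1v5.xml
    verify_service /etc/firewalld/services/assure1v5.xml || exit 1
    firewall-cmd --zone=public --permanent --add-service=assure1v5
    firewall-cmd --reload
fi
```

One caveat the page's example does not spell out: adding the service to the public zone exposes the database and Kubernetes ports (3306, 9200, 8086, 2379, 6443, ...) to every source that can reach the interface. Where the servers' addresses are known, a tighter equivalent is a dedicated zone (`firewall-cmd --permanent --new-zone=assure1`), with `--zone=assure1 --add-source=ADDR` for each peer server and `--zone=assure1 --add-service=assure1v5`, leaving only 80/443 and the collector ports (161, 162, 514) in the zone that faces the wider network.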
Proxy
Set the following environment variables:
https_proxy=PROXYSTRING
no_proxy=NOPROXYSTRING
- PROXYSTRING - The proxy connection string giving the proxy server, port and, if required, user/pass. For example: http://myproxy.example.com:3128/
- NOPROXYSTRING - Comma-separated list of domains or IPs that should NOT be proxied, such as .example.com, localhost, 127.0.0.1, WEBFQDN, etc. This should at least include the servers' local domain (e.g. example.com) so that API requests between Assure1 servers are not sent through the proxy.
These can be set in either of the following ways:
- /etc/environment (read by pam_env, so it applies to PAM-initiated sessions, including non-interactive ones such as cron jobs; requires a restart or re-login of the user). Services started directly by systemd do not read this file and need Environment= or EnvironmentFile= in their unit instead. For example:
https_proxy=PROXYSTRING
no_proxy=NOPROXYSTRING
- /etc/profile.d/proxy.sh (used by interactive sessions; the file must be created; requires a restart or re-login of the user). For example:
export https_proxy=PROXYSTRING
export no_proxy=NOPROXYSTRING
If PROXYSTRING carries credentials, note that both files are world-readable by default, so any local user can read the proxy password.