Standard environment preparation

This topic provides guidance for preparing your environment before Standard installation.

Install requirements

Hardware requirements

• CPU - 4 cores

• 16GB RAM

• 1TB storage space

When partitioning space, allocate 20GB for /var/lib and the remaining 1TB for /opt/anaconda.

Warning

Our recommended storage space only accounts for Anaconda’s default channels; if you wish to mirror additional channels or upload additional packages, please allocate more storage accordingly.

Note

The installer provides a single-node installation process.

Software requirements

The installer is a self-extracting binary that contains the all of the necessary components to run Package Security Manager (On-prem) services. The basic requirements prior to installation are:

• Any Linux variant capable of supporting Docker

• Use a fully qualified domain name (FQDN) or Hostname

• DNS record and TLS/SSL certs (optional)

• Make sure that SELinux is not in enforcing mode, either by disabling it or putting it in permissive mode in the /etc/selinux/config file. If it is in enforcing mode, you will need to reboot your instance after updating. After rebooting, run the following command to verify that SELinux is not being enforced:

# The result should be either Disabled or Permissive
getenforce

Docker requirements

• Docker Engine 23.x+ (Supports Compose format 3.8)

• Docker Compose 2.1+ (Supports Compose format 3.8)

Podman requirements

• RHEL8+

• Package Security Manager version 6.3.0+

• Podman version 4.0.2+

• Netavark network plugin

• Docker Compose 2.1+ (Supports Compose format 3.8)

• podman-docker

Complete the Podman setup

Podman setup requires you to download and configure the podman-docker package. This package converts docker commands into their corresponding podman commands.

Note

You might need to work with your IT department to secure the podman-docker package.

1. Install the required software by running the following commands:

   sudo yum install -y podman-docker
   sudo yum install netavark
   curl -SL https://github.com/docker/compose/releases/download/v2.23.0/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
   

2. Using your preferred file editor, open the usr/share/containers/containers.conf file and verify the network_backend= value is set to "netavark". If it is not, set the value now, and save your changes.

3. If necessary, make your docker-compose volume executable by running the following command:

   sudo chmod +x /usr/local/bin/docker-compose
   

4. Create a symbolic link by running the following command:

   sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
   

5. Enable the podman.socket by running the following commands:

   sudo systemctl enable --now podman.socket
   sudo systemctl status podman.socket
   

6. Verify that the podman socket works by running the following command:

   sudo curl -w "\n" -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/_ping
   

Additional recommendations

• RHEL7/CentOS7: The most popular choice for most Package Security Manager users, and what Anaconda has the most experience supporting. The versions of Docker and Docker Compose available through the default yum package repository are sufficient.

• Ubuntu 20.04 LTS: This has proven to be a reliable choice for customers as well, using the versions of Docker and Docker Compose available in the default apt-get package repository.

• Other Linux variants that provide full support for Docker and Docker Compose are likely to work as well, but we invite you to inquire with the Anaconda implementation team for our most up-to-date experience.

For Docker, the default log driver must be configured to the json-file.

For Red Hat systems, please refer to the Default options for modifying docker daemon options. To verify that you’re running the json-file, run the following command:

docker info --format '{{.LoggingDriver}}'

DNS and TLS/SSL certificate requirements

Package Security Manager can use TLS/SSL certificates to provide transport layer security for the cluster. If you do not have these certs prior to installation, self-signed certificates can be generated during the initial installation. You can configure the platform to use organizational TLS/SSL certificates after completing the installation.

You may purchase certificates commercially, use Let’s Encrypt, or generate them using your organization’s internal public key infrastructure (PKI) system. When using an internal PKI-signed setup, the CA certificate is stored on the file system. You will need to make sure that the root certificate of your certificate authority is trusted by the server running the application and the workstations used by users of the application.

In either case, the configuration will include the following:

• A certificate for the root certificate authority (CA)

• An intermediate certificate chain

• A server certificate

• A private server key

DNS requirements

Web browsers use domain names and web origins to separate sites, so they cannot tamper with each other. If you want to use DNS, you must have it ready prior to installation. This DNS name is what users will use to access the application.

You must provide the SSL cert for the hostname your Package Security Manager instance is running on.

Security requirements

External — accessible outside of server

It is important to protect all services running on the node from outside access. The exceptions are as shown below:

• :443 nginx - only if you are using HTTPS

• :22 ssh - optional; only if you need SSH

Internal — accessible only within server

Note

This is only necessary in a multi-node install. Please contact your implementation representative for more information.

Package Security Manager uses several ports for internal communication between components. These ports do not need to be open to the end user.

• :5000 repo - Package Security Manager API

• :5002 repo-proxy - Package Security Manager file serving API proxy

• :5000 repo-dispatcher - Package Security Manager event dispatcher/handler (exposed only for prometheus metrics)

• :5000 repo-worker - Package Security Manager scheduled jobs worker (exposed only for prometheus metrics)

• :8080 keycloak - keycloak’s /auth/* endpoints are proxied in Nginx

• :5432 postgres - Postgresql database used by Package Security Manager and Keycloak

• :6379 redis - Redis instance used by Package Security Manager services

• :9090 prometheus - Prometheus is proxied in Nginx at /Prometheus

To change the postgres user password, run \password postgres when in the shell of the postgres container.

To change the redis user password, follow the instructions under Troubleshooting.

Enable IP address forwarding

Forwarding IP addresses allows containers to communicate with one another on your host. You’ll need to configure these settings to allow non-root users to perform installations of Package Security Manager.

sysctl net.ipv4.conf.all.forwarding=1
sysctl net.ipv6.conf.all.forwarding=1
iptables -P FORWARD ACCEPT

System validation checks

Once your environment is prepared, run the following commands to verify it is ready for installation of Package Security Manager.

System validation

To verify what type of processor your system is running and the number of CPUs present, run the command:

cat /proc/cpuinfo

To verify the amount of system memory is sufficient, run the command:

cat /proc/meminfo

To verify there is a sufficient amount of disk space for the installation, run the command:

df -h

To verify the kernel release version and processor type, run the command:

uname -a

To verify your operating system release version, run the command:

cat /etc/os-release

To verify your version of Docker, run the command:

docker version

To verify your version of docker-compose, run the command:

docker compose --version

---

After ensuring all requirements have been met, proceed to Standard installation to install Package Security Manager.