Preparing Your Environment

• Checking Your Firewall Settings
• Enabling the Masquerade Setting in the Firewall
• Modifying the System Clock
• Checking Password Authentication Settings
• Ensuring That Required OS Packages Are Installed
• Checking MAC and Cipher Algorithms
• Setting System Parameters (Network Bridging)
• Understanding Example Files
• Removing Libraries to Prevent Ingress
• Configuring Elasticsearch Settings

 

Checking Your Firewall Settings

Ensure that the firewalld.service is enabled and running on all nodes.

# systemctl start firewalld

# systemctl enable firewalld

 

Enabling the Masquerade Setting in the Firewall

You must enable the masquerade setting only when the firewall is enabled.

Run the following command on all master and worker nodes to check whether the masquerade setting is enabled:

# firewall-cmd --query-masquerade

• If the returned value is yes, the masquerade setting is enabled.
• If the returned value is no, run the following commands to enable the masquerade setting in the firewall.

# firewall-cmd --add-masquerade --permanent
# firewall-cmd --reload

 

Modifying the System Clock

A network time server must be available. chrony implements this protocol and is installed by default on some versions of RHEL and CentOS. chrony must be installed on every node.

Verify the chrony configuration by using the command:

# chronyc tracking

To install chrony, start the chrony daemon, then verify operation with these commands:

# yum install chrony 
# systemctl start chronyd
# systemctl enable chronyd
# chronyc tracking

 

Checking Password Authentication Settings

If you use a user name and password authentication for adding cluster nodes during the installation, ensure that the PasswordAuthentication parameter in the /etc/ssh/sshd_config file is set to "yes."

There is no need to check the password authentication setting when you add the cluster nodes using a user name and key authentication.

To ensure the password authentication is enabled, perform the following steps on every master and worker node:

1. Log on to the cluster node.
2. Open the following file:

/etc/ssh/sshd_config

3. Check if the parameter PasswordAuthentication is set to yes. If not, set the parameter to yes as below.

PasswordAuthentication yes

4. Run the following command to restart the sshd service:

systemctl restart sshd.service

 

Ensuring That Required OS Packages Are Installed

The packages listed in the following table are required on one or more node types, as shown here. These packages are available in the standard yum repositories.

Additional Information

• tar is required for tar images. If you do not have tar installed, the following error displays during installation:
2020-12-22T20:37:47.380684729-06:00 FATAL The metadata package metadata/arcsight-installer-metadata-22.1.0.16.tar does not have the correct internal structure. Refer to /tmp/install.20201222203742.log file for detail information. If need, please contact system administrator or Micro Focus support.
• Below are yum example lines including all the required packages for each node type.
  • Master Nodes
  # yum install conntrack-tools container-selinux curl device-mapper-libs httpd-tools java-1.8.0-openjdk openssl libgcrypt libseccomp libtool-libs libtool-ltdl lvm2 net-tools nfs-utils rpcbind socat systemd-libs unzip bind-utils tar
  • Worker Nodes
  # yum install conntrack-tools container-selinux curl device-mapper-libs httpd-tools libgcrypt openssl libseccomp libtool-libs libtool-ltdl lvm2 net-tools nfs-utils rpcbind socat systemd-libs unzip tar
  • NFS
  yum install nfs-utils rpcbind

 

Package Name	Required by Master Nodes?	Required by Worker Nodes?	Required by NFS Server?
conntrack-tools	Yes	Yes	No
container-selinux (package version 2.74 or later)	Yes	Yes	No
curl	Yes	Yes	No
device-mapper-libs	Yes	Yes	No
httpd-tools	Yes	Yes	No
java-1.8.0-openjdk	Yes	No	No
libgcrypt	Yes	Yes	No
libseccomp	Yes	Yes	No
libtool-ltdl	Yes	Yes	No
lvm2	Yes	Yes	No
net-tools	Yes	Yes	No
nfs-utils	Yes	Yes	Yes
rpcbind	Yes	Yes	Yes
socat	Yes	Yes	No
systemd-libs (version >= 219)	Yes	Yes	No
unzip	Yes	Yes	No
bind-utils	Yes	Yes	No
openssl	Yes	Yes	No

To check for prior installation of any of these packages:

1. Set up the yum repository on your server.
2. Run this command:

# yum list installed <package name>

3. This command returns an exit status code where:

0 indicates the package is installed

1 indicates the package is not installed (does not check whether the package is valid)

To install a required package:

Run the following command:

# yum -y install <package name>

 

Checking MAC and Cipher Algorithms

Ensure that the /etc/ssh/sshd_config files on every master and worker nodes are configured with at least one of the following values, which lists all supported algorithms. Add only the algorithms that meet the security policy of your organization.

To verify configurations:

• For MAC algorithms:

hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-96

• For Cipher algorithms:

3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,blowfish-cbc

For example, you could add the following lines to the /etc/ssh/sshd_config files on all master and worker nodes:

MACs hmac-sha2-256,hmac-sha2-512
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr

 

Setting System Parameters (Network Bridging)

1. Log in to the node.
2. Run the following command:

# echo -e "\nnet.bridge.bridge-nf-call-ip6tables=1\nnet.bridge.bridge-nf-call-iptables=1" >> /etc/sysctl.conf

3. Run the following command:

   echo "br_netfilter" > /etc/modules-load.d/br_netfilter.conf

4. Run the following commands:

# modprobe br_netfilter && sysctl -p
# echo -e '\nmodprobe br_netfilter && sysctl -p' >> /etc/rc.d/rc.local# chmod +x /etc/rc.d/rc.local

5. Open the following file in a text editor:

/etc/sysctl.conf

6. (Conditional) If installing on RHEL or CentOS earlier than version 8.1, change the following if the line exists.

net.ipv4.tcp_tw_recycle=1 to net.ipv4.tcp_tw_recycle=0

7. (Conditional) If installing on RHEL or CentOS 8.1 or later, remove or comment out this line, if it exists.

net.ipv4.tcp_tw_recycle=

8. Save your changes and close the file.
9. Run this command to apply your updates to the node:

# sysctl -p

 

Understanding Example Files

To view example files:

Example sysctl.conf file for RedHat/CentOS version 7.x:

net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
net.ipv4.tcp_tw_recycle=0
kernel.sem=50100 128256000 50100 2560

Example sysctl.conf file for RedHat/CentOS 8.1 or later:

net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
kernel.sem=50100 128256000 50100 2560

 

Removing Libraries to Prevent Ingress

You must remove any libraries that will prevent ingress from starting.

1. Run the following command:

# yum remove rsh rsh-server vsftpd

2. Confirm the removal when prompted.

 

Configuring Elasticsearch Settings

To ensure the Elasticsearch pods run after deployment and the Elasticsearch cluster is accessible:

1. Launch a terminal session and log in to a worker node.
2. Change to the following directory:

cd /etc/

3. In the sysctl.conf file, add the following:

vm.max_map_count=262144

4. Restart the node:

reboot

5. Repeat steps 1-4 on all worker nodes.