Configuration Requirements

CAUTION
You must complete all configuration tasks prior to installing HPE Ezmeral Runtime Enterprise on the hosts.

Some configuration requirements for HPE Ezmeral Runtime Enterprise vary by OS.

SLES Requirements

When HPE Ezmeral Runtime Enterprise is running on SLES, the following general configuration is required on all hosts:

  • Sudo must be installed.
  • On SLES 15 SP3, HPE Ezmeral Runtime Enterprise supports firewalld using the iptables backend. Edit /etc/firewalld/firewalld.conf to change the value of FirewallBackend to iptables, then restart the firewalld service.
  • SELinux, if enabled, must use the targeted policy, as described here (link opens an external website in a new browser tab or window).**
  • AppArmor is not supported.**
  • Systemd is supported in legacy mode.**
  • IPv6 is not supported and must be disabled.**

The following SLES kernel command line configures the preceding items marked with asterisks (**):

systemd.unified_cgroup_hierarchy=0 systemd.legacy_systemd_cgroup_controller=1 apparmor=0 cgroup_enable=memory swapaccount=1 ipv6.disable=1 security=selinux selinux=1

Also, the GRUB2 boot loader must be updated, as described here (link opens an external website in a new browser tab or window).
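
An added example (not from the HPE documentation) that compares a kernel command line with the parameters listed above and reports each one that is missing, set to another value, or set more than once with different values. The function name check_cmdline and the MISSING/MISMATCH/AMBIGUOUS labels are assumptions of this example.

```shell
#!/bin/sh
# Added example; names are hypothetical and not part of the product.

# Parameters copied from the SLES kernel command line shown above.
REQUIRED="systemd.unified_cgroup_hierarchy=0 systemd.legacy_systemd_cgroup_controller=1 apparmor=0 cgroup_enable=memory swapaccount=1 ipv6.disable=1 security=selinux selinux=1"

# $1 = kernel command line to check (defaults to the running kernel's).
# Prints one line per problem and returns 1 if any problem was found.
check_cmdline() {
    cmdline=${1-$(cat /proc/cmdline)}
    status=0
    for want in $REQUIRED; do
        key=${want%%=*}; exact=no; other=""
        for tok in $cmdline; do
            case $tok in
                "$want") exact=yes ;;                 # required token present
                "$key="*) other="$other $tok" ;;      # same key, other value
            esac
        done
        if [ "$exact" = no ] && [ -z "$other" ]; then
            echo "MISSING $want"; status=1
        elif [ "$exact" = no ]; then
            echo "MISMATCH $want (found:$other)"; status=1
        elif [ -n "$other" ]; then
            # Both values are present; which one takes effect is not
            # decided here, so the line is flagged for manual review.
            echo "AMBIGUOUS $want (also:$other)"; status=1
        fi
    done
    return $status
}

# Constructed sample line (AppArmor left enabled, most parameters absent).
check_cmdline "root=/dev/sda2 apparmor=1 selinux=1" || true
```

Run check_cmdline with no argument on a host after the GRUB2 update and reboot to check /proc/cmdline.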

Common Host Packages (SLES)

All HPE Ezmeral Runtime Enterprise hosts that have SLES v15 SP5 must have the following modules enabled:

  • SUSEConnect --cleanup
  • SUSEConnect -p sle-module-containers/15.5/x86_64
  • SUSEConnect -p PackageHub/15.5/x86_64
  • SUSEConnect -p sle-module-legacy/15.5/x86_64
  • SUSEConnect -p sle-module-python2/15.5/x86_64
  • SUSEConnect -p sle-module-basesystem/15.5/x86_64
  • SUSEConnect -p sle-module-desktop-applications/15.5/x86_64
  • SUSEConnect -p sle-module-development-tools/15.5/x86_64

All HPE Ezmeral Runtime Enterprise hosts that have SLES v15 SP3 must have the following modules enabled:

  • SUSEConnect -p PackageHub/15.3/x86_64
  • SUSEConnect -p sle-module-legacy/15.3/x86_64
  • SUSEConnect -p sle-module-python2/15.3/x86_64
  • SUSEConnect -p sle-module-basesystem/15.3/x86_64
  • SUSEConnect -p sle-module-public-cloud/15.3/x86_64
  • SUSEConnect -p sle-module-desktop-applications/15.3/x86_64

All HPE Ezmeral Runtime Enterprise hosts that have SLES v15 SP2 must have the following modules enabled:

  • SUSEConnect -p PackageHub/15.2/x86_64
  • SUSEConnect -p sle-module-legacy/15.2/x86_64
  • SUSEConnect -p sle-module-python2/15.2/x86_64
  • SUSEConnect -p sle-module-basesystem/15.2/x86_64
  • SUSEConnect -p sle-module-public-cloud/15.2/x86_64
  • SUSEConnect -p sle-module-desktop-applications/15.2/x86_64

Primary Controller and Shadow Controller Host Packages (SLES)

The Controller host (and Shadow Controller host, if platform HA is enabled) must have the following SLES module enabled in addition to the common packages listed in Common Host Packages (SLES):

  • SP5: SUSEConnect -p sle-ha/15.5/x86_64
  • SP3: SUSEConnect -p sle-ha/15.3/x86_64
  • SP2: SUSEConnect -p sle-ha/15.2/x86_64

The Arbiter host does not require the preceding module to be enabled.

Additional Kubernetes Requirements (SLES)

The following additional requirement applies to Kubernetes within HPE Ezmeral Runtime Enterprise on SLES:

RHEL Requirements

When HPE Ezmeral Runtime Enterprise is running on RHEL, the following general configuration is required on all hosts:

User Account

For information about the requirements for the user account that will be installing HPE Ezmeral Runtime Enterprise, see User Account.

Console and SSH access to either the root account or a non-root user account with sudo privileges is required. See Restricted Sudo Requirements and Configuration Requirements.

SSHD

Controls how the Controller communicates with Workers. See SSHD.

ARP

Address Resolution Protocol. See ARP.

umask values

The supported umask values are 022, 027, or 077.

SSL certificate

Install an SSL certificate if you will be accessing the web interface through https:// and not http://. See SSL Certificate.

SELinux/IPtables

See SELinux/IPtables.

IPv6

IPv6 is not supported. However, the IPv6 module must be enabled but not used. Enabling the IPv6 module helps to avoid runtime errors and warnings.

Version-specific configuration requirements:

RHEL 7
  • On all hosts, you need the following subscriptions enabled:
    • rhel-7-server-rpms
    • rhel-7-server-optional-rpms
    • rhel-7-server-extras-rpms
  • Along with the preceding channels, on Controller and Shadow controller, you need the following subscription enabled:
    • rhel-ha-for-rhel-7-server-rpms

    The Arbiter host does not require the HA module to be enabled.

RHEL 8
  • On Kubernetes hosts, you need the following subscriptions enabled:
    • rhel-8-server-rpms
    • rhel-8-server-optional-rpms
  • Along with the preceding channels, on Controller and Shadow controller, you need the following subscription enabled:
    • rhel-8-for-x86_64-highavailability-rpms

    The Arbiter host does not require the HA module to be enabled.

OS Locale

To install HPE Ezmeral Runtime Enterprise on a host, the system locale setting must be set to United States English with UTF-8 encoding. For example:

LANG=en_US.UTF-8

User Account

Console and SSH access to either the root account or a non-root user account with sudo privileges is required.

The user account requirements are the following:

  • The user account that is employed for the initial installation must also be available on all hosts that will be added as Worker hosts. Credentials for that account (either password or SSH key) must be available for all hosts.
  • If you are installing as the root user, then SSHD must be configured to allow root login on all hosts, as described in SSHD.
  • If you are installing as a non-root user, then that user (for example, the service user account) must have sudo permissions to execute the specific binaries listed in Restricted Sudo Requirements without restrictions on all hosts in the deployment.
    • By default, the sudoers file is configured to include files located in the /etc/sudoers.d directory. Do not change this default configuration.
    • The non-root service account user must be part of these groups: docker, nagios, and apache. If the user is not part of these groups, you must add the user to the groups manually.

SSHD

The SSHD service allows the Controller host to communicate directly with Worker hosts through passwordless SSH when adding the Worker hosts. If enabled, every host must have the OpenSSH server and client service running on port 22 with a umask of either 022, 027, or 077.

The following configuration only affects how the Controller communicates with Workers. It does not affect user access to containers through SSH.

The following parameters must be set in /etc/ssh/sshd_config on the Controller host and on each Worker host:

  • PubkeyAuthentication=true
  • AuthorizedKeysFile=.ssh/authorized_keys
  • PermitRootLogin=yes (if the Controller will be accessing the Workers as the root user. If the Controller will be acting as a non-root user, then this parameter is not required.)

Thus:

  • If PermitRootLogin=yes and PubkeyAuthentication=true, then install as the root user.
  • If PermitRootLogin=no but PubkeyAuthentication=true, then install as a non-root user.
  • If PubkeyAuthentication=false, then use the --worker-agent-install option when installing the Controller host and the CLI agent when installing Worker hosts, as described in Standard Installation and Using the Pre-Check Script, respectively.

After you make changes to SSHD parameters, execute the service sshd restart command.

NOTE
If your environment does not permit passwordless SSH access for the installing user on all hosts in the deployment, then you must use the agent as described in Using the Pre-Check Script, Standard Installation, and Agent-Based Kubernetes Host Installation.
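
An added example (not from the HPE documentation) that reads an sshd_config-style file and applies the three rules above to report which installation path the host supports. The function names sshd_value and install_mode are hypothetical, Match blocks are not evaluated, and only PermitRootLogin yes is treated as allowing a root install.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of the product.

# Print the first value of keyword $1 in sshd_config-style file $2.
# sshd uses the first value it obtains for a keyword and matches keywords
# case-insensitively. Parsing stops at the first Match block (assumption:
# conditional overrides are out of scope for this check).
sshd_value() {
    awk -v want="$(printf %s "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/); if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "match") exit
            if (key == want) { print val; exit }
        }' "$2"
}

# Map a config file to the install path from the three rules above:
# prints root, non-root, or agent.
install_mode() {
    pubkey=$(sshd_value PubkeyAuthentication "$1" | tr 'A-Z' 'a-z')
    root=$(sshd_value PermitRootLogin "$1" | tr 'A-Z' 'a-z')
    akf=$(sshd_value AuthorizedKeysFile "$1")
    case " ${akf:-.ssh/authorized_keys} " in
        *" .ssh/authorized_keys "*) ;;
        *) echo "warning: AuthorizedKeysFile is '$akf'" >&2 ;;
    esac
    case ${pubkey:-yes} in            # unset: OpenSSH defaults to yes
        no|false) echo agent; return 0 ;;
    esac
    # Only the value the page names (yes) selects a root install; an unset
    # or restricted PermitRootLogin falls through to non-root.
    if [ "$root" = yes ]; then echo root; else echo non-root; fi
}

# Constructed sample input, not taken from a real host. The first
# PermitRootLogin line wins, so this reports non-root.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'PubkeyAuthentication yes' \
    'AuthorizedKeysFile .ssh/authorized_keys' 'PermitRootLogin no' \
    'PermitRootLogin yes' > "$sample"
echo "sample config -> $(install_mode "$sample")"
rm -f "$sample"
```

A result of agent corresponds to the --worker-agent-install path described above.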

ARP

The ARP settings in the /etc/sysctl.conf configuration file for arp_announce and arp_ignore should be set to 0.

net.ipv4.conf.eth0.arp_ignore=0
net.ipv4.conf.eth0.arp_announce=0

SSL Certificate

If you want to access the web interface using a secure (https://) connection instead of a standard, non-secured connection (http://), then you must have both an SSL certificate and private key available when you install HPE Ezmeral Runtime Enterprise. You can either use a self-generated certificate or obtain a certificate from a trusted Certificate Authority (CA). See Transport Layer Certificate (link opens an external website in a new browser/tab) for more information about SSL and certificates.

SELinux/IP Tables

For the Controller and any Worker hosts, you may choose to configure your deployment with or without these services. This decision cannot be changed after HPE Ezmeral Runtime Enterprise is installed.

SELinux is supported on HPE Ezmeral Runtime Enterprise 5.2 and later in Enforcing, Permissive, and Disabled mode as follows:

  • To enable Enforcing mode on nodes that are part of HPE Ezmeral Data Fabric on Kubernetes, contact Hewlett Packard Enterprise Support.
  • The mode cannot be changed after installing HPE Ezmeral Runtime Enterprise.
  • On SLES 15 SP2 and SLES 15 SP3, SELinux is supported with HPE-installed policies only.

IPv6

HPE Ezmeral Runtime Enterprise does not support IPv6. For configuration requirements, see RHEL Requirements and SLES Requirements.

(Optional) Container Security (Falco) Support

HPE Ezmeral Runtime Enterprise supports the Container Security (Falco) service. For more information, see Falco Container Runtime Security.