Linux Prerequisites

Learn about prerequisites for installing Oracle Communications Unified Assurance on Linux environments.

Choosing an Operating System Installation Type

Unified Assurance requires various components that are installed as part of the base operating system, and a minimal installation has been shown to be missing one or more important applications. Oracle recommends using either a Base or Cloud installation type, depending on the operating system.

The following command can be used to update to a Base installation, as well as verify that all needed base packages have been installed:

yum groupinstall "Base"

Configuring FIPS 140-2 Compliance in Oracle Linux 8

Unified Assurance installed on Oracle Linux 8 supports FIPS 140-2 compliance. Customers installing Unified Assurance 6.0.4 must use Oracle Linux 8 and can optionally configure FIPs mode for Linux as described in FIPS 140-2 Compliance in Oracle Linux 8 in Oracle Linux 8 Enhancing System Security.

Customers updating or upgrading to 6.0.4 can optionally remain on Linux 7, where FIPS compliance is not supported.

Configuring SELinux

Unified Assurance version 6.0.4 does not support setting SELinux to enforcing mode. To use Unified Assurance when SELinux is set to enforcing, use Unified Assurance version 6.0.5.

Installing NTP

Before installing Unified Assurance, install and configure the Network Time Protocol (NTP) on all servers that will be part of your Unified Assurance environment. It is essential that all servers have the time synchronized to ensure proper functionality. Consult with your operating system documentation to determine the best NTP strategy for your organization.

Setting Up and Testing DNS Entries

Before installing Unified Assurance, you must set up DNS for your environment. All Unified Assurance servers must be able to communicate with one another using the Host FQDN entries and Web FQDN entry (or entries) from each server to each server.

You can test server communication by doing the following:

• From the presentation servers, ping the HostFQDN entries for each server (including the local one), and make sure the WebFQDN is also resolving properly.

• From the database servers, ping the HostFQDN entries for each server (including the local one), and make sure the WebFQDN is also resolving properly.

• From the collection servers, ping the HostFQDN entries for each server (including the local one), and make sure the WebFQDN is also resolving properly.

Opening Ports

Unified Assurance uses several network ports for communication between components. These need to be opened bidirectionally through your local operating system firewall, network firewalls, and network access control lists (ACLs).

Open the following ports in firewalls:

• To allow HTTP communication and cross server communication with the presentation servers:

  • Port TCP/80: Standard Web (HTTP)

  • Port TCP/443: Secure Web (HTTPS)

  • Port TCP/5671: RabbitMQ

  • Port TCP/5601: Kibana

• To allow communication with the databases:

  • Port TCP/3306: MySQL (presentation server and database server)

  • Port TCP 5000, TCP/7473, TCP/7687: Neo4j (database server)

  • Port TCP/8086: InfluxDB (database server)

  • Port TCP/9200: Elasticsearch (database server)

  • Port TCP/9093: Kafka (database server)

• To support data collection:

  • Port UDP/161: SNMP Monitoring (all servers)

  • Port UDP/162: Trapd (collection servers)

  • Port UDP/514: Syslog (collection servers)

  • Port TCP/10080: WebHook Aggregator (collection servers)

• To support database redundancy and file synchronization:

  • Port TCP/4369, TCP/25671: RabbitMQ (presentation servers)

  • Port TCP/8055, TCP/8056: Redundancy Wizard (presentation servers and database servers)

  • Port TCP/8873: Unison file synchronization (presentation servers)

  • Port TCP/9093: Kafka (InfluxDB redundancy on database servers)

• To support Docker and microservices:

  • Port TCP/179: Kubernetes Calico BGP

  • Port TCP/2379: Kubernetes etcd client

  • Port TCP/2380: Kubernetes etcd peer

  • Port TCP/5005: Docker Registry

  • Port TCP/6443: Kubernetes API controlplane

  • Port TCP/8080: Helm ChartMuseum

  • Port TCP/8081: Apache Guacamole

  • Port UDP/8472: Flannel/VxLAN overlay network

  • Port TCP/9080: Kubernetes HTTP ingress control

  • Port TCP/9443: Kubernetes HTTPS ingress control

  • Port TCP/10250: Kubernetes kubelet controlplane

  • Port TCP/10251: Kubernetes kube-scheduler

  • Port TCP/10252: Kubernetes kube-controller-manager

  • Port TCP/10255: Kubernetes kubelet API server for read-only access with no authentication

  • Port TCP/30000-30127: Kubernetes NodePort range for dynamic port assignment

• To support Apache Pulsar:

  • Port TCP/2181: Pulsar ZooKeeper

  • Port TCP/3181: Pulsar BookKeeper

  • Port TCP/6550: Pulsar Broker

  • Port TCP/6551: Pulsar Broker TLS

  • Port TCP/8080: Pulsar Web Service

  • Port TCP/8443: Pulsar Web Service SSL

Configuring firewalld

You configure firewalld to open the ports described in Opening Ports and perform other configurations required for communication within the Unified Assurance cluster.

To configure firewalld, on all cluster nodes:

1. Create the firewalld service file for Unified Assurance:

   cat <<'EOM' >/etc/firewalld/services/ocua.xml
   <?xml version="1.0" encoding="utf-8"?>
   <service>
     <short>OCUA</short>
     <description>Ports needed for OCUA</description>
     <port protocol="tcp" port="80"/>
     <port protocol="udp" port="161"/>
     <port protocol="udp" port="162"/>
     <port protocol="tcp" port="179"/>
     <port protocol="tcp" port="443"/>
     <port protocol="udp" port="514"/>
     <port protocol="tcp" port="2181"/>  
     <port protocol="tcp" port="2379"/>
     <port protocol="tcp" port="2380"/>
     <port protocol="tcp" port="2424"/>
     <port protocol="tcp" port="2425"/>
     <port protocol="tcp" port="2426"/>
     <port protocol="tcp" port="2427"/>
     <port protocol="tcp" port="2428"/>
     <port protocol="tcp" port="2429"/>
     <port protocol="tcp" port="2430"/>
     <port protocol="tcp" port="2434"/>
     <port protocol="tcp" port="2486"/>
     <port protocol="tcp" port="2487"/>
     <port protocol="tcp" port="2488"/>
     <port protocol="tcp" port="2489"/>
     <port protocol="tcp" port="2490"/>
     <port protocol="tcp" port="3181"/>
     <port protocol="tcp" port="3306"/>
     <port protocol="tcp" port="4369"/>
     <port protocol="tcp" port="5000"/>
     <port protocol="tcp" port="5005"/>
     <port protocol="tcp" port="5601"/>
     <port protocol="tcp" port="5671"/>
     <port protocol="tcp" port="6443"/>
     <port protocol="tcp" port="6550"/>
     <port protocol="tcp" port="6551"/>      
     <port protocol="tcp" port="7473"/>
     <port protocol="tcp" port="7687"/>
     <port protocol="tcp" port="8055"/>
     <port protocol="tcp" port="8056"/>
     <port protocol="tcp" port="8080"/>
     <port protocol="tcp" port="8081"/>      
     <port protocol="tcp" port="8086"/>
     <port protocol="tcp" port="8443"/>
     <port protocol="udp" port="8472"/>      
     <port protocol="tcp" port="8873"/>
     <port protocol="tcp" port="9080"/>   
     <port protocol="tcp" port="9093"/>
     <port protocol="tcp" port="9200"/>
     <port protocol="tcp" port="9443"/>   
     <port protocol="tcp" port="10080"/>
     <port protocol="tcp" port="10250"/>
     <port protocol="tcp" port="10251"/>
     <port protocol="tcp" port="10252"/>
     <port protocol="tcp" port="10255"/>      
     <port protocol="tcp" port="25671"/>
     <port protocol="tcp" port="30000-30127"/>   
   </service>
   EOM
   

2. Enable firewalld:

   systemctl enable firewalld
   

3. Enable the ocua firewalld service:

   firewall-cmd --zone=public --permanent --add-service=ocua
   

4. Enable transparent masquerading:

   modprobe br_netfilter
   

5. Enable IP masquerading:

   firewall-cmd --add-masquerade --permanent
   

6. Add a rich rule to allow the Docker container to access the node's local host:

   firewall-cmd --zone=public --permanent --add-rich-rule 'rule source address=<Docker_container_IP_address>/16 accept'
   

   By default, the rule is added for both IPv4 and IPv6. To limit the rule family to IPv4 or IPv6 only, include the family option to specify it. For example:

   firewall-cmd --zone=public --permanent --add-rich-rule 'rule family=ipv4 source address=<Docker_container_IP_address>/16 accept'
   

7. Repeat the following command, changing the IP address for each node in the cluster, to allow each other node to access the current node:

   firewall-cmd --zone=public --permanent --add-rich-rule 'rule source address=<other_node_IP_address>/32 accept'
   

   Tip:

   You can get node IP addresses by running the ifconfig command.

8. Reload firewalld:

   firewall-cmd --reload
   

9. Set bridged packets to traverse iptables rules by create the /etc/sysctl.d/a1cluster.conf file:

   touch /etc/sysctl.d/a1cluster.conf
   cat < /etc/sysctl.d/a1cluster.conf
   net.bridge.bridge-nf-call-ip6tables = 1
   net.bridge.bridge-nf-call-iptables = 1
   EOF
   

10. Load the new system rules:

    sysctl --system
    

11. Reboot all cluster nodes.

Setting Up Proxies

Set the following environment variables:

• https_proxy: Set to the proxy connection string detailing the proxy server, username and password, port, and so on. For example, http://myproxy.example.com:3128/

• no_proxy: Set to the comma-separated list of domains or IP addresses that should NOT be proxied. For example, .example.com,localhost,127.0.0.1,WEBFQDN.

  To prevent proxied API requests between Unified Assurance servers, this should at least contain the server's local domain.

You can set these in either of the following files:

• /etc/environment: Used by non-interactive sessions like daemons. You must restart or log in again for the file to take effect. Add the following variables to the file:

  https_proxy=PROXYSTRING
  no_proxy=NOPROXYSTRING
  

• /etc/profile.d/proxy.sh: Used by interactive sessions. You must create the file, then restart or log in again for the file to take effect. Add the following to the file:

  export https_proxy=PROXYSTRING
  export no_proxy=NOPROXYSTRING
  

Setting Up the System User Group

The Unified Assurance installer creates a user group called assure1 with ID 60 by default. If another user group already uses that ID, you must manually create the assure1 user group with a different ID.

To check whether a system user group is already using ID 60, run the following command on each Unified Assurance server:

getent group 60

If an existing group is returned, create the assure1 group by running the following command:

/usr/sbin/groupadd -r -g <group_id> assure1

where <group_id> is an unused ID.