Linux Prerequisites

Learn about prerequisites for installing Oracle Communications Unified Assurance on Linux environments.

Choosing an Operating System Installation Type

Unified Assurance requires various components that are installed as part of the base operating system. Because a minimal installation is missing one or more important applications, Oracle recommends using either a Base or Cloud installation type, depending on the operating system.

You can use the following command to update to a Base installation, and verify that all required base packages have been installed:

dnf groupinstall "Base"

Configuring FIPS 140-2 Compliance in Oracle Linux 8

Unified Assurance installed on Oracle Linux 8 supports FIPS 140-2 compliance. Customers installing Unified Assurance on Oracle Linux 8 can optionally configure FIPs mode for Linux as described in FIPS 140-2 Compliance in Oracle Linux 8 in Oracle Linux 8 Enhancing System Security.

Installing Required Package Dependencies

The Unified Assurances installation RPM has dependencies on the following packages:

selinux-policy-targeted version 3.14.3 or later
policycoreutils version 2.9 or later
policycoreutils-python-utils version 2.9 or later

Although these packages are required to support SELinux, you must install them regardless of whether you are enabling SELinux or not.

To install the packages, run the following command:

dnf install selinux-policy-targeted policycoreutils policycoreutils-python-utils

Configuring SELinux

Before installing Unified Assurance on an SELinux-enabled system, you must:

Prepare security contexts by:
- Using the semanage tool to allow the Unified Assurance parent directory (by default, this is opt) to be a valid parent directory for home directories. By default, SELinux does not allow the Unified Assurance assure1 user, created by the installer with the useradd command, to have a home directory other than /home.
- Removing any security context conflicts and existing security contexts from the Unified Assurance parent directory. The Unified Assurance RPM sets up new security contexts, which may conflict with any existing security contexts already on the system, or left from previous Unified Assurance installations.
See Preparing Security Contexts.
Install the correct SELinux container package for servers that will run Docker. See Installing the Docker SELinux Package.

Note:

Unified Assurance versions earlier than 6.0.5 do not support setting SELinux to enforcing mode.

Preparing Security Contexts

Open the /etc/selinux/semanage.conf file in a text editor. The semanage tool is included in the Python policy core utilities package.
Change the usepasswd setting from false to true:
```
usepasswd=true
```
Save and close the file.
Set the file context for the Unified Assurance parent directory to the same as the home directory and check for security context conflicts by running the following command:
```
semanage fcontext -a -e /home /<parent_directory>
```
where <parent_directory> is the Unified Assurance parent directory (by default, opt).

Any conflicts appear as errors similar to the following:
```
ValueError: File spec /<parent_directory> conflicts with equivalency rule '/<parent_directory>/<path_to_conflict> /'
```

Remove any conflicts by running the following command:

semanage fcontext -d /<parent_directory>/<path_to_conflict>

Remove any existing local security contexts and resetting the defaults by running the following command:
```
semanage fcontext -d /<parent_directory>
restorecon -R /<parent_directory>
```

Installing the Docker SELinux Package

Servers that will run Docker require version 2.229.0 or later of the container-selinux package.

To install the package, run the following command:

dnf install container-selinux

You can run the ConfigSELinuxDocker application with the check argument to confirm which versions of required packages are installed.

Installing NTP

Before installing Unified Assurance, install and configure the Network Time Protocol (NTP) on all servers that will be part of your Unified Assurance environment. It is essential that all servers have the time synchronized to ensure proper functionality. Consult with your operating system documentation to determine the best NTP strategy for your organization.

You can use the chrony suite to configure network time. See Configuring Network Time in Oracle Linux 8 Setting Up Networking for more information.

Setting Up and Testing DNS Entries

Before installing Unified Assurance, you must set up DNS for your environment. All Unified Assurance servers must be able to communicate with one another using the Host FQDN entries and Web FQDN entry (or entries) from each server to each server.

Caution:

Do not configure environments using /etc/hosts entries or other manually-configured local services. DNS is required for all functionality to work properly across all servers in an installation.

You can test server communication by doing the following:

From the presentation servers, ping the HostFQDN entries for each server (including the local one), and make sure the WebFQDN is also resolving properly.
From the database servers, ping the HostFQDN entries for each server (including the local one), and make sure the WebFQDN is also resolving properly.
From the collection servers, ping the HostFQDN entries for each server (including the local one), and make sure the WebFQDN is also resolving properly.

Opening Ports

Unified Assurance uses several network ports for communication between components. These need to be opened bidirectionally through your local operating system firewall, network firewalls, and network access control lists (ACLs).

Open the following ports in firewalls:

To allow HTTP communication and cross server communication with the presentation servers:
- Port TCP/80: Standard Web (HTTP)
- Port TCP/443: Secure Web (HTTPS)
- Port TCP/4601: Kibana (used temporarily for migration to OpenSearch Dashboards after updating Unified Assurance)
- Port TCP/5671: RabbitMQ
- Port TCP/5601: OpenSearch Dashboards
To allow communication with the databases:
- Port TCP/3306: MySQL (presentation server and database server)
- Port TCP 5000, TCP/7473, TCP/7687: Neo4j (database server)
- Port TCP/8086: InfluxDB (database server)
- Port TCP/8200: Elasticsearch (database server, used temporarily for migration to OpenSearch after updating Unified Assurance)
- Port TCP/9200: OpenSearch (database server)
- Port TCP/9093: Kafka (database server)
To support data collection:
- Port UDP/161: SNMP Monitoring (all servers)
- Port UDP/162: Trapd (collection servers)
- Port UDP/514: Syslog (collection servers)
- Port TCP/10080: WebHook Aggregator (collection servers)
To support database redundancy and file synchronization:
- Port TCP/4369, TCP/25671: RabbitMQ (presentation servers)
- Port TCP/8055, TCP/8056: Redundancy Wizard (presentation servers and database servers)
- Port TCP/8873: Unison file synchronization (presentation servers)
- Port TCP/9093: Kafka (InfluxDB redundancy on database servers)
To support Docker and microservices:
- Port TCP/179: Kubernetes Calico BGP
- Port TCP/2379: Kubernetes etcd client
- Port TCP/2380: Kubernetes etcd peer
- Port TCP/5005: Docker Registry
- Port TCP/6443: Kubernetes API controlplane
- Port TCP/8080: Helm ChartMuseum
- Port TCP/8081: Apache Guacamole
- Port UDP/8472: Flannel/VxLAN overlay network
- Port TCP/9080: Kubernetes HTTP ingress control
- Port TCP/9443: Kubernetes HTTPS ingress control
- Port TCP/10250: Kubernetes kubelet controlplane
- Port TCP/10251: Kubernetes kube-scheduler
- Port TCP/10252: Kubernetes kube-controller-manager
- Port TCP/10255: Kubernetes kubelet API server for read-only access with no authentication
- Port TCP/30000-30127: Kubernetes NodePort range for dynamic port assignment
To support Apache Pulsar:
- Port TCP/2181: Pulsar ZooKeeper
- Port TCP/3181: Pulsar BookKeeper
- Port TCP/6550: Pulsar Broker
- Port TCP/6551: Pulsar Broker TLS
- Port TCP/8080: Pulsar Web Service
- Port TCP/8443: Pulsar Web Service SSL

To support Vision, open the following ports internally:

Port TCP/80: Vision web UI
Port TCP/9000: Vision API
Port TCP/9002: Vision scheduler
Port TCP/9006: Vision I/O

Configuring firewalld

You configure firewalld to open the ports described in Opening Ports and perform other configurations required for communication within the Unified Assurance cluster.

To configure firewalld, on all cluster nodes:

Create the ocua service file containing the ports to open externally:

cat <<'EOM' >/etc/firewalld/services/ocua.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>OCUA</short>
  <description>Ports needed for OCUA</description>
  <port protocol="tcp" port="80"/>
  <port protocol="udp" port="161"/>
  <port protocol="udp" port="162"/>
  <port protocol="tcp" port="179"/>
  <port protocol="tcp" port="443"/>
  <port protocol="udp" port="514"/>
  <port protocol="tcp" port="2181"/>  
  <port protocol="tcp" port="2379"/>
  <port protocol="tcp" port="2380"/>
  <port protocol="tcp" port="2424"/>
  <port protocol="tcp" port="2425"/>
  <port protocol="tcp" port="2426"/>
  <port protocol="tcp" port="2427"/>
  <port protocol="tcp" port="2428"/>
  <port protocol="tcp" port="2429"/>
  <port protocol="tcp" port="2430"/>
  <port protocol="tcp" port="2434"/>
  <port protocol="tcp" port="2486"/>
  <port protocol="tcp" port="2487"/>
  <port protocol="tcp" port="2488"/>
  <port protocol="tcp" port="2489"/>
  <port protocol="tcp" port="2490"/>
  <port protocol="tcp" port="3181"/>
  <port protocol="tcp" port="3306"/>
  <port protocol="tcp" port="4369"/>
  <port protocol="tcp" port="5000"/>
  <port protocol="tcp" port="5005"/>
  <port protocol="tcp" port="5601"/>
  <port protocol="tcp" port="5671"/>
  <port protocol="tcp" port="6443"/>
  <port protocol="tcp" port="6550"/>
  <port protocol="tcp" port="6551"/>      
  <port protocol="tcp" port="7473"/>
  <port protocol="tcp" port="7687"/>
  <port protocol="tcp" port="8055"/>
  <port protocol="tcp" port="8056"/>
  <port protocol="tcp" port="8080"/>
  <port protocol="tcp" port="8081"/>      
  <port protocol="tcp" port="8086"/>
  <port protocol="tcp" port="8443"/>
  <port protocol="udp" port="8472"/>      
  <port protocol="tcp" port="8873"/>
  <port protocol="tcp" port="9080"/>   
  <port protocol="tcp" port="9093"/>
  <port protocol="tcp" port="9200"/>
  <port protocol="tcp" port="9443"/>   
  <port protocol="tcp" port="10080"/>
  <port protocol="tcp" port="10250"/>
  <port protocol="tcp" port="10251"/>
  <port protocol="tcp" port="10252"/>
  <port protocol="tcp" port="10255"/>      
  <port protocol="tcp" port="25671"/>
  <port protocol="tcp" port="30000-30127"/>   
</service>
EOM

Create the ocuainternal service file containing the ports to open internally:

cat <<'EOM' >/etc/firewalld/services/ocuainternal.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>OCUA internal</short>
  <description>Internal ports needed for OCUA</description>
  <port protocol="tcp" port="80"/> 
  <port protocol="tcp" port="9000"/>
  <port protocol="tcp" port="9002"/>
  <port protocol="tcp" port="9006"/>
</service>
EOM

Enable firewalld:
```
systemctl enable firewalld
```

Enable the ocua firewalld service:

firewall-cmd --zone=public --permanent --add-service=ocua

Enable the ocuainternal firewalld service:

firewall-cmd --zone=internal --permanent --add-service=ocuainternal

Enable transparent masquerading:
```
modprobe br_netfilter
```

Enable IP masquerading:

firewall-cmd --add-masquerade --permanent

If you are using Tigera Calico or flannel for networking between microservices, add the interfaces to the trusted zone:

firewall-cmd --permanent --zone=trusted --add-interface="flannel+"
firewall-cmd --permanent --zone=trusted --add-interface="cali+"

Repeat the following command, changing the IP address for each node in the cluster, to allow each other node to access the current node:
```
firewall-cmd --zone=public --permanent --add-rich-rule 'rule source address=<other_node_IP_address>/32 accept'
```
Tip:

You can get node IP addresses by running the ifconfig command.
If you are using Virtual Router Redundancy Protocol (VRRP) and keepalived for load balancing, on the primary and secondary presentation server, add the following rich rule to allow VRRP traffic between keepalived nodes:
```
firewall-cmd --zone=public --add-rich-rule='rule protocol value="vrrp" accept' --permanent
```
Reload firewalld:
```
firewall-cmd --reload
```

Set bridged packets to traverse iptables rules by creating the /etc/sysctl.d/a1cluster.conf file:

touch /etc/sysctl.d/a1cluster.conf
cat <<'EOM' > /etc/sysctl.d/a1cluster.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOM

Load the new system rules:
```
sysctl --system
```
Reboot all cluster nodes.

Setting Up Proxies

This is an optional configuration, to be done only if required for your environment.

Set the following environment variables:

https_proxy: Set to the proxy connection string detailing the proxy server, username and password, port, and so on. For example, http://myproxy.example.com:3128/
no_proxy: Set to the comma-separated list of domains or IP addresses that should NOT be proxied. For example, .example.com,localhost,127.0.0.1,WEBFQDN.

To prevent proxied API requests between Unified Assurance servers, this should at least contain the server's local domain.

You can set these in either of the following files:

/etc/environment: Used by non-interactive sessions like daemons. You must restart or log in again for the file to take effect. Add the following variables to the file:
```
https_proxy=PROXYSTRING
no_proxy=NOPROXYSTRING
```
/etc/profile.d/proxy.sh: Used by interactive sessions. You must create the file, then restart or log in again for the file to take effect. Add the following to the file:
```
export https_proxy=PROXYSTRING
export no_proxy=NOPROXYSTRING
```

Setting Up the System User Group

The Unified Assurance installer creates a user group called assure1 with ID 60 by default. If another user group already uses that ID, you must manually create the assure1 user group with a different ID.

To check whether a system user group is already using ID 60, run the following command on each Unified Assurance server:

getent group 60

If an existing group is returned, create the assure1 group by running the following command:

/usr/sbin/groupadd -r -g <group_id> assure1

where <group_id> is an unused ID.

Tip:

To find which IDs are in use, run the getent group command.

Configuring fapolicyd

Oracle does not typically recommend enabling the File Access Policy Daemon (fapolicyd) in Unified Assurance environments. If you enable fapolicyd, you must add a policy rule to allow files in the $A1BASEDIR/tmp directory to be run. Some Unified Assurance components, such as SetupWizard and SVN, need to extract and run files in this directory.

See Managing Policies in Oracle Linux 8 Configuring the File Access Policy Daemon for more information about policy rules and fapolicyd.

Title and Copyright Information

Installation Guide

G18218-02