Prerequisites
Audience: System Administrators
Content Summary: This page outlines the prerequisites for installing Immuta on Enterprise Linux 6: service users, firewall rules, TLS certificate assumptions, and hostname configuration.
System Users
Service users need to exist on each node. The RPM installation scripts will create these users if they do not exist on the system when the RPMs are installed.
Web Service Nodes
The Immuta RPM installation will create an immuta group and user on the system. This step will be skipped if the user and group already exist.
Database Node
The Immuta Query Engine RPM installation will create an immutaqe group and user on the system. This step will be skipped if the user and group already exist.
Database Replica Node
The Immuta Query Engine RPM installation will create an immutaqe group and user on the system. This step will be skipped if the user and group already exist.
Firewall Rules
The following sections describe the firewall rules required on each node type. Ports are listed per node; anything not listed should be blocked inbound.
Metadata Database Node Firewall Rules
The Metadata Database needs to accept inbound traffic from the Web Service nodes. The table below lists required ports for inbound traffic:
Port | Protocol | Source |
---|---|---|
5432 | TCP | Web Service Nodes |
5432 | TCP | Database replica nodes |
The Metadata Database does not need to make any outbound connections, but ensure that all related and established traffic is allowed.
Query Engine Node Firewall Rules
The Query Engine needs to accept inbound traffic from the Web Service nodes and anywhere that users will be connecting using the SQL Access Pattern. The table below lists required ports for inbound traffic:
Port | Protocol | Source |
---|---|---|
5432 | TCP | Web Service Nodes or Load balancer, user workstations |
5432 | TCP | Database replica nodes |
The Query Engine needs to allow outbound traffic to all data sources that will be exposed through Immuta. The table below lists required (if conditions are met) ports for outbound traffic:
Port | Protocol | Destination | Condition |
---|---|---|---|
443 | TCP | Web Service nodes or Load balancer | TLS Configured |
80 | TCP | Web Service nodes or Load balancer | TLS Not Configured |
5432 | TCP | Query Engine Replica nodes | Query Engine Replica nodes are being used |
* | TCP | Any data source that is needed for data sources exposed through Immuta | Data source dependent |
In addition to the stated rules, ensure that all related and established traffic is allowed.
Database Replica Node Firewall Rules
The Database Replica needs to accept inbound traffic from the Database Replica Load Balancer, which fronts the connections users make using the SQL Access Pattern. The table below lists required ports for inbound traffic:
Port | Protocol | Source |
---|---|---|
5432 | TCP | Load balancer |
The Database Replica needs to allow outbound traffic to all data sources that will be exposed through Immuta. The table below lists required (if conditions are met) ports for outbound traffic:
Port | Protocol | Destination | Condition |
---|---|---|---|
443 | TCP | Web Service nodes or Load balancer | TLS Configured |
80 | TCP | Web Service nodes or Load balancer | TLS Not Configured |
5432 | TCP | Database Replica nodes | Database Replica nodes are being used |
* | TCP | Any data source that is needed for data sources exposed through Immuta | Data source dependent |
In addition to the stated rules, ensure that all related and established traffic is allowed.
Database Replica Load Balancer Node Firewall Rules
The Database Replica Load Balancer needs to accept inbound traffic from anywhere that users will be connecting using the SQL Access Pattern. The table below lists required ports for inbound traffic:
Port | Protocol | Source |
---|---|---|
5432 | TCP | user workstations |
The Database Replica Load Balancer needs to allow outbound traffic to all Database Replicas. The table below lists required ports for outbound traffic:
Port | Protocol | Destination |
---|---|---|
5432 | TCP | Database Replica nodes |
In addition to the stated rules, ensure that all related and established traffic is allowed.
Web Service Nodes Firewall Rules
When used without a load balancer, the Web Service nodes must accept traffic on the configured service port from wherever users access it. The nodes also need to accept traffic from the Query Engine and from the HDFS cluster (if used).
When using a load balancer in front of the Immuta Web Service nodes, they need only accept inbound traffic from the load balancer.
The table below lists required (if conditions are met) ports for inbound traffic:
Port | Protocol | Source | Condition |
---|---|---|---|
443 | TCP | User workstations, Query Engine, HDFS (if used) or Load balancer | TLS Configured |
80 | TCP | User workstations, Query Engine, HDFS (if used) or Load balancer | TLS Not Configured |
The Web Service Nodes need to allow outbound traffic to all data sources that will be exposed through Immuta. The table below lists required (if conditions are met) ports for outbound traffic:
Port | Protocol | Destination | Condition |
---|---|---|---|
5432 | TCP | Metadata Database, Query Engine | |
* | TCP | Any data source that is needed for data sources exposed through Immuta | Data source dependent |
In addition to the stated rules, ensure that all related and established traffic is allowed.
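Enterprise Linux 6 ships iptables rather than firewalld, so the rules above end up in /etc/sysconfig/iptables. The script below is an added example, not Immuta tooling: it renders an iptables-restore ruleset for one node role from the inbound tables in this section, with a default DROP policy on INPUT and the ESTABLISHED,RELATED rule every table asks for. All addresses in it are constructed placeholders, and the role names are the example's own; replace the addresses with the real node IPs or subnets of your deployment.

```sh
#!/bin/sh
# Added example (not from this guide): iptables-restore ruleset per node role,
# built from the inbound port tables on this page. Addresses are placeholders.

WEB_NODES="10.0.1.10 10.0.1.11"     # assumed: Web Service nodes
WEB_LB="10.0.1.5"                   # assumed: load balancer in front of the Web Service
QUERY_ENGINE="10.0.2.10"            # assumed: Query Engine node
REPLICA_NODES="10.0.2.20 10.0.2.21" # assumed: Database Replica nodes
REPLICA_LB="10.0.2.5"               # assumed: Database Replica load balancer
HDFS_NODES="10.0.3.0/24"            # assumed: HDFS cluster, only if used
USER_NETS="10.0.100.0/22"           # assumed: user workstation range
WEB_PORT=${WEB_PORT:-443}           # 443 with TLS configured, 80 without

# allow_from PORT SRC... -> one ACCEPT rule per source, new TCP connections only
allow_from() {
    port=$1; shift
    for src in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -s $src --dport $port -m state --state NEW -j ACCEPT"
    done
}

# ruleset ROLE -> complete filter table for ROLE on stdout.
# INPUT defaults to DROP; loopback and ESTABLISHED,RELATED are accepted;
# OUTPUT stays open because every role must reach data sources or peer nodes.
ruleset() {
    role=$1
    case "$role" in
        metadata-db)   rules=$(allow_from 5432 $WEB_NODES $REPLICA_NODES) ;;
        query-engine)  rules=$(allow_from 5432 $WEB_NODES $WEB_LB $USER_NETS $REPLICA_NODES) ;;
        db-replica)    rules=$(allow_from 5432 $REPLICA_LB) ;;
        replica-lb)    rules=$(allow_from 5432 $USER_NETS) ;;
        web)           rules=$(allow_from "$WEB_PORT" $USER_NETS $QUERY_ENGINE $HDFS_NODES) ;;
        web-behind-lb) rules=$(allow_from "$WEB_PORT" $WEB_LB) ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "$rules"
    echo 'COMMIT'
}

# Usage (as root): ruleset metadata-db > /etc/sysconfig/iptables && service iptables restart
if [ -n "${IMMUTA_FW_ROLE:-}" ]; then
    ruleset "$IMMUTA_FW_ROLE"
fi
```

Management access is not in this page's tables: if you administer the nodes over SSH, add an ACCEPT rule for port 22 from your admin network before loading the ruleset, or the DROP policy will lock you out once the existing connection closes.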
TLS Assumptions
This guide assumes that you are using certificates issued by a certificate authority (CA). Using self-signed certificates is not recommended or supported in production. All certificates and keys referenced in this guide should be in PEM format. Private key files must not be encrypted. Instead, protect the keys with restrictive file permissions so that only the service account that uses them can read them.
It is also assumed that the CA certificate bundle configured for services in this section contains the CA certificates and is present in the same location on all nodes in the cluster. The system CA bundle (/etc/pki/tls/certs/ca-bundle.crt) can be used, or an alternate certificate bundle may be used.
To verify that your CA and TLS certificates are configured properly, run the command below. Note that openssl is required.
openssl verify -verbose -CAfile /path/to/ca.crt /path/to/immuta/cert.crt
If you do not have certificates issued by a trusted CA available, you can follow this guide to generate temporary insecure certificates for proof-of-concept deployments only. Production deployments should use certificates issued by a trusted CA.
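The openssl verify command above checks only that the certificate chains to the CA bundle. The script below is an added pre-flight check, not part of this guide, covering the other assumptions stated in this section: PEM format, an unencrypted private key, permissions that keep the key private, and a key that actually belongs to the certificate. The paths are arguments; the default CA bundle path is the EL6 system bundle named above.

```sh
#!/bin/sh
# Added example (not from this guide): pre-flight checks for the TLS material
# before it is wired into the services. Requires openssl and GNU stat (EL6 has both).

# pem_type FILE -> prints the first PEM label, e.g. CERTIFICATE or RSA PRIVATE KEY
pem_type() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# key_is_encrypted FILE -> 0 if the key is password protected, either as
# PKCS#8 "ENCRYPTED PRIVATE KEY" or with the legacy "Proc-Type: 4,ENCRYPTED" header
key_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# key_perms_ok FILE -> 0 only when group and other have no permission bits at all
key_perms_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# key_matches_cert KEY CERT -> 0 if both yield the same public key (RSA or EC)
key_matches_cert() {
    a=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# chain_ok CERT CA_BUNDLE -> 0 if the certificate verifies against the bundle.
# The "OK" line is checked in addition to the exit status.
chain_ok() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# check_tls KEY CERT [CA_BUNDLE] -> prints one FAIL line per problem, returns 1 on any
check_tls() {
    key=$1; cert=$2; ca=${3:-/etc/pki/tls/certs/ca-bundle.crt}; rc=0
    [ "$(pem_type "$cert")" = CERTIFICATE ] || { echo "FAIL: $cert is not a PEM certificate"; rc=1; }
    case "$(pem_type "$key")" in
        *"PRIVATE KEY") ;;
        *) echo "FAIL: $key is not a PEM private key"; rc=1 ;;
    esac
    if key_is_encrypted "$key"; then
        echo "FAIL: $key is encrypted; the services need an unencrypted key"; rc=1
    fi
    key_perms_ok "$key"            || { echo "FAIL: $key is readable by group/other (chmod 600)"; rc=1; }
    key_matches_cert "$key" "$cert" || { echo "FAIL: $key does not match $cert"; rc=1; }
    chain_ok "$cert" "$ca"          || { echo "FAIL: $cert does not chain to $ca"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $cert, $key, $ca"
    return "$rc"
}

# Usage: check_tls /path/to/immuta/key.pem /path/to/immuta/cert.crt [/path/to/ca.crt]
```

Run it on every node, since the section assumes the bundle sits at the same path everywhere; a FAIL on the permissions check is the one to fix before the keys are copied around rather than after.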
Hostname Configuration
Servers should have their hostname resolvable by the loopback address. Ensure that each server's hostname is associated with the IP address 127.0.0.1 in the /etc/hosts file.
Note: the following command must be run as root. It appends a new entry each time it is run, so run it only once per server.
sh -c 'echo "127.0.0.1 $(hostname)" >> /etc/hosts'
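The one-liner above is not safe to re-run: each execution appends another line. The following is an added example, not part of this guide, that adds the mapping only when the hostname is not already present in the hosts file and then confirms what the resolver returns. The hosts file path is a parameter so the logic can be tried against a scratch copy before it is pointed at /etc/hosts as root.

```sh
#!/bin/sh
# Added example (not from this guide): idempotent loopback mapping for the hostname.

# hosts_has FILE NAME -> 0 if NAME already appears as a hostname or alias in FILE
# (comments stripped; whole-field match, so "node1" does not match "node1.example.com")
hosts_has() {
    file=$1; name=$2
    sed 's/#.*//' "$file" | awk -v n="$name" '
        { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit found ? 0 : 1 }'
}

# ensure_loopback_hostname FILE [NAME] -> append "127.0.0.1 NAME" to FILE unless present.
# NAME defaults to the output of hostname; FILE is /etc/hosts in real use.
ensure_loopback_hostname() {
    file=$1; name=${2:-$(hostname)}
    [ -n "$name" ] || { echo "empty hostname" >&2; return 1; }
    [ -w "$file" ] || { echo "$file is not writable (run as root?)" >&2; return 1; }
    if hosts_has "$file" "$name"; then
        return 0
    fi
    printf '127.0.0.1 %s\n' "$name" >> "$file"
}

# resolves_to_loopback NAME -> 0 if the system resolver returns 127.0.0.1 for NAME,
# i.e. the hosts entry is actually being used (check nsswitch.conf order if not)
resolves_to_loopback() {
    getent hosts "$1" | awk '$1 == "127.0.0.1" { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Usage (as root): ensure_loopback_hostname /etc/hosts && resolves_to_loopback "$(hostname)"
```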