Web Service Nodes Installation
Audience: System Administrators
Content Summary: Web Service nodes run the Immuta Web Service. The Immuta Web Service is a NodeJS application that consists of a REST API and a client-side web application. Multiple Web Service nodes are supported. Follow the instructions below on each Web Service node.
Web Service Node Environment Setup
The following variables will be used throughout the installation of the Web Service.
- `IMMUTA_FEATURE_PASSWORD`: password for the Immuta `feature_service` user.
- `IMMUTA_METADATA_PASSWORD`: password for the Immuta `bometadata` user.
- `QUERY_ENGINE_HOSTNAME`: hostname for the Immuta query engine.
- `IMMUTA_BASE_URL`: base URL for the Immuta Web Service. See determining the Immuta base URL.
- `WORKER_COUNT`: number of worker processes to run. This should usually be the number of processors on your server. Run `echo $(lscpu | grep '^CPU(s):' | awk '{print $2}')` to determine what this should be set to. This must be at least 2, but should usually be set no higher than 8.
- `PATH_TO_CA`: path to the CA certificate.
- `PATH_TO_PRIVATE_KEY`: path to the private key nginx will use for TLS.
- `PATH_TO_CERT`: path to the certificate nginx will use for TLS.
Export these as environment variables before beginning the setup.
```sh
export WORKER_COUNT=<worker count>
export PATH_TO_CA=/etc/pki/tls/certs/ca-bundle.crt
export PATH_TO_PRIVATE_KEY=<path to private key>
export PATH_TO_CERT=<path to cert>
```
Notes:
- You should have exported the database passwords according to secure password generation.
- You should have exported the Immuta base URL according to determining the Immuta base URL.
- You should have exported the database hostnames according to database installation.
Web Service Node Package Installation
The following command must be run as root:

```sh
yum install immuta immuta-fingerprint nginx memcached
```

Note: The Immuta RPM will create an `immuta` user if one does not already exist.

If the `yum install` command fails with an error message about `libntlm`, then you may need to enable the `rhui-REGION-rhel-server-releases-optional` repository.
Web Service Node Setup and Configuration
This section will walk you through configuring the Immuta web service and supporting services.
Immuta configuration needs to be updated with the database hostnames and passwords.
The following commands must be run as root:

```sh
sed -i "/immutaDb/,/host/s/localhost/${QUERY_ENGINE_HOSTNAME}/" /etc/immuta/config.yml
sed -i "/featureStoreDb/,/host/s/#host: localhost/host: ${QUERY_ENGINE_HOSTNAME}/" \
    /etc/immuta/config.yml
sed -i "s/__bometadata_password__/${IMMUTA_METADATA_PASSWORD}/" /etc/immuta/config.yml
sed -i "s/__immuta_password__/${IMMUTA_FEATURE_PASSWORD}/" /etc/immuta/config.yml
sed -i "/publicImmutaUrl/c\publicImmutaUrl: ${IMMUTA_BASE_URL}" /etc/immuta/config.yml
sed -i '/^databases:/,/^cache:/s/#*ssl: false/ssl: true/' /etc/immuta/config.yml
```

Before starting the Web Service, set the `WORKER_COUNT` in the system configuration for the Immuta service. The following command must be run as root:

```sh
sed -i "/\<WORKER_COUNT\>=/c\WORKER_COUNT=${WORKER_COUNT}" /etc/sysconfig/immuta
```
Memcached should be configured to listen only on the loopback interface. This is done by setting the `OPTIONS` variable in `/etc/sysconfig/memcached`. Next, enable memcached in the Immuta configuration by uncommenting `cache` in the `server` section of `/etc/immuta/config.yml`.

The following commands must be run as root:

```sh
sed -i '/OPTIONS/{;/-l/n;s/""/"-l localhost"/}' /etc/sysconfig/memcached
sed -i "/^[ ]\{4\}#cache:/,/partition/s/#//" /etc/immuta/config.yml
```
Nginx is used as a reverse proxy for the Immuta web service listening on the loopback interface. Configure nginx by creating or replacing `/etc/nginx/nginx.conf`.

```nginx
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    keepalive_timeout 65;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    client_max_body_size 1g;

    upstream local_service {
        server localhost:8080;
    }

    server {
        listen *:8443 ssl;
        ssl_certificate /etc/nginx/tls/server.crt;
        ssl_certificate_key /etc/nginx/tls/server.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        location / {
            proxy_pass http://local_service;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host;
        }
    }

    upstream web_service {
        server localhost:8443;
    }

    server {
        listen *:443 ssl;
        ssl_certificate /etc/nginx/tls/server.crt;
        ssl_certificate_key /etc/nginx/tls/server.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        location / {
            proxy_pass https://web_service;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host;
        }
    }
}
```
Copy the TLS certificates into the `/etc/nginx/tls` directory. Ensure that they are readable by the nginx user. The private keys should not be readable by group or other.

The following commands must be run as root:

```sh
mkdir -p /etc/nginx/tls
chown nginx: /etc/nginx/tls
cp "${PATH_TO_CERT}" /etc/nginx/tls/server.crt
cp "${PATH_TO_PRIVATE_KEY}" /etc/nginx/tls/server.key
chmod 600 /etc/nginx/tls/server.key
chown nginx: /etc/nginx/tls/*
```

If SELinux is enabled, ensure that nginx can communicate over the network. The following command must be run as root:

```sh
setsebool -P httpd_can_network_connect 1
```
Finally, enable and start the `immuta`, `immuta-fingerprint`, `memcached`, and `nginx` services.

The following commands must be run as root:

```sh
chkconfig memcached on
service memcached start
chkconfig nginx on
service nginx start
chkconfig immuta-fingerprint on
service immuta-fingerprint start
chkconfig immuta on
service immuta start
```
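As an added example (not part of the Immuta documentation), the script below dry-runs the memcached and `config.yml` edits from this page against constructed sample files in a temporary directory, then checks the resulting state a reviewer would want to see after installation: memcached bound to loopback only, no database connection left with TLS disabled, and the private key unreadable by group and other. The hostname `qe.example.internal` and the check function names are constructed for the example; the functions take a file path, so they can be pointed at the live files once the steps above have been run.

```shell
#!/bin/sh
# Added example, not from the Immuta docs: dry-run the page's memcached and
# config.yml edits on constructed copies, then verify the hardened state.
set -eu

SAMPLE_DIR=$(mktemp -d)
QUERY_ENGINE_HOSTNAME=qe.example.internal   # constructed hostname
# Constructed stand-in for /etc/sysconfig/memcached as shipped (no -l, so it
# would listen on every interface).
printf 'PORT="11211"\nUSER="memcached"\nOPTIONS=""\n' > "$SAMPLE_DIR/memcached"

# Constructed stand-in for the database section of /etc/immuta/config.yml.
cat > "$SAMPLE_DIR/config.yml" <<'EOF'
databases:
  immutaDb:
    host: localhost
    ssl: false
  featureStoreDb:
    #host: localhost
    #ssl: false
cache:
  enabled: true
EOF
# Constructed stand-in for the private key copied into /etc/nginx/tls.
printf 'PLACEHOLDER KEY MATERIAL\n' > "$SAMPLE_DIR/server.key"

# The page's own edits, applied to the sample copies instead of the live files.
sed -i '/OPTIONS/{;/-l/n;s/""/"-l localhost"/}' "$SAMPLE_DIR/memcached"
sed -i "/immutaDb/,/host/s/localhost/${QUERY_ENGINE_HOSTNAME}/" "$SAMPLE_DIR/config.yml"
sed -i "/featureStoreDb/,/host/s/#host: localhost/host: ${QUERY_ENGINE_HOSTNAME}/" \
    "$SAMPLE_DIR/config.yml"
sed -i '/^databases:/,/^cache:/s/#*ssl: false/ssl: true/' "$SAMPLE_DIR/config.yml"
chmod 600 "$SAMPLE_DIR/server.key"

# Returns 0 only if memcached's OPTIONS binds it to the loopback interface.
memcached_loopback_only() {
  grep -Eq '^OPTIONS=.*-l[[:space:]]+(localhost|127\.0\.0\.1)' "$1"
}

# Returns 0 only if no database entry (commented out or not) still has TLS off.
db_tls_required() {
  ! sed -n '/^databases:/,/^cache:/p' "$1" | grep -Eq '^[[:space:]]*#*ssl: false'
}

# Returns 0 only if the key is mode 600, i.e. unreadable by group and other.
private_key_locked_down() {
  [ "$(stat -c '%a' "$1")" = "600" ]
}
```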