Installation & Deployment

Warning

This procedure describes how to install the latest version that Ericom releases worldwide and is kept here as-is for reference. In Japan, only a limited set of versions that can be supported locally is released; therefore only what is installed through shield-setup.sh and shield-update.sh is covered by support. Please note that the documentation below is not covered by support.

Ericom Shield can be installed using a number of different methods depending on the environment architecture and connectivity requirements.

Shield components are deployed on Linux machines using Rancher. Rancher is a well-known software platform that enables easy deployment and management of Docker and Kubernetes products in production environments.

OVA

  • What it is: an OVA image containing the base operating system, the required services, and all Shield install files.
  • Use case: simple server setup, including environments without Internet connectivity.
  • Requirements: a VMware environment in which to deploy the OVA.

Scripts

  • What it is: real-time download of the latest Shield infrastructure scripts and install files.
  • Use case: environments with Internet connectivity that require the latest stable Shield version.
  • Requirements: Ubuntu Server 18.04 and Internet connectivity.

Registry

  • What it is: installation of the Shield infrastructure scripts and install files from a local registry.
  • Use case: environments without Internet connectivity that use physical servers.
  • Requirements: Ubuntu Server 18.04 and a registry OVA deployed in a VMware environment.

For High Availability production deployments (recommended), 3 Master (cluster management) machines are required. For more details, see here.

OVA File Installation

Create The Server Machines

  1. From the VMware vSphere client, select File > Deploy From OVF Template.
../_images/ova16.png

  2. Browse to the location of the OVA file and select it. Click Next.

../_images/ova26.png
../_images/ova36.png
  3. Name the file and select the storage path. Complete all the steps and click Finish.
../_images/ova46.png
../_images/ova56.png
  4. Wait for the machine to be ready.
../_images/ova66.png
  5. Open the machine settings and change the CPU to 8 cores (minimum) or 12 cores (recommended) and the memory to 16GB (minimum).
../_images/ova76.png
  6. Power on the machine.
../_images/ova86.png
  7. Follow the steps detailed in Machine Preparation.

  8. If required, grow the OS partition and filesystem to use the full virtual disk size that was set in VMware. Check with lsblk that the root filesystem really is on /dev/sda1 (growpart is provided by the cloud-guest-utils package), then run as root:

    # extend partition 1 to the end of the disk, then grow the ext4 filesystem on it
    growpart /dev/sda 1
    resize2fs /dev/sda1
    
    

Prepare The Rancher Server

Note

Shield repository requires a valid PASSWORD. Before you continue, contact Ericom Shield Professional Services to get a valid password.

On the Linux Rancher Server machine, run this script:

sudo ./install-shield.sh -R -l -p <PASSWORD>

This command will run Rancher (-R) with all the labels (-l) and use the latest (online) Shield repository.

Now that all the Server Machines are ready, continue with the installation steps detailed here.

Online Installation Via Scripts

The recommendation is to set up a dedicated Linux machine that will be used for cluster deployment and management. This machine will be referred to as the Rancher Server machine. This machine will include all the internal components (e.g. Kubectl & Helm). The Rancher Server can be a separate machine or on one of the Master machines (running etcd & Control Plane). All other nodes in the system are determined by the deployment type.

Before you begin, follow the steps detailed in Machine Preparation.

Prepare The Rancher Server

Note

Shield repository requires a valid PASSWORD. Before you continue, contact Ericom Shield Professional Services to get a valid password.

On the Linux Rancher Server machine, download this script, review it, and run it:

curl -s -o install-shield.sh https://raw.githubusercontent.com/EricomSoftwareLtd/Shield/master/Kube/scripts/install-shield.sh
chmod +x install-shield.sh
sudo ./install-shield.sh -l -p <PASSWORD>

This command installs with all the labels (-l), authenticates to the Shield repository with the password (-p) and uses the latest (online) Shield repository.

Prepare The Server Nodes

Each server node that takes part in the Shield cluster must be prepared before creating the cluster. From the Linux Rancher Server machine run:

./shield-prepare-servers [-u <USER>] <ServerIPAddress(s)>

Replace USER with a user account that exists with the same credentials on ALL nodes. Replace ServerIPAddress(s) with the IP addresses of the system nodes. Multiple IP addresses may be entered, separated by a space (" ").

E.g.:

./shield-prepare-servers -u ericom xx.xx.xx.xx yy.yy.yy.yy

Note

The Kernel may be updated during this process (if required).

All the machines must be time-synchronized. Configure NTP (Network Time Protocol) and the timezone on ALL the machines in the cluster.

Connect The Server Nodes To The Cluster Master

Open Rancher at https://RancherServerIPAddress:8443 (using the Rancher Server IP address).

Go to the cluster and select Edit.

../_images/rancher113.png

Scroll down to the bottom of the page, mark the required checkboxes (according to the planned deployment) and copy the command at the bottom (using the Copy to Clipboard option on the right).

../_images/rancher213.png

Run the copied command on EACH server node to join it to the cluster. Make sure the copied command matches the role of the node being joined (Master/Worker). Monitor the join progress by clicking Nodes in the cluster menu.

Wait until the process is finished. After the node has joined the cluster, a green message appears at the bottom of the page. Repeat this process for each node until the cluster is complete.

Set Node Labels

Set the node labels for each machine, according to the planned deployment:

In Rancher, select Nodes and, for each node you wish to edit, select the Edit option from the menu on the right.

../_images/rancher313.png

In the Edit Node dialog, expand the Labels & Annotations section and add the desired labels to the node. For each label, set the value accept. The possible labels are:

../_images/rancher413.png

Labels can be added manually, one by one, or using copy/paste for one or more lines of the following labels:

shield-role/management=accept
shield-role/proxy=accept
shield-role/elk=accept
shield-role/farm-services=accept
shield-role/remote-browsers=accept

Press Save. The updated labels now appear on the node details:

../_images/rancher56.png

Restart the system to apply the nodes that were added and the labels that were defined:

sudo ./stop.sh
sudo ./start.sh

Verify System Status

In Rancher, check under Workloads if the system is up and running. For more information see here.

Run ELK On NFS (Optional)

ELK runs locally by default. It is highly recommended that ELK run on a shared NFS folder rather than locally. To do that, edit the custom-values-elk.yaml file (located under the ericomshield folder). Update elasticsearchDataPath with the path to the shared NFS folder. Please also consider updating elasticsearchSnapshotPath.

Run the install-shield script again:

sudo ./install-shield.sh -p <PASSWORD>

Backup

Set up the backup path and storage account. For more details go here.

Split Mode

If the system is deployed in Split Mode, please see required configuration here.

Offline Installation Via Shield Registry

The Shield Registry is a downloadable collection of all the services required to install Shield on physical machines and in environments without Internet connectivity. This method ensures that all the needed scripts exist locally before the installation itself starts. Once the environment is prepared, the installation process is shorter and less error-prone.

When installing using the Shield Registry, a single, dedicated machine is needed for the Shield registry itself (referred to as Registry VM). The requirements for this specific machine are:

  • Minimum: 1 Core / 2GB memory
  • Recommended: 2 Core / 4GB memory

When planning the Shield system - the recommendation is to set up a dedicated Linux machine that will be used for cluster deployment and management. This machine will be referred to as the Rancher Server machine. This machine will include all the internal components (e.g. Kubectl & Helm). The Rancher Server can be a separate machine or on one of the Master machines (running etcd & Control Plane). All other nodes in the system are determined by the deployment type.

The process includes the following steps:

  • Prepare all the nodes that will be part of the system (on separate machines; the Registry VM itself is not a node)
  • Create the Offline Shield Registry VM
  • Create the Rancher Server
  • Add all the other nodes to the cluster.

Node Preparation

As stated in the Requirements (Software Requirements section), all machines in the Shield system should have:

  • A fixed IP Address
  • A unique hostname
  • The same timezone (as other machines in the system)

Please follow these steps to prepare the machines:

  1. Log in using: ericom/ericomshield. This is a default credential shared by every copy of the OVA; change it (passwd) before the machine is reachable on the network.

  2. Configure the IP of the machine to be unique and static:

    • Go to /etc/systemd/network

    • Edit the 20-wired.network file. Replace the DHCP=ipv4 line with a specific IP address/subnet, for example:

      [Match]
      Name=en*
      
      [Network]
      Address=10.1.10.12/24
      Gateway=10.1.10.1
      DNS=10.1.10.1
      # additional DNS= lines are optional; several may be used
      DNS=10.1.10.2
      IPForward=ipv4
      

Note

If a DHCP server exists in the environment, configure it to lease a reserved (static) IP to the OVA instead. You can determine the MAC address of the OVA from the IP address the DHCP server assigned to it at first startup.

  3. All the machines must be time-synchronized. Configure NTP (Network Time Protocol) and the timezone on the machine:

    sudo timedatectl set-ntp on
    sudo systemctl restart systemd-timesyncd
    sudo timedatectl set-timezone <Continent>/<City>
    
  4. Rename the machine with a unique name (necessary for the cluster to be created properly). As root, run:

    hostnamectl set-hostname <NewUniqueHostname>
    
  5. Update the new hostname in the /etc/hosts file. If it is missing, add it.

  6. If the Shield system will include an Upstream Proxy that uses SSL Inspection, the matching CA certificate must be installed on the machine. To do that, create the file /usr/local/share/ca-certificates/cert-1.crt (PEM format, .crt extension) and run:

    sudo update-ca-certificates
    
  7. Reboot the machine.

Repeat these steps for EACH machine in the system.
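The node-preparation steps above, collected into one script so they can be applied identically on every node and reviewed before anything is written. This is an added example, not an Ericom script. It assumes Ubuntu 18.04 with systemd-networkd, the unit file name 20-wired.network and the interface glob en* from the page; the function names (render_network_unit, valid_hostname, hosts_with_entry, prepare_node) are this example's own. Only prepare_node touches the system; the helpers are pure text transforms.

```bash
#!/usr/bin/env bash
# Added example (not part of Ericom Shield): helpers for the node-preparation steps.
# Assumes Ubuntu 18.04 with systemd-networkd as on the Shield OVA.
set -eu

# Render the systemd-networkd unit that replaces the DHCP=ipv4 line.
# Usage: render_network_unit <addr/prefix> <gateway> [dns ...]
render_network_unit() {
    local addr="$1" gw="$2"; shift 2
    printf '[Match]\nName=en*\n\n[Network]\nAddress=%s\nGateway=%s\n' "$addr" "$gw"
    local d
    for d in "$@"; do printf 'DNS=%s\n' "$d"; done
    printf 'IPForward=ipv4\n'
}

# Accept only hostnames the cluster can use: an RFC 1123 label (lowercase
# letters, digits, hyphens; 1-63 chars) and not "localhost".
valid_hostname() {
    local h="$1"
    [ "${#h}" -ge 1 ] && [ "${#h}" -le 63 ] || return 1
    printf '%s' "$h" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?$' || return 1
    [ "$h" != "localhost" ] || return 1
}

# Rewrite /etc/hosts content (stdin) so the new hostname maps to the static IP,
# dropping any earlier line that already carried that hostname.
# Usage: hosts_with_entry <ip> <hostname> < /etc/hosts
hosts_with_entry() {
    local ip="$1" host="$2"
    awk -v ip="$ip" -v h="$host" '
        $1 !~ /^#/ { n = 0; for (i = 2; i <= NF; i++) if ($i == h) n = 1; if (n) next }
        { print }
        END { print ip "\t" h }'
}

# Apply everything on this machine (run as root, then reboot as the page says).
# Usage: prepare_node <addr/prefix> <gateway> <hostname> <Continent/City> [dns ...]
prepare_node() {
    local addr="$1" gw="$2" host="$3" tz="$4"; shift 4
    valid_hostname "$host" || { echo "refusing hostname: $host" >&2; return 1; }
    render_network_unit "$addr" "$gw" "$@" > /etc/systemd/network/20-wired.network
    timedatectl set-ntp on
    systemctl restart systemd-timesyncd
    timedatectl set-timezone "$tz"
    hostnamectl set-hostname "$host"
    hosts_with_entry "${addr%/*}" "$host" < /etc/hosts > /etc/hosts.new
    mv /etc/hosts.new /etc/hosts
    # Optional upstream-proxy SSL-inspection CA, if the operator placed it first.
    if [ -f /usr/local/share/ca-certificates/cert-1.crt ]; then
        update-ca-certificates
    fi
    echo "prepared $host at $addr; reboot to apply"
}
```

A dry run on a workstation shows exactly what would be written, e.g. `render_network_unit 10.1.10.12/24 10.1.10.1 10.1.10.1 10.1.10.2` and `hosts_with_entry 10.1.10.12 shield-node-01 < /etc/hosts`; on the node itself, `sudo bash -c '. ./prepare.sh; prepare_node 10.1.10.12/24 10.1.10.1 shield-node-01 Europe/London 10.1.10.1'`.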

Prepare The Server Nodes

Each server node that takes part in the Shield cluster must be prepared before creating the cluster. Log in to the Registry VM and run:

./shield-prepare-servers -u <USER> --offline-mode --offline-registry <RegistryIPAddress:5000> <ServerIPAddress(s)>

Replace USER with a user account that exists with the same credentials on ALL nodes. Replace ServerIPAddress(s) with the IP addresses of ALL the nodes in the system. Multiple IP addresses may be entered, separated by a space (" ").

E.g.:

./shield-prepare-servers -u ericom --offline-mode --offline-registry vv.vv.vv.vv:5000 xx.xx.xx.xx yy.yy.yy.yy zz.zz.zz.zz

Prepare The Rancher Server

Log into one of the nodes in the system. This node will become the Rancher Server.

Retrieve the following file from the Registry VM (make sure to replace the RegistryIPAddress with the actual IP):

curl -s -o install-shield.sh http://<RegistryIPAddress>/ericomshield/install-shield.sh
chmod +x install-shield.sh
sudo ./install-shield.sh -l -p <PASSWORD> -v <version-name> --registry <RegistryIPAddress:5000>

The version name format is: Rel-yy.mm.xxx (e.g., Rel-20.03.641). Use the version-name mentioned in the Shield Registry file (the file that was previously downloaded).

Connect The Server Nodes To The Cluster Master

Open Rancher at https://RancherServerIPAddress:8443 (using the Rancher Server IP address).

Go to the cluster and select Edit.

../_images/rancher113.png

Scroll down to the bottom of the page, mark the required checkboxes (according to the planned deployment) and copy the command at the bottom (using the Copy to Clipboard option on the right).

../_images/rancher213.png

Run the copied command on EACH server node to join it to the cluster. Make sure the copied command matches the role of the node being joined (Master/Worker). Monitor the join progress by clicking Nodes in the cluster menu.

Wait until the process is finished. After the node has joined the cluster, a green message appears at the bottom of the page. Repeat this process for each node until the cluster is complete.

Set Node Labels

Set the node labels for each machine, according to the planned deployment:

In Rancher, select Nodes and, for each node you wish to edit, select the Edit option from the menu on the right.

../_images/rancher313.png

In the Edit Node dialog, expand the Labels & Annotations section and add the desired labels to the node. For each label, set the value accept. The possible labels are:

../_images/rancher413.png

Labels can be added manually, one by one, or using copy/paste for one or more lines of the following labels:

shield-role/management=accept
shield-role/proxy=accept
shield-role/elk=accept
shield-role/farm-services=accept
shield-role/remote-browsers=accept

Press Save. The updated labels now appear on the node details:

../_images/rancher56.png

Restart the system to apply the nodes that were added and the labels that were defined:

sudo ./stop.sh
sudo ./start.sh
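Before restarting with stop.sh/start.sh, it is worth confirming that the labels entered in Rancher (in both the online and the offline Set Node Labels procedures) leave no Shield role without a node, because a role nobody accepted simply never gets scheduled. The following check is an added example, not an Ericom script: it parses the output of `kubectl get nodes --show-labels`, which is assumed to be available on the Rancher Server machine, and reports any of the five shield-role labels that no node carries with the value accept. The sample output embedded in SAMPLE is constructed for illustration and is not from a real cluster.

```bash
#!/usr/bin/env bash
# Added example (not part of Ericom Shield): verify Shield role-label coverage
# from `kubectl get nodes --show-labels` output before running stop.sh/start.sh.
set -eu

# The five role labels listed on the page; each must appear as shield-role/<role>=accept.
SHIELD_ROLES="management proxy elk farm-services remote-browsers"

# Print the roles that no node carries with value accept.
# Input on stdin: kubectl "get nodes --show-labels" text (header line, then one
# line per node whose last column is a comma-separated key=value list).
missing_roles() {
    local labels role
    labels=$(awk 'NR > 1 { print $NF }')
    for role in $SHIELD_ROLES; do
        printf '%s\n' "$labels" | tr ',' '\n' \
            | grep -qxF "shield-role/$role=accept" || printf '%s\n' "$role"
    done
}

# Return 0 when every role is covered, 1 otherwise (listing what is missing).
check_role_coverage() {
    local missing
    missing=$(missing_roles)
    if [ -n "$missing" ]; then
        echo "no node is labelled accept for: $(printf '%s' "$missing" | tr '\n' ' ')" >&2
        return 1
    fi
    echo "all Shield roles have at least one node"
}

# Constructed sample (not real cluster output): three nodes where nobody was
# given the elk role. On a real cluster run:
#   kubectl get nodes --show-labels | check_role_coverage
SAMPLE='NAME      STATUS   ROLES                      AGE   VERSION   LABELS
node-m1   Ready    controlplane,etcd,worker   10m   v1.x      kubernetes.io/hostname=node-m1,shield-role/management=accept,shield-role/proxy=accept
node-w1   Ready    worker                     9m    v1.x      kubernetes.io/hostname=node-w1,shield-role/farm-services=accept
node-w2   Ready    worker                     9m    v1.x      kubernetes.io/hostname=node-w2,shield-role/remote-browsers=accept'
```

Running `printf '%s\n' "$SAMPLE" | check_role_coverage` reports `elk` as uncovered; fix it in Rancher (or with `kubectl label node node-w1 shield-role/elk=accept`) and re-run the check before stop.sh/start.sh.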

Verify System Status

In Rancher, check under Workloads if the system is up and running. For more information see here.

Run ELK On NFS (Optional)

ELK runs locally by default. It is highly recommended that ELK run on a shared NFS folder rather than locally. To do that, edit the custom-values-elk.yaml file (located under the ericomshield folder). Update elasticsearchDataPath with the path to the shared NFS folder. Please also consider updating elasticsearchSnapshotPath.

Run the install-shield script again:

sudo ./install-shield.sh -p <PASSWORD>

Backup

Set up the backup path and storage account. For more details go here.

Split Mode

If the system is deployed in Split Mode, please see required configuration here.