Adding a Node on a non-TufinOS Server

Overview

This procedure is for preparing a server running a non-TufinOS operating system before adding it as a node to an existing TOS Aurora cluster.

For all other installation procedures, such as installing TOS Aurora and adding nodes on other platforms, see the menu for the appropriate procedure.

If you are preparing a data node, start with high availability.

If you are preparing a worker node, start with multi-node cluster.

Read and understand Prerequisites, then proceed with Configuring the Operating System.

Prerequisites

Computing Resources

  • Operating system (one of):
    • Red Hat Enterprise Linux 8.10
    • Rocky Linux 8.10
  • Disk(s): SSD with 7,500 IOPS and 250 MB/s throughput, or higher.

  • Sufficient CPUs, disk storage and main memory for TOS Aurora to work effectively. Consult with your sales engineer or Tufin support.

  • Partitions:

    You need a separate partition for /opt, a separate disk for etcd, and a boot disk with at least 300 GB of available storage (150 GB for a worker node). The /opt partition holds your data, which grows over time, so most of your available disk space should go to it; its minimum size is determined by the load model parameter (small, medium, large) provided by your account team. Minimum sizes for all partitions:

    Minimum Partition Sizes

    Node type                                                            Boot disk   /opt (Small)*   /opt (Medium)*   /opt (Large)*   etcd
    Central cluster / remote cluster primary data node / HA data nodes   300 GB      80 GB           170 GB           370 GB          128 GB
    Worker node (central and remote clusters)                            150 GB      70 GB           70 GB            70 GB           N/A

    *Small, medium and large refer to the load model parameter provided by your account team.

    We recommend allocating all remaining disk space to the /opt partition after you have partitioned the boot disk and etcd.

Network Requirements

  • You must allow access to required Ports and Services.
  • You cannot use your own iptables rules: all iptables rules are flushed when the node is added.

  • If you intend to use syslog, allocate a syslog VIP on the same subnet as your primary VIP.
  • The node's network IP must be on the same subnet as the cluster primary VIP.

  • Make sure your first physical interface is correctly configured and that no other interface is on the same network; otherwise network errors such as connectivity failures and incorrect traffic routing might occur.

    To find the first network interface (by PCI order), run:

    [<ADMIN> ~]$ sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'

Configuring the Operating System

Before you proceed, read and understand Prerequisites - this may prevent unexpected failures.

  1. If you are not currently logged in as root, switch to the root user now.

    [<ADMIN> ~]$ su -
  2. If you want to change the host name or IP address of the machine, do so now. Once TOS Aurora has been installed, changing the host name or IP address requires reinstalling - see Changing IP Address/Host Names. To change the host name, use the command below, replacing <mynode> with your preferred name.

    [<ADMIN> ~]# hostnamectl set-hostname <mynode>
  3. Modify the environment path to run TOS CLI commands without specifying the full path (/usr/local/bin/tos).

    [<ADMIN> ~]# echo 'export PATH="${PATH}:/usr/local/bin"' | sudo tee -a /root/.bashrc > /dev/null
  4. Synchronize your machine time with a trusted NTP server. Follow the steps in Configuring NTP Using Chrony.

  5. Configure the server time zone.

    [<ADMIN> ~]# timedatectl set-timezone <timezone>

    where <timezone> is in the format Area/Location, for example America/Jamaica, Hongkong, GMT or Europe/Prague. To list the time zones accepted by the command:

    [<ADMIN> ~]# timedatectl list-timezones
  6. Upgrade the kernel (dnf upgrade also brings every other installed package up to the latest version available in your enabled repositories):

    [<ADMIN> ~]# dnf upgrade
  7. Disable SELinux:

    • If the file /etc/selinux/config exists, edit it and set SELINUX to disabled:

      SELINUX=disabled
    • If the file doesn't exist, or SELINUX is already set to disabled, do nothing.

    The change takes effect at the reboot in the next step.
  8. Reboot the machine and log in.
  9. Install WireGuard. It is needed to encrypt communication between the nodes (machines) of the cluster. The RHEL/Rocky 8 kernel does not include the WireGuard module, so it is installed as the kmod-wireguard package from ELRepo, with the user-space tools from EPEL.

  10. Add the EPEL and ELRepo repositories, then install the kernel module and tools:

    [<ADMIN> ~]# sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
    [<ADMIN> ~]# sudo yum install kmod-wireguard wireguard-tools
  11. Reboot the machine and log in.
  12. Install tmux and rsync:

    [<ADMIN> ~]# dnf install -y rsync tmux
  13. Disable the firewall:

    [<ADMIN> ~]# systemctl stop firewalld
    [<ADMIN> ~]# systemctl disable firewalld
  14. Create the TOS Aurora load module configuration file /etc/modules-load.d/tufin.conf. Example using vi:

    [<ADMIN> ~]# vi /etc/modules-load.d/tufin.conf
  15. Specify the modules to be loaded by adding the following lines to the configuration file created in the previous step. The modules will then be loaded automatically on boot.

    br_netfilter
    wireguard
    overlay
    ebtables
    ebtable_filter
  16. Load the above modules now:

    [<ADMIN> ~]# cat /etc/modules-load.d/tufin.conf |xargs modprobe -a 

    Look carefully at the output to confirm all modules loaded correctly; an error message will be issued for any modules that failed to load.

  17. Check that Wireguard has loaded correctly.

    [<ADMIN> ~]# lsmod |grep wireguard

    The output will appear something like this:

    wireguard              201106  0
    ip6_udp_tunnel         12755  1 wireguard
    udp_tunnel             14423  1 wireguard
    

    If Wireguard is not listed in the output, contact support.

  18. Create the TOS Aurora kernel configuration file /etc/sysctl.d/tufin.conf. Example using vi:

    [<ADMIN> ~]# vi /etc/sysctl.d/tufin.conf
  19. Specify the kernel settings to be made by adding the following lines to the configuration file created in the previous step. The settings will then be applied on boot.

    net.bridge.bridge-nf-call-iptables = 1
    fs.inotify.max_user_watches = 1048576
    fs.inotify.max_user_instances = 10000
    net.ipv4.ip_forward = 1
  20. Apply the above kernel settings now:

    [<ADMIN> ~]# sysctl --system

For maximum security, we recommend only installing official security updates and security patches for your Linux distribution, as well as the RPMs specifically mentioned in this section.
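A pre-flight check that ties the steps above together, as an added example: a hypothetical helper script, not a Tufin tool and not part of this page. It writes the two configuration files from steps 14 to 19 with exactly the documented content, parses /etc/selinux/config and the modules-load and sysctl files the way the steps require, and, when run with the argument check, verifies on the live host that SELinux reports Disabled, firewalld is stopped and disabled, the wireguard module is loaded, the kernel settings are in effect, /opt is a separate mount point, rsync, tmux and wg are installed, NTP is synchronized and /usr/local/bin is on PATH. The subnet test for the primary VIP runs only when the TOS_PRIMARY_VIP environment variable is set (an assumption of this script, not something the page defines) and takes the first global IPv4 address as the node IP, which matches the first interface only when the interface order is as the page requires. The file-based checks take a root prefix so they can be exercised against a scratch directory.

```shell
#!/usr/bin/env bash
# Hypothetical pre-flight check for a non-TufinOS node prepared by the steps above.
# Added example, not a Tufin tool. File checks take a root prefix ($1, default "" = the
# real /) so they can run against a scratch tree; "./preflight.sh check" checks the host.
set -u

TUFIN_MODULES="br_netfilter wireguard overlay ebtables ebtable_filter"        # step 15
TUFIN_SYSCTL="net.bridge.bridge-nf-call-iptables=1 fs.inotify.max_user_watches=1048576
fs.inotify.max_user_instances=10000 net.ipv4.ip_forward=1"                     # step 19

# Steps 14-19: write both configuration files under $1 with exactly the documented content.
write_tufin_configs() {
  local root="${1:-}" m kv
  mkdir -p "$root/etc/modules-load.d" "$root/etc/sysctl.d"
  : > "$root/etc/modules-load.d/tufin.conf"
  for m in $TUFIN_MODULES; do echo "$m" >> "$root/etc/modules-load.d/tufin.conf"; done
  : > "$root/etc/sysctl.d/tufin.conf"
  for kv in $TUFIN_SYSCTL; do echo "${kv%%=*} = ${kv#*=}" >> "$root/etc/sysctl.d/tufin.conf"; done
}

# Print the last value assigned to key $2 in key=value file $1 (comments ignored, spaces stripped).
conf_value() {
  awk -F= -v k="$2" '$0 !~ /^[[:space:]]*#/ { gsub(/[[:space:]]/, ""); if ($1 == k) v = $2 }
                     END { print v }' "$1" 2>/dev/null
}

# Step 7: /etc/selinux/config is absent, or sets SELINUX=disabled.
selinux_disabled() {
  local cfg="${1:-}/etc/selinux/config"
  [ -f "$cfg" ] || return 0
  [ "$(conf_value "$cfg" SELINUX)" = "disabled" ]
}

# Step 15: every required module is listed, one per line.
modules_listed() {
  local f="${1:-}/etc/modules-load.d/tufin.conf" m
  for m in $TUFIN_MODULES; do grep -qx "$m" "$f" 2>/dev/null || return 1; done
}

# Step 19: every required kernel setting carries the required value.
sysctl_listed() {
  local f="${1:-}/etc/sysctl.d/tufin.conf" kv
  for kv in $TUFIN_SYSCTL; do
    [ "$(conf_value "$f" "${kv%%=*}")" = "${kv#*=}" ] || return 1
  done
}

# Network requirement: node IP and primary VIP share one IPv4 subnet.
# Usage: same_subnet <node-ip> <prefix-len> <vip>
ip2int() { local IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }
same_subnet() {
  local mask=$(( 0xFFFFFFFF ^ ((1 << (32 - $2)) - 1) ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$3") & mask )) ]
}

# Live checks on the running host: one ok/FAIL line per check, exit status 1 if any failed.
live_checks() {
  local rc=0 cidr
  check() { if "$@" >/dev/null 2>&1; then echo "ok    $*"; else echo "FAIL  $*"; rc=1; fi; }
  check selinux_disabled ""
  check test "$(getenforce 2>/dev/null)" = "Disabled"              # true only after the step 8 reboot
  check test "$(systemctl is-active firewalld 2>/dev/null)" != "active"
  check test "$(systemctl is-enabled firewalld 2>/dev/null)" != "enabled"
  check modules_listed ""
  check sh -c 'lsmod | grep -q "^wireguard "'                       # step 17
  check sysctl_listed ""
  check test "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" = "1"
  check test "$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null)" = "1"
  check mountpoint -q /opt                                           # separate /opt partition
  check command -v rsync; check command -v tmux; check command -v wg
  check test "$(timedatectl show -p NTPSynchronized --value 2>/dev/null)" = "yes"
  check sh -c 'case ":$PATH:" in *:/usr/local/bin:*) exit 0;; *) exit 1;; esac'
  if [ -n "${TOS_PRIMARY_VIP:-}" ]; then   # assumption: the first global IPv4 address is the node IP
    cidr=$(ip -4 -o addr show scope global | awk 'NR == 1 { print $4 }')
    check same_subnet "${cidr%/*}" "${cidr#*/}" "$TOS_PRIMARY_VIP"
  fi
  return "$rc"
}

if [ "${1:-}" = "check" ]; then
  live_checks
  exit $?
fi
```

Each FAIL line names the check, and with it the step to repeat. The getenforce and lsmod checks are meaningful only after the reboots in steps 8 and 11, and write_tufin_configs with an empty prefix overwrites the real /etc files, so call it only in place of steps 14, 15, 18 and 19, not after hand-editing them.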