Adding a Data Node to an HA Cluster - Non-TufinOS

Overview

This procedure is for adding a data node to an existing TOS Aurora cluster running on TufinOS. If you have not yet installed TOS Aurora, on the primary data node, start with Clean Install of TOS Aurora on a Non-TufinOS Server. For all other installation paths such as upgrade or other platforms, see the menu for the appropriate procedure.

You do not need to install TOS on non-primary data nodes.

For more information on high availability, see High Availability.

Prerequisites

  • You cannot use iptables. All iptables rules will be flushed when the node is added.

  • Your primary data node must also be deployed on TufinOS.

  • You must know the resources you will need (CPU cores, RAM, disk space and the load-model parameter), which your account team provides based on the procedure Calculate resources - clean install.

  • You will need to allow access to required Ports and Services.
  • If you intend to use syslog, allocate a syslog VIP on the same subnet as your primary VIP.
  • The node's network IP must be on the same subnet as the cluster primary VIP.

  • Give the node a unique hostname in the cluster - use the command below, replacing <mynode> with your preferred name:

    [<ADMIN> ~]$ sudo hostnamectl set-hostname <mynode>

  • You will need to configure three partitions: /opt, /tmp and /var. The /opt partition will contain your data, which will increase over time. Most of your available disk space should be allocated to this partition, and the minimum is determined by the load-model parameter (small, medium, large) provided by your account team. Minimum sizes for all partitions:

    Minimum Partition Sizes

    Node type                                                           /opt/ (Small)*  /opt/ (Medium)*  /opt/ (Large)*  /tmp/   /var/
    Central cluster / remote cluster primary data node / HA data nodes  80 GB           170 GB           370 GB          25 GB   200 GB
    Worker node (central and remote clusters)                           70 GB           70 GB            70 GB           25 GB   60 GB

    *Small, medium and large refer to the load-model parameter provided by your account team.

    We recommend allocating all remaining disk space to the /opt partition after you have partitioned the other directories.

Operating System Requirements

  • Host: Physical server / VMware ESXi 6.5, 6.7, 7.0 or 8.0, vSphere

  • OS distribution:
    • Red Hat Enterprise Linux 8.6, 8.8, or 8.9
    • Rocky Linux 8.6, 8.8, or 8.9
  • Disk(s): SSD with 7,500 IOPS and 250 MB/s throughput, or higher.

  • Language: en-US

  • The kernel must be up-to-date
  • SELinux must be disabled
  • rsync, wireguard and screen must be installed, for transferring data, in-cluster encryption and launching shell sessions respectively.
  • Required modules must be loaded using a configuration file /etc/modules-load.d/tufin.conf containing the entries:

    br_netfilter
    wireguard
    overlay
    ebtables
    ebtable_filter
  • Permanent kernel parameters must be set, for example using a configuration file /etc/sysctl.d/tufin.conf containing the entries:

    net.bridge.bridge-nf-call-iptables = 1
    fs.inotify.max_user_watches = 1048576
    fs.inotify.max_user_instances = 10000
    net.ipv4.ip_forward = 1
  • Network configurations for your interface must be set to manual IPv4 with gateway and DNS Servers set to the IPs used by your organization.

    During the TOS installation, the system performs a reverse DNS lookup (PTR record) to resolve the DNS server IP addresses to their domain names, so you must add PTR records for these addresses to the DNS server. If you do not, the TOS installation will fail.
  • You must have permissions to execute TOS CLI commands located in directory /usr/local/bin/tos and to use sudo if necessary.

  • To run TOS CLI commands without specifying the full path (/usr/local/bin/tos), your environment path must be modified accordingly.

  • The server timezone must be set.
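The prerequisites above are easy to get partially right (one module missing from the conf file, a sysctl value off, /opt sized for the wrong load model). The pre-flight checker below is an added example, not Tufin tooling: it reads only the files and commands named in this section, checks them against the values stated here, and changes nothing on the host. It assumes the conf file paths given above, that the `wg` binary represents the wireguard requirement, and that the DNS servers to check are the `nameserver` entries in /etc/resolv.conf.

```shell
#!/bin/sh
# Constructed pre-flight checker for the prerequisites above (not Tufin's own tooling).
# Read-only: it reports failed prerequisites and exits non-zero. Usage: sh preflight.sh medium

# Minimum /opt size in GB for a primary/HA data node, per load model (table above).
min_opt_gb() {
  case "$1" in
    small) echo 80 ;; medium) echo 170 ;; large) echo 370 ;;
    *) echo "unknown load model: $1" >&2; return 1 ;;
  esac
}

# Print the required kernel modules that are not listed in conf file $1 (one per line).
missing_modules() {
  for m in br_netfilter wireguard overlay ebtables ebtable_filter; do
    grep -qx "$m" "$1" 2>/dev/null || echo "$m"
  done
}

# Print required sysctl keys whose value in file $1 is missing or wrong.
# Whitespace around '=' is tolerated, so "key=1" and "key = 1" both pass.
bad_sysctls() {
  while IFS='=' read -r key want; do
    got=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" 2>/dev/null | tail -n 1)
    [ "$got" = "$want" ] || echo "$key"
  done <<EOF
net.bridge.bridge-nf-call-iptables=1
fs.inotify.max_user_watches=1048576
fs.inotify.max_user_instances=10000
net.ipv4.ip_forward=1
EOF
}

# Live host checks for load model $1; prints each failed prerequisite, returns 1 if any failed.
preflight() {
  rc=0
  [ "$(getenforce 2>/dev/null || echo Disabled)" = "Disabled" ] || { echo "SELinux must be disabled"; rc=1; }
  for c in rsync wg screen; do command -v "$c" >/dev/null 2>&1 || { echo "missing command: $c"; rc=1; }; done
  missing_modules /etc/modules-load.d/tufin.conf | sed 's/^/module not configured: /' | grep . && rc=1
  bad_sysctls /etc/sysctl.d/tufin.conf | sed 's/^/sysctl missing or wrong: /' | grep . && rc=1
  need=$(min_opt_gb "$1") || return 1
  have=$(df -Pk /opt 2>/dev/null | awk 'NR==2 {print int($2/1048576)}')   # 1K blocks -> GB
  [ "${have:-0}" -ge "$need" ] || { echo "/opt is ${have:-0} GB, need >= $need GB for $1"; rc=1; }
  # Each DNS server IP must resolve back to a name (PTR record); getent does the reverse lookup.
  for ip in $(awk '/^nameserver/ {print $2}' /etc/resolv.conf 2>/dev/null); do
    getent hosts "$ip" >/dev/null || { echo "no PTR record for DNS server $ip"; rc=1; }
  done
  return $rc
}

[ $# -eq 0 ] || preflight "$1"
```

Run it as the admin user before starting the procedure; an empty report and exit code 0 mean every check listed in this section passed.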

Procedure

Before you proceed, read and understand Prerequisites - this may prevent unexpected failures.