Adding a Data Node to an HA Cluster - Open Server

Overview

This procedure is for adding a data node to an existing TOS Aurora cluster deployed on a bare-metal server or hypervisor running RHEL or Rocky Linux. If you have not yet installed TOS Aurora, on the primary data node, start with Clean Install of TOS Aurora on an Open Server .

For all other installation and upgrade options, see Installing and Upgrading.

You do not need to install TOS on non-primary data nodes.

For more information on high availability, see High Availability.

Prerequisites

  • This procedure must be performed by an experienced Linux administrator with knowledge of network configuration.

  • To ensure optimal performance and reliability, the required resources need to be allocated exclusively to TOS. If resources become unavailable, this will affect TOS performance. Do not oversubscribe resources.

  • You cannot use IP Tables. All IP tables rules will be flushed when adding the node.

  • Your primary data node must also be deployed on the same operating system.

  • You must know the resources you will need - CPU cores, RAM, disk space and the load-model parameter, provided by your account team based on the procedure Calculate resources - clean install.

  • If you intend to use syslog, allocate a syslog VIP on the same subnet as your primary VIP.

  • (On-premises deployments only) The node's network IP must be on the same subnet as the cluster primary VIP.

  • Give the node a unique hostname in the cluster - use the command below, replacing <mynode> with your preferred name:

  • [<ADMIN> ~]$ sudo hostnamectl set-hostname <mynode>
    sudo hostnamectl set-hostname <mynode>

Operating System Requirements

  • OS distribution:

    • Red Hat Enterprise Linux 8.10

    • Rocky Linux 8.10

  • Disks: Select a storage type of SSD. Take into consideration that TOS requires 7,500 IOPS and the throughput expected will average 250MB/s with bursts of up to 700MB/s.

  • You need to configure a separate partition for /opt, a separate disk for etcd, and the OS disk needs at least 300 GB of available storage. The /opt partition will contain your data, which will increase over time. Most of your available disk space should be allocated to this partition and the minimum is determined by the load model parameter (small, medium, large) provided by your account team.

    Minimum sizes for all partitions:

    • OS disk: 300 GB

    • /opt/ (small): 80 GB

    • /opt/ (medium): 170 GB

    • /opt/ (Large): 370 GB

    • etcd: 128 GB

    *Small, medium and large refer to the load model parameter provided by your account team.

    We recommend allocating /opt partition all remaining disk space after you have partitioned the OS disk and moved etcd to a separate disk.

  • The kernel must be up-to-date

  • SELinux must be disabled

  • Language: en-US

  • You must have permissions to execute TOS CLI commands located in directory /usr/local/bin/tos and to use sudo if necessary.

  • To run TOS CLI commands without specifying the full path (/usr/local/bin/tos), your environment path must be modified accordingly.

  • The server timezone must be set.

  • Network configurations for your interface must be set to manual IPv4 with gateway and DNS Servers set to the IPs used by your organization.

    The system will use a reverse DNS lookup (PTR record) to resolve the DNS IP addresses with the domain name during the TOS installation. Therefore you have to add these PTR records to the DNS server. If you do not, the TOS installation will fail.
  • You must have permissions to execute TOS CLI commands located in directory /usr/local/bin/tos and to use sudo if necessary.

  • To run TOS CLI commands without specifying the full path (/usr/local/bin/tos), your environment path must be modified accordingly.

  • The server timezone must be set.

Network Requirements

  • Tufin Orchestration Suite must only be installed in an appropriately secured network and physical location. Only authorized users should be granted access to TOS products and the operating system on the server.

  • You must allow access to required Ports and Services.

  • All TOS nodes need to be on the same subnet and layer 2 network that supports ARP (address resolution protocol).

  • All TOS nodes should have network latency of under 1ms.

  • Network configurations for your interface must be set to manual IPv4 with gateway and DNS Servers set to the IPs used by your organization.

    The system will use a reverse DNS lookup (PTR record) to resolve the DNS IP addresses with the domain name during the TOS installation. Therefore you have to add these PTR records to the DNS server. If you do not, the TOS installation will fail.
  • Allocate a 24-bit CIDR subnet for the Kubernetes service network and a16-bit CIDR subnet for the Kubernetes pods network (10.244.0.0/16 is used by default).

    The pods and services networks must be inside the following private networks: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. In addition, ensure that the dedicated CIDR for the service network and pods network don't overlap with each other, and:

    • The physical addresses of your TOS Aurora servers (see below)

    • Your primary VIP, Syslog VIP or external load balancer IP (see below)

    • Any other subnets communicating with TOS or with TOS nodes

  • If a proxy is configured on your system make sure this network is excluded.

  • You must have available the following dedicated IP addresses:

    • For on-premise deployments, a primary VIP that will serve as the external  IP address used to access TOS Aurora from your browser. The primary VIP will not be needed in the installation of the operating system, except in the final step - the installation command.
    • The physical network IP address of the first network interface used by the administrator for CLI commands. This is the IP address you will use in most steps of the procedure.
    • If additional nodes are subsequently added to the cluster, each node will require an additional dedicated physical network IP address.

    • Additional syslog VIPs can be allocated as needed.
    • The VIP, all node physical network IP addresses and all syslog VIPs must be on the first network interface.

    • Make sure your first physical interface is correctly configured and all other interfaces are not on the same network.

      To find the first network interface, run the following command:

      [<ADMIN> ~]$ sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'
      sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'

      Otherwise network errors such as connectivity failures and incorrect traffic routing might occur.

Mount The etcd Database to A Separate Disk

The etcd database should be on a separate disk to improve the stability of TOS Aurora and reduce latency. Moving the etcd database to a separate disk ensures that the kubernetes database has access to all the resources required to ensure an optimal TOS performance. This will require some down time as you are going to have to shut down TOS before separating the disks.

See Move etcd - New Non-Cloud VM.

Procedure

Before you proceed, read and understand Prerequisites - this may prevent unexpected failures.