Adding a Data Node to an HA Cluster - TufinOS

Overview

This procedure is for adding a data node to an existing TOS cluster running on TufinOS. If you have not yet installed TOS, on the primary data node, start with the appropriate clean install procedure.

For all other installation paths such as upgrade or other platforms, see the menu for the appropriate procedure.

You do not need to install TOS on non-primary data nodes.

For more information on high availability, see High Availability.

Prerequisites

General Requirements

  • This procedure must be performed by an experienced Linux administrator with knowledge of network configuration.

  • To ensure optimal performance and reliability, the required resources need to be allocated exclusively to TOS. If resources become unavailable, this will affect TOS performance. Do not oversubscribe resources.

  • IP tables version 1.8.5 and above. IP tables must be reserved exclusively for TOS Aurora and cannot be used for any other purpose. During installation, any existing IP tables configurations will be flushed and replaced.

  • Your primary data node must also be deployed on TufinOS.

  • You must know the resources you will need - CPU cores, RAM, disk space and the load-model parameter, provided by your account team based on the procedure Calculate resources - clean install.

  • (On-premises deployments only) The node's network IP must be on the same subnet as the cluster primary VIP.

  • Give the node a unique hostname in the cluster - use the command below, replacing <mynode> with your preferred name:

    • [<ADMIN> ~]$ sudo hostnamectl set-hostname <mynode>
    sudo hostnamectl set-hostname <mynode>

  • If you intend to use syslog, allocate a syslog VIP on the same subnet as your primary VIP.

  • The Virtual Machine Operating System guest family must be Linux, and the operating system guest version must be RHEL 8.x

Tufin Appliance Requirements

VMware Requirements

  • The ESX host must be running VMware ESXi 6.5, 6.7, 7.0 or 8.0 only. ESXi 8.0 requires TufinOS 4.20 or later
ESXi 6 is already EOL (end of life). ESXi 7 is planned to reach EOL in April 2025
  • Disks:
    • Select a storage type of SSD. Take into consideration that TOS requires 7,500 IOPS and the throughput expected will average 250MB/s with bursts of up to 700MB/s.
    • Storage size of disk is determined by the sizing calculation. Minimum: 400 GB.
    • Data nodes require an additional disk for etcd. Size: 50 GB.

  • Secure boot must be disabled.

Downloads

This section is only relevant for VMWare. Tufin appliances come pre-installed with TufinOS. If you wan to update TufinOS to the latest version, see Update TufinOS

  1. Download the TufinOS 4.50 installation package from the Download Center.

    2. The downloaded files are in .tgz format <FILENAME>.tgz.

  2. Extract the TufinOS image from its archive.
    3. [<ADMIN> ~]$ sudo tar xzvf <FILENAME>.tgz
    sudo tar xzvf <FILENAME>.tgz

    The run file name includes the release, version, build number, and type of installation.

    TufinOS ISO file example: TufinOS-4.50-4368238-x86_64-Final.iso

    TufinOS USB file example: TufinOS-4.50-4368238-x86_64-Final.usb.img

  3. Verify the integrity of the TufinOS installation package.

    [<ADMIN> ~]# sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-Final.iso.sha256
    sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-Final.iso.sha256
    [<ADMIN> ~]# sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-Final.usb.img.sha256
    sha256sum -c TufinOS-X.XX-XXXXXX-x86_64-Final.usb.img.sha256

    The output should return OK

Procedure

Before you proceed, read and understand Prerequisites - this may prevent unexpected failures.

    1. Place the TufinOS ISO image file on the datastore of vSphere. For local installation on a VMware machine, locate the extracted ISO image file.

    2. Confirm that in your virtual machine settings, Boot Options is configured to use BIOS. If you are using EFI, the procedure will not work.

    3. Edit the properties of the virtual CD/DVD drive, and do one of the following:

      Using vSphere:

      • As Device Type select Datastore ISO file, and browse to the TufinOS ISO image.

      • Under Device Status, select Connect at power on.

      Using a workstation:

      • Under Device Status, select Connect at power on.

      • Under Connection, select Use ISO image file, and browse to the TufinOS ISO image.

    4. Set the VM to boot to BIOS configuration

      1. Navigate to VM settings > VM options.
      2. Check: During the next boot, force entry into the BIOS setup screen.

    5. In BIOS > Boot, select CD-ROM Drive.

    6. In BIOS > Exit, select Exit Saving Changes. Click Yes.

    7. Save the settings.

    8. Restart the VM. TufinOS installation begins.

    9. Select TufinOS 4.50 Installation for TOS Aurora.

    10. When prompted, select Install TufinOS 4.50 for Data Node:

    11. When prompted, confirm and choose Yes.

    12. When the installation is complete, reboot the virtual machine.

    13. When BIOS launches, change the Boot option to Hard Drive.

    14. In BIOS > Exit, select Exit Saving Changes. Click Yes.

    15. Log in using the default admin user credentials:

      username: tufin-admin

      password: admin (you will be prompted to change this on first log in)

      IP address: assigned by DHCP

    1. If you want to reset the host name or IP of the machine, do so now. It cannot be done at a later stage. See Changing IP Address/Host Names.

    2. Configure the server timezone.

      [<ADMIN> ~]$ sudo timedatectl set-timezone <timezone>
      sudo timedatectl set-timezone <timezone>

      where <timezone> is in the format Area/Location. Examples: America/Jamaica, Hongkong, GMT, Europe/Prague.

      To view a list of the time-zone formats that can be used, run:

      [<ADMIN> ~]$ sudo timedatectl list-timezones
      sudo timedatectl list-timezones
      Ukraine only. Since the change in timezone name from Kiev to Kyiv, not all software products have been adjusted. We therefore recommend avoiding these names and instead using an alternative city in the same timezone such as Europe/Tallinn.

    3. Synchronize your machine time with a trusted NTP server. Follow the steps in Configuring NTP Using Chrony. In an HA deployment, all servers need to be synchronized to the same time.

    4. Configure the IP address and DNS, where <Interface Name> is the name of the interface you are using (for example, ens32). If you have several network interfaces, configure the first one.

      Run the command: 

      [<ADMIN> ~]$ sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'
      sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'

    5. To assign a static IP address:

      1. Run the command: 

        2. [<ADMIN> ~]$ sudo nmtui edit <Interface Name>
        sudo nmtui edit <Interface Name>

        and set the following parameters in the window:

        • Set IPv4 CONFIGURATION to Manual
        • Set Addresses for the physical IP, together with the chosen subnet
        • Set Gateway and DNS Servers to the IPs used by your organization
      2. Restart the network service. 
        3. [<ADMIN> ~]$ sudo systemctl restart NetworkManager.service
        sudo systemctl restart NetworkManager.service

    6. Run:

      [<ADMIN> ~]$ sudo nslookup <DNS SERVER IP>
      sudo nslookup <DNS SERVER IP>

      If the name of the server appears, the DNS server can resolve its own address using a reverse lookup.

      Example Output

      [<ADMIN> ~]$ sudo nslookup  1.2.3.4
4.3.2.1.in-addr.arpa	name=EXAMPLE.company.com

      If the name of the server does not appear, set it using a reverse lookup entry at /etc/hosts.

      Example Output where 1.2.3.4 4.3.2.1.in-addr-arpa was added.

      [<ADMIN> ~]$ sudo cat /etc/hosts 
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost6 localhost6.localdomain6
1.2.3.4 admin.company.com admin
2.3.4.5 5.4.3.2.in-addr-arpa

      1. Log in to the primary data node.

      2. On the primary data node:

        [<ADMIN> ~]$ sudo tos cluster node add --role=data
        sudo tos cluster node add --role=data

        On completion, a new command string is displayed, which you will need to run on the new node within 30 minutes. If the allocated time expires, you will need to repeat the current step.

      3. Copy the command string to the clipboard.

      4. Log in to the new node.

      5. On the new node, paste the command string copied previously and run it. If the allocated time has expired, you will need to start from the beginning.
      6. Verify that the node was added by running sudo tos cluster node list on the primary data node.

    1. On the primary data node, check the TOS status.

      [<ADMIN> ~]$ sudo tos status
      sudo tos status

    2. In the output, check if the System Status is Ok and all the items listed under Components appear as ok. If this is not the case, contact Tufin Support.

      3. Example output:

      [<ADMIN> ~]$ tos status         
[Mar 28 13:42:09]  INFO Checking cluster health status           
TOS Aurora
Tos Version: 24.2 (PRC1.1.0)

System Status: "Ok"
            
Cluster Status:
   Status: "Ok"
   Mode: "Preparing High Availability"

Nodes
  Nodes:
  - ["datanode1"]
    Type: "Primary"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 32%
  - ["datanode2"]
    Type: "Data Node"
    Status: "Ok"
    Disk usage:
    - ["/opt"]
      Status: "Ok"
      Usage: 16%
 
registry
  Expiration ETA: 819 days
  Status: "Ok"

Infra
Databases:
- ["cassandra"]
  Status: "Ok"
- ["kafka"]
  Status: "Ok"
- ["mongodb"]
  Status: "Ok"
- ["mongodb_sc"]
  Status: "Ok"
- ["ongDb"]
  Status: "Ok"
- ["postgres"]
  Status: "Ok"
- [postgres_sc"]
  Status: "Ok"

Application
Application Services Status OK
Running services 54/54

  Backup Storage:
  Location: "Local
s3:http://minio.default.svc:9000/velerok8s/restic/default "
  Status: "Ok"
  Latest Backup: 2024-03-23 05:00:34 +0000 UTC