Adding a Worker Node - AWS

Overview

This procedure is for adding a worker node to an existing TOS cluster on the AWS platform. If you have not yet installed TOS on the primary data nodes, start with Clean Install of TOS on AWS. For all other installation paths such as upgrade or other platforms, see the menu for the appropriate procedure.

You do not need to install TOS on the worker nodes.

Prerequisites

• This procedure must be performed by an experienced Linux administrator with knowledge of network and storage configuration.

• To ensure optimal performance and reliability, the required resources need to be allocated exclusively to TOS. If resources become unavailable, this will affect TOS performance. Do not oversubscribe resources.

• IP tables version 1.8.5 and above. IP tables must be reserved exclusively for TOS Aurora and cannot be used for any other purpose. During installation, any existing IP tables configurations will be flushed and replaced.

• Your primary data node must also be deployed on AWS.

• You must know the resources you will need - CPU cores, RAM, disk space and the load-model parameter, provided by your account team based on the procedure Calculate resources - clean install.

• (On-premises deployments only) The node's network IP must be on the same subnet as the cluster primary VIP.

• We do not recommend installing on your server 3rd party software not specified in the current procedure. It may impact TOS functionality and features, and it is your responsibility to verify that it is safe to use.

• Give the node a unique hostname in the cluster - use the command below, replacing <mynode> with your preferred name:

[<ADMIN> ~]$ sudo hostnamectl set-hostname <mynode>

sudo hostnamectl set-hostname <mynode>

• If you intend to use syslog, allocate a syslog VIP on the same subnet as your primary VIP.

Operating System Requirements

• OS distribution:

  • Red Hat Enterprise Linux 8.10

  • Rocky Linux 8.10

• Disks:

  • Select a storage type of SSD. Take into consideration that TOS requires 7,500 IOPS and the throughput expected will average 250MB/s with bursts of up to 700MB/s.

  • The disk for the operating system and TOS data requires three partitions: /opt, /var and /tmp.

  • Partition sizes:

    • /opt: Use the Sizing Calculator to determine the partition size

    • /var: 200 GB

    • /tmp: 25 GB

  • We recommend allocating the /opt partition all remaining disk space after you have partitioned the OS disk and moved etcd to a separate disk.

• Secure boot must be disabled.

• The kernel must be up-to-date

• SELinux must be disabled

• Language: en-US

• You must have permissions to execute TOS CLI commands located in directory /usr/local/bin/tos and to use sudo if necessary.

• To run TOS CLI commands without specifying the full path (/usr/local/bin/tos), your environment path must be modified accordingly.

• The server timezone must be set.

Network Requirements

• Tufin Orchestration Suite must only be installed in an appropriately secured network and physical location. Only authorized users should be granted access to TOS products and the operating system on the server.

• You must allow access to required Ports and Services.

• All TOS nodes need to be on the same subnet and layer 2 network that supports ARP (address resolution protocol).

• All TOS nodes should have network latency of under 1ms.

• Network configurations for your interface must be set to manual IPv4 with gateway and DNS Servers set to the IPs used by your organization.

  The system will use a reverse DNS lookup (PTR record) to resolve the DNS IP addresses with the domain name during the TOS installation. Therefore you have to add these PTR records to the DNS server. If you do not, the TOS installation will fail.

• Allocate a 24-bit CIDR subnet for the Kubernetes service network and a 16-bit CIDR subnet for the Kubernetes pods network (10.244.0.0/16 is used by default).

  The pods and services networks must be inside the following private networks: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. In addition, ensure that the dedicated CIDR for the service network and pods network don't overlap with each other, and:

  • The physical addresses of your TOS servers (see below)

  • Your primary VIP, Syslog VIP or external load balancer IP (see below)

  • Any other subnets communicating with TOS or with TOS nodes

• If a proxy is configured on your system make sure this network is excluded.

• You must have available the following dedicated IP addresses:

  • For on-premise deployments, a primary VIP that will serve as the external  IP address used to access TOS from your browser. The primary VIP will not be needed in the installation of the operating system, except in the final step - the installation command.
  • The physical network IP address of the first network interface used by the administrator for CLI commands. This is the IP address you will use in most steps of the procedure.

  • If additional nodes are subsequently added to the cluster, each node will require an additional dedicated physical network IP address.

  • Additional syslog VIPs can be allocated as needed.

  • The VIP, all node physical network IP addresses and all syslog VIPs must be on the first network interface.

  • Make sure your first physical interface is correctly configured and all other interfaces are not on the same network.

    To find the first network interface, run the following command:

    [<ADMIN> ~]$ sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'

    sudo /opt/tufinos/scripts/network_interface_by_pci_order.sh | awk -F'=' '/NET_IFS\[0\]/ { print $NF }'

    Otherwise network errors such as connectivity failures and incorrect traffic routing might occur.

Procedure

Before you proceed, read and understand Prerequisites - this may prevent unexpected failures.

1. Launch the instance

   For additional help, refer to the official AWS documentation - Create your EC2 resources and launch your EC2 instance.

   1. In your AWS console, navigate to EC2 > Instances > Launch Instances.

   2. In the Name and tags pane, enter the name of the instance.

      

   3. In the Application and OS Images pane, choose an Amazon Machine image (AMI) from the AWS Marketplace. The AMI needs to be for:

      • Red Hat Enterprise Linux 8.10

      • Rocky Linux 8.10

      If you select Red Hat, it must be 'Red Hat Enterprise Linux Server Standard'. Other Linux distributions and versions are not supported. The AMI must include Logical Volume Management (LVM), which is required to enlarge the volumes.

   4. In the Instance type pane, select an instance type that meets your CPU and RAM resource requirements (see Prerequisites section).

      

   5. In the Key pair (login) pane, select or create a key pair to securely connect to your instance.

      

   6. In the Network Settings pane, click Edit, and enter/select the following details:

      • Network: The VPC you are using with this instance

      • Subnet: The subnet you are using with this instance

      • Auto-assign public IP: Select Disable.

      • Firewall (security groups): Create a new security group, or select an existing security group that you want to use to control the traffic to your instance.

      

   7. In the Configure Storage pane:

      1. Click Add new volume.

      2. For each volume, enter/select the following:

         • 300

         • General purpose SSD (gp3)

      

      3. Click the Advanced link, and set the IOPS, Throughput, and Encryption for each volume. Take into consideration that TOS requires 7,500 IOPS and the throughput expected will average 250MB/s with bursts of up to 700MB/s.

         The encryption should match your company's security policy.

         

   8. Click Launch Instance.

   9. (Optional) We recommend changing the permissions of the .pem file downloaded to your PC to prevent unauthorized users from running it. If your PC is running on a Linux-like operating system, run the command:

      [<ADMIN> ~]# chmod 400 <pem_key_name>

      chmod 400 <pem_key_name>

   10. When required, log in to the instance as follows:

       [<ADMIN> ~]# ssh -i <pem_key_name> <awsuser>@<IP>

       ssh -i <pem_key_name> <awsuser>@<IP>

       where

       • <pem_key_name> is the name of the .pem file downloaded previously from the AWS console

       • <awsuser> is the name of your AWS user

       • <IP> is its private or public IP

2. Modify the Target Groups

   1. In your AWS console, navigate to EC2 > Target Groups. All targets groups are listed.

   2. For each of the target groups created previously for the primary data node:

      1. Select the target group.

      2. Select tab Targets.

      3. Select Register targets.

      4. Enter/select details:

         • Network: The VPC allocated to TOS

         • IPv4 address: The IP address of the new instance

         • Ports: The corresponding source port for the defined target port - same as in the target added previously for the primary data node e.g. 31099

      5. Click Include as pending below.

      6. Click Register pending targets.

3. Configure Partitions.

   If not done already, set up partitions according to the Prerequisites.

4. Configure the Operating System.

   1. If you are not currently logged in as user root, do so now.

      [<ADMIN> ~]$ su -

      su -

   2. If you want to change the host name or IP of the machine, do so now. Once TOS has been installed, changing the host name or IP address will require reinstalling - see Changing IP Address/Host Names. To change the host name, use the command below, replacing <mynode> with your preferred name.

      [<ADMIN> ~]# hostnamectl set-hostname <mynode>

      hostnamectl set-hostname <mynode>

   3. Modify the environment path to run TOS CLI commands without specifying the full path (/usr/local/bin/tos).

      [<ADMIN> ~]# echo 'export PATH="${PATH}:/usr/local/bin"' | sudo tee -a /root/.bashrc > /dev/null

      echo 'export PATH="${PATH}:/usr/local/bin"' | sudo tee -a /root/.bashrc > /dev/null

   4. Synchronize your machine time with a trusted NTP server. Follow the steps in Configuring NTP Using Chrony.

   5. Configure the server timezone.

      [<ADMIN> ~]# timedatectl set-timezone <timezone>

      timedatectl set-timezone <timezone>

      where <timezone> is in the format Area/Location. Examples: America/Jamaica, Hongkong, GMT, Europe/Prague. List the time-zone formats that can be used in the command.

      [<ADMIN> ~]# timedatectl list-timezones

      timedatectl list-timezones

   6. Upgrade the kernel:

      [<ADMIN> ~]# dnf upgrade

      dnf upgrade

   7. Disable SELinux:

      • If file /etc/selinux/config exists, edit and change the value of SELINUX to disabled:

        SELINUX=disabled

      • If the file doesn't exist or SELINUX is already set to disabled, do nothing.
   8. Reboot the machine and log in.

   9. Install Wireguard. This is needed to encrypt communication between nodes (machines) within the cluster. The wireguard version must match the operating version you are installing.

   [<ADMIN> ~]# sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm

   sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm

   [<ADMIN> ~]# sudo yum install kmod-wireguard wireguard-tools

   sudo yum install kmod-wireguard wireguard-tools
   10. Reboot the machine and log in.

   11. Install tmux and rsync:

       [<ADMIN> ~]# dnf install -y rsync tmux

       dnf install -y rsync tmux

   12. Disable the firewall:

       [<ADMIN> ~]# systemctl stop firewalld

       systemctl stop firewalld

       [<ADMIN> ~]# systemctl disable firewalld

       systemctl disable firewalld

   13. Create the TOS load module configuration file /etc/modules-load.d/tufin.conf. Example using vi:

       [<ADMIN> ~]# vi /etc/modules-load.d/tufin.conf

       vi /etc/modules-load.d/tufin.conf

   14. Specify the modules to be loaded by adding the following lines to the configuration file created in the previous step. The modules will then be loaded automatically on boot.

       br_netfilter
       wireguard
       overlay
       ebtables
       ebtable_filter

       br_netfilter wireguard overlay ebtables ebtable_filter

   15. Load the above modules now:

       [<ADMIN> ~]# cat /etc/modules-load.d/tufin.conf |xargs modprobe -a 

       cat /etc/modules-load.d/tufin.conf |xargs modprobe -a

       Look carefully at the output to confirm all modules loaded correctly; an error message will be issued for any modules that failed to load.

   16. Check that Wireguard has loaded correctly.

       [<ADMIN> ~]# lsmod |grep wireguard

       lsmod |grep wireguard

       The output will appear something like this:

       wireguard              201106  0
       ip6_udp_tunnel         12755  1 wireguard
       udp_tunnel             14423  1 wireguard
       

       If Wireguard is not listed in the output, contact support.

   17. Create the TOS kernel configuration file /etc/sysctl.d/tufin.conf. Example using vi:

       [<ADMIN> ~]# vi /etc/sysctl.d/tufin.conf

       vi /etc/sysctl.d/tufin.conf

   18. Specify the kernel settings to be made by adding the following lines to the configuration file created in the previous step. The settings will then be applied on boot.

       net.bridge.bridge-nf-call-iptables = 1
       fs.inotify.max_user_watches = 1048576
       fs.inotify.max_user_instances = 10000
       net.ipv4.ip_forward = 1

       net.bridge.bridge-nf-call-iptables = 1 fs.inotify.max_user_watches = 1048576 fs.inotify.max_user_instances = 10000 net.ipv4.ip_forward = 1

   19. Apply the above kernel settings now:

       [<ADMIN> ~]# sysctl --system

       sysctl --system

   For maximum security, we recommend only installing official security updates and security patches for your Linux distribution, as well as the RPMs specifically mentioned in this section.
5. Add the Node to the Cluster.

   1. Log in to the primary data node.

   2. On the primary data node:

      [<ADMIN> ~]$ sudo tos cluster node add --role=worker

      sudo tos cluster node add --role=worker

      On completion, a new command string is displayed, which you will need to run on the new node within 30 minutes. If the allocated time expires, you will need to repeat the current step.

   3. Copy the command string to the clipboard.

   4. Log in to the new node.

   5. On the new node, paste the command string copied previously and run it. If the allocated time has expired, you will need to start from the beginning.
   6. Verify that the node was added by running sudo tos cluster node list on the primary data node.
6. Check the TOS status.

   1. On the primary data node, check the TOS status.

      [<ADMIN> ~]$ tos status

      tos status

   2. In the output, check if the System Status is Ok and all the items listed under Components appear as Ok. If this is not the case, contact Tufin Support.

   Example output for a central cluster data node:

   [<ADMIN> ~]$ tos status         
   [Mar 28 13:42:09]  INFO Checking cluster health status           
   TOS Aurora
   Tos Version: 24.2 (PRC1.1.0)
   
   System Status: "Ok"
               
   Cluster Status:
      Status: "Ok"
      Mode: "Multi Node"
   
   Nodes
     Nodes:
     - ["node1"]
       Type: "Primary"
       Status: "Ok"
       Disk usage:
       - ["/opt"]
         Status: "Ok"
         Usage: 19%
     - ["node3"]
       Type: "Worker Node"
       Status: "Ok"
       Disk usage:
       - ["/opt"]
         Status: "Ok"
         Usage: 4%
   
   registry
     Expiration ETA: 819 days
     Status: "Ok"
   
   Infra
   Databases:
   - ["cassandra"]
     Status: "Ok"
   - ["kafka"]
     Status: "Ok"
   - ["mongodb"]
     Status: "Ok"
   - ["mongodb_sc"]
     Status: "Ok"
   - ["ongDb"]
     Status: "Ok"
   - ["postgres"]
     Status: "Ok"
   - ["postgres_sc"]
     Status: "Ok"
   
   Application
   Application Services Status OK
   Running services 50/50
   
   Remote Clusters
   Number Of Remote Clusters: 2
     - ["RC"]
        Connectivity Status:: "OK:"
     - ["RC2"]
        Connectivity Status:: "OK"
   
     Backup Storage:
     Location: "Local
   s3:http://minio.default.svc:9000/velerok8s/restic/default "
     Status: "Ok"
     Latest Backup: 2024-03-23 05:00:34 +0000 UTC			

   Example output for a remote cluster data node:

   [<ADMIN> ~]$ tos status         
   [Mar 28 13:42:09]  INFO Checking cluster health status           
   TOS Aurora
   Tos Version: 24.2 (PRC1.0.0)
   
   System Status: "Ok"
               
   Cluster Status:
      Status: "Ok"
      Mode: "Single Node"
   
   Nodes
     Nodes:
     - ["node2"]
       Type: "Primary"
       Status: "Ok"
       Disk usage:
       - ["/opt"]
         Status: "Ok"
         Usage: 19%
     
   registry
     Expiration ETA: 819 days
     Status: "Ok"
   
   Infra
   Databases:
   - ["mongodb"]
     Status: "Ok"
   - ["postgres"]
     Status: "Ok"
   
   Application
   Application Services Status OK
   Running services 16/16
   
     Backup Storage:
     Location: "Local
   s3:http://minio.default.svc:9000/velerok8s/restic/default "
     Status: "Ok"
     Latest Backup: 2024-03-23 05:00:34 +0000 UTC			

After the node is added, we recommend stopping tos and then starting it to enhance the node's performance. This will require downtime.