2.2.1.1. Rocky Linux Deployment Requirements

This section features de requirements steps for deploying OpenNAC from an empty Rocky Linux:

1. IP Address Assignment

2. Operating System Language

3. Disk Partitions

4. Network Connectivity

5. Repository Credentials

2.2.1.1.1. IP Address Assignment

The very first step to begin a deployment is IP assignment.

Note

The name of the interfaces may change depending on the OS version, i.e.: ens18

Access your deployed OVAs by CLI and provide IPs for all nodes by executing the graphical network manager:

nmtui

On the initial window, select Edit a connection:

Select the interface and press Edit:

You will see the following default configuration:

The IPv4 Configuration is set to “Automatic” by default. Change it to “Manual” and manually configure the following parameters:

• Addresses: Add node IP address with netmask (<IP>/<MASK>)

• Gateway: Add a default gateway

• DNS Servers: Add a DNS server. We recommend using the Corporate DNS server.

Set option Require IPv4 addressing for this connection.

The IPv6 Configuration is set to “Automatic” by default. Change it to “Ignore”:

Finalize by selecting <OK> at the bottom of the view and go back to the initial menu.

Afterward, apply the changes by activating and deactivating the interface. Navigate to the Network Manager menu and choose the Activate a connection option.

Deactivate and activate interface and go back to the initial menu.

Interface is now configured and can be verified by typing the following command in CLI “ifconfig” o “ip a”:

ifconfig

2.2.1.1.2. Operating System Language

Warning

In order to proceed with the configuration, ensure that the operating system language is set to English:

• Open the /etc/locale.conf file and ensure that the following line reflects the English language configuration:

LANG="en_US.UTF-8"

• Save and exit the file, then reboot the system to apply the changes.

For more information about the Rocky Linux 9 installation you can visit the official Rocky Linux official site.

2.2.1.1.3. Disk Partitions

Before deploying the nodes, it is necessary to have the proper disk partitions made. Each role requires different partitions. These partitions are made from minimum 200GB disk size. If you want to add more disk space, you should distribute it according to your needs.

Note

The recommended file system is the xfs.

Partition Role	Permissions	Principal	Proxy	Worker	Analytics	Analy+agg	Aggregator	Sensor	Captive	VPNGW
/ (xfs)	default	40GB	40GB	40GB	20GB	20GB	20GB	20GB	40GB	40GB
/backup (xfs)	nosuid,nodev,noexec	24GB		24GB
/boot (xfs)	default	1.5GB	1.5GB	1.5GB	1.5GB	1.5GB	1.5GB	1.5GB	1.5GB	1.5GB
/boot/efi (vfat)	default	1024MB	1024MB	1024MB	1024MB	1024MB	1024MB	1024MB	1024MB	1024MB
/home (xfs)	nosuid,nodev	5GB	5GB	5GB	5GB	5GB	5GB	5GB	5GB	5GB
/opt (xfs)	nosuid,nodev	10GB	10GB	10GB	10GB	10GB	10GB	127GB	10GB	10GB
/tmp (tmpfs)	nosuid,nodev,noexec	*	*	*	* (remove noexec permission)	* (remove noexec permission)	*	*	*	*
/var (xfs)	nosuid,nodev	40GB	52GB	40GB	127GB	127GB	127GB	10GB	52GB	52GB
/var/log (xfs)	nosuid,nodev,noexec	58GB	70GB	58GB	15GB	15GB	15GB	15GB	70GB	70GB
/var/log/audit (xfs)	nosuid,nodev,noexec	5GB	5GB	5GB	5GB	5GB	5GB	5GB	5GB	5GB
/var/tmp (tmpfs)	nosuid,nodev,noexec	*	*	*	*	*	*	*	*	*
Swap	default	8GB	8GB	8GB	8GB	8GB	8GB	8GB	8GB	8GB

* The system will define the partition size, because tmpfs uses volatile memory.

2.2.1.1.4. Network Connectivity

The following flows must be allowed:

Note

Always add it at the end, i.e., delete the line, add it below:

-A INPUT -j REJECT –reject-with icmp-host-prohibited -A FORWARD -j REJECT –reject-with icmp-host-prohibited

Node	Open Port	Access
principal	22 (tcp)	all
	67 (udp)	all
	80 (tcp)	all
	161 (udp)	principal, worker
	443 (tcp)	all
	1812 (udp)	all
	1813 (udp)	all
	3306 (tcp)	worker
	6379 (tcp)	worker, analytics, aggregator, analy+agg, vpngw, captive, proxy, sensor
	25826 (udp)	worker, analytics, aggregator, analy+agg, vpngw, captive, proxy, sensor
worker	22 (tcp)	all
	67 (udp)	all
	80 (tcp)	all
	161 (udp)	principal, worker
	443 (tcp)	all
	1812 (udp)	all
	1813 (udp)	all
proxy	22 (tcp)	all
	161 (udp)	principal, worker
	1812 (udp)	all
	1813 (udp)	all
captive	22 (tcp)	all
	80 (tcp)	all
	161 (udp)	principal, worker
	443 (tcp)	all
analy+agg	22 (tcp)	all
	161 (udp)	principal, worker
	5000 (tcp)	principal, worker, vpngw
	5001 (tcp)	sensor
	5601 (tcp)	principal, worker
	9200 (tcp)	principal, worker, analytics
	9300 (tcp)	analytics
analytics	22 (tcp)	all
	161 (udp)	principal, worker
	5601 (tcp)	principal, worker
	9200 (tcp)	principal, worker, aggregator
	9300 (tcp)	analytics
aggregator	22 (tcp)	all
	161 (udp)	principal, worker
	5000 (tcp)	principal, worker, vpngw
	5001 (tcp)	sensor
sensor	22 (tcp)	all
	67 (udp)	all
	161 (udp)	principal, worker
vpngw		depends on what we set up in the shorewall

2.2.1.1.5. Repository Credentials

Note

It is necessary to access the repo-opennac.

Check you have access to the repository by trying to download the following file:

[root@onprincipal ~]# wget --user "repo_user" --ask-password  https://repo-opennac.opencloudfactory.com/1.2.5/opennac-v1.2.5.repo
Password for user ‘repo_user’:
--2024-03-05 13:56:26--  https://repo-opennac.opencloudfactory.com/1.2.5/opennac-v1.2.5.repo
Resolving repo-opennac.opencloudfactory.com (repo-opennac.opencloudfactory.com)... 10.21.160.10
Connecting to repo-opennac.opencloudfactory.com (repo-opennac.opencloudfactory.com)|10.21.160.10|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 388 [application/x-troff-man]
Saving to: ‘opennac-v1.2.5.repo’

opennac-v1.2.5.repo                                         100%[===========================================================================================================================================>]     388  --.-KB/s    in 0s

2024-03-05 13:56:26 (9.39 MB/s) - ‘opennac-v1.2.5.repo’ saved [388/388]

Once you verify you can access the repository, you can delete this file:

[root@onprincipal ~]# rm opennac-v1.2.5.repo
rm: remove regular file 'opennac-v1.2.5.repo'? y