Detailed Technical Information for IT Administrators and Security Officers

By Steve posted 02-28-2017 17:36

  

Summary

Docker-Engine is the main dependency for running Jama; our orchestration tool, Replicated, also depends on it. With the internet installation method, Docker-Engine is installed along with any dependencies it needs. For air-gapped installations, Docker-Engine and its dependencies must be installed manually before the installation can succeed.

Details

Docker-Engine

Docker-Engine is only supported on 64-bit Linux operating systems with a kernel version of 3.10 or later.

https://docs.docker.com/engine/installation/

  • Show the Operating System version
$ cat /etc/*release
  • Show current version of the kernel
$ uname -r
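The following script is an added example (not part of the Jama or Replicated installers) that turns the two checks above into a preflight test: it compares the running kernel against 3.10 and confirms the architecture is x86_64. kernel_at_least accepts the raw uname -r format, including distribution suffixes such as 3.10.0-327.el7.x86_64, so it can be tested against version strings without running on that kernel. The function names are chosen for this example.

```sh
#!/bin/sh
# Added example, not part of the Jama or Replicated installers: preflight check for
# the Docker-Engine host requirements (64-bit Linux, kernel 3.10 or later).

# kernel_at_least <required> <actual>: exit 0 if <actual> is >= <required>.
# <actual> may be a raw "uname -r" string; the distribution suffix is stripped,
# e.g. "3.10.0-327.el7.x86_64" is compared as 3.10.0.
kernel_at_least() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        { sub(/[^0-9.].*/, "")                  # drop "-327.el7..." style suffixes
          v[NR] = $1 * 1000000 + $2 * 1000 + $3 # missing components count as 0
        }
        END { exit !(v[2] >= v[1]) }'
}

# docker_host_preflight: inspect the running host, report each failure, exit 1 on any.
# Only x86_64 is accepted as "64-bit"; that is what the yum dependency grep ('_64')
# in this article targets.
docker_host_preflight() {
    status=0
    [ "$(uname -s)" = Linux ] || { echo "FAIL: not Linux ($(uname -s))" >&2; status=1; }
    case "$(uname -m)" in
        x86_64) ;;
        *) echo "FAIL: 64-bit (x86_64) Linux required, got $(uname -m)" >&2; status=1 ;;
    esac
    if kernel_at_least 3.10 "$(uname -r)"; then
        echo "ok: kernel $(uname -r)"
    else
        echo "FAIL: kernel $(uname -r) is older than 3.10" >&2; status=1
    fi
    # Report the distribution the way "cat /etc/*release" would, if the file exists.
    [ -r /etc/os-release ] && echo "ok: $(sed -n 's/^PRETTY_NAME=//p' /etc/os-release | tr -d '"')"
    return $status
}
```

Run docker_host_preflight on the candidate host before starting the installer; a non-zero exit means at least one requirement is not met and the reason has been printed.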

Supported versions of Docker-Engine

Replicated lists the supported version range here: Airgapped Installations - Replicated. We suggest disabling the Docker package repository except when explicitly updating Docker-Engine to a version listed there, so that a routine package upgrade cannot pull in an unsupported release.

Dependencies

Dependencies differ between Linux distributions. Below are examples of how to identify them with the package manager, for both yum and apt.

RHEL 7

  • Show dependency list for Docker-Engine
$ sudo yum deplist docker-engine | grep provider | grep '_64' | sort -u
  • Install a particular version of Docker-Engine (for example, 1.12.3)
$ sudo yum install docker-engine-1.12.3

Ubuntu

  • Show available versions of Docker-Engine
$ apt-cache policy docker-engine
  • Show the iptables dependency for a particular version (for example, 1.12.3); drop the final grep to see every dependency line
$ apt-cache showpkg docker-engine | grep '1.12.3' | grep iptab
  • Install a particular version of Docker-Engine (for example, 1.12.3-0~trusty on Ubuntu 14.04)
$ sudo apt-get install docker-engine=1.12.3-0~trusty

Certificates

Jama requires certificates for two purposes: so that browsers trust the site, and so that Jama trusts remote services such as SMTP and IMAP servers. Three files in PEM format are needed.

Steps for resolution (PKCS12 / PFX example)

Reference URL: https://www.sslshopper.com/ssl-converter.html

  1. Convert the entire bundle to PEM format without the key
    1. openssl pkcs12 -in cert.pfx -out cert_chain.pem -nodes -nokeys
  2. Copy the PEM file to two different files
    1. domaincert.pem
    2. cacert.pem
  3. Edit domaincert.pem and remove the Root CA certificate, leaving the server certificate first, followed by any intermediate certificates
  4. Edit cacert.pem and remove everything except the Root CA certificate
  5. Extract the key (note that -nodes writes it unencrypted, so restrict its file permissions and delete the working copies once they have been uploaded)
    1. openssl pkcs12 -in cert.pfx -out key.pem -nodes -nocerts
  6. Confirm that you have four PEM-formatted files; only three of them are used
    1. cert_chain.pem
    2. domaincert.pem
    3. key.pem
    4. cacert.pem
  7. Import/upload domaincert.pem and key.pem in the Admin Dashboard under Settings / Hostname / Custom TLS Configuration
    1. Note that the check in Replicated will say the certificate is signed by an unknown CA. Ignore this error.
  8. Import/upload cacert.pem in the Admin Dashboard under Settings / Trusted Certificates
  9. Save and apply the settings (this restarts the application, interrupting user access for a few minutes)
  10. Log on as a user and test the @mention functionality (this sends an email to a user)
  11. Reply to the test @mention to confirm the message is picked up and posted in the comment thread or Stream section
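Steps 1 to 6 above, as an added example script rather than anything shipped with Jama or Replicated. It assumes openssl is on the PATH, reads the PFX password from a PFX_PASS environment variable (empty if unset), and writes the files into a directory you name. Instead of editing the PEM files by hand, it identifies the Root CA as the self-signed certificate and the server certificate as the one whose public key matches the extracted private key, then checks with openssl verify that domaincert.pem chains up to cacert.pem before anything is uploaded. The function names and output layout are chosen for this example.

```sh
#!/bin/sh
# Added example, not Jama's or Replicated's code: split a PKCS#12 (.pfx) bundle into
# the PEM files used in steps 1-8 and verify them before uploading.
# Assumes: openssl on PATH; PFX password in $PFX_PASS (empty if unset).
set -eu

# split_pfx <bundle.pfx> <outdir>: writes cert_chain.pem, key.pem, domaincert.pem, cacert.pem
split_pfx() {
    pfx=$1; out=$2; pass="pass:${PFX_PASS:-}"
    mkdir -p "$out"

    # Step 1: all certificates, no key.   Step 5: the private key alone (unencrypted).
    openssl pkcs12 -in "$pfx" -passin "$pass" -nodes -nokeys  -out "$out/cert_chain.pem"
    openssl pkcs12 -in "$pfx" -passin "$pass" -nodes -nocerts -out "$out/key.pem"
    chmod 600 "$out/key.pem"

    # One file per certificate; the "Bag Attributes" comment lines pkcs12 emits are dropped.
    rm -f "$out"/chunk_*.pem
    awk -v dir="$out" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/chunk_%02d.pem", dir, n) }
        n && f                       { print > f }
        /-----END CERTIFICATE-----/  { close(f); f = "" }
    ' "$out/cert_chain.pem"

    # The server certificate is the one whose public key matches key.pem; the Root CA
    # is the self-signed one (subject == issuer); anything else is an intermediate.
    keypub=$(openssl pkey -in "$out/key.pem" -pubout)
    leaf=""; inter=""; : > "$out/cacert.pem"
    for c in "$out"/chunk_*.pem; do
        subj=$(openssl x509 -in "$c" -noout -subject); subj=${subj#subject=}
        iss=$(openssl x509 -in "$c" -noout -issuer);   iss=${iss#issuer=}
        if [ "$(openssl x509 -in "$c" -noout -pubkey)" = "$keypub" ]; then
            leaf=$c
        elif [ "$subj" = "$iss" ]; then
            cat "$c" >> "$out/cacert.pem"          # step 4: only the Root CA
        else
            inter="$inter $c"
        fi
    done
    [ -n "$leaf" ] || { echo "no certificate in $pfx matches the private key" >&2; return 1; }
    cat "$leaf" $inter > "$out/domaincert.pem"     # step 3: server cert first, then intermediates
    rm -f "$out"/chunk_*.pem
    [ -s "$out/cacert.pem" ] || echo "warning: bundle contains no self-signed root; cacert.pem is empty" >&2
}

# verify_split <outdir>: exit 0 when domaincert.pem chains up to cacert.pem
verify_split() {
    openssl verify -CAfile "$1/cacert.pem" -untrusted "$1/domaincert.pem" "$1/domaincert.pem" >/dev/null
}
```

Usage: PFX_PASS='...' split_pfx cert.pfx ./tls && verify_split ./tls. If verify_split fails, the bundle is missing an intermediate or its root, and uploading the files will reproduce the "unknown CA" condition in a way that is not safe to ignore.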

Networking

To install Jama, the application server needs access to several domains used by Replicated and Jama. These are listed at https://www.replicated.com/docs/kb/developer-resources/domains-required-by-replicated/ . The Replicated and Jama containers use private, NATed IP addresses that Docker creates and manages; Docker creates a gateway (bridge) interface named "docker0". You can use the following commands to view Docker network information. Traditional Linux network commands (for example, ip addr and ip route) also work.

  • Show networks
$ docker network ls
  • Show network info about the bridge interface (subnet, gateway and attached containers)
$ docker network inspect bridge
  • Confirm you have internet access with a return route (the endpoint echoes the public IP address the request arrived from)
$ curl https://api.replicated.com/market/v1/echo/ip
192.206.204.10


Security

On the application host(s) we use iptables to isolate traffic to, from and between containers.

Firewalld must be disabled during the installation on RHEL-based systems. It can be re-enabled afterwards to further secure the host, but note that firewalld and Docker both manage iptables: a firewalld restart or reload flushes the rules Docker inserted for docker0, so check that the Docker chains are still present (and restart the Docker daemon if they are gone) after any change to the firewalld configuration.

  • Disable and stop Firewalld
$ sudo systemctl disable firewalld
$ sudo systemctl stop firewalld
  • Enable and start Firewalld
$ sudo systemctl enable firewalld
$ sudo systemctl start firewalld

iptables is configured during installation. The rules can be viewed with the following commands (the filter table, then the NAT table that holds the container port mappings):

$ sudo iptables -L -n -v
$ sudo iptables -t nat -L -n
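Because a firewalld restart or "firewall-cmd --reload" flushes iptables rules it does not own, the Docker rules for docker0 can silently disappear after firewalld is re-enabled. The following added check (not part of the Jama or Replicated installation) reads the output of iptables -S followed by iptables -t nat -S from standard input and confirms that the chains and jumps Docker installs for docker0 are still present. The expected rule shapes are those produced by Docker-Engine 1.12, the series this article uses as its example; later releases add further chains, which the check does not require. The bridge subnet is matched as a pattern because Docker assigns it. Both sample rule dumps are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the Jama or Replicated installation: verify that the
# iptables rules Docker inserts for docker0 survived a firewalld restart/reload.
# Input on stdin: "iptables -S" output followed by "iptables -t nat -S" output.
# Rule shapes assumed are those of Docker-Engine 1.12 (an assumption of this example).

# docker_rules_ok < rules: exit 0 when every expected rule is found; otherwise list
# the missing ones on stderr and exit 1.
docker_rules_ok() {
    rules=$(cat)
    missing=""
    for pat in \
        '^-N DOCKER$' \
        '^-A FORWARD -o docker0 -j DOCKER$' \
        '^-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT$' \
        '^-A FORWARD -i docker0 ! -o docker0 -j ACCEPT$' \
        '^-A POSTROUTING -s [0-9.]+/[0-9]+ ! -o docker0 -j MASQUERADE$'
    do
        printf '%s\n' "$rules" | grep -Eq -- "$pat" || missing="$missing
  $pat"
    done
    [ -z "$missing" ] && return 0
    printf 'docker iptables rules missing (restart the docker daemon to recreate them):%s\n' "$missing" >&2
    return 1
}

# Constructed sample: a healthy host (filter table, then nat table), one published port 443.
SAMPLE_OK='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN'

# Constructed sample: the same host after a firewalld reload flushed everything but the policies.
SAMPLE_FLUSHED='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT'

# Live usage:  { sudo iptables -S; sudo iptables -t nat -S; } | docker_rules_ok
```

A failing check after a firewalld change is the expected symptom; restarting the Docker daemon re-creates the rules, after which the check should pass again.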

Permissions and Users

The following containers run as the respective UIDs:

  • Jamacore-base: 91
  • Search: 482
  • Elasticsearch: 481
  • Nginx: 480

Directories use 755 permissions and files use 644 permissions.

Prior to Jama 8.13, files and directories were owned by "root" with 777 permissions, and Nginx ran as its default UID, 104. Ownership and permissions are changed the first time these Docker containers are run. See this article from Replicated for more details: Replicated With Less Privileges.
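An added audit script (not Jama's or Replicated's tooling) for the scheme above: it lists every path under a directory whose mode is not 755 (directories) or 644 (files) and, when a UID is given, every path not owned by that UID. The directory path and the UID are parameters because this article does not name the volume paths; pass the UID from the list above for the container that owns the volume. Function names are chosen for this example.

```sh
#!/bin/sh
# Added example, not Jama's or Replicated's tooling: audit a directory tree against
# the scheme above (directories 0755, files 0644, owned by the container's UID).

# perm_audit <dir> [uid]: print one line per path that deviates from the scheme;
# prints nothing when the tree is clean. "find -uid" is a GNU/BSD extension to POSIX find.
perm_audit() {
    dir=$1; uid=${2:-}
    find "$dir" -type d ! -perm 755 -exec printf 'DIR   %s: mode is not 755\n' {} \;
    find "$dir" -type f ! -perm 644 -exec printf 'FILE  %s: mode is not 644\n' {} \;
    if [ -n "$uid" ]; then
        find "$dir" ! -uid "$uid" -exec printf 'OWNER %s: not owned by uid %s\n' {} "$uid" \;
    fi
}

# perm_audit_count <dir> [uid]: number of offending paths (0 means the tree is clean)
perm_audit_count() {
    perm_audit "$@" | grep -c .
}

# Example: audit a volume the Jamacore-base container (UID 91 above) should own:
#   perm_audit /path/to/jama/volume 91
```

Run it after the first start of the containers on Jama 8.13 or later; any remaining offenders are paths the containers did not re-own and are worth investigating before they cause a permission error inside the container.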

Things to have available during the installation

Installation

There are two options for installing Jama. The first uses a convenient one-line command that installs Docker-Engine and Replicated. Once installed, you can access the Replicated Administration Console to configure settings for Jama. Upgrading Jama is a one-click process that stops the current application containers, downloads the latest release and starts the application. The same applies to license updates, such as a change in the number of seats: a one-click process "syncs" the license with our license portal, and once the license is updated the application can be restarted to apply the new license.

The second method is specifically for air-gapped installations. An air-gapped environment means that the server has no internet access. In this scenario, all installation media must be downloaded on a separate workstation, transferred to the server and executed locally. Upgrading is not as simple as with an internet-connected server: any update must be downloaded separately and installed locally. The license change process is similar; the license must be transferred to the server, synced locally and the application restarted.



#Jama8 #installation