From e97d4d0b948a5cca8a92bacaf2bde07e729d1bf2 Mon Sep 17 00:00:00 2001 From: Benjamin Reed Date: Wed, 13 Nov 2024 10:11:16 -0500 Subject: [PATCH] add documentation for firewalld and selinux environments --- docs/netbox-enterprise/nbe-ec-installation.md | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) diff --git a/docs/netbox-enterprise/nbe-ec-installation.md b/docs/netbox-enterprise/nbe-ec-installation.md index 2e437f3..210035f 100644 --- a/docs/netbox-enterprise/nbe-ec-installation.md +++ b/docs/netbox-enterprise/nbe-ec-installation.md @@ -1,5 +1,10 @@ # NetBox Enterprise Embedded Cluster Installation +## Conventional Installation + +You should be able to follow these instructions for installing the Embedded Cluster in most environments. +If you are in a more restrictive environment, see the [Advanced Installation](#advanced-installation) section below. + ### Deploying the cluster The following steps are required for an Embedded Cluster (EC) installation of NetBox Enterprise. 
@@ -69,3 +74,71 @@ Once you see `Ready`, NetBox Enterprise is fully deployed, and available on port - ![NetBox Enterprise Login](../images/netbox-enterprise/netbox-enterprise-login.png) - ![NetBox Enterprise Home](../images/netbox-enterprise/netbox-enterprise-app-home.png) + +## Advanced Installation + +### Firewalld + +If you are using Firewalld (commonly found on RHEL installations, among others), you will need to create a zone for the cluster before installing. + +1. Determine any host IP addresses or networks (external or otherwise) that might need access to the cluster. +2. Create a file called `/etc/firewalld/zones/embedded-cluster.xml` with the following contents: + ```xml + + + embedded-cluster + Zone for Embedded Cluster communication + + + + + + + + + + + + + + + + ``` +3. In the spot where it says ``, add a `` tag for each host or network you want to allow. + For example, if your external IP is `1.2.3.4`, and you also have a private class C network `192.168.123.0`, you would add two lines: + ```xml + + + ``` +4. Run `sudo firewall-cmd --reload` to load the zone configuration. + +### SELinux + +There are two steps to installing with SELinux enabled with enforcement turned on. + +First, before you install the Embedded Cluster, run: +```bash +setenforce 0 +``` + +...this will temporarily disable SELinux enforcement until you reenable it, or reboot. + +Next, follow the normal instructions for [Conventional Installation](#conventional-installation) above. 
+ +Finally, run the following commands to make sure your Embedded Cluster installation is accessible with enforcement enabled: + +```bash +export EC_DIR="/var/lib/embedded-cluster" +export KUBE_DIR="${EC_DIR}/k0s" + +sudo semanage fcontext -a -t container_var_lib_t "${EC_DIR}" +sudo restorecon -R -v "${EC_DIR}" + +sudo semanage fcontext -a -t container_runtime_exec_t "${KUBE_DIR}/bin/containerd.*" +sudo semanage fcontext -a -t container_runtime_exec_t "${KUBE_DIR}/bin/runc" +sudo restorecon -R -v "${KUBE_DIR}/bin" + +sudo semanage fcontext -a -t container_var_lib_t "${KUBE_DIR}/containerd(/.*)?" +sudo semanage fcontext -a -t container_ro_file_t "${KUBE_DIR}/containerd/io.containerd.snapshotter.*/snapshots(/.*)?" +sudo restorecon -R -v ${KUBE_DIR}/containerd +``` \ No newline at end of file
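Review bot: the new lead paragraph in the first hunk ("If you are in a more restrictive environment, see the Advanced Installation section") does not say which environments count as restrictive, even though the Advanced Installation section added later in this patch covers exactly two cases, firewalld and SELinux in enforcing mode. Suggest naming them here, for example "If the host runs firewalld or SELinux in enforcing mode, see the Advanced Installation section below", so a reader knows before starting whether the conventional path applies. "You should be able to follow these instructions" also reads as hedging; "Follow these instructions in most environments" is firmer.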
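Review bot: the SELinux procedure in the second hunk never turns enforcement back on. It opens with `setenforce 0` and says this lasts "until you reenable it, or reboot", but the "Finally" block ends after the last `restorecon` command without a `sudo setenforce 1`, so a reader following the steps literally leaves the host in permissive mode until the next reboot. Suggest closing that block with `sudo setenforce 1` followed by `getenforce` to confirm the result is `Enforcing`, and adding a sentence that the `semanage fcontext` rules persist across reboots while the `setenforce` change does not. Smaller points in the same hunk: `setenforce 0` is shown without `sudo` while every later command uses it; the final line `sudo restorecon -R -v ${KUBE_DIR}/containerd` is the only one that does not quote the path, unlike `sudo restorecon -R -v "${KUBE_DIR}/bin"` above it; and in the firewalld steps the text describes `192.168.123.0` as a "private class C network" without a prefix length, whereas firewalld sources expect CIDR notation such as `192.168.123.0/24`. Step 4 could also suggest `sudo firewall-cmd --zone=embedded-cluster --list-all` after the reload so the reader can verify the zone and its sources were actually loaded.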