Preparing for installing a three-node private location

Prepare your environment before you install private location on a three-node cluster.

Review the system requirements before you prepare your environment. See System requirements.

Note:
The preparation commands in the following sections are for a root user. If you are a non-root user, run these commands by using sudo.
  1. Install the required packages on all nodes.

    Install the following packages on all nodes:

    • curl
    • wget
    • tar
    • gzip

    For example, on Ubuntu or Debian:

    apt update && apt install -y curl wget tar gzip

    On Red Hat Enterprise Linux or CentOS Stream:

    yum install -y curl wget tar gzip
  2. If your environment requires an HTTP proxy for external connectivity, set the proxy environment variables on all nodes.

    Set the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables. For example:

    When you run the popctl up --multi-node-enable command (starts the service) to install private location, the installation automatically uses the environment variable values from the current shell.

    Example:

    export HTTP_PROXY=http://proxy.example.com:8080
    export HTTPS_PROXY=http://proxy.example.com:8080
    export NO_PROXY=localhost,127.0.0.1,10.42.0.0/16,10.43.0.0/16,<leader-node-IP>,<instana-1-IP>,<instana-2-IP>
  3. Configure firewall rules to open the required ports on all nodes.

    Certain Linux distributions might have firewall restrictions that impact network communication and service discovery required for installation. If you enable your firewall, add the required ports and rules.

    If you have an external firewall, see the firewall documentation for information on how to open ports.

    • On Ubuntu hosts, run the following commands on all nodes. Use the IP addresses of the nodes in the commands:

      ufw allow 22/tcp
      ufw allow from <pop-node-0 IP> to any port 22 proto tcp
      ufw allow from <pop-node-0 IP> to any port 6443,10250,2379,2380,5001,9443,53 proto tcp
      ufw allow from <pop-node-0 IP> to any port 8472,53 proto udp
      ufw allow from <pop-node-1 IP> to any port 6443,10250,2379,2380,5001,9443,53 proto tcp
      ufw allow from <pop-node-1 IP> to any port 8472,53 proto udp
      ufw allow from <pop-node-2 IP> to any port 6443,10250,2379,2380,5001,9443,53 proto tcp
      ufw allow from <pop-node-2 IP> to any port 8472,53 proto udp
      ufw allow from 10.42.0.0/16 to any
      ufw allow from 10.43.0.0/16 to any
      ufw allow in on lo
      ufw allow out on lo
      ufw reload
    • Run the required commands on all nodes for Debian, Red Hat Enterprise Linux, CentOS Stream, Amazon Linux, Oracle Linux, and SLES hosts.

      firewall-cmd --permanent --add-port=22/tcp
      firewall-cmd --new-zone=internal-access --permanent
      firewall-cmd --permanent --zone=internal-access --add-source=<pop-node-0 IP>
      firewall-cmd --permanent --zone=internal-access --add-source=<pop-node-1 IP>
      firewall-cmd --permanent --zone=internal-access --add-source=<pop-node-2 IP>
      firewall-cmd --permanent --zone=internal-access --add-port=22/tcp
      firewall-cmd --permanent --zone=internal-access --add-port=6443/tcp
      firewall-cmd --permanent --zone=internal-access --add-port=10250/tcp
      firewall-cmd --permanent --zone=internal-access --add-port=2379/tcp
      firewall-cmd --permanent --zone=internal-access --add-port=2380/tcp
      firewall-cmd --permanent --zone=internal-access --add-port=5001/tcp
      firewall-cmd --permanent --zone=internal-access --add-port=8472/udp
      firewall-cmd --permanent --zone=internal-access --add-port=9443/tcp
      firewall-cmd --permanent --zone=internal-access --add-port=53/udp
      firewall-cmd --permanent --zone=internal-access --add-port=53/tcp
      firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16
      firewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16
      firewall-cmd --permanent --zone=trusted --add-interface=lo
      firewall-cmd --reload

    Verify that the required ports are open by using tools such as netstat, ss, or nmap. For example, to verify that port 6,443 is listening:

    ss -tuln | grep 6443
  4. Configure passwordless SSH access between all three nodes.

    Configure Secure Shell (SSH) for multi-node clusters. The user must be able to connect from the leader node to instana-1 and instana-2 by using SSH without a password.

    • The root user must have passwordless SSH access to all three nodes.
    • A non-root user must have passwordless SSH access to all three nodes and sudo privileges on each node.

    You can run popctl as root or as a user with sudo access.

    1. If no SSH keys exist in your cluster, generate an SSH key pair on the leader node.
      ssh-keygen -t rsa
    2. Copy the public key content to the $HOME/.ssh/authorized_keys file of instana-1 and instana-2.
    3. If the sshd services in instana-1 and instana-2 listen on an alternative port instead of the default SSH port 22, update the $HOME/.ssh/config file on the leader node to use that port.
      cat <<EOF >> ~/.ssh/config
      Host *
          port <alternate_port_number>
      EOF
    4. Test the SSH connection between the leader node and the other two nodes.
      ssh <username>@<node_ip>

      If the SSH connection succeeds, you see a command prompt. If you get an error message, verify that you copied the public key to the correct user account on the node.

To install private location on a three-node cluster, see Installing popctl three node.