Preparing for installing a three-node private location
Prepare your environment before you install private location on a three-node cluster.
Review the system requirements before you prepare your environment. See System requirements.
-
Install the required packages on all nodes.
Install the following packages on all nodes:
- curl
- wget
- tar
- gzip
For example, on Ubuntu or Debian:
apt update && apt install -y curl wget tar gzipOn Red Hat Enterprise Linux or CentOS Stream:
yum install -y curl wget tar gzip -
If your environment requires an HTTP proxy for external connectivity, set the proxy environment variables on all nodes.
Set the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables. For example:
When you run the popctl up --multi-node-enable command (starts the service) to install private location, the installation automatically uses the environment variable values from the current shell.
Example:
export HTTP_PROXY=http://proxy.example.com:8080 export HTTPS_PROXY=http://proxy.example.com:8080 export NO_PROXY=localhost,127.0.0.1,10.42.0.0/16,10.43.0.0/16,<leader-node-IP>,<instana-1-IP>,<instana-2-IP> -
Configure firewall rules to open the required ports on all nodes.
Certain Linux distributions might have firewall restrictions that impact network communication and service discovery required for installation. If you enable your firewall, add the required ports and rules.
If you have an external firewall, see the firewall documentation for information on how to open ports.
-
On Ubuntu hosts, run the following commands on all nodes. Use the IP addresses of the nodes in the commands:
ufw allow 22/tcp ufw allow from <pop-node-0 IP> to any port 22 proto tcp ufw allow from <pop-node-0 IP> to any port 6443,10250,2379,2380,5001,9443,53 proto tcp ufw allow from <pop-node-0 IP> to any port 8472,53 proto udp ufw allow from <pop-node-1 IP> to any port 6443,10250,2379,2380,5001,9443,53 proto tcp ufw allow from <pop-node-1 IP> to any port 8472,53 proto udp ufw allow from <pop-node-2 IP> to any port 6443,10250,2379,2380,5001,9443,53 proto tcp ufw allow from <pop-node-2 IP> to any port 8472,53 proto udp ufw allow from 10.42.0.0/16 to any ufw allow from 10.43.0.0/16 to any ufw allow in on lo ufw allow out on lo ufw reload -
Run the required commands on all nodes for Debian, Red Hat Enterprise Linux, CentOS Stream, Amazon Linux, Oracle Linux, and SLES hosts.
firewall-cmd --permanent --add-port=22/tcp firewall-cmd --new-zone=internal-access --permanent firewall-cmd --permanent --zone=internal-access --add-source=<pop-node-0 IP> firewall-cmd --permanent --zone=internal-access --add-source=<pop-node-1 IP> firewall-cmd --permanent --zone=internal-access --add-source=<pop-node-2 IP> firewall-cmd --permanent --zone=internal-access --add-port=22/tcp firewall-cmd --permanent --zone=internal-access --add-port=6443/tcp firewall-cmd --permanent --zone=internal-access --add-port=10250/tcp firewall-cmd --permanent --zone=internal-access --add-port=2379/tcp firewall-cmd --permanent --zone=internal-access --add-port=2380/tcp firewall-cmd --permanent --zone=internal-access --add-port=5001/tcp firewall-cmd --permanent --zone=internal-access --add-port=8472/udp firewall-cmd --permanent --zone=internal-access --add-port=9443/tcp firewall-cmd --permanent --zone=internal-access --add-port=53/udp firewall-cmd --permanent --zone=internal-access --add-port=53/tcp firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 firewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 firewall-cmd --permanent --zone=trusted --add-interface=lo firewall-cmd --reload
Verify that the required ports are open by using tools such as netstat, ss, or nmap. For example, to verify that port 6,443 is listening:
ss -tuln | grep 6443 -
-
Configure passwordless SSH access between all three nodes.
Configure Secure Shell (SSH) for multi-node clusters. The user must be able to connect from the leader node to instana-1 and instana-2 by using SSH without a password.
- The root user must have passwordless SSH access to all three nodes.
- A non-root user must have passwordless SSH access to all three nodes and sudo privileges on each node.
You can run popctl as root or as a user with sudo access.
-
If no SSH keys exist in your cluster, generate an SSH key pair on the leader node.
ssh-keygen -t rsa - Copy the public key content to the $HOME/.ssh/authorized_keys file of instana-1 and instana-2.
-
If the sshd services in instana-1 and instana-2 listen on an alternative
port instead of the default SSH port 22, update the $HOME/.ssh/config file on
the leader node to use that port.
cat <<EOF >> ~/.ssh/config Host * port <alternate_port_number> EOF -
Test the SSH connection between the leader node and the other two nodes.
ssh <username>@<node_ip>If the SSH connection succeeds, you see a command prompt. If you get an error message, verify that you copied the public key to the correct user account on the node.
To install private location on a three-node cluster, see Installing popctl three node.