Installation

This guide describes the installation of the RPM packages using yum.

This installation guide is intended to be used to install SKOOR on a fresh system. To upgrade an existing SKOOR system, please use the upgrade guide here.

Prerequisites

Disable SELinux

Before installing SKOOR Engine, SELinux must be disabled. Display the SELinux status:

sestatus

Check if mode is enforcing:

SELinux status:                 enabled
...
Current mode:                   enforcing

If so, change it at least to permissive or disable it by changing the SELinux configuration:

vi /etc/selinux/config

Change configuration to permissive or disabled:

SELINUX=disabled

Activate configuration and verify with sestatus:

setenforce 0 

Allow cron for users

If cron is restricted, the users needed by the SKOOR software must be allowed cron access by adding them to the following file:

/etc/cron.allow

Users:

postgres
eranger
reranger

SKOOR repository GPG fingerprints:

RPM-GPG-KEY-SKOOR:

0C18 95B8 11D4 71E5 D043 EFA3 69E1 147C 2CB4 0F3A

RPM-GPG-KEY-PGDG:

68c9 e2b9 1a37 d136 fe74 d176 1f16 d2e1 442d f0f8

RPM-GPG-KEY-TIMESCALEDB:

1005 fb68 604c e9b8 f687 9cf7 59f1 8edf 47f2 4417
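The published fingerprints can be compared with a key file before that key is imported or referenced in a repository definition. The following is an added example, not part of the SKOOR packages; the key file path is supplied by the caller and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not SKOOR code): check that a repository key file carries the
# fingerprint published above. The key file path is supplied by the caller.

# "0C18 95B8 ..." and "0c1895b8..." must compare equal: drop spaces, uppercase.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --with-colons` output on stdin and print primary-key fingerprints:
# the first "fpr" record (field 10) after a "pub" record. Fingerprints that
# follow "sub" records belong to subkeys and are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             want && $1 == "fpr" { print $10; want = 0 }'
}

# Succeed only if stdin lists exactly one primary key with the expected fingerprint.
listing_matches() {
    expected=$(normalize_fpr "$1")
    found=$(primary_fprs)
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# Inspect a key file without importing it, then compare.
verify_key_file() {   # verify_key_file KEYFILE "EXPECTED FINGERPRINT"
    gpg --show-keys --with-colons "$1" 2>/dev/null | listing_matches "$2"
}

# Constructed colon-format listing: a primary key with the SKOOR fingerprint
# from this page and a made-up subkey. Real gpg output fills in more fields.
SAMPLE_LISTING='pub:-:4096:1:69E1147C2CB40F3A:
fpr:::::::::0C1895B811D471E5D043EFA369E1147C2CB40F3A:
uid:-::::::::Constructed Example UID:
sub:-:4096:1:1111111111111111:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:'
```

Call `verify_key_file` with the path of the key file and the fingerprint string from this page; a non-zero exit status means the file does not hold exactly that key.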

SKOOR Engine Installation (Single server)

For systems with database replication, two separate servers must be installed as described in this section. See the Database replication guide for further configuration steps.

PostgreSQL Installation

PostgreSQL 13 is the database server needed by the SKOOR Engine. It must be installed before the SKOOR software:

Install the PostgreSQL server using the SKOOR PostgreSQL installer package:

dnf install eranger-postgresql

This package performs the following steps:

  • Installs postgresql13-server, timescaledb-2-postgresql-13, eranger-database-utils through its dependencies.

  • Initializes a database cluster using initdb

  • Tunes postgresql.conf for TimescaleDB

  • Initializes a database (plain database, no schema nor data) that can be used by the SKOOR Server

  • Opens TCP port 5432 on the firewall

PgBouncer Installation

PgBouncer is used as a connection pool and sits between SKOOR and PostgreSQL Server.

Install PgBouncer using the SKOOR PgBouncer installer package:

dnf install eranger-pgbouncer

This package performs the following steps:

  • Installs pgbouncer through its dependencies.

  • Reconfigures PostgreSQL (postgresql.conf)

    • listen_addresses = 'localhost' (only listen for local connections)

    • unix_socket_directories = '/var/run/postgresql-backend' (do not use default PostgreSQL UNIX socket)

    • max_connections = 300 (allow 300 connections)

  • Configures PgPool

    • listen_addr = *

    • listen_port = 5432

    • unix_socket_dir = /var/run/postgresql

    • max_client_conn = 300

    • default_pool_size = 60

Standard Server Installation

For customers requiring only the base set of software (i.e. most customers), run the following command to install the required packages:

dnf install eranger-server

Check the installed SKOOR Engine packages:

dnf list installed |grep eranger

Expected output:

eranger-agent.x86_64                      <version>
eranger-auth.x86_64                       <version>
eranger-collector.x86_64                  <version>
eranger-collector-eem.x86_64              <version>
eranger-collector-mail.x86_64             <version>
eranger-common.x86_64                     <version>
eranger-database-utils.x86_64             <version>
eranger-doc.x86_64                        <version>
eranger-nodejs.x86_64                     <version>
eranger-postgresql.x86_64                 <version>
eranger-pymodules.x86_64                  <version>
eranger-report.x86_64                     <version>
eranger-server.x86_64                     <version>
eranger-syncfs.x86_64                     <version>
eranger-ui.x86_64                         <version>

SKOOR Engine Collector Installation

Since release 5.5, there are two options for an external collector: full installation and basic installation. The basic installation comes with a limited feature set and fewer dependencies and can later be extended to a full installation with additional packages.

Full Skoor Engine Collector installation:

To install an external SKOOR Engine Collector use the following command for the full installation:

dnf install eranger-collector eranger-collector-eem eranger-collector-mail

Basic Skoor Engine Collector Installation:

To install a basic external SKOOR Engine Collector use the following command:

dnf install eranger-collector

Additional packages for the minimal Skoor Engine Collector:

To enable EEM Jobs on the external collector you can install the plugin with the following command:

dnf install eranger-collector-eem

To enable Mail Jobs (EWS, IMAP, POP3 or SMTP) on the external collector you can install the plugin with the following command:

dnf install eranger-collector-mail

Communication to SKOOR Engine

After installing a new external collector, the communication to the SKOOR Engine must be configured. The following section shows different possibilities to achieve this.

General

For the SKOOR Engine, a collector is a special kind of user. So every external collector must be configured in the UI. Create a locally authenticated user with the role Collector in /root /Users /Users and set a password.

Further configuration is done in the collector's configuration file on the collector server:

/etc/opt/eranger/eranger-collector.cfg

First, the server_id of the SKOOR Engine must be identified. On the SKOOR Engine host, open the eranger-server.cfg:

/etc/opt/eranger/eranger-server.cfg

Find the parameter server_id  in the configuration (if commented as in the following example, the id is 1):

#server_id      = 1

If an external collector delivers measurements to more than one SKOOR Engine, the server_id parameter must be different on every SKOOR Engine.

TCP

This is the standard way collectors communicate with the SKOOR Engine. The communication is not encrypted.

The following parameters must be configured in eranger-collector.cfg:

  • Set the server1_id parameter to the value configured on the SKOOR Engine server as server_id (default is 1)

  • Set the server1_address parameter to the SKOOR Engine hostname or IP address (unix sockets are used for local collectors only)

  • Set server1_user and server1_passwd as configured in the SKOOR Engine

server1_id            = 1
server1_address        = 10.10.10.10
#server1_port           = 50001
#server1_domain         =
server1_user           = collector-user
server1_passwd         = collector-password
#server<server_id>_fetch_parse_dir (server_id instead of index)!
#server1_fetch_parse_dir= /var/opt/run/eranger/collector/tmp

HTTP/HTTPS

Communication using HTTP with no encryption is discouraged. If required for some reason, the httpd server on the SKOOR Engine must be configured to allow this kind of communication first.

Collectors using HTTP(S) for communication cannot be switched automatically when performing a failover in a primary/standby setup.

The following section describes how to set up encrypted communication using HTTPS. For encryption, the root CA certificate used by the SKOOR Engine server must be copied to the collector system. Standard Linux paths can be used to place it in the filesystem.

Configure the required parameters in eranger-collector.cfg:

  • Set the server1_id parameter to the value configured on the SKOOR Engine server as server_id (default is 1)

  • Set the server1_address parameter to the SKOOR Engine hostname or IP address in the form of a URL as shown below

  • Make sure the server1_port parameter is commented out; it will break the communication otherwise

  • Set server1_user and server1_passwd as configured in the SKOOR Engine

  • Configure either server1_ssl_cacert or server1_ssl_capath to the location the certificate was copied to before

server1_id            = 1
server1_address        = https://10.10.10.10/skoor-collector
#server1_port           = 50001
#server1_domain         =
server1_user           = collector-user
server1_passwd         = collector-password
#server<server_id>_fetch_parse_dir (server_id instead of index)!
#server1_fetch_parse_dir= /var/opt/run/eranger/collector/tmp
server1_ssl_cacert     = /etc/pki/tls/certs/rootCA.pem

HTTPS with client authentication

Client authentication must be enabled on the SKOOR Engine first. Open the respective web server configuration file for this purpose:

/etc/httpd/conf.d/skoor-engine-over-http.conf

Uncomment the SSLVerifyClient directive:

<Location "/skoor-collector">
    ExpiresActive On
    ExpiresDefault "now"
    ProxyPass http://localhost:50080 retry=0 connectiontimeout=15 timeout=30
    SSLVerifyClient require
</Location>

Reload httpd:

systemctl reload httpd

Name                                        Description
server1_ssl_cacert                          Full path to the root CA certificate, the collector will use this specific file
server1_ssl_capath                          Path to a directory containing the root CA certificate, the collector will search for the correct certificate
server1_ssl_verify_peer                     If set to true (default), the SKOOR Engine server's certificate is verified
server1_ssl_verify_host                     If set to true (default), the hostname of the SKOOR Engine server is verified
server1_ssl_cert_client_public_key          The public key used for client authentication (collector's certificate)
server1_ssl_cert_client_private_key         The private key used for client authentication (collector's private key)
server1_ssl_cert_client_private_key_passwd  Password to read the collector's private key if set
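The transport rules from the TCP and HTTP/HTTPS sections can be checked mechanically before a collector is put into service. The following is an added example, not part of the SKOOR software; it assumes the "key = value" layout of the snippets above and that booleans are written as true or false.

```shell
#!/bin/sh
# Added example (not SKOOR code): lint collector settings for the transport
# choices described above. Assumes "key = value" lines with "#" comments as in
# the page's snippets, and booleans written as true/false (assumption).

# Print the value of an uncommented KEY in config TEXT, or nothing if absent.
cfg_get() {   # cfg_get TEXT KEY
    printf '%s\n' "$1" | awk -v k="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") == 0 { next }
        { key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key) }
        key == k { val = substr($0, index($0, "=") + 1)
                   gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit }'
}

# Print one finding per line; a verified HTTPS configuration prints nothing.
lint_collector_cfg() {   # lint_collector_cfg TEXT
    case "$(cfg_get "$1" server1_address)" in
        "") echo "server1_address is not set" ;;
        https://*)
            if [ -n "$(cfg_get "$1" server1_port)" ]; then
                echo "server1_port is set together with an HTTPS URL"
            fi
            if [ -z "$(cfg_get "$1" server1_ssl_cacert)$(cfg_get "$1" server1_ssl_capath)" ]; then
                echo "neither server1_ssl_cacert nor server1_ssl_capath is set"
            fi
            for k in server1_ssl_verify_peer server1_ssl_verify_host; do
                if [ "$(cfg_get "$1" "$k")" = "false" ]; then echo "$k is disabled"; fi
            done ;;
        http://*) echo "server1_address uses unencrypted HTTP" ;;
        *) echo "server1_address uses the unencrypted TCP transport" ;;
    esac
}

# The page's two sample configurations (some comment lines omitted).
TCP_SAMPLE='server1_id            = 1
server1_address        = 10.10.10.10
#server1_port           = 50001
server1_user           = collector-user
server1_passwd         = collector-password'

HTTPS_SAMPLE='server1_id            = 1
server1_address        = https://10.10.10.10/skoor-collector
#server1_port           = 50001
server1_user           = collector-user
server1_passwd         = collector-password
server1_ssl_cacert     = /etc/pki/tls/certs/rootCA.pem'
```

To check a live collector, pass the file contents, for example `lint_collector_cfg "$(cat /etc/opt/eranger/eranger-collector.cfg)"`.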

SKOOR Engine license

Obtain a valid license from SKOOR and add the necessary lines to the file:

/etc/opt/eranger/eranger-server.cfg

Example with a license of 1000 devices:

license_name   = Example customer
license_feature_set = 3.1
license_devices= 1000
license_key    = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

xxxx… represents the actual license key. Make sure the actual key is inserted in a single line with no newline characters in-between.

SKOOR Engine configuration

Expand the PATH Variable for root:

~/.bashrc

Add:

PATH=$PATH:/opt/eranger/bin

Then apply the changes and run eRanger.sh start to start SKOOR Engine services:

. ~/.bashrc
eRanger.sh start

===========================================================================
 Choose command                                 eRanger Version 5.0.0

 Command - Action       - Object                - Current State
===========================================================================

 1       - start        - eRanger Server        - started
 2       - start        - eRanger Collector     - started
 3       - start        - eRanger Report        - started
 4       - start        - eRanger Agent         - started
 a       - start        - all above
 9       - start        - eRanger Webservice    - started
 11      - start        - PostgreSQL            - started
 12      - start        - Rsyslog               - started
 13      - start        - Trapd                 - stopped
 14      - start        - Httpd                 - started
 15      - start        - Smsd                  - stopped
 16      - start        - Postfix               - started

 r       - Switch to restart mode
 S       - Switch to stop mode
 c       - Current eRanger status
 0       - do_exit program

Enter selection:

The Webservice, IC Alerter and Ethd are only listed if the corresponding package is installed.

Enter a to start all required services. Then exit with 0.

SKOOR Engine login

Now one should be able to log in to SKOOR Engine using a web browser by entering SKOOR Engine’s FQDN or IP address in the address bar.

The default login credentials are:

Username: admin
Password: admin

Following a default installation, the browser will complain about untrusted SSL security certificates. Either accept the default self-signed certificate or generate and install a custom SSL certificate.

By default the certificates are located under:

/etc/pki/tls/certs/

The configuration file

/etc/httpd/conf.d/eranger.conf

must be adjusted to point to the correct certificates. An example entry looks like this:

SSLCertificateFile /etc/pki/tls/certs/wildcard_mycompany.ch.crt
SSLCertificateKeyFile /etc/pki/tls/private/private-key_mycompany.ch.key 

When calling http://skoor.company.com, the webserver will rewrite the address to use https instead of http. If only http is to be used, disable the rewriting rule in the configuration file:

/etc/httpd/conf.d/eranger.conf

Comment out the following three lines (by putting a hash sign at the beginning):

# RewriteEngine On
# RewriteCond %{HTTPS} !=on
# RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

Restart Apache webserver with the command:

eRanger.sh restart httpd

or:

systemctl restart httpd

Optimizing SKOOR on virtual environments

If running SKOOR Engine or SKOOR collector inside a virtual machine, the IO scheduler needs to be adapted for performance reasons. By default, Red Hat < 7 installs with the cfq IO scheduler. The recommended IO scheduler for Red Hat systems running in a virtual machine is the noop scheduler on Red Hat 7 and the none scheduler on Red Hat 8 / 9.

For Red Hat 7 systems

Run the following commands to enable the noop scheduler for a running system for the sda block device which usually corresponds to the first disk:

# echo noop > /sys/block/sda/queue/scheduler
# cat /sys/block/sda/queue/scheduler
[noop] anticipatory deadline cfq

The noop scheduler is now marked as the current scheduler. Run this command for each of the virtual disks configured for the system (replace sda with the name of the virtual disk).
However, the above setting will not persist across reboots. Use the following guide to enable the noop scheduler persistently.

Set noop globally for all devices by editing the file /etc/default/grub as shown below and then rebuilding the grub2 configuration file:

# vi /etc/default/grub
...
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=rhel00/root rd.lvm.lv=rhel00/swap"                            (before)
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=rhel00/root rd.lvm.lv=rhel00/swap elevator=noop"              (after)
...

# grub2-mkconfig -o /boot/grub2/grub.cfg                                                                     (on BIOS-based machines)
# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg                                                            (on UEFI-based machines)

For Red Hat 8 / 9 systems

Run the following commands to enable the none scheduler for a running system for the sda block device which usually corresponds to the first disk:

# echo none > /sys/block/sda/queue/scheduler
# cat /sys/block/sda/queue/scheduler
[none] mq-deadline kyber bfq

The none scheduler is now marked as the current scheduler. Run this command for each of the virtual disks configured for the system (replace sda with the name of the virtual disk).
However, the above setting will not persist across reboots. Use the following guide to enable the none scheduler persistently.

Set none globally for all devices by editing the file /etc/default/grub as shown below and then rebuilding the grub2 configuration file:

# vi /etc/default/grub
...
GRUB_CMDLINE_LINUX="crashkernel=auto resume=/dev/mapper/rh9-swap rd.lvm.lv=rh9/root rd.lvm.lv=rh9/swap"                            (before)
GRUB_CMDLINE_LINUX="crashkernel=auto resume=/dev/mapper/rh9-swap rd.lvm.lv=rh9/root rd.lvm.lv=rh9/swap elevator=none"              (after)
...

# grub2-mkconfig -o /boot/grub2/grub.cfg                                                                     (on BIOS-based machines)
# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg                                                            (on UEFI-based machines)

Creating a yum repository

In case remote collector hosts do not have access to any Red Hat repositories but the SKOOR Engine does, it may help to create a simple software repository on the server which holds all RPM files used for installation via yum. The repository will be available to the collector hosts via port 443, which is an open port already. Here are the steps required to set up such a repository and access it from a remote collector host:

Create the repository root directory and copy all required RPM files:

# cd /srv/eranger/html
# mkdir repo
# cp /path/to/*.rpm repo/
# yum install createrepo
# createrepo ./repo

Replace /path/to/ above with the path where the required RPM files have been copied on the SKOOR Engine host. This will create a new subdirectory named repodata inside the repo directory.

Now add the repository as a package installation source on remote hosts (e.g. a SKOOR Engine collector host):

# vi /etc/yum.repos.d/SKOOR.repo
[SKOOR]
name=SKOOR
baseurl=https://<ip or hostname of repository>/repo/
sslverify=false
gpgcheck=0
enabled=1

Check access to the newly added repo from the remote host:

# yum clean all
# yum repolist 

Now the remote host can install software using the SKOOR repository as package source. 

Adding a DVD or CD as a repository

To install software from an inserted Red Hat DVD or CD, add a new repository by creating the following file:

vi /etc/yum.repos.d/RHEL_6.5_DVD.repo
[RHEL_6.5_DVD]
name=RHEL_6.5_DVD
baseurl="file:///cdrom/"
gpgcheck=0
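
Both repository definitions above, the SKOOR repository and the DVD repository, set gpgcheck=0, and the SKOOR one also sets sslverify=false, so packages from them are installed without signature or server certificate checks. The following added example (not part of the SKOOR guide) reports such stanzas and shows a corrected SKOOR stanza; the two file paths in it are placeholders, and it assumes the copied RPMs are signed with the keys whose fingerprints are listed in the prerequisites.

```shell
#!/bin/sh
# Added example (not SKOOR code): report repository stanzas that turn off RPM
# signature checking or TLS certificate verification.

# Print "[section] finding" for every explicit gpgcheck/sslverify switch-off.
audit_repo_text() {   # audit_repo_text TEXT
    printf '%s\n' "$1" | awk -F= '
        function off(v) { v = tolower(v); return v == "0" || v == "false" || v == "no" || v == "off" }
        /^[ \t]*[#;]/ { next }
        /^\[/ { sec = $0; next }
        { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
        key == "gpgcheck"  && off(val) { print sec " gpgcheck is off: package signatures are not verified" }
        key == "sslverify" && off(val) { print sec " sslverify is off: the server certificate is not verified" }'
}

# The two stanzas from this page.
PAGE_REPOS='[SKOOR]
name=SKOOR
baseurl=https://<ip or hostname of repository>/repo/
sslverify=false
gpgcheck=0
enabled=1

[RHEL_6.5_DVD]
name=RHEL_6.5_DVD
baseurl="file:///cdrom/"
gpgcheck=0'

# Corrected [SKOOR] stanza. The <path ...> values are placeholders: sslcacert
# names the CA that signed the repository server certificate, gpgkey the key
# file(s) that signed the copied RPMs (assumed: the keys listed on this page).
FIXED_REPO='[SKOOR]
name=SKOOR
baseurl=https://<ip or hostname of repository>/repo/
sslverify=true
sslcacert=<path to root CA certificate>
gpgcheck=1
gpgkey=file://<path to RPM-GPG-KEY-SKOOR>
enabled=1'
```

To audit a host, pass the repository files, for example `audit_repo_text "$(cat /etc/yum.repos.d/*.repo)"`.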