Networking and Security

Internet Access

The controller installer includes all necessary package dependencies. Therefore, the server does not need Internet access during installation.

DNS & FQDN

Your server must have a properly-configured Fully Qualified Domain Name (FQDN). This can be configured by using DNS infrastructure (recommended) or via the /etc/hosts file.

If you are deploying a primary controller with a recovery/standby controller, we recommend using DNS infrastructure and three unique FQDNs:

  1. A “local hostname” for the primary
  2. A “local hostname” for the standby controller
  3. A “primary controller hostname” CNAME record pointing to the primary controller’s “local hostname”. This FQDN is what you will give to SwiftStack and which will appear in your controller license.

Prior to restoring from backup on the standby controller, you would update the CNAME record to point to the recovery controller’s local hostname.

Setting FQDN With DNS Infrastructure

This section uses the example FQDN “controller1.company.com”. The controller server should be configured with the “short hostname”, controller1 in this example, by running a command like this, as root:

hostnamectl --static set-hostname controller1

The /etc/resolv.conf file is often auto-generated, so please refer to your operating system vendor’s documentation for how to manage its content. The /etc/resolv.conf file should contain a line like (but with your domain, not this example value):

search company.com

Finally, the /etc/hosts file should not mention either the short hostname or the fully-qualified domain name. You can test your configuration with the following commands (using your values instead of these example values):

grep controller1 /etc/hosts   # should have no output
hostname                      # should output “controller1”
hostname -f                   # should output “controller1.company.com”
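
The file side of these checks can be scripted. The following is an added example, not SwiftStack tooling, and its function names are hypothetical. It goes slightly beyond the grep above by matching hostnames as whole fields (so "controller10" does not count as a mention of "controller1"), ignoring commented-out entries, and confirming the search domain in /etc/resolv.conf:

```shell
#!/bin/sh
# Added example, not SwiftStack tooling; function names are hypothetical.

# Return 0 if name $1 appears as a whole hostname field on any
# non-comment line of hosts file $2 (field 1 is the IP address).
hosts_mentions() {
    awk -v n="$1" '
        { sub(/#.*/, "") }    # drop comments before looking at fields
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(n)) found = 1 }
        END { exit !found }' "${2:-/etc/hosts}"
}

# Return 0 if domain $1 is listed on a "search" line of resolv.conf file $2.
search_has_domain() {
    awk -v d="$1" '
        $1 == "search" { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(d)) found = 1 }
        END { exit !found }' "${2:-/etc/resolv.conf}"
}

# check_fqdn_files SHORT DOMAIN [HOSTS_FILE] [RESOLV_FILE]
# Prints one line per problem and returns the number of problems found.
check_fqdn_files() {
    short=$1; domain=$2
    hosts=${3:-/etc/hosts}; resolv=${4:-/etc/resolv.conf}
    problems=0
    for n in "$short" "$short.$domain"; do
        if hosts_mentions "$n" "$hosts"; then
            echo "FAIL: $hosts mentions $n"
            problems=$((problems + 1))
        fi
    done
    if ! search_has_domain "$domain" "$resolv"; then
        echo "FAIL: $resolv has no search entry for $domain"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

After sourcing the file, `check_fqdn_files controller1 company.com` prints nothing and returns 0 when both files match the configuration described above.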

Setting FQDN With Hosts File

To use /etc/hosts to set the FQDN, just allow the post-install setup process to do it. The post-install setup web UI form and manual_setup CLI tool both allow you to specify a “local hostname”, and if DNS infrastructure is not being used, that local hostname will be set using the /etc/hosts file.

Note

The nodes and any administrators’ web browsers all need to be able to find the controller by its primary hostname. So, if you allow the FQDN to be set via the /etc/hosts file, you must still do something to allow nodes and administrators’ web browsers to resolve the hostname themselves.

SSL Certificate

SSL certificates are necessary for the Controller and Nodes to be able to communicate securely. The SwiftStack Controller needs to have a valid certificate issued by a commercial certificate authority (CA) or by an internal trusted CA. Without a valid, trusted certificate installed, the SwiftStack Nodes will not be able to connect to the Controller. If your organization uses an internal CA, you must ensure that all the pertinent certificates, including intermediate ones, are trusted by the Nodes.

The post-install setup process will automatically generate a self-signed certificate for you. If you intend to use the self-signed certificate, you need to transfer it to all nodes after post-install setup and install it on each of them. For instructions on how to trust a self-signed certificate on the Nodes, please see Trusting a Self Signed Certificate.

To use a real SSL certificate already trusted within your organization, first complete the installation and post-install setup steps in this document. Then log into the controller as a controller superuser (like the “localadmin” user) and install the SSL certificate and key files using the “SSL Certificate” portion of the Admin > Network page.

SELinux

Support for SELinux is provided from version 6.13.0 and above. RHEL/CentOS, by default, sets SELinux to "enforcing" mode during the OS installation. When installing version 6.13.0 or above of the SwiftStack Controller, you will be prompted with the following message:

NOTE: controller installer versions 6.13.0 and later will refuse to run if SELinux is enforcing
and the `policycoreutils-python` RPM is not installed.  In that case, either disable or set SELinux
to "permissive" or install the `policycoreutils-python` RPM and rerun the installer.

If you wish to continue with SELinux in enforcing mode, you must install the policycoreutils-python RPM.

If you wish to continue with SELinux in permissive mode you must modify the settings on the controller using the following command:

sed --follow-symlinks -i 's/SELINUX=.*/SELINUX=permissive/' /etc/sysconfig/selinux; setenforce 0

The above command does two things. It modifies the SELinux configuration file to set the mode to "permissive", which is what allows the system to retain the "permissive" setting after reboot, and it runs setenforce 0, which switches the running system to permissive mode immediately.
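
A preflight check for the installer rule quoted above, as an added example (not SwiftStack's installer code; the function names are hypothetical). It reads the boot-time mode from the configuration file, applies the "enforcing without policycoreutils-python" rule, and reports whether the running mode and the boot-time mode disagree:

```shell
#!/bin/sh
# Added example, not part of the SwiftStack installer; function names are hypothetical.

# Print the boot-time SELinux mode from a config file (default: the path
# edited on this page). Comment lines are ignored; the last entry wins.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        "${1:-/etc/sysconfig/selinux}" | tail -n 1 | tr 'A-Z' 'a-z'
}

# Apply the rule from the installer message for versions 6.13.0 and later.
#   $1 = running mode (getenforce output, lower-cased)
#   $2 = "yes" if the policycoreutils-python RPM is installed, otherwise "no"
# Prints "blocked" or "ok".
installer_gate() {
    if [ "$1" = "enforcing" ] && [ "$2" != "yes" ]; then
        echo "blocked"
    else
        echo "ok"
    fi
}

# Compare running mode ($1) with boot-time mode ($2). "drift" means the
# mode will change at the next reboot.
mode_drift() {
    if [ "$1" = "$2" ]; then echo "consistent"; else echo "drift"; fi
}

# Gather live values on a RHEL/CentOS host and print a short report.
preflight() {
    running=$(getenforce 2>/dev/null | tr 'A-Z' 'a-z')
    boot=$(selinux_config_mode)
    if rpm -q policycoreutils-python >/dev/null 2>&1; then pkg=yes; else pkg=no; fi
    echo "running=$running boot=$boot policycoreutils-python=$pkg"
    echo "installer: $(installer_gate "$running" "$pkg")"
    echo "reboot:    $(mode_drift "$running" "$boot")"
}

# Only touch the live system when explicitly asked to.
case "${1:-}" in --run) preflight ;; esac
```

Run the script with `--run` on the controller before starting the installer. A "drift" result after `setenforce 0` alone means the configuration file still holds a different mode.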

Note

Controller installers prior to 6.13.0 will unconditionally set SELinux to "permissive" mode.

To install a node with SELinux set to "enforcing", a unique installation path must be used:

curl https://controller.name/install_selinux | bash

This command installs a specific version of the node software that supports SELinux set to "enforcing".