Single Node VM FAQs

    Virtualisation

    Which hypervisors do you support, including the version?

    We support the following virtualization platforms:

    • Microsoft Hyper-V: Hyper-V in Windows Server 2019+ and Windows 10+
    • VMware: ESXi 7.0.0+
    • VirtualBox: 7.0.8+

    Resources

    How is storage managed in the VM?

    A Solid State Drive (SSD), preferred for better I/O and performance, or a Hard Disk Drive (HDD) can be attached to the VM for storage.

    What is the minimum number of virtual cores that must be allocated?

    16

    What is the minimum Disk size of the VM?

    100 GB

    Does the VM self rotate logs?

    Yes. Logs of services running in the OS are rotated according to the default Red Hat log rotation policy; edit `/etc/logrotate.conf` (or add a drop-in under `/etc/logrotate.d/`) to customise the rotation as needed.

    Logs from each pod running in RKE2 are rotated according to the RKE2 default: at most 3 log files per container, each at most 2 MB.

    Is there any benefit in assigning more virtual cores to the VM, in terms of increasing performance?

    No. Increasing the number of cores allocated to the VM does not necessarily increase the performance of Glasswall Halo's Synchronous API.

    What is the minimum level of memory that must be allocated to the VM?

    32 GB

    What is the size of the VM image before it is loaded and configured into the hypervisor?
    • If you are deploying to VMware or VirtualBox, an OVA of approximately 5.5GB will be shared by Glasswall.
    • If you are deploying to Hyper-V, a VHD of 64GB will be shared by Glasswall.

    Security

    Is an OS firewall active?

    No. The firewall is disabled in the Linux OS because it would conflict with Kubernetes networking.

    What rules have been applied to the firewall?

    None; the firewall is disabled.

    What network ports remain open on the VM?

    • 80
    • 443
    • 22 (SSH)
    • 6443 (the Kubernetes API server is reachable only from the Kubernetes cluster CIDR (10.42.0.0/16) and service CIDR (10.43.0.0/16))

    Is there any protection for brute force SSH attempts?

    Yes. Fail2Ban monitors server log files (such as /var/log/auth.log or /var/log/apache/access.log; on RHEL, sshd authentication failures are logged to /var/log/secure) for intrusion attempts and other suspicious activity. Once a predefined number of failures has been detected from a remote host, Fail2Ban automatically blocks that host's IP address for a configured period.
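
    The following is an added example, not part of the Glasswall image or of Fail2Ban itself. It reproduces the core of what an sshd jail does (count "Failed password" events per source address and flag those over a threshold) as a small awk filter, so you can run it over a copy of /var/log/secure and see which hosts would be banned. The log lines embedded in it are constructed samples.

```shell
#!/bin/sh
# Added example of the detection logic behind a Fail2Ban sshd jail.
# Not part of the Glasswall image; the log lines below are constructed.

# failed_login_sources THRESHOLD  < sshd-log
# Prints "<count> <ip>" for each remote host with at least THRESHOLD
# "Failed password" events, highest count first.
failed_login_sources() {
    awk -v t="${1:-5}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the word after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' | sort -rn
}

# Constructed sample in the syslog format sshd writes to /var/log/secure:
# one host hammering several accounts, one legitimate user with a typo.
SAMPLE_LOG='Mar  3 09:12:01 halo sshd[2041]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 09:12:03 halo sshd[2041]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 09:12:06 halo sshd[2043]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 09:12:09 halo sshd[2045]: Failed password for root from 203.0.113.5 port 51241 ssh2
Mar  3 09:12:12 halo sshd[2047]: Failed password for halo from 203.0.113.5 port 51242 ssh2
Mar  3 09:13:00 halo sshd[2050]: Failed password for halo from 198.51.100.7 port 40010 ssh2
Mar  3 09:13:05 halo sshd[2050]: Accepted publickey for halo from 198.51.100.7 port 40010 ssh2: ED25519 SHA256:constructed'

# Hosts that would be banned with a threshold of 3 failures.
ban_candidates_sample() {
    printf '%s\n' "$SAMPLE_LOG" | failed_login_sources 3
}

# On the VM:  sudo failed_login_sources 5 < /var/log/secure
```

    On the VM, `sudo fail2ban-client status sshd` shows what the real jail has banned; if the two disagree, the jail's log path or filter does not match what sshd is actually writing.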

    How do I keep the base OS patched with security updates?

    Glasswall provides a security-updated image once every quarter. However, it is recommended to apply security updates/patches whenever security advisories are published.

    To use the RHEL update mirrors, you must register the system with RHEL Subscription Manager:

    subscription-manager register --username  --password  --auto-attach

    How do I configure my organisation's SSL certificate and preferred FQDN?

    Copy the domain's private key and certificate to the VM and run bash configure_tls.sh    in the VM.
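
    Before handing the files to configure_tls.sh it is worth confirming that the key and certificate belong together, that the certificate actually names the FQDN you intend to publish, and that it has not expired. The script below is an added example, not Glasswall's configure_tls.sh; the file names and host name in its usage comment are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks on a TLS key/certificate pair.
# Not Glasswall's configure_tls.sh; paths and host names are assumptions.

# SubjectPublicKeyInfo (PEM) derived from the private key.
pubkey_from_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# SubjectPublicKeyInfo (PEM) carried in the certificate.
pubkey_from_cert() { openssl x509 -in "$1" -pubkey -noout 2>/dev/null; }

# 0 when the private key belongs to the certificate.
key_matches_cert() {
    k=$(pubkey_from_key "$1"); c=$(pubkey_from_cert "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 when FQDN is listed as a DNS subjectAltName, or (legacy fallback) is the
# subject CN. Dots in the name are escaped so they are not regex wildcards.
cert_covers_fqdn() {
    cert="$1"; esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    if openssl x509 -in "$cert" -noout -text | grep -Eq "DNS:$esc(,|$)"; then
        return 0
    fi
    openssl x509 -in "$cert" -noout -subject | grep -Eiq "CN *= *$esc$"
}

# 0 when the certificate has not yet expired.
cert_is_current() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# preflight_tls KEY CERT FQDN  -> 0 only when all three checks pass
preflight_tls() {
    key_matches_cert "$1" "$2" || { echo "private key does not match certificate" >&2; return 1; }
    cert_covers_fqdn "$2" "$3" || { echo "certificate does not cover $3" >&2; return 1; }
    cert_is_current "$2"       || { echo "certificate has expired" >&2; return 1; }
    echo "OK: $2 matches $1 and covers $3"
}

# Usage on the VM (assumed names):
#   preflight_tls halo.key halo.crt halo.example.com && bash configure_tls.sh ...
```

    Run it once with the FQDN you will put in DNS; a certificate that only carries the name in the CN will pass the fallback check but modern browsers require the name in subjectAltName, so prefer the first path.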

    How do I enforce certificate-only authentication via SSH?

    Add your public key to ~/.ssh/authorized_keys in the VM, then disable password authentication and restart sshd:

    sudo sed -i "s/PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
    sudo sshd -t && sudo systemctl restart sshd

    Keep your current session open and confirm that key-based login works from a second session before logging out.

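
    The one-line sed above only flips an explicit "PasswordAuthentication yes"; it does nothing if the directive is commented out or absent, and sshd honours the first occurrence of a keyword, so an earlier line (or a drop-in included from /etc/ssh/sshd_config.d/, which RHEL reads near the top of the file) can still win. The function below is an added example, not part of the image: it rewrites a given sshd_config idempotently and leaves one authoritative directive at the top. The file path is a parameter so it can be exercised on a copy.

```shell
#!/bin/sh
# Added example: idempotently disable SSH password logins in an sshd_config.
# Not part of the Glasswall image. Operates on the path given as $1 so it can
# be tried on a copy first; drop-ins under sshd_config.d are not handled here.

# disable_password_auth CONFIG_FILE
disable_password_auth() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    # Strip every PasswordAuthentication line, active or commented, so that
    # no later occurrence can override the directive we add at the top
    # (sshd uses the first value it sees for each keyword).
    grep -v -i -E '^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]' "$cfg" > "$tmp" || true
    {
        echo "PasswordAuthentication no"
        echo "ChallengeResponseAuthentication no"   # closes the PAM keyboard-interactive path
        echo "PubkeyAuthentication yes"
        cat "$tmp"
    } > "$cfg"
    rm -f "$tmp"
}

# Effective PasswordAuthentication value as sshd would read it: first match wins.
effective_password_auth() {
    awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1"
}

# On the VM:  sudo cp /etc/ssh/sshd_config /root/sshd_config.bak
#             disable_password_auth /etc/ssh/sshd_config (as root)
#             sudo sshd -t && sudo systemctl restart sshd
#             sudo sshd -T | grep -i passwordauthentication   # should print "no"
```

    `sshd -T` prints the configuration sshd actually applies after all includes, which is the value to trust; the awk helper only mirrors that for a single file.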
    Does the default SSH username and password require immediate update?

    Yes, it is mandatory to update the password. Once you log in to the VM, you will be prompted to change it.

    What level of security hardening has taken place?

    • STIG hardening is applied to the base OS.
    • CIS hardening is applied to RKE2 (the Kubernetes cluster).
    • All Glasswall containers use hardened container images.
    • All Glasswall software is checked with SAST, DAST and SCA tooling.

    Do you provide hashes to verify the authenticity of the VM image?

    Yes. Glasswall provides the base64-encoded MD5 hash of the file. Compute it locally with the command below, replacing ${OVA_FILE_PATH} with the OVA file path, and compare the result with the value supplied:

    openssl dgst -md5 -binary < ${OVA_FILE_PATH} | base64

    Note that MD5 detects accidental corruption in transit but is not collision resistant, so on its own it does not prove where the image came from; obtain the expected value through a channel separate from the image download.

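
    The wrapper below is an added example, not part of Glasswall's tooling: it produces exactly what the command above produces and turns the comparison into a pass/fail exit code, so it can gate the next step of a deployment script. The expected value on the usage line is a placeholder to replace with the one Glasswall supplies.

```shell
#!/bin/sh
# Added example: pass/fail verification of an image against a base64 MD5.
# Not part of Glasswall's deployment scripts; the usage value is a placeholder.

# base64(MD5(FILE)), identical to: openssl dgst -md5 -binary < FILE | base64
image_md5_b64() {
    openssl dgst -md5 -binary < "$1" | base64 | tr -d '\n'
}

# verify_image FILE EXPECTED_B64_MD5  -> 0 on match, 1 on mismatch
verify_image() {
    actual=$(image_md5_b64 "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK   $1 $actual"
        return 0
    fi
    echo "FAIL $1 expected $2 got $actual" >&2
    return 1
}

# Usage (placeholder hash):
#   verify_image halo.ova 'REPLACE_WITH_VALUE_FROM_GLASSWALL' || exit 1
```

    Because the function returns 1 on mismatch, `verify_image ... || exit 1` at the top of an import script stops a corrupted or altered download from ever reaching the hypervisor.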
    How do I enable an anti-virus solution in the VM?

    No anti-virus solution is installed in the VM image. If needed, an anti-virus solution can be installed separately in the VM.

    Will an anti-virus solution impede or hang the CDR process?

    An anti-virus solution can interfere with the CDR process and hence the folders in the VM where files being processed should be excluded from the anti-virus scanning.

    Are there any folders which need to be out of scope for anti-virus protection?

    Yes, /opt/local-path-provisioner should be excluded from anti-virus scanning.

    Does RKE2 support FIPS-140-2 validated encryption?

    Yes. FIPS 140-2 support is built into RKE2 at the foundation level: the cryptographic functions RKE2 uses meet the requirements of the FIPS 140-2 standard, including the algorithms used for encryption and decryption, the methods used for key generation and management, and the protections against unauthorized access to or use of the cryptographic modules.

    Additional documentation regarding FIPS-140-2 enablement can be found here.

    OS Configuration

    How do I configure the system banner message when I log onto the VM?

    The banner message can be customized by updating /etc/issue file in the VM.

    What OS level services are running on the VM?

    The following OS-level services run on the VM:

    UNIT                        LOAD    ACTIVE  STATE    DESCRIPTION
    atd.service                 loaded  active  running  Job spooling tools
    auditd.service              loaded  active  running  Security Auditing Service
    chronyd.service             loaded  active  running  NTP client/server
    dbus.service                loaded  active  running  D-Bus System Message Bus
    getty@tty1.service          loaded  active  running  Getty on tty1
    irqbalance.service          loaded  active  running  irqbalance daemon
    libstoragemgmt.service      loaded  active  running  libstoragemgmt plug-in server daemon
    mcelog.service              loaded  active  running  Machine Check Exception Logging Daemon
    NetworkManager.service      loaded  active  running  Network Manager
    polkit.service              loaded  active  running  Authorization Manager
    rhsmcertd.service           loaded  active  running  Enable periodic update of entitlement certificates.
    rke2-server.service         loaded  active  running  Rancher Kubernetes Engine v2 (server)
    rsyslog.service             loaded  active  running  System Logging Service
    serial-getty@ttyS0.service  loaded  active  running  Serial Getty on ttyS0
    smartd.service              loaded  active  running  Self Monitoring and Reporting Technology (SMART) Daemon
    sshd.service                loaded  active  running  OpenSSH server daemon
    systemd-journald.service    loaded  active  running  Journal Service
    systemd-logind.service      loaded  active  running  Login Service
    systemd-resolved.service    loaded  active  running  Network Name Resolution
    systemd-udevd.service       loaded  active  running  udev Kernel Device Manager
    usbguard.service            loaded  active  running  USBGuard daemon
    user@1000.service           loaded  active  running  User Manager for UID 1000

    Have unnecessary OS level services been deactivated?

    The Red Hat OS has gone through the STIG hardening process; unnecessary services have been removed and none have been installed.

    What is the base operating system, and what version?

    The base OS version can be found in the Release Notes.

    Does Kubernetes run within the VM?

    Yes, Kubernetes cluster runs with a single node.

    What version of Kubernetes is running?

    Kubernetes version can be found in the Release Notes.

    Monitoring

    What error messages should we actively monitor?

    Glasswall Halo error codes and API can be found via Glasswall API Documentation.

    Health of the Glasswall Halo cluster can be monitored using the API health endpoint.

    CPU Arch Support

    What CPU architecture is supported?

    Currently x86-64 CPU processors are supported. ARM support will be available in upcoming releases.

    Log Rotation & Storage Management

    How do I offload/aggregate logs to my preferred network location?

    The VM ships with rsyslog preconfigured, and it can be used to forward logs to a remote syslog server.
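
    The function below is an added example, not a Glasswall-provided script. It writes an rsyslog drop-in that forwards everything to a collector over TCP with TLS and a disk-assisted queue, in place of the plaintext UDP one-liner that is easy to reach for; the collector host, port, CA path and output directory are illustrative arguments. On RHEL the gtls driver needs the rsyslog-gnutls package installed.

```shell
#!/bin/sh
# Added example: generate an rsyslog forwarding drop-in with TLS and queuing.
# Not part of the Glasswall image; host, port and paths are illustrative.

# write_forwarding_conf TARGET PORT CA_FILE OUTDIR
# Writes OUTDIR/90-forward.conf; refuses a non-numeric port or unreadable CA.
write_forwarding_conf() {
    target="$1"; port="$2"; ca="$3"; outdir="$4"
    case "$port" in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac
    [ -r "$ca" ] || { echo "CA file $ca is not readable" >&2; return 1; }
    cat > "$outdir/90-forward.conf" <<EOF
# Weak setting this replaces (plaintext UDP, silently dropped when the
# collector is down):   *.* @$target:514
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="$ca")
action(type="omfwd" target="$target" port="$port" protocol="tcp"
       StreamDriver="gtls" StreamDriverMode="1"
       StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="$target"
       queue.type="LinkedList" queue.filename="fwd_queue"
       queue.saveOnShutdown="on" action.resumeRetryCount="-1")
EOF
}

# On the VM (assumed collector and CA path):
#   write_forwarding_conf logs.example.com 6514 /etc/pki/tls/certs/ca.pem /etc/rsyslog.d \
#     && rsyslogd -N1 && systemctl restart rsyslog
```

    `rsyslogd -N1` is a syntax check that catches a typo before the restart; `x509/name` makes rsyslog verify the collector's certificate against the CA and the expected host name, so a spoofed collector cannot quietly receive the logs.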

    Upgrade Path

    What happens if I replace this VM with another VM image from Glasswall, and what would be the full upgrade path to maintain live operations?
    • Create a new VM from the new Glasswall image, following the deployment steps.
    • Make sure the new VM is working as expected.
    • Switch the DNS record from the old VM's IP address to the new VM's IP address.

    Patching

    How do I update the Kubernetes software from a security perspective?

    Kubernetes software updates are delivered in the VM images provided by Glasswall. However, it is recommended to update the Kubernetes cluster whenever security advisories are published.

    When upgrading the Kubernetes version of a cluster, we recommend that you:

    • Take a snapshot.
    • Initiate a Kubernetes upgrade.
    • If the upgrade fails, revert the cluster to the pre-upgrade Kubernetes version by selecting the Restore etcd and Kubernetes version option. This returns your cluster to the pre-upgrade Kubernetes version before restoring the etcd snapshot.
    • The restore operation will work on a cluster that is not in a healthy or active state.

    Networking

    How do I manage DNS / IP range settings?

    Use nmcli command line utility or nmtui utility to configure the IP address, Gateway and DNS Server.

    Is DHCP active in the VM?

    Yes. The DHCP client is active in the VM and will obtain an IP address when the VM is deployed on a network with a DHCP server.

    How can I SSH into the VM?

    Once an IP address is configured to the VM, SSH using the username and password/private key shared by Glasswall.

    What are the IP addresses or Internet URLs that need to be allow listed?

    None.

    What communication protocols are supported with the VM?

    HTTP and HTTPS endpoints are provided by the VM.

    Licensing

    Is the operating system software licensed by Glasswall?

    No, the RHEL license should be obtained separately.

    Is the Kubernetes software licensed by Glasswall?

    There is no need to purchase a license for Kubernetes, as it is open source under the Apache 2.0 License.

    What are the main open source components that are comprised within the overall solution?

    RKE2 & RabbitMQ are the main open source components and the complete Software Bill of Materials (SBOM) can be provided on request.

    How are the open source components licensed? 
