Version: 2.16.0

Single node VM FAQs

Virtualisation

Which hypervisors do you support, including the version?

We support the following virtualisation platforms:

  • Microsoft Hyper-V: Windows Server 2019+ and Windows 10+
  • VMware: ESXi 7.0.0+
  • VirtualBox: 7.0.8+

Resources

How is storage managed in the VM?

A solid state drive (SSD) (for better I/O and performance) or a hard disk drive (HDD) can be attached to the VM for storage.

What is the minimum number of virtual cores required?

16

What is the minimum disk size of the VM?

100 GB

Does the VM self-rotate logs?

Yes. Logs for services running in the OS follow the default Red Hat log rotation policy configured in /etc/logrotate.conf. This file can be customised as needed.

Pod logs from RKE2 follow the default RKE2 log rotation:

  • Maximum log files per container: 3
  • Maximum size per log file: 2 MB

Is there a benefit in assigning more vCPUs to increase performance?

No. Increasing CPU allocation does not improve the performance of Glasswall Halo's synchronous API.

What is the minimum memory required?

32 GB

What is the size of the VM image?

  • VMware or VirtualBox: OVA approximately 5.5 GB
  • Hyper-V: VHD 64 GB

Security

Is an OS firewall active?

No. The firewall is disabled to avoid conflicts with Kubernetes networking.

What firewall rules are applied?

None — firewall is disabled.

What network ports remain open on the VM?

  • 80
  • 443
  • 22 (SSH)
  • 6443 (Kubernetes API server — restricted to cluster CIDR 10.42.0.0/16 and service CIDR 10.43.0.0/16)
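As an added example that is not part of the Glasswall documentation, the script below compares the VM's listening TCP sockets against the ports documented above and reports anything else; the allowed list and the sample `ss` output are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not part of the Glasswall documentation: report listening
# TCP ports that are not in the documented set. The allowed list and the
# sample `ss` output below are constructed for the demonstration.

# Ports the FAQ documents as intentionally open on the VM.
ALLOWED_PORTS="22 80 443 6443"

# Reads `ss -Hltn`-style lines on stdin and prints every listening socket
# whose port is not in ALLOWED_PORTS. Loopback-only listeners are skipped
# because they are not reachable from the network. Returns 1 if anything
# unexpected was found, 0 otherwise, so it can gate a post-deployment check.
audit_listeners() {
  local found=0 state recvq sendq local_addr peer rest port
  while read -r state recvq sendq local_addr peer rest; do
    [ -n "$local_addr" ] || continue
    case "$local_addr" in
      127.*|\[::1\]:*) continue ;;
    esac
    port=${local_addr##*:}          # works for 0.0.0.0:22, *:22 and [::]:22
    case " $ALLOWED_PORTS " in
      *" $port "*) ;;               # documented port, nothing to report
      *) echo "unexpected listener: $local_addr"; found=1 ;;
    esac
  done
  return "$found"
}

# Constructed sample of `ss -Hltn` output (not captured from a real VM):
# the four documented ports, a loopback-only service, and an undocumented
# port exposed on all interfaces that the audit should flag.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:6443 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9099 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:10250 0.0.0.0:*'

# On the VM itself, run:  ss -Hltn | audit_listeners
printf '%s\n' "$SAMPLE_SS" | audit_listeners \
  || echo "review the listeners above before exposing the VM" >&2
```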

Is there protection for brute-force SSH attempts?

Yes. Fail2Ban monitors log files (e.g., /var/log/auth.log) and blocks malicious IP addresses after repeated failures.

How do I keep the base OS patched?

Glasswall provides updated VM images quarterly.

To update directly from Red Hat mirrors:

subscription-manager register --username <your_username> --password <your_password> --auto-attach

How do I configure my organisation's SSL certificate and preferred FQDN?

Copy the private key and certificate of the domain to the VM and run bash configure_tls.sh in the VM.

How do I enforce certificate only authentication via SSH?

Add your public key to ~/.ssh/authorized_keys in the VM, then disable password authentication and restart sshd. The sshd keyword is PasswordAuthentication; the replacement below matches it regardless of letter case and whether or not the line is commented out, and sshd -t checks the configuration before the restart:

sudo sed -i -E 's/^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/I' /etc/ssh/sshd_config
sudo sshd -t && sudo systemctl restart sshd
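As an added example (not from the Glasswall documentation), the functions below apply the same change idempotently and verify the effective value; the configuration path is a parameter so they can be exercised on a copy, and the demo file is constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the Glasswall documentation: an idempotent way
# to disable SSH password authentication and verify the result before
# restarting sshd. The config path is a parameter so the functions can be
# exercised on a copy; the demo file below is constructed.

# Sets "PasswordAuthentication no" in the given sshd_config. It replaces an
# existing directive whether or not it is commented out and in any letter
# case (sshd keywords are case-insensitive, sed is not), and appends the
# directive if the file does not mention it at all.
disable_ssh_password_auth() {
  local cfg="$1"
  local pattern='^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]'
  if grep -Eiq "$pattern" "$cfg"; then
    sed -E -i "s/${pattern}.*/PasswordAuthentication no/I" "$cfg"
  else
    printf 'PasswordAuthentication no\n' >> "$cfg"
  fi
}

# Returns 0 if the file's effective PasswordAuthentication value is "no".
# sshd honours the FIRST uncommented occurrence of a keyword, so a stray
# "yes" earlier in the file would still win; this check mirrors that rule.
password_auth_disabled() {
  local cfg="$1" value
  value=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$cfg")
  [ "$value" = "no" ]
}

# Demo on a constructed copy so nothing here touches the live configuration.
demo_cfg=$(mktemp)
printf '#PasswordAuthentication yes\nPermitRootLogin no\n' > "$demo_cfg"
disable_ssh_password_auth "$demo_cfg"
password_auth_disabled "$demo_cfg" && echo "password authentication disabled in $demo_cfg"
rm -f "$demo_cfg"

# On the VM: apply to /etc/ssh/sshd_config, check the syntax, then restart.
#   sudo sshd -t && sudo systemctl restart sshd
#   sudo sshd -T | grep -i passwordauthentication   # effective value
```

Recent RHEL releases start sshd_config with an Include of /etc/ssh/sshd_config.d/*.conf, and because sshd keeps the first value it sees, a drop-in there overrides the main file; sshd -T shows what is actually in effect.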

Does the default SSH username and password require immediate update?

Yes, it is mandatory to update the password. Once you are logged into the VM, you will be prompted to update the password.

What level of security hardening has taken place?

  • STIG hardening is applied to the base OS.
  • CIS hardening is applied to the RKE2 (Kubernetes cluster).
  • All Glasswall containers utilise hardened container images.
  • All Glasswall software is hardened using SAST, DAST, SCA tooling.

Do you provide hashes to authenticate the authenticity of the VM image?

Yes. Glasswall provides the base64-encoded MD5 hash of the image file. To verify your download, compute the same value with the command below (replacing $ova_file_path with the path to the OVA file) and compare it with the published hash:

openssl dgst -md5 -binary < $ova_file_path | base64

How do I enable an anti-virus solution in the VM?

There is no anti-virus solution installed in the VM image. If needed, an anti-virus solution can be installed separately in the VM.

Will an anti-virus solution impede or hang the CDR process?

An anti-virus solution can interfere with the CDR process, so the folders in the VM where files are being processed should be excluded from anti-virus scanning.

Are there any folders which need to be out of scope for anti-virus protection?

Yes, /opt/local-path-provisioner should be excluded from anti-virus scanning.

Does RKE2 support FIPS 140-2 validated encryption?

Yes, FIPS 140-2 support is built into RKE2 at the foundation level. Specifically, the functions used within RKE2 meet the stringent security requirements outlined in the FIPS 140-2 standard. This includes the algorithms used for encryption and decryption, the methods used for key generation and management, and the protections in place to prevent unauthorized access or use of the cryptographic modules.

Additional documentation regarding FIPS 140-2 enablement can be found here.

OS configuration

How do I configure the system banner message when I log onto the VM?

The banner message can be customised by updating the /etc/issue file in the VM.

What OS level services are running on the VM?

The OS-level services running on the VM are:

Unit                        Load    Active  State    Description
atd.service                 loaded  active  running  job spooling tools
auditd.service              loaded  active  running  security auditing service
chronyd.service             loaded  active  running  NTP client/server
dbus.service                loaded  active  running  D-Bus system message bus
getty@tty1.service          loaded  active  running  getty on tty1
irqbalance.service          loaded  active  running  irqbalance daemon
libstoragemgmt.service      loaded  active  running  libstoragemgmt plug-in server daemon
mcelog.service              loaded  active  running  machine check exception logging daemon
NetworkManager.service      loaded  active  running  network manager
polkit.service              loaded  active  running  authorization manager
rhsmcertd.service           loaded  active  running  enable periodic update of entitlement certificates
rke2-server.service         loaded  active  running  Rancher Kubernetes Engine v2 (server)
rsyslog.service             loaded  active  running  system logging service
serial-getty@ttyS0.service  loaded  active  running  serial getty on ttyS0
smartd.service              loaded  active  running  self-monitoring and reporting technology (SMART) daemon
sshd.service                loaded  active  running  OpenSSH server daemon
systemd-journald.service    loaded  active  running  journal service
systemd-logind.service      loaded  active  running  login service
systemd-resolved.service    loaded  active  running  network name resolution
systemd-udevd.service       loaded  active  running  udev kernel device manager
usbguard.service            loaded  active  running  USBGuard daemon
user@1000.service           loaded  active  running  user manager for UID 1000

Have unnecessary OS level services been deactivated?

The Red Hat OS has gone through the STIG hardening process; unnecessary services have been removed and none have been installed.

What is the base operating system, and what version?

The base OS version can be found in the release notes.

Does Kubernetes run within the VM?

Yes. A single-node Kubernetes cluster runs within the VM.

What version of Kubernetes is running?

The Kubernetes version can be found in the release notes.

Monitoring

What error messages should we actively monitor?

Glasswall Halo error codes and the API are described in the Glasswall API documentation.

The health of the Glasswall Halo cluster can be monitored using the API health endpoint.

CPU arch support

What CPU architecture is supported?

Currently, x86-64 processors are supported. ARM support will be available in upcoming releases.

Log rotation & storage management

How do I offload/aggregate logs to my preferred network location?

The VM comes with syslog pre-configured, which can be used to forward logs to a syslog server.

Upgrade path

What happens if I replace this VM with another VM image from Glasswall, and what would be the full upgrade path to maintain live operations?

  • Create a new VM from the new image from Glasswall following the deployment steps.
  • Make sure the new VM is working as expected.
  • Switch the DNS record from the old IP address to the new VM's IP address.

Patching

How do I update the Kubernetes software from a security perspective?

Kubernetes software updates will be done in the VM images provided by Glasswall. However, it is recommended to update the Kubernetes cluster whenever security advisories are published.

When upgrading the Kubernetes version of a cluster, we recommend that you:

  • Take a snapshot.
  • Initiate a Kubernetes upgrade.
  • If the upgrade fails, revert the cluster to the pre-upgrade Kubernetes version. This is achieved by selecting the restore etcd and Kubernetes version option. This will return your cluster to the pre-upgrade Kubernetes version before restoring the etcd snapshot.
  • The restore operation will work on a cluster that is not in a healthy or active state.

Networking

How do I manage DNS / IP range settings?

Use the nmcli command-line utility or the nmtui text UI to configure the IP address, gateway and DNS server.

Is DHCP active in the VM?

Yes. A DHCP client is active in the VM and will obtain an IP address when deployed on a network with a DHCP server.

How can I SSH into the VM?

Once an IP address is configured on the VM, SSH in using the username and the password or private key shared by Glasswall.

What are the IP addresses or internet URLs that need to be allow listed?

None.

What communication protocols are supported with the VM?

HTTPS and HTTP endpoints are provided within the VM.

Licensing

Do I need to purchase a Red Hat subscription separately for my Glasswall Halo virtual appliance?

Yes. While Glasswall Halo virtual appliances run on Red Hat Enterprise Linux (RHEL), a RHEL subscription is not included with the appliance. Customers are responsible for obtaining a valid RHEL subscription directly from Red Hat or an authorized partner to ensure access to system updates, security patches, and support. Each deployed instance must be registered with Red Hat Subscription Management (RHSM) using your own Red Hat account credentials. Without a valid subscription, your appliance may not receive critical updates and will not be eligible for Red Hat support.

For more information, visit our RHEL licensing advisory.

Is the Kubernetes software licensed by Glasswall?

There is no need to purchase a licence for Kubernetes, as it is open source under the Apache 2.0 license.

What are the main open source components comprised in the overall solution?

RKE2 & RabbitMQ are the main open source components and the complete software bill of materials (SBOM) can be provided on request.

How are the open source components licensed?