You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: product-guide/manual.adoc
+81-27Lines changed: 81 additions & 27 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -155,7 +155,7 @@ Although some of the subsystems have a preferred start-up order (to ensure initi
155
155
156
156
=== ANMS Components
157
157
158
-
The subsystems of the ANMS (all Docker containers) are illustrated as gray blocks within the "ANMS Instance" group in the diagram of <<fig-anms-components-protocol>>.
158
+
The subsystems of the ANMS (all containers) are illustrated as gray blocks within the "ANMS Instance" group in the diagram of <<fig-anms-components-protocol>>.
159
159
The entire ANMS instance is made to be run on a single host, with future plans to allow installing in a more distributed environment.
160
160
Currently the ANMS provides security at the boundary of the instance but not between comtainers (see <<sec-security>> for details), which would be required for a distributed installation.
The target host will be running the RedHat Enterprise Linux \(((RHEL))) version 8 (RHEL-8) with network interfaces configured, and IP addressing and DNS configured along with a running local firewall.
191
+
The target host will be running the RedHat Enterprise Linux \(((RHEL))) version 9 (RHEL-9) with network interfaces configured, and IP addressing and DNS configured along with a running local firewall.
192
192
193
193
The ANMS is intended to be deployed using the ((Puppet)) orchestrator, either from a local Puppet apply execution or configured from a central Puppet server.
194
194
Part of the ANMS source is a Puppet module "anms" to automate the configuration of an ANMS deployment.
195
195
Specific procedures for performing an installation using a local Puppet apply are in <<sec-proc-install>>.
196
196
197
-
Conditions for installing the ANMS are a host with packages identified in <<target-host-packages>>, at least 7{nbsp}GiB of filesystem space for docker image storage, and additional space for long-term data warehouse storage.
197
+
Conditions for installing the ANMS are a host with packages identified in <<target-host-packages>>, at least 7{nbsp}GiB of filesystem space for container image storage, and additional space for long-term data warehouse storage.
198
198
The total amount of storage needed depends on the mission use of reports, specifically the average size and rate of reported data.
199
199
200
200
[#target-host-packages]
@@ -204,14 +204,20 @@ The total amount of storage needed depends on the mission use of reports, specif
204
204
|Package Name
205
205
|Version Minimum
206
206
207
-
|docker-ce
208
-
|23.0.1
207
+
|podman
208
+
|5.2
209
209
210
-
|docker-compose
211
-
|1.29.2
210
+
|podman-compose
211
+
|1.0
212
+
213
+
|systemd
214
+
|252
212
215
213
216
|Puppet
214
217
|7
218
+
219
+
|Puppet Bolt
220
+
|4
215
221
|===
216
222
217
223
The ANMS is designed to operate on a network where the MGSS Common Access Manager (CAM) is used to manage user accounts and a CAM Gateway is used as a reverse proxy within the ANMS installation to enforce user login sessions and access permissions.
@@ -312,12 +318,13 @@ The test environment service configuration.
312
318
The project-specific deployment path for compose configurations.
313
319
Its contents are:
314
320
`.env`:::
315
-
The compose-level environment configuration for all of the ANMS and testenv containers.
321
+
The compose-level environment configuration for all of the ANMS and testenv containers, including host port mapping options (see <<sec-deploy-containers>>).
316
322
`anms-compose.yml`:::
317
323
Compose configuration for the ANMS containers, volumes, and networks.
318
-
The compose runtime is managed by the `podman-compose@` template service.
324
+
The compose runtime is managed by the `podman-compose@anms` template service.
319
325
`testenv-compose.yml`:::
320
326
Compose configuration for the test environment containers and network.
327
+
The compose runtime is managed by the `podman-compose@testenv` template service.
321
328
322
329
`/run/anms`::
323
330
The temporary file directory used at runtime.
@@ -327,6 +334,14 @@ The transport proxy socket needed by the AMP Manager in order to message to and
327
334
328
335
Secondary files related to the ANMS deployment are:
329
336
337
+
`/etc/containers/containers.conf`::
338
+
Configured to enable compose provider and SELinux for containers.
339
+
`/etc/containers/compose/projects/anms.env`::
340
+
The systemd environment for the `anms` project, used by the systemd service `podman-compose@anms`.
341
+
This points to `/ammos/anms/` for its compose configuration.
342
+
`/etc/systemd/system/podman-compose@.service`::
343
+
A parameterized service interface which reads compose environment from under `/etc/containers/compose/projects/`
344
+
330
345
`/ammos/etc/pki/tls`::
331
346
Host-level PKI security configuration from which the ANMS user-agent TLS configuration is derived.
332
347
Its contents for ANMS are:
@@ -337,18 +352,16 @@ The corresponding public key certificiate for the local TLS endpoint.
337
352
`certs/ammos-ca-bundle.crt`:::
338
353
The trusted CA bundle for all TLS endpoints (including users).
339
354
340
-
`/etc/containers/containers.conf`::
341
-
Configured to enable SELinux for containers.
342
355
`/var/cache/puppet/puppet-selinux/modules`::
343
356
The containing directory for SELinux modules for the ANMS containers (see <<sec-security>>).
344
357
345
358
346
359
[#sec-network]
347
360
=== Networking
348
361
349
-
The target host will be running RHEL-8 with network interfaces configured, and IP addressing and DNS configured along with a running local firewall.
362
+
The target host will be running RHEL-9 with network interfaces configured, and IP addressing and DNS configured along with a running local firewall.
350
363
351
-
The Docker network configuration for the ANMS includes host port forwarding for the following services:
364
+
The container network configuration (under `/ammos/anms`) for the ANMS includes host port forwarding for the following services:
352
365
353
366
HTTPS::
354
367
Default port 443 forwarded to the `authnz` container for HTTP use.
When reports arrive from managed agents and are associated with known ADMs they are disassembled and stored as object-values in the historical data warehouse.
389
402
390
403
391
-
[#sec-proc]
392
-
== Procedures
404
+
[#sec-devel]
405
+
== Development Procedures
406
+
407
+
This chapter includes procedures related to development and pre-production testing of the ANMS.
408
+
These procedures assume that the user has a working copy of the ANMS source tree an intends to make some changes to the source or the configuration outside of a normal production deployment procedure (where build happens on a different host from the ultimate installation).
409
+
410
+
[#sec-devel-deploy]
411
+
=== Test Build and Deployment
412
+
413
+
TBD
414
+
415
+
[#sec-devel-install]
416
+
=== Production-Like Build and Installation
417
+
418
+
This procedure builds images in the root user's podman context and then uses puppet to install to the local host.
419
+
420
+
More TBD
421
+
422
+
. Images for all of the ANMS production and test containers can be built with the following:
This chapter includes specific procedures related to managing an ANMS instance.
395
450
451
+
[#sec-proc]
452
+
== Production Procedures
453
+
454
+
This chapter includes specific procedures related to managing an ANMS production instance.
396
455
397
456
[#sec-proc-build]
398
457
=== Building
399
458
400
-
The ANMS source is composed of a top-level repository `ammos-anms` and a number of submodule repositories; all of them are required for building the ANMS.
459
+
The ANMS source is composed of a top-level repository `anms` and a number of submodule repositories; all of them are required for building the ANMS.
. Optional: switching to a different tag or branch can be done with the sequence:
408
467
+
409
468
----
410
469
git checkout <TAGNAME>
411
470
git submodule update --init --recursive
412
471
----
413
-
. If necessary, add the local user to the `docker` access group with:
414
-
+
415
-
----
416
-
sudo usermod -a -G docker ${USER}
417
-
----
418
472
. The container image building is then executed with:
419
473
+
420
474
----
421
-
export DOCKER_IMAGE_PREFIX=<DOCKERURL>
475
+
export DOCKER_IMAGE_PREFIX=<REPOURL>
422
476
export DOCKER_IMAGE_TAG=latest
423
477
./build.sh buildonly
424
478
----
@@ -585,7 +639,7 @@ In many fault cases, the procedure will work for the first steps and then fail o
585
639
This is taken advantage of for the purposes of troubleshooting and failure reporting; the specific procedure(s) run and step(s) that fail are valuable to include in issue reports related to the ANMS.
586
640
587
641
To make the procedures more readable, the ANMS host is assumed to have the resolveable host name `anms-serv`.
588
-
For checkout steps ocurring on a "client host" it is assumed to be running RHEL-8 or equivalent from the perspective of commands available.
642
+
For checkout steps ocurring on a "client host" it is assumed to be running RHEL-9 or equivalent from the perspective of commands available.
589
643
590
644
591
645
[#sec-checkout-frontend]
@@ -600,7 +654,7 @@ The checkout procedure is as follows:
600
654
----
601
655
sudo firewall-cmd --zone public --list-services
602
656
----
603
-
which should include the servies "https".
657
+
which should include the services "https".
604
658
. From a client host check the port is open with:
605
659
+
606
660
----
@@ -673,7 +727,7 @@ The checkout procedure is as follows:
673
727
sudo firewall-cmd --zone public --list-services
674
728
----
675
729
which should include the services "ltp" and "dtn-bundle-udp".
676
-
. From any RHEL-8 host on the agent network run the following:
730
+
. From any RHEL-9 host on the agent network run the following:
0 commit comments