Install Rudder Server

This chapter covers the installation of a Rudder Root Server, from the specification of the underlying server, to the initial setup of the application.

First, you need to set up a server according to the server specifications. You should also configure the network. These topics are covered in the Architecture chapter.

Ideally, this machine should have Internet access, but this is not a strict requirement.

Because Rudder data can grow quickly, depending on the number of managed nodes and rules, it is advised to use separate partitions to prevent /var from filling up and breaking your system. Special attention should be given to:

/var/lib/pgsql
(OS dependent). Please see the database maintenance chapter for more details about the PostgreSQL database size estimation.
/var/rudder
Contains most of your server information, the configuration-repository, LDAP database, etc. Rudder application-related files should stay under 1GB, but the size of the configuration-repository will depend on the amount of data you store in it, especially in the shared-files folder (files that will get distributed to the agents using the "Download a file for the shared folder" Technique).
/var/log/rudder
Report logs (/var/log/rudder/reports) size will depend on the number of nodes you manage. It is possible to reduce this drastically by unticking "Log all reports received to /var/log/rudder/reports/all.log" under the Administration - Settings tab in the Rudder web interface. This will prevent Rudder from recording these logs in a text file on disk, and will only store them in the SQL database. This saves space and doesn’t remove any functionality, but it does make debugging harder.

Install Rudder Root server on Debian or Ubuntu

Warning

Any nodes running syslogd (not syslog-ng or rsyslog) will fail to send any reports about the configuration rules they have applied to a Rudder Server running on Ubuntu (and only on Ubuntu). Rudder will apply rules on nodes but will never get reports from them. Therefore Rudder will not be able to calculate compliance.

The only supported platform using syslogd by default is RHEL/CentOS 5, and several workarounds are available to fix this:

  1. Install another syslog server on your nodes, such as rsyslog or syslog-ng.
  2. Change the rsyslog configuration on the Rudder server (running Ubuntu 12.04 or later) to use port 514 and authorize this in the rsyslog configuration.
  3. Set up iptables on the node to send syslog traffic to the correct port on your Rudder server.
  4. Use a different OS for your Rudder server than Ubuntu Server 12.04 or later.

Add the Rudder packages repository

Rudder 4.1 requires Java RE (version 8 at least), which is not packaged by default on Debian 7 or Ubuntu 14.04.

The Java RE 8 for Debian or Ubuntu can be found through Oracle's website: https://www.java.com

Each package that is published by Rudder Project is signed with our GPG signature. To ensure the packages you will install are official builds and have not been altered, import our key into apt using the following command:

wget --quiet -O- "https://www.rudder-project.org/apt-repos/rudder_apt_key.pub" | sudo apt-key add -

Our key fingerprint is:

pub  4096R/474A19E8 2011-12-15 Rudder Project (release key) <security@rudder-project.org>
      Key fingerprint = 7C16 9817 7904 212D D58C  B4D1 9322 C330 474A 19E8

Then run the following commands as root:

echo "deb http://www.rudder-project.org/apt-4.1/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/rudder.list
apt-get update

This will add the package repository and finally update the local package cache.

Install your Rudder Root Server

To begin the installation, you should simply install the rudder-server-root metapackage, which will install the required components:

apt-get install rudder-server-root

Initial configuration of your Rudder Root Server

After the installation, you have to configure some system elements, by launching the following initialisation script:

/opt/rudder/bin/rudder-init

This script will ask you to fill in the following details:

Allowed networks
A list of IP networks authorized to connect to the server. It uses the network/CIDR mask notation, for instance 192.168.0.0/24 or 10.0.0.0/8. To add several networks, first type the first network, then press the return key - the script will ask if you wish to add some more networks. Also, the allowed networks can be adjusted later in the web interface in the Administration - Settings tab without having to run the script again.

Tip

In case of typing error, or if you wish to reconfigure Rudder, you can execute this script again as many times as you want.

Validate the installation

Once all these steps have been completed, use your web browser to go to the URL given in the output of rudder-init.

You should see a loading screen, then a login prompt. The default login is "admin" with password "admin", authenticating you in the Rudder web interface with full administrative privileges. You are strongly advised to change this password as soon as possible.

The setup of the Rudder server is now over. If you plan to manage hundreds or thousands of Nodes, please note that some performance tuning can be necessary on the system.

Install Rudder Root server on SLES

Configure the package manager

Rudder requires Java RE (version 7 at least) that is not always packaged by SuSE on all versions

  • PostgreSQL 9
  • Java RE (version 8 at least).

It is also recommended to use PostgreSQL >= 9.2 for optimal performance.

PostgreSQL 9.4 can be installed through the OpenSuSE build service: https://build.opensuse.org/project/show/server:database:postgresql or through the system repositories, on SLES 11 SP4 and later systems.

The Java RE 8 for SLES11 can be found through Oracle's website: https://www.java.com

Also, Rudder server requires the git software, which can be found on the SLES SDK DVD under the name git-core.

Warning

SLES 11 pre SP4 will try to install PostgreSQL 8.x by default, which is not recommended for Rudder: it will cause serious performance degradation and require much more disk space in the long run.

It is strongly recommended to either add the OpenSuSE build service repository, or install postgresql9x-server (if available) beforehand to prevent the system from choosing the default PostgreSQL version.

Warning

You may encounter a segmentation fault in Zypper in the following cases:

  • On SLES 11 when trying to install Rudder rpm files locally with Zypper (for example with zypper install rudder-agent-version.release-1.SLES.11.x86_64.rpm)
  • On SLES 12 GA when installing Rudder packages, locally or from the repository

This is due to a bug (bnc#929483 on SuSE bugtracker) in Zypper’s RPM headers parsing. You can either:

  • Only for SLES 11, install the packages directly from the repository, as described below
  • Upgrade your libzypp package to a version including the fix provided by SuSE (upgrade for SLES11SP3 and for SLES12)
  • Use the rpm command to install packages locally (for example with rpm -i rudder-agent-version.release-1.SLES.11.x86_64.rpm)

Warning

Zypper seems to be quite tolerant of missing dependencies and will let you install rudder-server-root even if you are missing something like git-core, for example if nothing provides it or you did not install it beforehand.

Special care should be taken during initial installation not to say "Continue anyway" if Zypper complains that a dependency cannot be resolved and asks what to do.

Add the Rudder packages repository

Each package that is published by Rudder Project is signed with our GPG signature. To ensure the packages you will install are official builds and have not been altered, import our key into rpm using the following command:

rpm --import https://www.rudder-project.org/rpm-repos/rudder_rpm_key.pub

Our key fingerprint is:

pub  1024R/6F07D355 2012-11-09 Rudder Project (RPM release key) <security@rudder-project.org>
      Key fingerprint = 1141 A947 CDA0 4E83 82C1  B9C4 ADAB 3BD3 6F07 D355

Then run the following commands as root:

zypper ar -n "Rudder SLES repository" http://www.rudder-project.org/rpm-4.1/SLES_11/ Rudder
zypper refresh

This will add the Rudder package repository, then update the local package cache.

Install your Rudder Root Server

To begin the installation, you should simply install the rudder-server-root metapackage, which will install the required components:

zypper in rudder-server-root

Initial configuration of your Rudder Root Server

After the installation, you have to configure some system elements, by launching the following initialisation script:

/opt/rudder/bin/rudder-init

This script will ask you to fill in the following details:

Allowed networks
A list of IP networks authorized to connect to the server. It uses the network/CIDR mask notation, for instance 192.168.0.0/24 or 10.0.0.0/8. To add several networks, first type the first network, then press the return key - the script will ask if you wish to add some more networks. Also, the allowed networks can be adjusted later in the web interface in the Administration - Settings tab without having to run the script again.

Tip

In case of typing error, or if you wish to reconfigure Rudder, you can execute this script again as many times as you want.

Validate the installation

Once all these steps have been completed, use your web browser to go to the URL given in the output of rudder-init.

You should see a loading screen, then a login prompt. The default login is "admin" with password "admin", authenticating you in the Rudder web interface with full administrative privileges. You are strongly advised to change this password as soon as possible.

The setup of the Rudder server is now over. If you plan to manage hundreds or thousands of Nodes, please note that some performance tuning can be necessary on the system.

Install Rudder Root server on RHEL-like systems

Add the Rudder packages repository

Each package that is published by Rudder Project is signed with our GPG signature. To ensure the packages you will install are official builds and have not been altered, import our key into rpm using the following command:

rpm --import https://www.rudder-project.org/rpm-repos/rudder_rpm_key.pub

Our key fingerprint is:

pub  1024R/6F07D355 2012-11-09 Rudder Project (RPM release key) <security@rudder-project.org>
      Key fingerprint = 1141 A947 CDA0 4E83 82C1  B9C4 ADAB 3BD3 6F07 D355

Then run the following command as root:

echo '[Rudder_4.1]
name=Rudder 4.1 EL repository
baseurl=http://www.rudder-project.org/rpm-4.1/RHEL_$releasever/
gpgcheck=1
gpgkey=http://www.rudder-project.org/rpm-4.1/RHEL_$releasever/repodata/repomd.xml.key' > /etc/yum.repos.d/rudder.repo
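
The key import commands in the Debian/Ubuntu, SLES and RHEL sections above trust whatever the download returns; the published fingerprints only help if they are compared before the import. The following is an added example, not part of the Rudder documentation: it checks the downloaded key file against the fingerprint printed on this page and imports it only on a match. The function names are hypothetical, and wget and gpg are assumed to be installed.

```shell
#!/bin/sh
# Added example: pin a downloaded release key to the fingerprint documented
# on this page before handing it to the package manager.

# Remove whitespace and upper-case, so spaced and compact forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --with-fingerprint` output on stdin and print the
# fingerprint (field 10 of the "fpr" record) of each primary ("pub") key.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if the listing on stdin holds exactly one primary key and its
# fingerprint equals $1. A file carrying extra keys fails, because the import
# command would trust every key in it.
listing_matches() {
    expected=$(normalize_fpr "$1")
    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] && [ "$(normalize_fpr "$found")" = "$expected" ]
}

# verify_and_import URL FINGERPRINT IMPORT_COMMAND...   (hypothetical helper)
# Downloads once, checks that file, then imports that same file.
verify_and_import() {
    url=$1 fpr=$2; shift 2
    keyfile=$(mktemp) || return 1
    wget --quiet -O "$keyfile" "$url" &&
        gpg --batch --with-colons --with-fingerprint "$keyfile" 2>/dev/null |
            listing_matches "$fpr" &&
        "$@" "$keyfile"
    rc=$?
    rm -f "$keyfile"
    return "$rc"
}

# Usage as root, with the URLs and fingerprints given on this page:
#   verify_and_import "https://www.rudder-project.org/apt-repos/rudder_apt_key.pub" \
#       "7C16 9817 7904 212D D58C  B4D1 9322 C330 474A 19E8" apt-key add
#   verify_and_import "https://www.rudder-project.org/rpm-repos/rudder_rpm_key.pub" \
#       "1141 A947 CDA0 4E83 82C1  B9C4 ADAB 3BD3 6F07 D355" rpm --import
```

A non-zero exit status means the key was not imported; the temporary file is removed in either case.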

Install your Rudder Root Server

To begin the installation, you should simply install the rudder-server-root metapackage, which will install the required components:

yum install rudder-server-root

On Red Hat-like systems, a firewall setup is enabled by default, and would need to be adjusted for Rudder to operate properly. You have to allow all the flows described in the Network section.

Tip

On EL6, the /etc/sysconfig/iptables file configures the firewall:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Allow SSH access (Maintenance)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Allow HTTPS access (Rudder)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

The important line for access to the web interface is:

# Allow HTTPS access (Rudder)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

Tip

On EL7, the default firewall is firewalld, and you can enable HTTP/S access by running:

firewall-cmd --permanent --zone=public --add-port=443/tcp

Initial configuration of your Rudder Root Server

After the installation, you have to configure some system elements, by launching the following initialisation script:

/opt/rudder/bin/rudder-init

This script will ask you to fill in the following details:

Allowed networks
A list of IP networks authorized to connect to the server. It uses the network/CIDR mask notation, for instance 192.168.0.0/24 or 10.0.0.0/8. To add several networks, first type the first network, then press the return key - the script will ask if you wish to add some more networks. Also, the allowed networks can be adjusted later in the web interface in the Administration - Settings tab without having to run the script again.

Tip

In case of typing error, or if you wish to reconfigure Rudder, you can execute this script again as many times as you want.

Validate the installation

Once all these steps have been completed, use your web browser to go to the URL given in the output of rudder-init.

You should see a loading screen, then a login prompt. The default login is "admin" with password "admin", authenticating you in the Rudder web interface with full administrative privileges. You are strongly advised to change this password as soon as possible.

The setup of the Rudder server is now over. If you plan to manage hundreds or thousands of Nodes, please note that some performance tuning can be necessary on the system.

Note: Files installed by the application
/etc
System-wide configuration files are stored here: init scripts, configuration for apache, logrotate and rsyslog.
/opt/rudder
Non-variable application files are stored here.
/opt/rudder/etc
Configuration files for Rudder services are stored here.
/var/log/rudder
Log files for Rudder services are stored here.
/var/rudder
Variable data for Rudder services are stored here.
/var/rudder/configuration-repository/techniques
Techniques are stored here.
/var/rudder/cfengine-community
Data for CFEngine Community is stored here.
/var/cfengine
Data for CFEngine Enterprise is stored here.
/usr/share/doc/rudder*
Documentation about Rudder packages.