Table of Contents
Table 1. Network Flows
To | From | Port | Usage |
---|---|---|---|
Root Server | User or API client | tcp/443 (https) | Access Web interface/API |
Policy Server | Any Node | udp/514 (or tcp/514) | Send reports |
Linux or AIX Node | tcp/443 (https/WebDAV) | Send inventories | |
tcp/5309 | Fetch policies | ||
tcp/5310 (optional) | Debug policy copy | ||
AIX Node | tcp/80 (http/WebDAV) | Send inventories | |
Windows DSC Node | tcp/443 (https/WebDAV) | Send inventories and fetch policies | |
Linux or AIX Node | Policy Server | tcp/5309 (optional) | Trigger remote agent run |
Note: The Policy Server is the server configured to manage the node, and can be either a Root Server or a Relay Server.
Rudder needs unlimited strength
security policy because it uses a variety of advanced
hashing and cryptographic algorithms only available in that mode.
Any recent JVM (JDK 8 > 8u161, all JDK 9 and more recent) is configured by default with this policy.
You can check your case by running the following command on your server:
jrunscript -e 'exit (javax.crypto.Cipher.getMaxAllowedKeyLength("RC5") >= 256 ? 0 : 1);'; echo $?
If it returns 0, you have the correct policy. In other cases, you will need to change it.
For that, you can download the
unlimited strength
policy for JDK 8 here.
Then, simply copy the java.policy
file into $JAVA_HOME/jre/lib/security/java.policy
.
Fully supported Operating Systems are systems that are frequently built and tested on our servers. Partially suported Operating Systems are systems that have been built and tested at least once but that have not seen continuous flow of fixes.
The following operating systems are supported for Rudder Nodes and packages are available for these platforms:
GNU/Linux:
- Debian 5 to 9
- RedHat Enterprise Linux (RHEL) / RHEL-like 3 and 5 to 7
- SuSE Linux Enterprise Server (SLES) 10 SP3, 11 and 12
- Ubuntu 10.04 LTS (Lucid), 12.04 LTS (Precise), 14.04 LTS (Trusty), 16.04 LTS (Xenial), 18.04 LTS (Bionic)
Other Unix systems:
- IBM AIX 5.3, 6.1 and 7.1
Windows:
- Microsoft Windows Server 2008 R2, 2012, 2012 R2, 2016
Fully supported Operating Systems are systems that are frequently built and tested on our servers. Partially suported Operating Systems are systems that have been built and tested at least once but that have not seen continuous flow of fixes.
Partially supported Operating Systems | |
---|---|
It is possible to use Rudder on other platforms than the fully supported ones. However, we haven’t tested the application on them, and can’t currently supply any packages for them. Moreover, some Techniques may not work properly. If you wish to get Rudder support on those systems, please get in touch with us! A reference about how to manually build a Rudder agent is available on Rudder's documentation here: Building the Rudder Agent |
The following operating systems have had an agent built using Building the Rudder Agent:
- FreeBSD
- Slackware
- Solaris 10 and 11
- Raspbian, based on jessie (via dpkg)
- Debian 8 on ARM (armhf version) (via dpkg)
- OpenSUSE (via rpm)
You can also follow the documentation instructions to build and install Rudder Agent locally on your favorite linux distribution. Even if this distribution has not been tested by us, it has a reasonable chance of success.
The agent provides an abstraction that permits a high level management of the infrastructure. This abstraction is independant of the underlying hardware. This also works for the cloud - we can define configuration rules in Rudder that will be applied as well inside a cloud instance as in a virtual server or in a physical machine of a datacenter.
Any cloud instance based on one of the supported operating system is automatically supported.
Rudder agent has a very small footprint, and only consumes:
- 10 to 20 MB of RAM during an agent run
- a few kB on the network to check or update its policies
- a few kB on the network to report
- around 100 MB of disk space for the installed files and the workspace
These figures will vary depending on your configuration (backup retention, number of configured components to check, etc…).
A dedicated server is strongly recommended, either physical or virtual with at least one dedicated core. Rudder Server runs on both 32 (if available) and 64 bit versions of every supported Operating System.
Note | |
---|---|
Rudder does not fear big infrastructures. It is currently used in production in infrastructure with more than 7000 nodes. |
The required amount of RAM mainly depends on the number of managed nodes. A general rule for the minimal value on a stand-alone server is:
- less than 50 nodes: 2 GB
- between 50 and 1000 nodes: 4 GB
- more than 1000 nodes: 4 GB + 1 GB of RAM by 500 nodes above 1000.
When managing more than 1000 nodes, we also recommend you to use a multiserver installation for Rudder as described in chapter Multiserver Rudder.
When your server has more than 2 GB of RAM, you have to configure the RAM allocated to the Java Virtual Machine as explained in the section about webapplication RAM configuration.
When your server has more than 4 GB, you may need to also tune the PostgresSQL server, as explained in the Optimize PostgreSQL Server section.
Tip | |
---|---|
As an example, a Rudder server which manages 2600 nodes (with a lot of policies checked) will need:
In our load-tests, with such a configuration, the server is not stressed and the user experience is good. |
The PostgreSQL database will take up most disk space needed by Rudder. The storage necessary for the database can be estimated by counting around 150 to 400 kB by Directive, by Node and by day of retention of node’s execution reports (the default is 4 days):
max_space = number of Directives * number of Nodes * retention duration in days * 400 kB
For example, a default installation with 500 nodes and an average of 50 Directives by node, should require between 14 GB and 38 GB of disk space for PostgreSQL.
Follow the Reports Retention section to configure the retention duration.
Warning | |
---|---|
Be careful to correctly size your /var partition. Compliance data are growing fast, and PostgreSQL doesn’t like at all to encounter a write error because the disk is full. It is also adviced to set-up your monitoring to check for available space on that partition. |