Creating and using an external repo in 11.x

Document created by John Snider Employee on Jul 9, 2019

Scenario -
Due to a slow or unstable WAN link between host(s) and the NW Admin Server (node-zero) host, installs and/or upgrades are failing to complete successfully.


Solution – External Repo
Create an external NetWitness repo that is closer to the hosts, so yum can pull the files from it during upgrades. Even if the original install was done using the NW Server, you can later point host(s) to an external repo to speed up upgrades.


In this example we publish the 11.3.0.0 and 11.3.0.1 repos to an external repository on a Malware Analysis server, which then serves as the upgrade repository for the remote site.

 

The Process -
1. SSH to the node-X host to be used as the external repo server, and install the nginx web server:

yum install nginx -y

 

2. After the nginx rpm is installed, modify the “/etc/nginx/conf.d/default.conf” file to serve out the repo directory:

vi /etc/nginx/conf.d/default.conf


Insert the “location /nwrpmrepo” block (the added text) between the existing “location /” block and the error_page line, as shown:

location / {
    root /usr/share/nginx/html;
    index index.html index.htm;
}
location /nwrpmrepo {
    alias /var/netwitness/common/repo;
    index index.html index.htm;
    autoindex on;
}

#error_page 404 /404.html;

 

3. Create the directory path for the repo files, then restart nginx.service:

mkdir -p /var/netwitness/common/repo
systemctl restart nginx

 

4. Copy the 11.3.0.0 and 11.3.0.1 zip files to the host under /tmp, then use the “external-repo-creator” script to create the repos on the external host:

/opt/rsa/saTools/bin/external-repo-creator /tmp/netwitness-11.3.0.0.zip /var/netwitness/common/repo
/opt/rsa/saTools/bin/external-repo-creator /tmp/netwitness-11.3.0.1.zip /var/netwitness/common/repo

 

5. Create a backup of the following files:

mkdir /root/conf-backup

cp /etc/netwitness/config-management/environments/netwitness.json /root/conf-backup
cp /etc/sysconfig/iptables-config /root/conf-backup
cp /etc/sysconfig/iptables /root/conf-backup

 

 

6. Edit the original files:

a. netwitness.json - add the “customer-firewall” entry after the Global heading (if not already there):

"default_attributes" : {
"global" : {
    "customer-firewall" : true,
    "nodezeroipaddress" : "192.168.1.129",

 

b. iptables-config - enable saving of the ruleset on stop/restart of the service by changing:

IPTABLES_SAVE_ON_STOP="no" to IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_SAVE_ON_RESTART="no" to IPTABLES_SAVE_ON_RESTART="yes"

 

7. Insert a repo rule for port 80 into iptables before the INPUT chain DROP rule.

a. Find the line number of the INPUT chain DROP rule:

iptables -L -n --line-numbers
...
10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 5432 /* postgresql-listen-port */ ctstate NEW
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 60007 /* rsa-nw-malware-analytics-server ports */ ctstate NEW
12 DROP all -- 0.0.0.0/0 0.0.0.0/0

 

b. Insert the rule above the DROP rule (using the line number found in step 7a), then list the chain again to confirm the DROP rule moved down one position:

iptables -I INPUT 12 -p tcp -m tcp -m multiport --dports 80 -m comment --comment "external-repo-port" -m conntrack --ctstate NEW -j ACCEPT

iptables -L -n --line-numbers

...

11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 60007 /* rsa-nw-malware-analytics-server ports */ ctstate NEW
12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 80 /* external-repo-port */ ctstate NEW
13 DROP all -- 0.0.0.0/0 0.0.0.0/0

c. Restart the iptables service (the rule is saved on restart because of the change made in step 6b):

systemctl restart iptables.service

 

d. Verify that the rule was saved:

iptables -L -n

...

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 60007 /* rsa-nw-malware-analytics-server ports */ ctstate NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 80 /* external-repo-port */ ctstate NEW
DROP all -- 0.0.0.0/0 0.0.0.0/0
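Step 7 hard-codes the DROP rule's position (12), which will differ from host to host. The following shell snippet is an added example, not part of the original article: it derives the insert position from the chain listing and skips the insert when a rule tagged "external-repo-port" is already present. The listing it parses is a constructed sample modelled on the output shown above.

```shell
#!/bin/sh
# Constructed sample of `iptables -L INPUT -n --line-numbers` output, modelled on
# the listing in step 7a (not captured from a real host).
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 5432 /* postgresql-listen-port */ ctstate NEW
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 60007 /* rsa-nw-malware-analytics-server ports */ ctstate NEW
12   DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# Print the line number of the first catch-all DROP rule (target DROP, proto all,
# any source, any destination) in an INPUT chain listing. Prints nothing if absent.
find_drop_rule_num() {
    printf '%s\n' "$1" | awk '$2 == "DROP" && $3 == "all" && $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" { print $1; exit }'
}

# Return 0 if a rule carrying the given iptables comment is already in the listing.
rule_present() {
    printf '%s\n' "$1" | grep -q -- "/\* $2 \*/"
}

# Build the iptables command from step 7b, with the insert position taken from
# the listing instead of hard-coded. Fails if no catch-all DROP rule exists.
build_insert_cmd() {
    num=$(find_drop_rule_num "$1")
    [ -n "$num" ] || return 1
    printf 'iptables -I INPUT %s -p tcp -m tcp -m multiport --dports 80 -m comment --comment "external-repo-port" -m conntrack --ctstate NEW -j ACCEPT\n' "$num"
}

# Dry run against the sample. On a real host, replace SAMPLE_INPUT_CHAIN with
# "$(iptables -L INPUT -n --line-numbers)" and run the printed command.
main() {
    if rule_present "$SAMPLE_INPUT_CHAIN" "external-repo-port"; then
        echo "external-repo-port rule already present, nothing to do"
    else
        build_insert_cmd "$SAMPLE_INPUT_CHAIN"
    fi
}

main
```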

 

8. On the host to be upgraded:

a. Test access to the new repo:

curl http://192.168.10.132/nwrpmrepo/

<html>
<head><title>Index of /nwrpmrepo/</title></head>
<body bgcolor="white">
<h1>Index of /nwrpmrepo/</h1><hr><pre><a href="../">../</a>
<a href="11.3.0.0/">11.3.0.0/</a> 20-Jun-2019 04:24 -
<a href="11.3.0.1/">11.3.0.1/</a> 20-Jun-2019 14:02 -
</pre><hr></body>
</html>

 

b. Create the /etc/netwitness/platform/repobase file with the URL of the new repo server as its only line:

echo "http://192.168.10.132/nwrpmrepo" > /etc/netwitness/platform/repobase

 

9. From Node-zero (NW Server), initiate offline upgrade of the host (using the IP address of the host to be upgraded):

upgrade-cli-client --upgrade --version 11.3.0.1 --host-addr 192.168.10.131

 

The client will use the external repo to download the rpms for the upgrade.
