Red Hat Enterprise Linux (RHEL) and Rocky Linux
editRed Hat Enterprise Linux (RHEL) and Rocky Linux
editRed Hat Enterprise Linux 8 (RHEL 8), 9 (RHEL 9), and Rocky Linux 8 and 9
editThe following instructions show you how to prepare your hosts on Red Hat Enterprise Linux 8 (RHEL 8), 9 (RHEL 9), and Rocky Linux 8 and 9.
Prerequisites
editCreate a RHEL 8 (the version must be >= 8.5), RHEL 9, Rocky Linux 8, or Rocky Linux 9 instance.
- For RHEL 8, follow your internal guidelines to add a vanilla RHEL 8 instance to your environment. Note that the version must be >= 8.5.
Verify that required traffic is allowed.
Configure the host
edit-
Install the OS packages
lvm2
,iptables
,sysstat
, andnet-tools
by executing:For RHEL 9 and Rocky Linux 9, also install the
containernetworking-plugins
package using:sudo dnf -y install containernetworking-plugins
-
Remove Docker and previously installed podman packages (if previously installed).
sudo dnf remove docker docker-ce podman podman-remote containerd.io
-
As a sudoers user, edit the
/etc/selinux/config
file:-
If you are not using SELinux, set it to permissive mode:
SELINUX=permissive
-
If you are using SELinux, set it to enforcing mode:
Avoid customizing the host Docker path
/mnt/data/docker
when using SELinux. Otherwise the ECE installer script needs to be adjusted.SELINUX=enforcing
-
-
Install podman:
-
For RHEL 8 and Rocky Linux, install version
4.*
.sudo dnf install podman-4.* podman-remote-4.*
-
For RHEL 9, install the latest available version
4.*
using dnf.sudo dnf install podman-4.* podman-remote-4.*
-
-
[This step is for RHEL 9 and Rocky Linux 9 only] Switch the network stack from Netavark to CNI:
-
If the /etc/containers/containers.conf file does not exist, copy the /usr/share/containers/containers.conf file to the /etc/containers/ directory (for example, using
cp /usr/share/containers/containers.conf /etc/containers/
). -
Open the /etc/containers/containers.conf file. Navigate to the network section and make sure that the network_backend setting is set to
cni
. -
Reboot the system (
reboot
). -
Check that the network stack has changed to
cni
:cat /etc/containers/containers.conf [...] [network] network_backend="cni" [...]
-
If the /etc/containers/containers.conf file does not exist, copy the /usr/share/containers/containers.conf file to the /etc/containers/ directory (for example, using
-
If podman requires a proxy in your infrastructure setup, modify the
/usr/share/containers/containers.conf
file and add theHTTP_PROXY
andHTTPS_PROXY
environment variables in the [engine] section. Please note that multiple env variables in that configuration file exists — use the one in the [engine] section.Example:
[engine] env = ["HTTP_PROXY=http://{proxy-ip}:{proxy-port}", "HTTPS_PROXY=http://{proxy-ip}:{proxy-port}"]
-
Reload systemd configuration
sudo systemctl daemon-reload
-
Create OS groups, if they do not exist yet
Reference: Users and permissions
sudo groupadd elastic sudo groupadd podman
-
Add user
elastic
to thepodman
groupReference: Users and permissions
sudo useradd -g "elastic" -G "podman" elastic
-
As a sudoers user, add the following line to /etc/sudoers.d/99-ece-users
Reference: Users and permissions
elastic ALL=(ALL) NOPASSWD:ALL
-
Add the required options to the kernel boot arguments
sudo /sbin/grubby --update-kernel=ALL --args='cgroup_enable=memory cgroup.memory=nokmem swapaccount=1'
-
Create the directory
sudo mkdir -p /etc/systemd/system/podman.socket.d
-
As a sudoers user, create the file
/etc/systemd/system/podman.socket.d/podman.conf
with the following content. Set the correct ownership and permission.Both
ListenStream=
andListenStream=/var/run/docker.sock
parameters are required!File content:
[Socket] ListenStream= ListenStream=/var/run/docker.sock SocketMode=770 SocketUser=elastic SocketGroup=podman
File ownership and permission:
sudo chown root:root /etc/systemd/system/podman.socket.d/podman.conf sudo chmod 0644 /etc/systemd/system/podman.socket.d/podman.conf
-
As a sudoers user, create the (text) file
/usr/bin/docker
with the following content. Verify that the regular double quotes in the text file are used (ASCII code Hex 22)#!/bin/bash podman-remote --url unix:///var/run/docker.sock "$@"
-
Set the file permissions on
/usr/bin/docker
sudo chmod 0755 /usr/bin/docker
-
As a sudoers user, add the following two lines to section
[storage]
in the file/etc/containers/storage.conf
. Verify that those parameters are only defined once. Either remove or comment out potentially existing parameters.Avoid customizing the host Docker path
/mnt/data/docker
when using SELinux. Otherwise the ECE installer script needs to be adjusted.runroot = "/mnt/data/docker/runroot/" graphroot = "/mnt/data/docker"
-
Enable podman so that itself and running containers start automatically after a reboot
sudo systemctl enable podman.service sudo systemctl enable podman-restart.service
-
Enable the
overlay
kernel module (check Use the OverlayFS storage driver) that the Podmanoverlay
storage driver uses (check Working with the Container Storage library and tools in Red Hat Enterprise Linux).In the Docker world there are two overlay drivers, overlay and overlay2. Today most users use the overlay2 driver, so we just use that one, and called it overlay. Refer also to Use the OverlayFS storage driver.
echo "overlay" | sudo tee -a /etc/modules-load.d/overlay.conf
-
Format the additional data partition
sudo mkfs.xfs /dev/nvme1n1
-
Create the
/mnt/data/
directory used as a mount pointsudo install -o elastic -g elastic -d -m 700 /mnt/data
-
As a sudoers user, modify the entry for the XFS volume in the
/etc/fstab
file to addpquota,prjquota
. The default filesystem path used by Elastic Cloud Enterprise is/mnt/data
.Replace
/dev/nvme1n1
in the following example with the corresponding device on your host, and add this example configuration as a single line to/etc/fstab
./dev/nvme1n1 /mnt/data xfs defaults,nofail,x-systemd.automount,prjquota,pquota 0 2
-
Restart the local-fs target
sudo systemctl daemon-reload sudo systemctl restart local-fs.target
-
Set the permissions on the newly mounted device
ls /mnt/data sudo chown elastic:elastic /mnt/data
-
Create the
/mnt/data/docker
directory for the Docker service storageAvoid customizing the host Docker path
/mnt/data/docker
when using SELinux. Otherwise the ECE installer script needs to be adjusted.sudo install -o elastic -g elastic -d -m 700 /mnt/data/docker
-
If you want to use FirewallD, please ensure you meet the networking prerequisites. Otherwise, you can disable it with:
sudo systemctl disable firewalld
If FirewallD does not exist on your VM, you can skip this step.
-
Configure kernel parameters
cat <<EOF | sudo tee -a /etc/sysctl.conf # Required by Elasticsearch vm.max_map_count=262144 # enable forwarding so the Docker networking works as expected net.ipv4.ip_forward=1 # Decrease the maximum number of TCP retransmissions to 5 as recommended for Elasticsearch TCP retransmission timeout. # See https://www.elastic.co/guide/en/elasticsearch/reference/current/system-config-tcpretries.html net.ipv4.tcp_retries2=5 # Make sure the host doesn't swap too early vm.swappiness=1 EOF
-
Apply the new sysctl settings
sudo sysctl -p sudo systemctl restart NetworkManager
-
As a sudoers user, adjust the system limits. Add the following configuration values to the
/etc/security/limits.conf
file.* soft nofile 1024000 * hard nofile 1024000 * soft memlock unlimited * hard memlock unlimited elastic soft nofile 1024000 elastic hard nofile 1024000 elastic soft memlock unlimited elastic hard memlock unlimited elastic soft nproc unlimited elastic hard nproc unlimited root soft nofile 1024000 root hard nofile 1024000 root soft memlock unlimited
-
NOTE: This step is optional if the Docker registry doesn’t require authentication.
Authenticate the
elastic
user to pull images from the Docker registry you use, by creating the file/home/elastic/.docker/config.json
. This file needs to be owned by theelastic
user. If you are using a user name other thanelastic
, adjust the path accordingly.Example: In case you use
docker.elastic.co
, the file content looks like as follows:{ "auths": { "docker.elastic.co": { "auth": "<auth-token>" } } }
-
Restart the podman service by running this command:
sudo systemctl daemon-reload sudo systemctl restart podman
-
Reboot the RHEL host
sudo reboot