As part of the manual installation process (which is not recommended), install and configure RaaS.
To install and configure the RaaS node:
- FOR SLES 15 INSTALLATIONS ONLY: Install the
xmlsec1
package. Without this dependency, a SLES 15 installation may fail. To download the package and read installation documentation, see xmlsec1. - FOR SLES INSTALLATIONS ONLY: Import the RPM signing key using the following command:
rpm --import http://repo.saltstack.com/py3/redhat/7.7/x86_64/latest/SALTSTACK-GPG-KEY.pub
- Download and install the RPM for your operating system:
RHEL
Download and install the Red Hat/CentOS SaltStack Config RPM, replacing the exact filename:
sudo yum install raas-<version>-0.el7.x86_64.rpm
- In the RaaS service configuration file
/etc/raas/raas
, update thesql
configuration to provide the host and port created in the previous section. If you plan to use SSL, setssl
toTrue
and see the next step for additional details.sql:dialect:postgresqlhost:localhostport:5432driver:psycopg2ssl:false
- If you set
ssl
toTrue
in the previous step, you’ve enabled an SSL connection, but additional information is required to verify the server’s SSL certificate. To configure certificate verification, in/etc/raas/raas
, add a newssl_opts
key and provide values as follows:Option
Description
sslmode
Choose the mode for your SSL connection from one of the following:
-
disable
- Use only cleartext connections. This value is used whenssl
is set to False. -
prefer
- Use SSL but fallback to cleartext if SSL is not available. -
require
- Use an SSL connection but do not attempt to verify the server’s certificate. -
verify-ca
- Use the contents ofsslrootcert
, if present, to validate the server’s SSL certificate. Or ifsslrootcert
is not present, use the system certificate store to validate the server’s SSL certificate. -
verify-full
- Use the contents ofsslrootcert
, if present, to validate the server’s SSL certificate. Or ifsslrootcert
is not present, use the system certificate store to validate the server’s SSL certificate.verify-full
requires that the hostname in the certificate match the hostname SaltStack Config uses when connecting.
For more on these settings, see the PostgreSQL documentation.
sslrootcert
Location on the RaaS filesystem of the CA certificate to use if a self-signed certificate is in place on the PostgreSQL server
sslcert
Location of the client certificate on the RaaS server to use instead of username and password to connect to PostgreSQL
sslkey
Location of the key file that goes along with the client certificate referenced in
sslcert
For more in-depth information about these options, see the PostgreSQL documentation: Client Verification of Server Certificates, as well as the following example configurations.
Example 1
The first example shows a configuration set to full verification. This means that the certificate PostgreSQL presents to SaltStack Config is validated against the Certificate Authority certificate specified in the file
path/to/CA_Certificate
. Furthermore, the Common Name in the SaltStack Config certificate must match the hostname SaltStack Config is using for PostgreSQL.sql: ssl:True ssl_opts: sslmode:verify-full sslrootcert:path/to/CA_certificate
Example 2
The second example enables SSL communication without certificate validation, and authenticates the user that the RaaS uses to connect to PostgreSQL via client SSL certificate.
sql: ssl:True ssl_opts: sslmode:require sslcert:path/to/Client_Certificate sslkey:path/to/Key_for_Client_Certificate
-
- In the RaaS service configuration file
/etc/raas/raas
, define options for background workers:background_workers: combined_process:True max_tasks:100000 max_memory:1048576
Note:SaltStack Config includes a range of different background worker settings to improve performance for various deployment scenarios. For more information, see Improve system performance.
- In the RaaS service configuration file
/etc/raas/raas
, configure the location of your Redis server:redis: url:redis://<Redis_IP>:6379
- To store database credentials for both PostgreSQL and Redis in an encrypted file, run the following command:
su - raas -c 'raas save_creds'
- Follow the prompts to set up your username and password for Redis and PostgreSQL. If you would prefer to leave those values blank, press the Enter key when prompted. The credentials are stored in
/etc/raas/raas.secconf
.Note:If credentials appear in both
/etc/raas/raas
and/etc/raas/raas.secconf
, the settings in the plaintext/etc/raas/raas
take precedence. For more on securing credentials, see Securing credentials in your configuration. - Enable the RaaS service at system startup and launch the service using the following commands:
sudo systemctl enable raas sudo systemctl start raas
The manual installation process is now complete.
What to do next
After installing and configuring RaaS, the next step is to install the RaaS license key. See Install the RaaS license key for more information.