Skip to main content
BlueXP classification

Check that your Linux host is ready to install BlueXP classification

Contributors netapp-tonacki netapp-bcammett amgrissino

Before installing BlueXP classification manually on a Linux host, you can run a script on the host to verify that all the prerequisites are in place for installing BlueXP classification. You can run this script on a Linux host in your network, or on a Linux host in the cloud. The host can be connected to the internet, or the host can reside in a site that doesn't have internet access (a dark site).

There is also a prerequisite test script that is part of the BlueXP classification installation script. The script described here is specifically designed for users who want to verify the Linux host independently of running the BlueXP classification installation script.

Getting Started

You'll perform the following tasks.

  1. Optionally, install a BlueXP Connector if you don't already have one installed. You can run the test script without having a Connector installed, but the script checks for connectivity between the Connector and the BlueXP classification host machine - so it is recommended that you have a Connector.

  2. Prepare the host machine and verify that it meets all the requirements.

  3. Enable outbound internet access from the BlueXP classification host machine.

  4. Verify that all required ports are enabled on all systems.

  5. Download and run the Prerequisite test script.

Create a Connector

A BlueXP Connector is required before you can install and use BlueXP classification. You can, however, run the Prerequisites script without a Connector.

You can install the Connector on-premises on a Linux host in your network or on a Linux host in the cloud. Some users planning to install BlueXP classification on-prem may also choose to install the Connector on-prem.

To create a Connector in your cloud provider environment, see creating a Connector in AWS, creating a Connector in Azure, or creating a Connector in GCP.

You'll need the IP address or host name of the Connector system when running the Prerequisites script. You'll have this information if you installed the Connector in your premises. If the Connector is deployed in the cloud, you can find this information from the BlueXP console: click the Help icon, select Support, and click BlueXP Connector.

Verify host requirements

BlueXP classification software must run on a host that meets specific operating system requirements, RAM requirements, software requirements, and so on.

  • BlueXP classification is not supported on a host that is shared with other applications - the host must be a dedicated host.

  • When building the host system in your premises, you can choose among three system sizes depending on the size of the dataset that you plan to have BlueXP classification scan.

    System size CPU RAM (swap memory must be disabled) Disk

    Extra Large

    32 CPUs

    128 GB RAM

    1 TiB SSD on /, or
    - 100 GiB available on /opt
    - 895 GiB available on /var/lib/docker
    - 5 GiB on /tmp

    Large

    16 CPUs

    64 GB RAM

    500 GiB SSD on /, or
    - 100 GiB available on /opt
    - 395 GiB available on /var/lib/docker or for Podman /var/lib/containers or for Podman /var/lib/containers
    - 5 GiB on /tmp

    Medium

    8 CPUs

    32 GB RAM

    200 GiB SSD on /, or
    - 50 GiB available on /opt
    - 145 GiB available on /var/lib/docker or for Podman /var/lib/containers
    - 5 GiB on /tmp

    Small

    8 CPUs

    16 GB RAM

    100 GiB SSD on /, or
    - 50 GiB available on /opt
    - 45 GiB available on /var/lib/docker or for Podman /var/lib/containers
    - 5 GiB on /tmp

    Note that there are limitations when using the smaller systems. See Using a smaller instance type for details.

  • When deploying a compute instance in the cloud for your BlueXP classification installation, we recommend a system that meets the "Large" system requirements above:

  • UNIX folder permissions: The following minimum UNIX permissions are required:

    Folder Minimum Permissions

    /tmp

    rwxrwxrwt

    /opt

    rwxr-xr-x

    /var/lib/docker

    rwx------

    /usr/lib/systemd/system

    rwxr-xr-x

  • Operating system:

    • The following operating systems require using the Docker container engine:

      • Red Hat Enterprise Linux version 7.8 and 7.9

      • CentOS version 7.8 and 7.9

      • Ubuntu 22.04 (requires BlueXP classification version 1.23 or greater)

    • The following operating systems require using the Podman container engine, and they require BlueXP classification version 1.30 or greater:

      • Red Hat Enterprise Linux version 8.8, 9.0, 9.1, 9.2, and 9.3

        Note that the following features are not currently supported when using RHEL 8.x and RHEL 9.x:

        • Installation in a dark site

        • Distributed scanning; using a master scanner node and remote scanner nodes

  • Red Hat Subscription Management: The host must be registered with Red Hat Subscription Management. If it's not registered, the system can't access repositories to update required 3rd-party software during installation.

  • Additional software: You must install the following software on the host before you install BlueXP classification:

    • Depending on the OS you are using, you'll need to install one of the container engines:

      • Docker Engine version 19.3.1 or greater. View installation instructions.

        Watch this video for a quick demo of installing Docker on CentOS.

      • Podman version 4 or greater. To install Podman, update your system packages (sudo yum update -y), and then install Podman (sudo yum install netavark -y).

  • Python version 3.6 or greater. View installation instructions.

    • NTP considerations: NetApp recommends configuring the BlueXP classification system to use a Network Time Protocol (NTP) service. The time must be synchronized between the BlueXP classification system and the BlueXP Connector system.

    • Firewalld considerations: If you are planning to use firewalld, we recommend that you enable it before installing BlueXP classification. Run the following commands to configure firewalld so that it is compatible with BlueXP classification:

      firewall-cmd --permanent --add-service=http
      firewall-cmd --permanent --add-service=https
      firewall-cmd --permanent --add-port=80/tcp
      firewall-cmd --permanent --add-port=8080/tcp
      firewall-cmd --permanent --add-port=443/tcp
      firewall-cmd --reload

      If you're planning to use additional BlueXP classification hosts as scanner nodes (in a distributed model), add these rules to your primary system at this time:

      firewall-cmd --permanent --add-port=2377/tcp
      firewall-cmd --permanent --add-port=7946/udp
      firewall-cmd --permanent --add-port=7946/tcp
      firewall-cmd --permanent --add-port=4789/udp

      Note that you must restart Docker or Podman whenever you enable or update firewalld settings.

Enable outbound internet access from BlueXP classification

BlueXP classification requires outbound internet access. If your virtual or physical network uses a proxy server for internet access, ensure that the BlueXP classification instance has outbound internet access to contact the following endpoints.

Tip This section is not required for host systems installed in sites without internet connectivity.
Endpoints Purpose

https://api.bluexp.netapp.com

Communication with the BlueXP service, which includes NetApp accounts.

https://netapp-cloud-account.auth0.com
https://auth0.com

Communication with the BlueXP website for centralized user authentication.

https://support.compliance.api.bluexp.netapp.com/
https://hub.docker.com
https://auth.docker.io
https://registry-1.docker.io
https://index.docker.io/
https://dseasb33srnrn.cloudfront.net/
https://production.cloudflare.docker.com/

Provides access to software images, manifests, templates, and to send logs and metrics.

https://support.compliance.api.bluexp.netapp.com/

Enables NetApp to stream data from audit records.

https://github.com/docker
https://download.docker.com

Provides prerequisite packages for docker installation.

http://mirror.centos.org
http://mirrorlist.centos.org
http://mirror.centos.org/centos/7/extras/x86_64/Packages/container-selinux-2.107-3.el7.noarch.rpm

Provides prerequisite packages for CentOS installation.

http://packages.ubuntu.com/
http://archive.ubuntu.com

Provides prerequisite packages for Ubuntu installation.

Verify that all required ports are enabled

You must ensure that all required ports are open for communication between the Connector, BlueXP classification, Active Directory, and your data sources.

Connection Type Ports Description

Connector <> BlueXP classification

8080 (TCP), 443 (TCP), and 80

The firewall or routing rules for the Connector must allow inbound and outbound traffic over port 443 to and from the BlueXP classification instance.

Make sure port 8080 is open so you can see the installation progress in BlueXP.

Connector <> ONTAP cluster (NAS)

443 (TCP)

BlueXP discovers ONTAP clusters using HTTPS. If you use custom firewall policies, the Connector host must allow outbound HTTPS access through port 443. If the Connector is in the cloud, all outbound communication is allowed by the predefined firewall or routing rules.

Run the BlueXP classification Prerequisites script

Follow these steps to run the BlueXP classification Prerequisites script.

Watch this video to see how to run the Prerequisites script and interpret the results.

What you'll need
  • Verify that your Linux system meets the host requirements.

  • Verify that the system has the two prerequisite software packages installed (Docker Engine or Podman, and Python 3).

  • Make sure you have root privileges on the Linux system.

Steps
  1. Download the BlueXP classification Prerequisites script from the NetApp Support Site. The file you should select is named standalone-pre-requisite-tester-<version>.

  2. Copy the file to the Linux host you plan to use (using scp or some other method).

  3. Assign permissions to run the script.

    chmod +x standalone-pre-requisite-tester-v1.25.0
  4. Run the script using the following command.

     ./standalone-pre-requisite-tester-v1.25.0 <--darksite>

    Add the option "--darksite" only if you are running the script on a host that doesn't have internet access. Certain prerequisite tests are skipped when the host is not connected to the internet.

  5. The script prompts you for the IP address of the BlueXP classification host machine.

    • Enter the IP address or host name.

  6. The script prompts whether you have an installed BlueXP Connector.

    • Enter N if you do not have an installed Connector.

    • Enter Y if you do have an installed Connector. And then enter the IP address or host name of the BlueXP Connector so the test script can test this connectivity.

  7. The script runs a variety of tests on the system and it displays results as it progresses. When it finishes it writes a log of the session to a file named prerequisites-test-<timestamp>.log in the directory /opt/netapp/install_logs.

Result

If all the prerequisites tests ran successfully, you can install BlueXP classification on the host when you are ready.

If any issues were discovered, they are categorized as "Recommended" or "Required" to be fixed. Recommended issues are typically items that would make the BlueXP classification scanning and categorizing tasks run slower. These items do not need to be corrected - but you may want to address them.

If you have any "Required" issues, you should fix the issues and run the Prerequisites test script again.