Standard installation#

This topic provides guidance on installing Package Security Manager and verifying your installation.

Note

To successfully install Package Security Manager, you must have already prepared your environment according to the Standard environment preparation topic.

Installing Package Security Manager#

  1. Download your installer by running the following command:

    # Replace <INSTALLER_LOCATION> with the provided installer URL
    curl -O <INSTALLER_LOCATION>
    

    Caution

    If you do not have root access, you must add yourself to the docker group by running the following command before you install:

    # Replace <USERNAME> with your Anaconda username
    usermod -a -G docker <USERNAME>
    
  2. Run one of the following installation commands. Choose the command that corresponds with your setup.

    # Replace <INSTALLER> with the installer you just downloaded
    # Replace <FQDN> with the fully qualified domain name of your Package Security Manager instance
    sudo bash <INSTALLER> --keep -- --domain <FQDN> --default-user anaconda 2>&1 | tee as.install.output
    

    Note

    To include Grafana monitoring dashboards in your installation of Package Security Manager, add the following argument to your installation command:

    --grafana-monitor-stack
    

    If you are using TLS/SSL certificates, run this command to install Package Security Manager:

    # Replace <INSTALLER> with the installer you just downloaded
    # Replace <FQDN> with the fully qualified domain name of your Package Security Manager instance
    # Replace <PATH_TO_CERT> with the path to your TLS/SSL cert
    # Replace <PATH_TO_KEY> with the path to your TLS/SSL key
    sudo bash <INSTALLER> --keep -- --domain <FQDN> --tls-cert <PATH_TO_CERT> --tls-key <PATH_TO_KEY> --default-user anaconda 2>&1 | tee as.install.output
    

    Note

    To include Grafana monitoring dashboards in your installation of Package Security Manager, add the following argument to your installation command:

    --grafana-monitor-stack
    

    Caution

    You must be using Postgres version 9.6 or later and Redis version 6.0 or later.

    # Replace <INSTALLER> with the installer file you just downloaded
    # Replace <FQDN> with the fully qualified domain name of your Package Security Manager instance
    # Replace <PATH_TO_CERT> with the path to your TLS/SSL cert
    # Replace <PATH_TO_KEY> with the path to your TLS/SSL key
    # Replace <EXTERNAL_PS/RD_INSTANCE_IP4> with your external instance IP4 address (in both locations)
    # Replace <ASSIGNED_PORT> with the port used for communication
    # Replace <POSTGRES_USERID> with your postgres user ID
    # Replace <POSTGRES_PASSWORD> with your postgres password
    chmod +x <INSTALLER>
    bash <INSTALLER> --keep -- --domain <FQDN> --tls-cert <PATH_TO_CERT> --tls-key <PATH_TO_KEY> -e redis://<EXTERNAL_PS/RD_INSTANCE_IP4> -h <EXTERNAL_PS/RD_INSTANCE_IP4> -p <ASSIGNED_PORT> -u <POSTGRES_USERID> -pw <POSTGRES_PASSWORD> --default-user anaconda -y 2>&1 | tee as.install.output
    

    Note

    To include Grafana monitoring dashboards in your installation of Package Security Manager, add the following argument to your installation command:

    --grafana-monitor-stack
    

The installation process creates three distinct user profiles: one for administrating Package Security Manager, one for administrating Keycloak, and one for accessing Prometheus. Login credentials for these profiles are shown during the installer output. Use these credentials for your initial logins, and update them as soon as possible.

Example output
KeyCloak admin user: 'admin'
KeyCloak admin password: 'B1EpU33Wasdfh0Z64LL767cD'

Updating Keycloak settings ...
Default user: 'anaconda' password: '8aZ6302Ssd34ge415Ld97I'

Prometheus admin user:
username=admin
Generated password for prometheus
password=34ab35y63CUJak6asdf2Am7z40z7lhG8

Note

The Prometheus password cannot currently be updated. Save your password somewhere secure!

Note

The installer directory contains both the installation script (install.sh) and the docker-compose.yml file, which defines how Package Security Manager services are run.

By default, /opt/anaconda/repo is the file path for the installation folder. You can either create the folder manually by assigning write access to the current user, or use the -b (--base-install-dir) parameter to specify the folder for your installation.

Warning

Never delete the directory containing the docker-compose.yml and .env files.

Verifying your installation#

Services are one-to-one to containers. Therefore, verifying that all major containers are up and not restarting or failing is a good first step.

  1. Return to your terminal and run the following command:

    docker ps
    

    You should see output similar to the following:

  2. Verify that the following containers appear with a STATUS of Up (not stuck in a restart loop) in the output:

    repo_api
    repo_worker
    repo_dispatcher
    proxy
    nginx_proxy
    keycloak
    redis
    postgres
    

    These containers should always be running. However, you might see additional containers, depending on the phase of installation or your initial configuration choices:

    Additional containers
    loki
    grafana
    promtail
    prometheus
    node_exporter
    redis-exporter
    postgres-exporter
    
  3. Open a browser and navigate to the domain that you supplied when executing the installer. If you are able to successfully authenticate and are asked for a license, Package Security Manager has installed successfully.

Advanced options#

Further installation options can be seen by running the following command:

# Replace <INSTALLER> with your installer file
./<INSTALLER>/install.sh --help

This will present you with the following list of possible arguments:

Arguments (shorthand)

Arguments (longhand)

Description

-r

--registry

Docker registry, url:port (default uses the system Docker daemon)

-h

--pg-host

Postgresql host (default is on internal Postgres instance)

-p

--pg-port

Postgresql port number

-u

--pg-user

Postgresql username

-pw

--pg-password

Postgresql password (will set the internal Postgres instance password)

-e

--redis

Redis URL (default is an internal Redis instance)

-d

--domain

External domain (or IP address) of host system

-c

--tls-cert

Path to TLS certification file for optionally configuring HTTPS (includes the host certificate and all intermediate certificates, but not the Root CA)

-k

--tls-key

Path to TLS key file for optionally configuring HTTPS

--default-user

Default user name

--custom-ca-cert

Path to custom CA certification, which should be respected

--custom-cve-source

For Airgapped environments provide a custom source for CVE data

--upgrade-from

Previous install folder

-l

--no-image-load

Don’t load Docker images

-y

--no-prompt

Answer yes to all prompts

-- help

Print help text