System requirements and environment preparation#

This guide provides comprehensive system requirements and environment preparation steps for installing Package Security Manager. Before beginning installation, make sure your system meets all listed requirements and complete the necessary environment preparation steps for your system setup. We recommend installing Package Security Manager in a dedicated environment.

Hardware requirements#

CPU/Processor specifications#

  • Minimum 4 CPU/Processor cores

  • Must support x86-64-v2 architecture

  • Must support SSE4.2 instruction set

Memory#

  • Minimum 16GB RAM

Storage#

  • Minimum 1.5TB available storage

Note

When partitioning space, allocate 20GB for /var/lib and the remaining 1.5TB for /opt/anaconda.

Warning

Our recommended storage space only accounts for Anaconda’s default channels; if you wish to mirror additional channels or upload additional packages, please allocate additional storage accordingly.

Software requirements#

Operating system#

  • RHEL/CentOS 7.9 or later

  • Ubuntu 20.04 or later

  • Other Linux variants with full Docker/Podman support (contact Anaconda implementation team for current approved distributions)

Container runtime requirements#

Note

For Red Hat systems, please refer to the Default options for modifying docker daemon options.

To verify that the default log driver is set to json-file, run the following command:

docker info --format '{{.LoggingDriver}}'

Podman additional setup steps

Podman setup requires you to download and configure the podman-docker package. This package converts docker commands into their corresponding podman commands.

Note

You might need to work with your IT department to secure the podman-docker package.

  1. Install the required software by running the following commands:

    sudo yum install -y podman-docker
    sudo yum install netavark
    sudo curl -SL https://github.com/docker/compose/releases/download/v2.23.0/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
    
  2. Using your preferred file editor, open the /usr/share/containers/containers.conf file and verify that the network_backend= value is set to "netavark". If it is not, set the value now and save your changes.

  3. If necessary, make the docker-compose binary executable by running the following command:

    sudo chmod +x /usr/local/bin/docker-compose
    
  4. Create a symbolic link by running the following command:

    sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
    
  5. Enable the podman.socket by running the following commands:

    sudo systemctl enable --now podman.socket
    sudo systemctl status podman.socket
    
  6. Verify that the podman socket works by running the following command:

    sudo curl -w "\n" -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/_ping
    

External database requirements#

Package Security Manager supports Postgres versions 9.6 through 14.9 for external database server use. If you are using an external Postgres server, complete these steps to create the keycloak and anaconda users and assign them a role with appropriate permissions prior to installation.

External Postgres setup instructions

  1. Log in to your Postgres server.

  2. Create the keycloak and anaconda users, and set passwords for them by running the following commands:

    # Replace <PSM_PASSWORD> with a password for your anaconda user
    # Replace <KEYCLOAK_PASSWORD> with a password for your keycloak user
    CREATE USER "anaconda" WITH PASSWORD '<PSM_PASSWORD>';
    CREATE USER "keycloak" WITH PASSWORD '<KEYCLOAK_PASSWORD>';
    

    Tip

    You’ll need your keycloak and anaconda user passwords to complete installation. Save them in a secure location.

  3. Create the databases needed for your users by running the following commands:

    CREATE DATABASE anaconda OWNER "anaconda";
    CREATE DATABASE keycloak OWNER "keycloak";
    
  4. Create the role needed to configure permissions for the keycloak and anaconda users, then assign them the role by running the following commands:

    CREATE ROLE anaconda_role;
    GRANT ALL PRIVILEGES ON DATABASE anaconda TO anaconda_role;
    GRANT ALL PRIVILEGES ON DATABASE keycloak TO anaconda_role;
    
    ALTER ROLE anaconda_role WITH CREATEDB;
    ALTER ROLE anaconda_role WITH LOGIN;
    
    GRANT CONNECT ON DATABASE postgres TO anaconda_role;
    GRANT USAGE ON SCHEMA public TO anaconda_role;
    GRANT SELECT ON ALL TABLES IN SCHEMA public TO anaconda_role;
    ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO anaconda_role;
    
    GRANT anaconda_role TO "anaconda";
    GRANT anaconda_role TO "keycloak";
    

Security considerations#

The following security software must be temporarily disabled during installation:

  • SELinux

  • CrowdStrike

  • FIPS

  • Other system hardening software

Note

Security software can be re-enabled after installation is complete.

SSL requirements#

Package Security Manager can use TLS/SSL certificates to provide transport layer security for the cluster. If you do not have these certificates prior to installation, self-signed certificates can be generated during the initial installation. You can configure the platform to use your organization's TLS/SSL certificates after completing the installation.

You can purchase certificates commercially, use Let’s Encrypt, or generate them using your organization’s internal public key infrastructure (PKI) system. When using an internal PKI-signed setup, the CA certificate is stored on the file system. You will need to make sure that the root certificate of your certificate authority is trusted by the server running the application and the workstations used by users of the application.

In all cases, SSL configuration requires the following:

  • A certificate for the root certificate authority (CA)

  • An intermediate certificate chain

  • A server certificate

  • A private server key

DNS requirements#

Web browsers use domain names and web origins to ensure security isolation between sites. If you plan to use DNS, you must have it ready prior to installation. This DNS name is what users will use to access the application.

Port requirements#

External ports#

It is important to protect all services running on the node from outside access. The following ports need to be open to allow access to Package Security Manager via browser and (optionally) via SSH:

  • :443 nginx - only if you are using HTTPS

  • :22 ssh - optional; only if you need SSH

Internal ports#

Note

Internal port configuration is only necessary in a multi-node installation. For more information, contact an Anaconda implementation representative.

Package Security Manager uses several ports for internal communication between components. These ports are open on Docker containers and exposed only to the Docker network. These ports do not need to be open to the end user, but they do need to be reserved, as some bind to the local host network interfaces:

  • :5000 repo - Package Security Manager API

  • :5002 repo-proxy - Package Security Manager file serving API proxy

  • :5000 repo-dispatcher - Package Security Manager event dispatcher/handler (exposed only for Prometheus metrics)

  • :5000 repo-worker - Package Security Manager scheduled jobs worker (exposed only for Prometheus metrics)

  • :8080 keycloak - Keycloak’s /auth/* endpoints are proxied in Nginx

  • :5432 postgres - PostgreSQL database used by Package Security Manager and Keycloak

  • :6379 redis - Redis instance used by Package Security Manager services

  • :9090 prometheus - Prometheus is proxied in Nginx at /prometheus

Note

To change user passwords after installation:

  • For postgres, run \password postgres when in the shell of the Postgres container.

  • For redis, follow the instructions under Troubleshooting.

Tip

You can verify port usage by running docker ps and referencing the PORTS column.
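The internal ports listed above are meant to be reachable only on the Docker network or on loopback, and docker ps shows only what each container publishes. The following shell function is an added example, not part of the Package Security Manager documentation: it reads listener lines in the format produced by ss -ltn and prints every internal port whose local address is a wildcard or a routable host address rather than loopback. The port list, the function name, and the sample ss output are my own constructions.

```shell
#!/bin/sh
# Added example (not from the Package Security Manager docs): flag internal
# service ports that are listening on an interface reachable from outside
# the host. Ports are the internal ports from the documentation above.
INTERNAL_PORTS="5000 5002 8080 5432 6379 9090"

# exposed_internal_ports <text-in-`ss -ltn`-format>
# Prints "<address>:<port>" for each internal port bound to a non-loopback
# address (0.0.0.0, *, [::], or a specific host IP), one per line.
exposed_internal_ports() {
    printf '%s\n' "$1" | awk -v ports="$INTERNAL_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            local = $4
            # the port is everything after the last ":"; the address is the rest
            port = local; sub(/.*:/, "", port)
            addr = substr(local, 1, length(local) - length(port) - 1)
            if (!(port in want)) next
            if (addr == "127.0.0.1" || addr == "[::1]" || addr ~ /^127\./) next
            print addr ":" port
        }'
}

# Constructed sample of `ss -ltn` output: postgres on loopback (fine),
# redis on all interfaces (flagged), nginx on 443 (external by design, not
# in the internal list), prometheus on a host IP (flagged).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
LISTEN 0      511    0.0.0.0:6379       0.0.0.0:*
LISTEN 0      511    [::]:6379          [::]:*
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    10.0.0.5:9090      0.0.0.0:*'

# Live check on the installation host (requires iproute2's ss):
#   exposed_internal_ports "$(ss -ltn)"
```

Run against the constructed sample, the function reports 0.0.0.0:6379, [::]:6379 and 10.0.0.5:9090; an empty result on the real host means none of the internal services is bound beyond loopback.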

Network communication configuration#

To allow containers to communicate with one another on your host, enable IP address forwarding using these commands:

sysctl net.ipv4.conf.all.forwarding=1
sysctl net.ipv6.conf.all.forwarding=1
iptables -P FORWARD ACCEPT

System validation checks#

Caution

If you are using an air-gapped environment, complete the additional preparation steps for air-gapped environments before you run your system validation checks.

Once you have prepared your environment to meet the requirements, validate your system configuration by running the following commands:

Check processor and CPU details:

cat /proc/cpuinfo

Check available system memory:

cat /proc/meminfo

Check available disk space:

df -h

Check kernel version and processor type:

uname -a

Check operating system version:

cat /etc/os-release

Check Docker installation:

docker version

Check docker-compose version:

docker compose --version
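Reading the hardware figures off /proc/cpuinfo and /proc/meminfo by hand is error-prone. The script below is an added example, not part of the Package Security Manager documentation: it applies the minimums from the hardware requirements section (4 cores, SSE4.2, 16GB RAM) to those two files and prints a PASS/FAIL line per requirement. It goes slightly beyond the page by checking the full x86-64-v2 flag set (cx16, lahf_lm, popcnt, pni, sse4_1, sse4_2, ssse3) rather than SSE4.2 alone. The function names are my own; by default it reads the live files, and it accepts alternative paths so it can be run against saved copies.

```shell
#!/bin/sh
# Added example (not from the Package Security Manager docs): automated
# version of the CPU and memory checks in the system validation section.
MIN_CORES=4
MIN_MEM_KB=$((16 * 1024 * 1024))   # 16GB in kB, the unit /proc/meminfo uses
# CPU flags that together make up the x86-64-v2 level, as named in /proc/cpuinfo
X86_64_V2_FLAGS="cx16 lahf_lm popcnt pni sse4_1 sse4_2 ssse3"

# cpu_count <cpuinfo-file>: number of logical processors listed
cpu_count() {
    grep -c '^processor' "$1" || true
}

# has_sse42 <cpuinfo-file>: succeeds if the flags line advertises sse4_2
has_sse42() {
    grep '^flags' "$1" | grep -qw 'sse4_2'
}

# has_x86_64_v2 <cpuinfo-file>: succeeds only if every x86-64-v2 flag is present
has_x86_64_v2() {
    flags=$(grep '^flags' "$1" | head -n1)
    for f in $X86_64_V2_FLAGS; do
        printf '%s\n' "$flags" | grep -qw "$f" || return 1
    done
    return 0
}

# mem_total_kb <meminfo-file>: MemTotal value in kB
mem_total_kb() {
    awk '/^MemTotal:/ { print $2; exit }' "$1"
}

# preflight_check [cpuinfo-file] [meminfo-file]
# Prints one PASS/FAIL line per requirement; exit status 0 only if all pass.
preflight_check() {
    cpuinfo="${1:-/proc/cpuinfo}"
    meminfo="${2:-/proc/meminfo}"
    status=0

    cores=$(cpu_count "$cpuinfo")
    if [ "$cores" -ge "$MIN_CORES" ]; then echo "PASS cores=$cores (min $MIN_CORES)"
    else echo "FAIL cores=$cores (min $MIN_CORES)"; status=1; fi

    if has_sse42 "$cpuinfo"; then echo "PASS sse4_2 advertised"
    else echo "FAIL sse4_2 not advertised in CPU flags"; status=1; fi

    if has_x86_64_v2 "$cpuinfo"; then echo "PASS x86-64-v2 flag set present"
    else echo "FAIL x86-64-v2 flag set incomplete"; status=1; fi

    mem=$(mem_total_kb "$meminfo")
    if [ "$mem" -ge "$MIN_MEM_KB" ]; then echo "PASS memory=${mem}kB (min ${MIN_MEM_KB}kB)"
    else echo "FAIL memory=${mem}kB (min ${MIN_MEM_KB}kB)"; status=1; fi

    return $status
}

# Run against the live host:
#   preflight_check
```

Disk space is deliberately left to df -h as above, since the 1.5TB figure depends on how /opt/anaconda and /var/lib are partitioned on the particular host.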

Additional preparation steps for air-gapped environments#

Air-gapped installations of Package Security Manager require additional setup steps to obtain the package files that will populate your repository, then place them in the correct location.

Downloading packages and CVEs#

In this section, you will download Package Security Manager packages and CVEs.

Note

Downloading Package Security Manager Packages may take several hours.

Choose a set of commands to download the Anaconda repository and cve packages:

All platforms

Run the following commands to download the Anaconda repository for all platforms:

curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_msys2.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/cve.zip

Run the following commands to download the corresponding checksum files:

curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_msys2.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/cve.sha256

Note

Downloading the conda_msys2.zip and conda_r.zip files is optional.

Windows airgap files

Run the following commands to download the main repository for Windows systems only:

curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_win-32.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_win-64.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_noarch.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_msys2.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/cve.zip

Run the following commands to download the corresponding checksum files:

curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_win-32.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_win-64.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_noarch.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_msys2.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/cve.sha256

Run the following commands to download the r repository for Windows systems only:

curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r_win-32.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r_win-64.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r_noarch.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_msys2.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/cve.zip

Run the following commands to download the corresponding checksum files:

curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r_win-32.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r_win-64.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r_noarch.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_msys2.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/cve.sha256

Linux airgap files

Run the following commands to download the main repository for Linux systems only:

curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_linux-32.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_linux-64.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_linux-aarch64.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_linux-armv6l.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_linux-armv7l.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_linux-ppc64le.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_linux-s390x.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_noarch.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/cve.zip

Run the following commands to download the corresponding checksum files:

curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_linux-32.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_linux-64.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_linux-aarch64.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_linux-armv6l.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_linux-armv7l.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_linux-ppc64le.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_linux-s390x.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_noarch.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/cve.sha256

Run the following commands to download the r repository for Linux systems only:

curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r_linux-32.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r_linux-64.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r_linux-ppc64le.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r_noarch.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/cve.zip

Run the following commands to download the corresponding checksum files:

curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r_linux-32.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r_linux-64.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r_linux-ppc64le.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r_noarch.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/cve.sha256

macOS airgap files

Run the following commands to download the main repository for macOS systems only:

curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_osx-32.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_osx-64.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_osx-arm64.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_noarch.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/cve.zip

Run the following commands to download the corresponding checksum files:

curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_osx-32.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_osx-64.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_osx-arm64.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_noarch.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/cve.sha256

Run the following commands to download the r repository for macOS systems only:

curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r_osx-64.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r_noarch.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/cve.zip

Run the following commands to download the corresponding checksum files:

curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r_osx-64.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r_noarch.sha256
curl -O https://anaconda-airgap-te.s3.amazonaws.com/cve.sha256

Caution

Do not unzip the archive files you download. These files must be validated before being moved into the correct directory location as part of installation.

Validating Packages and CVEs#

To ensure that the files you’ve downloaded have not been tampered with, verify the integrity of each .zip file: generate its SHA-256 cryptographic hash (or “checksum”), display the expected hash stored in the corresponding .sha256 file, and check that the two values match. Choose the set of commands that corresponds with your setup:

File verification commands

If you downloaded your repository files on a Windows machine, run the following commands to view the hashes for the files:

# Replace <FILE> with a file that you downloaded
Get-FileHash <FILE>.zip -Algorithm SHA256
Get-Content <FILE>.sha256

If you downloaded your repository files on a Linux or macOS machine, run the following commands to view the hashes for the files:

# Replace <FILE> with a file that you downloaded
sha256sum <FILE>.zip
cat <FILE>.sha256

Note

You must run these commands for each file you downloaded.
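Comparing two 64-character digests by eye for a dozen files is where mistakes happen. The script below is an added example, not part of the Package Security Manager documentation: it computes the digest of each <FILE>.zip, extracts the expected digest from <FILE>.sha256, and reports OK or MISMATCH per file with a non-zero exit status on any failure. It accepts a sidecar holding either a bare digest or a sha256sum-style "<digest>  <name>" line, since the page does not state which form the .sha256 files use, and it falls back to shasum on macOS. The function names are my own. The same comparison applies to any other binary downloaded during preparation, such as docker-compose in the Podman setup steps, if you have its published digest.

```shell
#!/bin/sh
# Added example (not from the Package Security Manager docs): verify each
# downloaded archive against its .sha256 sidecar without reading digests by eye.

# sha256_of <file>: print the lowercase hex SHA-256 digest of the file
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'   # macOS without coreutils
    fi
}

# expected_digest <sidecar-file>: first 64-hex-digit token in the .sha256 file,
# lowercased so a digest written in uppercase still compares equal
expected_digest() {
    grep -oE '[A-Fa-f0-9]{64}' "$1" | head -n1 | tr 'A-F' 'a-f'
}

# verify_archive <name>: check <name>.zip against <name>.sha256
# Prints "OK <name>" or "MISMATCH <name>"; exit status 0 only on a match.
verify_archive() {
    archive="$1.zip"
    sidecar="$1.sha256"
    if [ ! -f "$archive" ] || [ ! -f "$sidecar" ]; then
        echo "MISSING $1 (need both $archive and $sidecar)"
        return 2
    fi
    actual=$(sha256_of "$archive")
    expected=$(expected_digest "$sidecar")
    if [ -n "$expected" ] && [ "$actual" = "$expected" ]; then
        echo "OK $1"
        return 0
    fi
    echo "MISMATCH $1 (expected ${expected:-<none>}, got $actual)"
    return 1
}

# verify_all <name>...: verify every archive; exit status 0 only if all match
verify_all() {
    failures=0
    for name in "$@"; do
        verify_archive "$name" || failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# From the download directory, for the "all platforms" set:
#   verify_all conda_main conda_msys2 conda_r cve
```

Treat any MISMATCH as a stop condition: download the archive and its sidecar again rather than moving the file into place.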

Once you have completed validating your packages and CVEs, perform your system validation checks.