
On-Premises Prerequisites

Note

Chef Automate 4.10.1 released on 6th September 2023 includes improvements to the deployment and installation experience of Automate HA. Please read the blog to learn more about key improvements. Refer to the pre-requisites page (On-Premises, AWS) and plan your usage with your customer success manager or account manager.

Warning

The following prerequisites apply to the standard Chef Automate HA setup. Contact your customer success manager or account manager if you use a version not listed here, or a third-party extension or software.

Before installing Chef Automate HA in on-premises deployment mode, ensure you have taken a quick tour of this prerequisite page.

Chef Automate Architecture

Chef recommends using an 11-node cluster for a standard Chef Automate HA on-premises deployment, as detailed in the table below:

Service Type        Count
Chef Automate       2
Chef Infra Server   2
PostgreSQL DB       3
OpenSearch DB       3
Bastion Machine     1

This topology requires two load balancers and two DNS entries with certificates. Refer to the architectural page for further guidance.

Chef Automate HA requires a high availability Chef Infra Server deployment; it does not support a standalone Chef Infra Server deployment.

You can deploy a Chef Automate high availability cluster on AWS or Google Cloud Platform (GCP) or Azure VMs.

On-premises deployments of Chef Automate HA support backups to a file system (FS) or to object storage (S3/MinIO/Google Cloud Storage).

Software Requirements

The software requirements for nodes in the cluster and for other external Chef and non-Chef tools are discussed below.

Node Software Requirements

The operating system and the supported version for different nodes in the on-premises deployment of Automate HA are mentioned below:

Operating System                        Supported Version
Red Hat Enterprise Linux (64-bit OS)    7, 8, 9 (see note below)
Ubuntu (64-bit OS)                      16.04.x, 18.04.x, 20.04.x
CentOS (64-bit OS)                      7
Amazon Linux 2 (64-bit OS)              2 (kernel 5.10)
SUSE Linux Enterprise Server            12.5
Oracle Linux                            9

On RHEL 8 and 9, SELinux is set to enforcing by default; for RHEL 8 and later versions the SELinux configuration must be set to permissive. Red Hat Enterprise Linux derivatives include Amazon Linux v1 (using RHEL 6 packages) and v2 (using RHEL 7 packages).

Minimum Supported Chef Tool Versions

Current Automate HA supports integration with the following Chef tools:

  • Chef Infra Server version: 14.0.58+
  • Chef InSpec version: 4.3.2+
  • Chef Infra Client: 17.0.242+
  • Chef Habitat: 0.81+

Chef Manage integration is not supported in the current Automate version.

Supported External Software

Current Automate HA integrates with the following non-Chef tools:

  • SQL Database: PostgreSQL: 13.14
  • NoSQL Database: OpenSearch: 1.3.7
  • Load Balancer: NGINX: 1.21.3, HAProxy: 2.2.18, or AWS Application Load Balancer

Hardware Requirements

Note

  • Refer to Performance Benchmarks for more details on the hardware requirements.
  • Make sure the hardware provisioned is not below the recommended Minimum Hardware Requirement listed below.
  • Contact your network manager to set up the above prerequisites.
  • We recommend that all the hardware/VMs be in the same region/data center.

Minimum Hardware Requirement

Instance           Count  vCPU  RAM   Storage Size (/hab)  AWS Machine Type  Azure Machine Type  GCP Machine Type  Additional Space
Chef Automate      2      2     8 GB  200 GB               m5.large          Standard_D2as_v4    n2-standard-2     /var/tmp=5% /root=20%
Chef Infra Server  2      2     8 GB  200 GB               m5.large          Standard_D2as_v4    n2-standard-2     /var/tmp=5% /root=20%
PostgreSQL DB      3      2     8 GB  200 GB               m5.large          Standard_D2as_v4    n2-standard-2     /var/tmp=5% /root=20%
OpenSearch DB      3      2     8 GB  200 GB               m5.large          Standard_D2as_v4    n2-standard-2     /var/tmp=5% /root=20%
Bastion Machine    1      2     8 GB  200 GB               m5.large          Standard_D2as_v4    n2-standard-2     /var/tmp=5% /root=20%

Note

For production, OpenSearch volume size also depends on the number of nodes and frequency of Chef Infra Client runs and compliance scans.

Load Balancer

Load Balancers in on-premises deployment need to be set up according to Chef Automate HA Architecture.

You can set up your load balancer using:

Firewall Checks

The Chef Automate HA cluster requires multiple ports for the frontend and backend servers to operate effectively.

The table below lists, for each source node type, the destination node types it must reach and the port numbers that must be open on both the source and the destination.

Source                  Destination             Ports
Chef Automate           PostgreSQL              7432, 9631
Chef Automate           OpenSearch              9200, 9631
Chef Infra Server       PostgreSQL              7432, 9631
Chef Infra Server       OpenSearch              9200, 9631
Chef Infra Server       Automate Load Balancer  443
PostgreSQL              PostgreSQL              9631, 7432, 5432, 6432, 9638, UDP 9638
OpenSearch              OpenSearch              9631, 9200, 9300, 9638, UDP 9638
Bastion                 Chef Automate           22, 9631, 9638, 7799
Bastion                 Chef Infra Server       22, 9631, 9638, 7799
Bastion                 PostgreSQL              22, 9631, 9638, 7432, 7799
Bastion                 OpenSearch              22, 9631, 9638, 9200, 7799
Bastion                 Bastion                 22
Automate Load Balancer  Chef Automate           443, 80
Automate Load Balancer  Chef Infra Server       443, 80

Note

Custom SSH port is supported, but use the same port across all the machines.

Port usage definitions

Protocol   Port Number  Usage
TCP        22           SSH to configure services
TCP        9631         Habitat HTTP API
TCP        443          Allows users to reach the UI / API
TCP        80           Optional; allows users to be redirected to 443
TCP        9200         OpenSearch API HTTPS access
TCP        9300         Allows OpenSearch nodes to distribute data within the cluster
TCP/UDP    9638         Habitat gossip (UDP)
TCP        7432         HAProxy, which redirects to the PostgreSQL leader
TCP        6432         Re-elects the PostgreSQL leader if the current leader is down
TCP        5432         Allows PostgreSQL nodes to connect with each other
TCP/UDP    7799         Allows the bastion to connect to the automate-verify service
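A preflight check for the port matrix and port definitions above, added here as an example (it is not Chef's own tooling). It transcribes the source-to-destination TCP ports into a table, probes them with a plain TCP connect, and lists UDP 9638 separately because a connect cannot verify UDP; the role names and the placeholder addresses are assumptions.

```python
import socket

# Source role -> destination role -> TCP ports that must be reachable,
# transcribed from the firewall matrix above.
REQUIRED_TCP = {
    "automate":     {"postgresql": [7432, 9631], "opensearch": [9200, 9631]},
    "infra_server": {"postgresql": [7432, 9631], "opensearch": [9200, 9631],
                     "automate_lb": [443]},
    "postgresql":   {"postgresql": [9631, 7432, 5432, 6432, 9638]},
    "opensearch":   {"opensearch": [9631, 9200, 9300, 9638]},
    "bastion":      {"automate": [22, 9631, 9638, 7799],
                     "infra_server": [22, 9631, 9638, 7799],
                     "postgresql": [22, 9631, 9638, 7432, 7799],
                     "opensearch": [22, 9631, 9638, 9200, 7799],
                     "bastion": [22]},
    "automate_lb":  {"automate": [443, 80], "infra_server": [443, 80]},
}
# Habitat gossip additionally needs UDP 9638 within the PostgreSQL and
# OpenSearch groups; a TCP connect cannot verify UDP, so it is only listed.
REQUIRED_UDP = {"postgresql": {"postgresql": [9638]},
                "opensearch": {"opensearch": [9638]}}

def required_ports(src_role, dst_role, proto="tcp"):
    """Ports src_role must reach on dst_role (empty list if none required)."""
    table = REQUIRED_TCP if proto == "tcp" else REQUIRED_UDP
    return sorted(table.get(src_role, {}).get(dst_role, []))

def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_from(src_role, inventory, probe=tcp_reachable):
    """Probe every destination src_role must reach; return (role, host, port)
    tuples that were blocked. inventory maps role -> list of addresses, and
    probe is injectable so the matrix logic can be exercised offline."""
    failures = []
    for dst_role, ports in REQUIRED_TCP.get(src_role, {}).items():
        for host in inventory.get(dst_role, []):
            failures += [(dst_role, host, p) for p in ports if not probe(host, p)]
    return failures

if __name__ == "__main__":  # constructed placeholder inventory; use real addresses
    hosts = {"automate": ["10.0.1.10"], "postgresql": ["10.0.3.10"]}
    print(check_from("bastion", hosts) or "all required ports reachable")
```

Run it once per source role (from the bastion, then from each node type) with that role's name and your inventory; a non-empty result is the list of rules still to open.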

Certificates

Generate the certificates using the recommended tools and the supported algorithms and versions listed below:

  • OpenSSL: 1.0.2zb-fips
  • OpenSSL Algorithms: PBE-SHA1-3DES, RSA (2048), SHA-256
  • Certificate Format: X.509 v3 (PEM format); the private key is in PKCS8 format

To understand how to generate certificates, refer to the Certificate Generation documentation.

Deployment Specific Pre-requisites

The on-premises deployment specific pre-requisites are as follows:

Infra Server

  • Chef Automate HA comes with a bundled Infra Server, and we recommend not using an external Infra Server with Automate HA. Using an external server loses the Automate HA functionality, and things may not work as expected.

Access

  • All Virtual Machines or Machines should be up and running.
  • A local user hab and a local group hab, linked together, are needed to complete the deployment process successfully.
  • If they do not exist, the SSH user must have privileges to create local users and groups so that the deployment process can create the required local user hab and local group hab.
  • Currently, only local Linux users and groups are supported for the installation flow; AD- or LDAP-managed users on the nodes are not supported.
  • The SELinux configuration should be either disabled or permissive.

Storage Space

  • Operating System Root Volume (/) must be at least 40GB. Temporary space (/var/tmp) must be at least 10GB.
  • Separate Hab volume should be provisioned and mounted at /hab with at least 200GB for all nodes except OpenSearch.
  • For OpenSearch nodes, /hab volume should be calculated based on the data retention policy, and use the Performance Benchmarks for estimation.
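A node-level preflight for the Access and Storage Space requirements above, added here as an example (not Chef's own tooling). It reads the volume sizes, the hab user and group, and the SELinux mode from the local node and reports what falls short; the role names passed to it are an assumption, and /hab is skipped for OpenSearch nodes because the page sizes it from the retention policy rather than a fixed minimum.

```python
import grp
import os
import pwd
import shutil

GB = 1024 ** 3
MIN_VOLUME_GB = {"/": 40, "/var/tmp": 10, "/hab": 200}  # from Storage Space above

def _exists(lookup, name):
    try:
        lookup(name)
        return True
    except KeyError:
        return False

def _selinux_enforcing():
    # /sys/fs/selinux/enforce reads "1" when enforcing; absent when disabled.
    try:
        with open("/sys/fs/selinux/enforce") as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False

def gather_facts(role):
    """Collect facts from the local node; role is e.g. "automate" or "opensearch"."""
    volumes = {m: shutil.disk_usage(m).total / GB
               for m in MIN_VOLUME_GB if os.path.isdir(m)}
    return {"role": role, "volumes": volumes,
            "hab_user": _exists(pwd.getpwnam, "hab"),
            "hab_group": _exists(grp.getgrnam, "hab"),
            "selinux_enforcing": _selinux_enforcing()}

def evaluate(facts):
    """Return the list of failed prerequisites; an empty list means the node passes."""
    failures = []
    for mount, minimum in MIN_VOLUME_GB.items():
        if mount == "/hab" and facts["role"] == "opensearch":
            continue  # sized from the retention policy, no fixed minimum
        size = facts["volumes"].get(mount)
        if size is None:
            failures.append("%s is not mounted" % mount)
        elif size < minimum:
            failures.append("%s is %.0f GB, needs at least %d GB" % (mount, size, minimum))
    if not (facts["hab_user"] and facts["hab_group"]):
        failures.append("local user/group 'hab' missing; SSH user must be able to create them")
    if facts["selinux_enforcing"]:
        failures.append("SELinux is enforcing; set it to permissive or disabled")
    return failures

if __name__ == "__main__":
    print(evaluate(gather_facts("automate")) or "prerequisites met")
```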

SSH User

  • SSH users should use key-based SSH login without a passphrase.
  • The user's SSH key should be generated using one of the supported algorithms, ed25519 or RSA (2048), without a passphrase.
  • This SSH user should be a local Linux user on all the machines.
  • This SSH user should have sudo privileges on all the machines.
  • The SSH user should have write permission on the nodes.
  • The SSH user should access all machines using the same SSH private key.
  • The SSH user should have execute permissions on the /tmp directory.

Cluster Setup

  • Load balancers should be set up according to the Chef Automate HA Architecture.
  • Network ports should be opened as required by the Chef Automate HA Architecture, as explained on the Security and Firewall page.
  • DNS is configured to redirect chefautomate.example.com to the Primary Load Balancer.
  • DNS is configured to redirect chefinfraserver.example.com to the Primary Load Balancer.
  • Domain Certificates should be created and added for chefautomate.example.com, and chefinfraserver.example.com in the Load Balancers.
  • We expect the customer to have all the cluster-related items ready before deployment. The customer's own experts set up items such as the load balancers, ports, and DNS with certificates.

Config Changes

  • A config patch to the whole application results in downtime. For example, changing or updating anything in OpenSearch or PostgreSQL restarts those services, which in turn restarts everything.
  • Certificate rotation also changes the system's configuration and therefore restarts the whole application.

To learn more about the above deployment, visit our on-premises deployment page.

External Managed Databases

Set up the databases with password-based authentication.

AWS Managed

  • AWS RDS PostgreSQL: 13.14
  • AWS OpenSearch: 1.3

Configure the backup only with S3 when using AWS managed databases.

Customer Managed

  • PostgreSQL: 13.14
  • OpenSearch: 1.3.7

Upgrade

Things to keep in mind while upgrading are:

  • Backend upgrades restart the backend services, after which the cluster takes some time to become healthy again.
  • The Upgrade command currently supports only minor upgrades.
  • A downtime will occur while upgrading the frontend, backend or the workspace.
  • Rolling upgrades are not supported.

Disaster Recovery

Chef Automate HA supports disaster recovery in active/passive mode. The primary cluster will be in active mode, and the disaster recovery cluster will be in passive mode.

Active/Active Disaster Recovery is not supported right now as we do not support streaming of data across clusters and automatic fail-over switching of clusters.

The requirements for disaster recovery setup (Active/Passive) are:

  • Two identical clusters located in different data centers or cloud provider regions.
  • Network Attached Storage (NAS) or Object Store (S3/MinIO/Google cloud storage) should be available in both data centers/regions.
  • Set up scheduled jobs to run backup and restore commands on both clusters. We recommend using cron to schedule the jobs.

To know more about the on-premises deployment disaster recovery, visit our Disaster Recovery Setup page.

Migration

Common Notes

  • Migrations involve downtime depending on how much data you have and the type of setup you are running.

  • Migration cannot be done from more than 1 Standalone Automate, more than 1 Standalone Infra Server, or more than 1 Chef Backend to a Single Automate HA cluster.

  • Automate HA will always have Chef Automate and Chef Infra Server running in the cluster.

Existing System: Chef Automate
  Supported Setup Type: Standalone
  Minimum Eligible System Version: Automate 2020XXXXXX
  Pre-requisite Before Migration: To migrate to the Managed OpenSearch Automate HA cluster, the current standalone Chef Automate version should be at most 4.3.0.

Existing System: Chef Backend
  Supported Setup Type: Chef Backend Cluster
  Minimum Eligible System Version: Backend 2.X and Infra Server 14.X
  Maximum Eligible System Version: Chef Infra Server 15.4.0
  Pre-requisite Before Migration: Only a Chef Backend using PostgreSQL storage for cookbooks should migrate to Automate HA.

Existing System: Chef Infra Server
  Supported Setup Type: Standalone, Tiered
  Minimum Eligible System Version: Infra Server 14.XXX
  Maximum Eligible System Version: Chef Infra Server 15.4.0
  Pre-requisite Before Migration: Only a Chef Infra Server using PostgreSQL storage for cookbooks should migrate to Automate HA.

Existing System: A2HA
  Supported Setup Type: PS Lead A2HA On-Premises Deployment
  Minimum Eligible System Version: Chef Automate version 20201230192246
  Maximum Eligible System Version: Chef Automate version 20220223121207
  Pre-requisite Before Migration: The A2HA cluster-mounted backup file system should also be attached to the Automate HA cluster. In case of in-place migration, the volume holding /hab should have more than 60% free space on each node.

Note

  • If you have modified the standard installation setup described above, migration to Automate HA is not supported.
  • We don't recommend in-place migration of A2HA or Chef Backend to Automate HA, because system-level changes such as ports, system users, and groups may conflict with a successful installation of Automate HA. Also, no easy rollback process is available, which can lead to longer downtime or loss of the existing setup.

Backup and Restore

In on-premises deployments of Automate HA, we support Network File System (NFS) or object storage (S3/MinIO/Google Cloud Storage) for taking backups.

Encrypted S3 buckets are only supported with Amazon S3 managed keys (SSE-S3).
