Installation
This section describes the steps you must perform to install the Hyperscale Compliance Engine.
Hyperscale Compliance Installation
Pre-requisites
Ensure that you meet the following requirements before you install the Hyperscale Compliance Engine.
- Download the Hyperscale tar file (
delphix-hyperscale-masking-4.1.0.0.tar.gz
) from download.delphix.com. - You must create a user that has permissions to install Docker and Docker compose.
- Install Docker on VM. Minimum supported docker version is 20.10.7.
- Install Docker compose on VM. Minimum supported docker-compose version is 1.29.2.
-
Check if docker and docker-compose are installed by running following command:
-
docker-compose -v
The above command displays an output similar to the following:
docker-compose version 1.29.2, build 5becea4c
-
docker -v
The above command displays an output similar to the following:
Docker version 20.10.7, build 3967b7d
-
-
Download and install Linux based Oracle’s instant client on the machine where the Hyperscale Compliance Engine will be installed. The client should essentially include
instantclient-basic
(Oracle shared libraries) along withinstantclient-tools
containingOracle’s SQL*Loader
client. Both the packagesinstantclient-basic
andinstantclient-tools
should be unzipped in the same directory. A group ownership id of 50 with a permission mode of 550 or a user id of 65436 with a permission mode of 500 must be set recursively on the directory where Oracle’s instant client packages will be installed. This is required by the Hyperscale Compliance Engine to be able to read or execute from the directory.
Procedure
Perform the following procedure to install the Hyperscale Compliance Engine.
-
Unpack the Hyperscale tar file.
tar -xzf delphix-hyperscale-masking-4.1.0.0.tar.gz
-
Load the extracted tars into Docker.
docker load --input controller-service.tar docker load --input unload-service.tar docker load --input masking-service.tar docker load --input load-service.tar docker load --input proxy.tar
-
Create an NFS shared mount, that will act as a Staging Area, on the Hyperscale Compliance Engine host where the Hyperscale Compliance engine will perform read/write/execute operations:
-
Create a ‘Staging Area’ directory. For example:
/mnt/hyperscale/staging_area
. The user(s) within each of the docker containers part of the Hyperscale Compliance Engine and the appliance OS user(s) in the Continuous Compliance Engine(s), all have the user id as 65436 and/or group ownership id as 50. As such, the ‘staging_area’ directory, along with the directory(‘hyperscale’) one level above, require the following permissions, based on the UID/GID of the OS user, so that the Hyperscale Compliance Engine and the Continuous Compliance Engine(s) can perform read/write/execute operations on the staging area:- If Hyperscale Compliance OS user has a UID of 65436, then the ‘staging_area’ directory, along with the directory(‘hyperscale’) one level above, must have UID of 65436 and 700 permission mode.
- If Hyperscale Compliance OS user has a GID of 50 and does not have a UID of 65436, then the ‘staging_area’ directory, along with the directory(‘hyperscale’) one level above, must have GID of 50 and 770 permission mode.
-
Mount the NFS shared directory on the staging area directory (
/mnt/hyperscale/staging_area
). This NFS shared storage can be created and mounted in two ways as detailed in the NFS Server Installation section. Based on the umask value for the user which is used to mount, the permissions for the staging area directory could get altered after the NFS share has been mounted. In such cases, the permissions(i.e 770 or 700 whichever applies based on the point 3a) must be applied again on the staging area directory.Note
The directory created in step 3a (‘staging_area’) will be provided as the ‘mountName’ and the corresponding shared path from the NFS file server as the ‘mountPath’ in the MountFileSystems API.
-
-
Configure the following docker container volume bindings for the docker containers by editing the
docker-compose.yaml
file from tar:- For each of the docker containers, except the ‘proxy’ container, add a volume entry binding the staging area path (from 3(a),
/mnt/hyperscale
) to the Hyperscale Compliance Engine container path(/etc/hyperscale
) as a volume binding under the ‘volumes’ section. - For load-service docker container, add a volume entry that binds the path of the directory on the host where both the
Oracle instant Client
packages were unzipped to the path on the container (/usr/lib/instantclient
) under the ‘volumes’ section. -
[Optional] Some data (for example, logs, configuration files, etc.) that is generated inside the docker containers may be useful to debug possible errors or exceptions while running the hyperscale jobs, and as such it may be beneficial to persist these logs outside docker containers. The following data can be persisted outside the docker containers:
- The logs generated for each service i.e. unload, controller, masking, and load services.
- The
sqlldr
utility logs and control files atopt/sqlldr
location in the load-service container.
If you would like to persist the above data on your host, then you have the option to do the same by setting up volume bindings in the respective service as indicated below, that map locations inside the docker containers to locations on the host in the
docker-compose.yaml
file. The host locations again must have a group ownership id of 50 with a permission mode of 770 or a user id of 65436 with a permission of 700, due to the same reasons as highlighted in step 3a.An example
docker-compose.yaml
file looks like the following:networks: hyperscale-net: null services: controller-service: depends_on: - unload-service - masking-service - load-service environment: - API_KEY_CREATE=${API_KEY_CREATE:-false} - EXECUTION_STATUS_POLL_DURATION=${EXECUTION_STATUS_POLL_DURATION:-12000} - LOGGING_LEVEL_COM_DELPHIX_HYPERSCALE=${LOG_LEVEL_CONTROLLER_SERVICE:-INFO} - API_VERSION_COMPATIBILITY_STRICT_CHECK=${API_VERSION_COMPATIBILITY_STRICT_CHECK:-false} - LOAD_SERVICE_REQUIREPOSTLOAD=${LOAD_SERVICE_REQUIRE_POST_LOAD:-true} healthcheck: interval: 30s retries: 3 start_period: 30s test: curl --fail --silent http://localhost:8080/actuator/health | grep UP || exit 1 timeout: 25s image: delphix-controller-service-app:${VERSION} init: true networks: - hyperscale-net restart: unless-stopped volumes: - hyperscale-controller-data:/data:rw load-service: environment: - LOGGING_LEVEL_COM_DELPHIX_HYPERSCALE=${LOG_LEVEL_LOAD_SERVICE:-INFO} - SQLLDR_BLOB_CLOB_CHAR_LENGTH=${SQLLDR_BLOB_CLOB_CHAR_LENGTH:-20000} image: delphix-load-service-app:${VERSION} init: true networks: - hyperscale-net restart: unless-stopped volumes: - hyperscale-load-data:/data:rw - /opt/oracle/instantclient_21_5:/usr/lib/instantclient - /home/delphix/nfs_mounts:/etc/hyperscale:rw masking-service: environment: - LOGGING_LEVEL_COM_DELPHIX_HYPERSCALE=${LOG_LEVEL_MASKING_SERVICE:-INFO} - INTELLIGENT_LOADBALANCE_ENABLED=${INTELLIGENT_LOADBALANCE_ENABLED:-true} image: delphix-masking-service-app:${VERSION} init: true networks: - hyperscale-net restart: unless-stopped volumes: - hyperscale-masking-data:/data:rw - /home/delphix/cert:/etc/config/cert - /home/delphix/nfs_mounts:/etc/hyperscale:rw proxy: depends_on: - controller-service image: delphix-hyperscale-masking-proxy:${VERSION} init: true networks: - hyperscale-net ports: - 443:443 restart: unless-stopped unload-service: environment: - LOGGING_LEVEL_COM_DELPHIX_HYPERSCALE=${LOG_LEVEL_UNLOAD_SERVICE:-INFO} - UNLOAD_FETCH_ROWS=${UNLOAD_FETCH_ROWS:-10000} image: delphix-unload-service-app:${VERSION} init: true networks: - hyperscale-net restart: unless-stopped volumes: - hyperscale-unload-data:/data:rw - /home/delphix/nfs_mounts:/etc/hyperscale:rw - <host SQLLDR directory>:opt/sqlldr - <host container log directory>: /logs version: '3.7' volumes: hyperscale-controller-data: null hyperscale-load-data: null hyperscale-masking-data: null hyperscale-unload-data: null
- For each of the docker containers, except the ‘proxy’ container, add a volume entry binding the staging area path (from 3(a),
-
(OPTIONAL) To modify the default Hyperscale configuration properties for the application, see Configuration Settings.
-
Run the application from the same location where you extracted the
docker-compose.yaml
file.docker-compose up -d
-
Run the following command to check if the application is running. The output of this command should shows five containers up and running.
docker-compose ps
-
Run the following command to access application logs of a given container.
docker logs -f <service_container_name>
Note
Service container name can be accessed by output of the command
docker-compose ps
. -
Run the following command to stop the application (if required).
sudo docker-compose down
-
-
Once the application starts, an API key will be generated that will be required to authenticate with the Hyperscale Compliance engine. This key will be found in the docker container logs of the controller service.
Docker logs -f <service_container_name>
Note
Service container name can be accessed by output of the command
docker-compose ps
.The above command displays an output similar to the following where the string
NEWLY GENERATED API KEY
can be grepped from the log::2022-05-18 12:24:10.981 INFO 7 --- [ main] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext 2022-05-18 12:24:10.982 INFO 7 --- [ main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 9699 ms NEWLY GENERATED API KEY: 1.89lPH1dHSJQwHuQvzawD99sf4SpBPXJADUmJS8v00VCF4V7rjtRFAftGWygFfsqM
To authenticate with the Hyperscale Compliance Engine, you must use the API key and include the HTTP Authorization request header with type apk;
apk <API Key>
.For more information, see the Authentication section under Accessing the Hyperscale Compliance API.
Continuous Compliance Engine Installation
Delphix Continuous Compliance Engine is a multi-user, browser-based web application that provides complete, secure, and scalable software for your sensitive data discovery, masking, and tokenization needs while meeting enterprise-class infrastructure requirements. For information about installing the Continuous Compliance Engine, see Continuous Compliance Engine Installation documentation.