Software Prerequisites
To ensure the performance and stability of Anypoint Platform Private Cloud Edition (Anypoint Platform PCE), every node in your Anypoint Platform PCE environment must meet the software prerequisites described in this topic:
-
Operating system (OS) prerequisites
-
Third-party software prerequisites
-
MuleSoft software prerequisites
| Before you install Anypoint Platform PCE, your infrastructure team must review each of the following sections and verify that your environment meets the stated software requirements. If needed, contact your MuleSoft representative for assistance. |
Operating System Prerequisites
Verify Linux Distribution
The following Linux distributions are supported:
-
Red Hat Enterprise Linux (RHEL) 7.8, 7.9, 8.1, 8.2, 8.3., 8.4, 8.5, 8.6, 8.7, and 8.8.
-
CentOS 7.8 and 7.9
|
Anypoint Platform PCE no longer supports CentOS 8, as it has reached end-of-life. |
Check for SELinux Custom Profiles
Although SELinux is not required, Anypoint Platform PCE supports the default SELinux profile running in strict mode. If your environment uses a custom profile, it must provide an unconstrained user context when running the installer. Review any custom profiles with your MuleSoft representative.
Enable and Load Kernel Modules
You must enable the following kernel modules on each node:
-
br_netfilter -
ebtable_filter -
ip_tables -
iptable_filter -
iptable_nat -
overlay
For each kernel module, run a command similar to the following example to verify that each module is loaded. Replace br_netfilter with the name of the kernel module you are checking:
root$ lsmod | grep br_netfilter
-
If this command does not display any output, then the module is not loaded. In this case, load the module using
modprobe:root$ modprobe br_netfilter
Ensure a module is loaded after a reboot by using the following command:
root$ echo 'br_netfilter' > /etc/modules-load.d/br_netfilter.conf
Verify Kernel Settings
The following flags must be enabled:
-
net.bridge.bridge-nf-call-iptables=1 -
net.ipv4.ip_forward=1 -
fs.may_detach_mounts=1 -
fs.inotify.max_queued_events=16384 -
fs.inotify.max_user_instances=8192 -
fs.inotify.max_user_watches=1048576
The kubelet requires the following settings, which do not update the Kernel settings automatically:
-
vm.overcommit_memory=1 -
kernel.panic=10 -
kernel.panic_on_oops=1
Ensure that no processes on your system overrides any of these flags. To set a parameter, use sysctl -w, as shown in the following example:
root$ sysctl -w net.ipv4.ip_forward=1
To make the changes permanent for the next reboot, write the changes to a file under /etc/sysctl.d. Replace the setting in the following example with the setting you are configuring.
echo net.ipv4.ip_forward=1 >> /etc/sysctl.d/10-ipv4-forwarding.conf
Permanently configure settings required by the kubelet:
cat > /etc/sysctl.d/90-kubelet.conf << EOF vm.overcommit_memory=1 kernel.panic=10 kernel.panic_on_oops=1 EOF
Ensure that no processes or files conflict with those settings.
Third Party Software Prerequisites
Requirements When Firewalld Is Enabled
Firewalld is an iptables controller that defines rules for persistent network traffic.
If you are using firewalld with a Red Hat Enterprise Linux (RHEL) 7.3 operating system, you must enable forwarding on the docker0 device.
You must also forward any packets being sent from or to the 10.0.0.0/8 subnet.
Determine If You Are Using Firewalld
To determine if your system is using firewalld, run the following command on every node:
systemctl status firewalld.service
If firewalld is installed, the following output is displayed:
$ sudo systemctl status firewalld.service * firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) Active: inactive (dead) Docs: man:firewalld(1)
If firewalld is not installed, an error message is displayed.
Enable Forwarding on Docker Device
To enable forwarding on the docker0 device, run the following commands:
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -o docker0 -j ACCEPT -m comment --comment "docker subnet" firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -s 10.0.0.0/8 -j ACCEPT -m comment --comment "docker subnet"
To enable forwarding on the 10.0.0.0/8 subnet, run the following commands:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -s 10.0.0.0/8 -j ACCEPT -m comment --comment "docker subnet" firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -d 10.0.0.0/8 -j ACCEPT -m comment --comment "docker subnet"
Remove Local DNS Servers
Remove local caching DNS servers listening on port 53, for example, named, dnsmasq, and bind.
Install Required Tools
-
Tool to Verify NFS Server Ports are Open
Netcat is recommended, but you can use your tool of choice to verify the correct ports are open on the NFS server. If you do not have
netcat, you can install it from http://netcat.sourceforge.net/download.php or follow the instructions at https://linoxide.com/linux-how-to/install-use-netcat-command-linux/.
Remove Server Configuration Management Software
Any Server Configuration Management software, such as Puppet, Chef, Ansible, and SaltStack, must be removed. This software usually changes kernel modules and settings that are required, and can also restart servers without following the correct shut down procedure, causing the system to enter a failed state.
MuleSoft Software Prerequisites
Obtain Install Archive and License Key
Obtain the installer archive (anypoint-3.2.x-installer.tar.gz) and license key from your MuleSoft account representative.
Verify IP Forwarding and Bridging
To ensure proper cluster load balancing and routing, you must enable, correctly configure, and verify the following items:
-
Kernel IP forwarding
To enable internal Kubernetes load balancing, you must enable IPv4 forwarding on all servers.
-
Bridge-netfilter
Enable the Linux kernel to translate packets to and from hosted containers.
-
IP addresses for bridge-netfiltering are managed by the overlay network created by Kubernetes. Verify that the CIDR block used for that network is in the private IP address range.
-
Verify SSL Certificate Requirements
To use the Anypoint Platform PCE, you must provide SSL certificates. You can upload a certificate through the Anypoint Platform PCE UI. This certificate must be trusted by every machine that is connected to the platform.
| You must register the same SSL certificate on every node containing Mule runtime engines managed by your installation. |