Installation Notes (Release 7.0.0)

Describes considerations for installing release 7.0.0.

Note these considerations for new installations of release 7.0.0, which can be installed using manual steps or by using the Installer:

Considerations for Using the Installer

Before using the Installer with release 7.0.0, review these considerations:
  • Only Installer can be used to install release 7.0.0. For more info, see Installer Updates.
  • The Installer is not FIPS compliant and is not supported to run on a FIPS-enabled node. However, you can use the Installer to install a FIPS-compliant cluster. To do this, the Installer node must be installed on a non-FIPS node, and the cluster to be installed cannot include the Installer node as part of the cluster.
  • You can use Installer to install a FIPS-enabled cluster only if all the nodes to be installed are FIPS-enabled. Using the Installer to install a mix of FIPS-enabled and non-FIPS-enabled nodes is not supported.
  • You can use Installer to upgrade to release 7.0.0, but upgrading from a non-FIPS-enabled cluster to a FIPS-enabled cluster is not supported.
  • Installer is supported on Rocky Linux and RHEL 8.5. See Operating System Support Matrix.
  • For a list of known issues that affect Installer and other Installer versions, see Installer Known Issues.

32 GB Minimum Memory for Production Nodes

Minimum memory requirements for production nodes have changed. Production nodes require at least 32 GB of memory per node. For more information, see Memory and Disk Space.

Monitoring Components Support for FIPS

The Spyglass logging components (Elasticsearch, Fluentd, and Kibana) are NOT supported in FIPs mode. Spyglass metrics components (Collectd, Open TSDB, and Grafana) work in FIPS mode even through Grafana is written in Go and is not FIPS compliant.

Licensing Changes for FIPS

To support FIPS clusters, the license file now contains two identical licenses. One is signed with a SHA-1 signature for non-FIPS clusters. The other is signed with a SHA256 signature for FIPS clusters. This enables MCS or maprcli commands to verify the signature regardless of support for FIPS compliance. User-visible changes are minimal, since MCS and the maprcli license list command show only the license that is currently applied.

Manual Installations and FIPS

There are no changes to the procedure for manual package installation. The steps are the same as described in Installing without the Installer.

Installers continue to use the ${MAPR_HOME}/server/ script to configure both FIPS and non-FIPS nodes after the data-fabric packages are successfully installed. There are no customer-visible changes to the existing manual setup procedure to enable FIPS mode using the ${MAPR_HOME}/server/ script:
  • FIPS mode is automatically enabled only if the local operating system is FIPS enabled. The script uses the sysctl crypto.fips_enabled command to detect if the operating system is in FIPS mode.
  • FIPS mode implies secure mode as well. Thus, on a FIPS enabled node, -secure is the default, whereas in a regular, non-FIPS enabled node, -unsecure is the default.
  • If the local operating system is not FIPS-enabled, the script proceeds to perform regular, non-FIPS configuration.

Other than the change in the default -secure setting, system configuration for a machine running a FIPS enabled operating system looks the same as that on a regular machine running an operating system that is not FIPS-enabled.

It is important to note that nonsecure algorithms such as MD-5 and DES are disabled in FIPS. Therefore, legacy applications that use these algorithms will no longer run on FIPS-enabled nodes. So, while FIPS adds additional security, it also causes nonsecure legacy applications to fail unless they are upgraded. This is an important distinction between FIPS and non-FIPS mode.

Log Monitoring and FIPS

Log monitoring is not supported in installations with FIPS-enabled nodes in EEP 8.1.0.