
System Requirements

Supported platforms

The following sections detail the capacity and configuration requirements for the deployment of Runecast Analyzer. Customers can deploy the application on the following platforms:

  • VMware vSphere as a pre-packaged OVA image available on the Runecast Portal or the VMware Marketplace
  • Amazon AWS as a pre-built AMI image available on the AWS Marketplace
  • Microsoft Azure as a pre-built image available on the Azure Marketplace
  • Kubernetes via Helm chart hosted in the Runecast Helm chart repository (see the Kubernetes section in the Deployment chapter for more information).

To access the Runecast Analyzer Web Interface after deployment, please use one of the supported browsers:

  • Chrome v68.0.3440.106 and newer
  • Firefox v50.0.2 and newer
  • MS Edge v38.14393.0.0 and newer

VMware vSphere

  • VMware vSphere infrastructure should already be deployed. ESXi hosts must be v6.x and above, and these must be managed by vCenter v6.x or v7.x.
  • The Runecast Analyzer appliance is typically deployed into an existing vSphere infrastructure. Appropriate resource allocation for the appliance is selected during the deployment process. The standard sizing options are Small, Medium and Large, with resources allocated as follows:

    • Small (use this configuration for small environments: up to 50 Hosts)

      • 2 vCPU
      • 6 GB RAM
      • 120 GB Storage
      • 100 Mbit network (1 Gbit or above recommended)
    • Medium (use this configuration for medium environments: up to 150 Hosts)

      • 4 vCPU
      • 8 GB RAM
      • 120 GB Storage
      • 100 Mbit network (1 Gbit or above recommended)
    • Large (use this configuration for large environments: up to 1200 Hosts)

      • 8 vCPU
      • 32 GB RAM
      • 120 GB Storage
      • 100 Mbit network (1 Gbit or above recommended)
  • Internet Connectivity - Runecast Analyzer is packaged as a virtual appliance in OVA format that is deployed into your virtual infrastructure. All data and logic necessary for full operation are contained in the appliance, and no collected data is transmitted from the Runecast Analyzer outside of your datacenter. Optionally, customers can connect the Runecast Analyzer to the Internet to download zero-touch updates for knowledge definitions and application updates; the only outbound endpoint this requires is updates.runecast.com on TCP 443 (see Network connectivity below). An entirely offline update mechanism is also provided, using files (.ISO and .bin) made available from the user portal.

AWS

  • An active AWS account is required to deploy Runecast Analyzer.
  • Deployment requires the following resources (customers can reuse existing resources):
    • VPC
    • Network subnet with Internet Gateway attached
    • Security Group allowing the following communication:
      • Incoming communication on ports 443 (HTTPS) and 22 (SSH). Restrict the allowed source ranges to your management networks rather than 0.0.0.0/0; port 22 is only needed for console access to the appliance.

Azure

  • An active Microsoft Azure cloud account is required to deploy Runecast Analyzer.
  • Deployment requires the following resources (customers can reuse existing resources):
    • Azure Active Directory
    • Active subscription
    • Virtual Network
    • Subnet
    • Public IP for accessing the web interface over the Internet (omit it if the appliance will only be reached over a private network or VPN)
    • Network Security Group with HTTPS (443) open for accessing the web interface; restrict the allowed source ranges to your management networks

Kubernetes

Warning

Runecast Analyzer on Kubernetes is in preview stage but is fully supported. Please let us know if you face any issues or have any comments.

  • Any Kubernetes cluster that supports Helm: an on-premises cluster built from upstream open-source Kubernetes, or a commercial distribution or managed service such as HPE Ezmeral, Amazon EKS, Microsoft AKS or Google GKE.

  • Helm 3 (Helm 2.2.0+ should work but is not validated)

    Tip

    To find out how to install and use Helm, please visit the Helm website on https://helm.sh/.

  • By default, the application is deployed with the following settings:

    • Requests
      • 1.1 CPU
      • 2.1 GB RAM
    • Limits
      • 3 CPU
      • 3.5 GB RAM
    • 50 GB persistent storage


Runecast is an HPE Technology Partner, and Runecast Analyzer is validated for deployment on HPE Ezmeral Container Platform. To find more about Runecast Analyzer on HPE Ezmeral please see the HPE Ezmeral Marketplace page https://www.hpe.com/us/en/software/marketplace/runecast.html.

Analyzed System Privileges

VMware vCenter Server

A user with the following privilege at the vCenter level is required to connect to a VMware vCenter Server:

Minimum requirement

  • Read Only

Note

The minimum required permission for the Analyzer to perform scanning is Read Only. However, in this case, collection will not be fully comprehensive and it will not be possible to report issues related to some areas of the configuration, such as device-specific info from ESXi hosts (driver, firmware). This is due to the way specific data is exposed through the vSphere permissions model.

To provide a fully comprehensive analysis, the additional privileges provided below will ensure that sufficient information is collected for 100% of the checks performed by Runecast Analyzer.

vCenter privilege                                     Description

Host > CIM > CIM interaction                          CIM collection

Global > Settings                                     vSAN configuration collection

Host > Configuration > Firmware                       Host files collection

Host > Configuration > Change settings                Kernel modules collection

Host > Configuration > Advanced settings              Automatic ESXi Syslog configuration
Host > Configuration > Change settings
Host > Configuration > Security profile and firewall

Virtual Machine > Configuration > Advanced            Automatic VM Syslog configuration

Extension > Register extension                        Automatic Web Client registration
Extension > Update extension

Host profile > View                                   Automatic Host Profile collection
Host profile > Edit

Host > Configuration > Change settings                HW Compatibility
Global > Settings

Tip

A PowerCLI script to automatically create Runecast Role with the above permissions is available at https://github.com/Runecast/public/blob/master/PowerCLI/createRunecastRole.ps1.
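Whichever way the role is created, it is worth checking the result against the table rather than trusting the creation step. The script below is an added example and not Runecast's code or part of their PowerCLI script: it compares the privileges a vCenter role actually carries with the set the table requires and reports both what is missing (the analysis will be incomplete) and what is extra (the role exceeds least privilege). The privilege IDs it lists are the vSphere identifiers that correspond to the table rows as I understand them; confirm them against your own vCenter with `govc role.ls <role>` or PowerCLI `Get-VIPrivilege` before relying on the comparison. The `govc` command name and the sample role output are assumptions used for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Runecast's code: audit an existing vCenter role against the privilege
# table above, reporting missing privileges (checks will be incomplete) and extra ones
# (the role exceeds least privilege). The privilege IDs are the vSphere identifiers that
# correspond to the table rows (assumption: confirm them with `govc role.ls <role>` or
# PowerCLI `Get-VIPrivilege`). System.* privileges, which every role carries implicitly,
# are ignored in the comparison.
set -eu

REQUIRED_PRIVS='Host.Cim.CimInteraction
Global.Settings
Host.Config.Firmware
Host.Config.Settings
Host.Config.AdvancedConfig
Host.Config.NetService
VirtualMachine.Config.AdvancedConfig
Extension.Register
Extension.Update
Profile.View
Profile.Edit'

# Print the lines of list $1 that do not appear in list $2 (both newline-separated), sorted.
set_difference() {
  printf '%s\n---\n%s\n' "$1" "$2" | awk '
    /^---$/      { second = 1; next }
    /^System\./  { next }
    !second      { if ($0 != "") first[$0] = 1; next }
                 { have[$0] = 1 }
    END          { for (p in first) if (!(p in have)) print p }' | sort
}

missing_privileges() { set_difference "$REQUIRED_PRIVS" "$1"; }
extra_privileges()   { set_difference "$1" "$REQUIRED_PRIVS"; }

# Returns 0 when the granted set matches the table exactly, 1 otherwise.
audit_role() {
  missing=$(missing_privileges "$1")
  extra=$(extra_privileges "$1")
  rc=0
  if [ -n "$missing" ]; then
    printf 'MISSING (analysis will be incomplete):\n%s\n' "$missing"
    rc=1
  fi
  if [ -n "$extra" ]; then
    printf 'EXTRA (exceeds least privilege):\n%s\n' "$extra"
    rc=1
  fi
  return $rc
}

# Constructed sample of what `govc role.ls Runecast` could print for a role that was given
# Host.Config.Patch instead of Host.Config.Firmware.
SAMPLE_ROLE='System.Anonymous
System.Read
System.View
Host.Cim.CimInteraction
Global.Settings
Host.Config.Patch
Host.Config.Settings
Host.Config.AdvancedConfig
Host.Config.NetService
VirtualMachine.Config.AdvancedConfig
Extension.Register
Extension.Update
Profile.View
Profile.Edit'

# Live use: audit_role "$(govc role.ls Runecast)"
if [ "${1:-}" = "--demo" ]; then
  audit_role "$SAMPLE_ROLE" || true
fi
```

Run it with `--demo` to see the sample report; for a real check, feed it the output of `govc role.ls` for the role you created. Because Read Only alone is a valid minimum, an empty MISSING list is not required for the connection to work, but every entry in it corresponds to a check the Analyzer will silently skip.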

Warning

Hardware Compatibility checks are performed on ESXi v6.0 and above.

VMware NSX-V

NSX-V is supported by connecting to an NSX-V Manager when paired with a vCenter instance. Runecast Analyzer supports NSX-V Manager v6.2 and above.

For connection to NSX-V, a user with the following privileges in NSX Manager is needed:

Minimum requirement

  • Auditor
  • Security administrator – required to leverage the NSX-V Custom Dashboard Widget for Runecast.

Note

Due to NSX-V Manager’s constraints before v6.3.3, Runecast Analyzer cannot automatically validate that an NSX-V Manager is registered to a specific vCenter. You will be asked to confirm during the connection process.

Authentication source

Domain

Domain users are supported on NSX-V 6.4 and later.

Local

A local CLI user can be created with the following procedure:

  1. Open a console session to the NSX-V Manager and log in with the Administrator account
  2. Switch to Privilege mode using the enable command
  3. Switch to Configuration mode using the configure terminal command
  4. Add a CLI user account using the user <username> password (hash | plaintext) <password> command

    Example: user cliuser password plaintext abcd1234

    With the plaintext form the password is visible in the console session and in any session recording, so use a strong, unique password for this dedicated account; the example value is for illustration only.

  5. Save the configuration with the write memory command

  6. Allow the created CLI user to run REST API calls using the user <username> privilege web-interface command
  7. As a user with administrator privileges, issue a POST request to https://<NSX-IP>/api/2.0/services/usermgmt/role/<username>?isCli=true to assign a role to the newly created CLI user (isCli=true tells NSX Manager that the user is a CLI-created local account). Example body assigning the Auditor role:
    <accessControlEntry>
      <role>auditor</role>
      <resource>
        <resourceId>globalroot-0</resourceId>
      </resource>
    </accessControlEntry>

  8. You can now use the new CLI user to connect to NSX-V Manager
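Step 7 as a scripted REST call, followed by a read-back of the assigned role, as an added example that is not part of the Runecast documentation. The manager hostname, CA bundle and administrator account are supplied by the caller; the `NSX_CA_BUNDLE` and `NSX_ADMIN_USER` variable names and the `security_admin` role value (the API name I understand corresponds to the Security administrator role mentioned above) are my assumptions, as is reusing the same usermgmt/role path with GET for verification. curl asks for the administrator password interactively, so it never appears in shell history or process listings, and the manager certificate is verified against a pinned CA instead of being skipped with -k.

```shell
#!/usr/bin/env bash
# Added example (not from the Runecast documentation): step 7 above as a scripted REST call,
# plus a read-back of the assigned role. Assumptions: NSX_ADMIN_USER and NSX_CA_BUNDLE are set
# by the caller; GET on the same usermgmt/role path returns the user's current role.
set -eu

# Build the accessControlEntry body for an NSX-V role name: auditor, or security_admin for
# the Security administrator role (role names as used by the NSX-V API; verify in your version).
role_assignment_body() {
  role="$1"
  printf '<accessControlEntry>\n  <role>%s</role>\n  <resource>\n    <resourceId>globalroot-0</resourceId>\n  </resource>\n</accessControlEntry>\n' "$role"
}

# Role-management endpoint for a CLI-created user on manager $1; isCli=true is required for
# accounts created with the `user ... password` CLI command.
role_endpoint() {
  printf 'https://%s/api/2.0/services/usermgmt/role/%s?isCli=true' "$1" "$2"
}

# Assign role $3 to CLI user $2 on manager $1. `-u user` without a password makes curl prompt
# for it, so the administrator password stays out of history and ps output; --cacert pins
# the manager's CA rather than disabling verification with -k.
assign_role() {
  host="$1" user="$2" role="$3"
  role_assignment_body "$role" | curl --silent --show-error --fail \
    --cacert "${NSX_CA_BUNDLE:?set NSX_CA_BUNDLE to the NSX Manager CA certificate file}" \
    -u "${NSX_ADMIN_USER:-admin}" \
    -X POST -H 'Content-Type: application/xml' \
    --data-binary @- "$(role_endpoint "$host" "$user")"
}

# Read the role back to confirm the assignment took effect before handing the account to the Analyzer.
show_role() {
  curl --silent --show-error --fail \
    --cacert "${NSX_CA_BUNDLE:?set NSX_CA_BUNDLE to the NSX Manager CA certificate file}" \
    -u "${NSX_ADMIN_USER:-admin}" \
    "$(role_endpoint "$1" "$2")"
}

# Live use (not executed here):
#   NSX_CA_BUNDLE=nsx-ca.pem ./nsx_role.sh assign nsx-mgr.example.com cliuser auditor
#   NSX_CA_BUNDLE=nsx-ca.pem ./nsx_role.sh show   nsx-mgr.example.com cliuser
case "${1:-}" in
  assign) assign_role "$2" "$3" "$4" ;;
  show)   show_role "$2" "$3" ;;
esac
```

If the NSX Manager still uses its self-signed certificate, export that certificate and pass it as the CA bundle; that keeps the check meaningful without trusting every certificate the way -k would.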

VMware NSX-T

VMware NSX-T Data Center is supported by connecting to an NSX-T Manager or Cluster Virtual IP. Runecast Analyzer supports NSX-T Manager version 2.4 and above.

For connection to NSX-T, a user with the following privileges in NSX-T Manager is needed:

Minimum requirement

  • Auditor

VMware Horizon

VMware Horizon is supported by connecting to a Connection Server. For Connection Servers that are part of a single replication group, it is required to establish the connection to only one Connection Server which belongs to the group. Also, if there is a Load Balancer configured with session persistence, it can be used to connect to a Connection Server in a replication group. Runecast Analyzer supports Horizon v6.x and above.

For connection to a Connection Server, a user with the following privileges in Horizon is needed:

Minimum Requirement

  • Administrators (Read-only).

VMware Cloud Director

VMware Cloud Director is supported by connecting to the provider portal. Runecast Analyzer supports VMware Cloud Director version 10.0 and above.

For connection to VMware Cloud Director, a user with the following privileges on the vCD provider level is needed:

Minimum Requirement

  • A role with View-only permissions.

AWS

Amazon Web Services is supported by connecting to an AWS Account.

For connection to an AWS Account, a user with the following privileges is needed:

Minimum Requirements

  • We recommend using an IAM user with programmatic access only (an access key and no console password). To limit the operational overhead, we suggest using the AWS managed ReadOnlyAccess policy. This will cover future functionality and analysis capability provided by Analyzer, without the need to adjust the policy very often. Note that ReadOnlyAccess is broad (among other things it grants s3:GetObject on every bucket), so treat the access key as a sensitive credential and rotate it according to your policy.

Microsoft Azure

Microsoft Azure is supported by connecting through an Azure AD application (service principal) with read access to the directory and to the subscription(s) to be scanned. To create the Azure Application and assign the required permissions, please follow these steps:

  1. Login to the Azure Portal
  2. Navigate to Azure Active Directory
  3. From the left side menu, click on App registrations then click on New Registration

  4. Provide a name for the application and select Accounts in this organizational directory only (<your directory> only - Single tenant). Leave Redirect URI empty

  5. Once the application is created, make a note of the Application (client) ID and Directory (tenant) ID shown in the application Overview page

  6. Click on Certificates & secrets under Manage in the left side menu of the app

  7. Under the Client secrets section, click on New client secret

  8. Provide a suitable description for the client secret and select the expiration as per your organization policy. We recommend 1 year expiry for client secrets; record the expiry date so the secret can be rotated in the Analyzer before it lapses

  9. Make a note of the newly created client secret value
  10. Click on the API permissions under Manage in the left side menu of the App
  11. Under the Configured permissions section, add the application permission Directory.Read.All from Microsoft Graph and click Grant admin consent for <your directory>

    If you do not have admin privileges, please refer to the below link.
    https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal

    With the help of your administrator, you can change User consent settings.

  12. Navigate to the Subscriptions page and select the subscription for which you want to scan from Runecast Analyzer

  13. From the left side menu of subscription, click on Access control (IAM) and select Role assignments then click on Add and select Add role assignment
  14. Select Reader as the role, set Assign access to to User, group, or service principal, and under Select enter the name of the app created in step 4, then click Save
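The same fourteen steps can be carried out with the Azure CLI, which makes the registration repeatable and leaves a reviewable record of exactly what was granted. The script below is an added example, not part of the Runecast documentation or tooling. It assumes `az login` has already been done by an account that can grant admin consent and assign roles, and that the application name and subscription ID are passed in by the caller; the function and variable names are mine. The two fixed identifiers are Microsoft Graph's resource application ID and the app-role ID of the Directory.Read.All application permission.

```shell
#!/usr/bin/env bash
# Added example, not part of the Runecast documentation: the portal procedure above as
# Azure CLI commands. Assumptions: `az login` done by an account that can grant admin
# consent and assign roles; app name and subscription ID supplied by the caller.
set -eu

GRAPH_API_ID='00000003-0000-0000-c000-000000000000'           # Microsoft Graph resource application ID
DIRECTORY_READ_ALL_ROLE='7ab1d382-f21e-4acd-a863-ba3e13f7da61' # Directory.Read.All (application permission)

# Role assignment scope for one subscription (step 12: scan only the selected subscription).
subscription_scope() { printf '/subscriptions/%s' "$1"; }

# Permission spec for `az ad app permission add`: "=Role" is an application permission,
# "=Scope" would be a delegated one. Step 11 asks for the application permission.
app_permission_spec() { printf '%s=Role' "$1"; }

register_analyzer_app() {
  app_name="$1" subscription_id="$2"

  # Steps 3-5: single-tenant registration without a redirect URI; record the two IDs.
  app_id=$(az ad app create --display-name "$app_name" --sign-in-audience AzureADMyOrg \
             --query appId -o tsv)
  tenant_id=$(az account show --query tenantId -o tsv)
  az ad sp create --id "$app_id" >/dev/null   # the service principal that receives the Reader role

  # Steps 6-9: one client secret, valid 1 year as recommended. The value is shown once only.
  client_secret=$(az ad app credential reset --id "$app_id" --years 1 --query password -o tsv)

  # Steps 10-11: Directory.Read.All as an application permission, then tenant-wide admin consent.
  az ad app permission add --id "$app_id" --api "$GRAPH_API_ID" \
    --api-permissions "$(app_permission_spec "$DIRECTORY_READ_ALL_ROLE")"
  az ad app permission admin-consent --id "$app_id"

  # Steps 12-14: Reader on the subscription to be scanned and nothing broader. If this fails
  # with "principal not found" right after creation, wait a moment for replication and retry.
  az role assignment create --assignee "$app_id" --role Reader \
    --scope "$(subscription_scope "$subscription_id")" >/dev/null

  # These three values are what the Analyzer asks for when the Azure connection is added.
  printf 'Directory (tenant) ID:   %s\nApplication (client) ID: %s\nClient secret:           %s\n' \
    "$tenant_id" "$app_id" "$client_secret"
}

# Live use (not executed here): ./register_app.sh --run runecast-analyzer <subscription-id>
if [ "${1:-}" = "--run" ]; then
  register_analyzer_app "$2" "$3"
fi
```

The client secret is printed exactly once; paste it into the Analyzer immediately rather than saving it to a file. Keeping the Reader assignment scoped to a single subscription mirrors step 12; a management-group scope would let the same principal read every subscription beneath it.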

Kubernetes

Kubernetes is supported by connecting to API server address using service account token authentication. Runecast Analyzer follows an extended version of the Kubernetes lifecycle policy, testing and validating against the current Kubernetes release, as well as the three previous releases. Managed Kubernetes environments, including Amazon EKS, Microsoft AKS, Google GKE and HPE Ezmeral Container Platform are supported. However, as these services may limit access to the control plane, Runecast Analyzer cannot provide results for the control plane (as such, results in these environments are for the customer deployed clusters or workloads only).

For connection to a Kubernetes cluster, a service account token is required. The service account needs to be bound to a cluster role with the following privileges:

Minimum Requirements

cluster role option   cluster role option values
verbs                 get, list, watch
resources             nodes, namespaces, pods, replicationcontrollers, serviceaccounts, services,
                      daemonsets.apps, deployments.apps, replicasets.apps, statefulsets.apps,
                      cronjobs.batch, jobs.batch, networkpolicies.networking.k8s.io, podsecuritypolicies.policy,
                      clusterrolebindings.rbac.authorization.k8s.io, clusterroles.rbac.authorization.k8s.io,
                      rolebindings.rbac.authorization.k8s.io, roles.rbac.authorization.k8s.io

You can use the following scripts to create a service account and output the account token:

Bash
# set the namespace where the service account will be created
export NAMESPACE="kube-system"

# create the service account
kubectl create serviceaccount runecast-analyzer-scan -n ${NAMESPACE}

# create clusterrole
kubectl create clusterrole runecast-analyzer-scan --verb=get,list,watch --resource=nodes,namespaces,pods,replicationcontrollers,serviceaccounts,services,daemonsets.apps,deployments.apps,replicasets.apps,statefulsets.apps,cronjobs.batch,jobs.batch,networkpolicies.networking.k8s.io,podsecuritypolicies.policy,clusterrolebindings.rbac.authorization.k8s.io,clusterroles.rbac.authorization.k8s.io,rolebindings.rbac.authorization.k8s.io,roles.rbac.authorization.k8s.io

# bind the clusterrole
kubectl create clusterrolebinding runecast-analyzer-scan --clusterrole=runecast-analyzer-scan --serviceaccount=${NAMESPACE}:runecast-analyzer-scan

# output the service account token (Kubernetes 1.23 and earlier, where a token Secret is
# created automatically for every service account)
kubectl get serviceaccounts runecast-analyzer-scan -n ${NAMESPACE} -o jsonpath='{.secrets[0].name}' | xargs -r kubectl get secret -n ${NAMESPACE} -o jsonpath='{.data.token}' | base64 -d | awk '{print "copy the service account token:\n"$1"\n"}'

# on Kubernetes 1.24 and later no Secret is created automatically and the command above prints
# nothing; either request a token directly (short-lived by default, see --duration) or create a
# Secret of type kubernetes.io/service-account-token for a long-lived one
# kubectl create token runecast-analyzer-scan -n ${NAMESPACE}
PowerShell
# set the namespace where the service account will be created
$namespace = "kube-system"

# create the service account
kubectl create serviceaccount runecast-analyzer-scan -n $namespace

# create clusterrole
kubectl create clusterrole runecast-analyzer-scan --verb=get,list,watch --resource=nodes,namespaces,pods,replicationcontrollers,serviceaccounts,services,daemonsets.apps,deployments.apps,replicasets.apps,statefulsets.apps,cronjobs.batch,jobs.batch,networkpolicies.networking.k8s.io,podsecuritypolicies.policy,clusterrolebindings.rbac.authorization.k8s.io,clusterroles.rbac.authorization.k8s.io,rolebindings.rbac.authorization.k8s.io,roles.rbac.authorization.k8s.io

# bind the clusterrole
kubectl create clusterrolebinding runecast-analyzer-scan --clusterrole=runecast-analyzer-scan --serviceaccount="$($namespace):runecast-analyzer-scan"

# output the service account token (Kubernetes 1.23 and earlier, where a token Secret is created
# automatically; on 1.24 and later $secretname is empty, so use `kubectl create token runecast-analyzer-scan -n $namespace`
# or create a Secret of type kubernetes.io/service-account-token instead)
$secretname = kubectl get serviceaccounts runecast-analyzer-scan -n $namespace -o json | ConvertFrom-json | % { $_.secrets.name }
$token = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($(kubectl get secret $secretname -n $namespace -o json | ConvertFrom-Json | % { $_.data.token})))
$token | Set-Clipboard
Write-Host "the service account token was copied to clipboard:`n$($token)`n"
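The two scripts above create the account imperatively. For clusters managed through version control it is more convenient to apply the same service account, ClusterRole and binding as a manifest, and on Kubernetes 1.24 or later a manifest is also the simplest way to obtain a long-lived token, because a ServiceAccount no longer gets a token Secret created for it automatically. The script below is an added example and not Runecast's; it renders that manifest from the Minimum Requirements table (resources grouped by API group, as RBAC rules require) and includes a small check that no verb beyond get, list and watch slipped in. Namespace and object names match the scripts above; `kubectl` is only invoked in the commented live commands.

```shell
#!/usr/bin/env bash
# Added example (not Runecast's script): the service account and ClusterRole from the scripts
# above as a declarative manifest, plus a long-lived token Secret for Kubernetes >= 1.24.
# Assumptions: names and namespace match the scripts above; kubectl points at the target
# cluster when the live commands in the comments are run.
set -eu

NAMESPACE="${NAMESPACE:-kube-system}"
SA_NAME="runecast-analyzer-scan"

# Resources from the Minimum Requirements table, grouped by API group as RBAC expects.
render_rbac_manifest() {
  ns="$1" name="$2"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${name}
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${name}
rules:
  - apiGroups: [""]
    resources: [nodes, namespaces, pods, replicationcontrollers, serviceaccounts, services]
    verbs: [get, list, watch]
  - apiGroups: [apps]
    resources: [daemonsets, deployments, replicasets, statefulsets]
    verbs: [get, list, watch]
  - apiGroups: [batch]
    resources: [cronjobs, jobs]
    verbs: [get, list, watch]
  - apiGroups: [networking.k8s.io]
    resources: [networkpolicies]
    verbs: [get, list, watch]
  # PodSecurityPolicy was removed in Kubernetes 1.25; this rule is inert on such clusters.
  - apiGroups: [policy]
    resources: [podsecuritypolicies]
    verbs: [get, list, watch]
  - apiGroups: [rbac.authorization.k8s.io]
    resources: [clusterrolebindings, clusterroles, rolebindings, roles]
    verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${name}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${name}
subjects:
  - kind: ServiceAccount
    name: ${name}
    namespace: ${ns}
---
# Long-lived token for the Analyzer on Kubernetes >= 1.24, where no token Secret is auto-created.
apiVersion: v1
kind: Secret
metadata:
  name: ${name}-token
  namespace: ${ns}
  annotations:
    kubernetes.io/service-account.name: ${name}
type: kubernetes.io/service-account-token
EOF
}

# Distinct verbs granted by the rendered role; anything beyond "get list watch" means drift.
granted_verbs() {
  render_rbac_manifest "$1" "$2" | sed -n 's/^ *verbs: \[\(.*\)\]$/\1/p' \
    | tr -d ' ' | tr ',' '\n' | sort -u | tr '\n' ' '
}

# Live use (not executed here):
#   render_rbac_manifest "$NAMESPACE" "$SA_NAME" | kubectl apply -f -
#   kubectl get secret "${SA_NAME}-token" -n "$NAMESPACE" -o jsonpath='{.data.token}' | base64 -d
# A short-lived alternative without a Secret: kubectl create token "$SA_NAME" -n "$NAMESPACE"
if [ "${1:-}" = "--print" ]; then
  render_rbac_manifest "$NAMESPACE" "$SA_NAME"
fi
```

The token stored in the Secret is a bearer credential with cluster-wide read access to workloads and RBAC objects, so guard it as you would any other cluster credential; deleting the Secret revokes it.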

Network connectivity

Source | Destination | Protocol | Port | Description | Comment
RCA | vCenter | TCP | 443 | Collection of data using the vSphere SDK (vCenter, ESXi and VM configuration settings) | required for core product functionality
RCA | ESXi | TCP | 443 | Collection of data from ESXi servers (file-level configuration settings) | required for file-level checks
RCA | ESXi | TCP | 5988, 5989 | CIM data collection from ESXi servers | required for CIM data
RCA | NSX-V Manager | TCP | 443 | Collection of data using the NSX-V REST API (NSX-V configuration settings) | required only if NSX-V functionality is used
RCA | NSX-T Manager | TCP | 443 | Collection of data using the NSX-T REST API (NSX-T configuration settings) | required only if NSX-T functionality is used
RCA | AWS | TCP | 443 | Collection of data using the AWS REST API (AWS configuration settings) | required only if AWS functionality is used
RCA | Horizon | TCP | 443 | Collection of data using the Horizon API (Horizon configuration settings) | required only if Horizon functionality is used
RCA | Kubernetes API | TCP | 6443 | Collection of data using the Kubernetes API (Kubernetes configuration settings) | required only if Kubernetes functionality is used; use the port your API server actually listens on (managed services commonly expose it on 443)
RCA | Cloud Director | TCP | 443 | Collection of configuration data using the vCD API | required only if vCD functionality is used
ESXi | RCA | UDP | 514 | Syslog data collection | required for log analysis
RCA | updates.runecast.com | TCP | 443 | Application and rules definition updates | required for online updates only
User browser | RCA | TCP | 80, 443 | RCA web interface | HTTP always redirects to HTTPS
vSphere Web Client | RCA | TCP | 443 | Web Client plugin communication to RCA | required for displaying results in the Web Client
REST API client | RCA | TCP | 443 | Runecast API client communication | required for the REST API
Enterprise Console (EC) | RCA | TCP | 443 | Single pane of glass to RCA communication | required for displaying results from multiple Analyzers
RCA | DC | TCP | 88 | RCA communication to a domain controller | required for Kerberos authentication
RCA | LDAP | TCP | 389 | RCA communication to AD | required for connection to a DC on the regular LDAP port
RCA | LDAP SSL | TCP | 636 | RCA communication to AD | required for connection to a DC on the protected LDAPS port
RCA | DNS | TCP | 53 | RCA communication to DNS | required for core product functionality
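Firewall gaps between the appliance and its targets usually show up as partial results rather than a clear error, so it pays to probe the outbound rows of the table from the appliance before the first scan. The script below is an added example and not part of the Runecast documentation: run from the RCA, it expands the port lists in the table ("5988, 5989" style) into individual TCP probes using bash's /dev/tcp, so no extra tooling has to be installed. The hostnames in the target list are constructed placeholders to replace with your own. The one inbound row, ESXi to RCA on UDP 514, cannot be checked this way; confirm it by watching for syslog lines arriving after ESXi syslog is configured.

```shell
#!/usr/bin/env bash
# Added example (not from the Runecast documentation): pre-flight check of the outbound rows
# in the connectivity table, run from the Analyzer appliance. Hostnames are placeholders.
# Inbound UDP 514 (ESXi -> RCA) is not covered; verify it by observing syslog arrivals.
set -u

# Expand "5988, 5989" style port lists from the table into one port per line.
expand_ports() {
  printf '%s\n' "$1" | tr -d ' ' | tr ',' '\n'
}

# Read "destination|ports|purpose" lines on stdin and emit tab-separated (host, port, purpose).
expand_targets() {
  while IFS='|' read -r dest ports purpose; do
    [ -z "$dest" ] && continue
    expand_ports "$ports" | while read -r port; do
      printf '%s\t%s\t%s\n' "$dest" "$port" "$purpose"
    done
  done
}

# Return 0 if a TCP connection to $1:$2 completes within 3 seconds.
tcp_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Constructed target list: the outbound rows of the table with RCA as the source.
TARGETS='vcenter.example.com|443|vSphere SDK collection
esxi01.example.com|443, 5988, 5989|ESXi file-level and CIM collection
nsxt-mgr.example.com|443|NSX-T REST API
k8s-api.example.com|6443|Kubernetes API
updates.runecast.com|443|online updates
dc01.example.com|88, 389, 636|Kerberos and LDAP/LDAPS
dns01.example.com|53|DNS'

preflight() {
  printf '%s\n' "$TARGETS" | expand_targets | while IFS="$(printf '\t')" read -r host port purpose; do
    if tcp_open "$host" "$port"; then status=open; else status=BLOCKED; fi
    printf '%-8s %-28s tcp/%-5s %s\n' "$status" "$host" "$port" "$purpose"
  done
}

# Live use (not executed here): ./preflight.sh --run
if [ "${1:-}" = "--run" ]; then
  preflight
fi
```

A BLOCKED line for updates.runecast.com is expected on an air-gapped appliance that uses the offline update files; every other BLOCKED line corresponds to a collection the Analyzer will not be able to perform.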