Install Swarm on RHEL 9

Note
  • Swarm can be connected to Helix Core Servers (P4D) and commit servers.
  • To configure Swarm to connect to more than one Helix Core Server (P4D), see Multiple Helix Core Server instances.

    To configure Swarm to connect to a Helix Core Server configured to use commit-edge architecture, see Commit-edge deployment.

  • Swarm must not be connected to Helix Broker, Helix Proxy, Helix Edge, forwarding replica, or read-only replica servers.

Installation

Important
  • Review the runtime dependencies before you install Swarm; see Runtime dependencies.

  • Review the PHP requirements before you upgrade Swarm; see PHP.

  • Review the Helix Core Server requirements before you install Swarm; see Helix Core Server requirements.
  • Before continuing with the Swarm install process, you must register the RHEL system to Red Hat using the Subscription Manager client.
  1. Configure the Perforce package repository, on the server to host Swarm and on the server hosting your Helix Core Server.

    Important

    If the server hosting your Helix Core Server cannot use packages, for example when it is running Windows, skip this step on that server.

    As root, create the file /etc/yum.repos.d/perforce.repo with the following content:

    [Perforce]
    name=Perforce
    baseurl=http://package.perforce.com/yum/rhel/9/x86_64/
    enabled=1
    gpgcheck=1
  2. Import the Perforce package signing key, on the server to host Swarm and the server hosting your Helix Core Server.

    Important

    If the server hosting your Helix Core Server cannot use packages, for example when it is running Windows, skip this step on that server.

    Run the following command as root:

    rpm --import https://package.perforce.com/perforce.pubkey

    For information about how to verify the authenticity of the signing key, see Perforce Packages.

  3. Install the main Swarm package on the server to host Swarm (run these commands as root):

    1. Run an upgrade for PHP; this also upgrades the Swarm packages:

      dnf update

    2. Install Swarm:

      yum install helix-swarm

      Important

      When the Swarm installation has completed, you are prompted to run the configure-swarm.sh post-installation script.

      Do not run this script until you have completed the rest of these Installation instructions. Instructions for running the configure-swarm.sh post-installation script are in the Post-Installation configuration section referenced in the final step of the Installation instructions.

      Note

      The firewall configuration may need to be adjusted to allow access to the web server.

      sudo firewall-cmd --permanent --add-service=http
      sudo systemctl reload firewalld

      If you subsequently wish to enable HTTPS, run (as root):

      sudo firewall-cmd --permanent --add-service=https
      sudo systemctl reload firewalld

  4. Swarm needs to know about some Helix Core Server events to operate correctly. Use Helix Core Server Extensions (recommended) or Helix Core Server Triggers to notify Swarm about these events. The Swarm Helix Core Server extension can be installed automatically by the Swarm configure-swarm.sh post-installation script, but Triggers must be manually installed. To use Helix Core Server Extensions, ignore this step and skip to the next step.

    Trigger installation only (not recommended): Install the Swarm triggers package on the server hosting your Helix Core Server. This might be the server hosting Swarm or elsewhere on your network.

    Important
    • If the server hosting your Helix Core Server cannot use packages, for example when it is running Windows, you need to copy the appropriate Swarm trigger script from /opt/perforce/swarm/p4-bin/scripts to the server hosting your Helix Core Server. The swarm-trigger.pl is for both Linux and Windows systems. Once copied, the trigger script needs to be configured. See Installing Triggers for details.

    • The package installs a config file at /opt/perforce/etc/swarm-trigger.conf that you will need to modify. See Installing Triggers for more details on configuring that file.

    Install the Swarm triggers package on the server hosting your Helix Core Server (run this command as root):

    yum install helix-swarm-triggers

  5. Optional: Install the Swarm optional package, on the server hosting Swarm.

    While not required, installing this package installs the dependencies required to use the ImageMagick and LibreOffice Swarm modules. These modules provide previews of a variety of image and office documents. Run this command as root:

    yum install helix-swarm-optional

  6. Make your Swarm installation more secure by applying recommendations related to HTTP and Swarm implementation through security groups. See Secure your Swarm installation.

  7. Complete the Post-installation configuration steps.

Secure your Swarm installation

To make your Swarm installation more secure, apply the following recommendations for HTTP and Swarm implementation through security groups.

HTTP

Here is a list of best practices to use when port 80 is exposed for HTTP traffic:

  • Redirect to HTTPS: If Port 80 needs to be open to support legacy systems or specific use cases, ensure that all HTTP traffic is redirected to HTTPS to encrypt data in transit.

  • Use HSTS (HTTP Strict Transport Security) headers: Implement HSTS headers to force browsers to use only secure HTTPS connections when interacting with your server.

  • Close port 80: If there is no requirement to use HTTP, Port 80 must be closed entirely to prevent any unencrypted data transmission.

  • Implement SSL/TLS (secure sockets layer and transport layer security) certificates: Ensure that your server is configured with a valid SSL/TLS certificate to enable secure HTTPS connections.

  • Firewall configuration: Configure firewalls to block or filter access to Port 80, particularly from untrusted networks.

  • Continuous monitoring and auditing: Regularly monitor network traffic and audit server configurations to ensure that unnecessary ports are not exposed and that data is transmitted securely.

When you implement HTTPS, you must make the following changes:

  1. Modify your cron job for the Swarm workers.

    Edit the cron configuration file to point to your HTTPS URL, for example, https://HOSTNAME/. For more information about how to edit the cron configuration file, see Set up a recurring task to spawn workers.

    To verify that the cron configuration file points to your HTTPS URL, run the following curl command:

    curl https://myswarm.host/queue/worker

  2. Modify the Swarm Extension or Trigger configuration.

    If you are using the Swarm extension, run the following command and change ExtConfig’s Swarm URL to be your new HTTPS URL:

    p4 extension --configure Perforce:helix-swarm

    If you are using triggers, edit the swarm-trigger.pl configuration file and set your SWARM_HOST to be https.

  3. Edit the external_url in the SWARM_ROOT/data/config.php file’s environment block to point to your HTTPS URL. This URL is used in emails, Jira links, and Swarm test’s pass-and-fail outgoing URL parameters.

    Tip

    If you make a configuration change, Swarm will not use it until the configuration cache has been reloaded. Reloading the cache forces Swarm to use the new configuration. You must be an admin or super user to reload the Swarm config cache. Navigate to the User id dropdown menu, select System Information, click the Cache Info tab, and click the Reload Configuration button.

  4. Modify the Helix Core Server's P4.Swarm.URL property. For more information about Helix Core Server integration, see Client integration.

    If your Apache server is listening on both HTTPS and HTTP in the perforce-swarm-site.conf file, you must set the auto_register_url configurable in the p4 block to false and correctly configure the P4.Swarm.URL property.

    If your Apache server is listening only on HTTPS and the auto_register_url configurable in the p4 block is set to true (default value), an Apache restart will correct the property.

    To get all your current values for P4.Swarm.URL property, run:

    p4 -Ztag property -A -l -n P4.Swarm.URL

    Ensure that the P4.Swarm.URL property points to your HTTPS URL.

  5. Modify the URL of all applications. Any other applications that reference the URL should be switched to using the HTTPS URL.
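
The redirect, HSTS and P4.Swarm.URL checks from the steps above can be scripted. The following is an added example, not part of the Swarm documentation or tooling: the variable SWARM_FQDN, the function names and the sample data are hypothetical, and the "... value" line layout of the p4 -Ztag output is an assumption.

```shell
# Added example: checks for the HTTPS switch-over. Each function reads text on
# stdin, so it works on live command output or on the constructed samples.

# Succeeds if the response is a redirect whose Location is an https:// URL.
redirects_to_https() {
  tr -d '\r' | awk '
    NR == 1 && $2 ~ /^30[1278]$/ { redirect = 1 }
    tolower($0) ~ /^location:[ \t]*https:\/\// { secure = 1 }
    END { exit !(redirect && secure) }'
}

# Succeeds if the response carries Strict-Transport-Security with max-age > 0.
has_hsts() {
  tr -d '\r' | awk '
    { line = tolower($0) }
    line ~ /^strict-transport-security:/ && match(line, /max-age=[0-9]+/) {
      if (substr(line, RSTART + 8, RLENGTH - 8) + 0 > 0) ok = 1
    }
    END { exit !ok }'
}

# Prints every P4.Swarm.URL value that is not https://. Input is the output of
#   p4 -Ztag property -A -l -n P4.Swarm.URL
# (assumed layout: one "... value <url>" line per property entry).
insecure_swarm_urls() {
  awk '$1 == "..." && $2 == "value" && $3 !~ /^https:\/\// { print $3 }'
}

# Constructed samples (not captured from a real server).
sample_http()  { printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://myswarm.host/\r\n'; }
sample_https() { printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n'; }
sample_props() {
  printf '... name P4.Swarm.URL\n... sequence 0\n... value http://myswarm.host/\n'
  printf '... name P4.Swarm.URL\n... sequence 1\n... value https://myswarm.host/\n'
}

sample_http | redirects_to_https && echo "sample: port 80 redirects to HTTPS"
sample_props | insecure_swarm_urls   # prints the one non-HTTPS property value

# Live check: set SWARM_FQDN (hypothetical variable) to your Swarm host name.
if [ -n "${SWARM_FQDN:-}" ]; then
  curl -sI "http://$SWARM_FQDN/" | redirects_to_https ||
    echo "no HTTPS redirect seen on port 80 (expected if port 80 is closed)"
  curl -sI "https://$SWARM_FQDN/" | has_hsts || echo "FAIL: no HSTS header"
  p4 -Ztag property -A -l -n P4.Swarm.URL | insecure_swarm_urls
fi
```

Any URL printed by insecure_swarm_urls is a property entry that still needs to be changed to the HTTPS URL.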

Swarm implementation through security groups

Here is a list of best practices for implementation using security groups or the user's preferred setup:

  • Use a trusted proxy: Ensure that you use only a trusted proxy, such as allow lists, Content Delivery Networks (CDN), and API Gateways.

  • Disable direct access to backend servers and other proxies or load balancers: Ensure that direct access to backend servers and other proxies or load balancers is disabled, except through the trusted proxy mentioned above. This will prevent unauthorized access while ensuring that all requests are filtered through the trusted proxy.

  • Continuous monitoring and logging of the X-Forwarded-For header: Implement monitoring and logging on the X-Forwarded-For header to track and identify any suspicious activities. This can help in identifying and preventing potential malicious activity or security threats.

  • Use a secure protocol: Implement a secure protocol such as HTTPS to encrypt the communications between the client and the load balancers, and between the load balancer and backend server to prevent eavesdropping or tampering with the X-Forwarded-For header.

  • Configure X-Forwarded-For header: Configure the processing mode of the X-Forwarded-For header (append, preserve, or remove) based on specific technical or security requirements.
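
One way to implement the X-Forwarded-For monitoring described above, as an added example that is not part of the Swarm documentation or tooling. It assumes a custom Apache LogFormat (hypothetical nickname swarm_xff) that records the TCP peer address and the header; the proxy addresses and log lines are constructed.

```shell
# Assumed Apache access-log format (hypothetical nickname swarm_xff):
#   LogFormat "%{c}a \"%{X-Forwarded-For}i\" %t \"%r\" %>s" swarm_xff
# %{c}a is the address of the TCP peer, which should always be the trusted proxy.
TRUSTED_PROXIES="10.0.0.5 10.0.0.6"   # constructed addresses

# Reads log lines on stdin and prints one finding per suspicious request:
#   DIRECT  - peer is not a trusted proxy (backend reached around the proxy)
#   NO_XFF  - trusted proxy sent no X-Forwarded-For header
#   BAD_XFF - header contains an entry that is not an IP address
audit_xff() {
  awk -F'"' -v trusted="$TRUSTED_PROXIES" '
    BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
    {
      peer = $1; sub(/ +$/, "", peer); xff = $2; req = $4
      if (!(peer in ok))           { print "DIRECT " peer ": " req; next }
      if (xff == "-" || xff == "") { print "NO_XFF " peer ": " req; next }
      m = split(xff, hop, /, */)
      for (i = 1; i <= m; i++)
        if (hop[i] !~ /^[0-9a-fA-F:.]+$/) { print "BAD_XFF " xff ": " req; break }
    }'
}

# Constructed sample log (documentation address ranges).
sample_log() {
  cat <<'EOF'
10.0.0.5 "203.0.113.7" [01/Jan/2025:10:00:00 +0000] "GET /reviews HTTP/1.1" 200
198.51.100.9 "127.0.0.1" [01/Jan/2025:10:00:05 +0000] "GET /queue/worker HTTP/1.1" 200
10.0.0.6 "-" [01/Jan/2025:10:00:09 +0000] "GET / HTTP/1.1" 200
10.0.0.5 "localhost, 203.0.113.7" [01/Jan/2025:10:00:12 +0000] "GET /login HTTP/1.1" 200
EOF
}

sample_log | audit_xff
```

A DIRECT finding means the backend accepted a connection that did not come through the trusted proxy, so the X-Forwarded-For value on that line was supplied by the client and cannot be trusted.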