Standalone Installer

What Is Standalone Installer

The standalone installer is a software made to install all Oz Forensics modules to customers servers, performing all required settings related to personal topology and customer requirements.

This installer is intended to deploy the software to servers directly, under the server administration user account. The direct access to the Internet can be provided or not (with some notes). Linux OS should be preinstalled with the ability to connect with full access via SSH.

For installation to OpenShift and other orchestrators, please contact us.

Prerequisites

Server Requirements

Oz Biometry / Liveness Server

• CPU: 16 cores

• RAM: 32 GB

• Disk: 80 GB

Oz API / Web UI / Web SDK Server

• CPU: 8 cores

• RAM: 16 GB

• Disk: 300 GB

Please check the OS version with our team.

sed -i 's/always/unless-stopped/g' /usr/lib/systemd/system/podman-restart.service
systemctl daemon-reload

Kubernetes (K8s) Requirements

Kubernetes version: 1.27.

Mandatory components:

• Prometheus (Helm chart version (kube-prometheus-stack) – 45.7.1),

• Nginx Ingress Controller (Helm chart version – 4.7.1, please find our Helm chart repository here),

• ClusterIssuers.

Optional components:

• Any Storage Class that supports the ReadWriteMany (RWX) mode.

Node resources’ requirements:

• CPU Architecture: Intel

• CPU/Memory: same as described in Server Requirements.

If you want to configure the values yourself, please contact us.

Preparation

1. Request a list of clients’ URLs and the corresponding SSL certificates.

2. Check that all servers are accessible via the local network.

3. Check that access is allowed either via SSH with authorization by password or by key file and sudo without password.

4. For the installation, we recommend Docker or Podman. Alternatively, you need the Internet to download and install Docker or Podman automatically.

   • Docker version 19.03 and higher and Docker Compose version 1.27 and higher (should be installed in /usr/sbin);

   or

   • Podman version 4.4 and higher (with netavark and aardvark-dns modules) and podman-compose.

5. To install the balancer (only in case your installation bundle include it), we recommend installing nginx (version >= 1.17.5). Additionally, SELinux should be switched to permissive mode (for CentOS and Redhat only). Alternatively, the Internet should be accessible for automatic download and installation.

6. Check the availability of license service by address https://api.cryptlex.com for servers. The client’s firewall should be opened for this address.

7. Check that AVX flags for CPU on BIO host are supported. To verify this, run the lscpu | grep -E 'avx256|avx512' | wc -l command. The response should be 1.

8. The client’s firewall should not block:

   • any running scripts or binary image supplied;

   • any local ports for the processes’ intercommunication (docker networks: 192.168.0.1/24, 192.168.10.0/24, 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24);

   • ports 80, 8000, 8080, 8090 on the API server and port 8091 on the BIO server;

   • port 5432 for the additional Postgres installations.

Please be ready to terminate the HTTPS connection and decrypt the traffic before forwarding it to the API server. This is typically done by a firewall or other security device.

It is important that you warn our team about all non-typical and/or non-official software or services preinstalled on the host servers.

How to Get the Installer

Request your personal copy of the installer with the preliminary ordered product bundle for your test or production environment.

Trial bundle

You can order a trial bundle for free. For this bundle, you'll need two servers meeting system requirements listed above.

How to Run the Installer

To run the installer, you need any machine with Windows or Linux matching the following system requirements:

• 1 GB RAM, 1 CPU, 3 GB hard drive

• Windows 10+ (recommended)

• Linux 64 bit (Python 3.7 is required)

Prepare the Installer

Download and unpack your personal installer bundle.

Put the required configuration to the settings.yml file. The most important settings are described below. Usually, it is only required to fill the authorization and variables sections.

Please note: the configuration file is your personal copy, sharing it with any 3rd side is prohibited.

Settings

# authorization block
auth:
  ssh_user: # SSH user login
  use_sudo: yes # use SUDO as 
  # full path to private ssh key. optional
  ssh_private_key: C:\\cygwin64\\home\\user\\.ssh\\id_rsa 

# variables block - could vary for your personal deploy bundle
# please, fill up variables in your copy, don't copy from this example
vars:
  # usually, it contains IP addresses of servers by roles
  api1: 130.193.58.196
  api2: 178.154.232.159
  bio1: 130.193.59.58
  bio2: 130.193.57.151
  text1: 178.154.232.69
  balancer: 84.201.145.209

  # also, login-password of API user with ADMIN role
  common-login: [email protected]
  common-password: 123456

# servers list. usually, it uses variable values from the block above
# it is not needed to change anything manually here
servers:
  oz-api:
    - $api1
    - $api2
  oz-api-balancer: $balancer
  oz-webui:
    - $api1
    - $api2
  oz-webui-balancer:
  oz-webadapter:
    - $api1
    - $api2
  oz-webadapter-balancer: $balancer
  oz-bio:
    - $bio1
    - $bio2
  oz-bio-balancer: $balancer
  oz-text: $text1
  # if nothing is defined here, the full API configuration
  # will use the host of the database docker service
  oz-db:

# precise settings block
settings:
  # personal license key
  license-key: "123456-123456-123456-123456-123456-123456"
  # local path on each server to store configuration and data
  working-directory: /opt/oz

  # docker settings to `docker-daemon.json`
  docker-daemon:
    # address space to run containers via Docker
    bip: 192.168.0.1/24
    # address spaces to run containers via docker-compose
    default-address-pools:
      - base: 192.168.1.0/24
        size: 24

  # settings for Oz API
  oz-api:
    install: yes  # turn on installation of the component
    install-statistic: no # turn on installation of statistic submodule
    balancer: yes # turn on installation of balancer for component
    # domain name for external access to component
    domain_name:
    # SSL certificate and key for HTTPS access (optional)
    domain_cert:
    domain_key:
    # the local path to the host where to save media files
    media_path:
    # login/password of ADMIN preinstalled account on Oz API
    admin:
      login: $common-login
      password: $common-password
    # configuration to config.py - check details in Oz API section of knowledge base
    config:
    # network port to access component 
    # (in case of SSL certificate installation, it is always 443)
    port: 80

  # settings for Oz Liveness Web Adapter
  # settings, named the same as in the Oz API block, see above
  oz-webadapter:
    install: yes
    balancer: yes
    domain_name:
    domain_cert:
    domain_key:
    # https address for redirect GET request of root /
    # by default, demo page here
    redirect_url:
    # configuration to app_config.json
    config:
    port: 88

  # settings for Oz Web UI
  # settings, named the same as in the Oz API block, see above
  oz-webui:
    install: yes
    balancer: yes
    domain_name:
    domain_cert:
    domain_key:
    # login/password for service account, is needed to synchronize database
    admin:
      login: admin
      password: admin
    # configuration to .env
    config:
    port: 80

  # settings for database for Oz API
  oz-db:
    # turn on installation of Postgres on the same machine with Oz API
    # if "no" is chosen, then Oz API connects to external database
    # in that case external address external address is specified in block
    # servers -> oz-db
    install: yes
    # master - password for Postgres, in case of chosen installation
    psql_password: CHANGEME
    # database name
    database: gateway
    # login and password for database
    user_name: gateway_user
    user_password: CHANGEUSERPASS

  # Settings for Oz Bio (Liveness + Biometry)
  # settings, named the same as in the Oz API block, see above
  oz-bio:
    install: yes
    balancer: yes
    # settings and list of models are not intended to be modified by customer
    settings:
    models:

Running

Run the command prompt with administrator's rights. Use the cd command to go to the folder where the unzipped installer is located. Launch the installation.

Windows:

oz-installer.cmd install [parameters]

Linux:

chmod +x oz-installer.sh
./oz-installer.sh install [parameters]

Optional parameters:

• filename – filename with settings ('settings.yml' by default)

• private_key – a path to the private SSH key (overwrites the appropriate option from settings file)

• key_password – password to SSH key (if not specified, the system will ask to enter it in the console)

• ssh_password – password for SSH login

• debug – generate additional logging information for support

Usage example:

install.cmd filename=settings.prod.yml key_password=psyco --debug

Troubleshooting

Every step of the installer echoes information to process.log. To report any installation issues, please, attach that file to your ticket.

If the installation was interrupted by an issue, then, after the problem resolution, the process usually is allowed to continue. If it doesn't, be ready to reset servers to their original condition. You can try to solve the issue by adding the --debug flag to the command line of the installer. You can also contact the Oz team for details.

Use the Putty ppk File for Connection

You need to extract the private part of the key and then specify the path to that file in section auth -> ssh_private_key

Convert a .ppk private key (Putty) to a base64/pem private key for OpenSSH or OpenSSL

docker-compose: Command Not Found

This error could arise when the docker-compose tool was installed independently before the installer and default binary was set to /usr/local/bin

For the correct work of the installer, please, make a symbolic link:

ln -s /usr/local/bin/docker-compose /usr/sbin/docker-compose