Product installation


Summary

This section provides instructions for an on-premises deployment of Unscrambl Qbo.

Qbo can be installed on x86 physical or virtual machines running:

  • RHEL07/CentOS 7.6 or later.

  • RHEL08/CentOS 8.0 or later.

Prerequisites


Before installing Qbo, set up an internal database and install external dependencies.

Install and configure the internal database


Qbo uses a relational database to store configuration and runtime data.

It supports MariaDB.

Install MariaDB

A standard setup uses MariaDB and Qbo on the same machine. You can install them on separate machines; however, this option requires extra configuration.

Check the MariaDB Foundation’s website for the current latest stable version.

Note

mariadb-server and MariaDB-server are different packages. Qbo requires the latest MariaDB-server packages from mariadb repo, which requires internet access to download the package.

Use your OS package manager (for example, yum or dnf for RedHat) to install the latest stable version of MariaDB, then configure it using the MariaDB Repository Configuration Tool .

Example installation

To install MariaDB 10.5 on RedHat 7 x86_64:

$ sudo bash

$ cat > /etc/yum.repos.d/MariaDB.repo <<EOF
[mariadb]
name=MariaDB
baseurl=http://yum.mariadb.org/10.5/rhel7-amd64
enabled=1
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
module_hotfixes=1
EOF

$ yum remove mariadb mariadb-server mysql-common
$ yum install -y MariaDB-server MariaDB-client

To install MariaDB-server on RedHat 8 x86_64:

$ sudo bash

$ cat > /etc/yum.repos.d/MariaDB.repo <<EOF
[mariadb]
name=MariaDB
baseurl=http://yum.mariadb.org/10.5/rhel8-amd64
enabled=1
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
module_hotfixes=1
EOF

$ yum remove mariadb mariadb-server mysql-common
$ yum install -y MariaDB-server MariaDB-client

Configure MariaDB

MariaDB is executed as a service on RedHat and its behavior is controlled by a configuration file. This is usually located in /etc/my.cnf.d/server.cnf or /etc/mysql/my.cnf).

Comment out or remove this line in the mysqld section of the configuration file:

bind-address = 127.0.0.1

This will ensure that other hosts in the cluster can interact with the MariaDB server.

Restart the operating system service to activate the configuration changes.

$ sudo service mariadb restart

Ensure that the MariaDB server is automatically started at boot time by configuring init, systemd, cron, or any other mechanism that you have in place for automating service startup.

Secure MariaDB

Once you’ve installed MariaDB, we recommend that you secure it.

Run the secure installation script:

$ sudo mysql_secure_installation

Configure MariaDB connections

Check that the server is using its default port (3306):

$ netstat -lptn | grep 3306

This will give output:

tcp   0   0 0.0.0.0:3306   0.0.0.0:*   LISTEN   11430/mysqld

If MariaDB and Qbo will be on different hosts, or will use a different port number, perform additional configuration outlined in Using a non-default MariaDB configuration.

Populate MariaDB time zone tables

The MariaDB system database includes several tables to store time zone information. Its installation procedure creates the time zone tables, but does not load them.

To load them manually, run the command below as root. You’ll need MariaDB’s root password.

$ mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql

The warnings shown below are common and can be ignored.

This will give output:

Warning: Unable to load `/usr/share/zoneinfo/leap-seconds.list` as time zone. Skipping it.

If time zone information changes, applications that use the old rules become out of date. Reload the time zone rules using the command above.

Refer to MariaDB documentation for more information.

Create MariaDB user for Qbo connection

Qbo needs a username and password to use when connecting to the MariaDB database server. By default, both the username and password are set to chai.

To create a MariaDB user called chai with the password chai, start MariaDB’s interactive shell using MariaDB’s root user:

$ mysql -u root -p

Enter the command below, replacing <username> and <password> with a username and password:

MariaDB [(none)]> CREATE USER '<username>'@'%' IDENTIFIED BY '<password>';

For example, in the default setup, both use chai, so the command will look like:

MariaDB [(none)]> CREATE USER 'chai'@'%' IDENTIFIED BY 'chai';

Give the user account privileges to create the Qbo databases:

MariaDB [(none)]> GRANT ALL PRIVILEGES ON  `chai_%` . * TO 'chai'@'%';

MariaDB [(none)]> FLUSH PRIVILEGES;

Close the MariaDB interactive shell by pressing CTRL-D (the Control and the D key, together) or entering the exit command.

Check that you can log in to MariaDB using the username and password you just configured:

$ mysql -u chai -p

If the new user has been properly configured, you will once again be greeted by the MariaDB interactive shell:

$ mysql -u chai -p

Enter password:

You will see:

Welcome to the MariaDB monitor. Commands end with ; or \g.

Your MariaDB connection id is 39
...

MariaDB [(none)]>

Use a non-default MariaDB configuration

Edit the Qbo configuration file if:

  • MariaDB is on a different host to Qbo.

  • MariaDB is listening on a port other than 3306.

  • You set up a non-default username or password; anything other than the default chai and chai.

Edit chai/etc/chai.json using a regular text editor.

Encrypt password

If you’re using a non-default password for the Qbo database server user, first encrypt the new password so it is not stored in clear text in the configuration file. Qbo includes an encryption tool that you can use. Enter:

$ UNSCRAMBL_HOME/bin/password_encryptor -p <new_password>

Update username and password

Find the userName and userPassword entries under databaseConfiguration in the configuration file. The configuration file is nested. Modify these entries with the encrypted password and the user name you set earlier.

If you use different settings than those you set up in the MariaDB configuration, update MariaDB with the new username and password.

Update host and port

If the MariaDB server isn’t using the same server as Qbo, or it is using a port other than the default 3306, add or modify the address entry under databaseConfiguration in the Qbo configuration file. The address is a tuple with the following format: hostname:port. For example, foo.example.com:3306.

External dependencies


The external software dependencies required by Qbo are specific to the operating system version and the architecture on which it will run.

The installer uses the dependency_checker utility before installing Qbo to ensure that all the dependencies are in place. This utility inspects the environment for RedHat provided software (referred to as OS-provided software in the rest of this documentation).

It also checks for specific Python packages and Node.js npm packages required by Qbo, which are provided as a virtualenv environment (for Python) and a node modules directory (for Node.js), pre-packaged and configured to match the needs of Qbo.

Install operating system software packages using the regular mechanism employed to download and install them, usually yum on RedHat.

The output from dependency_checker will be similar to:

$ $UNSCRAMBL_HOME/bin/dependency_checker -l

This will give output:

List of OS package dependencies:

mariadb: 5.5 (not installed)
mariadb-libs: 5.5 (installed)
mariadb-server: 5.5 (installed)

List of Python package dependencies (available in the Qbo virtualenv):

In this example, one external dependency (mariadb) is not currently installed. Assuming the host is running RedHat Linux, the person running the installation needs to use yum to install mariadb.

Install OpenResty

Qbo is dependent on nginx, which is released with the OpenResty platform. Install OpenResty before installing Qbo. See https://openresty.org/en/linux-packages.html.

Installing OS packages on a server without internet connection

Often, the server (or cluster) where Qbo is to be installed does not have direct internet connection. You’ll need the operating system installation CD/DVD or an .iso image with the OS installation.

If your installation is RedHat-based, use one of the following alternatives:

When installing external operating system-managed dependencies, as long as the major and minor version numbers match, the dependency is considered satisfied.

SSL certificate

An SSL certificate provides an assurance that the current interaction is between a client and a properly identified server. It also provides the key that the browser and web server will use to encrypt the connection.

When an SSL certificate is installed on a web server, a browser will use the encrypted HTTPS protocol when interacting with the server. It will also display the padlock icon that indicates a secure connection in the address bar. Qbo web service uses an SSL certificate to authenticate and encrypt all interactions between a web client and server. This ensures that no sensitive information flows over between a client and server in clear text form.

Purchase an SSL certificate from a vendor or download one for free from an organization such as Let’s Encrypt.

Commercial SSL certificates are typically verified and accepted by mainstream web browsers such as Google Chrome and Mozilla Firefox.

SSL certificates can also be provided by any entity hosting a Public Key Infrastructure (PKI). These certificates work just like commercial certificates, but they aren’t produced by recognized CAs. Because of this, most browsers will produce a warning or rejection when visiting the web server. If the web server will only be accessed by employees, you can add the certificate to the browser’s list of accepted certificates.

You can use Qbo with either type of certificate, but we strongly recommend that you use a certificate from an officially recognized commercial or non-profit CA.

Install Qbo


If you’ll be making Qbo available to users via HTTPS-secured web access, before installing Qbo:

  • Configure a DNS entry that will provide a user-friendly URL.

  • Purchase a commercial SSL certificate for that URL.

It might be helpful to become familiar with the infrastructure used to provide HTTPS access to Qbo by reading the steps outlined in the Configure web proxy section before attempting the installation steps.

Follow the steps below carefully.

Extract the tarball


Install Qbo using the same username that you’ll use to manage it post-installation. We recommend you use the default username of chai.

The Qbo installation tarball includes:

  • The Qbo software platform itself, comprising all the necessary components to run Qbo-supported solutions.

  • The pre-configured Python virtualenv environment, comprising all Python dependencies required by Qbo solutions to run.

  • The pre-configured npm node modules directory, comprising all Node.js dependencies required by Qbo solutions to run.

  • The external open source software required by Qbo; for example, Node.js, Oracle JVM.

To extract the tarball, run the following command:

$ tar xvfz cloudVm-<version>-<os>.tar.gz

Where:

  • <version> is the product version, and

  • <os> is the specific operating system you’re installing it on.

For example, if installing on RedHat 7:

$ tar xvfz cloudVm-7.1.2-rhel07.tar.gz

Extract the software:

$ mkdir -p /opt/unscrambl/cloudVm/rhel07

$ tar xzvf cloudVm-<version>-rhel07.tar.gz -C /opt/unscrambl/cloudVm/rhel07

/opt/unscrambl/cloudVm/rhel07 is the recommended path; however, you can substitute a different path.

If you’re using a different operating system, like RedHat 8, substitute the abbreviation in the tarball and path. For example:

$ tar xvfz cloudVm-<version>-rhel08.tar.gz

Run the installer


Run the installer. For example, if you extracted the tarball to a directory called $UNSCRAMBL_HOME:

Note: Assuming Qbo is installed at location /opt/unscrambl/chai/rhel07.

$ cd /opt/unscrambl/chai/rhel07/chai/bin

$ ./installer

installer is an interactive program that will guide you through specific installation and configuration choices.

Unscrambl chAI is a commercial product, subjected to End-User License Agreement terms. A paper-based or digital
copy of these terms must have been signed and agreed by someone authorized to do so in your organization,
prior to carrying out this configuration. A non-customer specific copy of these terms is included for your
reference in this installation package (unscrambl/license/eula.pdf).
Do you confirm that you are authorized to proceed with the configuration based on the terms specified in your
organization's own license agreement with Unscrambl Inc. (y/n)?

Enter the directory that will host the Qbo instance. This is the location in the file system where Qbo will host its services, logs, and the data used by Qbo data management services.

Select a network interface to use for external TCP/IP traffic. Choose the interface that provides connectivity to other hosts in the cluster (if any) and external services that Qbo will need to interface with.

Please select the network interface to use for external TCP/IP traffic (default: 'eth0'):

[0] lo: 127.0.0.1
[1] eth0 10.0.0.123
[2] tun0: 10.8.0.45

Select the number corresponding to the interface you want (default: 1 for interface 'eth0'): 1

The 'eth0' network interface will be used for all external TCP/IP traffic.

Enter the port that Qbo should use for HTTP-based backend services, or leave blank to choose the default port, 8081.

Please enter the HTTP port for the REST server to be used by Unscrambl chAI (if left empty, the HTTP port will
be 8081):

If you will keep Qbo behind an nginx or Apache web proxy, enter y to allow Qbo insight’s backend services to bind only to localhost. This is the recommended configuration, as it is more secure.

If you want to enable remote, unencrypted HTTP connections, enter n to allow Qbo insight’s backend services to bind to non-local addresses. This is not recommended, as information is transmitted in the clear and is vulnerable to listeners.

Leave blank to choose the default localhost-only binding.

When using HTTP, do you want to bind only to localhost ([y]es: only a local connection to the REST server will be
possible. This configuration is meant to be used behind a web proxy such as nginx or Apache httpd; / [n]o: remote
HTTP will be possible. This configuration is insecure and STRONGLY discouraged as all interactions between chAI's
client and its backend, including authentication, will go in the clear over network connections) (if left empty,
only a local connection to the REST server will be possible) (y/n)?

Warning

Qbo has access to, handles, and transports potentially sensitive information. It occasionally needs to transfer potentially sensitive information between the web-based interface and the backend. To keep this data safe, we strongly recommend using encryption through the use of HTTPS.

Qbo uses data like:

  • Authentication information: In certain configurations, Qbo requires a user account. It can be configured to authenticate using external services, such as OpenID and OAuth providers. These authentication connections can include user credentials. Qbo does not store user passwords in the clear.

  • Metadata and personal information about users and corporate data: Qbo carries out analytics with data that is often private and sensitive, including information from conversations and corporate data sources.

  • While in certain configurations Qbo may be hosted in an internal network, never facing non-corporate users, it does integrate with other segments of an enterprise computing environment.

We recommend that you take every possible precaution to protect the integrity and confidentiality of the data consumed and produced by this platform.

There are two possible configurations to choose from:

  • HTTP, available network-wide (STRONGLY DISCOURAGED): this is the simplest form of installing Qbo. However, it is insecure, and potentially sensitive information is transmitted in the clear, flowing from the user’s browser to the server without any encryption. This could include passwords and credentials used for authenticating via external services.

  • HTTP, available only in the localhost interface, proxied by an HTTPS web proxy (STRONGLY RECOMMENDED): HTTPS web proxy servers are designed and hardened to offer remote data connections. This configuration is more secure and minimizes the chances of a sensitive data breach. Interactions between the browser-based user interface and the web proxy in front of Qbo’s backend is HTTPS encrypted. The web proxy runs as root and employs a regular local HTTP connection to the Qbo backend. To install and configure a web proxy to act as an HTTPS endpoint, see Configure web proxy.

If everything is correctly configured, a success status message will be printed out:

the Unscrambl chAI environment has been configured successfully...

Configuring web proxy


Web proxy prerequisites

Before installing and configuring the web proxy, set up a DNS CNAME entry to point to Qbo and obtain an SSL certificate for the web proxy.

Qbo consists of a set of backend services, accessible via a web-based user interface and optionally via third-party messaging platforms.

Communication between the web-based user interface and the backend employs REST APIs over HTTP or HTTP via an HTTPS proxy. If you plan to use Qbo with a messaging-based channel, you need to set up a web proxy.

Unscrambl strongly recommends that you use HTTP via an HTTPS proxy, to ensure encryption of any sensitive information transmitted over the network.

This option requires installing Qbo with HTTP support, where the backend is bound only to the local lo network interface, allowing HTTP access only within the host where the Qbo web server runs.

You can use an Apache or nginx web proxy to provide HTTPS access to Qbo. Both are packaged and available in Linux distributions:

Configure a DNS CNAME Entry to point to Qbo (Optional)

Ideally, the URL used to access Qbo will be in the form https://Unscrambl.example.com/chai, where:

  • Unscrambl designates this locator as an Unscrambl product installation at example.com (your internet domain).

  • chai indicates the name of the product.

Usually, the friendlier Unscrambl name will map to an internal server hosting the Qbo installation, whose name will follow an (often less friendly) internal IT convention; for example, chai-cluster003-node001.acme.com. We recommend that you configure a DNS alias before installing Qbo.

DNS server record update procedures vary. We recommend that you contact a local IT specialist to carry out the actual DNS registration.

For example, an organization using TinyDNS might add the following entry to its configuration: Cunscrambl.acme.com:chai-cluster003-node001.acme.com:120 and invoke the tinydns-data utility to activate this entry.

Obtain an SSL certificate

SSL certificates come in different forms. You can obtain a certificate for a single host name, for multiple host names, or as a wildcard, accepting any name under a particular domain. All of these ought to work with Qbo. However, a single-host certificate is sufficient and this option is often the most economical as well.

Procedures to obtain a certificate vary both for commercial as well as for self-signed internal certificates. Consult a local IT specialist to understand which alternative best suits your environment.

The rest of this document assumes that you have a commercial certificate available as you configure the web proxy.

A set of files related to the certificate must be available. The example below assumes that the certificates are kept in a directory called unscrambl.acme.com:

Once you have the certificate and can locate these files, install and configure Apache httpd or nginx.

In the following sections, we assume that you are installing on a RedHat 7 (or CentOS 7) server, where the Qbo web backend will eventually run.

Since the installation and configuration require you to update system-owned resources, you’ll need either sudo or root access to complete the next stage.

Configure Apache httpd

Download and install required OS packages:

$ yum install -y httpd mod_ssl

Enable the httpd service to ensure that it is started on boot:

$ systemctl enable httpd

Enable proxying by adding a new virtual host entry in httpd’s main configuration file, /etc/httpd/conf/httpd.conf:

virtual host entry
    <VirtualHost *:443>
        # Unscrambl chAI will be accessible at https://unscrambl.example.com/chai
        ServerName unscrambl.example.com

        # Unscrambl chAI must be configured with HTTP access restricted to localhost binding to port 8081
        # Note that the IPv6 address being used, [::1], is the IP address corresponding to the loopback
        # interface. Unscrambl chAI's server instance will use the IPv6 protocol stack by default
        ProxyPass /chai http://[::1]:8081/chai
        ProxyPassReverse /chai http://[::1]:8081/chai

        # Unscrambl chAI's web interface requires a WebSocket endpoint called 'directLine' to be exposed
        RewriteEngine on
        RewriteCond %{HTTP:Upgrade} websocket
        # The port used for the 'directLine' WebSocket endpoint (8081 in this example) must match the port
        # specified for the 'chai' endpoint above
        RewriteRule ^/(.*)$ ws://[::1]:8081/$1 [P]
        ProxyPass /directLine http://[::1]:8081/directLine
        ProxyPassReverse /directLine http://[::1]:8081/directLine

        ProxyPreserveHost on
        ProxyRequests off
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
        SSLCertificateFile /etc/httpd/stash/unscrambl.example.com/fullchain.pem
        SSLCertificateKeyFile /etc/httpd/stash/unscrambl.example.com/privkey.pem
        SSLEngine on
        SSLProtocol TLSv1.2
        SSLProxyEngine on
        <Location "/directLine">
            ProxyPass "ws://[::1]:8081/directLine"
        </Location>
    </VirtualHost>

Note that in the configuration above, we chose to install the certificate-related files under /etc/httpd/stash. This is not essential, but does make it simpler for you to apply the correct SE Linux context to these files:

$ restorecon -vr /etc/httpd/stash

Next, start or restart httpd:

$ systemctl start httpd

If the configuration is correct, you can start Qbo, open a browser and point it to https://unscrambl.example.com/chai.

To start Qbo, see Managing Qbo Services.

Configure nginx

Download and install the required OS packages:

$ yum install -y nginx

Enable the nginx service to ensure that it is started on boot:

$ systemctl enable nginx

Enable proxying by adding a new server entry to the nginx main configuration file, /etc/nginx/nginx.conf:

new server entry
http {
...
    server {

        listen 443;
        server_name unscrambl.example.com;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

        ssl on;
        ssl_certificate /etc/nginx/stash/unscrambl.acme.com/fullchain.pem;
        ssl_certificate_key /etc/nginx/stash/unscrambl.acme.com/privkey.pem;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1.2;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;

        # Unscrambl chAI will be accessible at https://unscrambl.example.com/chai
        location /chai {
            # Unscrambl chAI must be configured with HTTP access restricted to localhost binding to port 8081
            # Note that the IPv6 address being used, [::1], is the IP address corresponding to the loopback
            # interface. Unscrambl chAI's server instance will use the IPv6 protocol stack by default
            proxy_pass http://[::1]:8081/chai;
            proxy_redirect off;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Proto "https";
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Real-IP $remote_addr;
        }

        # Unscrambl chAI's web interface requires a WebSocket endpoint called 'directLine' to be exposed
        location /directLine {
            # The port used for the 'directLine' WebSocket endpoint (8081 in this example) must match the port
            # specified for the 'chai' endpoint above
            proxy_pass http://[::1]:8081/directLine;
            proxy_read_timeout 86400;
            proxy_redirect off;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Proto "https";
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}

Note that in the configuration above, we chose to install the certificate-related files under /etc/nginx/stash. This is not essential, but does make it simpler for you to apply the correct SE Linux context to these files:

$ restorecon -vr /etc/nginx/stash

Start or restart nginx:

$ systemctl start nginx

If the configuration is correct, you can start Qbo, open a browser and point it to https://unscrambl.example.com/chai.

To start Qbo, see Managing Qbo Services.

Test and troubleshoot the web proxy installation

To use the web interface, enter the access URL in the browser window.

Typical problems that occur in a new installation, where either RHEL or CentOS is being used:

Firewall configuration

If the server running the proxy has firewalld installed, HTTPS access is typically blocked by default. While we provide some helpful directions below, we strongly recommend that you read the firewalld documentation so that you fully understand the impact of these actions.

To check on the current status of firewalld:

$ firewall-cmd --list-all

This should give output:

public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client https ssh
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

If https does not appear in the list of services (as it does above), add it, either temporarily:

$ firewall-cmd --zone=public --add-service=https

$ firewall-cmd --reload

Or permanently:

$ firewall-cmd --zone=public --permanent --add-service=https

Rerun the status command to check that HTTPS access to the server is now enabled:

$ firewall-cmd --list-all

SE Linux access control

The SE Linux configuration SELinux is a set of kernel modifications and tools that have been added to RedHat and CentOS, providing support for access control security policies. It may affect the web proxy.

If the SELinux access control is not properly configured for the web proxy, there will be two symptoms:

  • An access from the browser is rejected, often with a “bad gateway” error message.

  • The SELinux log file (ll /var/log/audit/audit.log) will include a rejection of an operation attempted by the

    web proxy.

Note that you’ll need root access to view the logs or reconfiguring SELinux policies. The example below is from an nginx proxy, but httpd will look similar:

$ grep nginx /var/log/audit/audit.log

This will give output:

type=AVC msg=audit(1490570804.119:555): avc:  denied  { name_connect } for  pid=5725 comm="nginx"
dest=8080
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0
tclass=tcp_socket

Modifying SELinux configuration will have a direct impact on the security of a host as well as on the overall network where that host is located. Unscrambl strongly recommends that the person changing SELinux policies be someone familiar with its configuration. It’s important that your organization understand the potential repercussions of following the procedures below.

Understand this audit entry by running the following command, which also offers possible fixes:

$ ausearch -c nginx | audit2allow -m nginx
possible fixes
    module nginx 1.0;

    require {
        type httpd_t;
        type http_cache_port_t;
        class tcp_socket name_connect;
    }

    #============= httpd_t ==============

    #!!!! This avc can be allowed using one of the these booleans:
    #     httpd_can_network_connect, httpd_can_network_relay
    allow httpd_t http_cache_port_t:tcp_socket name_connect;

Check the current state of these boolean settings - at this point, probably off:

$ getsebool -a | grep httpd

To allow network connections from the web proxy to the actual server so it can act as a relay:

$ setsebool -P httpd_can_network_relay on

Alternatively, add a new SELinux non-base policy:

$ cd /tmp

$ ausearch -c nginx | audit2allow -M nginx</soan>

$ semodule -i nginx.pp

$ rm nginx.pp

The following sections detail the process of starting/stopping the product, performing one-time setup, and configuring other aspects of the product, including the data source and the data model.