FineOps Help

Preparing the FineOps Server

  • Last update: 2025-04-24

    • Overview 

    The resource requirements that a server must meet for deploying FineOps are detailed in this article.

    Server Quantity 

    Virtual machines are prone to issues such as resource contention, which may cause unexpected system failure, making them unsuitable for deploying FineOps.

    FineOps Edition
    		Recommendation
    FineOps Standard Edition

    It is recommended that FineOps monopolize one server.

    That is, only deploy FineOps on the server, and do not deploy other applications or FanRuan projects to ensure the independence of operation and maintenance.

    FineOps Basic Edition

    FineOps can share a server with a single-node FanRuan project.

    That is, deploy FineOps and a FanRuan application (a standalone project) on the server, and do not deploy other content.

    Docker Installation Check 

    When using the FineKey tool to deploy FineOps, the Docker container is automatically installed.

    Ensure that the server where FineOps is located has no pre-installed Docker. Otherwise, the FineOps deployment may fail due to version and permission issues.

    Execute the following command. 

    docker version

    • If it returns nothing, no Docker is installed.

    • If it returns the version number, Docker has been installed. Uninstall Docker or replace the server.

    Operating System  Verification

    Configuration

    		Requirement
    Operating system typeLinux
    Operating system architectureX86_64

    Operating system kernel

    Version 3.10 and above

    Operating system software

    Recommended: Ubuntu 22

    Supported: 

    Ubuntu 18.04.4 and later releases (except for Ubuntu 20.04)

    CentOS 7.3 to 7.9

    Red Hat 7.6 and later releases

    Rocky Linux 8.8 to 9.4

    iconNote:

    You are advised to use Ubuntu since CentOS is discontinued. 

    Ensure the user you use has relevant permission if the operating system is Ubuntu (as the default root user is not a superuser).

    Resource Allocation Confirmation

    The server on which FineOps is deployed shall meet the following requirements.

    Item

    Requirement

    CPUAt least four cores
    Disk typeXFS
    Remaining free disk space of the root directory

    1 GB

    Remaining free disk space of the installation directory

    Take the larger value between the following listed ones as the configuration requirement.

    1. Ensure the server contains a partition with at least 100 GB (200 GB recommended) of free space.

    iconNote:
    If you are preparing a new disk, the one with a minimum free space of 120 GB is recommended. As the system takes up some space, the free space may be less than 100 GB.

    2. The required disk space of the FineOps server increases with the number of daily visits and nodes of the O&M project to be connected (if any). An extra 100 GB is required per 50000 daily visits and an extra 50 GB is required per node.

    iconNote:
    You can use the df-h command to query the disk space. There must be a partition that meets the condition. 
    Remaining free physical memory

    For an exclusive server of FineOps Standard Edition, the memory larger than 16 GB is recommended and should be at least 12 GB. 

    For an inclusive server of FineOps Standard Edition, the memory should be larger than 16 GB.

    For the server of FineOps Basic Version, the memory should be larger than 4 GB.

    iconNote:

    1. If the number of main application nodes of O&M projects to be connected exceeds 10, an extra 100 MB of memory is required per main application node.  

    2. For projects deployed on the same server as FineOps, you must perform registration authentication after deployment.

    • For the intranet environment that can be connected to the Fanruan cloud or the extranet environment, you are advised to authenticate registration via a public cloud. For details, see Public Cloud Authentication.

    • For the pure intranet environment, you need to install a registration service component on the project component server and authenticate registration via private cloud on FineOps. Therefore, you must ensure an additional 2 GB of free physical memory on this server. For details, see New Project Registration

    Extranet bandwidth

    Greater than or equal to 5 MB/s

    The configuration requirements in the above table must be met because each component of FineOps has default configuration requirements, as shown in the following table.

    iconNote:

    A resource-sharing strategy is used to prevent resource over-provisioning, as the components do not run at full load simultaneously.

    The total amount of required server resources are not the sum of the maximum usage amount of each container.


    ComponentMaximum CPU UsageMaximum Memory UsageMemory Configuration
    OPS2 cores4 GB

    xmx = 2 GB

    -XX:ReservedCodeCacheSize = 250 MB

    -XX:MaxDirectMemorySize = 500MB

    -XX:MaxMetaspaceSize = 500 MB

    OPS Agent1 core1 GB

    xmx= 0.5 GB

    -XX:MaxDirectMemorySize = 100 MB

    MALLOC_ARENA_MAX = 8

    Nginx1 core1 GB/
    Pushgateway2 cores1 GB/
    Prometheus1 core2 GB/
    Grafana1 core1 GB/
    Alertmanager1 core0.5 GB/
    Elasticsearch1 core4 GBxmx = 2 GB
    SkyWalking OAP1 core3 GBxmx = 2 GB
    Registry1 core1 GB/

    Port Availability Confirmation

    FineOps includes many components, and some of them require port mapping to the host machine, occupying server ports for operation.

    Before deployment, ensure the port to be mapped automatically (default port) is not in use. If it is already in use, use a free port.

    iconNote:

    1. For instructions on port occupancy inspection and firewall configuration, see Port Occupancy Inspection and Firewall Configuration.

    2. You do not need to reserve server ports for the OPS, Pushgateway, Prometheus, Grafana, and Alertmanager components, because they require no port mapping to the host machine.

    ComponentDefault Port
    Nginx

    It is the port you use to access FineOps.

    Deployed by a root user: 80

    Deployed by a non-root user: 8090

    OPS Agent9071
    Elasticsearch9200
    SkyWalking OAP11800 and 12800
    Registry5000
    iconNote:
    When opting for custom ports instead of the default ones listed in the table above, steer clear of the following ports. 
    TypeReason
    Ports not available to non-root users

    If using a non-root user for installation, do not use ports below 1024.

    In a Linux environment, non-root users can only use ports 1024 and above.

    Ports deemed insecure by Google Chrome

    Google Chrome identifies the following ports as insecure ports with potential security threats. 

    Do not use the following ports, as doing so will prevent Google Chrome from accessing FineOps. 

    1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 22, 23, 25, 37, 42, 43, 53, 69, 77, 79, 87, 95, 101, 102, 103, 104, 109, 110, 111, 113, 115, 117, 119, 123, 135, 137, 139, 143, 161, 179, 389, 465, 512, 513, 514, 515, 526, 530, 531, 532, 540, 548, 554, 556, 563, 587, 601, 636, 989, 990, 993, 995, 1719, 1720, 1723, 2049, 3659, 4045, 5061, 6000, 6566, 6665, 6666, 6667, 6668, 6669, 6697, and 10080

    iconNote:
    Given Google Chrome's ongoing updates, the insecure port list may be updated. For the latest port information, see the official document of Google Chrome.

    Network Connectivity Validation

    Certain server ports must be opened to ensure normal access to FineOps and smooth deployment and monitoring of O&M projects.

    iconNote:
    For instructions on port occupancy inspection and firewall configuration, see Port Occupancy Inspection and Firewall Configuration.

    Extranet and FineOps

    Description
    		Extranet
    		RelationFineOps
    For the admin to access FineOps

    O&M personnel 

    (unlimited IP address)

    		Access ->

    FineOps Nginx 

    The default port is as follows.

    • FineOps deployed by a root user: 80

    • FineOps deployed by a non-root user: 8090

    • FineOps configured with SSL: 443

    For FineOps to pull images from the cloud repository

    FanRuan cloud image repository

    (fineops-registry.cn-hangzhou.cr.aliyuncs.com:443)

    		<- Access

    Registry: 5000

    FineOps and O&M Project

    Description
    		FineOps
    		RelationO&M Project
    Basic O&MFineOps Nginx

    The default port is as follows.

    • FineOps deployed by a root user: 80

    • FineOps deployed by a non-root user: 8090

    • FineOps configured with SSL: 443

    		<- Access

    The application node and the engine node of the project, including FineBI - Application Node, Engine - Metadata Node, Engine - Calculation Node, FineReport, and FineDataLink

    Transmitting the server and component indicator information of the project to FineOpsFineOps Nginx

    The default port is as follows.

    • FineOps deployed by a root user: 80

    • FineOps deployed by a non-root user: 8090

    • FineOps configured with SSL: 443

    		<- Access

    The OPS Agent component on every server of this project (on project nodes and cluster component nodes): 9070

    Tracing

    FineOps SkyWalking OAP:

    11800 and 12800

    		<- Access

    The application node and the engine node of the project, including ineBI - Application Node, Engine - Metadata NodeEngine - Calculation Node, FineReport, and FineDataLink

    Tracing

    FineOps SkyWalking OAP:

    11800 and 12800

    		<- Access

    FineOps Nginx

    The default port is as follows.

    • FineOps deployed by a root user: 80

    • FineOps deployed by a non-root user: 8090

    • FineOps configured with SSL: 443

    Pulling components from the image repository of FineOps for project deploymentregistry: 5000<- Access

    The project node, the BI engine node, and the cluster component node on every server

    Mounting Directory Preparation

    The FineOps mounting path associates essential FineOps files on the host machine with those in the container, realizing data persistence and enabling quick file viewing.

    1. Check the server disk space.

    Use the df-h command to find a mounting point with large free space.

    In this example, the most appropriate mounting point for the server is the /home directory.

    1719992696Lkrq_fixed.jpeg

    2. Create a folder.

    Select an appropriate position in this directory and create a folder as the  FineOps mounting directory.

    • Use the mkdir command to create a folder. (In this example, a folder named fanruan is created in the /home directory.) 

    mkdir/home/fanruan

    • Use the chmod command to grant permission on the folder. (In this example, the 777 permission is assigned.) 

    chmod 777/home/fanruan

    The mounting path (/home/fanruan) is the value of the dataRootPath parameter in the finekey.yaml file used to deploy FineOps.

    iconNote:
    The value of dataRootPath cannot be /, /usr/root, or /usr/local.

    3. Empty ACL rules.

    An access control list (ACL) is a list of rules that specify the access permission of different users or user groups on files and directories.

    If the mounting directory is configured with an ACL, after deployment, the data-root directory of the Docker container will inherit the ACL automatically, which may lead to various issues caused by lack of permission such as container startup failure.

    Therefore, you are advised to remove all ACL rules configured for the mounting directory and retain the UNIX permission only. 

    setfacl -b /Mounting path

    User Permission Confirmation

    Deploying FineOps Using a Superuser Account

    You are advised to use the account with a user ID of 0 and a username of root to upload, decompress, and run the FineKey tool for containerized deployment.

    Ensure the root user can connect to the FineOps server via the SSH protocol. Ensure the password used for SSH connection contains no English single quotation marks, otherwise, the permission will fail to be validated during deployment.

    iconNote:

    1. The user whose user ID is 0 but whose username is not root cannot be used for deployment. Rename it root.

    2. The default root user of a Ubuntu operating system is not a superuser. Ensure the user you use has the following permission.

    Deploying FineOps Using a Regular User Account

    To deploy FineOps using a regular user account, ensure the user has the following permission.

    iconNote:

    1. For permission necessity, see Linux User Permission Explanation.

    2. A Docker environment will be created on the target server and the user you use will be added to the Docker user group automatically during FineOps deployment. You must terminate the current terminal session and reconnect to the server using a new terminal session. This step is essential for the user group changes to take effect, enabling the execution of Docker commands and related operations.

    TypePermission Requirement
    User password

    Ensure the user you use can connect to the FineOps server via the SSH protocol.

    Ensure the password used for SSH connection contains no English single quotation marks, otherwise, the permission will fail to be validated during deployment.

    Permission on the directory where FineKey is stored

    FineOps deployment relies on the FineKey installation package. You are required to upload the FineKey installation package to the server and execute commands to decompress the package and deploy FineOps.

    For the directory to which you want to upload the FineKey installation package and save the extracted package content, ensure that: 

    • The user you use has the necessary permission to execute the tar command in the directory so that you can decompress the FineKey installation package.

    • The user is the directory owner. You can use the following command to grant permission.

    chown -R Username /Absolute path of the FineKey installation package

    • The user has read, write, and execute permission for the directory. You can use the following command to grant permission.

    chmod -R 755 /Absolute path of the FineKey installation package
    Permission on the FineOps installation directory

    Since you need to add and edit files in the FineOps installation directory when installing FineOps, ensure that:

    • The user you use is the owner of the FineOps installation directory prepared in the previous section. You can use the following command to grant permission.

    chown -R Username /Absolute path of the FineOps installation directory

    • The user has read, write, and execute permission for the FineOps installation directory prepared in the previous section. You can use the following command to grant permission.

    chmod -R 755 /Absolute path of the FineOps installation directory
    User's sudo permission

    You must allow the user to execute configuration commands using the sudo command as a root user on any host computer.

    • Modify the /etc/sudoers file. The following is an example.

    Username     ALL=(root) /bin/sh,/bin/mkdir,/bin/rm,/bin/cp,/bin/systemctl,/bin/kill,/usr/sbin/sysctl,/usr/bin/gpasswd,/usr/ sbin/groupadd,/usr/bin/chown,/usr/sbin/modprobe,/usr/bin/echo,/usr/bin/sed,/usr/sbin/swapoff,/bin/sudo

    •  (Optional) Allow the user to execute commands using the sudo command without entering a password if the user still lacks permission.

    Username     ALL=(root) NOPASSWD: bin/sh,/bin/mkdir,/bin/rm,
/bin/cp,/bin/systemctl,/bin/kill,/usr/sbin/sysctl,
/usr/bin/gpasswd,/usr/sbin/groupadd,/usr/bin/chown,
/usr/sbin/modprobe,/usr/bin/echo,/usr/bin/sed,
/usr/sbin/swapoff,/bin/sudo
    The requiretty option

    Ensure the user does not require a TTY session to execute sudo commands. This will allow the execution of sudo commands through scripts/remote commands.

    Comment out the requiretty-related content in the /etc/sudoers file. The following is an example.

    #Defaults: requiretty

    SELinux Disabling

    Security-Enhanced Linux (SELinux) is a security module integrated into the Linux kernel, which strictly restricts access to system resources by programs and users via mandatory access control mechanisms.

    The enabled SELinux may interfere with starting Docker as a service using the systemctl command.

    Disable SELinux before deployment to ensure smooth deployment using FineKey.

    Operation
    		Command
    Check the SELinux status.

    Command: 

    getenforce

    Return value:

    • Enforcing: SELinux is in enforcing mode. All operations violating SELinux policies will be blocked.

    • Permissive: SELinux is in permissive mode. Operations violating SELinux policies will not be blocked but will be logged.

    • Disabled: SELinux is disabled. The system no longer enforces SELinux security policies.

    Disable SELinux if the return value is Enforcing.

    Disable SELinux.

    1. Disabling SELinux Temporarily

    Command: 

    sudo setenforce 0

    This switches SELinux from enforcing mode to permissive mode. No server reboot is required, and the change takes effect immediately.

    2. Disabling SELinux Permanently (Optional)

    • Edit the configuration file: 

    sudo vi /etc/selinux/config

    • Modify the SELinux status:

    SELINUX=disabled

    Reboot the server for the changes to take effect.

    3. Notes

    If you disable SELinux after the ./finekey command gets stuck, terminate the related processes and re-execute ./finekey for deployment.

    • Stop Docker: 

    systemctl stop docker

    (This command may also get stuck. Interrupt it with Ctrl + C.)

    • Kill the stuck process: 

    kill -9 $(pidof dockerd)

    You can now re-execute ./finekey to proceed with the deployment.

    Attachment List


    Theme: FineOps Deployment
    Previous
    Next
    • Helpful
    • Not helpful
    • Only read
    中文(繁體) 中文(简体)
    English