- Overview
- Requirements
- Deployment templates
- Manual: Preparing the installation
- Manual: Preparing the installation
- Step 2: Configuring the OCI-compliant registry for offline installations
- Step 3: Configuring the external objectstore
- Step 4: Configuring High Availability Add-on
- Step 5: Configuring SQL databases
- Step 7: Configuring the DNS
- Step 8: Configuring the disks
- Step 9: Configuring kernel and OS level settings
- Step 10: Configuring the node ports
- Step 11: Applying miscellaneous settings
- Step 12: Validating and installing the required RPM packages
- Step 13: Generating cluster_config.json
- Cluster_config.json Sample
- General configuration
- Profile configuration
- Certificate configuration
- Database configuration
- External Objectstore configuration
- Pre-signed URL configuration
- ArgoCD configuration
- Kerberos authentication configuration
- External OCI-compliant registry configuration
- Disaster recovery: Active/Passive and Active/Active configurations
- High Availability Add-on configuration
- Orchestrator-specific configuration
- Insights-specific configuration
- Process Mining-specific configuration
- Document Understanding-specific configuration
- Automation Suite Robots-specific configuration
- AI Center-specific configuration
- Monitoring configuration
- Optional: Configuring the proxy server
- Optional: Enabling resilience to zonal failures in a multi-node HA-ready production cluster
- Optional: Passing custom resolv.conf
- Optional: Increasing fault tolerance
- Adding a dedicated agent node with GPU support
- Adding a Dedicated Agent Node for Automation Suite Robots
- Step 15: Configuring the temporary Docker registry for offline installations
- Step 16: Validating the prerequisites for the installation
- Running uipathctl
- Manual: Performing the installation
- Post-installation
- Cluster administration
- Managing products
- Getting Started with the Cluster Administration portal
- Migrating Redis from in-cluster to external High Availability Add-on
- Migrating data between objectstores
- Migrating in-cluster objectstore to external objectstore
- Migrating from in-cluster registry to an external OCI-compliant registry
- Switching to the secondary cluster manually in an Active/Passive setup
- Disaster Recovery: Performing post-installation operations
- Converting an existing installation to multi-site setup
- Guidelines on upgrading an Active/Passive or Active/Active deployment
- Guidelines on backing up and restoring an Active/Passive or Active/Active deployment
- Scaling a single-node (evaluation) deployment to a multi-node (HA) deployment
- Monitoring and alerting
- Migration and upgrade
- Migrating between Automation Suite clusters
- Upgrading Automation Suite
- Downloading the installation packages and getting all the files on the first server node
- Retrieving the latest applied configuration from the cluster
- Updating the cluster configuration
- Configuring the OCI-compliant registry for offline installations
- Executing the upgrade
- Performing post-upgrade operations
- Product-specific configuration
- Best practices and maintenance
- Troubleshooting
- How to troubleshoot services during installation
- How to reduce permissions for an NFS backup directory
- How to uninstall the cluster
- How to clean up offline artifacts to improve disk space
- How to clear Redis data
- How to enable Istio logging
- How to manually clean up logs
- How to clean up old logs stored in the sf-logs bucket
- How to disable streaming logs for AI Center
- How to debug failed Automation Suite installations
- How to delete images from the old installer after upgrade
- How to disable TX checksum offloading
- How to manually set the ArgoCD log level to Info
- How to expand AI Center storage
- How to generate the encoded pull_secret_value for external registries
- How to address weak ciphers in TLS 1.2
- How to check the TLS version
- How to work with certificates
- How to schedule Ceph backup and restore data
- How to collect DU usage data with in-cluster objectstore (Ceph)
- How to install RKE2 SELinux on air-gapped environments
- How to clean up old differential backups on an NFS server
- Error in downloading the bundle
- Offline installation fails because of missing binary
- Certificate issue in offline installation
- SQL connection string validation error
- Azure disk not marked as SSD
- Failure after certificate update
- Antivirus causes installation issues
- Automation Suite not working after OS upgrade
- Automation Suite requires backlog_wait_time to be set to 0
- Temporary registry installation fails on RHEL 8.9
- Frequent restart issue in uipath namespace deployments during offline installations
- DNS settings not honored by CoreDNS
- Upgrade fails due to unhealthy Ceph
- RKE2 not getting started due to space issue
- Upgrade fails due to classic objects in the Orchestrator database
- Ceph cluster found in a degraded state after side-by-side upgrade
- Service upgrade fails for Apps
- In-place upgrade timeouts
- Upgrade fails in offline environments
- snapshot-controller-crds pod in CrashLoopBackOff state after upgrade
- Upgrade fails due to overridden Insights PVC sizes
- Upgrade failure due to uppercase hostname
- Setting a timeout interval for the management portals
- Authentication not working after migration
- Kinit: Cannot find KDC for realm <AD Domain> while getting initial credentials
- Kinit: Keytab contains no suitable keys for *** while getting initial credentials
- GSSAPI operation failed due to invalid status code
- Alarm received for failed Kerberos-tgt-update job
- SSPI provider: Server not found in Kerberos database
- Login failed for AD user due to disabled account
- ArgoCD login failed
- Update the underlying directory connections
- Failure to get the sandbox image
- Pods not showing in ArgoCD UI
- Redis probe failure
- RKE2 server fails to start
- Secret not found in UiPath namespace
- ArgoCD goes into progressing state after first installation
- Missing Ceph-rook metrics from monitoring dashboards
- Mismatch in reported errors during diagnostic health checks
- No healthy upstream issue
- Redis startup blocked by antivirus
- Running High Availability with Process Mining
- Process Mining ingestion failed when logged in using Kerberos
- Unable to connect to AutomationSuite_ProcessMining_Warehouse database using a pyodbc format connection string
- Airflow installation fails with sqlalchemy.exc.ArgumentError: Could not parse rfc1738 URL from string ''
- How to add an IP table rule to use SQL Server port 1433
- Automation Suite certificate is not trusted from the server where CData Sync is running
- Running the diagnostics tool
- Using the Automation Suite support bundle
- Exploring Logs
- Exploring summarized telemetry
Automation Suite on Linux installation guide
Security and compliance
Security context for UiPath® services
This section provides details on the security context of the UiPath® services.
All UiPath® services are configured with a security context defined in their spec section.
The following sample shows a typical configuration for UiPath® services:
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
containers:
- securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
hostPID: false
hostNetwork: false
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
containers:
- securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
hostPID: false
hostNetwork: false
In some instances, the user IDs and group IDs can be greater than or equal to 1000, depending on your environment. Make sure you configure the user and group IDs according to your security principles and your organization's security guidelines.
Enabling FIPS 140-2
Federal Information Processing Standards 140-2 (FIPS 140-2) is a security standard that validates the effectiveness of cryptographic modules.
You can enable FIPS 140-2 on the machines on which you install Automation Suite in the following scenarios:
- Enable FIPS 140-2 before performing a clean installation of Automation Suite 2023.4 or later. For details, see. Enabling FIPS 140-2 for new installations
- Enable FIPS 140-2 after performing an Automation Suite installation on a machine with FIPS-140-2 disabled. For details, see Enabling FIPS 140-2 for existing installations.
Enabling FIPS 140-2 for new installations
To enable FIPS 140-2 on the machines where you plan to perform a fresh installation of Automation Suite, take the following steps:
-
Before starting the Automation Suite installation, enable FIPS 140-2 on your machines.
For details, see Enabling FIPS 140-2.
-
Perform the Automation Suite installation by following the installation instructions in this guide.
Note:- If you install AI Center on a FIPS 140-2-enabled machine and also use Microsoft SQL Server, some additional configuration is required. For details, see SQL requirements for AI Center.
- Make sure Insights and Integration Service are disabled, as they are not supported on FIPS 140-2.
-
Set the
fips_enabled_nodesflag totruein thecluster_config.jsonfile. -
Make sure your certificates are FIPS 140-2-compatible.
Note:By default, Automation Suite generates self-signed FIPS 140-2-compatible certificates whose expiry date depends on the type of Automation Suite installation you choose. We strongly recommend that you replace these self-signed certificates with CA-issued certificates at installation time. To use Automation Suite on FIPS 140-2-enabled machines, the newly provided certificates must be FIPS 140-2-compatible. For a list of eligible ciphers supported by RHEL, see the RHEL documentation.
- To update the token-signing certificates, run: assignment
./bin/uipathctl config token-signing-certificates update --cert-file-path /path/to/cert --cert-key-file-path /path/to/certkey./bin/uipathctl config token-signing-certificates update --cert-file-path /path/to/cert --cert-key-file-path /path/to/certkey- To update the TLS certificates, run: assignment
./bin/uipathctl config additional-ca-certificates update --ca-cert-file /path/to/ca/certs./bin/uipathctl config additional-ca-certificates update --ca-cert-file /path/to/ca/certs
Enabling FIPS 140-2 for existing installations
You can install Automation Suite with FIPS 140-2 disabled, and then enable the security standard on the same machines. This is also possible when you upgrade to a new Automation Suite version.
To enable FIPS 140-2 on the machines where you already performed an Automation Suite installation, take the following steps:
-
Perform a regular Automation Suite installation or upgrade operation on machines with FIPS 140-2 disabled.
-
Enable FIPS 140-2 by running the following command on all your machines:
fips-mode-setup --enablefips-mode-setup --enable -
Make sure your certificates are FIPS 140-2-compatible.
Note:To use Automation Suite on FIPS 140-2-enabled machines, you must replace your certificates with new FIPS 140-2-compatible certificates signed by a CA. For a list of eligible ciphers supported by RHEL, see RHEL documentation.
- To update the token-signing certificates, run: assignment
./bin/uipathctl config token-signing-certificates update --cert-file-path /path/to/cert --cert-key-file-path /path/to/certkey./bin/uipathctl config token-signing-certificates update --cert-file-path /path/to/cert --cert-key-file-path /path/to/certkey- To update the TLS certificates, run: assignment
./bin/uipathctl config additional-ca-certificates update --ca-cert-file /path/to/ca/certs./bin/uipathctl config additional-ca-certificates update --ca-cert-file /path/to/ca/certsFor more on certificates, see Managing the certificates.
-
Make sure your product selection is in line with the FIPS-140-2 requirements:
- If you install AI Center on a FIPS 140-2-enabled machine and also use Microsoft SQL Server, some additional configuration is required. For details, see SQL requirements for AI Center.
- If you previously enabled Insights or Integration Service, you must disable them as they are not supported on FIPS 140-2. For details on how to disable products post-installation, see Managing products.
-
Reboot your machines and check if you successfully enabled FIPS 140-2.
fips-mode-setup --checkfips-mode-setup --check -
Rerun the
uipathctlinstaller:- In an online environment, run:
./bin/uipathctl rke2 install -i cluster_config.json -o output.json -s --accept-license-agreement - Online -- online./bin/uipathctl rke2 install -i cluster_config.json -o output.json -s --accept-license-agreement - Online -- online - In an offline environment, run:
./bin/uipathctl rke2 install -i ./cluster_config.json -o ./output.json -s --offline-bundle /uipath/tmp/sf.tar.gz --offline-tmp-folder /uipath/tmp --accept-license-agreement./bin/uipathctl rke2 install -i ./cluster_config.json -o ./output.json -s --offline-bundle /uipath/tmp/sf.tar.gz --offline-tmp-folder /uipath/tmp --accept-license-agreement
- In an online environment, run: