Installing self-hosted Rumble
Enterprise
Background
The self-hosted version of Rumble allows you to run the entire platform on-premises or within your own cloud environment. This platform is functionally identical to the hosted service, provides a fully-offline mode, and does not send any inventory data back to Rumble.
While using Self-hosting is less common, here are a few reasons your company may use Self-Hosting:
- SOC2 compliance requirement
- ISO compliance requirement
- Other compliance requirement
- Prefer data on-premise
Self-hosting requires an enterprise license and must be explicitly enabled for your account. Please contact your Rumble sales representative for further information.
Requirements
Before you get started, make sure your system meets the following requirements.
Hardware requirements
- 4 CPU Cores at 2 GHz or faster
- 100 GB of local disk storage
- 32 GB of RAM (more for large sites)
Software requirements
- PostgreSQL 12 or newer (Our installer can install this for you)
Supported operating systems
- Ubuntu 20.04 x86_64
- Ubuntu 18.04 x86_64
- Red Hat Enterprise Linux 8.x x86_64
- Red Hat Enterprise Linux 7.x x86_64
- CentOS Linux 8.x x86_64
- CentOS Linux 7.x x86_64
- Oracle Linux 8.4+ x86_64 with UEK 5.4 or kernel 4.18+
- Oracle Linux 7.9+ x86_64 with UEK 5.4 or kernel 3.10+
- Debian Linux 11.x x86_64
- Debian Linux 10.x x86_64
- Debian Linux 9.x x86_64
Connectivity
The self-hosted Rumble platform requires the following connectivity for online updates:
- Outbound access to console.rumble.run (13.248.161.247, 76.223.34.198) on TCP port 443 for HTTP over TLS.
The system running the Rumble platform should have a static IP address. If the IP is changed at a later date, the explorers may need to be redeployed to receive the updated address.
Offline mode
The self-hosted version of Rumble has the ability to run in offline mode. In this mode, the Rumble update service is not used and offline updates must be applied manually. Enable this mode if you’re in an isolated network or you don’t want your self-hosted Rumble console to make any connections to the internet. In addition to disabling online updates, offline mode also disables certain DNS probes that could reflect responses to the internet during a scan.
Installing with offline mode
- Run the installer with the
--offline
flag in combination with--distro-packages-only
or--postgres-rpm-directory
More information can be found under Offline installation.
Enabling offline mode for existing installs
- Open
/etc/rumble/config
with an editor of your choice. - Look for
OFFLINE=
and change it toOFFLINE=true
. - Restart the Rumble service
rumblectl restart
.
Updating with offline mode
More information can be found under CLI update with offline mode.
Installation steps
For offline installs please see Offline installation.
For installs that use your own database credentials see Installation with your own PostgreSQL database.
Here’s what the installation process will do:
- Set up PostgreSQL and create a passworded user.
- Generate TLS certificates for your IP address located in
/etc/rumble/certs
. - Generate a configuration file at
/etc/rumble/config
and set some defaults. - Create a
systemD
service for the Rumble platform. - Create all the necessary cron jobs required for the Rumble platform.
Step 1: Download and run the installer
- Go to https://console.rumble.run/deploy/download/platform.
- Copy the command directly from the download page and run it in your terminal. This will download the installer and mark it as executable. The download path for the installer is uniquely keyed.
Step 2: Initialize the admin user
After you’ve installed the Rumble platform, you will have access to the Rumble CLI rumblectl
.
To initialize an admin user, run:
rumblectl initial [email address]
Step 3: Log in to your self-hosted console
If everything is set up correctly, you can log in to your console at https://YourInternalIPAddress
.
Note that you may need to enable HTTPS to pass through the Linux system firewall. Example commands:
Ubuntu Linux: sudo ufw allow https/tcp
RHEL/CentOS/Oracle: sudo firewall-cmd --add-service=https
To make a firewall-cmd
change permanent across reboots, run the command a second time with the --permanent
flag added.
Offline installation
The self-hosted Rumble platform comes with a few options for your installation. You can utilize these options by
adding flags to the install command. The current flags available are --offline
, --distro-packages-only
, and --postgres-rpm-directory
--offline
- Install the self-hosted platform in a completely isolated network. No internet connection is required.
--distro-packages-only
- Install without using third-party repositories. (Not available on RHEL/CentOS 7)
--postgres-rpm-directory [directory]
- Install using supplied PostgreSQL RPM files. (Requires RHEL or CentOS)
PostgreSQL RPMs required for --postgres-rpm-directory
RHEL/CentOS 8 RPMs can be found here: https://download.postgresql.org/pub/repos/yum/13/redhat/rhel-8-x86_64/
RHEL/CentOS 7 RPMs can be found here: https://yum.postgresql.org/13/redhat/rhel-7-x86_64/repoview/
There are four RPMs we require for installing PostgreSQL 13:
- postgresql13
- postgresql13-server
- postgresql13-contrib
- postgresql13-libs
Example install commands for offline mode
The first step is to download the Rumble platform
RHEL/CentOS 7 or 8
- Download the required RPMs above and store them in a directory.
- Run this install command:
./rumble-platform-[VERSION]-linux-amd64.bin install --offline
--postgres-rpm-directory [RPM_DIRECTORY]
Ubuntu 18.04+, Debian 10+, or RHEL/CentOS 8
- Run this install command.
./rumble-platform-[VERSION]-linux-amd64.bin install --offline --distro-packages-only
Installation with your own PostgreSQL database
Rumble defaults to installing and configuring a PostgreSQL user and database for you. If you would like to provide your own details this option will allow you to override that behavior.
Requirements
- PostgreSQL 13 or newer.
- Password authentication must be enabled.
- Two extensions are required: pg_trgm and uuid-ossp. These may be supplied as part of a
contrib
package rather than as part of the main PostgreSQL server install, depending on where you obtain your PostgreSQL packages.
PostgreSQL example to enable extensions and add a database/user
CREATE EXTENSION IF NOT EXISTS pg_trgm; CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
CREATE DATABASE rumble;
CREATE USER rumble WITH PASSWORD 'YOURPASSWORD';
GRANT ALL PRIVILEGES ON DATABASE rumble TO rumble;
Steps to install the self-hosted Rumble platform with your own database credentials
- Run this install command.
./rumble-platform-[VERSION]-linux-amd64.bin install --manual-database
- Edit your Rumble configuration and add your database details in
/etc/rumble/config
. The line you need to edit is:
DATABASE_URL=postgres://rumble:{DB_PASSWORD}@127.0.0.1:5432/rumble?sslmode=disable
Change this to match your credentials. You need to set the user, password, host, port, and database name. Here is the format:
DATABASE_URL=postgres://{DB_USER}:{DB_PASSWORD}@{DB_HOST}:{DB_PORT}/{DB_NAME}?{DB_OPTIONS}
- Verify the self-hosted Rumble platform can connect to your database with this command.
sudo rumblectl database verify
- Once your database is configured and verified you can restart the self-hosted Rumble platform service
sudo systemctl restart rumble-console
Rumble updates
For offline updates please see CLI update with offline mode.
The self-hosted Rumble platform must be updated prior to first use. The rumblectl
command can be used to download the update and then restart the service after the update is complete.
You can update the platform and scanners at the same time or separately with the CLI update management commands.
Managing users
You can manage users inside your self-hosted Rumble platform console at https://YourInternalIPAddress/team
or via the Rumble CLI
Some things you can manage:
- Adding, deleting, and listing users
- Resetting passwords
- Changing default roles
- Viewing details
- Changing organization roles
CLI service management
Start the Rumble service
Starts the Rumble platform service.
rumblectl start
Stop the Rumble service
Stops the Rumble platform service.
rumblectl stop
Restart the Rumble service
Restarts the Rumble platform service.
rumblectl restart
Install the Rumble platform
Install the Rumble platform service and all required dependencies such as PostgreSQL. Creates a SystemD service, generates cron
jobs, and generates a configuration file in /etc/rumble
.
rumblectl install
Uninstall the Rumble platform
Stop and remove the Rumble platform service from SystemD and removes the generated cron jobs. This does not remove your PostgreSQL database, and it retains your data.
rumblectl uninstall
Purge the Rumble platform
Stop and remove the Rumble platform service from SystemD and removes the generated cron jobs. This will delete your Rumble
database and remove all the Rumble directories /etc/rumble
and /opt/rumble
.
rumblectl purge
You can uninstall and purge everything except the database and your PostgreSQL settings with this flag:
rumblectl uninstall --purge --ignore-database
Run the Rumble platform manually
Starts the Rumble platform manually. Logs will be written to standard output.
rumblectl server
Verify your database is reachable
Attempts to connect to your database using your self-hosted Rumble platform configuration. It will either succeed or display an error.
rumblectl database verify
CLI update management
Update the Rumble platform and scanners
Updates the Rumble platform service and Rumble scanners. You can use the optional parameter force
to force
the update even if the current installation is the latest version.
rumblectl update [--force]
Update the Rumble platform
Updates just the Rumble platform service. You can use the optional parameter force
to force the update even if
the current install is the latest version.
rumblectl update-platform [--force]
Update the Rumble scanners
Updates just the Rumble scanners. You can use the optional parameter force
to force the update even if
the current installation is the latest version.
rumblectl update-scanner [--force]
CLI update with offline mode
The self-hosted Rumble platform must be updated prior to first use.
Update the Rumble platform and scanners with an offline update
- Go to https://console.rumble.run/deploy/download/platform.
- Copy the command directly from the download page and run it in your terminal, or you can use one of the following commands to update using the zip archive you downloaded.
rumblectl update rumble-platform-update-[VERSION].zip
rumblectl update --offline --zip-file-path rumble-platform-update-[VERSION].zip
You will need to change the version to match the zip archive you downloaded.
CLI user management
Create the initial administrator account
Creates the initial admin user for a new installation. You must provide an email address.
rumblectl initial <email>
List user accounts
Lists all the users along with their email address, full name, and current roles
.
rumblectl user list
Add a user account
Creates a new user account under the initial administrator user. You must provide an email address.
rumblectl user add <email>
Delete a user account
Deletes a user account. You must provide an email address. This cannot be undone.
rumblectl user delete <email>
Get user details
Gets the details for a user account. You must provide an email address. Provides information such as full name, date created, last login IP, last login time, last activity, default organization role, and their current roles
. You
must provide an email address.
rumblectl user details <email>
Set a user role
Sets a user’s role to the role provided. Email and role must be provided. The organization is optional. If the organization isn’t provided this sets their default role.
rumblectl user set-role <email> [organization name or organization ID]:<role>
Reset a user password
This will generate and apply a new password for the specified user. The password will be printed to the terminal. You must provide an email address.
rumblectl user reset <email>
CLI organization management
List all organizations
Lists all the organizations by their name and ID.
rumblectl organization list
Advanced configuration
The file at /etc/rumble/config can be modified to support a wide variety of configurations.
After making changes, apply them by running rumblectl restart
.
Email server
Rumble uses a SMTP server for user account invitations and notifications. The default configuration assumes that a SMTP server is available on localhost that does not require authentication:
SMTP_SERVER=127.0.0.1:25
SMTP_AUTH_METHOD=none
Rumble will automatically use STARTTLS with plaintext SMTP servers and validate the certificate. In internal environments where the SMTP server is not using a valid TLS certificate, verification can be disabled by setting:
SMTP_TLS_NOVERIFY=true
Transport-layer TLS (instead of STARTTLS) can be configured with:
SMTP_TLS=true
If authentication is required, the following three settings should be configured:
SMTP_AUTH_METHOD=plain
SMTP_AUTH_USER=YourUsername
SMTP_AUTH_PASS=YourPassword
Emails are sent from noreply@rumble.run
by default, but this can be changed by setting the FROM_EMAIL
option:
FROM_EMAIL=rumble@yourcompany.int
Hostname and port
The RUMBLE_CONSOLE variable is used for creating inbound links, configuring deployed explorers, and generating the default self-signed TLS certificate. This setting is how both users and deployed explorers connect to the platform. Changing this setting may require regeneration of the TLS certificate and redeployment of explorers.
RUMBLE_CONSOLE=https://{IP ADDRESS OR HOSTNAME}:443
Rumble can be configured to run on a different port with the CONSOLE_PORT setting. This port defines where the console listens, but users and explorers still connect to the RUMBLE_CONSOLE value. In most cases this should match the port specified by the RUMBLE_CONSOLE.
CONSOLE_PORT=443
TLS configuration
Rumble will generate a self-signed TLS certificate and serve all web requests using HTTP over TLS. The standard configuration uses a self-signed certificate stored in the filesystem:
TLS=true
TLS_CERT=/etc/rumble/certs/cert.pem
TLS_KEY=/etc/rumble/certs/key.pem
The certificate and key file are PEM encoded and can be replaced with any valid certificate. Please ensure that any new certificate lists the value of RUMBLE_CONSOLE in the list of Subject Alternative Names.
If a TLS-terminating reverse proxy is used (AWS ELB, nginx, etc), TLS can be disabled at the application level:
TLS=false
Please note that while the web interface can be accessed over plain HTTP in this scenario, explorers will refuse to connect to a plain HTTP port, and features like WebAuthn MFA will not work unless the site is accessed through TLS.
Specific TLS versions and ciphers can be configured.
TLS versions are chosen by minimum and maximum:
TLS_VERSION_MIN=1.2
TLS_VERSION_MAX=1.3
TLS ciphers may be chosen by profile name:
- default: A set of strong ciphers, great for most configurations
- nist80052: A set of strong ciphers, approved in NIST 800-52r2.
- nist80052-aes256: A set of strong ciphers, approved in NIST 800-52r2, restricted to AES-256 variants
Please note that TLS 1.3 ciphers work differently and if a specific set of ciphers is required, both TLS_VERSION_MIN and TLS_VERSION_MAX should be set to 1.2
.
For example, to restrict Rumble to only NIST 800-52r2 approved ciphers using AES-256, the following configuration should be used:
TLS_VERSION_MIN=1.2
TLS_VERSION_MAX=1.2
TLS_CIPHERS=nist80052-aes256
TLS ciphers may also be chosen using comma-separated list of cipher constants.
Database configuration
Rumble uses a PostgreSQL database for all platform data, except for raw scan files, change reports, and images processed from scans. By default, Rumble will configure a local PostgreSQL server on the same system, with a random password, and without TLS encryption:
DATABASE_URL=postgres://rumble:{DB_PASSWORD}@127.0.0.1:5432/rumble?sslmode=disable
If separate database is preferred, any PostgreSQL server running 12.x or newer should work. TLS (sslmode=require) should be enabled when a non-local database server is configured.
The default database pool (connection count) can be modified for high throughput environments:
DATABASE_POOL_COUNT=50
Proxy configuration
Rumble makes outbound connections to receive platform updates (in online mode), to connect to third-party APIs, and to delivery webhooks for notifications. If a proxy server is required, it can be configured with this setting:
HTTPS_PROXY=host:port
Storage configuration
Rumble uses local file storage to store raw scan data, change reports, and images retrieved from assets.
This storage directory must be owned by the rumble
user and be mounted below the /opt/rumble path.
RUMBLE_STORAGE_MODE=local
RUMBLE_STORAGE_PATH=/opt/rumble/storage
Files within the storage directory are split up into two groups, assets and scans. The names of these can be changed by setting:
ASSET_BUCKET=assets
SCAN_BUCKET=scans
To use AWS S3 for file storage instead, the following configuration can be set:
RUMBLE_STORAGE_MODE=s3
ASSET_BUCKET=company-rumble-assets
SCAN_BUCKET=company-rumble-scans
If S3 is used, AWS must also be configured.
Secret configuration
Rumble uses three randomly generated secret tokens to secure the platform. These keys are hexadecimal strings generated by 16 bytes of random. Compatible values can be generated by OpenSSL:
$ openssl rand -hex 16
The authentication key used for local storage HMAC operations. This key can be rotated as long as the service is restarted afterwards:
RUMBLE_STORAGE_KEY_SECRET={SECRET_32_HEX}
The session secret key is used to sign and validate browser session cookies. This key can be rotated, but doing so will invalidate all existing web logins:
SESSION_SECRET={SECRET_32_HEX}
The DB key is used for encryption of sensitive fields (user password bcrypt hashes). This key cannot be rotated, as password authentication will no longer work. If this key is changed, users must reset their password from the command-line or web interface using email before they can sign back in:
DB_KEY={SECRET_32_HEX}
AWS configuration
The AWS region is required:
AWS_REGION=us-east-1
The Access Key ID and Secret must be valid and correlated to a user with read-write access to the S3 buckets and read-only access to Secrets Manager.
AWS_ACCESS_KEY_ID=AKIA....
AWS_SECRET_ACCESS_KEY=SECRET....
AWS Secrets Manager can be used to retrieve almost any configuration setting at startup. The Secrets Manager entries should match the key names of the configuration file. The secret name can be defined with:
AWS_SECRETS_MANAGER_KEY=rumble/production
The location of the explorer and scanner binaries can be changed with these settings. Note that these should still live under /opt/rumble or the service will not be able to load them:
RUMBLE_RELEASE_DIR=/opt/rumble/agent/
RUMBLE_SCANNER_RELEASE_DIR=/opt/rumble/scanner/
Content Security Policy
In the case of a non-standard S3 configuration (or S3-like deployment, such as minio), the Content Security Policy headers need to be configured to allow external image loads.
The CSP_IMAGES setting can be used to specify one or more (comma-delimited) external image sources:
CSP_IMAGES=https://*.custom-storage-backend.lan
In additional to CSP_IMAGES, the following additional CSP settings are available:
CSP_SCRIPTS=https://*.myscripts.lan
CSP_FONTS=https://*.myfonts.lan
CSP_STYLES=https://*.mystyles.lan
Logging
The self-hosted Rumble console sends its logging output to standard output. Typically this is picked up by Linux SystemD, and stored in the journal where it can be queried with the usual journalctl
tool.
Rumble’s logs are output in CEE-enhanced JSON format. This is compatible with rsyslog, syslog-ng, lumberjack, DataDog, ElasticSearch, and other common tools.
The environment variable LOG_MAX_LENGTH
can be set in Rumble’s config file to apply a limit to the length of each log line, in bytes of UTF-8 text. A value of 0 means no limit, other values below 480 are treated as 480. Rumble will attempt to preserve the most valuable logging fields when truncating log output. Note that the length limit is applied before any additional information SystemD or syslog adds to the start of the line.
The environment variable LOG_FORMAT
can be set to text
to disable the CEE and JSON format, and log in plain text.
LOG_FORMAT=text
LOG_MAX_LENGTH=512
Permissions
The self-hosted platform requires root access to install and manage from the command-line.
The platform service (rumble-console
) runs as root and spawns a worker subprocess that runs as the rumble user account inside of a chroot environment (/opt/rumble). All substantive work happens within this isolated subprocess.
The following filesystem locations are used by the self-hosted platform:
/etc/rumble
Path | Owner | Permission | Notes |
---|---|---|---|
/etc/rumble |
root | 0700 | Configuration files and certificates |
/etc/rumble/config |
root | 0600 | A plain-text configuration file |
/etc/rumble/certs |
root | 0700 | A directory containing the TLS certificate and key |
/etc/rumble/certs/cert.pm |
root | 0600 | The TLS certificate in PEM format |
/etc/rumble/certs/key.pm |
root | 0600 | The TLS certificate private key in PEM format |
/opt/rumble
Path | Owner | Permission | Notes |
---|---|---|---|
/opt/rumble/tmp |
rumble | 0755 | A temporary directory |
/opt/rumble/storage |
rumble | 0700 | Contains asset and scan artifacts |
/opt/rumble/console |
root | 0755 | Contains the platform executable |
/opt/rumble/console/rumble-console.bin |
root | 0755 | The platform executable |
/opt/rumble/agent |
root | 0755 | Contains the Explorer binaries |
/opt/rumble/agent/rumble-agent-* |
root | 0755 | The Explorer binaries |
/opt/rumble/scanner |
root | 0755 | Contains the Scanner binaries |
/opt/rumble/agent/rumble-scanner-* |
root | 0755 | The Scanner binaries |
/opt/rumble/proc |
root | 0755 | Contains copies of system /proc files |
/opt/rumble/proc/cpuinfo |
root | 0644 | A copy of /proc/cpuinfo |
/opt/rumble/proc/meminfo |
root | 0644 | A copy of /proc/meminfo |
/opt/rumble/proc/version |
root | 0644 | A copy of /proc/version |
/opt/rumble/etc |
root | 0755 | Contains copies of system files |
/opt/rumble/etc/resolv.conf |
root | 0644 | A copy of /etc/resolv.conf |
/opt/rumble/etc/ca-certificates.crt |
root | 0644 | A copy of the system root CA store |
/opt/rumble/etc/rumble |
rumble | 0700 | Contains instance identifiers |
/opt/rumble/etc/rumble/cruncher.id |
rumble | 0700 | A unique ID to identify the cruncher instance |
/opt/rumble/etc/rumble/hub.id |
rumble | 0700 | A unique ID to identify the hub instance |
/opt/rumble/config |
root | 0700 | Unused today |