Operating system requirements

Note

Helix DAM is built on top of Helix TeamHub. To install Helix DAM, you use the Helix TeamHub packages. To administer Helix DAM, you use the web-based TeamHub admin interface.

As mentioned in System overview, Helix DAM is provided as a native operating system package, such as .rpm and .deb for one of our supported 64-bit architecture Linux platforms:

  • Red Hat Enterprise Linux 7, 8, 9
  • Rocky 8, 9
  • CentOS 7, 8
  • Ubuntu 20.04, 22.04

Since some of the above distributions have several minor versions, only the 2 latest minor releases are supported. For example, as of writing this document, the latest two releases of Red Hat Enterprise Linux 8 family are 8.9 and 8.10. To benefit from the OS level security updates, performance optimizations, and compatibility with Helix DAM, closely follow the release cycle of the operating system in use and upgrade in a timely manner.

In addition to the operating system, the following preparations are required:

Ports

The Helix DAM application binds to a number of ports that must be free before proceeding with installations. In some cases, the Linux distribution may already have an installed package that uses the ports Helix DAM needs. Therefore, make sure all the ports listed in Firewall requirements are available. Execute the following command to check if anything is listening on port 80:

netstat -tulpn | grep :80

Local firewall

In addition to the company-wide firewall, the local firewall might also be installed by default, for example iptables. Make sure it is either disabled or configured to accept the ports listed in Firewall requirements.

UID and GID

When Helix DAM is installed, the new hth user account and system group are created with predefined UID and GID of 21212, so make sure they are not reserved.

Tip

You can change the UID and GID values, but they must be changed before you configure Helix DAM for the first time.

To change the UID and GID values, merge the following configuration to the /var/opt/hth/shared/hth.json file. Where <value> is the new UID and GID value you want to use: 

{
  ... (snipped)
  "user": {
    "uid": <value>,
    "gid": <value>
  }
  ... (snipped)
}

Locale

Make sure en_US.UTF-8 locale is installed and no errors are reported when running export LC_ALL=en_US.UTF-8.

Linux security modules

LSMs (Linux Security Modules) such as SELinux can also prevent Helix DAM from running. To disable LSMs:

RHEL and CentOS

Edit /etc/selinux/config and ensure that SELINUX is either in disabled or permissive mode. To avoid restarting the server for changes to come into effect, run the command below to immediately disable SELinux:

setenforce 0

Ubuntu

Does not need any changes.

OpenSSH and repository SSH access

Helix DAM supports accessing repositories over SSH protocol. OpenSSH version 6.9 or later is required with support for AuthorizedKeysCommand with arguments. Repository SSH access can be enabled after installing Helix DAM by either using the system or bundled OpenSSH. It is recommended to use system OpenSSH, but the bundled OpenSSH can be used if upgrading OpenSSH is not otherwise possible.

Use system OpenSSH

Append following configuration to the end of the sshd configuration file (/etc/ssh/sshd_config) and reload sshd:

Match User hth
    AuthorizedKeysCommand /usr/bin/hth-ssh-auth %t %k
    AuthorizedKeysCommandUser hth

Use bundled OpenSSH

When using the bundled OpenSSH, it is important that automatic updates are configured to skip OpenSSH package. OpenSSH updates can be disabled as follows:

RHEL and CentOS

Open /etc/yum.conf and add the following line under [main] section:

exclude=openssh*

Ubuntu

sudo apt-mark hold openssh-server

When using systemd, change the service configuration file (usually in /etc/systemd/system/sshd.service) to use simple type under [Service] section:

Type=simple

Reload systemd configuration after changing service configuration:

systemctl daemon-reload

In order to use the bundled OpenSSH, merge the following configuration to /var/opt/hth/shared/hth.json, run sudo hth-ctl reconfigure and reload sshd:

Note

This will symlink the existing sshd to the bundled sshd.

{
    "opensshp": {
        "enable": true
    }
}

SSH optimization

For Helix DAM setups that are relatively large, setting the following parameters for SSHD helps with security and efficiency of the system overall:

MaxStartups 100
ClientAliveInterval 60
ClientAliveCountMax 3

You can add those parameters manually to /etc/ssh/sshd_config on either the Standard node or the hth-web node.

Memory optimization

Helix DAM requires Redis and MongoDB to be installed. To avoid latencies and memory usage issues in these services, we recommend disabling Transparent Huge Pages (THP) in the kernel for Standard installation and Enterprise DB nodes.

Network optimization

Depends on the load on your installation, it is recommended to increase the limit of the backlog for connections (somaxconn) to higher value. We suggest setting it to 512 at minimum.