--- title: OpenShift installation summary: null url: >- https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/paas/openshift --- The Next-Gen WAF agent can be deployed on the [Red Hat OpenShift Container Platform](https://www.redhat.com/en/technologies/cloud-computing/openshift/features). ## Installation Installing the Next-Gen WAF module and agent in an OpenShift container is similar to a typical Red Hat installation. However, the primary difference for an OpenShift container installation is all processes must run under a [_non root_ account](https://jdob.fedorapeople.org/#users). To meet this requirement, the only extra step is configuring the module and agent to use a socket file that the non root account has read/write access to. ### Installing the agent Follow the [agent installation instructions](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/agent-management/installing-the-agent) for Red Hat. ### Configuring the agent There are three options for configuring the socket file location. Use the option that works best for your container build process. The examples below use a directory that a non root user would have access to. You can specify a different location, but ensure your non root user account has the read/write permissions to that location. - You can set the `SIGSCI_RPC_ADDRESS` environment variable in your Dockerfile: ```text ENV SIGSCI_RPC_ADDRESS unix:/tmp/sigsci.sock ``` - You can export the `SIGSCI_RPC_ADDRESS` environment variable in a script when your container starts: ```term copy $ export SIGSCI_RPC_ADDRESS=unix:/tmp/sigsci.sock ``` - You can set the `rpc-address` configuration option in your agent configuration file (by default at `/etc/sigsci/agent.conf`): ```text rpc-address="unix:/tmp/sigsci.sock" ``` Additional agent configuration options are listed on the [agent configuration page](https://www.fastly.com/documentation/reference/ngwaf/agent-config/). ### Installing and configuring the module Install and configure your module following one of these sets of instructions. #### Apache module install Follow [the Apache module installation instructions for Red Hat](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/module-agent-deployment/apache-module/installing-the-apache-module). In your Apache configuration file (`httpd.conf`), add the `AgentHost` directive after the Next-Gen WAF module is called: ```text AgentHost "/tmp/sigsci.sock" ``` #### NGINX module install Follow [the NGINX module installation instructions for Red Hat](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/module-agent-deployment/nginx-module/about-the-nginx-module). Update the `sigsci.agenthost` directive in the module's configuration file located at `/opt/sigsci/nginx/sigsci.conf`. You will need to remove `--` to uncomment the line: ```text sigsci.agenthost = "unix:/tmp/sigsci.sock" ``` ## Example Dockerfile Below is an example section of a Dockerfile that installs the Next-Gen WAF agent and module (for Apache HTTPD Server) and configures them to use a socket file location accessible to a non root account. ```text ... # Add the package repository RUN echo "[sigsci_release]" > /etc/yum.repos.d/sigsci.repo && \ echo "name=sigsci_release" >> /etc/yum.repos.d/sigsci.repo && \ echo "baseurl=https://yum.security.fastly.com/release/el/7/\$basearch" >> /etc/yum.repos.d/sigsci.repo && \ echo "repo_gpgcheck=1" >> /etc/yum.repos.d/sigsci.repo && \ echo "gpgcheck=0" >> /etc/yum.repos.d/sigsci.repo && \ echo "enabled=1" >> /etc/yum.repos.d/sigsci.repo && \ echo "gpgkey=https://yum.security.fastly.com/release/gpgkey" >> /etc/yum.repos.d/sigsci.repo && \ echo "sslverify=1" >> /etc/yum.repos.d/sigsci.repo && \ echo "sslcacert=/etc/pki/tls/certs/ca-bundle.crt" >> /etc/yum.repos.d/sigsci.repo # Install the Next-Gen WAF agent RUN yum -y install sigsci-agent # Configure the Next-Gen WAF agent ENV SIGSCI_RPC_ADDRESS=unix:/tmp/sigsci.sock # Install the Next-Gen WAF module RUN yum install -y sigsci-module-apache # Configure your web server with the Next-Gen WAF module # In this example, we enable the module with Apache RUN echo "LoadModule signalsciences_module /etc/httpd/modules/mod_signalsciences.so" >> /etc/httpd/conf/httpd.conf && \ echo 'AgentHost "/tmp/sigsci.sock"' >> /etc/httpd/conf/httpd.conf ... ``` ## Related content - [PaaS overview](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/paas/paas-install-intro) - [Getting started with the agent](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/agent-management/getting-started-with-the-agent)