Date: 2022-08-28
Install the Looker App | Google Cloud
This page describes how to install the Looker application for customer-hosted deployments.
Hosting the Looker application is independent of where your data is stored. Data always remains in the database and is not copied to your Looker instance.
Installation specifications
If you run Looker in a network that does not have internet connectivity, you will need to set up a proxy server to communicate with Looker’s license server, or use a serverless web service that only makes web calls, such as BigQuery.
Install the Looker application on a dedicated machine that meets the following minimum requirements:
1.2 GHz CPU; Looker recommends 2 or more cores.
8 GB of free RAM.
10 GB of free disk space.
2 GB of swap file space.
Linux. Looker uses Ubuntu Linux (LTS releases) for its internal Looker hosting and recommends it for customers who do not have a Linux preference. However, Looker is supported on the released versions of all major enterprise Linux distributions, including RedHat, CentOS, and Amazon Linux.
Java OpenJDK 11.0.12+, OpenJDK 8.0.181+, or HotSpot 1.8 update 161+. Looker uses OpenJDK 11 for improved performance and memory usage. Looker recommends the JDK over the JRE for its additional troubleshooting tools. Additionally, Looker recommends migrating to newer Java updates as they are released. Other versions of Java, Oracle JDK, and OpenJDK are not supported at this time.
libssl and libcrypt.so must be present on the system.
You must allow inbound traffic to your Looker instance over TCP port 9999.
If your users require API access, you must allow inbound traffic to your Looker instance over TCP port 19999.
If Looker is connecting to AWS Redshift from an AWS VPC private network, the MTU should be set to 1500. For more information on this setting, see the Setting the MTU for an Instance section of this Amazon Web Services article. If Looker detects an MTU setting greater than 1500 during a database connection test, you’ll see the following error:
MTU of network interface eth0 is too large (> 1500). If your Looker instance and Redshift cluster are in the same VPC, you can ignore this warning.
The following TCP keepalive settings. To persist across reboots, these should be set in /etc/sysctl.conf or a file within the /etc/sysctl.d directory.
net.ipv4.tcp_keepalive_time=200
net.ipv4.tcp_keepalive_intvl=200
net.ipv4.tcp_keepalive_probes=5
A user named looker in a group named looker to run the Looker application.
A ulimit for the looker user of 4096 or greater. To set this, add the following lines to /etc/security/limits.conf:
looker soft nofile 4096
looker hard nofile 4096
Time synchronization via NTP or equivalent.
Do not mount the /tmp folder with the noexec option.
Do not mount the Looker home directory on an NFS volume.
Setting the server time zone to UTC is recommended, but not required.
Requires Git 1.8 or higher. The latest stable version of Git is not required, but can help troubleshoot Git issues.
Although not required, Netcat can help troubleshoot network connectivity issues. For example, a typical command to install Netcat on an Ubuntu-based server is:
sudo apt-get install netcat
Optionally, you can set up a proxy server to handle the HTTP(S) requests Looker needs to make to the “core” on localhost. To communicate with Looker’s local proxy server, you need to add some special arguments to lookerstart.cfg. Add http.nonProxyHosts=localhost to allow access to Looker’s localhost without going through a proxy. The community topic Connecting Looker to BigQuery through a web proxy contains an example of how to create this connection.
To avoid maintenance and resource conflicts, do not use Looker servers to host other applications.
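As an added example (not part of the Looker documentation), the shell functions below check a host against the keepalive, ulimit and mount requirements listed above. The function names are hypothetical, and each check reads files passed as arguments so it can run against live system files or saved copies.

```shell
# Added example: preflight checks for the host settings in the list above.
# check_keepalive FILE...: the three keepalive values must be set as listed.
check_keepalive() {
    rc=0
    for want in net.ipv4.tcp_keepalive_time=200 \
                net.ipv4.tcp_keepalive_intvl=200 net.ipv4.tcp_keepalive_probes=5; do
        key=${want%%=*}; val=${want#*=}
        # Strip comments and spaces; the last assignment of a key wins.
        got=$(cat "$@" 2>/dev/null | sed -e 's/#.*//' -e 's/[[:space:]]//g' |
              awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }')
        [ "$got" = "$val" ] || { echo "FAIL $key: want $val, got '${got:-unset}'"; rc=1; }
    done
    return $rc
}

# check_nofile LIMITS_FILE: user looker needs soft and hard nofile >= 4096.
check_nofile() {
    rc=0
    for kind in soft hard; do
        got=$(sed 's/#.*//' "$1" | awk -v t="$kind" \
              '$1 == "looker" && $2 == t && $3 == "nofile" { v = $4 } END { print v }')
        case $got in
            ''|*[!0-9]*) echo "FAIL $kind nofile for looker: missing or not a number"; rc=1 ;;
            *) [ "$got" -ge 4096 ] || { echo "FAIL $kind nofile: $got < 4096"; rc=1; } ;;
        esac
    done
    return $rc
}

# check_mounts MOUNTS_FILE HOME_DIR: input is in /proc/mounts format. The mount
# holding a path is the longest mount point that prefixes it (later lines win).
check_mounts() {
    awk -v home="$2" '
        function covers(path, mp) { return index(path "/", mp) == 1 }
        {
            mp = ($2 == "/") ? "/" : ($2 "/")
            if (covers("/tmp", mp) && length(mp) >= length(tmp_mp)) { tmp_mp = mp; opts = "," $4 "," }
            if (covers(home, mp) && length(mp) >= length(home_mp)) { home_mp = mp; fs = $3 }
        }
        END {
            if (opts ~ /,noexec,/) { print "FAIL /tmp is mounted noexec"; bad = 1 }
            if (fs ~ /^nfs/) { print "FAIL " home " is on an NFS mount"; bad = 1 }
            exit bad + 0
        }' "$1"
}
```

On a host, call check_keepalive with /etc/sysctl.conf and the files in /etc/sysctl.d, check_nofile with /etc/security/limits.conf, and check_mounts with /proc/mounts and the looker user's home directory (for example /home/looker, an assumed path).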
Enable ntpd or chronyd
NTP stands for Network Time Protocol. It keeps your host’s system clock at the correct time, which Looker needs in order to function properly. Looker does not require any specific time synchronization software, as long as the time is kept synchronized. You do not need to run an NTP server; only an NTP client is required. You can use chronyd in place of NTP.
See your OS vendor’s documentation on how to enable ntpd or chronyd.
Create an encryption key
Looker uses AES-256 Galois/Counter Mode (GCM) encryption to encrypt sensitive data stored internally, including:
Looker’s internal database backups
Database and service connection information
User credentials
User attribute values
Customer data that is cached or ready for delivery
For a complete list of data that Looker encrypts, please contact your Looker Account Manager or open a support request in Looker’s Help Center by clicking Contact Us.
The data is encrypted using a unique data key and contains a cryptographic envelope that is signed and versioned to ensure verification. This mode requires the use of an external Customer Master Key (CMK). CMKs are used to derive, encrypt, and decrypt key encryption keys (KEKs). KEKs are used to derive, encrypt, and decrypt data keys.
Encryption is only used for Looker’s internal databases and caches. Your database is unaffected by Looker’s encryption. Also, only static data (data stored on disk) is encrypted in this way.
Customer-hosted installations can use their own AWS KMS account or their own custom key management system. All data keys and KEKs are encrypted and used internally by customer-hosted Looker installations. If you’re not using AWS KMS, your external CMK must be stored in a secure, permanent location! Losing the CMK after encrypting the internal database can result in the loss of your instance.
If you’re using AWS KMS
If you’re using AWS KMS, create a CMK using the AWS Management Console or API.
After you create your CMK, Looker recommends creating a new IAM role specific to your CMK and attaching it to your Looker instance.
Below is an example IAM role with the minimum required permissions for a CMK.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "kms:GenerateRandom",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:Generate*"
            ],
            "Resource": "arn:aws:kms:*:*:key/*"
        }
    ]
}
After creating the CMK and the new IAM role, set the AWS_REGION environment variable to the AWS Region and the LKR_AWS_CMK environment variable to the CMK’s alias.
export AWS_REGION=
export LKR_AWS_CMK=alias/
Optionally, you can also set a custom AWS encryption context by setting the LKR_AWS_CMK_EC environment variable. If you don’t set this environment variable, Looker will use the default encryption context, the string Looker_Encryption_Context.
export LKR_AWS_CMK_EC=
If you’re not using AWS KMS
If you’re not using AWS KMS, generate a Base64, 32-byte CMK. CMKs can be stored in environment variables or files.
To generate a CMK and store it in an environment variable, you can use the following command to generate the CMK.
openssl rand -base64 32
After you generate the CMK, copy it and store it in the LKR_MASTER_KEY_ENV environment variable using the following command.
export LKR_MASTER_KEY_ENV=
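As an added example (not part of the Looker documentation), the shell functions below confirm that a CMK produced by the command above is Base64 for exactly 32 bytes and audit a file that holds one. The function names and the fingerprint step, which lets you compare the live key with its backup copy, are assumptions of this example.

```shell
# Added example: generate, validate and audit a self-managed CMK.

# new_cmk: the generation command shown on this page.
new_cmk() { openssl rand -base64 32; }

# cmk_is_valid VALUE: succeed only if VALUE is Base64 for exactly 32 bytes.
cmk_is_valid() {
    case $1 in *[!A-Za-z0-9+/=]*) return 1 ;; esac   # Base64 alphabet only
    [ "${#1}" -eq 44 ] || return 1                    # 32 bytes encode to 44 characters
    [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)" -eq 32 ]
}

# cmk_fingerprint VALUE: short SHA-256 digest for comparing the live key with
# its backup copy without displaying the key itself.
cmk_fingerprint() { printf '%s' "$1" | sha256sum | cut -c1-16; }

# cmk_file_ok FILE: the file must hold one valid CMK and grant no access to
# group or other (characters 5-10 of the ls mode string).
cmk_file_ok() {
    [ -f "$1" ] || { echo "FAIL $1: not a regular file"; return 1; }
    cmk_is_valid "$(cat "$1")" || { echo "FAIL $1: not a Base64 32-byte key"; return 1; }
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
        { echo "FAIL $1: readable by group or other"; return 1; }
}
```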
To generate a CMK and save it to a file, you can use the following command (
