StackStorm · arm4b · Apr 14, 2020 · Jan 17, 2020 · Jan 28, 2020 · Feb 4, 2020
diff --git a/docs/source/install/ewc.rst b/docs/source/install/ewc.rst
@@ -41,8 +41,8 @@ replacing ``${EWC_LICENSE_KEY}`` with the license key you received when register
   ./install.sh --user=st2admin --password='Ch@ngeMe' --license=${EWC_LICENSE_KEY}
 
 To understand the full details of the installation procedure, or to install |ewc| manually, follow
-the installation guide for your Linux version: :doc:`/install/u16`, :doc:`/install/u18`, :doc:`/install/rhel7`,
-or :doc:`/install/rhel6`. It will walk you through installing and configuring StackStorm and |ewc|.
+the installation guide for your Linux version: :doc:`/install/u16`, :doc:`/install/u18`, :doc:`/install/rhel6`, :doc:`/install/rhel7`,
+or :doc:`/install/rhel8`. It will walk you through installing and configuring StackStorm and |ewc|.
 The last step of the instructions is "Upgrade to |ewc|".
 
 High Availability deployment

diff --git a/docs/source/install/index.rst b/docs/source/install/index.rst
@@ -15,7 +15,8 @@ Here's an overview of the options:
 * **Manual Installation:** Have custom needs? Maybe no Internet access from your servers? Or just
   don't like using scripted installs? Read the manual installation instructions for your OS
   (:doc:`Ubuntu 16 </install/u16>`, :doc:`Ubuntu 18 </install/u18>`, :doc:`RHEL/CentOS 6 </install/rhel6>`,
-  :doc:`RHEL/CentOS 7 </install/rhel7>`), and adapt them to your needs. Here's some `additional guidance
+  :doc:`RHEL/CentOS 7 </install/rhel7>`, :doc:`RHEL/CentOS 8 </install/rhel8>`) and adapt them to
+  your needs. Here's some `additional guidance
   <https://stackstorm.com/2017/02/10/installing-stackstorm-offline-systems/>`_ for setting up an
   internal mirror for the |st2| repos. 
 * **Ansible Playbooks:** If you are an Ansible user, check these :doc:`/install/ansible` for
@@ -86,8 +87,9 @@ For more details on reference deployments, or OS-specific installation instructi
     system_requirements
     Ubuntu 16.04 <u16>
     Ubuntu 18.04 <u18>
-    RHEL 7 / CentOS 7 <rhel7>
     RHEL 6 / CentOS 6 <rhel6>
+    RHEL 7 / CentOS 7 <rhel7>
+    RHEL 8 / CentOS 8 <rhel8>
     Kubernetes / HA <k8s_ha>
     Ansible Playbooks <ansible>
 

diff --git a/docs/source/install/rhel8.rst b/docs/source/install/rhel8.rst
@@ -0,0 +1,287 @@
+RHEL 8/CentOS 8
+===============
+
+.. include:: common/intro.rst
+
+.. contents:: Contents
+   :local:
+
+System Requirements
+-------------------
+
+Please check the :doc:`supported versions and system requirements <system_requirements>`.
+
+.. note::
+
+    |st2| on RHEL 8/CentOS 8 runs all services, actions and sensors using Python 3**only**. It
+    does not support Python2 actions. `More info about python in RHEL 8 and CentOS 8.
+    <https://developers.redhat.com/blog/2019/05/07/what-no-python-in-red-hat-enterprise-linux-8/>`_
+
+    Mistral is not supported on RHEL 8/CentOS 8. All workflows must be written in
+    :doc:`Orquesta </orquesta/index>`.
+
+Minimal Installation
+--------------------
+
+Adjust SELinux Policies
+~~~~~~~~~~~~~~~~~~~~~~~
+
+If your system has SELinux in Enforcing mode, please follow these instructions to adjust SELinux
+policies. This is needed for successful installation. If you are not happy with these policies,
+you may want to tweak them according to your security practices.
+
+* First check if SELinux is in Enforcing mode:
+
+  .. code-block:: bash
+
+    getenforce
+
+* If the previous command returns 'Enforcing', then run the following commands:
+
+  .. code-block:: bash
+
+    # SELINUX management tools, not available for some minimal installations
+    sudo yum install -y policycoreutils-python
+
+    # Allow network access for nginx
+    sudo setsebool -P httpd_can_network_connect 1
+
+    # Allow RabbitMQ to use port '25672', otherwise it will fail to start
+    sudo semanage port --list | grep -q 25672 || sudo semanage port -a -t amqp_port_t -p tcp 25672
+
+.. note::
+
+  If you see messages like "SELinux: Could not downgrade policy file", it means you are trying to
+  adjust policy configurations when SELinux is disabled. You can ignore this error.
+
+Install Dependencies
+~~~~~~~~~~~~~~~~~~~~
+
+.. include:: __mongodb_note.rst
+
+Install MongoDB, RabbitMQ:
+
+.. code-block:: bash
+
+  sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
+
+  # Add key and repo for the latest stable MongoDB (4.0)
+  sudo rpm --import https://www.mongodb.org/static/pgp/server-4.0.asc
+  sudo sh -c "cat <<EOT > /etc/yum.repos.d/mongodb-org-4.repo
+  [mongodb-org-4]
+  name=MongoDB Repository
+  baseurl=https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.0/x86_64/
+  gpgcheck=1
+  enabled=1
+  gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
+  EOT"
+
+  sudo yum -y install crudini
+  sudo yum -y install mongodb-org
+  sudo yum -y install rabbitmq-server
+  sudo systemctl start mongod rabbitmq-server
+  sudo systemctl enable mongod rabbitmq-server
+
+
+Setup Repositories
+~~~~~~~~~~~~~~~~~~
+
+The following script will detect your platform and architecture and setup the appropriate |st2|
+repository. It will also add the the GPG key used for package signing.
+
+.. code-block:: bash
+
+  curl -s https://packagecloud.io/install/repositories/StackStorm/stable/script.rpm.sh | sudo bash
+
+Install |st2| Components
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. code-block:: bash
+
+  sudo yum install -y st2
+
+.. include:: common/configure_components.rst
+
+Setup Datastore Encryption
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: common/datastore_crypto_key.rst
+
+Configure SSH and SUDO
+~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: common/configure_ssh_and_sudo.rst
+
+Start Services
+~~~~~~~~~~~~~~
+
+.. include:: common/start_services.rst
+
+Verify
+~~~~~~
+
+.. include:: common/verify.rst
+
+Configure Authentication
+------------------------
+
+The reference deployment uses a file-based authentication provider for simplicity. Refer to
+:doc:`/authentication` to configure and use PAM or LDAP authentication backends.
+
+To set up authentication with file-based provider:
+
+* Create a user with a password:
+
+  .. code-block:: bash
+
+    # Install htpasswd utility if you don't have it
+    sudo yum -y install httpd-tools
+    # Create a user record in a password file.
+    echo 'Ch@ngeMe' | sudo htpasswd -i /etc/st2/htpasswd st2admin
+
+.. include:: common/configure_authentication.rst
+
+Install WebUI and Setup SSL Termination
+---------------------------------------
+
+`NGINX <http://nginx.org/>`_ is used to serve WebUI static files, redirect HTTP to HTTPS, provide
+SSL termination, and reverse-proxy st2auth and st2api API endpoints. To set it up: install the
+``st2web`` and ``nginx`` packages, generate certificates or place your existing certificates under
+``/etc/ssl/st2``, and configure nginx with |st2|'s supplied :github_st2:`site config file st2.conf
+<conf/nginx/st2.conf>`.
+
+|st2| depends on Nginx version >=1.7.5. RHEL has an older version in the package repositories, so
+you will need to add the official Nginx repository:
+
+.. code-block:: bash
+
+  # Add key and repo for the latest stable nginx
+  sudo rpm --import http://nginx.org/keys/nginx_signing.key
+  sudo sh -c "cat <<EOT > /etc/yum.repos.d/nginx.repo
+  [nginx]
+  name=nginx repo
+  baseurl=http://nginx.org/packages/rhel/\\\$releasever/x86_64/
+  gpgcheck=1
+  enabled=1
+  EOT"
+
+  # Ensure that EPEL repo is not used for nginx
+  sudo sed -i 's/^\(enabled=1\)$/exclude=nginx\n\1/g' /etc/yum.repos.d/epel.repo
+
+  # Install nginx
+  sudo yum install -y nginx
+
+  # Install st2web
+  sudo yum install -y st2web
+
+  # Generate a self-signed certificate or place your existing certificate under /etc/ssl/st2
+  sudo mkdir -p /etc/ssl/st2
+  sudo openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/st2/st2.key -out /etc/ssl/st2/st2.crt \
+  -days 365 -nodes -subj "/C=US/ST=California/L=Palo Alto/O=StackStorm/OU=Information \
+  Technology/CN=$(hostname)"
+
+  # Copy and enable the supplied nginx config file
+  sudo cp /usr/share/doc/st2/conf/nginx/st2.conf /etc/nginx/conf.d/
+
+  # Disable default_server configuration in existing /etc/nginx/nginx.conf
+  sudo sed -i 's/default_server//g' /etc/nginx/nginx.conf
+
+  sudo systemctl restart nginx
+  sudo systemctl enable nginx
+
+If you modify ports, or url paths in the nginx configuration, make the corresponding changes in
+the st2web configuration at ``/opt/stackstorm/static/webui/config.js``.
+
+Use your browser to connect to ``https://${ST2_HOSTNAME}`` and login to the WebUI.
+
+.. _ref-rhel8-firewall:
+
+If you are unable to connect to the web browser, you may need to change the default firewall
+settings. You can do this with these commands:
+
+.. code-block:: bash
+
+  firewall-cmd --zone=public --add-service=http --add-service=https
+  firewall-cmd --zone=public --permanent --add-service=http --add-service=https
+
+This will allow inbound HTTP (port 80) and HTTPS (port 443) traffic, and make those changes
+survive reboot.
+
+.. include:: common/api_access.rst
+
+Setup ChatOps
+-------------
+
+If you already run a Hubot instance, you can install the `hubot-stackstorm plugin
+<https://github.com/StackStorm/hubot-stackstorm>`_ and configure |st2| environment variables, as
+described below. Otherwise, the easiest way to enable :doc:`StackStorm ChatOps </chatops/index>`
+is to use the `st2chatops <https://github.com/stackstorm/st2chatops/>`_ package.
+
+* Validate that the ``chatops`` pack is installed, and a notification rule is enabled:
+
+  .. code-block:: bash
+
+    # Ensure chatops pack is in place
+    ls /opt/stackstorm/packs/chatops
+    # Create notification rule if not yet enabled
+    st2 rule get chatops.notify || st2 rule create /opt/stackstorm/packs/chatops/rules/notify_hubot.yaml
+
+* Add `NodeJS v10 repository <https://nodejs.org/en/download/package-manager/>`_:
+
+  .. code-block:: bash
+
+    curl -sL https://rpm.nodesource.com/setup_10.x | sudo -E bash -
+
+* Install the ``st2chatops`` package:
+
+  .. code-block:: bash
+
+    sudo yum install -y st2chatops
+
+.. include:: common/configure_chatops.rst
+
+* Start the service:
+
+  .. code-block:: bash
+
+    sudo systemctl start st2chatops
+
+    # Start st2chatops on boot
+    sudo systemctl enable st2chatops
+
+* Reload st2 packs to make sure the ``chatops.notify`` rule is registered:
+
+  .. code-block:: bash
+
+    sudo st2ctl reload --register-all
+
+* That's it! Go to your Chat room and begin ChatOps-ing. Read more in the :doc:`/chatops/index` section.
+
+A Note on Security
+------------------
+
+.. include:: common/security_notes.rst
+
+Upgrade to |ewc|
+----------------
+
+.. include:: common/ewc_intro.rst
+
+.. code-block:: bash
+
+  # Set up Extreme Workflow Composer repository access, install Enterprise packages and configure RBAC
+  curl -sSL -O https://stackstorm.com/ewc/install.sh && chmod +x install.sh
+  ./install.sh --user=st2admin --password='Ch@ngeMe' --license=${EWC_LICENSE_KEY}
+
+.. rubric:: What's Next?
+
+* Check out the :doc:`/start` Guide to build a simple automation.
+* Get more actions, triggers, rules:
+
+
+    * Install integration packs from `StackStorm Exchange <https://exchange.stackstorm.org>`__  - follow the :doc:`/packs` guide.
+    * :ref:`Convert your scripts into StackStorm actions. <ref-actions-converting-scripts>`
+    * Learn how to :ref:`write custom actions <ref-actions-writing-custom>`.
+
+* Use workflows to stitch actions into higher level automations - :doc:`/workflows`.
+* Check out `tutorials on stackstorm.com <https://stackstorm.com/category/tutorials/>`__
diff --git a/docs/source/install/system_requirements.rst b/docs/source/install/system_requirements.rst
@@ -22,6 +22,9 @@ be automatically added when you install |st2|.
 +-------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+
 | `Ubuntu 18.04 <http://cdimage.ubuntu.com/releases/18.04.2/release/ubuntu-18.04.2-server-amd64.iso>`_  | `bento/ubuntu-18.04 <https://app.vagrantup.com/bento/boxes/ubuntu-18.04>`_   | `Ubuntu Server 18.04 LTS Bionic  <https://aws.amazon.com/marketplace/pp/B07CQ33QKV/>`_                                                                            |
 +-------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+| `RHEL 8 <https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux>`_ /                 | `bento/centos-8.1 <https://app.vagrantup.com/bento/boxes/centos-8.1>`_       | `Red Hat Enterprise Linux (RHEL) 8 (HVM)  <https://aws.amazon.com/marketplace/pp/B07T4SQ5RZ?qid=1581005023484&sr=0-5&ref_=brs_res_product_title>`_                |
+| `CentOS 8.1 <http://mirrors.rit.edu/centos/8.1.1911/isos/x86_64/>`_                                   |                                                                              |                                                                                                                                                                   |
++-------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+
 | `RHEL 7 <https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux>`_ /                 | `bento/centos-7.4 <https://app.vagrantup.com/bento/boxes/centos-7.4>`_       | `Red Hat Enterprise Linux (RHEL) 7.2 (HVM)  <https://aws.amazon.com/marketplace/pp/B019NS7T5I/ref=srh_res_product_title?ie=UTF8&sr=0-2&qid=1457037671547>`_       |
 | `CentOS 7 <http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Minimal-1708.iso>`_     |                                                                              |                                                                                                                                                                   |
 +-------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+

diff --git a/docs/source/install/uninstall.rst b/docs/source/install/uninstall.rst
@@ -70,6 +70,15 @@ below. Only execute the instructions for your distribution.
     sudo systemctl stop mongod
     sudo systemctl stop rabbitmq-server
 
+* RHEL/CentOS 8.x:
+
+  .. sourcecode:: bash
+
+    sudo st2ctl stop
+    sudo systemctl stop nginx
+    sudo systemctl stop mongod
+    sudo systemctl stop rabbitmq-server
+
 
 2. Remove Packages
 ------------------