SSH Tunnels
Opsview Monitor can be configured so that the Orchestrator routes all connections to or from Opsview Collector Clusters through SSH tunnels. This is especially useful when a Collector Cluster is behind a restrictive firewall.
You can use forward and reverse tunnels on your system. A reverse tunnel is initiated from the Orchestrator to a Collector, whereas a forward tunnel is initiated from the Collector to the Orchestrator.
Reverse tunnels
Reverse tunnels are made from the Orchestrator to a Collector.
How to set up a Collector with a reverse tunnel
Note
These instructions explain how to set up SSH Tunnels for standard Collectors. For details on SSH Tunnels for Remotely Managed Collectors, instead refer to Remote Collector Management.
These instructions describe the process for setting up a new Collector, de_collector_01, which communicates with an existing Orchestrator, orchestrator, through an SSH tunnel originating from orchestrator.
When using the example commands, replace the variables to suit your environment. The two tables below show the details of our example hosts (de_collector_01 and orchestrator) that you need to substitute.
Orchestrator

| Variable | Value |
|---|---|
| Hostname | orchestrator |
| FQDN | orchestrator.example.com |
| Local IP | 192.168.10.20 |
| Public IP | 80.80.80.81 |
| Local user | orchestrator_user |
Collector

| Variable | Value |
|---|---|
| Hostname | de_collector_01 |
| FQDN | de_collector_01.example.com |
| Local IP | 192.168.10.31 |
| Public IP | 80.80.80.83 |
| Local user | collector_user |
Note
The local users for your Orchestrator and Collector must have full root access. You may use the default root user as this local user.
Making an SSH connection
- Generate an SSH key on the Orchestrator as orchestrator_user (do not set a passphrase). If an SSH key pair already exists in the ~/.ssh/ directory of that user, you may use it and skip to the next step.

    ssh-keygen -t rsa -b 4096
- Copy the public key you just generated to collector_user on the Collector:

    ssh-copy-id collector_user@de_collector_01.example.com
- Test the connection from your Orchestrator to your Collector:

    ssh collector_user@de_collector_01.example.com

  You should be able to log in without any password prompts or errors.
Deploy the Collector
- Edit /opt/opsview/deploy/etc/opsview_deploy.yml to include a new section within collector_clusters like the example below:

    collector_clusters:
      my-local-cluster:                  # Cluster name as it will appear in the UI
        collector_hosts:
          de_collector_01.example.com:
            ip: 80.80.80.83              # IP of the Collector (as known to the Orchestrator)
            ssh_user: collector_user     # User making the SSH connection
            vars:
              ansible_ssh_private_key_file: /home/orchestrator_user/.ssh/id_rsa  # Identity file used for the SSH connection
- Edit /opt/opsview/deploy/etc/user_vars.yml and add the following:

    # For SSH tunnels initiated from the Opsview Orchestrator.
    opsview_ssh_tunnels_reverse_collectors:
      - de_collector_01   # Replace with the hostname (not FQDN) of your Collector
Note
If you are using NATed IP addresses, follow the additional steps about using NATed IP addresses.
- Run the setup-everything and setup-monitoring playbooks on your Orchestrator.

  If you are deploying a single new Collector, use the -l option (l for lima) to limit the first playbook to that Collector, then run the ssh-tunnels-install playbook limited to the Orchestrator:

    /opt/opsview/deploy/bin/opsview-deploy -l de_collector_01 /opt/opsview/deploy/lib/playbooks/setup-everything.yml
    /opt/opsview/deploy/bin/opsview-deploy -l <orchestrator_hostname> /opt/opsview/deploy/lib/playbooks/ssh-tunnels-install.yml
If you are adding the Collector to an existing cluster, follow the steps on the Managing Collectors and Clusters page.
Forward tunnels
Forward tunnels are made from a Collector to the Orchestrator. You may want to use a Collector with a forward tunnel if your Collector is behind a restrictive firewall and your Orchestrator is in a different location.
How to set up a Collector with a forward tunnel
Note
These instructions explain how to set up SSH Tunnels for standard Collectors. For details on SSH Tunnels for Remotely Managed Collectors, instead refer to Remote Collector Management.
These instructions describe the process for setting up a new Collector, fr_collector_01, which communicates with an existing Orchestrator, orchestrator, through an SSH tunnel originating from fr_collector_01.
You will need to open two terminal windows: one with access to your Orchestrator and the other with access to the Collector.
When using the example commands, replace the variables to suit your environment. The two tables below show the details of our example hosts (fr_collector_01 and orchestrator) that you need to substitute.
Orchestrator

| Variable | Value |
|---|---|
| Hostname | orchestrator |
| FQDN | orchestrator.example.com |
| Local IP | 192.168.10.20 |
| Public IP | 80.80.80.81 |
| Local user | orchestrator_user |
| SUDO access | N/A |
Collector

| Variable | Value |
|---|---|
| Hostname | fr_collector_01 |
| FQDN | fr_collector_01.example.com |
| Local IP | 192.168.10.30 |
| Public IP | 80.80.80.82 |
| Local user | collector_user |
| SUDO access | NOPASSWD |
Note
The local users for your Orchestrator and Collector must have full root access. You may use the default root user as this local user.
Making an SSH connection
- Generate an SSH key on the Collector as collector_user; ensure the user's password is set to a known value (it can be removed later) and that the user has full sudo access with NOPASSWD set:

    ssh-keygen -t rsa -b 4096
- Copy the public key you generated to orchestrator_user on the Orchestrator:

    ssh-copy-id orchestrator_user@orchestrator.example.com
- Identify an unused port on the Orchestrator to test the SSH connection. In this example, port 9022 is used.
- Open an SSH tunnel from your Collector to your Orchestrator, forwarding port 9022:

    ssh -R 9022:localhost:22 orchestrator_user@orchestrator.example.com

  You should be able to log in without any password prompts or errors. Once opened, do not close this session yet.
- In the other terminal session, generate an SSH key on the Orchestrator as root:

    ssh-keygen -t rsa -b 4096

  If an SSH key pair already exists in the ~/.ssh/ directory of the root user, you may use it and skip to the next step.
Copy the public key you recently generated to
collector_user
on the Collector, making use of the SSH tunnel steps above:ssh-copy-id -p 9022 collector_user@127.0.0.1
- Check that the SSH connection to the Collector works without a password:

    ssh -p 9022 collector_user@127.0.0.1

  If you are prompted for a password, revisit the SSH key steps above.
Preparing the Orchestrator
The following steps must be performed on your Orchestrator while the test tunnel from the Collector is open.
- Edit /opt/opsview/deploy/etc/opsview_deploy.yml to include a new section within collector_clusters like the example below:

    collector_clusters:
      # New section for the forward tunnel Collector
      my-forward-cluster:                   # Cluster name that will appear in the UI
        collector_hosts:
          fr_collector_01.example.com:      # FQDN of the Collector
            ip: 80.80.80.82                 # Public IP of the Collector
            ssh_user: collector_user        # Username of the local root user on the Collector
            ssh_port: 9022                  # Previously identified unused port
            vars:
              opsview_ssh_tunnels_connections:
                - name: 80.80.80.81         # Public IP of the Orchestrator
                  local_ports: '{{ opsview_ssh_tunnels_collector_ports }}'
                  remote_ports:
                    - '127.0.0.1:9022:127.0.0.1:22'   # Replace '9022' with the value of ssh_port defined above
Note
For opsview_deploy.yml, more information on the correct formatting and syntax of this file can be found in Managing Clusters and Collectors.
- Edit the SSH config file (/home/root/.ssh/config) for root to include an entry similar to the example below (ssh_config does not accept trailing comments on a line, so the comments are placed on their own lines):

    # Replace the patterns with the local IP, FQDN, and hostname of your Collector
    Host 192.168.10.30 fr_collector_01.example.com collector
        Hostname 127.0.0.1
        # Replace with the open port you are using
        Port 9022
        # Replace with the username of the local user on the Collector
        User collector_user
- Edit /opt/opsview/deploy/etc/user_vars.yml and add the following:

    # For SSH tunnels initiated from the Opsview Collectors.
    opsview_ssh_tunnels_forward_collectors:
      - fr_collector_01   # Replace with the hostname (not FQDN) of your Collector
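The opsview_deploy.yml and user_vars.yml fragments above have to agree with each other: the list entry must be a hostname rather than an FQDN and must correspond to a collector_hosts entry, and the ssh_port of a forward-tunnel Collector must be the port its remote_ports entry forwards to port 22. The following Python check is an added example, not part of Opsview's own tooling; it works on the dictionaries that yaml.safe_load() would return for the two files, with constructed copies of the fragments from this page embedded so it runs offline.

```python
import re

# Constructed: what yaml.safe_load() returns for the opsview_deploy.yml fragment
# on this page (in practice, load the real file with PyYAML).
DEPLOY = {"collector_clusters": {"my-forward-cluster": {"collector_hosts": {
    "fr_collector_01.example.com": {
        "ip": "80.80.80.82", "ssh_user": "collector_user", "ssh_port": 9022,
        "vars": {"opsview_ssh_tunnels_connections": [{
            "name": "80.80.80.81",
            "local_ports": "{{ opsview_ssh_tunnels_collector_ports }}",
            "remote_ports": ["127.0.0.1:9022:127.0.0.1:22"]}]}}}}}}
# Constructed: the matching user_vars.yml fragment.
USER_VARS = {"opsview_ssh_tunnels_forward_collectors": ["fr_collector_01"]}

FORWARD = "opsview_ssh_tunnels_forward_collectors"
REVERSE = "opsview_ssh_tunnels_reverse_collectors"
# remote_ports entries have the form bind_addr:port:host:hostport
REMOTE_PORT_RE = re.compile(r"^[\w.]+:(\d+):[\w.]+:(\d+)$")


def check_tunnel_config(deploy, user_vars):
    """Return a list of problems; an empty list means the two files agree."""
    problems, hosts = [], {}
    for cluster in deploy.get("collector_clusters", {}).values():
        hosts.update(cluster.get("collector_hosts", {}))
    short_names = {fqdn.split(".")[0] for fqdn in hosts}
    for key in (FORWARD, REVERSE):
        for name in user_vars.get(key, []):
            if "." in name:
                problems.append(f"{key}: '{name}' looks like an FQDN; use the hostname")
            elif name not in short_names:
                problems.append(f"{key}: '{name}' has no collector_hosts entry")
    for fqdn, cfg in hosts.items():
        if fqdn.split(".")[0] not in user_vars.get(FORWARD, []):
            continue  # only Collector-initiated tunnels carry ssh_port/remote_ports
        port = cfg.get("ssh_port")
        if port is None:
            problems.append(f"{fqdn}: forward-tunnel collector needs ssh_port")
            continue
        forwarded = set()  # ports on the Orchestrator that reach the Collector's sshd
        for conn in cfg.get("vars", {}).get("opsview_ssh_tunnels_connections", []):
            for spec in conn.get("remote_ports", []):
                m = REMOTE_PORT_RE.match(str(spec))
                if m and m.group(2) == "22":
                    forwarded.add(int(m.group(1)))
        if port not in forwarded:
            problems.append(f"{fqdn}: ssh_port {port} is not forwarded to port 22 in remote_ports")
    return problems
```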
Deploy the Collector
- Run the setup-everything playbook on your Orchestrator:

    /opt/opsview/deploy/bin/opsview-deploy /opt/opsview/deploy/lib/playbooks/setup-everything.yml

- Close the test SSH tunnel from your Collector to your Orchestrator.
- Restart all Opsview components on the Collector:

    /opt/opsview/watchdog/bin/opsview-monit restart all

- Wait for all the Opsview components to restart:

    /opt/opsview/watchdog/bin/opsview-monit summary -B

- Run the setup-monitoring playbook on your Orchestrator:

    /opt/opsview/deploy/bin/opsview-deploy /opt/opsview/deploy/lib/playbooks/setup-monitoring.yml
Your new collector should now be registered in the UI as described in Managing Clusters and Collectors.
Additional steps for NATed IP addresses
Reverse tunnels
- Edit the SSH config file (/home/orchestrator_user/.ssh/config) for orchestrator_user on orchestrator to include an entry like the one below (ssh_config does not accept trailing comments on a line, so the comments are placed on their own lines):

    # Replace the patterns with the local IP, FQDN, and hostname of your Collector
    Host 192.168.10.31 de_collector_01.example.com collector
        # Replace with the public IP of the Collector
        Hostname 80.80.80.83
        # Replace with the username of the local user on the Collector
        User collector_user
- Edit the newly added section in /opt/opsview/deploy/etc/opsview_deploy.yml to mirror the example below:

    collector_clusters:
      # New section for the reverse tunnel Collector
      my-cluster:                        # Cluster name that will appear in the UI
        collector_hosts:
          de_collector_01.example.com:   # FQDN of the Collector
            ip: 192.168.10.31            # Local IP of the Collector
            ssh_user: collector_user     # Username of the local root user on the Collector
            vars:
              ansible_ssh_private_key_file: /home/orchestrator_user/.ssh/id_rsa  # Identity file used for the SSH connection
              opsview_host_alt_address:
                de_collector_01: 80.80.80.83   # Replace with the hostname and public IP of the Collector if your Orchestrator is NATed

Note
If the Orchestrator has a NATed IP address, the Collectors need this configuration; if a Collector has a NATed IP address, the Orchestrator needs it.
Troubleshooting
SSH tunnels keep starting but never stay open
Check the permissions of /opt/opsview/. They should be 755 root:root.