Using RDS as Opsview's database

Opsview supports using Amazon Relational Database Services (RDS) as its own database. Here's how to set it up.

Preparation and considerations

Prior to setting up Opsview to use a MySQL RDS instance as its database, you must:

  • set up your MySQL RDS instance (other types of database are not supported)
  • have a root-privileged user that Opsview can use on your MySQL RDS instance (it should have the username 'root').
  • set admin_opsview's password so that it matches the one specified in /opt/opsview/deploy/etc/user_secrets.yml on the line starting opsview_database_root_password.

Opsview recommends enabling TLS-encrypted connections for external MySQL database servers.

If you use a custom CA, either add the CA public certificate to the system's CA bundle or set the Opsview database CA path to your CA public certificate in PEM format:

opsview_database_tls_ca_path: /path/to/ca.crt

This needs to be done on all hosts that access Opsview databases.

In the following steps, you should replace the variables as appropriate for your system.

Study the example configurations carefully before copying them and remember to back up your old settings before making any changes.

The Set Up

1. Configure opsview_deploy.yml

Create an empty section called database_hosts in /opt/opsview/deploy/etc/opsview_deploy.yml.
You can do this by appending the below to this file.

#
# ...
#
database_hosts: {}

Why is this section blank?

The existence of this section tells opsview_deploy to set up an external database.

Populating this section, notably with the database IP address, will cause opsview_deploy to fail.

2. Configure user_vars.yml

The following changes must be made to /opt/opsview/deploy/etc/user_vars.yml:

  • Create a section called opsview_database_backend_nodes
    • Declare the database FQDN
    • Declare the database name
  • Declare the database root username (root)

#
# ...
#
opsview_database_backend_nodes:
  - ip_addr: opsview6.aaal.eu-west-1.rds.amazonaws.com  # replace with your database FQDN
    name: opsview_database                              # replace with your database name

opsview_database_root_username: root

  • (Optional) Enable TLS encryption to the MySQL server.

Update user_vars.yml as follows:

#
# ...
#
opsview_database_backend_nodes:
  - ip_addr: opsview6.aaal.eu-west-1.rds.amazonaws.com  # replace with your database FQDN
    name: opsview_database                              # replace with your database name

opsview_database_root_username: root

# It is recommended to encrypt connections to an external database server.
opsview_database_tls_enabled: True

Note: it's possible to customize other database/TLS-related settings, which are documented in user_variables-example.yml.

3. Run opsview_deploy

Execute the below command as root.

/opt/opsview/deploy/bin/opsview-deploy /opt/opsview/deploy/lib/playbooks/setup-everything.yml

Upgrading existing databases to TLS

  • Ensure that TLS is enabled in the external database configuration.
  • Add the following line to /opt/opsview/deploy/etc/user_vars.yml:
opsview_database_tls_enabled: True
  • Optionally add the CA path to /opt/opsview/deploy/etc/user_vars.yml. This is only required if the database's CA certificate has not been added to the system CA bundle:
opsview_database_tls_ca_path: <path_to_ca_certificate>
  • Run setup everything:
/opt/opsview/deploy/bin/opsview-deploy /opt/opsview/deploy/lib/playbooks/setup-everything.yml
  • Optionally enforce secure transport on the external database by setting
    require_secure_transport = ON in the database configuration.
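
The settings from both procedures above can be checked before running opsview-deploy. The script below is an added example, not part of Opsview: it verifies that database_hosts is empty, that a backend node is declared, that TLS is explicitly enabled, and that any custom CA path points at a PEM certificate without private key material. The function names are hypothetical, and the two file paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not Opsview code: preflight check for the settings on this page.
# yaml_scalar and check_opsview_db_tls are hypothetical helper names.

# Last top-level "key: value" scalar in a file, minus comment, quotes, padding.
yaml_scalar() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' | tr -d "\"'" | tail -n 1
}

# Args: <opsview_deploy.yml> <user_vars.yml>. Returns 0 only if nothing is flagged.
check_opsview_db_tls() {
    deploy_yml=$1 user_vars=$2 rc=0

    # database_hosts must exist and stay empty; populating it makes opsview_deploy fail.
    grep -Eq '^database_hosts:[[:space:]]*\{[[:space:]]*\}[[:space:]]*(#.*)?$' "$deploy_yml" ||
        { echo "FAIL: database_hosts is missing or not empty"; rc=1; }

    # The external database must be declared under opsview_database_backend_nodes.
    awk '/^opsview_database_backend_nodes:/ { in_nodes = 1; next }
         /^[^ \t#-]/ { in_nodes = 0 }
         in_nodes && /^[ \t]*-[ \t]*ip_addr:[ \t]*[^ \t#]/ { found = 1 }
         END { exit !found }' "$user_vars" ||
        { echo "FAIL: no ip_addr under opsview_database_backend_nodes"; rc=1; }

    # TLS is recommended for external servers: flag anything but an explicit true.
    case $(yaml_scalar opsview_database_tls_enabled "$user_vars") in
        [Tt]rue|TRUE|[Yy]es) ;;
        *) echo "FAIL: opsview_database_tls_enabled is not true"; rc=1 ;;
    esac

    # A custom CA path must point at a PEM public certificate, never key material.
    ca=$(yaml_scalar opsview_database_tls_ca_path "$user_vars")
    if [ -n "$ca" ]; then
        if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca" 2>/dev/null; then
            echo "FAIL: $ca is not a readable PEM certificate"; rc=1
        elif grep -q -e 'PRIVATE KEY-----' "$ca"; then
            echo "FAIL: $ca also contains a private key"; rc=1
        fi
    fi
    return "$rc"
}

# Run against real files only when two paths are given on the command line.
if [ "$#" -eq 2 ]; then check_opsview_db_tls "$1" "$2"; fi
```

Once deployed, an encrypted session reports a non-empty cipher for SHOW SESSION STATUS LIKE 'Ssl_cipher' in a mysql client.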