SSH Tunnels
Opsview Monitor can be configured to route all connections to/from the Opsview Collectors via SSH tunnels. This is especially useful when the Collectors are behind restrictive firewalls.
It is possible to use forward and reverse tunnels on your system. A forward tunnel is made from the Orchestrator to a Collector, whereas a reverse tunnel is made from the Collector to the Orchestrator.
Forward tunnels
Forward tunnels are made from the Orchestrator to a Collector.
How to set up a Collector with a forward tunnel
These instructions describe the process for setting up a new Collector, de_collector_01 which communicates with an existing Orchestrator, orchestrator through an SSH tunnel originating from orchestrator.
When using the example commands, you should replace the variables to suit your environment. Below are two tables showing the details of our example hosts (de_collector_01 and orchestrator) that you need to substitute.
Orchestrator
| Variable | Value |
|---|---|
| Hostname | orchestrator |
| FQDN | orchestrator.example.com |
| Local IP | 192.168.10.20 |
| Public IP | 80.80.80.81 |
| Local user | orchestrator_user |
Collector
| Variable | Value |
|---|---|
| Hostname | de_collector_01 |
| FQDN | de_collector_01.example.com |
| Local IP | 192.168.10.31 |
| Public IP | 80.80.80.83 |
| Local user | collector_user |
Local users require full root access
The local users for your Orchestrator and Collector must have full root access. You may use the default root user as this local user.
Making an SSH connection
1. Generate an SSH key on the Orchestrator as orchestrator_user (do not set a password):
--- Check in the ~/.ssh/ directory of the user you are wishing to use and if a SSH key pair already exists, you may use this and skip to the next step
ssh-keygen -t rsa -b 4096
2. Copy the public key you just generated to collector_user on the Collector:
ssh-copy-id collector_user@de_collector_01.example.com
3. Test the connection of your Orchestrator to your Collector:
ssh collector_user@de_collector_01.example.com
You should be able to log in without any password prompts or errors.
Deploy the Collector
1. Edit /opt/opsview/deploy/etc/opsview_deploy.yml to include a new section within collector_clusters like the below example:
collector_clusters:
my-local-cluster: # Cluster name as it will appear in the UI
collector_hosts:
de_collector_01.example.com: # FQDN of the collector
ip: 80.80.80.83 # IP of the collector (known to orchestrator)
ssh_user: collector_user # User making SSH connection
vars:
ansible_ssh_private_key_file: /home/orchestator_user/.ssh/id_rsa # Path to identityfile used for making the SSH connection
2. Edit /opt/opsview/deploy/etc/user_vars.yml and add the below:
# For SSH tunnels initiated from the Opsview Orchestrator.
# NB that that 'reverse' here refers to the perspective of the collector, not the orchestrator
opsview_ssh_tunnels_reverse_collectors:
- de_collector_01 # Replace with hostname (not FQDN) of your collector
If you are using NATed IP addresses...
Follow the additional steps at the bottom of this page.
3. Run the setup-everything and setup-monitoring playbooks on your Orchestrator:
*** If you are deploying one new collector use the -l (l for lima) against the individual collector and then run the ssh-tunnels against the orchestrator
/opt/opsview/deploy/bin/opsview-deploy -l de_collector_01 /opt/opsview/deploy/lib/playbooks/setup-everything.yml
/opt/opsview/deploy/bin/opsview-deploy -l <orchestrator_hostname> /opt/opsview/deploy/lib/playbooks/ssh-tunnels-install.yml
If you are adding the collector into a cluster, please look at the steps on Managing Collectors and Clusters page .
/opt/opsview/deploy/bin/opsview-deploy /opt/opsview/deploy/lib/playbooks/setup-everything.yml
/opt/opsview/deploy/bin/opsview-deploy /opt/opsview/deploy/lib/playbooks/setup-monitoring.yml
Reverse tunnels
Reverse tunnels are made from a Collector to the Orchestrator. You may want to use a Collector with a reverse tunnel if your Collector is behind a restrictive firewall and your Orchestrator is in a different location.
How to set up a Collector with a reverse tunnel
These instructions describe the process for setting up a new Collector, fr_collector_01 which communicates with an existing Orchestrator, orchestrator through an SSH tunnel originating from fr_collector_01.
You will need to open two terminal windows: one with access to your Orchestrator and the other with access to the Collector.
When using the example commands, you should replace the variables to suit your environment. Below are two tables showing the details of our example hosts (fr_collector_01 and orchestrator) that you need to substitute.
Orchestrator
| Variable | Value |
|---|---|
| Hostname | orchestrator |
| FQDN | orchestrator.example.com |
| Local IP | 192.168.10.20 |
| Public IP | 80.80.80.81 |
| Local user | orchestrator_user |
Collector
| Variable | Value |
|---|---|
| Hostname | fr_collector_01 |
| FQDN | fr_collector_01.example.com |
| Local IP | 192.168.10.30 |
| Public IP | 80.80.80.82 |
| Local user | collector_user |
Local users require full root access
The local users for your Orchestrator and Collector must have full root access. You may use the default root user as this local user.
Making an SSH connection
1. Generate an SSH key on the Collector as collector_user (do not set a password):
ssh-keygen -t rsa -b 4096
2. Copy the public key you just generated to orchestrator_user on the Orchestrator:
ssh-copy-id [email protected]
3. Generate an SSH key on the Orchestrator as orchestrator_user (do not set a password):
--- Check in the ~/.ssh/ directory of the user you are wishing to use and if a SSH key pair already exists, you may use this and skip to the next step
ssh-keygen -t rsa -b 4096
4. Copy the public key you just generated to collector_user on the Collector:
ssh-copy-id collector_user@fr_collector_01.example.com
5. Identify an unused port on the orchestrator to test the SSH connection. We use port 9022 in this example.
6. Open a test reverse SSH tunnel from your Collector to your Orchestrator:
ssh -R 9022:localhost:22 [email protected]
You should be able to log in without any password prompts or errors. Do not close this session yet!
7. Test the connection of your Orchestrator to the Collector now that the reverse tunnel is open:
--- If you receive any password prompts here, you will need to revisit the SSH key steps
ssh -p 9022 [email protected]
You should be able to log in without any password prompts or errors.
Preparing the Orchestrator
The following steps must be performed on your Orchestrator while the test tunnel from the Collector is open.
1. Edit /opt/opsview/deploy/etc/opsview_deploy.yml to include a new section within collector_clusters like the below example:
collector_clusters:
# New section for reverse tunnel collector
my-reverse-cluster: # Cluster name that will appear in the UI
collector_hosts:
fr_collector_01.example.com: # FQDN of collector
ip: 80.80.80.82 # Public IP of collector
ssh_user: collector_user # Username of local root user on collector
ssh_port: 9022 # Previously identified unused port
vars:
opsview_ssh_tunnels_connections:
- name: 80.80.80.81 # Public IP of orchestrator
local_ports: '{{ opsview_ssh_tunnels_collector_ports }}'
remote_ports:
- '127.0.0.1:9022:127.0.0.1:22' # Replace '9022' with the value of ssh_port defined above
opsview_deploy.yml
More information on correct formatting and syntax for this file can be found in Managing Clusters and Collectors.
2. Edit the SSH config file (/home/orchestrator_user/.ssh/config) for orchestrator_user to include an entry like the below. If you are using the root user, edit /root/.ssh/config instead.
Host 192.168.10.30 fr_collector_01.example.com collector # Replace these with the local IP, FQDN, and hostname of your Collector
Hostname 127.0.0.1
Port 9022 # Replace with the open port you are using
User collector_user # Replace with the username of the local user on the collector
3. Edit /opt/opsview/deploy/etc/user_vars.yml and add the below:
# For SSH tunnels initiated from the Opsview Collectors.
# NB that that 'forward' here refers to the perspective of the collector, not the orchestrator
opsview_ssh_tunnels_forward_collectors:
- fr_collector_01 # Replace with the hostname of your Collector
Deploy the Collector
1. Run the setup-everything playbook on your Orchestrator:
/opt/opsview/deploy/bin/opsview-deploy /opt/opsview/deploy/lib/playbooks/setup-everything.yml
2. Close the test SSH tunnel from your Collector to your Orchestrator.
3. Restart all Opsview components on the Collector.
/opt/opsview/watchdog/bin/opsview-monit restart all
4. Run the setup-monitoring playbook on your Orchestrator.
/opt/opsview/deploy/bin/opsview-deploy /opt/opsview/deploy/lib/playbooks/setup-monitoring.yml
You should now be able to register your new collector in the UI as described in Managing Clusters and Collectors.
Additional steps for NATed IP addresses
Forward tunnels
1. Edit the SSH config file (/home/orchestrator_user/.ssh/config) for orchestrator_user on orchestrator to include an entry like the below:
Host 192.168.10.31 de_collector_01.example.com collector # Replace these with the local IP, FQDN, and hostname of your Collector
Hostname 80.80.80.83 # Replace with public IP of the collector
User collector_user # Replace with the username of the local user on the collector
2. Edit the newly added section in /opt/opsview/deploy/etc/opsview_deploy.yml to mirror the below example:
collector_clusters:
# New section for forward tunnel collector
my-cluster: # Cluster name that will appear in the UI
collector_hosts:
de_collector_01.example.com: # FQDN of collector
ip: 192.168.10.31 # Local IP of collector
ssh_user: collector_user # Username of local root user on collector
vars:
ansible_ssh_private_key_file: /home/orchestator_user/.ssh/id_rsa # Path to identityfile used for making the SSH connection
opsview_host_alt_address: de_collector_01: 80.80.80.83 # Replace with hostname and public IP of the collector IF your orchestrator is nated
if orchestrator has nated ip, collectors need config
if collecter has nated, orchestrator needs config
Updated almost 3 years ago