Hitachi

JP1 Version 12 JP1/Performance Management - Remote Monitor for Virtual Machine Description, User's Guide and Reference


2.5.4 For Docker environment

If the virtual environment to be monitored uses Docker environment, communication between PFM - RM for Virtual Machine and the virtual environment is encrypted using SSL/TLS. Therefore, the following certificates and passwords are required:

For the physical server running Docker environment to be monitored:
  • Root certificate of the certificate authority

    A root certificate of the certificate authority is needed. In this case, the certificate authority must be the same certificate authority that issues a certificate of the physical server.

  • Certificate of the physical server running Docker environment

    A certificate issued to the physical server is needed. In this case, the host name of the physical server is designated as an issuing destination of the certificate. This certificate is required for each physical server running Docker environment.

  • Private key for the certificate of the physical server

    A private key, which is used when the certificate of the physical server is issued, is needed.

For the Windows server running PFM - RM for Virtual Machine:
  • Root certificate of the certificate authority

    A root certificate of the certificate authority is needed. In this case, the certificate authority must be the same certificate authority that issues a certificate of the physical server.

  • Client certificate used for connecting with Docker environment (Personal Information Exchange format)

    A client certificate must be issued from the certificate authority that issues the certificate of the physical server. If the issuers of the client certificate and the certificate of the physical server differ, monitoring cannot be performed. When all certificates of the physical server are issued by the same certificate authority, monitoring can be performed with a single client certificate. When the certificates of the physical server are issued from various certificate authorities, each client certificate must be issued from each certificate authority.

  • Password for Personal Information Exchange

    For client certificates with Personal Information Exchange format, a password is set to protect the private key. This password is required when you register a certificate with the Windows certificate store.

    Important

    If no CA certificate has been embedded when you use SSL/TLS to communicate with Docker environment, the following problems may occur:

    • During performance data collection, it may take quite a while to receive a response from the Docker environment at the connection destination.

    • Because of the delay in receiving a response from the Docker environment at the connection destination, performance data collection might not be completed within the prescribed collection interval, resulting in a collection failure.

    If the client certificate is not embedded, collection fails due to connection rejection by the Docker environment.

The following figure shows how to place each certificate.

Figure 2‒6:  Placement of certificates

[Figure]

The Docker environment specifies root certificate files, server certificate files and server private key files using arguments during execution of the Docker Engine.

PFM - RM for Virtual Machine uses the certificates and private keys that have been registered with the Windows certificate store.

(1) Settings of target for monitoring

On the physical server to be monitored, configure the Docker daemon to use the certificates and to accept TCP connections, and then change the firewall settings of the physical server.

(a) Placing certificates

Place the root certificate, server certificates, and private keys in a location where the certificates and keys can be accessed by the Docker Engine.

For Docker environment (Linux)

An example of placing the files in /etc/docker/certs.d:

Root certificate : /etc/docker/certs.d/ca.pem

Server certificate : /etc/docker/certs.d/server-cert.pem

Server private key : /etc/docker/certs.d/server-key.pem

For Docker environment (Windows)

An example of placing the files in C:\ProgramData\docker\certs.d:

Root certificate : C:\ProgramData\docker\certs.d\ca.pem

Server certificate : C:\ProgramData\docker\certs.d\server-cert.pem

Server private key : C:\ProgramData\docker\certs.d\server-key.pem

(b) Enabling TCP connection and SSL/TLS

Set a TCP port number and certificates necessary for encrypted communication so that you can connect with the Docker environment remotely.

For Docker environment (Linux)

Add -H, --tlsverify, --tlscacert, --tlscert, and --tlskey options as arguments of OPTIONS for the /etc/sysconfig/docker file.

An example in which the certificate files are placed in /etc/docker/certs.d and connections are accepted on port number XXXX is shown below.
OPTIONS='--selinux-enabled --log-driver=journald
  --tlsverify --tlscacert=/etc/docker/certs.d/ca.pem
  --tlscert=/etc/docker/certs.d/server-cert.pem
  --tlskey=/etc/docker/certs.d/server-key.pem
  -H unix:///var/run/docker.sock -H tcp://0.0.0.0:XXXX'

To enable the changes, restart the Docker Engine.

An example of a command to restart the Docker daemon is shown below.

systemctl restart docker

For Docker environment (Windows)

Add the hosts, tlsverify, tlscacert, tlscert, and tlskey options to the file C:\ProgramData\Docker\config\daemon.json.

An example in which the certificate files are placed in C:\ProgramData\docker\certs.d and connections are accepted on port number XXXX is shown below.

{
  "hosts": ["tcp://0.0.0.0:XXXX", "npipe://"],
  "tlsverify": true,
  "tlscacert": "C:\\ProgramData\\docker\\certs.d\\ca.pem",
  "tlscert": "C:\\ProgramData\\docker\\certs.d\\server-cert.pem",
  "tlskey": "C:\\ProgramData\\docker\\certs.d\\server-key.pem"
}

To enable the changes, restart the Docker Engine service.

The Docker Engine service you need to restart:

Service name : Docker

Indication name : Docker Engine
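The following script is an added example and is not part of the JP1 manual or of the Docker or PFM - RM products. It reads a Windows daemon.json such as the one above and reports the mistakes that cause the symptoms described in the Important note (no client certificate check, missing certificate files, a server certificate that does not name the host) before the Docker Engine service is restarted. The configuration path is the one used in this subsection; the check that the certificate host name starts with the local computer name is an assumption that the certificate was issued to this host as the manual requires, and loading PEM files through the X509Certificate2 constructor is assumed to work as it does for base64-encoded .cer files.

```powershell
# Added example, not from the JP1 manual: sanity-check a Windows Docker
# daemon.json before running "Restart-Service Docker".
# Assumptions: the config path below is the one from the manual; tlscacert and
# tlscert are PEM/base64 X.509 files (loaded via the X509Certificate2 constructor).
param(
    [string]$ConfigPath = 'C:\ProgramData\Docker\config\daemon.json'
)

$problems = @()
$cfg = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json

# 1. A tcp:// listener is only acceptable together with "tlsverify": true.
#    Without it the daemon accepts any remote caller, and a Docker daemon is
#    administrator-equivalent on the host.
$tcpHosts = @($cfg.hosts | Where-Object { $_ -like 'tcp://*' })
if ($tcpHosts.Count -eq 0) {
    $problems += 'No tcp:// entry in "hosts": PFM - RM cannot connect remotely.'
}
if (-not ($cfg.tlsverify -eq $true)) {
    $problems += '"tlsverify" is not true: client certificates would not be checked.'
}

# 2. Every referenced certificate or key file must exist where the service can read it.
foreach ($key in 'tlscacert', 'tlscert', 'tlskey') {
    $path = $cfg.$key
    if ([string]::IsNullOrEmpty($path)) {
        $problems += "`"$key`" is missing from daemon.json."
    } elseif (-not (Test-Path -Path $path -PathType Leaf)) {
        $problems += "`"$key`" points to a file that does not exist: $path"
    }
}

# 3. The server certificate must be issued by the configured CA (the root that
#    PFM - RM registers), must name this physical server, and must not be expired.
if ($cfg.tlscacert -and $cfg.tlscert -and
    (Test-Path $cfg.tlscacert) -and (Test-Path $cfg.tlscert)) {
    $ca  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cfg.tlscacert)
    $srv = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cfg.tlscert)

    if ($srv.Issuer -ne $ca.Subject) {
        $problems += "Server certificate issuer '$($srv.Issuer)' does not match CA subject '$($ca.Subject)'."
    }
    # Loose host-name check (assumption): the certificate name should start with
    # the local computer name; a FQDN in the certificate still passes.
    $hostName = [System.Net.Dns]::GetHostName()
    $dnsName  = $srv.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -notlike "$hostName*") {
        $problems += "Server certificate is issued to '$dnsName', but this host is '$hostName'."
    }
    if ($srv.NotAfter -lt (Get-Date)) {
        $problems += "Server certificate expired on $($srv.NotAfter)."
    }
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $ConfigPath is ready; restart the Docker Engine service to apply it."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run the script on the physical server before restarting the service; a non-zero exit code means at least one finding was reported. The same three checks apply to the Linux OPTIONS line in /etc/sysconfig/docker, where the equivalent settings are the -H tcp:// entry and the --tlsverify, --tlscacert, --tlscert, and --tlskey options.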

(c) Changing the firewall settings

If firewall is enabled, change the settings to allow remote connection.

For Docker environment (Linux)
An example for port number XXXX is shown below.

firewall-cmd --permanent --zone=public --add-port=XXXX/tcp
firewall-cmd --reload

For Docker environment (Windows)

An example for port number XXXX is shown below.

netsh advfirewall firewall add rule name="Docker Engine" protocol=TCP dir=in localport=XXXX action=allow

(2) Setting PFM - RM for Virtual Machine

When you set up the monitoring target for PFM - RM for Virtual Machine, register the certificates as described below so that encrypted communication with the Docker environment is possible.

(a) Registering a root certificate

  1. In Windows, choose Start and then Run.

    The Run dialog box opens.

    [Figure]

  2. In the Run dialog box, enter mmc and click OK.

    Management Console starts.

    [Figure]

  3. In Console1, choose File and then Add/Remove Snap-in.

    The Add/Remove Snap-in dialog box opens.

    [Figure]

  4. Choose Certificates and then click Add.

    The Certificates snap-in dialog box opens.

    [Figure]

  5. Choose Computer account and then click Next.

    The Select Computer dialog box opens.

    [Figure]

  6. Choose Local computer and click Finish.

    [Figure]

  7. Check that Certificates (Local Computer) is added to Selected snap-ins and click OK.

  8. Expand Certificates (Local Computer) and right-click Certificates under Trusted Root Certification Authorities. Then click All Tasks and Import from the displayed menu items.

    [Figure]

    The Certificate Import Wizard dialog box opens.

    [Figure]

  9. Click Next.

    [Figure]

  10. In the File name text box, enter the name of the certificate file to import, and then click Next.

    Here, C:\Certs\ca.pem is entered as an example.

    Check that the certificate store is set as Trusted Root Certification Authorities.

    [Figure]

  11. Choose Place all certificates in the following store, and then click Next.

    [Figure]

  12. Click Finish.

    [Figure]

  13. Click OK and check that the certificate has been successfully imported.

(b) Registering a client certificate

Log on as the user of the PFM - RM host (that is, the user specified as HostUserID in the instance environment settings).

  1. In Windows, choose Start and then Run.

    The Run dialog box opens.

    [Figure]

  2. In the Run dialog box, enter mmc and click OK.

    Management Console starts.

    [Figure]

  3. In Console1, choose File and then Add/Remove Snap-in.

    The Add/Remove Snap-in dialog box opens.

    [Figure]

  4. Choose Certificates and then click Add.

    The Certificates snap-in dialog box opens.

    [Figure]

  5. Select My user account and click Finish.

    [Figure]

  6. Check that Certificates - Current User is added to Selected snap-ins and click OK.

  7. Expand Certificates - Current User and right-click Personal. Then click All Tasks and Import from the displayed menu items.

    [Figure]

    The Certificate Import Wizard dialog box opens.

    [Figure]

  8. Click Next.

    [Figure]

  9. In the File name text box, enter the name of the certificate file to import, and then click Next.

    Here, C:\Certs\client.pfx is entered as an example.

    [Figure]

  10. Enter the password for the Personal Information Exchange file, and then click Next.

    Check that the certificate store is set as Personal.

    [Figure]

  11. Choose Place all certificates in the following store, and then click Next.

    [Figure]

  12. Click Finish.

    [Figure]

  13. Click OK and check that the certificate has been successfully imported.
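The following script is an added example and is not part of the JP1 manual or of the PFM - RM product. It performs the same two registrations as procedures (a) and (b) from the command line (Import-Certificate and Import-PfxCertificate from the Windows PKI module) and then makes the checks a practitioner wants before starting collection: that the client certificate was issued by the registered root (the manual states that monitoring fails otherwise), that the PFX carried its private key, and that a TLS connection to the Docker Engine API succeeds with exactly that trust material. The file paths are the ones used in the procedures above; the Docker host name and the port value that stands in for XXXX are placeholders.

```powershell
# Added example, not from the JP1 manual: command-line equivalent of the MMC
# certificate registration plus verification. Paths follow the manual's examples;
# the Docker host name and port are placeholders (the port stands in for XXXX).
param(
    [string]$RootCertPath  = 'C:\Certs\ca.pem',
    [string]$ClientPfxPath = 'C:\Certs\client.pfx',
    [string]$DockerHost    = 'docker-host.example.com',   # placeholder host name
    [int]$DockerPort       = 2376                         # placeholder for XXXX
)

# (a) Root certificate -> Trusted Root Certification Authorities (Local Computer).
#     Requires an elevated session, just like the MMC procedure.
$root = Import-Certificate -FilePath $RootCertPath -CertStoreLocation 'Cert:\LocalMachine\Root'

# (b) Client certificate (PFX) -> Personal (Current User).
#     Run this part as the HostUserID user, because PFM - RM reads that user's store.
$pfxPassword = Read-Host -Prompt 'Password for the Personal Information Exchange file' -AsSecureString
$client = Import-PfxCertificate -FilePath $ClientPfxPath `
                                -CertStoreLocation 'Cert:\CurrentUser\My' `
                                -Password $pfxPassword

# Check 1: the client certificate must be issued by the same CA as the server
# certificate; the root registered in (a) is that CA.
if ($client.Issuer -ne $root.Subject) {
    Write-Warning "Client certificate issuer '$($client.Issuer)' differs from root subject '$($root.Subject)'."
}

# Check 2: without the private key the certificate cannot be used for TLS client
# authentication, so the Docker daemon would reject the connection.
if (-not $client.HasPrivateKey) {
    Write-Warning 'The imported client certificate has no private key.'
}

# Check 3: end-to-end test against the Docker Engine API with the same root and
# client certificate that PFM - RM will use. Success shows the root is trusted,
# the server certificate matches the host name, and the client certificate is
# accepted; failure reproduces the connection rejection the manual warns about.
try {
    $version = Invoke-RestMethod -Uri "https://${DockerHost}:${DockerPort}/version" -Certificate $client
    Write-Output "Connected: Docker Engine $($version.Version) on $DockerHost"
} catch {
    Write-Warning "TLS connection to ${DockerHost}:${DockerPort} failed: $($_.Exception.Message)"
}
```

In practice the two imports run in different sessions: the root import needs an elevated prompt, while the client import and the connection test must run as the HostUserID user so that the certificate lands in the store PFM - RM actually reads. If Check 3 fails with a trust error, the root registration is the first thing to recheck; if it fails with a rejection from the server, the client certificate or its issuer is.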