2.5.7 SSH connection settings
This subsection describes how to set up an SSH connection. To use SSH, the PFM - RM host must have PuTTY or OS-standard OpenSSH installed. If SSH connection settings are not specified, PFM - RM for Virtual Machine will not be able to collect performance data. The settings for public key authentication must also be specified because public key authentication is used to authenticate the SSH server. In addition, because performance data is collected by using OS commands, necessary software and RPM packages might need to be installed on the PFM - RM host and the monitoring-target host.
Notes on installing PuTTY:
- Perform installation as a member of the Administrators group.
- Make sure that the name of the installation folder does not include multi-byte characters.
(1) Specifying the SSH connection settings
To enable connection to an SSH server, the following operations must be performed:
1. Enable public key authentication of the SSH server.
   Do this on the monitoring-target host.
2. Create keys.
   Do this on the PFM - RM host.
3. Deploy the private key on the PFM - RM host.
   Do this on the PFM - RM host.
4. Deploy the public key on the monitoring-target host.
   Do this on the monitoring-target host.
The following figure shows the concept of public key authentication.
In a cluster system, there are two methods of public key authentication. One method uses the same keys for the executing and standby nodes, and the other method uses different keys for those nodes.
If you choose to use the same keys for both the executing and standby nodes, copy the key files on the executing node to the standby node, overwriting the existing key files on the standby node. The following figure shows public key authentication using the same keys for both nodes.
If you choose to use different keys for the executing and standby nodes, register the keys on the monitoring-target host. The following figure shows public key authentication using different keys for the executing and standby nodes.
(2) User account settings
To use SSH, accounts on both the PFM - RM host and the monitoring-target host are required.
- PFM - RM host account
  Set the values that are described as HostUserID, HostPassword, and HostDomain in Table 2-5. The account that is set is specified during instance setup.
  If you use PFM - RM for Virtual Machine in a cluster system, specify the same user name and password on the executing and standby nodes. This lets the account log on to both of these nodes.
- Monitoring-target host account
  Use superuser as the monitoring-target host account.
(3) Installing necessary software and RPM packages
Different monitoring targets need different software and packages. The following describes what is required for each monitoring target.
(a) For KVM
■ Software required on the PFM - RM host
The table below lists the software that is required for PFM - RM for Virtual Machine to acquire monitoring-target information. For details, see the Release Notes.
Software name | OS | Version | Default |
---|---|---|---|
PuTTY | Windows Server 2012 | | N |
PuTTY | Windows Server 2012 R2 | | N |
PuTTY | Windows Server 2016 | | N |
PuTTY | Windows Server 2019 | | N |
OpenSSH | Windows Server 2019 | OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5 or later | Y |

Legend:
Y: Installed by default.
N: Not installed by default.
■ RPM packages required on the monitoring-target host
In order for PFM - RM for Virtual Machine to acquire monitoring-target information, the RPM packages listed below are required.
Software name | OS | RPM package name | Default |
---|---|---|---|
OpenSSH | Red Hat Enterprise Linux 6 (64-bit x86_64) | openssh-5.3p1-20.el6 or later, openssh-server-5.3p1-20.el6 or later | Y |
OpenSSH | Red Hat Enterprise Linux(R) Server 7 | openssh-6.6.1p1-11.el7 or later, openssh-server-6.6.1p1-11.el7 or later | Y |
OpenSSH | Red Hat Enterprise Linux(R) Server 8 | openssh-7.8p1-4.el8 or later, openssh-server-7.8p1-4.el8 or later | Y |

Legend:
Y: Installed by default.
■ Packages and commands required on the monitoring-target host
The command required for record collection differs depending on the record to be collected, and the required RPM package also differs depending on the command. To check the required package for a command, execute the following:
/bin/rpm -qf full-path-name-of-the-prerequisite-command
■ Records and the commands required for collecting the records
The following table lists records and the commands that are required for collecting the records.
No. | Record | Command |
---|---|---|
1 | Host CPU Status (PI_HCI) | /bin/date, /bin/cat |
2 | Host Logical Disk Status (PI_HLDI) | /bin/date, /bin/df |
3 | Host Memory Status (PI_HMI) | /bin/date, /bin/ps, /usr/bin/free, /usr/bin/getconf, /usr/bin/vmstat |
4 | Host Network Status (PI_HNI) | /bin/date, /sbin/ifconfig, /usr/bin/virsh |
5 | Host Physical Disk Status (PI_HPDI) | /bin/date, /usr/bin/iostat |
6 | Host Status Detail (PD) | /usr/bin/virsh, /bin/hostname |
7 | Host Status (PI) | /bin/date, /bin/cat, /bin/ps, /usr/bin/top |
8 | VM CPU Status (PI_VCI) | /bin/date, /usr/bin/virsh |
9 | VM Logical Disk Status (PI_VLDI) | -- |
10 | VM Memory Status (PI_VMI) | /bin/date, /usr/bin/pmap, /usr/bin/virsh |
11 | VM Network Status (PI_VNI) | /bin/date, /sbin/ifconfig, /bin/cat, /usr/bin/virsh |
12 | VM Physical Disk Status (PI_VPDI) | /bin/date, /usr/bin/virsh |
13 | VM Status Detail (PD_VM) | /usr/bin/virsh |
14 | VM Status (PI_VI) | /bin/date, /usr/bin/virsh, /bin/ps, /usr/bin/top |
The following lists the RPM packages required by the commands that are required for record collection.
No. | Command name | Package name | Default |
---|---|---|---|
1 | /bin/cat | coreutils-8.4-13.el6 or later | Y |
2 | /bin/date | coreutils-8.4-13.el6 or later | Y |
3 | /bin/df | coreutils-8.4-13.el6 or later | Y |
4 | /bin/ps | procps-3.2.8-17.el6 or later | Y |
5 | /usr/bin/free | procps-3.2.8-17.el6 or later | Y |
6 | /usr/bin/getconf | glibc-common-2.12-1.25.el6 or later | Y |
7 | /usr/bin/iostat | sysstat-9.0.4-18.el6 or later | N |
8 | /usr/bin/pmap | procps-3.2.8-17.el6 or later | Y |
9 | /usr/bin/top | procps-3.2.8-17.el6 or later | Y |
10 | /usr/bin/virsh | libvirt-client-0.8.7-18.el6 or later | N |
11 | /usr/bin/vmstat | procps-3.2.8-17.el6 or later | Y |
12 | /sbin/ifconfig | net-tools-1.60-105.el6 or later | Y |
13 | /bin/hostname | net-tools-1.60-105.el6 or later | Y |

Legend:
Y: Installed by default.
N: Not installed by default.
Table 2‒18: RPM packages required by the commands that are required for record collection (For Red Hat Enterprise Linux(R) Server 7)

No. | Command name | Package name | Default |
---|---|---|---|
1 | /bin/cat | coreutils-8.22-11.el7 or later | Y |
2 | /bin/date | coreutils-8.22-11.el7 or later | Y |
3 | /bin/df | coreutils-8.22-11.el7 or later | Y |
4 | /bin/ps | procps-ng-3.3.10-3.el7 or later | Y |
5 | /usr/bin/free | procps-ng-3.3.10-3.el7 or later | Y |
6 | /usr/bin/getconf | glibc-common-2.17-78.el7 or later | Y |
7 | /usr/bin/iostat | sysstat-10.1.5-7.el7 or later | N |
8 | /usr/bin/pmap | procps-ng-3.3.10-3.el7 or later | Y |
9 | /usr/bin/top | procps-ng-3.3.10-3.el7 or later | Y |
10 | /usr/bin/virsh | libvirt-client-1.2.8-16.el7 or later | N |
11 | /usr/bin/vmstat | procps-ng-3.3.10-3.el7 or later | Y |
12 | /bin/hostname | hostname-3.13-3.el7 or later | Y |

Legend:
Y: Installed by default.
N: Not installed by default.
Table 2‒19: RPM packages required by the commands that are required for record collection (For Red Hat Enterprise Linux(R) Server 8)

No. | Command name | Package name | Default |
---|---|---|---|
1 | /bin/cat | coreutils-8.30-6.el8 or later | Y |
2 | /bin/date | coreutils-8.30-6.el8 or later | Y |
3 | /bin/df | coreutils-8.30-6.el8 or later | Y |
4 | /bin/ps | procps-ng-3.3.15-1.el8 or later | Y |
5 | /usr/bin/free | procps-ng-3.3.15-1.el8 or later | Y |
6 | /usr/bin/getconf | glibc-common-2.28-42.el8 or later | Y |
7 | /usr/bin/iostat | sysstat-11.7.3-2.el8 or later | Y |
8 | /usr/bin/pmap | sysstat-11.7.3-2.el8 or later | Y |
9 | /usr/bin/top | procps-ng-3.3.15-1.el8 or later | Y |
10 | /usr/bin/virsh | libvirt-client-4.5.0-23.module+el8+2800+2d311f65 or later | N |
11 | /usr/bin/vmstat | procps-ng-3.3.15-1.el8 or later | N |
12 | /bin/hostname | hostname-3.20-6.el8 or later | Y |

Legend:
Y: Installed by default.
N: Not installed by default.
(b) For Podman environment
■ Software required on the PFM - RM host
Software required by PFM - RM for Virtual Machine to acquire monitoring-target information is the same as that for KVM. See Table 2-15 Software required to acquire monitoring-target information.
■ RPM packages required on the monitoring-target host
In order for PFM - RM for Virtual Machine to acquire monitoring-target information, the RPM packages listed below are required.
Software name | OS | RPM package name | Default |
---|---|---|---|
OpenSSH | Red Hat Enterprise Linux(R) Server 8 | openssh-7.8p1-4.el8 or later, openssh-server-7.8p1-4.el8 or later | Y |

Legend:
Y: Installed by default.
■ Packages and commands required on the monitoring-target host
The command required for record collection differs depending on the record to be collected, and the required RPM package also differs depending on the command. To check the required package for a command, execute the following:
/bin/rpm -qf full-path-name-of-the-prerequisite-command
■ Records and the commands required for collecting the records
The following table lists records and the commands that are required for collecting the records.
No. | Record | Command |
---|---|---|
1 | Host CPU Status (PI_HCI) | /usr/bin/date, /usr/bin/cat, /usr/bin/getconf |
2 | Host Logical Disk Status (PI_HLDI) | /usr/bin/date, /usr/bin/df, /usr/bin/mount |
3 | Host Memory Status (PI_HMI) | /usr/bin/date, /usr/bin/cat, /usr/bin/getconf, /usr/bin/vmstat, /usr/bin/podman |
4 | Host Network Status (PI_HNI) | /usr/bin/date, /usr/bin/cat |
5 | Host Physical Disk Status (PI_HPDI) | /usr/bin/date, /usr/bin/cat, /usr/bin/ls |
6 | Host Status Detail (PD) | /usr/bin/podman |
7 | Host Status (PI) | /usr/bin/date, /usr/bin/cat, /usr/bin/getconf, /usr/bin/podman |
8 | VM CPU Status (PI_VCI) | /usr/bin/date, /usr/bin/cat, /usr/bin/getconf, /usr/bin/podman |
9 | VM Memory Status (PI_VMI) | /usr/bin/date, /usr/bin/cat, /usr/bin/getconf, /usr/bin/podman |
10 | VM Network Status (PI_VNI) | /usr/bin/date, /usr/bin/cat, /usr/bin/podman |
11 | VM Physical Disk Status (PI_VPDI) | /usr/bin/date, /usr/bin/cat, /usr/bin/podman |
12 | VM Status Detail (PD_VM) | /usr/bin/podman |
13 | VM Status (PI_VI) | /usr/bin/date, /usr/bin/cat, /usr/bin/getconf, /usr/bin/podman |
14 | POD Status Detail (PD_PODD) | /usr/bin/podman |
15 | POD Status Interval (PI_PODI) | /usr/bin/date, /usr/bin/cat, /usr/bin/podman; when Cpu_Category or Memory_Category is set to Y: /usr/bin/getconf |
16 | POD Container Status Interval (PI_POCI) | /usr/bin/date, /usr/bin/cat, /usr/bin/podman; when Cpu_Category or Memory_Category is set to Y: /usr/bin/getconf |
The following lists the RPM packages required by the commands that are required for record collection.
No. | Command name | Package name | Default |
---|---|---|---|
1 | /usr/bin/cat | coreutils-8.30-6.el8 or later | Y |
2 | /usr/bin/date | coreutils-8.30-6.el8 or later | Y |
3 | /usr/bin/df | coreutils-8.30-6.el8 or later | Y |
4 | /usr/bin/ls | coreutils-8.30-6.el8 or later | Y |
5 | /usr/bin/mount | util-linux-2.32.1-8.el8 or later | Y |
6 | /usr/bin/vmstat | procps-ng-3.3.15-1.el8 or later | N |
7 | /usr/bin/getconf | glibc-common-2.28-42.el8 or later | Y |
8 | /usr/bin/podman | podman-1.0.0-2.git921f98f.module+el8+2785+ff8a053f or later | N |

Legend:
Y: Installed by default.
N: Not installed by default.
(4) Settings related to SSH connection
The settings that enable SSH connection must be specified on both the PFM - RM host and the monitoring-target host. The following describes the procedures for specifying these settings.
(a) Enabling public key authentication of the SSH server
To enable public key authentication:
1. Log in to the monitoring-target host as the superuser.
2. Open the /etc/ssh/sshd_config file.
3. Change the value of PubkeyAuthentication to yes.
4. Change the value of PermitRootLogin to yes.
5. Save and close the /etc/ssh/sshd_config file.
6. Restart the sshd service by executing the command shown below.
   Note that the command below assumes that the host named targethost1 is set as a monitoring target.

       [root@targethost1 .ssh]$ /etc/rc.d/init.d/sshd restart

Important
To allow the superuser to collect information, open the /etc/ssh/sshd_config file, and change the value of PermitRootLogin to yes. Then, restart the sshd service.
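One way to confirm, before restarting sshd, which values the edited file actually yields for the keywords in this procedure (an added example, not part of the vendor procedure; the function names and the sample file are constructed for illustration). sshd uses the first value it obtains for a keyword, so an earlier PermitRootLogin line overrides the one you changed further down.

```shell
#!/bin/sh
# Added example, not vendor code. Function names and sample are constructed.
# Assumptions: Include files are not followed, and parsing stops at the
# first Match block because everything after it is conditional.

# Print the value sshd would use for KEYWORD in the global section of FILE.
sshd_effective() {   # usage: sshd_effective KEYWORD FILE
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }      # blank lines and comments
        {
            n   = match(line, /[ \t=]/)         # keyword ends at space or "="
            key = tolower(n ? substr(line, 1, n - 1) : line)
            val = n ? substr(line, n) : ""
            sub(/^[ \t=]+/, "", val); sub(/[ \t]+$/, "", val)
        }
        key == "match" { exit }
        key == want    { print val; exit }      # first occurrence wins
    ' "$2"
}

# Compare FILE against the values this procedure sets.
# Returns 0 only when both keywords are explicitly set to yes.
check_pfm_sshd() {   # usage: check_pfm_sshd FILE
    rc=0
    for kw in PubkeyAuthentication PermitRootLogin; do
        v=$(sshd_effective "$kw" "$1")
        case "$v" in
            [Yy][Ee][Ss]) echo "OK    $kw $v" ;;
            "")           echo "UNSET $kw (compiled-in default applies)"; rc=1 ;;
            *)            echo "FAIL  $kw $v (procedure expects yes)"; rc=1 ;;
        esac
    done
    v=$(sshd_effective AuthorizedKeysFile "$1")
    echo "INFO  AuthorizedKeysFile ${v:-<default>}"
    return $rc
}

# Constructed sample: a commented-out line, then two conflicting lines.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin yes
PubkeyAuthentication yes
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
PermitRootLogin yes
Match User backup
    PubkeyAuthentication no
EOF
check_pfm_sshd "$sample" || echo "=> sshd_config does not match the procedure"
rm -f "$sample"
```

On a live host, `sshd -T` run as the superuser prints the full effective configuration, including compiled-in defaults.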
(b) Creating keys
The procedure for creating keys is described below.
To create keys, log on to the PFM - RM host and use the function provided by the SSH client. Determine the cryptography and the length of the key according to the documentation of the OS to be monitored. If you monitor a RHEL 8 virtual environment, the default system-wide encryption policy level of RHEL 8 requires RSA keys to be 2,048 bits or more in length. This subsection describes the procedure for creating RSA keys. To create RSA keys:
If you use PuTTY as the SSH client:
1. From the Windows Start menu, select Programs, PuTTY, and then PuTTYgen.
   PuTTYgen starts, and the PuTTY Key Generator window appears.
2. Under Parameters, confirm that Type of key to generate is SSH-2 RSA and Number of bits in a generated key has a value longer than the length acceptable to the SSH client as its key length, and then click the Generate button.
   The key generation progress bar appears in Key.
   Because PuTTY uses version 2 of the SSH protocol by default, SSH-2 RSA is selected. However, you might want to change the protocol version to 1. For details about how to change the protocol version to 1, see the PuTTY documentation.
3. Randomly move the mouse pointer in the dialog box until the progress reaches 100% to create a random number that is required to create keys.
   When the progress reaches 100%, the created random number is displayed in Key, and keys are created.
4. Click the Save private key button to save a private key.
   If no values are entered in Key passphrase and Confirm passphrase, a dialog box appears. In this dialog box, click the Yes button without entering anything in Key passphrase and Confirm passphrase.
5. Click the Save public key button to save a public key.
If you use OpenSSH (which comes with Windows Server 2019) as the SSH client:
You can select RSA encryption as the type of key.
1. Log on to the PFM - RM host.
2. Execute the ssh-keygen -t rsa command.
3. Determine the output destination and name of the private key.
   They default to %userprofile%\.ssh\id_rsa.
4. Press the Enter key twice.
   When you are asked to enter the passphrase for the private key, press the Enter key without typing anything. When you are asked to confirm it, press the Enter key again without typing anything.

The following shows an example of executing the ssh-keygen command:

    C:\work>ssh-keygen -t rsa -b 2048
    Generating public/private rsa key pair.
    Enter file in which to save the key (C:\Users\username\.ssh\id_rsa): <Enter>
    Enter passphrase (empty for no passphrase): <Enter>
    Enter same passphrase again: <Enter>
    Your identification has been saved in C:\Users\username\.ssh\id_rsa.
    Your public key has been saved in C:\Users\username\.ssh\id_rsa.pub.
    The key fingerprint is:
    SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx username @PFM - RM host name
(c) Deploying the public key (PFM - RM host)
If there are multiple monitoring-target hosts, perform the following procedure on all of the hosts.
■ Transfer the public key
Transfer the public key to the .ssh directory under the home directory on a monitoring-target host. To do this:
1. Log in to the monitoring-target host as the superuser (account specified for UserID during setup of the monitoring target).
2. Use the cd command to move to the .ssh directory under the home directory.
   If the .ssh directory does not exist under the home directory, create the .ssh directory. For the access permission attribute of the .ssh directory, set 700 or 755. For the owner and group, set values that are appropriate for the user specified during setup of the monitoring-target host.
   If the home directory, .ssh directory attribute, owner, and group settings are not correct, SSH connection might fail.
   For details about how to set the directory attribute, see the OS documentation.
3. On the PFM - RM host, open the Command Prompt window, and then execute the following commands.

   If you use PuTTY as the SSH client:
   Navigate to the folder where PuTTY is installed, and then execute the pscp command, which is provided by PuTTY.
   The following shows an example of executing the command when the public key is located in the PuTTY installation directory:

       C:\Program Files\PuTTY>pscp.exe agt8.pub ClientUser@TargetHost:.ssh
       ClientUser@TargetHost's password:password (Enter the superuser's password here.)
       agt8.pub | 0 kB | 0.3 kB/s | ETA: 00:00:00 | 100%
       C:\Program Files\PuTTY>

   If a message asking you whether you want to register the fingerprint appears, enter n.

   If you use OpenSSH (which comes with Windows Server 2019) as the SSH client:
   The following shows an example of executing the command when the public key is located in the .ssh directory:

       C:\Users\username\.ssh\>scp.exe id_rsa.pub ClientUser@TargetHost:.ssh
       The authenticity of host 'PFM - RM hostname' can't be established.
       ECDSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
       Are you sure you want to continue connecting (yes/no)? yes
       Warning: Permanently added xxx.xxx.xxx.xxx (ECDSA) to the list of known hosts.
       ClientUser@TargetHost's password:password
       agt8.pub 100% 404 0.4KB/s 00:00
■ Registering the public key (monitoring-target host)
Log in to the monitoring-target host as the superuser that was set during setup of the monitoring target (account specified for UserID), and then register the public key. To do this:
1. Log in to the monitoring-target host as the superuser that was set during setup of the monitoring target.
2. Use the cd command to move to the .ssh directory.
3. Execute the following command.
   If you use PuTTY as the SSH client:
   Execute the ssh-keygen command with the -i and -f options specified. When you execute the command, the public key created by PuTTY is converted into the authentication key file format available to OpenSSH.
   If you use OpenSSH (which comes with Windows Server 2019) as the SSH client:
   Execute the cat command with the public key file and the authentication key file as the redirect destination specified. When you execute the command, the contents of the public key file are redirected to the authentication key file. Furthermore, the contents of the received public key are added to the authentication key file.
4. Use the rm command to delete the public key file that was received by the procedure in Transferring the public key.
5. Execute the chmod command to change the attribute of the key authentication file to 600.

The following shows an example of executing the commands in steps 2 through 5:

If you use PuTTY as the SSH client:

    [root@targethost1 ~]$ cd .ssh
    [root@targethost1 .ssh]$ ssh-keygen -i -f agt8.pub >> authorized_keys
    [root@targethost1 .ssh]$ rm agt8.pub
    [root@targethost1 .ssh]$ chmod 600 authorized_keys

If you use OpenSSH (which comes with Windows Server 2019) as the SSH client:

    [root@targethost1 ]$ cd .ssh
    [root@targethost1 .ssh]$ cat id_rsa.pub >> authorized_keys
    [root@targethost1 .ssh]$ rm id_rsa.pub
    [root@targethost1 .ssh]$ chmod 600 authorized_keys

The name of the key authentication file is set by AuthorizedKeysFile in the /etc/ssh/sshd_config file.
By default, ~/.ssh/authorized_keys is set.
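The attribute and owner settings from the transfer and registration steps above can be checked in one pass before testing the connection. The following is an added example, not part of the vendor procedure; it assumes GNU stat as shipped with RHEL, takes the account's home directory as an argument, and treats "same owner and group as the home directory" as the expected ownership.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes GNU stat (RHEL). The function
# name and the demo tree are constructed for illustration.
check_ssh_perms() {   # usage: check_ssh_perms HOME_DIR [AUTHORIZED_KEYS_RELPATH]
    home=$1; akf="$1/${2:-.ssh/authorized_keys}"; rc=0

    # Home directory: writable by group or others counts as "not correct".
    m=$(stat -c '%a' "$home" 2>/dev/null) || { echo "FAIL $home: missing"; return 1; }
    if [ $(( 0$m & 022 )) -ne 0 ]; then
        echo "FAIL $home: mode $m is writable by group or others"; rc=1
    fi

    # .ssh directory: the procedure allows 700 or 755.
    m=$(stat -c '%a' "$home/.ssh" 2>/dev/null) || { echo "FAIL $home/.ssh: missing"; return 1; }
    case "$m" in
        700|755) echo "OK   $home/.ssh: mode $m" ;;
        *)       echo "FAIL $home/.ssh: mode $m (expected 700 or 755)"; rc=1 ;;
    esac

    # Key authentication file: step 5 sets 600.
    m=$(stat -c '%a' "$akf" 2>/dev/null) || { echo "FAIL $akf: missing"; return 1; }
    if [ "$m" = 600 ]; then
        echo "OK   $akf: mode $m"
    else
        echo "FAIL $akf: mode $m (expected 600)"; rc=1
    fi

    # Assumption: owner and group should match those of the home directory.
    want=$(stat -c '%u:%g' "$home")
    for p in "$home/.ssh" "$akf"; do
        got=$(stat -c '%u:%g' "$p")
        [ "$got" = "$want" ] || { echo "FAIL $p: owner $got, home is $want"; rc=1; }
    done

    # Step 4 deletes the transferred public key; report any left behind.
    for p in "$home"/.ssh/*.pub; do
        [ -e "$p" ] && echo "WARN $p: public key file still present"
    done
    return $rc
}

# Constructed demo tree standing in for the target account's home directory.
demo=$(mktemp -d)
mkdir "$demo/.ssh"; : > "$demo/.ssh/authorized_keys"; : > "$demo/.ssh/agt8.pub"
chmod 755 "$demo"; chmod 777 "$demo/.ssh"; chmod 644 "$demo/.ssh/authorized_keys"
check_ssh_perms "$demo" || echo "=> fix the FAIL lines, then retry the SSH connection"
rm -rf "$demo"
```

If AuthorizedKeysFile in sshd_config names a different file, pass its path relative to the home directory as the second argument.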
(d) Confirming connectivity and registering the fingerprint (PFM - RM host)
To confirm connectivity and register the fingerprint:
1. Log in to the PFM - RM host.
   Make sure that you use the account that was set for HostUserID during setup of the instance environment.
2. Open the Command Prompt window.
3. Execute the following command using the private key that has been created.
   - If you use PuTTY as the SSH client: plink.exe of PuTTY
   - If you use OpenSSH (which comes with Windows Server 2019) as the SSH client: ssh.exe of OpenSSH

   Connection is attempted.
4. Upon achieving the initial connection, register the fingerprint.
   Enter y to register the fingerprint of the public key on the monitoring-target host.
   When y is entered, the prompt of the monitoring-target host is displayed.
5. Log out.
   When the prompt of the monitoring-target host is displayed, enter exit to log out from the host.
6. Execute the PuTTY plink command to reconnect to the monitoring-target host.
   If you are not prompted to enter anything and reconnection succeeds, the connection settings are completed. Enter exit to log out from the monitoring-target host.
   If an error occurs or you are prompted to enter something, check for problems with operations performed by the procedure.

The following shows an example of performing the procedure for checking connectivity:

If you use PuTTY as the SSH client:

    C:\WINDOWS\system32>"C:\Program Files\PuTTY\plink.exe" -ssh -noagent -i "C:\Program Files\PuTTY\agt8.ppk" -l root -P 22 targethost1
    The server's host key is not cached in the registry.
    You have no guarantee that the server is the computer you think it is.
    The server's rsa2 key fingerprint is:
    ssh-rsa 2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
    If you trust this host, enter "y" to add the key to PuTTY's cache and carry on connecting.
    If you want to carry on connecting just once, without adding the key to the cache, enter "n".
    If you do not trust this host, press Return to abandon the connection.
    Store key in cache? (y/n) y
    Using username "root".
    Last login: Wed Aug 4 13:29:55 2010 from xxx.xxx.xxx.xxx
    [root@targethost1]$ exit
    logout
    C:\WINDOWS\system32>"C:\Program Files\PuTTY\plink.exe" -ssh -noagent -i "C:\Program Files\PuTTY\agt8.ppk" -l root -P 22 targethost1
    Using username "root".
    Last login: Wed Aug 4 13:30:00 2010 from xxx.xxx.xxx.xxx
    [root@targethost1]$ exit
    logout
    C:\WINDOWS\system32>

If you use OpenSSH (which comes with Windows Server 2019) as the SSH client:

    C:\Users\username\.ssh>ssh -i "C:\Users\username\.ssh\id_rsa" -l root -p 22 targethost1
    The authenticity of host '[xxx.xxx.xxx.xxx]:22 ([xxx.xxx.xxx.xxx]:22)' can't be established.
    RSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '[xxx.xxx.xxx.xxx]:22' (RSA) to the list of known hosts.
    Last login: Wed Sep 25 09:08:14 2019 from xxx.xxx.xxx.xxx
    [root@targethost1]$ exit
    logout
    C:\Users\username\.ssh>
Important
- PFM - RM for Virtual Machine assumes that fingerprint authentication has already finished. If the fingerprint has not yet been registered before PFM - RM for Virtual Machine connects to the SSH client for the first time, always register the fingerprint at the initial connection.
  In a cluster environment, make sure that you also check connectivity and register the fingerprint on the standby node.
- If you changed the user account specified for HostUserID during the setup of the instance environment, register the fingerprint again.
- From the PFM - RM host, execute uname or another command on the monitored host, and confirm that you get a response in less than 10 seconds.
- If you use OpenSSH, which comes with Windows Server 2019, as the SSH client, the connection may fail when users other than the user specified for HostUserID in the instance settings can access the private key file. In this case, go to Properties, Security, and Advanced for the private key file, and remove the permissions of the users other than the user specified for HostUserID.