2.5 Setting a relay server

By using a relay server, Ops I operations can be performed in a hybrid cloud to leverage the advantages of cloud and on-premise environments. This section describes the procedure for setting a relay server.
Setting the relay server function “outpost” allows the automation application (AWX) jobs to be performed from an on-premise environment.
Communications between Ops I and relay servers are encrypted with TLS and SSH. In addition, communications between relay servers and managed servers are encrypted with TLS or SSH.


(Figure) System configuration of relay server System configuration of relay server System configuration of relay server

(1) Components of relay server function “outpost”

Outpost consists of the following components.

(Table) Configuration of outpost

Component Outline
Control plane
  • Outpost component working in Ops I (cloud)
  • Sever component for k3s*1 and chisel*2
Agent
  • Outpost component working in a relay server (on-premise)
  • Client component for k3s*1 and chisel*2
Node
  • Linux server on which the agent works
Node group
  • Group of nodes
  • Creating a node group automatically creates a corresponding AWX instance group. When a job is executed for a node group, the job is executed on one of the nodes belonging to the node group.
IP block
  • Range of IP addresses that jobs can access. (Specified in the CIDR format.) Associated with a node group to set the range of IP addresses that AWX jobs can access.
  • A job executed on a node group with no IP block associated with it can access all IP addresses.

The following functions are used to connect Ops I (cloud) and relay servers (on-premises).

*1: k3s: OSS that manages and automates operations of the container virtualization tool. Builds a cluster between Ops I (cloud) and relay servers (on-premises).
*2: chisel: TCP tunnel using Web sockets. Connects k3s on the cloud side and on-premise side.


(Figure) Configuration of outpost
Configuration of outpost Configuration of outpost

(2) Flow of configuring outpost

The flow consists of the following Steps ① to ⑦.
Steps ① to ④ are performed in Ops I and Steps ⑤ to ⑦ are performed in the relay server.

[Setting in Ops I]

① Setting up users and assigning roles

Create an Ops I user for the outpost configuration and assign it the Pre-Installed role "Outpost". The Pre-Installed role "Outpost" is assigned the Primitive role "outpost". For a non-billing user, the primitive role "free_user" must also be assigned.
Use a user dedicated for the outpost configuration (recommended) or an existing user assigned the Pre-Installed role "Outpost".
The Primitive role "automation_manager" or "automation_auditor" must also be assigned to watch Ops I outpost management and download the RPM package.
For information on creating users, see "Users". For information on assigning roles, see "Roles".

② Obtaining Ops I tokens

Obtain an Ops I token for the user created in Step ①. An Ops I token is issued by clicking the [Issue Token] button on the user details window, and the issued Ops I token will appear in a dialog box.
The issued Ops I token will not be able to be viewed once you move to another window. Keep a note of the Ops I token.
For details, see "API reference overview" > "Prerequisite knowledge" > "Obtaining Ops I tokens" in "JP1 Cloud Service/Operations Integration API Reference".

③ Checking control plane information

Click the [Copy] button to obtain the control plane information (fingerprint and agent token) on the Control Plane window. For details on control plane information, see "Control plane management".

④ Downloading RPM package

From [Download Agent] on the Control Plane window, download the RPM package "Linux x86_64 RPM". "Linux x86_64 RPM Signature" can also be downloaded for verifying the RPM package. For details on the Signature file for the RPM package, see "Signature file for RPM package".

(Figure) Control Plane window (Figure) Control Plane window (Figure) Control Plane window

For information on the Control Plane window, see “Control plane management”.


[Setting in relay server]

⑤ Installing RPM package

Install the RPM package downloaded in Step ④ on the relay server.
The downloaded RPM package is an rpm file. Check the prerequisites for the server in advance and install the package using the rpm command. For detail on the prerequisites, see "Prerequisites for installing RPM package". For information on the contents of the installed RPM package, see "Contents of RPM package".

<Execution example>

# rpm -ivh opsi-outpost-RPM Package Version.x86_64.rpm


⑥ Editing user-configured file

The template file for the user-configured file is stored in "/etc/opsi/outpost/outpost-config.env.template" by installing the RPM package. Save a copy of the template file as "/etc/opsi/outpost/outpost-config.env" and configure the following setting items in it.
For information on the contents of the installed RPM package, see "Contents of RPM package".

(Table) Setting items in user-configured file

Item Setting name*1 What to set
Ops I domain name OPSI_DOMAIN_NAME -
HTTP proxy URL (optional)*2 HTTP_PROXY HTTP proxy server URL
If the environment in which the agent is deployed is required to communicate with Ops I via a proxy server, specify the proxy server.
Control plane fingerprint FINGERPRINT Fingerprint obtained in Step ③
Control plane agent token*2 AGENT_TOKEN Agent token obtained in Step ③
Ops I token*2 OPSI_TOKEN Ops I token created in Step ②
Node name NODE_NAME Set an arbitrary name. However, use one-byte lowercase letters and do not set any name duplicated within the outpost configuration.
The name that you set appears on the Node window of Ops I.
TCP port of the agent REGISTRATION_PORT
TUNNEL_PORT1
TUNNEL_PORT2		 TCP port used by the agent to communicate with the control plane
All three ports should be specified in the actual environment. TUNNEL_PORT2 should be commented out because it is not specified in the verification environment.
[Default values]
REGISTRATION_PORT:21400
TUNNEL_PORT1:21401
TUNNEL_PORT2:21402
*1: Setting names used in the user-configured file
*2: AES-256 encryption is performed for storage.

The contents of the template file for the user-configured file are as follows.

<Template file for user-configured file>

######################################################
# Ops I Outpost Agent Configuration
#
# This file is a template of the Outpost Agent configuration.
# You must copy this file to /etc/opsi/outpost/outpost-config.env and
# edit it to change the parameters as appropriate for your environment.
######################################################

# The domain name of your Ops I tenant.
OPSI_DOMAIN_NAME=your-tenant.ops-integration.com

# (Optional) A URL of HTTP proxy server the Outpost Agent will use for
# connecting to the Ops I tenant.
# This parameter will be encrypted and replaced with HTTP_PROXY_ENC
# when the Outpost Agent starts for the first time.
# Uncomment the next line to enable this parameter.
# HTTP_PROXY=http://username:password@proxy.example.com:8080

# The fingerprint of the Outpost Control Plane.
FINGERPRINT=your_outpost_control_planes_fingerprint

# The agent token of the Outpost Control Plane.
# This parameter will be encrypted and replaced with AGENT_TOKEN_ENC
# when the Outpost Agent starts for the first time.
AGENT_TOKEN=your_outpost_control_planes_agent_token

# An Ops I token the Outpost Agent will use for accessing the Ops I tenant.
# This parameter will be encrypted and replaced with OPSI_TOKEN_ENC
# when the Outpost Agent starts for the first time.
OPSI_TOKEN=your_opsi_token

# A name of the Outpost Node on which the Outpost Agent will run.
# The name must follow the convention of DNS domain name and
# all alphabet letters in it must be lowercase.
NODE_NAME=outpost-node

# TCP ports the Outpost Agent will open on the Outpost Node.
REGISTRATION_PORT=21400
TUNNEL_PORT1=21401
TUNNEL_PORT2=21402


⑦ Starting outpost agent

The outpost agent is started by executing a command script. Command script files are stored in "/opt/opsi/outpost/bin/" by installing the RPM package. The command scripts can be executed to start and stop the agent, monitor its status, and gather information for troubleshooting. For details on the command scripts, see "Command scripts for RPM package".

The command script "opsiopctl.sh start" starts the agent.

<Execution example>

# ./opsiopctl.sh start
Are you sure to proceed? (y/n)
y
Starting Outpost Agent.
Starting chisel.service.
Starting k3s.service.
Started Outpost Agent successfully


⑧The relay server is registered as a node, and the registered node becomes visible in the Outpost Management window. For details on the Outpost Management window, see "Outpost management".

NotesNotes

When installing anti-virus software on a relay server registered as a node, exclude the following directories from the monitoring target.

  • /etc/rancher/k3s
  • /run/k3s
  • /run/flannel
  • /var/lib/rancher/k3s
  • /var/lib/kubelet
  • /run/netns/cni-
  • /var/lib/cni/
  • /etc/opsi
  • /opt/opsi
  • /var/opt/opsi
  • /etc/opt/opsi

For information on the flow of job execution using a relay server, see “Using a relay server”.

(3) Deleting nodes

To delete nodes, follow the Steps ① to ⑥ below.
Steps ① to ⑤ are performed in the relay server and Step ⑥ is performed in Ops I.

① Stopping and initializing outpost

# /opt/opsi/outpost/bin/opsiopctl.sh stop -f
# reboot

② Deleting RPM package

# rpm -e opsi-outpost-RPM Package Version.x86_64

③ Deleting systemd-related files and reflecting changes

# rm -f /etc/systemd/system/k3s.service
# rm -f /etc/systemd/system/chisel.service
# systemctl daemon-reload

④ Deleting unnecessary directories

# rm -rf /etc/rancher/k3s
# rm -rf /run/k3s
# rm -rf /run/flannel
# rm -rf /var/lib/rancher/k3s
# rm -rf /var/lib/kubelet
# rm -rf "/run/netns/cni-"
# rm -rf /var/lib/cni/
# rm -rf /etc/opsi
# rm -rf /opt/opsi
# rm -rf /var/opt/opsi
# rm -rf /etc/opt/opsi

⑤ Reboot

# reboot

⑥ Deleting nodes in the Outpost Management window

After performing Steps ① to ⑤, the status of the corresponding node becomes "NotReady" on the Node List window. After confirming that the status is "NotReady", select the node and click the Delete button.
Deleting a node in the Outpost Management window allows a node with the same name to be re-registered. An attempt to register a node without deleting another registered node with the same name will time out when performing Step ⑦ in "Flow of configuring outpost".
For details on the Node window, see "Node management".


(4) Upgrade outpost agent

Upgrade the outpost agent by following steps ① through ④ below.
Operations ① and ② are performed by Ops I, and operations ③ and ④ are performed by the relay server.

①Download new RPM package

Download a new RPM package from Ops I system management. Please refer to step ④ of the "Flow of configuring outpost" for the download procedure.

② Confirm that there are no jobs running on the outpost node

  1. Do not run a workflow that executes a job that runs on an outpost node.
  2. In the AWX GUI, confirm that there are no jobs running on the outpost node. If yes, wait until the jobs are completed.

③Upgrade RPM package

Upgrade the RPM packages installed on outpost nodes.

# rpm -Uvh opsi-outpost-RPM package version.x86_64.rpm

④Restart outpost agent

  1. Stop the outpost agent.

    # /opt/opsi/outpost/bin/opsiopctl.sh stop -f


  2. Start the outpost agent.

    # /opt/opsi/outpost/bin/opsiopctl.sh start -f


Section structure

2.5.1 RPM package