Deploying the MetalSoft agent

Pre-requisites

Usually the agent is deployed on a VM with the following configuration:

  1. Hardware configuration: 50GB Disk, 8 vCPU, 16GB RAM
  2. OS: Ubuntu 20.04
  3. Installed applications: Docker, Docker compose
  4. An already configured Datacenter record
  5. (Optional) A working CLI deployment on another machine
  6. Network access to MetalSoft Registry, MetalSoft Repo, MetalSoft controller. More details [here](#Agent firewall configuration).

Install the Datacenter Agents on the DC agents machine

Retrieve the configuration URL using the CLI:

$ metalcloud-cli datacenter get --id uk-london --return-config-url
https://api.poc.metalsoft.io/api/url?rqi=br.ROc8B7Ogy12VrSbVI7koZ9vfpsWs9l3_tjMUd....   

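Alternatively, click the “Retrieve agent configuration URL” button in the UI on the Datacenter’s page.

Store the URL in the DCCONF environment variable, which the docker compose file below reads. Use single quotes so the shell does not interpret any character in the URL:

$ export DCCONF='https://api.poc.metalsoft.io/api/url?rqi=br.ROc8B7Ogy12VrSbVI7koZ9vfpsWs9l3_tjM...'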

Create some required directories:

$ mkdir -p /opt/BSIAgentsVolume /opt/Agent_logs /opt/agents /opt/containerd

Disable systemd-resolved:

sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved

Put the following line in the [main] section of your NetworkManager configuration, /etc/NetworkManager/NetworkManager.conf (skip this part if NetworkManager is not already installed/running):

 dns=default

Delete the resolv.conf symlink:

rm /etc/resolv.conf

Restart network-manager (skip this part if it’s not already running):

sudo service network-manager restart

Install Docker and Docker Compose:

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo   "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
apt update && apt --yes upgrade
apt-get install docker-ce docker-ce-cli containerd.io
curl -fsSL $(curl -s https://api.github.com/repos/docker/compose/releases/latest|grep browser_download_url|grep "$(uname -s|tr '[:upper:]' '[:lower:]')-$(uname -m)"|grep -v sha256|head -1|cut -d'"' -f4) -o /usr/local/bin/docker-compose && chmod +x /usr/local/bin/docker-compose
mkdir -p /root/agents /opt/BSIAgentsVolume /opt/Agent_logs /opt/agents /opt/containerd
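
The download above installs whatever binary the latest release serves and skips the checksum assets. As an added example (not part of MetalSoft's procedure), the script below pins a Compose release and installs it only if its SHA-256 matches the checksum file published beside it; the version argument and the "<asset>.sha256" file name are assumptions about the release layout.

```sh
#!/bin/sh
# Added example (not MetalSoft's own script): install docker-compose only after
# its SHA-256 matches the checksum published with the same release.

# verify_sha256 FILE CHECKSUM_FILE
# CHECKSUM_FILE is in sha256sum format: "<64 hex chars>  <name>".
# Returns 0 on match, 1 on mismatch, 2 if the checksum file is unusable.
verify_sha256() {
  expected=$(awk 'NR==1 {print tolower($1)}' "$2") || return 2
  # Reject anything that is not exactly 64 hex characters, such as an
  # HTML error page saved in place of the checksum.
  case $expected in
    ''|*[!0-9a-f]*) return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 2
  actual=$(sha256sum "$1" | awk '{print $1}') || return 2
  [ "$actual" = "$expected" ]
}

# install_compose VERSION [DEST]
# VERSION is a pinned release tag chosen by the operator (assumption: the
# release publishes "<asset>.sha256" next to each binary).
install_compose() {
  version=$1
  dest=${2:-/usr/local/bin/docker-compose}
  asset="docker-compose-$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m)"
  base="https://github.com/docker/compose/releases/download/${version}"
  tmp=$(mktemp -d) || return 1
  rc=0
  # No -k: TLS verification stays on for both downloads.
  curl -fsSL "${base}/${asset}" -o "${tmp}/${asset}" &&
    curl -fsSL "${base}/${asset}.sha256" -o "${tmp}/${asset}.sha256" &&
    verify_sha256 "${tmp}/${asset}" "${tmp}/${asset}.sha256" &&
    install -m 0755 "${tmp}/${asset}" "$dest" || rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# Usage (as root): install_compose <pinned-release-tag>
```

A checksum fetched from the same origin as the binary catches corrupted or truncated downloads; keeping the expected digest in your own deployment repository also covers a changed release asset.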

Log in to the Docker registry:

docker login registry.metalsoft.dev

Create a docker compose file in the current directory:

version: '3'
services:
  agents:
    network_mode: host
    container_name: agents
    image: registry.metalsoft.dev/datacenter-agents-compiled/datacenter-agents-compiled-v2:4.9-RC01
    restart: always
    privileged: true
    #command: bash -c "update-ca-certificates"
    volumes:
      - /opt/BSIAgentsVolume:/etc/BSIDatacenterAgents
      #- /opt/pm2_logs:/root/.pm2/logs
      - /opt/pm2_logs:/var/log
      - /opt/.ssh:/root/.ssh
      - /opt/mon:/var/lib/mon/data
      - /etc/ssl/certs:/etc/ssl/certs
      - /usr/local/share/ca-certificates:/usr/local/share/ca-certificates
      # Use only if custom CA is needed
      #- /root/agents/supervisor.conf:/var/vhosts/datacenter-agents-binary-compiled/supervisor.conf
    ports:
      - 9080:9080/tcp
      - 8067:8067/tcp
      - 3205:3205/tcp
      - 8069:8069/tcp
      - 8080:8080/tcp
      - 81:81/tcp
      - 172.17.108.71:53:53/tcp
      - 35280:35280/udp
      - 3205:3205/udp
      - 172.17.108.71:53:53/udp
      - 67:67/udp
      - 69:69/udp
      - 6343:6343/udp
    environment:
      - TZ=Etc/UTC
      - URL=${DCCONF}
      # Use only if custom CA is needed
      #- NODE_EXTRA_CA_CERTS=/etc/ssl/certs/dell_local_RootCA.pem
    hostname: agents
  haproxy:
    network_mode: host
    container_name: dc-haproxy
    image: registry.metalsoft.dev/datacenter-agents/dc-haproxy:latest
    restart: always
    privileged: true
    volumes:
      - /root/agents/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg
      - /root/agents/ssl-cert.pem:/etc/ssl/certs/poc.metalsoft.io.pem
    environment:
      - TZ=Etc/UTC
    hostname: dc-haproxy
  remote-console:
    network_mode: host
    container_name: dc-remoteconsole
    image: registry.metalsoft.dev/datacenter-agents-compiled/bsi-guac:latest
    restart: always
    privileged: true
    environment:
      - TZ=Etc/UTC
      - GUACAMOLE_BSI_GUACAMOLE_ENDPOINT_URL=https://us-chi-qts-ocient-api.poc2.metalsoft.io/api/internal/ipc_guacamole
      - GUACAMOLE_BSI_GUACAMOLE_ENPOINT_SALT_API_KEY=Ui7Cv98Rtmyilc2yDS82AqP0o1NbcVzX81OoQwertm9uiR69CvlsSdaIc1l3CnmVRnJs3xp3rt

Note: For custom SSL certificates consult with the MetalSoft team.

Use the returned URL to install the datacenter agents:

$ docker-compose up -d

Check that the containers are up (for example with docker ps):

CONTAINER ID        IMAGE                                                                      COMMAND                  CREATED             STATUS              PORTS               NAMES
2b3951a31c4db        registry.metalsoft.dev/datacenter-agents/datacenter-agents-compiled-v2:latest   "docker-entrypoint.s…"   5 hours ago         Up 5 hours                              dc-agents
356ba275db5ea        registry.metalsoft.dev/datacenter-agents/dc-haproxy:latest

Agent firewall configuration

The MetalSoft Agent requires the following ports to be open.

Inbound from In-Band and Out-Of-Band networks:

  • TCP ports 80/443 (HTTP/s)
  • TCP Port 53 (DNS)
  • UDP port 67 (DHCP)
  • UDP port 69 (TFTP)
  • UDP port 53 (DNS)

Outbound, it should be able to access:

  • Metalsoft Controller → TCP ports 80/443
  • Metalsoft Controller → TCP ports 9003,9009,9090,9091,9011,9010
  • Metalsoft image registry → TCP port 443 registry.metalsoft.dev
  • Metalsoft assets repo → TCP ports 80,443 repo.metalsoft.io
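
The outbound rules above can be checked from the agent VM before the containers are started. The script below is an added example, not part of MetalSoft's tooling; the controller hostname is not given in this list, so it is passed in as an argument, and the 3-second timeout is an arbitrary choice. Inbound rules have to be tested from a host on the In-Band or Out-Of-Band network and are not covered.

```sh
#!/bin/sh
# Added example: preflight check of the outbound firewall rules listed above.

# outbound_targets CONTROLLER_HOST
# Prints one "host port" pair per outbound rule.
outbound_targets() {
  for port in 80 443 9003 9009 9090 9091 9011 9010; do
    printf '%s %s\n' "$1" "$port"
  done
  printf '%s %s\n' registry.metalsoft.dev 443
  for port in 80 443; do
    printf '%s %s\n' repo.metalsoft.io "$port"
  done
}

# tcp_open HOST PORT
# Succeeds if a TCP connection completes within 3 seconds (uses bash's
# /dev/tcp, so bash must be installed, as it is on Ubuntu).
tcp_open() {
  timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" </dev/null 2>/dev/null
}

# check_outbound CONTROLLER_HOST
# Prints a status line per target; returns non-zero if any target is blocked.
check_outbound() {
  blocked=0
  while read -r host port; do
    if tcp_open "$host" "$port"; then
      printf 'open     %s:%s\n' "$host" "$port"
    else
      printf 'BLOCKED  %s:%s\n' "$host" "$port"
      blocked=$((blocked + 1))
    fi
  done <<EOF
$(outbound_targets "$1")
EOF
  [ "$blocked" -eq 0 ]
}

# Usage: check_outbound <controller-hostname>
```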