Enabling Advanced Remote Support on Linux Hosts Managed by Platform9 Host Agent
By default, members of the Platform9 support team cannot interactively log onto a customer's Linux host. In exceptional circumstances, it is sometimes useful to enable the advanced remote support (ARS) mechanism in order to troubleshoot challenging problems. It allows a support engineer to securely log onto your appliance as the pf9 user in order to analyze and fix issues. This guide explains how a customer can enable this mechanism.
Note: Despite being based on SSH, enabling this capability does not expose your host to SSH login from any network, only Platform9's. It leverages the host's existing secure connection to the Platform9 cloud controller, and does not require any firewall changes to your host or network.
Step 1: Enable 'Advance Remote Support' From Platform9 UI
- Log on to the Platform9 User Interface.
- Under 'Infrastructure' menu, browse to 'Hosts' tab. Then in the hosts grid, locate the host you're enabling Advance Remote Support on, under 'Actions' column, click on 'configure host'
- In Edit Configuration page, under Hypervisor tab, check the 'Advance Remote Support' check box.
Step 2: Ensure sshd is Running and Configured Properly
Consult your Linux operating system's documentation to ensure that the ssh daemon is running and allows key-based authentication.
Step 3: (Optional but Highly Recommended) Grant sudo Access
The pf9 user has restricted privileges. To gather certain types of information, it is sometimes helpful for a Platform9 support technician logged in as pf9 to run commands with elevated privileges through the sudo utility. To allow this, (1) sudo must be enabled for pf9 user, and (2) sudo must allow pf9 to authenticate without a password, since ARS uses one-time ssh keys for login, and the pf9 user does not have a password by default. Consult your Linux operating system's documentation for details on how to configure this. On RedHat and CentOS, this can usually be done by:
- Adding pf9 to the wheel group:
usermod -a -G wheel pf9
- Run visudo to edit sudo rules to ensure that members of the wheel group can authenticate without a password. The line to configure this looks like:
%wheel ALL=(ALL) NOPASSWD: ALL
Step 4: Notify Platform9 Support Team
Communicate with your Platform9 support representative to:
- Securely exchange the pf9 user's password
- Identify the host that should be logged onto, by sharing the contents of the host's /etc/pf9/host_id.conf file or the host's hostname.
- Agree on a time window for a support technician to log on to the host
Disable Advanced Remote Support
To disable Advance Remote Support, just uncheck the box under host configuration (Step 1 above).
November 16, 2015