From ecda14da30ad11612606869257b572dd32f7120e Mon Sep 17 00:00:00 2001 From: Karl Eichwalder Date: Mon, 3 Mar 2025 15:58:33 +0100 Subject: [PATCH 1/5] adjust monitoring for container host/server container --- modules/administration/pages/monitoring.adoc | 61 +++++++++++++++++--- 1 file changed, 52 insertions(+), 9 deletions(-) diff --git a/modules/administration/pages/monitoring.adoc b/modules/administration/pages/monitoring.adoc index ee0cbf902b5..68a0585fcd1 100644 --- a/modules/administration/pages/monitoring.adoc +++ b/modules/administration/pages/monitoring.adoc @@ -97,7 +97,7 @@ The Prometheus software is also available for {productname} Proxy and {productna [IMPORTANT] ==== -* To access a shell inside the Server container run [literal]``mgrctl term`` on the container host. +* To access a shell inside the Server container run [literal]``mgrctl term`` on the container host, or to execute one command run [literal]``mgrctl exec -- ``. * To copy files from inside the container use [literal]``mgrctl cp``. ==== 
@@ -579,15 +579,58 @@ This section demonstrates how to generate client/server certificates for Prometh .Procedure: Creating server/client TLS certificate -. On the {productname} Server, at the command prompt, run following command: +. At the command prompt of the {productname} container host, as root, run the following commands: + ++ + +-- +.. To generate certificate files, run the following command. + ++ + +Ensure that the [systemitem]``set-cname`` parameter is the fully qualified domain name (FQDN) of your Salt client. +You can use the the [systemitem]``set-cname`` parameter multiple times if you require multiple aliases: + + + ---- -rhn-ssl-tool --gen-server --dir="/root/ssl-build" --set-country="COUNTRY" \ ---set-state="STATE" --set-city="CITY" --set-org="ORGANIZATION" \ ---set-org-unit="ORGANIZATION UNIT" --set-email="name@example.com" \ ---set-hostname="minion.example.com" --set-cname="minion.example.com" --no-rpm +mgrctl exec -ti -- mgr-ssl-tool --gen-server --dir="/root/ssl-build" --set-country="COUNTRY" \ + --set-state="STATE" --set-city="CITY" --set-org="ORGANIZATION" \ + --set-org-unit="ORGANIZATION UNIT" --set-email="name@example.com" \ + --set-hostname="minion.example.com" --set-cname="minion.example.com" --no-rpm ---- -Ensure that the [systemitem]``set-cname`` parameter is the fully qualified domain name (FQDN) of your Salt client. -You can use the the [systemitem]``set-cname`` parameter multiple times if you require multiple aliases. -. Copy ``server.crt`` and ``server.key`` files to the Salt minion and provide read access for ``prometheus`` user. ++ + +Resulting in: + ++ + +---- +Generating the web server's SSL private key: /root/ssl-build/minion/server.key +Generating web server's SSL certificate request: /root/ssl-build/minion/server.csr +Generating/signing web server's SSL certificate: server.crt +---- + +.. 
Copy [path]``server.crt`` and [path]``server.key`` files from the server container to the host: + ++ + +---- +mgrctl cp server:/root/ssl-build/minion/server.key server.key +mgrctl cp server:/root/ssl-build/minion/server.crt server.crt +---- + +.. Copy [path]``server.crt`` and [path]``server.key`` files from the host to the monitoring client: + ++ + +---- +ssh minion.example.com 'mkdir /etc/ssl/mlm-server-certs' +scp /root/server.* minion.example.com:/etc/ssl/mlm-server-certs +ssh minion.example.com 'chmod go+r /etc/ssl/mlm-server-certs/server.*; ls -la /etc/sslmlm-server-certs' +---- + +-- + +. While configuring Salt minion formular, use minion.example.com as client and mlm-server-certs as directory. From e1fcc8f27c07a59d310a55438d24a83e5df067fa Mon Sep 17 00:00:00 2001 From: Karl Eichwalder Date: Wed, 5 Mar 2025 07:49:06 +0100 Subject: [PATCH 2/5] cont. --- modules/administration/pages/monitoring.adoc | 52 +++++++++++++++++--- 1 file changed, 46 insertions(+), 6 deletions(-) diff --git a/modules/administration/pages/monitoring.adoc b/modules/administration/pages/monitoring.adoc index 68a0585fcd1..0856a6d1191 100644 --- a/modules/administration/pages/monitoring.adoc +++ b/modules/administration/pages/monitoring.adoc @@ -97,9 +97,9 @@ The Prometheus software is also available for {productname} Proxy and {productna [IMPORTANT] ==== -* To access a shell inside the Server container run [literal]``mgrctl term`` on the container host, or to execute one command run [literal]``mgrctl exec -- ``. +* To access a shell inside the {productname} Server container run [literal]``mgrctl term`` on the container host, or to execute one command run [literal]``mgrctl exec -- ``. -* To copy files from inside the container use [literal]``mgrctl cp``. +* To copy files from inside the container to the container host use [literal]``mgrctl cp``. ==== [NOTE] 
@@ -126,20 +126,31 @@ For more information about the monitoring formulas, see xref:specialized-guides: .Procedure: Manually Installing and Configuring Prometheus . On the monitoring server, install the [package]``golang-github-prometheus-prometheus`` package: + + + +[source,shell] ---- zypper in golang-github-prometheus-prometheus ---- + . Enable the Prometheus service: + + + +[source,shell] ---- systemctl enable --now prometheus ---- + . Check that the Prometheus interface loads correctly. - In your browser, navigate to the URL of the server where Prometheus is installed, on port 9090 (for example, [literal]``http://example.com:9090``). + In your browser, navigate to the URL of the server where Prometheus is installed, on port 9090 (for example, [literal]``http://example.com:9090``). + . Open the configuration file at [path]``/etc/prometheus/prometheus.yml`` and add this configuration information. - Replace `server.url` with your {productname} server URL and adjust `username` and `password` fields to match your {productname} credentials. + Replace `server.url` with your {productname} server URL and adjust `username` and `password` fields to match your {productname} credentials. + + + ---- # {productname} self-health metrics scrape_configs: @@ -188,9 +199,14 @@ scrape_configs: - source_labels: [__meta_uyuni_scheme] target_label: __scheme__ ---- + . Save the configuration file. + . Restart the Prometheus service: + + + +[source,shell] ---- systemctl restart prometheus ---- 
@@ -230,15 +246,23 @@ You can choose which dashboards to provision in the formula configuration page. .Procedure: Manually Installing Grafana . Install the [package]``grafana`` package: + + + +[source,shell] ---- zypper in grafana ---- + . Enable the Grafana service: + + + +[source,shell] ---- systemctl enable --now grafana-server ---- + . In your browser, navigate to the URL of the server where Grafana is installed, on port 3000 (for example, [literal]``http://example.com:3000``). . On the login page, enter ``admin`` for username and password. . Click btn:[Log in]. @@ -253,7 +277,9 @@ systemctl enable --now grafana-server . To import a dashboard click the btn:[+] icon in the side menu, and then click btn:[Import]. . For {productname} server overview load the dashboard ID: ``17569``. . For {productname} clients overview load the dashboard ID: ``17570``. + + + image::monitoring_grafana_example.png[scaledwidth=80%] [NOTE] @@ -584,6 +610,7 @@ This section demonstrates how to generate client/server certificates for Prometh + -- + .. To generate certificate files, run the following command. + @@ -628,9 +655,22 @@ mgrctl cp server:/root/ssl-build/minion/server.crt server.crt ---- ssh minion.example.com 'mkdir /etc/ssl/mlm-server-certs' scp /root/server.* minion.example.com:/etc/ssl/mlm-server-certs -ssh minion.example.com 'chmod go+r /etc/ssl/mlm-server-certs/server.*; ls -la /etc/sslmlm-server-certs' +ssh minion.example.com 'chmod go+r /etc/ssl/mlm-server-certs/server.*; ls -la /etc/ssl/mlm-server-certs' ---- -- -. While configuring Salt minion formular, use minion.example.com as client and mlm-server-certs as directory. +. To configure {salt} formulars, enter the directory names specified in the previous steps. + ++ + +-- + +.. formular server +Server Certificate /etc/ssl/mlm-server-certs/server.crt +Server Key /etc/ssl/mlm-server-certs/server.key + + +.. formular minion + +-- From cb14ed1aa6ff84a896cd886b22d9d915499d3492 Mon Sep 17 00:00:00 2001 
From: Karl Eichwalder Date: Thu, 10 Apr 2025 10:48:56 +0200 Subject: [PATCH 3/5] Update modules/administration/pages/monitoring.adoc --- modules/administration/pages/monitoring.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/administration/pages/monitoring.adoc b/modules/administration/pages/monitoring.adoc index 0856a6d1191..adefe1aa0e5 100644 --- a/modules/administration/pages/monitoring.adoc +++ b/modules/administration/pages/monitoring.adoc @@ -615,7 +615,7 @@ This section demonstrates how to generate client/server certificates for Prometh + -Ensure that the [systemitem]``set-cname`` parameter is the fully qualified domain name (FQDN) of your Salt client. +Ensure that the [systemitem]``set-cname`` parameter is the fully qualified domain name (FQDN) of your {salt} client. You can use the the [systemitem]``set-cname`` parameter multiple times if you require multiple aliases: + From c3c5f7cc7140d1f9a3da291830bdeaf8541eed47 Mon Sep 17 00:00:00 2001 From: Karl Eichwalder Date: Thu, 10 Apr 2025 11:02:37 +0200 Subject: [PATCH 4/5] add --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ae3174333bf..2284b2d137b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,5 @@ +- Improved documentation about monitoring in Administration + Guide - Removed misleading admonition at the beginning of the Replace Certificates section in the Administration Guide - Added note about cache_dir size in Installation and Upgrade From 9716dbc87b4c093cb755793e401cd3e5a7b81287 Mon Sep 17 00:00:00 2001 From: Karl Eichwalder Date: Thu, 10 Apr 2025 12:46:14 +0200 Subject: [PATCH 5/5] use sl-micro --- modules/administration/pages/monitoring.adoc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/administration/pages/monitoring.adoc b/modules/administration/pages/monitoring.adoc index adefe1aa0e5..e5112e0faee 100644 --- a/modules/administration/pages/monitoring.adoc 
+++ b/modules/administration/pages/monitoring.adoc @@ -480,7 +480,7 @@ Every salt_queue value has a label named `queue` with the queue number as value. === Monitoring Managed Systems -Prometheus metrics exporters can be installed and configured on Salt clients using formulas. +Prometheus metrics exporters can be installed and configured on {salt} clients using formulas. The packages are available from the {productname} client tools channels, and can be enabled and configured directly in the {productname} {webui}. These exporters can be installed on managed systems: @@ -494,7 +494,7 @@ These exporters can be installed on managed systems: [NOTE] ==== -On {sle-micro}, only the Node exporter and the Blackbox exporter are available. +On {sl-micro}, only the Node exporter and the Blackbox exporter are available. ==== When you have the exporters installed and configured, you can start using Prometheus to collect metrics from the monitored systems. @@ -620,6 +620,7 @@ You can use the the [systemitem]``set-cname`` parameter multiple times if you re + +[source, shell] ---- mgrctl exec -ti -- mgr-ssl-tool --gen-server --dir="/root/ssl-build" --set-country="COUNTRY" \ --set-state="STATE" --set-city="CITY" --set-org="ORGANIZATION" \
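Review bot: the added `mgrctl exec -- ` literal in the first bullet of the `@@ -97,7 +97,7 @@` hunk (PATCH 1/5) stops at the `--` separator with nothing after it, so the reader is not shown where the command goes. Put a placeholder after the separator, or point to the form the later procedure uses (`mgrctl exec -ti -- mgr-ssl-tool --gen-server`). PATCH 2/5 rewrites this bullet and carries the same empty literal forward.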
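Review bot: `chmod go+r /etc/ssl/mlm-server-certs/server.*` in the last listing of the `@@ -579,15 +579,58 @@` hunk (PATCH 1/5) matches `server.key` as well as `server.crt`, so the private key becomes readable by every local account on the monitoring client, while the removed step only asked for read access for the `prometheus` user. Keep the key restricted, for example by giving `server.key` to the `prometheus` user or group and applying `go+r` to `server.crt` only. In the same listing, `scp /root/server.*` only works if the preceding `mgrctl cp ... server.key` was run from `/root`, because the destination there is a relative path; use the same path form in both commands. The procedure also leaves a copy of `server.key` on the container host and does not say whether to remove it.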
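Review bot: in the `@@ -126,20 +126,31 @@` hunk (PATCH 2/5) the `zypper` and `systemctl` listings gain `[source,shell]`, but the `prometheus.yml` listing after "add this configuration information" still opens with a bare `----`. Mark it `[source,yaml]` so the blocks are consistent. Because the touched sentence tells readers to put their `username` and `password` into `/etc/prometheus/prometheus.yml`, a sentence on restricting read access to that file would fit here.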
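Review bot: the new last step in the `@@ -628,9 +655,22 @@` hunk (PATCH 2/5) is unfinished: `.. formular minion` has no content, and the `Server Certificate` and `Server Key` lines follow `.. formular server` without a blank line or block, so they will flow into one paragraph instead of reading as field and value pairs. Complete the minion part and put the values in a table or description list, or keep the one-line instruction from PATCH 1/5 until the content is ready. "formulars" should be "formulas", matching the spelling in the context line "configured on Salt clients using formulas" in PATCH 5/5.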
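Review bot: the context line directly below the changed sentence in the `@@ -615,7 +615,7 @@` hunk (PATCH 3/5) still reads "You can use the the" with the article doubled. The sentence was moved in PATCH 1/5 and can be corrected in this change while the paragraph is being touched.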
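Review bot: the CHANGELOG.md entry added in the `@@ -1,3 +1,5 @@` hunk (PATCH 4/5) says only "Improved documentation about monitoring", which does not tell a reader that the TLS certificate procedure now runs from the container host through `mgrctl exec` and `mgr-ssl-tool`. Name that change in the entry, as the neighbouring entries name the section they affect.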
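Review bot: `{sl-micro}` in the NOTE block of the `@@ -494,7 +494,7 @@` hunk (PATCH 5/5) replaces `{sle-micro}`, but no attribute definition is part of this series. Confirm that `sl-micro` is defined in the shared attributes, since by default Asciidoctor leaves an undefined reference in the output as written.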
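Review bot: `[source, shell]` in the `@@ -620,6 +620,7 @@` hunk (PATCH 5/5) is written with a space after the comma, while every block annotated in PATCH 2/5 uses `[source,shell]`. Use one form throughout the file. The commit subject "use sl-micro" also does not cover this addition or the `{salt}` substitution in the `@@ -480,7 +480,7 @@` hunk.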