Howto install MeshCentral on NethServer

I have no plan in that regard. Just bringing it to your attention so that whoever is interested can play with it.

thank you,

I am going through the Install sh script to see how it can be adopted.
tacticalrmm/install.sh at develop · wh1te909/tacticalrmm (github.com)
Most of the things in it are tools already available in NethServer, while others are similar to installations that have already been done.

It's a question of how to adapt it to NethServer and utilize the existing MeshCentral installation.

We already have a PgSQL module and a MongoDB install, and have already installed Node.js and Python applications before.

NethServer already has a reverse proxy built in, as well as SSL.

Whoever wants to help, I am available to help install it; I am looking for a starting point.

I tested the docker method. It seems a nice tool but missing linux clients.

Pros:

  • All in one tacticalrmm-meshcentral docker compose images completely preconfigured
  • 2FA
  • 32bit agents

Cons:

  • TacticalRMM supports Windows agents only
  • Some nice features like fail2ban or proxy are not supported as stated here so need to stop httpd :slightly_frowning_face: Maybe try unsupported scripts.
  • Installing the agent on my Windows 10 was a little buggy, I needed to copy Meshcentral.exe to the right directory and turn off Antivirus when installing.

@mrmarkuz I think the best install would be the non-Docker standard install, but we can't use their install scripts, even if they were modified for CentOS, because they install package components we already have.

To me it seems a lot of effort (maybe not possible in the end without stopping httpd that’s a basic component of Neth) and still has following cons:

I don't think that the Windows-only agent is an issue, because it targets a different category; most RMMs are Windows only, or Windows mostly.
fail2ban and proxy missing is only for the Docker version, which also misses backups, unless you back up the Docker container itself.

How would installing a software stop httpd, or is that for the Docker-only install?

Have you gone through the sh script they have for Debian?

It was just a quick way to test with docker. It has a standard backup/restore process to use instead.

It’s a port conflict because it needs default ports 80 and 443 for its API, and no proxy, fail2ban etc. is supported; not only for Docker, it’s a main point in the docs.

Yes, this one.

EDIT:

The docker version works, except that the agents go offline but are still reachable…I’m still playing around with the proxies…
I tried the native install but I’m stuck at compiling the backend with python manage.py migrate

(env) [root@testserver tacticalrmm]# python manage.py migrate
Traceback (most recent call last):
  File "manage.py", line 21, in <module>
    main()
  File "manage.py", line 17, in main
    execute_from_command_line(sys.argv)
  File "/opt/rmm/api/env/lib64/python3.8/site-packages/django/core/management/__init__.py", line 419, in execute_from_command_line
    utility.execute()
  File "/opt/rmm/api/env/lib64/python3.8/site-packages/django/core/management/__init__.py", line 395, in execute
    django.setup()
  File "/opt/rmm/api/env/lib64/python3.8/site-packages/django/__init__.py", line 24, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/opt/rmm/api/env/lib64/python3.8/site-packages/django/apps/registry.py", line 114, in populate
    app_config.import_models()
  File "/opt/rmm/api/env/lib64/python3.8/site-packages/django/apps/config.py", line 301, in import_models
    self.models_module = import_module(models_module_name)
  File "/opt/rh/rh-python38/root/usr/lib64/python3.8/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1014, in _gcd_import
  File "<frozen importlib._bootstrap>", line 991, in _find_and_load
  File "<frozen importlib._bootstrap>", line 975, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 671, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 843, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/opt/rmm/api/tacticalrmm/clients/models.py", line 6, in <module>
    from agents.models import Agent
  File "/opt/rmm/api/tacticalrmm/agents/models.py", line 27, in <module>
    class Agent(BaseAuditModel):
  File "/opt/rmm/api/tacticalrmm/agents/models.py", line 325, in Agent
    args: list[str] = [],
TypeError: 'type' object is not subscriptable

Native installation notes:

# install le certs for 
# - api.domain.tld
# - mesh.domain.tld
# - rmm.domain.tld
# and check they are resolvable via DNS (either public and/or local)

# Create workdir
mkdir -p tactical
cd tactical

# Install prerequisites
yum -y install http://mirror.de-labrusse.fr/NethServer/7/x86_64/nethserver-stephdl-1.1.9-1.ns7.sdl.noarch.rpm
yum -y install https://mrmarkuz.dynu.net/mirror/mrmarkuz/7/noarch/nethserver-mrmarkuz-0.0.1-6.ns7.noarch.rpm
yum -y install nethserver-nginx rh-nodejs14 rh-mongodb36 nethserver-postgresql12 nethserver-redis git nethserver-rh-python38 gcc make rh-python38-python-devel

# Enable services
systemctl enable rh-mongodb36-mongod --now

# Create DB for tactical RMM - ignore permission errors
sudo -u postgres scl enable rh-postgresql12 "psql -p 55434 -c\"CREATE DATABASE tacticalrmm\""
sudo -u postgres scl enable rh-postgresql12 "psql -p 55434 -c\"CREATE USER tactical WITH PASSWORD 'SECRET'\""
sudo -u postgres scl enable rh-postgresql12 "psql -p 55434 -c\"ALTER ROLE tactical SET client_encoding TO 'utf8'\""
sudo -u postgres scl enable rh-postgresql12 "psql -p 55434 -c\"ALTER ROLE tactical SET default_transaction_isolation TO 'read committed'\""
sudo -u postgres scl enable rh-postgresql12 "psql -p 55434 -c\"ALTER ROLE tactical SET timezone TO 'UTC'\""
sudo -u postgres scl enable rh-postgresql12 "psql -p 55434 -c\"GRANT ALL PRIVILEGES ON DATABASE tacticalrmm TO tactical\""



# Get tacticalRMM
mkdir -p /opt/rmm
chown ${USER}:${USER} /opt/rmm
mkdir -p /var/log/celery
chown ${USER}:${USER} /var/log/celery
git clone https://github.com/wh1te909/tacticalrmm.git /opt/rmm/
cd /opt/rmm
git config user.email "admin@example.com"
git config user.name "Bob"
git checkout master

# Get NATS server
# settings.py lives under /opt/rmm (the clone target above), not /rmm
NATS_SERVER_VER=$(grep "^NATS_SERVER_VER" /opt/rmm/api/tacticalrmm/tacticalrmm/settings.py | awk -F'[= "]' '{print $5}')
nats_tmp=$(mktemp -d -t nats-XXXXXXXXXX)
wget https://github.com/nats-io/nats-server/releases/download/v${NATS_SERVER_VER}/nats-server-v${NATS_SERVER_VER}-linux-amd64.tar.gz -P ${nats_tmp}
tar -xzf ${nats_tmp}/nats-server-v${NATS_SERVER_VER}-linux-amd64.tar.gz -C ${nats_tmp}
sudo mv ${nats_tmp}/nats-server-v${NATS_SERVER_VER}-linux-amd64/nats-server /usr/local/bin/
sudo chmod +x /usr/local/bin/nats-server
sudo chown ${USER}:${USER} /usr/local/bin/nats-server
rm -rf ${nats_tmp}

# Install meshcentral
MESH_VER=$(grep "^MESH_VER" /opt/rmm/api/tacticalrmm/tacticalrmm/settings.py | awk -F'[= "]' '{print $5}')

useradd -r -s /sbin/nologin meshcentral
mkdir -p /opt/meshcentral/meshcentral-data
chown meshcentral:meshcentral -R /opt/meshcentral
cd /opt/meshcentral
scl enable rh-nodejs14 "npm update"
scl enable rh-nodejs14 "npm install meshcentral@${MESH_VER}"
chown meshcentral:meshcentral -R /opt/meshcentral

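# meshdomain is never set earlier in these notes; assumed here to be the same host as CertUrl below
meshdomain="mesh.mrmarkuz.ddnss.eu"
meshcfg="$(cat << EOF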
{
  "settings": {
    "Cert": "${meshdomain}",
    "MongoDb": "mongodb://127.0.0.1:27017",
    "MongoDbName": "meshcentral",
    "WANonly": true,
    "Minify": 1,
    "Port": 4430,
    "AliasPort": 443,
    "RedirPort": 800,
    "AllowLoginToken": true,
    "AllowFraming": true,
    "_AgentPing": 60,
    "AgentPong": 300,
    "AllowHighQualityDesktop": true,
    "TlsOffload": "127.0.0.1",
    "agentCoreDump": false,
    "Compression": true,
    "WsCompression": true,
    "AgentWsCompression": true,
    "MaxInvalidLogin": { "time": 5, "count": 5, "coolofftime": 30 }
  },
  "domains": {
    "": {
      "Title": "Tactical RMM",
      "Title2": "Tactical RMM",
      "NewAccounts": false,
      "CertUrl": "https://mesh.mrmarkuz.ddnss.eu:443/",
      "GeoLocation": true,
      "CookieIpCheck": false,
      "mstsc": true
    }
  }
}
EOF
)"
echo "${meshcfg}" > /opt/meshcentral/meshcentral-data/config.json

# Configure components
localvars="$(cat << EOF
SECRET_KEY = "SECRET"

DEBUG = False

ALLOWED_HOSTS = ['mesh.mrmarkuz.ddnss.eu']

ADMIN_URL = "admin/"

CORS_ORIGIN_WHITELIST = [
    "https://rmm.mrmarkuz.ddnss.eu"
]

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        'NAME': 'tacticalrmm',
        'USER': 'tactical',
        'PASSWORD': 'SECRET',
        'HOST': 'localhost',
        'PORT': '55434',
    }
}

MESH_USERNAME = "tactical"
MESH_SITE = "https://mesh.mrmarkuz.ddnss.eu"
REDIS_HOST    = "localhost"
KEEP_SALT = False
ADMIN_ENABLED = True
EOF
)"
echo "${localvars}" > /opt/rmm/api/tacticalrmm/tacticalrmm/local_settings.py


cp /opt/rmm/natsapi/bin/nats-api /usr/local/bin
chown ${USER}:${USER} /usr/local/bin/nats-api
chmod +x /usr/local/bin/nats-api

# Installing the backend

cd /opt/rmm/api
scl enable rh-python38 bash
python -m venv env
source /opt/rmm/api/env/bin/activate
cd /opt/rmm/api/tacticalrmm
SETUPTOOLS_VER=$(grep "^SETUPTOOLS_VER" /opt/rmm/api/tacticalrmm/tacticalrmm/settings.py | awk -F'[= "]' '{print $5}')
WHEEL_VER=$(grep "^WHEEL_VER" /opt/rmm/api/tacticalrmm/tacticalrmm/settings.py | awk -F'[= "]' '{print $5}')
pip install --no-cache-dir --upgrade pip
pip install --no-cache-dir setuptools==${SETUPTOOLS_VER} wheel==${WHEEL_VER}
pip install --no-cache-dir -r /opt/rmm/api/tacticalrmm/requirements.txt
python manage.py migrate

EDIT2:

It’s working with docker and proxy, I’ll share a howto…

2 Likes

2 posts were split to a new topic: MeshCentral not reachable

So I get to the Create config file -

I get to this command and type it in node meshcentral

I get the following…

2022-06-14_05-53

I have searched around for a fix, but I am unable to find one. mrmarkuz do you know what I am doing wrong…

Note: I am installing it on my NethServer. I am trying to get it to show up internally and externally as remote.mycomputervisions.com

Any thoughts… that would help… here are my configs…

after typing nano /etc/httpd/conf.d/zz_meshcentral.conf I get the following -

2022-06-14_06-04

after typing nano /opt/meshcentral/meshcentral-data/config.json I get the following -

2022-06-14_06-07

Any help to get this going would be great.

Thanks,
-SF-

Did you install the module or did you go through this howto?

1 Like

Hmmm… :smiley: well I went through the HOW-TO…

I didn’t know there is a module to install. It does not come up in the software center list like normal, unless I missed it. Which is possible… (nope I looked not there…)

This is good to know. Thanks… now… the next question is… do I remove and uninstall what I have done through the HOW-TO and then install the module - nethserver-meshcentral?

Also… is there a module to install for the TacticalRMM as well?

Thanks for your help,
-SF-

Yes, it should be enough to remove the meshcentral dir (/opt/meshcentral…)

If you like to install TacticalRMM I recommend following howto because it has everything preconfigured in a docker installation:

If you just want MeshCentral I recommend to use the module.

2 Likes

Just curious… but what if I want to load TacticalRMM and MeshCentral directly to the Nethserver I have and not in a docker?

The direct install of Tactical RMM is aimed at Debian/Ubuntu so I decided to use the docker version as it’s easier to maintain. Maybe it’s possible to make it work but it’s not worth the effort.

1 Like

Gotcha. good point. I think I will do the docker install. I agree, not worth the headache - I am gonna start the process.

Thanks for your continuing help.

-SF-

1 Like

@mrmarkuz . Thank you for the HowTo,

How can I make any change to config.json permanent?

/opt/meshcentral/meshcentral-data/config.json

After editing it, each change disappears when using:

signal-event nethserver-meshcentral-update

I got this Server Warning:

Server Warnings

WARNING: Unable to find mongodump, MongoDB database auto-backup will not be performed.

But I see that I have all configured (according to this how-to):

image

I wonder if “MongoDumpPath” means to be the “path” only?

"MongoDumpPath": "/opt/rh/rh-mongodb36/root/usr/bin/",

instead of

"MongoDumpPath": "/opt/rh/rh-mongodb36/root/usr/bin/mongodump",

Finally, if I make changes to the .json file, does this command tell MeshCentral to load the changes?:

signal-event nethserver-meshcentral-update

Regards!

The config.json is templated so you’d need a custom template to make changes permanent.
I’m working on “detemplating” the config.json so that it can be changed without issues.

You may use a symlink as workaround:

This command rewrites the templated config.json file and restarts MeshCentral.

If you want to test a changed config.json, it’s enough to restart MeshCentral by

systemctl restart meshcentral

3 Likes

Hello,
I've got MeshCentral running with the tutorial in the wiki; at first login (I tried the user “meshcentral”) the user was created and promoted to admin.
But when I try to log in with an LDAP user, it's giving me a

WEB: handleLoginRequest: login failed, bad username and password

My config.json looks like:

"domains": {
"": {
  "CertUrl": "meshcentral.test.here",
  "_title": "",
  "_title2": "",
  "_titlePicture": "",
  "_loginPicture": "",
  "_auth": "ldap",
  "ldapUserName": "cn",
  "ldapUserRealName": "displayName",
  "ldapUserKey": "cn",
  "ldapUserBinaryKey": "objectSid",
  "ldapUserEmail": "userPrincipalName",
  "ldapOptions": {
    "url": "ldaps://nsdc-strato.test.ad.here:636",
    "bindDN": "ldapservice@test.ad.here",
    "bindCredentials": "<password>",
    "searchBase": "cn=Users,dc=test,dc=ad,dc=here",
    "searchFilter": "(sAMAccountName={{username}})",
    "strictDN": false

Did i miss something to configure?
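
Added example (not part of the original posts): MeshCentral treats config.json keys that start with an underscore as switched off, so a quick lint like this one lists every disabled key and flags a domain that carries `ldap*` settings without an active `auth` value or with a non-TLS LDAP URL. The function names, the `SAMPLE` text and its host names are constructed for illustration.

```python
import json

# Constructed sample modelled on the domain block quoted above (placeholder hosts/password).
SAMPLE = """{
  "settings": {"_AgentPing": 60, "AgentPong": 300},
  "domains": {"": {
    "_title": "",
    "_auth": "ldap",
    "ldapUserName": "cn",
    "ldapOptions": {
      "url": "ldaps://dc.example.test:636",
      "bindDN": "ldapservice@example.test",
      "bindCredentials": "<password>",
      "searchBase": "cn=Users,dc=example,dc=test",
      "searchFilter": "(sAMAccountName={{username}})"
    }
  }}
}"""

def disabled_keys(node, path=()):
    """Return the path of every key starting with '_' (ignored by MeshCentral)."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key.startswith("_"):
                found.append(path + (key,))
            else:
                found.extend(disabled_keys(value, path + (key,)))
    return found

def ldap_findings(config):
    """Per-domain problems that leave LDAP login inactive or unencrypted."""
    findings = []
    for name, domain in config.get("domains", {}).items():
        keys = {k.lower(): v for k, v in domain.items()}  # compare case-insensitively
        if not any(k.startswith("ldap") for k in keys):
            continue  # this domain has no LDAP settings at all
        label = name or "(default)"
        if keys.get("auth") != "ldap":
            hint = " ('_auth' is present but disabled)" if "_auth" in keys else ""
            findings.append(f"{label}: ldap* keys set but 'auth' is not 'ldap'{hint}")
        url = str(keys.get("ldapoptions", {}).get("url", ""))
        if not url.startswith("ldaps://"):
            findings.append(f"{label}: ldapOptions.url is not ldaps://")
    return findings

if __name__ == "__main__":
    cfg = json.loads(SAMPLE)
    print(disabled_keys(cfg), ldap_findings(cfg))
```

To lint a real file, load `/opt/meshcentral/meshcentral-data/config.json` with `json.load` and pass the result to both functions.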

maybe the AD DC Certificate:

Meshcentral checks if the used cert on the DC is valid. To use AD you need to either disable strong auth in smb.conf or add the nsdc host to the letsencrypt cert and copy it to the DC.

See NethServer Community for more details.

1 Like

I disabled the strong auth in the smb.conf of the nsdc since I was unsure about copying the certificate. But it didn't work / I forgot something else…