Kudos. With those changes I can access MeshCentral management page.
Under these settings here, am I supposed to remove the _ for the settings to work?
I tried without removing them; when I try to start the service I get this error:
[root@monit meshcentral]# systemctl enable --now meshcentral
Failed to execute operation: Bad message
Yes. See the first line of the config.json file:
"__comment__" : "This is a sample configuration file, all values and sections that start with underscore (_) are ignored. Edit a section and remove the _ in front of the name. Refer to the user's guide for details.",
I updated the howto to avoid misunderstandings. Thanks for testing!
I have updated the changes but I am still getting the same error when I run systemctl enable --now meshcentral
Also, visiting the hostname still displays the default nethserver page.
Please show the content of /etc/systemd/system/meshcentral.service
Check if files exist:
ls /opt/rh/rh-nodejs10/root/usr/bin/node /opt/meshcentral/node_modules/meshcentral/meshcentral.js
Please check if you entered the hostname in /etc/httpd/conf.d/zz_meshcentral.conf
and reloaded httpd.
Thank you. The error was with [Unit]:
only t] had been copied.
Now, I am still getting the default page, with the Zabbix icon.
Could be browser cache or you still have the zabbix config pointing to same domain.
You may use httpd -S
to check your virtualhosts.
I completely misunderstood and thought you were talking about the favicon.
This zabbix icon has nothing to do with meshcentral…it's set via the application page in server manager.
Please check/post /etc/httpd/conf.d/zz_meshcentral.conf
and result of httpd -S
httpd -S
[root@monit meshcentral]# httpd -S
VirtualHost configuration:
*:80 is a NameVirtualHost
default server monit.domain.tld (/etc/httpd/conf.d/zz_guacamole.conf:9)
port 80 namevhost monit.domain.tld (/etc/httpd/conf.d/zz_guacamole.conf:9)
port 80 namevhost remote.domain.tld (/etc/httpd/conf.d/zz_guacamole.conf:13)
*:443 is a NameVirtualHost
default server monit.domain.tld (/etc/httpd/conf.d/nethserver.conf:44)
port 443 namevhost monit.domain.tld (/etc/httpd/conf.d/nethserver.conf:44)
port 443 namevhost monit.domain.tld (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost remote.domain.tld(/etc/httpd/conf.d/zz_guacamole.conf:18)
port 443 namevhost mesh.domain.tld (/etc/httpd/conf.d/zz_meshcentral.conf:1)
ServerRoot: "/etc/httpd"
/etc/httpd/conf.d/zz_meshcentral.conf
<VirtualHost *:443>
ServerName mesh.domain.tld
SSLEngine on
SSLProxyEngine on
ProxyPreserveHost On
RewriteEngine on
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule . ws://127.0.0.1:8989%{REQUEST_URI} [P]
ProxyPass / http://127.0.0.1:8989/
ProxyPassReverse / http://127.0.0.1:8989/
</VirtualHost>
Looks correct.
Did you reload the httpd config?
systemctl reload httpd
EDIT:
Turned out as permission problem again. I'm going to update the howto and place the chown line more often…
EDIT2:
Corrected.
503 error has returned…
Shouldn't this be port 4443 instead of 444? (since you open port 4443 in Firewall)
No, we just use default port 443 or 4443 for AMT. The other ports are not necessary.
At the stage you mentioned we just start meshcentral for creating config files, we change the ports afterwards.
Where is port 444 coming from then? Where is it configured?
It's opened by default because 443 is in use by apache.
At the end it runs like that (before it's only a default because at that stage we have no config.json):
Apr 25 02:23:21 server[10146]: MeshCentral HTTP redirection server running on port 81.
Apr 25 02:23:21 server[10146]: MeshCentral v0.5.13, Hybrid (LAN + WAN) mode, Production mode.
Apr 25 02:23:21 server[10146]: MeshCentral Intel(R) AMT server running on server:4433.
Apr 25 02:23:21 server[10146]: MeshCentral HTTP server running on port 8989, alias port 443.
Only port 81 is not needed but meshcentral needs it to start. As it's not opened to the public it's no big issue.
/opt/meshcentral/meshcentral-data/config.json
Turned out as syntax error in config file. I am going to update the howto with a little troubleshooting section.
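Added example, not part of the original thread or the howto: a small checker for the two config.json problems discussed above, a JSON syntax error and sections that stay inactive because their name still starts with an underscore. The sample file is constructed for illustration; its port values are taken from the log lines quoted in this thread, and the helper names classify and check_config are hypothetical.

```python
import json
import sys

# Constructed sample in the style of MeshCentral's sample config.json; keys
# starting with "_" are ignored, as the file's own "__comment__" line says.
SAMPLE_OK = """{
  "__comment__": "sample",
  "settings": {
    "port": 8989, "aliasPort": 443,
    "_redirPort": 81, "tlsOffload": "127.0.0.1"
  },
  "_domains": { "": { "title": "Example" } }
}"""

# Same file after a typical hand-edit slip: a trailing comma before "}".
SAMPLE_BAD = SAMPLE_OK.replace('"127.0.0.1"', '"127.0.0.1",')


def classify(node, path=""):
    """Split key paths into active ones and ones ignored via a leading "_"."""
    active, ignored = [], []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key.startswith("_"):
                ignored.append(here)  # the whole subtree is skipped
                continue
            active.append(here)
            sub_active, sub_ignored = classify(value, here)
            active += sub_active
            ignored += sub_ignored
    return active, ignored


def check_config(text):
    """Parse config text; report the syntax error position or the key split."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as err:
        return {"ok": False, "error": f"line {err.lineno}, column {err.colno}: {err.msg}"}
    active, ignored = classify(data)
    return {"ok": True, "active": active, "ignored": ignored}


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the samples.
    texts = [open(sys.argv[1]).read()] if len(sys.argv) > 1 else [SAMPLE_OK, SAMPLE_BAD]
    for text in texts:
        print(json.dumps(check_config(text), indent=2))
```

Run it with /opt/meshcentral/meshcentral-data/config.json as the argument before restarting the service; any section listed under "ignored" still needs its underscore removed to take effect.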
This solution works superbly.
In a scenario where you need to give a system admin root access to a server, you can just give them credentials and link to meshcentral, then only define the servers they have access to.
This really saves a lot on security and accountability, if you have more than one person having access to a server.
How then can we have such kind of function for the nethserver admin interface?
From my understanding, if someone must access nethserver, they need to have the root password to be able to access and add or do anything.
Yeah, I think so too. Still working here.
It's already there:
https://docs.nethserver.org/en/v7/base_system2.html#delegation-section
Wow, I never knew this was there. Now this is fantastic and wonderful.
Now, why are applications only http?
And currently when trying to login, there is a timeout error, authentication failed.
EDIT: got it, they need shell access granted.
EDIT2: After login, there is the error, disconnected,
server has closed connection