Howto install Tactical RMM including MeshCentral on Nethserver with docker

oneitonitram · October 15, 2021, 1:35pm

how do i do this

mrmarkuz · October 15, 2021, 1:49pm

With the commands I posted.

EDIT:

I added 2FA reset and complete reset to the howto.

oneitonitram · October 27, 2021, 4:09am

i keep getting error 502

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET / .

Reason: Error reading from remote server

on my docker installations, not just this one, what could be causing this issue?

mrmarkuz · October 27, 2021, 4:37am

Are the right containers joined to aqua network?

oneitonitram · October 27, 2021, 4:51am

looking into portainer.
i noticed that they are not, i thought they were to be added automatically.

i added trmm-meshcentral and trmm-nginx to aqua. am not sure if there are any others to be added.

mrmarkuz · October 27, 2021, 4:59am

No, usually only the ones that share ports.

oneitonitram · October 27, 2021, 5:03am

i also tried installing Uptime Kuma

as shown below

docker volume create uptime-kuma


docker run -d --restart=always -p 4381:4381 -v uptime-kuma --name uptime-kuma louislam/uptime-kuma:1


config setprop uptime-kuma status enabled TCPPort 4381 access green,red

signal-event firewall-adjust


docker network connect aqua uptime-kuma

in portainer it shows the container is running, and is joined on aqua.

but when i access the reverse proxy page, it says. 502 error also. not sure what needs to be done again.

EDIT: i got it working, here is a howto for the same: Uptme Kuma On Nethserver

oneitonitram · October 27, 2021, 6:21am

@mrmarkuz were you able to get remote control from rmm working?
mine is not, just says agent online but nothing is happening.

Also on the same note, when you installed tactical rmm agent, did your machine appear on meshcentral screen?

mrmarkuz · October 27, 2021, 9:14am

Yes, the Meshcentral part works. A valid cert like letsencrypt is mandatory.

oneitonitram · October 27, 2021, 9:16am

then i dont understand why my server is acting up, because if i add rmm agent, it does not appear on mesh even after uploading relevant agents of mesh to rmm. which also prevents me from doing rdp through rmm

mrmarkuz · October 27, 2021, 9:22am

Did you upload the agents to RMM, as explained here?

Can you connect from the client to mesh.yourdomain.org via HTTPS using a valid cert?

oneitonitram · October 27, 2021, 9:25am

yes i can acess and login to mesh even.

Shodan_Ki · February 15, 2022, 6:16pm

Markuz you amaze me again
so my question can I combine a Tactical RMM Docker with an existing MeshCentral instance?
Or in my case, i would feel better with a direct 2nd nethserver with a direct Tactical RMM installation or may be on the same system as MeshCentral as a direct install docker and i are still not very good friends at this moment.
Kind Regards

Shodan

mrmarkuz · February 15, 2022, 7:21pm

IIRC that’s possible but it’s preconfigured in the docker version.

The native Tactical RMM install without docker didn’t work for me.

As regards more complex projects, my experience is that it’s easier to put them into a virtualization accepting overhead and performance loss than to fight with sometimes impossible system integration.

oneitonitram · March 20, 2022, 1:17pm

There is a New update for Tactical RMM and it has a number of significant Improvements

Release Release v0.12.0 · amidaware/tacticalrmm (github.com)

There is Now a Linux Agent. (though in beta) tag @Andy_Wismer
The Docker now uses non root container,

and no need to manually add mesh central agents.

Fantastic Progress.

EDIT: i have updated the links to reflect the new changes in the project.

dnutan · June 18, 2022, 9:44pm

This is about 6 months old but just for your information:

ferdinando.arfe · October 31, 2022, 3:13pm

Hi all, i’ve tried to install TacticalRMM with docker but i think that the step for the configuration are not complete: the steps for docker, espacially #nats, give me back some error:

WARNING: The CERT_PUB_KEY variable is not set. Defaulting to a blank string.
WARNING: The CERT_PRIV_KEY variable is not set. Defaulting to a blank string.
ERROR: The Compose file ‘./docker-compose.yml’ is invalid because:
services.tactical-nats.networks.proxy contains unsupported option: ‘default’

Any thoughts?

mrmarkuz · October 31, 2022, 10:07pm

I retested the howto and it still works.

Please check the .env file. The last lines should be like:

# certs
CERT_PUB_KEY=Ab12...
CERT_PRIV_KEY=Ab12...

Did you do the following step?

mrmarkuz:

Add Letsencrypt certs to the .env file (if you do this step more often you need to manually remove duplicated lines):
echo -e "\n# certs" >> .env
echo "CERT_PUB_KEY=$(sudo base64 -w 0 /etc/pki/tls/certs/localhost.crt)" >> .env
echo "CERT_PRIV_KEY=$(sudo base64 -w 0 /etc/pki/tls/private/localhost.key)" >> .env

I think you forgot the colon at the end, it’s default:

mrmarkuz:

  # nats
  tactical-nats:
    container_name: trmm-nats
    image: ${IMAGE_REPO}tactical-nats:${VERSION}
    restart: always
    environment:
      API_HOST: ${API_HOST}
    ports:
      - "4222:4222"
    volumes:
      - tactical_data:/opt/tactical
    networks:
      proxy:
        aliases:
          - ${API_HOST}
      default:

ferdinando.arfe · November 1, 2022, 7:22pm

Hi Mark, thanks for your reply!

I’ve tried to setup Tactical on a Debian VM following the amidaware documentation and the site is online correctly. I’m new to Docker so i’ll try your new steps for test purpose and learning Docker. However in the #nats part of the file my setup differ a bit, maybe I have made a mistake during the configuration

oneitonitram · February 22, 2023, 9:35pm

Looking back at this, i am curious how these updated below, affect the installation, especially in the ports definition

Release v0.14.0

Switched to NATS websocket for agent<->server communication. This removes the need to publicly expose port 4222 TCP and now the only open port needed is 443 TCP. You must leave port 4222 open though until all your agents are updated to v2.1.0 at which point you may close port 4222 in your firewall.

Note for those running UNSUPPORTED setups or proxies (HAProxy, NPM, Traefik, Kubernetes etc. Ignore this section if you are on a traditional or docker install): NATS still listens on 4222 (for internal communication between various trmm services) but now also listens internally on localhost:9235 (websocket protocol). Agent NATS traffic now connects to nginx public port 443 which is proxy passed to localhost:9235 so you will need to implement this manually in your proxy settings. You may refer to this commit to see how a supported nginx setup implements it (make sure to only proxy pass traffic that matches the pattern https://api.example.com/natsws). You must implement this in your custom proxy before upgrading to this release.

If for whatever reason you can’t use NATS websocket or just want to keep things the way they were before this release, check out these docs on how to fall back to NATS standard.

Note for docker users: the docker-compose.yml file has changed this release so make sure to delete the old one and re-download the latest one (just copy paste from the docker update docs).

GEt Agents and Download Agents, no longer NEcessary with VErsions: 0.12.0 and above
they are automatically created. using emsh api

Removed the need to manually upload and manage mesh agents. They are now dynamically generated using meshcentral’s api. Added a new setting in Global Settings > MeshCentral to specify the meshcentral device group name for those that are not using the default device group name that tactical sets up during install.