Upgrading to Tactical RMM 0.3.0
- Some of these steps may not apply to you depending on when you installed, but please go through all of them to make sure nothing is missed.
 
- Stop all services
 
for i in salt-master salt-api rmm celery celerybeat celery-winupdate meshcentral nginx; do sudo systemctl stop $i; done
- Edit /etc/nginx/sites-available/rmm.conf and add the following location block. You can add it right after the location /builtin/ {...} block. This file needs to be opened with sudo.
location ~ ^/(natsapi) {
    allow 127.0.0.1;
    deny all;
    uwsgi_pass tacticalrmm;
    include     /etc/nginx/uwsgi_params;
    uwsgi_read_timeout 500s;
    uwsgi_ignore_client_abort on;
}
Add the following to the top of the file right under the upstream tacticalrmm {...} block
map $http_user_agent $ignore_ua {
    "~python-requests.*" 0;
    "~go-resty.*" 0;
    default 1;
}
Look for this line
access_log /rmm/api/tacticalrmm/tacticalrmm/private/log/access.log;
and change to
access_log /rmm/api/tacticalrmm/tacticalrmm/private/log/access.log combined if=$ignore_ua;
Example of what the entire file should look like:
server_tokens off;
upstream tacticalrmm {
    server unix:////rmm/api/tacticalrmm/tacticalrmm.sock;
}
map $http_user_agent $ignore_ua {
    "~python-requests.*" 0;
    "~go-resty.*" 0;
    default 1;
}
server {
    listen 80;
    server_name api.EXAMPLE.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name api.yourdomain.com;
    client_max_body_size 300M;
    access_log /rmm/api/tacticalrmm/tacticalrmm/private/log/access.log combined if=$ignore_ua;
    error_log /rmm/api/tacticalrmm/tacticalrmm/private/log/error.log;
    ssl_certificate /etc/letsencrypt/live/EXAMPLE.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/EXAMPLE.com/privkey.pem;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    location /static/ {
        root /rmm/api/tacticalrmm;
    }
    location /private/ {
        internal;
        add_header "Access-Control-Allow-Origin" "https://rmm.EXAMPLE.com";
        alias /rmm/api/tacticalrmm/tacticalrmm/private/;
    }
    location /saltscripts/ {
        internal;
        add_header "Access-Control-Allow-Origin" "https://rmm.EXAMPLE.com";
        alias /srv/salt/scripts/userdefined/;
    }
    location /builtin/ {
        internal;
        add_header "Access-Control-Allow-Origin" "https://rmm.EXAMPLE.com";
        alias /srv/salt/scripts/;
    }
    location ~ ^/(natsapi) {
        allow 127.0.0.1;
        deny all;
        uwsgi_pass tacticalrmm;
        include     /etc/nginx/uwsgi_params;
        uwsgi_read_timeout 9999s;
        uwsgi_ignore_client_abort on;
    }
    location / {
        uwsgi_pass  tacticalrmm;
        include     /etc/nginx/uwsgi_params;
        uwsgi_read_timeout 9999s;
        uwsgi_ignore_client_abort on;
    }
}
- Edit /etc/nginx/sites-available/meshcentral.conf and change it to match the example below. Don't forget to replace mesh.EXAMPLE.COM with your mesh domain. This file needs to be opened with sudo.
server {
  listen 80;
  server_name mesh.EXAMPLE.com;
  return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    proxy_send_timeout 330s;
    proxy_read_timeout 330s;
    server_name mesh.example.com;
    ssl_certificate /etc/letsencrypt/live/EXAMPLE.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/EXAMPLE.com/privkey.pem;
    ssl_session_cache shared:WEBSSL:10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://127.0.0.1:4430/;
        proxy_http_version 1.1;
        proxy_set_header Host $host; ## this line is new
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
- Edit /meshcentral/meshcentral-data/config.json and change it to match the example below. Replace mesh.example.com with your mesh domain. After editing, use a JSON linter like https://jsonlint.com/ to verify there are no syntax errors, otherwise meshcentral will fail to start.
{
  "settings": {
    "Cert": "mesh.example.com",
    "MongoDb": "mongodb://127.0.0.1:27017",
    "MongoDbName": "meshcentral",
    "WANonly": true,
    "Minify": 1,
    "Port": 4430,
    "AliasPort": 443,
    "RedirPort": 800,
    "AllowLoginToken": true,
    "AllowFraming": true,
    "_AgentPing": 60,
    "AgentPong": 200,
    "AllowHighQualityDesktop": true,
    "TlsOffload": "127.0.0.1",
    "agentCoreDump": false,
    "Compression": true,
    "WsCompression": true,
    "AgentWsCompression": true,
    "MaxInvalidLogin": { "time": 5, "count": 5, "coolofftime": 30 }
  },
  "domains": {
    "": {
      "Title": "Tactical RMM",
      "Title2": "Tactical RMM",
      "NewAccounts": false,
      "CertUrl": "https://mesh.example.com:443/",
      "GeoLocation": true,
      "CookieIpCheck": false,
      "mstsc": true
    }
  }
}
- Replace /rmm/api/tacticalrmm/app.ini with the following:
[uwsgi]
chdir = /rmm/api/tacticalrmm
module = tacticalrmm.wsgi
home = /rmm/api/env
master = true
processes = 6
threads = 6
enable-threads = True
socket = /rmm/api/tacticalrmm/tacticalrmm.sock
harakiri = 300
chmod-socket = 666
# clear environment on exit
vacuum = true
die-on-term = true
max-requests = 500
max-requests-delta = 1000
- Replace /etc/salt/master.d/rmm-salt.conf with the following. This file needs to be opened with sudo.
timeout: 20
gather_job_timeout: 25
max_event_size: 30485760
external_auth:
  pam:
    saltapi:
      - .*
      - '@runner'
      - '@wheel'
      - '@jobs'
rest_cherrypy:
  port: 8123
  disable_ssl: True
  max_request_body_size: 30485760
- Edit /etc/conf.d/celery.conf and /etc/conf.d/celery-winupdate.conf and change
CELERYD_LOG_LEVEL="INFO"
to
CELERYD_LOG_LEVEL="ERROR"
- Clear log files
 
baselog="/rmm/api/tacticalrmm/tacticalrmm/private/log"
for i in ${baselog}/access.log ${baselog}/error.log ${baselog}/debug.log ${baselog}/uwsgi.log; do sudo rm -f $i; done
sudo rm -f /var/log/celery/*
- Verify nginx syntax is correct. If there are any errors, check the steps above and fix the nginx configs.
 
sudo nginx -t
- Edit /etc/hosts and make sure the line starting with 127.0.1.1 or 127.0.0.1 has your 3 subdomains in it like this:
127.0.0.1 localhost
127.0.1.1 yourservername api.example.com rmm.example.com mesh.example.com
- Start services
 
for i in rmm celery celerybeat celery-winupdate salt-master salt-api nginx meshcentral; do sudo systemctl start $i; done
- Delete whatever update.sh script you currently have, then download the latest one and run it:
wget https://raw.githubusercontent.com/wh1te909/tacticalrmm/master/update.sh
chmod +x update.sh
./update.sh
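
nginx -t only checks syntax, so it passes even when the natsapi restriction or the conditional access_log line was left out of rmm.conf. The script below is an added example, not part of this guide's original steps or the Tactical RMM project; its function names and sample files are constructed, and on a real server the functions would be pointed at /etc/nginx/sites-available/rmm.conf and /etc/hosts before the services are started.

```shell
# Added example (not Tactical RMM code); function names and samples are constructed.
# Pass only if the natsapi block has "allow 127.0.0.1;" before "deny all;"
# (nginx checks access rules in order and stops at the first match).
check_natsapi() {
    awk '
        index($0, "location ~ ^/(natsapi)") { inblk = 1 }
        inblk && /allow[ \t]+127\.0\.0\.1;/ { allow = NR }
        inblk && /deny[ \t]+all;/           { deny = NR }
        inblk && /^[ \t]*}/                 { inblk = 0 }
        END { exit !(allow && deny && allow < deny) }
    ' "$1"
}

# Pass if the $ignore_ua map exists and the access_log line is conditioned on it.
check_access_log() {
    grep -Eq '^[[:space:]]*map[[:space:]]+\$http_user_agent[[:space:]]+\$ignore_ua' "$1" &&
    grep -Eq '^[[:space:]]*access_log[[:space:]].*combined[[:space:]]+if=\$ignore_ua;' "$1"
}

# Pass if a single loopback line names all three subdomains (args: FILE API RMM MESH).
check_hosts() {
    awk -v a="$2" -v r="$3" -v m="$4" '
        $1 == "127.0.0.1" || $1 == "127.0.1.1" {
            ha = hr = hm = 0
            for (i = 2; i <= NF; i++) { if ($i == a) ha = 1; if ($i == r) hr = 1; if ($i == m) hm = 1 }
            if (ha && hr && hm) found = 1
        }
        END { exit !found }
    ' "$1"
}

# Constructed sample inputs, trimmed from the examples in this guide.
sample_dir=$(mktemp -d)
cat > "$sample_dir/rmm.conf" <<'EOF'
map $http_user_agent $ignore_ua {
    default 1;
}
server {
    access_log /rmm/api/tacticalrmm/tacticalrmm/private/log/access.log combined if=$ignore_ua;
    location ~ ^/(natsapi) {
        allow 127.0.0.1;
        deny all;
    }
}
EOF
printf '127.0.0.1 localhost\n127.0.1.1 yourservername api.example.com rmm.example.com mesh.example.com\n' > "$sample_dir/hosts"
check_natsapi "$sample_dir/rmm.conf" && check_access_log "$sample_dir/rmm.conf" &&
  check_hosts "$sample_dir/hosts" api.example.com rmm.example.com mesh.example.com && echo "all checks passed"
```

Each function returns non-zero on failure, so the checks can be chained with && ahead of the service start loop.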