Install Minion
Objectives
-
Install a Meridian Minion on one of the supported operating systems.
-
Secure access to the Karaf shell with encrypted passwords.
-
Configure connection to message broker for communication with the Meridian core instance.
-
Verify the setup.
Requirements
-
A Meridian core instance running and configured with a message broker.
-
A Linux physical server or a virtual machine running a supported Linux operating system.
-
Internet access to download the installation packages.
-
Java installed OpenJDK 11.
-
DNS configured so that
localhostand your server’s host name resolve properly. -
A Meridian core instance runs on latest stable release.
-
A Minion server can access desired message broker nodes (for example, ActiveMQ
61616/tcp, Apache Kafka9092/tcp). -
A system user with administrative permissions (sudo) to perform the installation tasks.
| Time synchronization is a critical part of operating a monitoring system. Ensure you have a functional time synchronization process running with your operating system. If you are not familiar with this topic, the knowledgebase article Ensure time synchronization for your OpenNMS components is a good starting point. |
Install the Minion package
Install OpenJDK 11 JRE runtime
sudo dnf -y install java-11-openjdk-headlessAdd repository and import GPG key
cat << EOF | sudo tee /etc/yum.repos.d/opennms-meridian.repo
[meridian]
name=Meridian for Red Hat Enterprise Linux and CentOS
baseurl=https://REPO_USER:REPO_PASS@meridian.opennms.com/packages/2022/stable/rhel8(1)
gpgcheck=1
gpgkey=http://yum.opennms.org/OPENNMS-GPG-KEY
EOF
sudo rpm --import https://yum.opennms.org/OPENNMS-GPG-KEY| 1 | Replace the REPO_USER and REPO_PASS with your Meridian subscription credentials. |
Install the Meridian Minion package
sudo dnf -y install meridian-minion| Disable the OpenNMS Meridian repository after installation to prevent unwanted upgrades when upgrading other packages on the server. After upgrade, Meridian requires manual steps to upgrade configuration files or migrate database schemas to a new version. For this reason, we recommend that you exclude the Meridian packages from update except when you plan to perform an upgrade. |
Disable auto updates for Meridian Minion
sudo dnf config-manager --disable meridianVerify directory structure with the tree command
sudo dnf -y install tree
tree /opt/minion -L 1Directory structure after successful installation
/opt/minion
├── bin
├── COPYING
├── deploy
├── etc
├── lib
├── repositories
└── systemEnable Meridian Minion on system boot and start immediately
sudo systemctl enable --now minionInstall OpenJDK 11 JRE runtime
sudo yum -y install java-11-openjdk-headlessAdd repository and import GPG key
cat << EOF | sudo tee /etc/yum.repos.d/opennms-meridian.repo
[meridian]
name=Meridian for Red Hat Enterprise Linux and CentOS
baseurl=https://REPO_USER:REPO_PASS@meridian.opennms.com/packages/2022/stable/rhel7(1)
gpgcheck=1
gpgkey=http://yum.opennms.org/OPENNMS-GPG-KEY
EOF
sudo rpm --import https://yum.opennms.org/OPENNMS-GPG-KEY| 1 | Replace the REPO_USER and REPO_PASS with your Meridian subscription credentials. |
Install the Meridian Minion package
sudo yum -y install meridian-minion| Disable the OpenNMS Meridian repository after installation to prevent unwanted upgrades when upgrading other packages on the server. After upgrade, Meridian requires manual steps to upgrade configuration files or migrate database schemas to a new version. For this reason, we recommend that you exclude the Meridian packages from update except when you plan to perform an upgrade. |
Disable auto updates for Meridian Minion
sudo yum -y install yum-utils
sudo yum-config-manager --disable meridianVerify directory structure with the tree command
sudo yum -y install tree
tree /opt/minion -L 1Directory structure after successful installation
/opt/minion
├── bin
├── COPYING
├── deploy
├── etc
├── lib
├── repositories
└── systemEnable Meridian Minion on system boot and start immediately
sudo systemctl enable --now minionSecure access to Karaf shell
| Change the default username and password (admin/admin) for the Karaf shell and encrypt it. |
Login to the Karaf shell
ssh -p 8201 admin@localhostEnable password encryption using SHA-512
config:edit org.apache.karaf.jaas
config:property-set encryption.enabled true
config:property-set encryption.algorithm SHA-512
config:updateSet a new secure admin password
jaas:realm-manage --index 1 --realm karaf
jaas:user-add admin my-secure-password(1)
jaas:update| 1 | Replace my-secure-password with a strong password |
Logout and try login to verify your new password is set.
Changes to the password and encryption algorithm are applied immediately. You do not need to restart the Minion.
By default, the Karaf Shell is restricted to 127.0.0.1.
To enable remote access, set sshHost=0.0.0.0 in org.apache.karaf.shell.cfg.
The change is applied immediately and you do not need to restart the Minion.
If you have a firewall running on your host, allow 8201/tcp to grant access to the Karaf shell.
|
Configure connectivity to the core instance
Set configuration settings in the Meridian etc directory.
We reference etc relative to the OpenNMS Meridian core home directory.
Depending on your operating system, the home directory is /usr/share/opennms for Debian and Ubuntu or /opt/opennms for CentOS and RHEL.
Create a file to prevent installing ActiveMQ features on Minion start-up
sudo vi etc/featuresBoot.d/disable-activemq.bootAdd the following lines to disable ActiveMQ features and save the file
!minion-jms
!opennms-core-ipc-jmsCreate a file to install Kafka features on Minion startup
sudo vi etc/featuresBoot.d/kafka.bootAdd the following lines to install the remote producer call (RPC), sink, and twin feature for Kafka on Minion startup and save the file
opennms-core-ipc-kafkaConfigure the Kafka features and the Minion location via the Karaf shell
ssh -p 8201 admin@localhostConfigure the Minion location
config:edit org.opennms.minion.controller(1)
config:property-set location my-location(2)
config:update(3)| 1 | Edit the Minion configuration. |
| 2 | Replace my-location with a location name that represents the remote location where the Minion is running. |
| 3 | Save the configuration. |
By default, the Minion generates a unique ID.
Provide a human-readable Minion identifier yourself with config:property-set id my-minion-name.
Configure the Kafka endpoints for IPC feature
config:edit org.opennms.core.ipc.kafka
config:property-set bootstrap.servers my-kafka-ip-1:9092,my-kafka-ip-2:9092(1)
config:update| 1 | Connect to the specified Kafka nodes and adjust the IPs or FQDNs with the Kafka port (9092) accordingly. |
If you set more than one Kafka node as bootstrap.servers. the driver attempts to connect to the first entry.
If that is successful, the whole broker topology will be discovered and will be known by the client.
The other entries are used only if the connection to the first entry fails.
| Ensure you use the FQDN or IP for your Kafka nodes as configured as advertised listener. |
You can still configure module-specific config for sink IPC at org.opennms.core.ipc.sink.kafka.cfg; similarly for RPC and twin.
Module-specific config takes precedence over common config specified on org.opennms.core.ipc.kafka.cfg.
|
Exit the Karaf shell with Ctrl+d
Restart the Minion to apply the configuration
sudo systemctl restart minionVerify the configuration using the health check in the Karaf shell
ssh -p 8201 admin@localhostRun the health check command
opennms:health-checkVerify all components are configured properly
Verifying the health of the container
Verifying installed bundles [ Success ]
Connecting to Kafka from RPC [ Success ]
Connecting to Kafka from Sink Producer [ Success ]
Connecting to Kafka from Twin [ Success ]
=> Everything is awesomeConnect to the Karaf shell with user
admin and password adminssh -p 8201 admin@localhostConfigure ActiveMQ and remote location name
config:edit org.opennms.minion.controller(1)
config:property-set location my-location(2)
config:property-set broker-url failover:tcp://core-instance-ip:61616(3)
config:update(4)| 1 | Edit the Minion configuration. |
| 2 | Replace my-location with a location name that represents the remote location where the Minion is running. |
| 3 | Replace the broker URL that goes to your Meridian Core instance. If you have ActiveMQ with SSL running, replace tcp with ssl. |
| 4 | Save the configuration. |
By default, the Minion generates a unique ID.
Provide a human-readable Minion identifier yourself with config:property-set id my-minion-name
Configure credentials for the ActiveMQ message broker and exit Karaf shell
opennms:scv-set opennms.broker my-minion-user my-minion-password(2)
The credentials are encrypted on disk in ${MINION_HOME}/etc/scv.jce.
|
Exit the Karaf shell with Ctrl+d
Restart the Minion to apply the configuration
sudo systemctl restart minionVerify the configuration using the health check in the Karaf shell
ssh -p 8201 admin@localhostRun the health check to verify connectivity
opennms:health-checkThe result should show success for each component
Verifying installed bundles [ Success ]
Connecting to JMS Broker [ Success ]
=> Everything is awesomeCreate a file to prevent installing ActiveMQ features on Minion start-up
sudo vi etc/featuresBoot.d/disable-activemq.bootAdd the following lines to disable ActiveMQ features and save the file
!minion-jms
!opennms-core-ipc-jmsCreate a file to install gRPC features on startup
sudo vi etc/featuresBoot.d/grpc.bootAdd the gRPC client features
opennms-core-ipc-grpc-clientConfigure the gRPC client and the Minion location via the Karaf shell
ssh -p 8201 admin@localhostConfigure the Minion location
config:edit org.opennms.minion.controller(1)
config:property-set location my-location(2)
config:update(3)| 1 | Edit the Minion configuration. |
| 2 | Replace my-location with a location name that represents the remote location where the Minion is running. |
| 3 | Save the configuration. |
By default, the Minion generates a unique ID.
Provide a human-readable Minion identifier yourself with config:property-set id my-minion-name
Configure the gRPC endpoint
config:edit org.opennms.core.ipc.grpc.client
config:property-set host core-instance-ip(1)
config:property-set port 8990(2)
config:update(3)| 1 | Set the host to connect to the gRPC server running on the Meridian Core instance. Replace the core-instance-ip accordingly. |
| 2 | Set the port of the gRPC server, which is 8990 by default. |
| 3 | Save the configuration. |
Restart the Minion to apply the changes
systemctl restart minionVerify the configuration using the health check in the Karaf shell
ssh -p 8201 admin@localhostRun the health check command
opennms:health-checkVerify all components are configured properly
admin@minion> opennms:health-check
Verifying the health of the container
Verifying installed bundles [ Success ]
Connecting to gRPC IPC Server [ Success ]
=> Everything is awesomeOptional. To enable TLS for gRPC you must provide certificate files and enable it. The commands for TLS appear below.
Connect to the Karaf shell
ssh -p 8201 admin@localhostConfigure TLS and certificate parameters
config:edit org.opennms.core.ipc.grpc.client
config:property-set tls.enabled true(1)
config:property-set trust.cert.filepath /custom-path/ca.crt(2)
config:property-set client.cert.filepath /custom-path/client.crt(3)
config:property-set client.private.key.filepath /custom-path/client.pem(4)
config:update(5)| 1 | Enable TLS for the gRPC server. |
| 2 | Set the path to your CA certificate file. |
| 3 | Set the path to your client certificate file. |
| 4 | Set the path client certificate key file. |
| 5 | Save and update the configuration. |
This is optional, and you can set a maximum message size for gRPC. The maximum size must be the same on the Meridian Core instance. The default message size is 10 MiB.
Configure maximum message size for gRPC in the Karaf shell
config:edit org.opennms.core.ipc.grpc.client
config:property-set max.message.size 10485760
config:updateRestart the Meridian Core instance to apply changes
sudo systemctl restart opennms