Enable Advanced Remote Support

By default, members of the Platform9 support team cannot interactively log onto your PMO nodes. In exceptional circumstances, it is sometimes useful to enable the advanced remote support (ARS) mechanism to troubleshoot challenging problems on the nodes. This allows a Platform9 support engineer to securely log onto your host to analyze and resolve issues. This article explains how a customer can enable this mechanism.

Although it is based on SSH, enabling advanced remote support does not expose your host to SSH logins from any network other than Platform9’s. It leverages the host’s existing secure connection to the Platform9 management plane and does not require any firewall changes to your host or network.

Enable Advanced Remote Support from PMO UI

Follow these steps to enable advanced remote support for a PMO node.

Navigate to Infrastructure > Clusters, click the applicable cluster name, and then click the Nodes tab. Alternatively, navigate to Infrastructure > Nodes.

Next, select the checkbox next to the node where you want to enable remote support.

Then, click the ‘Configure Remote Support’ action and select the ‘Enable Advanced Support’ checkbox.

Finally, click UPDATE NODE. Advanced remote support is now enabled for the selected node, as evidenced by the headset icon shown next to the node name. The node can now be accessed remotely by Platform9 support.

Ensure sshd is Running and Properly Configured

Consult your Linux operating system’s documentation to ensure that the SSH daemon is running and allows key-based authentication.

Once ARS is enabled, a Platform9 support engineer will log into the node using a user role called ‘pf9’ that was previously created on that node during installation of PMO. By default, the ‘pf9’ user is created with restricted privileges. To gather certain types of information, it is sometimes helpful for a Platform9 support engineer logged in as the ‘pf9’ user to run commands with elevated privileges using the sudo utility. To allow this:

  1. sudo must be enabled for the ‘pf9’ user
  2. sudo must allow the ‘pf9’ user to authenticate without a password.

ARS uses one-time SSH keys for login, and therefore the ‘pf9’ user does not have a password by default.

Consult your Linux operating system’s documentation for specific instructions on how to configure this.
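
The shell script below is an added example, not part of the original article or of Platform9's tooling. It checks the two prerequisites described above: that sshd leaves key-based authentication enabled, and that a sudoers rule lets the pf9 user (directly or through a group) run sudo without a password. The function names are hypothetical and the file contents it writes are constructed samples.

```shell
#!/bin/sh
# Added example (not Platform9 code): checks the node prerequisites above.
# Each function reads a file path, so it works on live config or a saved copy.

# pubkey_auth_enabled FILE
# Succeeds when the sshd settings in FILE leave key-based login enabled.
# sshd keeps the first value it reads for a keyword, and PubkeyAuthentication
# defaults to "yes" when absent. Match blocks are not interpreted here; saved
# `sshd -T` output can be passed as FILE to check the effective settings.
pubkey_auth_enabled() {
    value=$(awk 'tolower($1) == "pubkeyauthentication" { print tolower($2); exit }' "$1")
    [ "${value:-yes}" = "yes" ]
}

# nopasswd_rules FILE NAME...
# Prints "user: <rule>" or "group: <rule>" for each sudoers rule in FILE that
# starts with one of NAME (a user such as pf9, or a %group) and carries the
# NOPASSWD tag. A group rule applies to every member of that group, so the
# scope is reported. Included files are not followed: pass each file in turn.
nopasswd_rules() {
    file=$1; shift
    awk -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ { next }    # comments and #include lines
        ($1 in want) && /NOPASSWD:/ {
            scope = (substr($1, 1, 1) == "%") ? "group" : "user"
            print scope ": " $0
        }
    ' "$file"
}

# Constructed sample input, written to a scratch directory for the demo.
demo=$(mktemp -d)
printf '%s\n' '#PasswordAuthentication yes' 'PubkeyAuthentication yes' > "$demo/sshd_config"
printf '%s\n' 'root ALL=(ALL) ALL' '%wheel ALL=(ALL) ALL' \
    '%wheel ALL=(ALL) NOPASSWD: ALL' > "$demo/sudoers"

pubkey_auth_enabled "$demo/sshd_config" && echo "sshd: key-based login enabled"
nopasswd_rules "$demo/sudoers" pf9 %wheel
```

On a live node, `sudo -l -U pf9` run as root lists the rules that sudo itself resolves for the user, including any files pulled in from /etc/sudoers.d.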

RHEL and CentOS

On Red Hat-based systems, this can usually be accomplished by adding the pf9 user to the wheel group. Run the following command to accomplish this, substituting wheel for groupname and pf9 for username: usermod -aG groupname username

Next, run the visudo command to edit the sudo rules to ensure that members of the wheel group can authenticate without a password. Below is the line we need to configure:

Debian and Ubuntu

On Debian-based systems, this can be accomplished by adding the pf9 user to the wheel group. Run the command below to add the user.

Next, run the visudo command to edit the sudo rules to ensure that members of the wheel group can authenticate without a password. Below is the line we need to configure:

Notify Platform9 Support Team

Communicate with your Platform9 support representative to:

  • Securely exchange the pf9 user’s password.
  • Identify the host that should be logged onto, by sharing the contents of the host’s /etc/pf9/host_id.conf file or the host’s hostname.
  • Agree on a time window for a support technician to log on to the host.

Disable Advanced Remote Support

To disable advanced remote support, simply uncheck the box under host configuration (see step 1 above).

  Last updated by Anmol Sachan