Merged
Expand Up @@ -24,8 +24,8 @@ The first time that you access the {% data variables.enterprise.management_conso
## Accessing the {% data variables.enterprise.management_console %} as an unauthenticated user

1. Visit this URL in your browser, replacing `hostname` with your actual {% data variables.product.prodname_ghe_server %} hostname or IP address:
```shell
http(s)://HOSTNAME/setup
```
```shell
http(s)://HOSTNAME/setup
```
{% data reusables.enterprise_management_console.type-management-console-password %}
{% data reusables.enterprise_management_console.click-continue-authentication %}
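Review bot: the step text tells the reader to replace `hostname`, but the block uses `HOSTNAME`; align the two (use `HOSTNAME` in the sentence as well) so the placeholder is unambiguous. The `http(s)://HOSTNAME/setup` block is a URL rather than a command, so a `text` fence (or inline code) would be more accurate than `shell`. Since the old and new lines are identical as rendered, this hunk is an indentation-only change; confirm the fence indent matches the `1.` list item so the block renders nested under the step rather than breaking the list.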
Expand Up @@ -30,32 +30,32 @@ We do not recommend customizing UFW as it can complicate some troubleshooting is

{% data reusables.enterprise_installation.ssh-into-instance %}
2. To view the default firewall rules, use the `sudo ufw status` command. You should see output similar to this:
```shell
$ sudo ufw status
> Status: active
> To Action From
> -- ------ ----
> ghe-1194 ALLOW Anywhere
> ghe-122 ALLOW Anywhere
> ghe-161 ALLOW Anywhere
> ghe-22 ALLOW Anywhere
> ghe-25 ALLOW Anywhere
> ghe-443 ALLOW Anywhere
> ghe-80 ALLOW Anywhere
> ghe-8080 ALLOW Anywhere
> ghe-8443 ALLOW Anywhere
> ghe-9418 ALLOW Anywhere
> ghe-1194 (v6) ALLOW Anywhere (v6)
> ghe-122 (v6) ALLOW Anywhere (v6)
> ghe-161 (v6) ALLOW Anywhere (v6)
> ghe-22 (v6) ALLOW Anywhere (v6)
> ghe-25 (v6) ALLOW Anywhere (v6)
> ghe-443 (v6) ALLOW Anywhere (v6)
> ghe-80 (v6) ALLOW Anywhere (v6)
> ghe-8080 (v6) ALLOW Anywhere (v6)
> ghe-8443 (v6) ALLOW Anywhere (v6)
> ghe-9418 (v6) ALLOW Anywhere (v6)
```
```shell
$ sudo ufw status
> Status: active
> To Action From
> -- ------ ----
> ghe-1194 ALLOW Anywhere
> ghe-122 ALLOW Anywhere
> ghe-161 ALLOW Anywhere
> ghe-22 ALLOW Anywhere
> ghe-25 ALLOW Anywhere
> ghe-443 ALLOW Anywhere
> ghe-80 ALLOW Anywhere
> ghe-8080 ALLOW Anywhere
> ghe-8443 ALLOW Anywhere
> ghe-9418 ALLOW Anywhere
> ghe-1194 (v6) ALLOW Anywhere (v6)
> ghe-122 (v6) ALLOW Anywhere (v6)
> ghe-161 (v6) ALLOW Anywhere (v6)
> ghe-22 (v6) ALLOW Anywhere (v6)
> ghe-25 (v6) ALLOW Anywhere (v6)
> ghe-443 (v6) ALLOW Anywhere (v6)
> ghe-80 (v6) ALLOW Anywhere (v6)
> ghe-8080 (v6) ALLOW Anywhere (v6)
> ghe-8443 (v6) ALLOW Anywhere (v6)
> ghe-9418 (v6) ALLOW Anywhere (v6)
```

## Adding custom firewall rules

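Review bot: the numbered list opens at `2.` because the preceding `{% data reusables.enterprise_installation.ssh-into-instance %}` include is expected to render step 1; after re-indenting the fenced output block, check the rendered page still numbers the steps 1, 2 rather than restarting at 1. The `ufw status` output lists every `ghe-*` application profile as `ALLOW Anywhere` for both v4 and v6, and this is the baseline a reader compares against later in the page; a sentence saying that any rule not in this list is a customization that has to be reapplied after an upgrade (which the page states further down) would make the purpose of the listing clear here.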
Expand All @@ -67,13 +67,13 @@ We do not recommend customizing UFW as it can complicate some troubleshooting is

1. Configure a custom firewall rule.
2. Check the status of each new rule with the `status numbered` command.
```shell
$ sudo ufw status numbered
```
```shell
$ sudo ufw status numbered
```
3. To back up your custom firewall rules, use the `cp`command to move the rules to a new file.
```shell
$ sudo cp -r /etc/ufw ~/ufw.backup
```
```shell
$ sudo cp -r /etc/ufw ~/ufw.backup
```

After you upgrade {% data variables.location.product_location %}, you must reapply your custom firewall rules. We recommend that you create a script to reapply your firewall custom rules.

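Review bot: `cp`command in step 3 is missing the space before `command`. Step 1, "Configure a custom firewall rule.", gives no command, so the procedure cannot be reproduced from the page alone; either link to the UFW documentation or show one concrete rule. In the closing paragraph, "reapply your firewall custom rules" should read "reapply your custom firewall rules" to match the section heading.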
Expand All @@ -89,37 +89,37 @@ If something goes wrong after you change the firewall rules, you can reset the r

{% data reusables.enterprise_installation.ssh-into-instance %}
2. To restore the previous backup rules, copy them back to the firewall with the `cp` command.
```shell
$ sudo cp -f ~/ufw.backup/*rules /etc/ufw
```
```shell
$ sudo cp -f ~/ufw.backup/*rules /etc/ufw
```
3. Restart the firewall with the `systemctl` command.
```shell
$ sudo systemctl restart ufw
```
```shell
$ sudo systemctl restart ufw
```
4. Confirm that the rules are back to their defaults with the `ufw status` command.
```shell
$ sudo ufw status
> Status: active
> To Action From
> -- ------ ----
> ghe-1194 ALLOW Anywhere
> ghe-122 ALLOW Anywhere
> ghe-161 ALLOW Anywhere
> ghe-22 ALLOW Anywhere
> ghe-25 ALLOW Anywhere
> ghe-443 ALLOW Anywhere
> ghe-80 ALLOW Anywhere
> ghe-8080 ALLOW Anywhere
> ghe-8443 ALLOW Anywhere
> ghe-9418 ALLOW Anywhere
> ghe-1194 (v6) ALLOW Anywhere (v6)
> ghe-122 (v6) ALLOW Anywhere (v6)
> ghe-161 (v6) ALLOW Anywhere (v6)
> ghe-22 (v6) ALLOW Anywhere (v6)
> ghe-25 (v6) ALLOW Anywhere (v6)
> ghe-443 (v6) ALLOW Anywhere (v6)
> ghe-80 (v6) ALLOW Anywhere (v6)
> ghe-8080 (v6) ALLOW Anywhere (v6)
> ghe-8443 (v6) ALLOW Anywhere (v6)
> ghe-9418 (v6) ALLOW Anywhere (v6)
```
```shell
$ sudo ufw status
> Status: active
> To Action From
> -- ------ ----
> ghe-1194 ALLOW Anywhere
> ghe-122 ALLOW Anywhere
> ghe-161 ALLOW Anywhere
> ghe-22 ALLOW Anywhere
> ghe-25 ALLOW Anywhere
> ghe-443 ALLOW Anywhere
> ghe-80 ALLOW Anywhere
> ghe-8080 ALLOW Anywhere
> ghe-8443 ALLOW Anywhere
> ghe-9418 ALLOW Anywhere
> ghe-1194 (v6) ALLOW Anywhere (v6)
> ghe-122 (v6) ALLOW Anywhere (v6)
> ghe-161 (v6) ALLOW Anywhere (v6)
> ghe-22 (v6) ALLOW Anywhere (v6)
> ghe-25 (v6) ALLOW Anywhere (v6)
> ghe-443 (v6) ALLOW Anywhere (v6)
> ghe-80 (v6) ALLOW Anywhere (v6)
> ghe-8080 (v6) ALLOW Anywhere (v6)
> ghe-8443 (v6) ALLOW Anywhere (v6)
> ghe-9418 (v6) ALLOW Anywhere (v6)
```
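Review bot: step 4 says to confirm the rules are "back to their defaults", but step 2 restores whatever is in `~/ufw.backup`, which the earlier backup step copied from `/etc/ufw` at the moment it was run; the expected output shown here only matches if that backup was taken before any custom rules were added. State that precondition explicitly, or describe the check as confirming the rules match the backed-up set. The `cp -f ~/ufw.backup/*rules /etc/ufw` glob deliberately copies `before.rules`, `after.rules`, `user.rules` and their v6 counterparts together; saying so would stop a reader from trimming the backup to `user.rules` only.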
Expand Up @@ -25,13 +25,13 @@ shortTitle: Troubleshoot TLS errors
If you have a Linux machine with OpenSSL installed, you can remove your passphrase.

1. Rename your original key file.
```shell
$ mv yourdomain.key yourdomain.key.orig
```
```shell
$ mv yourdomain.key yourdomain.key.orig
```
2. Generate a new key without a passphrase.
```shell
$ openssl rsa -in yourdomain.key.orig -out yourdomain.key
```
```shell
$ openssl rsa -in yourdomain.key.orig -out yourdomain.key
```

You'll be prompted for the key's passphrase when you run this command.

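Review bot: `openssl rsa -in yourdomain.key.orig -out yourdomain.key` writes the private key to disk unencrypted, which is the stated goal, but the page should add that the resulting file needs restrictive permissions (`chmod 600 yourdomain.key`) and that `yourdomain.key.orig` should be kept in a protected location or removed deliberately rather than left beside it. The command also assumes an RSA key; for an EC key the equivalent is `openssl ec`, or `openssl pkey -in yourdomain.key.orig -out yourdomain.key`, which handles either type. The old and new blocks are identical as rendered, so this is an indentation-only change; check that the passphrase-prompt sentence after the block stays attached to step 2 once the fence is indented.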
Expand Down Expand Up @@ -69,17 +69,17 @@ If your {% data variables.product.prodname_ghe_server %} appliance interacts wit

1. Obtain the CA's root certificate from your local certificate authority and ensure it is in PEM format.
2. Copy the file to your {% data variables.product.prodname_ghe_server %} appliance over SSH as the "admin" user on port 122.
```shell
$ scp -P 122 rootCA.crt admin@HOSTNAME:/home/admin
```
```shell
$ scp -P 122 rootCA.crt admin@HOSTNAME:/home/admin
```
3. Connect to the {% data variables.product.prodname_ghe_server %} administrative shell over SSH as the "admin" user on port 122.
```shell
$ ssh -p 122 admin@HOSTNAME
```
```shell
$ ssh -p 122 admin@HOSTNAME
```
4. Import the certificate into the system-wide certificate store.
```shell
$ ghe-ssl-ca-certificate-install -c rootCA.crt
```
```shell
$ ghe-ssl-ca-certificate-install -c rootCA.crt
```

## Updating a TLS certificate

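Review bot: step 1 asks the reader to ensure the root certificate is in PEM format but gives no way to check; a one-line verification such as `openssl x509 -in rootCA.crt -noout -subject -issuer` (which fails on DER input) would make the step actionable before the `scp`. Step 4 runs `ghe-ssl-ca-certificate-install -c rootCA.crt` with a relative path, which works only because the `ssh` session from step 3 starts in `/home/admin`, the directory the file was copied to in step 2; say so, or use the absolute path, so the step does not break if the reader changes directory first.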
Expand Up @@ -48,33 +48,33 @@ You can configure [Nagios](https://www.nagios.org/) to monitor {% data variables

### Configuring the Nagios host
1. Generate an SSH key with a blank passphrase. Nagios uses this to authenticate to the {% data variables.product.prodname_ghe_server %} cluster.
```shell
nagiosuser@nagios:~$ ssh-keygen -t ed25519
> Generating public/private ed25519 key pair.
> Enter file in which to save the key (/home/nagiosuser/.ssh/id_ed25519):
> Enter passphrase (empty for no passphrase): LEAVE BLANK BY PRESSING ENTER
> Enter same passphrase again: PRESS ENTER AGAIN
> Your identification has been saved in /home/nagiosuser/.ssh/id_ed25519.
> Your public key has been saved in /home/nagiosuser/.ssh/id_ed25519.pub.
```
{% danger %}

**Security Warning:** An SSH key without a passphrase can pose a security risk if authorized for full access to a host. Limit this key's authorization to a single read-only command.

{% enddanger %}
{% note %}

**Note:** If you're using a distribution of Linux that doesn't support the Ed25519 algorithm, use the command:
```shell
nagiosuser@nagios:~$ ssh-keygen -t rsa -b 4096
```

{% endnote %}
```shell
nagiosuser@nagios:~$ ssh-keygen -t ed25519
> Generating public/private ed25519 key pair.
> Enter file in which to save the key (/home/nagiosuser/.ssh/id_ed25519):
> Enter passphrase (empty for no passphrase): LEAVE BLANK BY PRESSING ENTER
> Enter same passphrase again: PRESS ENTER AGAIN
> Your identification has been saved in /home/nagiosuser/.ssh/id_ed25519.
> Your public key has been saved in /home/nagiosuser/.ssh/id_ed25519.pub.
```
{% danger %}

**Security Warning:** An SSH key without a passphrase can pose a security risk if authorized for full access to a host. Limit this key's authorization to a single read-only command.

{% enddanger %}
{% note %}

**Note:** If you're using a distribution of Linux that doesn't support the Ed25519 algorithm, use the command:
```shell
nagiosuser@nagios:~$ ssh-keygen -t rsa -b 4096
```

{% endnote %}
2. Copy the private key (`id_ed25519`) to the `nagios` home folder and set the appropriate ownership.
```shell
nagiosuser@nagios:~$ sudo cp .ssh/id_ed25519 /var/lib/nagios/.ssh/
nagiosuser@nagios:~$ sudo chown nagios:nagios /var/lib/nagios/.ssh/id_ed25519
```
```shell
nagiosuser@nagios:~$ sudo cp .ssh/id_ed25519 /var/lib/nagios/.ssh/
nagiosuser@nagios:~$ sudo chown nagios:nagios /var/lib/nagios/.ssh/id_ed25519
```

3. To authorize the public key to run *only* the `ghe-cluster-status -n` command, use a `command=` prefix in the `/data/user/common/authorized_keys` file. From the administrative shell on any node, modify this file to add the public key generated in step 1. For example: `command="/usr/local/bin/ghe-cluster-status -n" ssh-ed25519 AAAA....`

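Review bot: the `{% danger %}` block tells the reader to limit the passphrase-less key to a single read-only command, and step 3 shows `command="/usr/local/bin/ghe-cluster-status -n"`; the example should also carry the `restrict` option (or `no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding`) in front of `command=`, since `command=` alone still permits port and agent forwarding over the forced-command session. Step 2 copies the private key and sets ownership but not mode; adding `sudo chmod 600 /var/lib/nagios/.ssh/id_ed25519` makes the step robust regardless of the source file's permissions and the umask, as `ssh` refuses a private key that is readable by other users. Style: `{% enddanger %}` and `{% note %}` sit on adjacent lines with no blank line between them, unlike the blank lines used inside each block.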
Expand All @@ -88,39 +88,39 @@ You can configure [Nagios](https://www.nagios.org/) to monitor {% data variables
```

5. To test that the Nagios plugin can successfully execute the command, run it interactively from Nagios host.
```shell
nagiosuser@nagios:~$ /usr/lib/nagios/plugins/check_by_ssh -l admin -p 122 -H HOSTNAME -C "ghe-cluster-status -n" -t 30
> OK - No errors detected
```
```shell
nagiosuser@nagios:~$ /usr/lib/nagios/plugins/check_by_ssh -l admin -p 122 -H HOSTNAME -C "ghe-cluster-status -n" -t 30
> OK - No errors detected
```

6. Create a command definition in your Nagios configuration.

**Example definition**
**Example definition**

```
define command {
```
define command {
command_name check_ssh_ghe_cluster
command_line $USER1$/check_by_ssh -H $HOSTADDRESS$ -C "ghe-cluster-status -n" -l admin -p 122 -t 30
}
```
}
```
7. Add this command to a service definition for a node in the {% data variables.product.prodname_ghe_server %} cluster.

**Example definition**
**Example definition**

```
define host{
```
define host{
use generic-host
host_name ghe-data-node-0
alias ghe-data-node-0
address 10.11.17.180
}

define service{
define service{
use generic-service
host_name ghe-data-node-0
service_description GitHub Cluster Status
check_command check_ssh_ghe_cluster
}
```
```

After you add the definition to Nagios, the service check executes according to your configuration. You should be able to see the newly configured service in the Nagios web interface.
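Review bot: the fences around both example definitions have no language tag while the rest of the page tags its blocks `shell`; tagging them (for example `text`) keeps rendering consistent. Within the definitions, `define host{` and `define service{` lack the space before `{` that `define command {` has; Nagios accepts both, but the three should match. The service example ties `check_ssh_ghe_cluster` to the single host `ghe-data-node-0` at `10.11.17.180`; a sentence stating that a service definition is needed for each cluster node to be monitored (or that a hostgroup can be used) would help, since the step heading says "a node".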