# RMU Build: Teleport Setup

Provision the Teleport container on the Gen-1.5 RMU, install the Teleport software, share RMU services through Teleport, and reference notes on roles, tokens, and upgrades.

This page covers section III of the Gen-1 to Gen-1.5 RMU build runbook. Teleport provides secure remote access to all of the services installed on the RMU.

Complete the Proxmox setup before starting.
## A. Create Teleport CT

- From the main Proxmox page, click Create CT (top right) to open the Create: LXC Container dialog.
- Tick Advanced and configure:
  - CT ID: `122`
  - Hostname: `<dc>-teleport`
  - Set a non-trivial password for `root` and store it in your password manager under `<dc> Teleport`. Optionally add your SSH public key.

  Click Next.
- Select the `ubuntu-22.04-standard` template. Click Next.
- Accept the default disk size. Click Next.
- Set Cores to `4`. Click Next.
- Set Memory and Swap to `2048`. Click Next.
- Configure the network:
  - Bridge: `vmbr1` (LAN)
  - Uncheck Firewall.
  - IPv4: `Static`, IP `10.10.100.22/24` (CIDR is required)
  - Gateway: `10.10.100.1`
  - IPv6: `SLAAC`

  Click Next.
- No changes are required on the DNS tab. Click Next.
- Tick Start after created and click Finish.
- When complete, close the dialog window.
- After the container starts, ensure Proxmox has it set to start at boot. Select the container in the left navigation, click Options, double-click Start at boot, tick the box, and click OK.
- Select Network from the left navigation menu and click Add.
- Configure the second interface:
  - Name: `eth1`
  - Bridge: `vmbr2`
  - Uncheck Firewall.
  - Leave IPv4 as `Static` with the IP information blank.
  - IPv6: `SLAAC`

  Click Add.
- Open the Console tab and run the following in the shell (you may need to log in to the Teleport CT again). Capture the IPv6 address:

  ```sh
  ip address show eth1
  ```
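For builds that are scripted rather than clicked through, the following added example (not part of the runbook) assembles the `pct create` command line that reproduces the Create CT dialog settings above on the Proxmox host. The template file name and the `local-lvm:8` root disk are assumptions; check `pveam list local` and `pvesm status` on your node and adjust them. The function refuses an IPv4 address without a CIDR prefix, which is the mistake the dialog itself rejects.

```shell
#!/bin/sh
# Added example, not from the runbook: build the `pct create` command that
# matches the Create CT dialog settings for the Teleport container (CT 122).
# Assumed values (verify on your node): template file name and root disk storage.
TEMPLATE="local:vztmpl/ubuntu-22.04-standard_22.04-1_amd64.tar.zst"   # assumed file name
ROOTFS="local-lvm:8"                                                   # assumed storage, 8 GiB

# teleport_ct_create_cmd <dc> <ipv4/cidr> [ssh_pubkey_file]
# Prints the pct command line on stdout; returns 1 if the IPv4 address has no
# CIDR prefix (the dialog requires one, and pct would reject it as well).
teleport_ct_create_cmd() {
    dc="$1"; ip4="$2"; pubkey="${3:-}"
    case "$ip4" in
        */[0-9]|*/[0-9][0-9]) ;;
        *) echo "error: IPv4 must be in CIDR form, e.g. 10.10.100.22/24 (got '$ip4')" >&2
           return 1 ;;
    esac
    cmd="pct create 122 $TEMPLATE --hostname ${dc}-teleport"
    cmd="$cmd --cores 4 --memory 2048 --swap 2048 --rootfs $ROOTFS"
    # eth0 on vmbr1 (LAN): static IPv4 with gateway, SLAAC IPv6, Proxmox firewall off
    cmd="$cmd --net0 name=eth0,bridge=vmbr1,firewall=0,ip=${ip4},gw=10.10.100.1,ip6=auto"
    # eth1 on vmbr2: no IPv4 address, SLAAC IPv6, Proxmox firewall off
    cmd="$cmd --net1 name=eth1,bridge=vmbr2,firewall=0,ip6=auto"
    # Start at boot and start after creation, as in the dialog
    cmd="$cmd --onboot 1 --start 1"
    # The root password is deliberately not put on the command line (it would end
    # up in shell history and `ps` output); set it afterwards with: pct exec 122 -- passwd
    if [ -n "$pubkey" ]; then
        cmd="$cmd --ssh-public-keys $pubkey"
    fi
    printf '%s\n' "$cmd"
}

# Usage on the Proxmox host (prints the command; review it, then pipe to sh):
#   teleport_ct_create_cmd tp1 10.10.100.22/24 /root/.ssh/id_ed25519.pub
```

The function only prints the command so that the generated line can be reviewed before it is executed; the remaining steps of section A (second interface, start at boot) are already folded into the `--net1` and `--onboot` options.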
## B. Install Teleport software

- Update the Teleport host. From RMU > 122 (teleport) > Console, log in with `root` and the password you set when creating the container, then run:

  ```sh
  apt update
  apt upgrade -y
  reboot
  ```

- Log back in to the Teleport server, then create a non-root administrator account (replace `admin` with the username you prefer):

  ```sh
  useradd -u 1000 -U -m -c "Admin" -s /bin/bash admin
  ```

- Install Teleport. Browse to github.com/gravitational/teleport/releases and find the most recent version tagged Latest. Substitute the version number into the install command:

  ```sh
  apt install curl net-tools -y
  curl https://goteleport.com/static/install.sh | bash -s <teleport version>
  ```

- Configure Teleport. Edit the email address and cluster name to your own. The `cluster-name` should match the `teleport.<domain>` DNS record you created in Prerequisites:

  ```sh
  teleport configure -o file \
    --acme --acme-email=<email address> \
    --cluster-name=teleport.<domain>
  ```

- Open `/etc/teleport.yaml` in your editor and adjust:
  - Under `ssh_service:`, add a `labels:` section:

    ```yaml
    labels:
      dc: "<dc>"
      login: "<admin user login>"
    ```

  - Remove the `commands:` section:

    ```yaml
    commands:
    - name: hostname
      command: [hostname]
      period: 1m0s
    ```

  - Save and quit the file.

- Start the Teleport service:

  ```sh
  systemctl enable teleport
  systemctl start teleport
  ```

- Create a `teleport` directory in `root`'s home:

  ```sh
  mkdir teleport
  ```

- Create a YAML role file in `/root/teleport/` (you can name the file freely; if you change it, also change `metadata.name` to match). Replace `<admin>` in `logins:` with your administrator username.

  `/root/teleport/team.yaml`:

  ```yaml
  kind: role
  version: v7
  metadata:
    name: team
  spec:
    allow:
      # List of logins to try for ssh
      logins: [root, ubuntu, <admin>, '{{internal.logins}}']
      # Allow PFOps access to all nodes (ssh)
      node_labels:
        '*': '*'
      # Automatic sudoers entry upon login
      host_sudoers:
        - 'ALL=(ALL) NOPASSWD: ALL'
      # Allow PFOps to access all Apps (web, etc)
      app_labels:
        '*': '*'
      # Future K8S stuff
      kubernetes_groups: ['{{internal.kubernetes_groups}}']
      kubernetes_labels:
        '*': '*'
      kubernetes_resources:
        - kind: '*'
          namespace: '*'
          name: '*'
          verbs: ['*']
  ```

- Import the role into the Teleport server:

  ```sh
  tctl create -f /root/teleport/team.yaml
  ```

- Create users (invitation links are valid for 24 hours). Use this exact syntax:

  ```sh
  for USER in <username> <username> <username> <username>; do
    tctl users add --roles=team --ttl=24h ${USER}
  done
  ```

  The command produces a URL for every user listed. Each user clicks their link, sets a password, and configures multi-factor authentication by scanning the QR code with an MFA app.

- Once a user completes setup they are taken to the Teleport home screen.
## C. Share RMU services via Teleport

Reference video: Sharing services via Teleport.

> [!TIP]
> Use Proxmox to open separate shell windows for the Teleport server and the RMU server — it makes copy/paste between them easier.

### On the Teleport server

- Create a short-lived token to "invite" the Proxmox application. Edit `<dc>` for your data center code:

  ```sh
  sudo tctl tokens add \
    --type=app,node \
    --app-name=<dc>-proxmox-webui \
    --app-uri=https://localhost:8006
  ```

  Take note of the `token` and `ca_pin` values.

### On the RMU server

- Install pre-requisite packages:

  ```sh
  apt update -y && apt upgrade -y && apt install sudo -y
  ```

- Install the Teleport agent. Use the same Teleport version you installed earlier:

  ```sh
  sudo curl https://goteleport.com/static/install.sh | bash -s <Teleport Version>
  ```

- Create the Teleport application config. Point `--proxy` at your Teleport domain name and set `--app-name` to match your data center code (for example `tp1`, `bu1`, `dl1`):

  ```sh
  sudo teleport configure --output=file \
    --proxy=teleport.<domain name>:443 \
    --token=/var/lib/teleport/token \
    --roles=app,node \
    --app-name=<dc>-proxmox-webui \
    --app-uri=https://localhost:8006
  ```

- Save the token generated on the Teleport server:

  ```sh
  sudo vi /var/lib/teleport/token
  ```

- Save the `ca_pin` generated on the Teleport server:

  ```sh
  sudo vi /var/lib/teleport/ca_pin
  ```

- Edit `/etc/teleport.yaml` to update the `ca_pin` resource and labels:

  ```sh
  sudo vi /etc/teleport.yaml
  ```

  - Set the `ca_pin` resource path to `/var/lib/teleport/ca_pin`.
  - Under `ssh_service:`, at the same indentation as `enabled: "yes"`, add:

    ```yaml
    labels:
      dc: "<dc>"
      login: "root"
    ```

  - Remove the `commands:` section:

    ```yaml
    commands:
    - name: hostname
      command: [hostname]
      period: 1m0s
    ```

  - Under `name: <dc>-proxmox-webui`, at the same indentation as `insecure_skip_verify:`, change `insecure_skip_verify:` to `true` and add:

    ```yaml
    labels:
      dc: "<dc>"
    ```

  Sample `/etc/teleport.yaml`:

  ```yaml
  version: v3
  teleport:
    nodename: rmu
    data_dir: /var/lib/teleport
    join_params:
      token_name: /var/lib/teleport/token
      method: token
    proxy_server: teleport.<dc>.<domain.name>:443
    log:
      output: stderr
      severity: INFO
      format:
        output: text
    ca_pin: /var/lib/teleport/ca_pin
    diag_addr: ""
  auth_service:
    enabled: "no"
  ssh_service:
    enabled: "yes"
    labels:
      dc: "<dc>"
      login: "root"
  proxy_service:
    enabled: "no"
    https_keypairs: []
    https_keypairs_reload_interval: 0s
    acme: {}
  app_service:
    enabled: "yes"
    debug_app: false
    apps:
    - name: <dc>-proxmox-webui
      uri: https://localhost:8006
      public_addr: ""
      insecure_skip_verify: true
      labels:
        dc: "<dc>"
  ```

- Add Teleport to `/etc/hosts`:

  ```sh
  sudo vi /etc/hosts
  ```

  Add an entry of:

  ```
  10.10.100.22 teleport.<domain>
  ```

  This matches the entry created in Prerequisites — Domain Name. Save and quit.

- Start the Teleport agent:

  ```sh
  sudo systemctl enable teleport
  sudo systemctl start teleport
  ```
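The agent-side steps above leave three hand-edited files and one hosts entry on the RMU, and a typo in any of them (a pasted prompt in the pin file, a token readable by every local user, a missing `ca_pin:` line) only shows up when the join fails. The following added check is not part of the runbook; it is a hypothetical helper that verifies those artefacts before `systemctl start teleport`. It assumes the RMU-side paths from section C (`/var/lib/teleport/token`, `/var/lib/teleport/ca_pin`, `/etc/teleport.yaml`, `/etc/hosts`) and the `sha256:<hex>` pin format that `tctl tokens add` prints; every path is a parameter so the check can also be run against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the runbook: pre-start sanity check for the Teleport
# agent files that section C creates on the RMU. Hypothetical helper; paths are
# parameters so it runs against the real host or a scratch directory.

# check_teleport_agent_files <token_file> <ca_pin_file> <teleport_yaml> <hosts_file> <teleport_fqdn>
# Prints one FAIL line per problem and returns 1; returns 0 when every check passes.
check_teleport_agent_files() {
    token="$1"; ca_pin="$2"; cfg="$3"; hosts="$4"; fqdn="$5"
    rc=0

    # The join token is a bearer secret: it must exist, be non-empty, and be
    # readable by root only (the file is created with vi, so the mode is whatever
    # the umask gave it).
    if [ ! -s "$token" ]; then
        echo "FAIL: token file $token is missing or empty"; rc=1
    elif [ "$(stat -c '%a' "$token")" != "600" ]; then
        echo "FAIL: $token should be mode 600 (is $(stat -c '%a' "$token")); fix with: chmod 600 $token"; rc=1
    fi

    # tctl prints the CA pin as sha256:<64 hex chars>. Anything else in the file
    # (a second line, a pasted prompt, a trailing space) makes the join fail.
    if [ "$(grep -Ec '^sha256:[0-9a-f]{64}$' "$ca_pin" 2>/dev/null)" != "1" ]; then
        echo "FAIL: $ca_pin must hold exactly one line of the form sha256:<64 hex chars>"; rc=1
    fi

    # teleport.yaml must reference the pin file; without it the cluster CA is not pinned.
    if ! grep -Eq "^[[:space:]]*ca_pin:[[:space:]]*$ca_pin[[:space:]]*$" "$cfg" 2>/dev/null; then
        echo "FAIL: $cfg does not set ca_pin: $ca_pin"; rc=1
    fi

    # The proxy name must resolve to the Teleport CT through the /etc/hosts entry.
    if ! grep -Eq "^[[:space:]]*10\.10\.100\.22[[:space:]]+$fqdn([[:space:]]|$)" "$hosts" 2>/dev/null; then
        echo "FAIL: $hosts has no '10.10.100.22 $fqdn' entry"; rc=1
    fi

    return "$rc"
}

# Run against the real host paths when invoked with --run (as root), for example:
#   sh check-teleport-agent.sh --run teleport.<domain>
if [ "${1:-}" = "--run" ]; then
    check_teleport_agent_files /var/lib/teleport/token /var/lib/teleport/ca_pin \
        /etc/teleport.yaml /etc/hosts "${2:?teleport fqdn required}"
fi
```

Run it once after the edits and before `sudo systemctl start teleport`; a clean exit means the token is protected, the pin is well-formed and referenced, and the proxy name resolves locally, which covers the usual reasons the agent fails to join.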
## D. Teleport notes

These reference notes cover Teleport upkeep and access control.

### Fat clients

Download and install Teleport Community Edition.

### Reference doc for access controls

Access Controls Reference Documentation.

### Notes

- To see all apps and SSH connections, a user must have the `access` role.
- If you ever lock yourself out with a bad role update, run `tctl edit user/username` as `root` on the Teleport server.

### Process for version upgrades

Upgrading the Teleport Binary.

- Visit github.com/gravitational/teleport/releases to find the latest release version to feed to the `curl | bash` command.

### Teleport token types

Join Services with a Secure Token.

### Teleport signal reference

### Adding additional user attributes and traits

User traits and roles can be imported via a YAML resource:

```yaml
kind: user
version: v2
metadata:
  name: showard
spec:
  roles: ['admin','pfops']
  traits:
    logins: ['maas']
    kubernetes_groups: ['edit']
```

---

## Continue

Proceed to Create Proxmox CT for MaaS.

## Related

- RMU build — Gen-1.5 — the parent runbook index.
- RMU Build: Proxmox Setup — the previous section.
- RMU Build: MaaS Setup — the next section.