FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Looking to upgrade from Dynatrace Managed to SaaS? See how

Installing Dynatrace cluster on hardened CIS image (Ubuntu 22.04)

Go to solution
Ardhi
Contributor

‎16 Dec 2022 01:26 AM - last edited on ‎19 Jun 2023 12:15 PM by Community Team

Hi,

We're installing Dynatrace Managed on customer premises but the Nginx service couldn't listen to port 443.
From the log, it seems forbidden. We could try to elevate Nginx user privileges but the concern here is the unknown implication (because it's in the internal steps of dynatrace-managed.sh script).

Right now also Nginx binds to port 8022 and in the Nginx.conf also nowhere to be found the port 443 configurations. Checked with "check" and "status" commands of dynatrace-managed.sh, all services are ok.

We have also pam_faillock(sudo_account):unknown option:unlock error during the installation. Not sure if this is related.

Please advise.

0 Kudos
Reply
5 REPLIES 5

Go to solution
Radoslaw_Szulgo
Dynatrace Guru
Dynatrace Guru

‎16 Dec 2022 08:56 AM

Hi @Ardhi ,

You're struggling to set it up because the "443" port is a "privileged port" in Linux operating systems (pam-related issues) 

The TCP/IP port numbers below 1024 are unique because normal users can't run servers on them. This is a security feature in that if you connect to a service on one of these ports, you can be reasonably sure that you have the real thing and not a fake that some hacker has put up for you.

(source: https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html)

 

That's why by default, in Dynatrace Managed installation, Nginx listens on port :8022, and we have iptables (nftables) rules that redirect the traffic from :443 to :8022. We don't recommend changing that configuration. 

 

If that's needed, then:

setcap 'cap_net_bind_service=+ep' /path/to/dynatrace-managed

And then anytime dynatrace-managed is executed thereafter, it will have the CAP_NET_BIND_SERVICE capability. setcap Is in the Debian package libcap2-bin.

Now for the caveats - You'll need at least a 2.6.24 kernel

Resources:

Note: RHEL first added this in v6. Not sure when Ubuntu has added this.

 

Senior Product Manager,
Dynatrace Managed expert
Reply

Go to solution
Ardhi
Contributor

‎19 Dec 2022 03:35 AM - edited ‎19 Dec 2022 06:19 AM

Screenshot 2022-12-19 at 10.34.34.png

Hi @Radoslaw_Szulgo ,

Thank you for the answer,
I put the setcap command and reinstalled but still not listening to 443 ...
Just wondering, if is this the case (not listening to 443) when the server is blocked for outbound connection to Dynatrace? I just realized cannot connect to mcsvc.dynatrace.com from the server.

EDIT: can connect to outgoing mcsvc.dynatrace.com, so this is not an issue

0 Kudos
Reply

Go to solution
Julius_Loman
DynaMight Legend
DynaMight Legend
In response to Ardhi

‎19 Dec 2022 07:27 AM

@Ardhi The NGINX does not listen on the 443/tcp for the reasons above, but there is iptables redirect for that purpose:

# ss -alt '( sport = 443 )'
State                 Recv-Q                 Send-Q                                 Local Address:Port                                 Peer Address:Port                 Process                 

# ss -alpt '( sport = :8022 )'
State                  Recv-Q                 Send-Q                                 Local Address:Port                                 Peer Address:Port                Process                 
LISTEN                 0                      511                                          0.0.0.0:8022                                      0.0.0.0:*                    users:(("nginx",pid=1510320,fd=7),("nginx",pid=1510319,fd=7),("nginx",pid=1510318,fd=7),("nginx",pid=1510317,fd=7),("nginx",pid=1510316,fd=7))

# iptables -t nat -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
REDIRECT   tcp  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL tcp dpt:https redir ports 8022

 

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner
Reply

Go to solution
Ardhi
Contributor
In response to Julius_Loman

‎19 Dec 2022 07:58 AM - edited ‎19 Dec 2022 08:24 AM

sorry can you elaborate? are you implying we don't have to listen to port 443?
here's attached

Screenshot 2022-12-19 at 14.55.28.png

my ports
Because I cannot open https://<ip address> / port 443 of the server in the browser

EDIT: now I can access after stopping nftables (checking from CIS list), not sure if this is related

0 Kudos
Reply

Go to solution
Julius_Loman
DynaMight Legend
DynaMight Legend
In response to Ardhi

‎19 Dec 2022 08:34 AM

@Ardhi yes, in your case it seems perfectly fine.

First you should check if you can connect locally to the cluster on the node:

# curl -v https://localhost -k


If this works, then most likely there is a firewall or something else between your browser and the cluster node preventing connections.

Certified Dynatrace Master | Alanata a.s., Slovakia, Dynatrace Master Partner
Reply
Ask a question

Featured Posts