
This instance is the one team members will connect to for any Roost activity.

5.1 Launch Control Plane Instance

Create an EC2 instance with the steps mentioned below.

  1. Launch EC2 instance

  2. Choose Ubuntu 20 (ubuntu-focal-20.04) AMI

  3. Instance Type as t3.medium

  4. A security group that allows the control-plane traffic below, either from any source IP or only from the private VPC/subnets:

    • SSH (port 22)

    • HTTP (port 80)

    • HTTPS (port 443)

    • Custom TCP port 2502 (for STUN)

    • TCP port 5000 for the Docker host

    • TCP port 5002 for the Docker insecure registry

    • TCP port 60001 for the JumpHost RoostApi server

    • TCP port 60002 for the ClusterLauncher

    • TCP port 60003 for the EaaS API server

    • TCP port 60005 for the Cypress video server

    • TCP port 60006 for the web console (gotty) default service, run as the ubuntu user

    • TCP ports 62020-62050 for dynamic gotty ports, mapped to individual users

  5. Root volume storage of 20 GB or more.

  6. Preferably a separate EBS volume of 100 GB.

  7. Enable termination protection ("Avoid Accidental Termination") and disable "Delete on termination" for the EBS volume.

  8. Add tags and a key-pair, then launch.

  9. Download the key-pair and change its permissions to 0400.

  10. Review the configuration and launch the instance.

  11. Connect to the previously created EC2 instance using SSH once it is running.

5.2 Mount EBS volume

...

Code Block
lsblk

Use the EBS disk name that is not mounted (nvme1n1 in the commands below).

Code Block
# mkfs erases the device: confirm /dev/nvme1n1 is the unmounted EBS volume shown by lsblk
sudo mkfs -t ext4 /dev/nvme1n1
if [ ! -d /var/tmp/Roost ]; then
  sudo mkdir /var/tmp/Roost
fi
sudo mount /dev/nvme1n1 /var/tmp/Roost
sudo chown "$(id -u):$(id -g)" /var/tmp/Roost/
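Running mkfs on the wrong device destroys whatever is on it, so it is worth selecting the spare volume programmatically rather than reading the name off lsblk by eye. The script below is an added example, not part of the original guide: it parses `lsblk -J` output, accepts only a whole disk with no partitions, no filesystem and no mountpoint, and emits the format/mount/chown sequence above for that disk. The lsblk output it runs on is constructed for the sample run.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` on the control-plane
# instance: the 20 GB root volume (nvme0n1) and a spare, unformatted EBS volume (nvme1n1).
SAMPLE_LSBLK = """{
  "blockdevices": [
    {"name": "loop0", "type": "loop", "fstype": "squashfs", "mountpoint": "/snap/core20/1"},
    {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "nvme0n1p1", "type": "part", "fstype": "ext4", "mountpoint": "/"}
     ]},
    {"name": "nvme1n1", "type": "disk", "fstype": null, "mountpoint": null}
  ]
}"""


def unformatted_disks(lsblk_json: str) -> list:
    """Whole disks with no partitions, no filesystem and no mountpoint: the only safe mkfs targets."""
    devices = json.loads(lsblk_json)["blockdevices"]
    return [d["name"] for d in devices
            if d.get("type") == "disk" and not d.get("children")
            and not d.get("fstype") and not d.get("mountpoint")]


def choose_data_disk(lsblk_json: str) -> str:
    """Pick the single spare disk; refuse to guess when there are none or several."""
    candidates = unformatted_disks(lsblk_json)
    if len(candidates) != 1:
        raise RuntimeError(f"expected exactly one spare disk, found {candidates}")
    return candidates[0]


def mount_commands(disk: str, mountpoint: str = "/var/tmp/Roost") -> list:
    """The guide's format/mount/chown sequence for the chosen disk, for review before running."""
    return [f"sudo mkfs -t ext4 /dev/{disk}",
            f"sudo mkdir -p {mountpoint}",
            f"sudo mount /dev/{disk} {mountpoint}",
            f"sudo chown $(id -u):$(id -g) {mountpoint}"]


if __name__ == "__main__":
    # On the instance itself, feed in the live output of
    # `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` instead of SAMPLE_LSBLK.
    print("\n".join(mount_commands(choose_data_disk(SAMPLE_LSBLK))))
```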

5.3 Install SSL Certs

Code Block
mkdir -p /var/tmp/Roost/certs
cd /var/tmp/Roost/certs
# Copy your organisation's SSL certs here
# OR generate SSL certs (see the steps below)

Steps - Install SSL Certs

  1. Get the SSL_certs.key and SSL_certs.crt files for your organisation's domain and put them under a folder accessible to the current user, preferably /var/tmp/Roost/certs.

  2. It is possible to use a self-generated certificate (not recommended though).

  3. You can generate a self-signed certificate using the command given below.

  4. The "root.cer" will have to be installed as a trusted certificate authority on all Roost user systems. The article with steps for every OS is "Install the Certificate Authority".

  5. Instructions for generating the self-signed certs are given below.

    Code Block
    cd /var/tmp/Roost/certs
    curl -L https://remote-roostprod

    (if the EC2 instance is private then you will need another instance to act as a jump host)

  6. Mount the EBS volume and fetch the RoostInstaller (this step is taken care of by the command below, provided you specify the disk, e.g. DISK=nvme1n1)

    Code Block
    # the command below lists the disks available
    lsblk

    Code Block
    curl -s https://roost-stable.s3.us-west- ... 2.amazonaws.com/ ... enterprise/roost.sh | SETUP=1 DISK=nvme1n1 CUSTOMER=Lacework bash -

Update the root.cnf and server.cnf to reflect your organisation name and the DNS entries.

Run the openssl commands displayed in the output of get-certs.sh.

5.4 Roost Installation

Download Roost Installation Script

...


5.1 Configure Roost JSON

Code Block
vi /var/tmp/Roost

...

/

...

config.json

...

...

curl -L https://remote-roostprod.s3.us-west-1.amazonaws.com/main-config.json -o config.json

A sample config looks like the one below.

  1. Replace the values to reflect your organisation, especially DNS and admin_email. Keep the values for any provider that is not needed empty.

  2. Provide at least one set of oAuth client_id/secrets for the 3rd party provider.

  3. Update the ENV_DATABASE details to reflect the RDS host, user and password; keep them unchanged if the database is not external.

  4. Add JWT_SECRET.

  5. The recommended value of remote_console_proxy is the same as enterprise_dns, unless you want to start the proxy elsewhere.

  6. If your servers are behind a load balancer, use load_balancer : "true" for the different configuration.
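The rules in the list above are easy to check mechanically before the server is started. The script below is an added example, not part of the Roost guide (the check names and the trimmed sample config are assumptions): it flags sample placeholders left in config.json, namely a short or unchanged JWT_SECRET, no complete OAuth client_id/secret pair, the sample database passwords, and relative cert paths.

```python
import json

# Trimmed copy of the guide's sample config.json with its placeholder values left
# in place, constructed here so the checks below have something to flag.
SAMPLE_CONFIG = """{
  "enterprise_dns": "mycompany.io",
  "admin_email": "admin@mycompany.io",
  "enterprise_ssl_certificate_path": "/var/tmp/Roost/certs/server.cer",
  "enterprise_ssl_certificate_key_path": "/var/tmp/Roost/certs/server.key",
  "ENV_SERVER": {"JWT_SECRET": "32-character-secure-long-secret",
                 "GOOGLE_CLIENT_ID": "", "GOOGLE_CLIENT_SECRET": "",
                 "OKTA_CLIENT_ISSUER": "", "OKTA_CLIENT_ID": "", "OKTA_CLIENT_SECRET": ""},
  "ENV_DATABASE": {"MYSQL_HOST": "mysqldb_host_url", "MYSQL_USERNAME": "Roost",
                   "MYSQL_PASSWORD": "Roost#123", "MYSQL_ROOT_PASSWORD": "Admin#123"}
}"""

OAUTH_PROVIDERS = ("GOOGLE", "AZURE", "GITHUB", "LINKEDIN", "OKTA")
# Values copied verbatim from the sample; deploying any of them is a misconfiguration.
SAMPLE_SECRETS = {"32-character-secure-long-secret", "Roost#123", "Admin#123"}


def check_config(text: str) -> list:
    """Return the problems found in a Roost config.json; an empty list means it passed."""
    cfg = json.loads(text)
    server, db = cfg.get("ENV_SERVER", {}), cfg.get("ENV_DATABASE", {})
    problems = []
    for key in ("enterprise_dns", "admin_email"):
        if not cfg.get(key):
            problems.append(f"{key} must not be empty")
    jwt = server.get("JWT_SECRET", "")
    if len(jwt) < 32 or jwt in SAMPLE_SECRETS:
        problems.append("JWT_SECRET must be a unique secret of at least 32 characters")
    # At least one provider needs both its client id and secret; unused ones stay empty.
    complete = [p for p in OAUTH_PROVIDERS
                if server.get(f"{p}_CLIENT_ID") and server.get(f"{p}_CLIENT_SECRET")]
    if not complete:
        problems.append("no OAuth provider has both CLIENT_ID and CLIENT_SECRET set")
    for key in ("MYSQL_PASSWORD", "MYSQL_ROOT_PASSWORD"):
        if db.get(key, "") in SAMPLE_SECRETS:
            problems.append(f"{key} is still the sample password")
    for key in ("enterprise_ssl_certificate_path", "enterprise_ssl_certificate_key_path"):
        if not cfg.get(key, "").startswith("/"):
            problems.append(f"{key} must be an absolute path to the cert file")
    return problems


if __name__ == "__main__":
    for problem in check_config(SAMPLE_CONFIG):
        print("config.json:", problem)
```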

Sample config.json
Code Block
{
  "enterprise_name": "MyCompany",
  "enterprise_logo": "https://roost.ai/hubfs/logos/LOGO-roost.png",
  "enterprise_email_domain": "mycompany.io",
  "enterprise_dns": "mycompany.io",
  "remote_console_proxy": "mycompany.io",
  "admin_email": "admin@mycompany.io",
  "email_sender": "noreply@mycompany.io",
  "email_sender_pass": "",
  "email_smtp_host": "",
  "email_smtp_port" : 465,

  "load_balancer": "true",

  "enterprise_ssl_certificate_path": "/var/tmp/Roost/certs/server.cer",
  "enterprise_ssl_certificate_key_path": "/var/tmp/Roost/certs/server.key",

  "ENV_SERVER": {
    "DEFAULT_PORT": 3000,
    "JWT_SECRET": "32-character-secure-long-secret",

    "GOOGLE_CLIENT_ID": "",
    "GOOGLE_CLIENT_SECRET": "",
    "AZURE_CLIENT_ID": "",
    "AZURE_CLIENT_SECRET": "",
    "GITHUB_CLIENT_ID": "",
    "GITHUB_CLIENT_SECRET": "",
    "LINKEDIN_CLIENT_ID": "",
    "LINKEDIN_CLIENT_SECRET": "",
    "OKTA_CLIENT_ISSUER": "",
    "OKTA_CLIENT_ID": "",
    "OKTA_CLIENT_SECRET": ""
  },

  "is_own_sql": "true",
  "ENV_DATABASE": {
    "MYSQL_HOST": "mysqldb_host_url",
    "MYSQL_PORT": 3306,

    "MYSQL_USERNAME": "Roost",
    "MYSQL_PASSWORD": "Roost#123",
    "MYSQL_ROOT_PASSWORD": "Admin#123",
    "MYSQL_DB_NAME": "roostio"
  }
}

Start Roost Control Plane Server

Code Block
cd /var/tmp/Roost
./roost-enterprise.sh -i all -c config.json

...

Verifying the Roost.ai components

  1. Connect to <dns-name>/login using a browser

  2. Use the 3rd party auth to connect to the control-plane

...

Next Steps:

Go to Admin Settings and

  1. Enable the cloud vendor of your choice and provide default settings

  2. Add the Roost EAAS Server EC2 details under "Configure EAAS Server"

  3. Enable JumpHost and refresh the page

  4. Go to JumpHost settings and add the Roost EAAS Server EC2 details as the 'default' jumpHost

...
