Installing a Zenoss Cloud Collector virtual appliance

The Zenoss Cloud Collector virtual appliance is distributed in a variety of formats to meet your virtualization requirements.

Collectors are deployed in pools of N+1 hosts in one subnet. In general, Zenoss recommends deploying larger individual hosts rather than larger numbers of minimally-configured hosts—scale up rather than out. Also, collector pools should include no more than five hosts—four active hosts plus one failover host, all identically configured—and smaller pools are common. Always deploy collector pools with N+1 redundancy.

The resource requirements of individual hosts in a pool depend on the number of devices to monitor and the type of monitoring to perform. A host that is more capable than the minimum requirements (next section) may not be capable enough. For assistance sizing your collector hosts, please contact your Zenoss representative.

Resource requirements

Importing the virtual appliance creates a guest system that requires the following resources:

4 CPU cores
16 GiB (16384 MiB) memory
30 GB storage (10,000 r.p.m. serial-attached SCSI, SSD, or equivalent, such as 250 IOPS)
a minimum of 5 Mb/s (megabits per second) download and 5 Mb/s upload capacity
- appliances that include multiple collectors may require additional upload capacity
- appliances that use additional features such as duration thresholds may require additional download capacity

In addition, virtual appliances must be able to meet the networking requirements (next section).

Networking requirements

Info

Zenoss Cloud uses the 100.64.36.1/24 address space for communication among Docker containers. If you are already using it in your environment, please contact Zenoss Support.

Required ports

SSL

The SSL port is only used during initialization.

Direction	From	To	Protocol	Port
Outbound	Collector	`<tenant>.zenoss.io`	TCP	443

OpenVPN

The OpenVPN port is for the VPN server dedicated to your Collection Zone. The IP address of the server is provided during initialization. The hostname uses the following convention:

<tenant>-<czname>-<cznumber>-outboard.zenoss.(io|eu)

For example, acme-production-cz0-outboard.zenoss.io.

Direction	From	To	Protocol	Port
Outbound	Collector	`<unique>-outboard.zenoss.(io\|eu)`	UDP	1194

When UDP/1194 is not an option, TCP/443 can be used for OpenVPN data traffic. However, both performance and reliability are reduced. Please contact Zenoss Operations to enable this configuration.

SSH

The SSH port is for your administrative access.

Direction	From	To	Protocol	Port
Inbound	Your network	Collector	TCP	22

DNS

The DNS port is for resolving intranet addresses.

Direction	From	To	Protocol	Port
Outbound	Collector	Internal DNS server(s)	UDP	53

Redis cluster

The Redis cluster port allows individual collector hosts in a single network location (collection pool) to communicate among themselves.

Direction	From	To	Protocol	Port
Outbound	Collector	Collector	TCP	22250

Commonly-used ports

The following table identifies some of the ports that commonly-used collector services require to monitor and model devices in your environment. For more information about additional ports, see the ZenPack Catalog.

Purpose	Direction	From	To	Protocol	Port
syslog	Inbound	syslog daemon or server	Collector	UDP	514
SNMP traps	Inbound	SNMP agents	Collector	UDP	162
SNMP queries	Outbound	Collector	SNMP agents	UDP	161
SSH	Outbound	Collector	Devices	TCP	22
WinRM over HTTP	Outbound	Collector	Devices	TCP	5985
WinRM over HTTPS	Outbound	Collector	Devices	TCP	5986

In multi-host collector pools, you must assign a virtual IP address to the pool before inbound services can be enabled. For more information, please contact Zenoss Support.

Dedicated VPN servers

Zenoss Cloud Collector virtual machines communicate with Collection Zone instances through a VPN server that is dedicated to your organization. When you enter the collector key during the initialization process, the IP address of the VPN server that you need to whitelist is displayed.

If your organization uses more than one Collection Zone, you will have a dedicated VPN server for each Collection Zone instance.

Example configuration

The following illustration shows the network configuration for the ACME organization. The Zenoss Cloud deployment includes two Collection Zones, which is rare. Most organizations have just one.

Also:

The SSH and DNS connections are only illustrated on one collector virtual machine. The connections are required on all collector virtual machines.
None of the commonly-used ports are shown.

Installation overview

Please follow the documented procedure

Please follow the documented procedure (links below) every time you deploy a collector virtual appliance. In many cases, an instruction refers to specific IDs for the latest images. In the near future, a collector created with anything other than the latest published version of an appliance image may be blocked at Zenoss' discretion. Cloning an existing collector to create a new collector is not supported.

Install the virtual appliance on a hypervisor or in a cloud environment:
Connect to a Collection Zone (next section).

Initializing a collector appliance

Use these procedures to initialize a collector appliance.

To perform these procedures, you need:

A virtual machine created from a Zenoss Cloud Collector virtual appliance package.
The collector key for the virtual machine.

To obtain the key, please contact Zenoss Support.
Command-line access to the console of the Zenoss Cloud Collector virtual machine.
For AWS EC2 instances, the private key of the named AWS key pair used to create the instance.
A terminal client that supports cut-and-paste, such as PuTTY.

A client with this feature prevents transcription errors when you add the collector key.

Adding the collector key

Use this procedure to initialize a newly-installed Zenoss Cloud Collector.

To perform this procedure, you need the collector key provided to you by Zenoss Support through a support ticket. You must have a unique collector key, supplied by Zenoss Support, for each collector you install. Re-using collector keys wastes time.

Gain access to the console interface of the virtual machine, through your hypervisor or through a remote shell utility such as PuTTY.

A utility that supports cut-and-paste is recommended (PuTTY does).
Log in to the system as ccuser.

On AWS, Azure, and IBM systems, you must have the private key of the named key pair used to create the instance.
In the appliance menu, select Initialize Collector, and then press Enter.
In the Please enter your collector key field, enter the collector key for this virtual machine.

To avoid transcription errors, Zenoss strongly recommendeds using cut-and-paste to enter the collector key.
Press TAB, and then press Enter.

The menu is replaced by a dialog box that displays progress messages.
- The first message includes the name and IP address of the VPN server that is dedicated to your organization. Use its IP address to configure your firewall.
- If an initialization step fails, see Troubleshooting.

When the process is complete, press Enter to return to the appliance menu. The title of the menu is updated to include the following fields:

The hostname of the virtual machine.

Warning

Please do not change the virtual machine hostname.
The IP address of the virtual machine in your environment.
The virtual IP address of the virtual machine in the Zenoss network reserved for your organization.

Finally, update the Zenoss support ticket in which you were provided your collector key, to request Zenoss complete the on-boarding of your collector appliance.

Troubleshooting

Common troubleshooting steps for connectivity and other issues you may encounter while configuring the Zenoss Cloud Collector appliance.

Address resolution

Error

[FAIL] ... Ping Zenoss dedicated VPN server <name>-outboard.zenoss.io

Issue

The initialization script cannot resolve the FQDN of the Zenoss VPN server that is dedicated to your organization.

Resolution

Contact the Zenoss Cloud operations team to verify that the FQDN is propagated to public DNS servers.
Update the DNS servers in your environment with the latest public database, or get the IP address from Zenoss Support and add an entry to the DNS servers in your environment for the VPN server.

Port closed

Error: [FAIL] ... Connect to Zenoss dedicated VPN server <name>-outboard.zenoss.io
Issue: The initialization script cannot communicate with the Zenoss VPN server that is dedicated to your organization because port 1194/udp is not open.
Resolution: Configure the firewall in your environment to allow UDP traffic through port 1194. If the attempt to ping the VPN server succeeded, its IP address is displayed in the initialization dialog box.

Failed download

Error: [FAIL] ... Fetch collector bundle from <name>-outboard.zenoss.io
[FAIL] ... Install config bundle: unpack <name>-collector-1.tgz not found
[FAIL] ... Install config bundle: failed to unpack <name>-collector-1.tgz
[FAIL] ... Install config bundle: could not find client.install.sh
Issue: The initialization script was unable to download the initialization package properly.
Resolution: The collector key may have been entered incorrectly. Try the initialization step again.

Script error

Error: [FAIL] ... Install config bundle: <name>-collector-1.tgz
Issue: The initialization script encountered an error while performing one of the initialization steps.
Resolution: Please contact Zenoss Support.

VPN server

Error: [FAIL] ... VPN Server 203.0.113.10 pings
Issue: The Zenoss dedicated VPN server is not working properly.
Resolution: Please contact Zenoss Support.

VPN tunnel

Error: [FAIL] ... VPN Tunnel tun0 up
Issue: The VPN tunnel could not be established.
Resolution: Please contact Zenoss Support.

Local services

Error: [FAIL] ... ServiceD started
Issue: Local Docker and Docker-dependent services could not be started.
Resolution: Please contact Zenoss Support.