diff --git a/docs/Reference/MPS/configuration.md b/docs/Reference/MPS/configuration.md index 78262697e..e80a12d5f 100644 --- a/docs/Reference/MPS/configuration.md +++ b/docs/Reference/MPS/configuration.md @@ -1,25 +1,46 @@ --8<-- "References/abbreviations.md" -# MPS Configuration Options +## MPS Configuration + +The `.env` variables set have priority and overwrite the corresponding `.mpsrc` variables. + +| `.env` Variable Name | `.mpsrc` Variable Name | Default | Description | +| :-------------------------------| :----------------------------| :---------------------------------| :-------------------------------------------------------------------------------- | +| MPS_VAULT_ADDRESS | vault_address |`http://vault:8200` or `http://localhost:8200`| Address of where the vault is hosted | +| MPS_GENERATE_CERTS | generate_certificates |`true` | Enables/Disables generation of self signed certificates based on MPS_COMMON_NAME | +| MPS_COMMON_NAME | common_name |`localhost` | Common Name of MPS server. May be an IP or FQDN. Used when generating self-signed CIRA certificate. | +| MPSPORT | port |`4433` | CIRA connection port to listen on | +| MPSWEBPORT | web_port |`3000` | Web API port to listen on | +| MPS_DEBUG | |`true` | NOT USED | +| MPS_WEB_ADMIN_USER | web_admin_user |No Value | Username for Sample Web UI and API authentication | +| MPS_WEB_ADMIN_PASSWORD | web_admin_password |No Value | Password for Sample Web UI and API authentication | +| MPS_HTTPS | |`true` | Specifies whether or not to enable https | +| MPS_TLS_OFFLOAD | |`false` | NOT USED | +| MPS_LOG_LEVEL | |`info` | Controls the level of logging provided in the service. Options are (in order of increasing detail): `error`, `warn`, `info`, `verbose`, `debug`, and `silly`. | +| MPS_JWT_EXPIRATION | jwt_expiration |`1440` | The default expiration in minutes for the JWT Token. Default is 24 hours. | +| MPS_JWT_SECRET | jwt_secret |No Value | Secret used for generating a JWT Token. IMPORTANT: This must match the `secret` in your `Kong.yaml` file for the jwt plugin configuration. | +| MPS_JWT_ISSUER | jwt_issuer |`9EmRJTbIiIb4bIeSsmgcWIjrR6HyETqc` | The issuer that will be populated in the token. This is a not considered a secret. IMPORTANT: This must match the `key:` property in the `Kong.yaml` file for the jwt plugin configuration. | +| MPS_MQTT_ADDRESS | mqtt_address |No Value | Address of where the mqtt broker is hosted. Mqtt container is named `mosquitto` and is open to port `8883`. Thus unless setting are changed the value should be either empty (off) or `mqtt://mosquitto:8883` (on) | +| MPS_COUNTRY | country | `US` | Country for Self-Signed Certificate | +| MPS_COMPANY | company | `NoCorp` | Company for Self-Signed Certificate | +| MPS_WEB_AUTH_ENABLED | web_auth_enabled | `true` | MPS provides a simple auth using `web_admin_user` and `web_admin_password`. Set web_auth_enabled to `false` to disable this auth mechanism. | +| MPS_VAULT_TOKEN | vault_token | `myroot` | Token used to access the vault | +| MPS_SECRETS_PATH | secrets_path | `secret/data/` | Path for where secrets are stored in the vault | +| MPS_SECRETS_PROVIDER | secrets_provider | `vault` | Secret provider used (`vault`) | +| MPS_CERT_FORMAT | cert_format | `file` | Format to store certificates to Vault | +| MPS_DATA_PATH | data_path | `../private/data.json` | File path to store Vault data locally | +| MPS_CERT_PATH | cert_path | `../private` | File path to store certificates in Vault locally | +| MPS_CORS_ORIGIN | cors_origin | `*` | (NOT USED) Allowed origin for CORS policy | +| MPS_CORS_HEADER | cors_header | `*` | (NOT USED) Allowed headers | +| MPS_CORS_METHODS | cors_methods | `*` | (NOT USED) Allowed methods | +| MPS_DB_PROVIDER | db_provider | `postgres` | Database provider used (`postgres`, `nosql`) | +| MPS_CONNECTION_STRING | connection_string | `postgresql://:@localhost:5432/mpsdb?sslmode=no-verify` | The database connection string | +| MPS_INSTANCE_NAME | instance_name | `localhost` | Value used to record and address specific mps instances. (i.e containerIp in k8s) | +| MPS_TLS_CONFIG | mps_tls_config | | Used only if `generate_certificates = false` Cert settings for CIRA connection | +| MPS_WEB_TLS_CONFIG | web_tls_config | | NOT USED | +| MPS_REDIRECTION_EXPIRATION_TIME | redirection_expiration_time | `5` | Default expiration for redirection token | +| MPS_CONSUL_ENABLED | consul_enabled | `false` | Enable/disable use of Consul for centralized configuration | +| MPS_CONSUL_HOST | consul_host | `localhost` | Address of where Consul is hosted | +| MPS_CONSUL_PORT | consul_port | `8500` | Consul Port to listen on | +| MPS_CONSUL_KEY_PREFIX | consul_key_prefix | `MPS` | Default prefix key for Consul data structure | + -| Environment Variable | Default | Description | -| :------------------------- | :--------------------- | :-- | -| MPS_IMAGE | mps-microservice:v1 | Only used when using docker-compose.yml. Specifies image to use for MPS | -| MPS_USE_VAULT | true | Whether or not the vault should be used | -| MPS_VAULT_ADDRESS | http://vault:8200 | Address of where the vault is hosted | -| MPS_VAULT_TOKEN | myroot | Token used to access the vault | -| MPS_SECRETS_PATH | secret/data/ | Path to where secrets are stored in the vault | -| MPS_GENERATE_CERTS | true | Enables/Disables generation of self signed certificates based on MPS_COMMON_NAME | -| MPS_COMMON_NAME | localhost | Development system's IP address.
**Note:** For this guide, you **cannot** use localhost because the managed device would be unable to reach the MPS and RPS servers. | For this guide, the address will be used in a self-signed certificate. It may be an IP address or FQDN in real world deployment. | -| MPS_PORT | 4433 | | -| MPS_WEB_PORT | 3000 | | -| MPS_WEB_ADMIN_USER | n/a | Specifies the username for API authentication | -| MPS_WEB_ADMIN_PASSWORD | n/a | Specifies the password for API authentication | -| MPS_WEB_AUTH_ENABLED | n/a | Specifies whether or not to enable MPS authentication | -| MPS_HTTPS | true | Specifies whether or not to enable https | -| MPS_TLS_OFFLOAD | false | | -| MPS_LOG_LEVEL | info | Controls the level of logging provided in the service. Options are (in order of increasing detail): `error`, `warn`, `info`, `verbose`, `debug`, and `silly`. | -| MPS_JWT_SECRET | n/a | Secret used for generating a JWT Token. IMPORTANT: This must match the `secret` in your `Kong.yaml` file for the jwt plugin configuration. -| MPS_JWT_ISSUER | 9EmRJTbIiIb4bIeSsmgcWIjrR6HyETqc | The issuer that will be populated in the token. This is a not considered a secret. IMPORTANT: This must match the `key:` property in the `Kong.yaml` file for the jwt plugin configuration. -| MPS_JWT_EXPIRATION | 1440 | The default expiration in minutes for the JWT Token. Default is 24 hours. | -| MPS_MQTT_ADDRESS | No Value | Address of where the mqtt broker is hosted. Mqtt container is named `mosquitto` and is open to port `8883`. Thus unless setting are changed the value should be either empty (off) or `mqtt://mosquitto:8883` (on) | -| MPS_CONNECTION_STRING | `postgresql://postgresadmin@localhost:5432/mpsdb?sslmode=no-verify` | The database connection string | diff --git a/docs/Reference/RPS/configuration.md b/docs/Reference/RPS/configuration.md index dd68f68bb..609d23a1a 100644 --- a/docs/Reference/RPS/configuration.md +++ b/docs/Reference/RPS/configuration.md @@ -1,17 +1,29 @@ --8<-- "References/abbreviations.md" -# RPS Configuration +## RPS Configuration -| Environment Variable | Default | Description | -| :--------------------------- | :------------------------------------ | :---------- | -| RPS_IMAGE | `rps-microservice:v1` | Only used when using docker-compose.yml. Specifies image to use for RPS | -| RPS_CONNECTION_STRING | `postgresql://postgresadmin@localhost:5432/rpsdb?sslmode=no-verify` | The database connection string | -| RPS_WEB_PORT | `8081` | Specifies the Web API port to listen on | -| RPS_WEBSOCKETPORT | `8080` | Specifies the Websocket port to listen on | -| RPS_VAULT_ADDRESS | `http://vault:8200` | Address of where the vault is hosted | -| RPS_VAULT_TOKEN | `myroot` | Token used to access the vault | -| RPS_SECRETS_PATH | `secret/data/` | Specifies the path for where secrets are stored in the vault | -| RPS_LOG_LEVEL | `info` | Controls the level of logging provided in the service. Options are (in order of increasing detail): `error`, `warn`, `info`, `verbose`, `debug`, and `silly` | -| RPS_MPS_SERVER | `http://localhost:3000` | Specifies where the MPS is hosted -- required for metadata registration (i.e. hostname, and tags) | -| RPS_DELAY_TIMER | `12` | Sets the number of seconds to wait after activation but before proceeding with final steps. By default it is set to 12 seconds. During this waiting period, RPS sends heartbeats to RPC to keep the connection alive. | -| RPS_MQTT_ADDRESS | No Value | Address of where the mqtt broker is hosted. Mqtt container is named `mosquitto` and is open to port `8883`. Thus unless setting are changed the value should be either empty (off) or `mqtt://mosquitto:8883` (on) | \ No newline at end of file +The `.env` variables set have priority and overwrite the corresponding `.rpsrc` variables. + +| `.env` Variable Name | `.rpsrc` Variable Name | Default | Description | +| :----------------------------| :------------------------| :------------------------| :------------------------------------------------------------------------------------------------| +| RPS_WEBSOCKETTLS | |`true` | Enable/disable TLS on Websocket Connection | +| RPSWEBPORT | web_port |`8081` | Web API port to listen on | +| RPSWEBSOCKETPORT | websocketport |`8080` | Websocket port to listen on | +| RPS_LOG_LEVEL | |`info` | Controls the level of logging provided in the service. Options are (in order of increasing detail): `error`, `warn`, `info`, `verbose`, `debug`, and `silly` | +| RPS_DELAY_TIMER | delay_timer |`12` | Sets the number of seconds to wait after activation but before proceeding with final steps. By default it is set to 12 seconds. During this waiting period, RPS sends heartbeats to RPC to keep the connection alive. | +| RPS_MQTT_ADDRESS | mqtt_address |No Value | Address of where the mqtt broker is hosted. Mqtt container is named `mosquitto` and is open to port `8883`. Thus unless setting are changed the value should be either empty (off) or `mqtt://mosquitto:8883` (on) | +| RPS_SECRETS_PATH | secrets_path | `secret/data/` | Path for where secrets are stored in the vault | +| RPS_VAULT_ADDRESS | vault_address | `http://localhost:8200` | Address of where the vault is hosted | +| RPS_VAULT_TOKEN | vault_token | `myroot` | Token used to access the vault | +| RPS_DB_PROVIDER | db_provider | `postgres` | Database provider used (`postgres`) | +| RPS_SECRETS_PROVIDER | secrets_provider | `vault` | Secret provider used (`vault`) | +| RPS_CONNECTION_STRING | connection_string | `postgresql://:@localhost:5432/rpsdb` | The database connection string | +| RPS_CORS_ORIGIN | cors_origin | `http://localhost:4200` | (NOT USED) Allowed origin for CORS policy | +| RPS_CORS_HEADER | cors_header | `Origin, X-Requested-With, Accept, Content-Type, csrf-token, authorization` | (NOT USED) Allowed headers | +| RPS_CORS_METHODS | cors_methods | `*` | (NOT USED) Allowed methods | +| RPS_MPS_SERVER | mps_server | `http://localhost:3000` | Specifies where the MPS is hosted -- required for metadata registration (i.e. hostname, and tags) | +| RPS_DISABLE_CIRA_DOMAIN_NAME | disable_cira_domain_name | No Value | When AMT is on a network that matches the specified domain name, CIRA is disabled. If not set, a random domain name is generated to ensure CIRA connection on any network. | +| RPS_CONSUL_ENABLED | consul_enabled | `false` | Enable/disable use of Consul for centralized configuration | +| RPS_CONSUL_HOST | consul_host | `localhost` | Address of where Consul is hosted | +| RPS_CONSUL_PORT | consul_port | `8500` | Consul Port to listen on | +| RPS_CONSUL_KEY_PREFIX | consul_key_prefix | `RPS` | Default prefix key for Consul data structure | diff --git a/docs/Reference/faq.md b/docs/Reference/faq.md new file mode 100644 index 000000000..0dbfa2dd2 --- /dev/null +++ b/docs/Reference/faq.md @@ -0,0 +1,51 @@ +## Frequently Asked Questions + +### How do releases work with Open AMT? + +Open AMT carries two releases, the Rapid ("Monthly") Release and the Long-Term Support (LTS) Release. + +Rapid Releases occur every 4-6 weeks. Support for security and bug fixes is only for the duration of that rapid release. Customers will be encouraged to move to a latest rapid release for the most up to date security and bug fixes. + +LTS Releases occur roughly every 1 to 1.5 years. Support for security and bug fixes exist until the next LTS version is available. At that point, we will provide migration documentation and support to help customers move over to the new LTS release. + +
+ +### How does versioning work with Open AMT? + +Open AMT follows [SemVer](https://semver.org/) practices for versioning. This means: + +- Major Version Increment - Breaking Changes (ex: 2.0.0 -> 3.0.0) +- Minor Version Increment - New Features (ex: 2.0.0 -> 2.1.0) +- Patch Version Increment - Security and Bug Fixes (ex: 2.0.0 -> 2.0.1) + +All microservices with the same minor version should be compatible. + +The separate repos for microservices and libraries are versioned individually. These versions are separate from the `open-amt-cloud-toolkit` repo version. The `open-amt-cloud-toolkit` repo is where we have the monthly release. This repo might carry a higher version than some of the individual repos but is tagged as `{Month} {Year}`. All sub-repos referenced within `open-amt-cloud-toolkit` for a specific release are guaranteed to be compatible. + +
+ +### What versions of Intel® AMT are supported? + +Open AMT aligns to the Intel Network and Edge (NEX) Group support roadmap for Intel vPro® Platform and Intel® AMT devices. This is currently calculated as `Latest AMT Version - 7`. + +
+ +### How do I migrate versions to a new release? + +Resources and information for migrating releases for either a Kubernetes deployment or local Docker deployment can be found in the [Upgrade Toolkit Version documentation](../Deployment/upgradeVersion.md). + +
+ +### What is a Pre-Release Feature? + +Sometimes, newer features may be available as **pre-release**. These are features that are still in-development and subject to change. The team opts to make these available for early feedback. These may have limited functionality or potentially even bugs. When the feature is mature and fully validated, it will move from a **pre-release** state to a full release. + +
+ +### How do I find more information about the MPS and RPS configuration files and security details? + +Details and descriptions of configuration options can be found in [MPS Configuration](../MPS/configuration/) and [RPS Configuration](../RPS/configuration/). + +Security information can be found in [MPS Security Information](../MPS/securityMPS/) and [RPS Security Information](../RPS/securityRPS/). + +
\ No newline at end of file diff --git a/docs/Reference/troubleshooting.md b/docs/Reference/troubleshooting.md index 10d0d1106..6c814ffc7 100644 --- a/docs/Reference/troubleshooting.md +++ b/docs/Reference/troubleshooting.md @@ -1,55 +1,9 @@ --8<-- "References/abbreviations.md" -The sections below detail commonly asked questions about Open AMT Cloud toolkit as well as possible errors that may occur when activating or deactivating managed devices along with some potential solutions. +The sections below detail possible errors that may occur when activating or deactivating managed devices along with some potential solutions. Can't find the answer to your questions or issue below? Reach out to the team [via Discord](https://discord.com/invite/yrcMp2kDWh) for direct help. Or file a GitHub issue. -## Commonly Asked Questions - -### How do releases work with Open AMT? - -Open AMT carries two releases, the Rapid ("Monthly") Release and the Long-Term Support (LTS) Release. - -Rapid Releases occur every 4-6 weeks. Support for security and bug fixes is only for the duration of that rapid release. Customers will be encouraged to move to a latest rapid release for the most up to date security and bug fixes. - -LTS Releases occur roughly every 1 to 1.5 years. Support for security and bug fixes exist until the next LTS version is available. At that point, we will provide migration documentation and support to help customers move over to the new LTS release. - -
- -### How does versioning work with Open AMT? - -Open AMT follows [SemVer](https://semver.org/) practices for versioning. This means: - -- Major Version Increment - Breaking Changes (ex: 2.0.0 -> 3.0.0) -- Minor Version Increment - New Features (ex: 2.0.0 -> 2.1.0) -- Patch Version Increment - Security and Bug Fixes (ex: 2.0.0 -> 2.0.1) - -All microservices with the same minor version should be compatible. - -The separate repos for microservices and libraries are versioned individually. These versions are separate from the `open-amt-cloud-toolkit` repo version. The `open-amt-cloud-toolkit` repo is where we have the monthly release. This repo might carry a higher version than some of the individual repos but is tagged as `{Month} {Year}`. All sub-repos referenced within `open-amt-cloud-toolkit` for a specific release are guaranteed to be compatible. - -
- -### What versions of Intel® AMT are supported? - -Open AMT aligns to the Intel Network and Edge (NEX) Group support roadmap for Intel vPro® Platform and Intel® AMT devices. This is currently calculated as `Latest AMT Version - 7`. - -
- -### How do I migrate versions to a new release? - -Resources and information for migrating releases for either a Kubernetes deployment or local Docker deployment can be found in the [Upgrade Toolkit Version documentation](../Deployment/upgradeVersion.md). - -
- -### How do I find more information about the MPS and RPS configuration files and security details? - -Details and descriptions of configuration options can be found in [MPS Configuration](../MPS/configuration/) and [RPS Configuration](../RPS/configuration/). - -Security information can be found in [MPS Security Information](../MPS/securityMPS/) and [RPS Security Information](../RPS/securityRPS/). - -
- ## Most Common Issues @@ -113,6 +67,24 @@ This warning typically means that the Sample Web UI and RPS is unable to reach t
+## Known Issues + +### RPC Returns `Failed to Add MPS Root Certificate` + +RPC may return `Failed to Add MPS Root Certificate` when running the `activate` command. The following resolution steps may help. + +1. Restart the device and then rerun the `activate` command. + +2. If not resolved, stop the LMS service. Rerun the `activate` command. Full service name: Intel(R) Management and Security Application Local Management Service + +### RPC Freezes/Hangs when Executing a Command + +This can occur due to the WSMan messages being received out of order during communication with RPS. + +1. After RPC times out or you've stopped the execution, rerun the `activate` command. + +
+ ## Specific Microservice or Library Errors ### RPC diff --git a/mkdocs.yml b/mkdocs.yml index 41c2ab393..cbf0a0e26 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -53,6 +53,7 @@ nav: - Video Walkthroughs: videos.md - License: license.md - Get Help: + - FAQ: Reference/faq.md - Troubleshooting: Reference/troubleshooting.md - Get Started: - Prerequisites: GetStarted/prerequisites.md @@ -67,6 +68,7 @@ nav: - Build & Run RPC: GetStarted/buildRPC.md - Manage AMT Device: GetStarted/manageDevice.md - Get Help: + - FAQ: Reference/faq.md - Troubleshooting: Reference/troubleshooting.md - Deployment: - Overview: Deployment/overview.md @@ -88,6 +90,7 @@ nav: - EKS: Tutorials/Scaling/Kubernetes/deployingk8s-eks.md - KUMA Service Mesh: Tutorials/Scaling/Kubernetes/service-mesh.md - Get Help: + - FAQ: Reference/faq.md - Troubleshooting: Reference/troubleshooting.md - Reference: - Architecture Overview: Reference/architectureOverview.md @@ -131,6 +134,7 @@ nav: - Provisioning Certificate: Reference/Certificates/remoteProvisioning.md - TLS Certificate: Reference/Certificates/tls.md - Get Help: + - FAQ: Reference/faq.md - Troubleshooting: Reference/troubleshooting.md - APIs: - Management Presence Server: APIs/indexMPS.md