NetApp Console setup and administration

Manually install a Console agent on-premises

Contributors netapp-tonias

Install a Console agent on-premises and then log in and set it up to work with your Console organization.

Note If you are a VMware user, you can use an OVA to install a Console agent in your vCenter. Learn more about installing an agent in a vCenter.

Before you install, you'll need to ensure your host (VM or Linux host) meets requirements and ensure that the Console agent will have outbound access to the internet as well as targeted networks. If you plan to use NetApp data services, or cloud storage options such as Cloud Volumes ONTAP, you'll need to create credentials in your cloud provider to add to the Console so that the Console agent can perform actions in the cloud on your behalf.

Prepare to install the Console agent

Before you install a Console agent, you should ensure you have a host machine that meets installation requirements. You'll also need to work with your network administrator to ensure that the Console agent has outbound access to required endpoints and connections to targeted networks.

Review Console agent host requirements

Run the Console agent on an x86 host that meets operating system, RAM, and port requirements. Ensure that your host meets these requirements before you install the Console agent.

Note The Console agent reserves the UID and GID range of 19000 to 19200. This range is fixed and cannot be modified. If any third-party software on your host is using UIDs or GIDs within this range, the agent installation will fail. NetApp recommends using a host that is free of third-party software to avoid conflicts.
Dedicated host

The Console agent is not supported on a host that is shared with other applications. The host must be a dedicated host. The host can be of any architecture that meets the following size requirements:

  • CPU: 8 cores or 8 vCPUs

  • RAM: 32 GB

  • Disk space: 165 GB is recommended for the host, with the following partition requirements:

    • /opt: 120 GiB of space must be available

      The agent uses /opt to install the /opt/application/netapp directory and its contents.

    • /var: 40 GiB of space must be available

      The Console agent requires this space in /var because Docker or Podman are architected to create the containers within this directory. Specifically, they will create containers in the /var/lib/containers/storage directory. External mounts or symlinks do not work for this space.
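
The host requirements above can be checked before you run the installer. The script below is an added example, not NetApp's installer or its validation check; the function names are illustrative, and the 31 GiB RAM floor is an assumption made because MemTotal reports slightly less than the installed memory.

```bash
#!/usr/bin/env bash
# Added example: preflight checks for the host requirements on this page.
# Function names are illustrative, not part of the NetApp installer.

RESERVED_MIN=19000   # UID/GID range reserved by the Console agent
RESERVED_MAX=19200   # (inclusive on both ends)

# Print "name:id" for each entry of a passwd- or group-format file whose
# numeric ID (field 3) is inside the reserved range.
# Local files only; accounts served by LDAP/SSSD need `getent` output.
reserved_id_conflicts() {
    awk -F: -v lo="$RESERVED_MIN" -v hi="$RESERVED_MAX" \
        '$3 ~ /^[0-9]+$/ && $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 ":" $3 }' "$1"
}

# Space available on the filesystem holding path $1, in whole GiB.
avail_gib() {
    kib=$(df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4 }')
    echo $(( ${kib:-0} / 1048576 ))
}

# MemTotal in whole GiB from a meminfo-format file (default /proc/meminfo).
mem_total_gib() {
    kib=$(awk '$1 == "MemTotal:" { print $2 }' "${1:-/proc/meminfo}" 2>/dev/null) || kib=0
    echo $(( ${kib:-0} / 1048576 ))
}

# check_min LABEL ACTUAL MINIMUM: print PASS/FAIL, return 1 on FAIL.
check_min() {
    if [ "$2" -ge "$3" ]; then
        printf 'PASS  %-16s %s (need >= %s)\n' "$1" "$2" "$3"
    else
        printf 'FAIL  %-16s %s (need >= %s)\n' "$1" "$2" "$3"
        return 1
    fi
}

# Run every check; the return value is the number of failed checks.
preflight() {
    pf_passwd=${1:-/etc/passwd}; pf_group=${2:-/etc/group}; pf_fail=0
    check_min "CPU cores" "$(getconf _NPROCESSORS_ONLN)" 8 || pf_fail=$((pf_fail + 1))
    # A host with 32 GiB installed reports about 31 GiB in MemTotal, which
    # excludes kernel-reserved memory. The floor of 31 is an assumption.
    check_min "RAM (GiB)" "$(mem_total_gib)" 31 || pf_fail=$((pf_fail + 1))
    check_min "/opt free (GiB)" "$(avail_gib /opt)" 120 || pf_fail=$((pf_fail + 1))
    check_min "/var free (GiB)" "$(avail_gib /var)" 40 || pf_fail=$((pf_fail + 1))
    for pf_file in "$pf_passwd" "$pf_group"; do
        pf_hits=$(reserved_id_conflicts "$pf_file")
        if [ -n "$pf_hits" ]; then
            printf 'FAIL  reserved IDs in %s: %s\n' "$pf_file" "$(echo $pf_hits)"
            pf_fail=$((pf_fail + 1))
        else
            printf 'PASS  no reserved IDs in %s\n' "$pf_file"
        fi
    done
    return "$pf_fail"
}

# Constructed sample account files (not from a real host) for a dry run.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'backupsvc:x:19050:19050:third-party agent:/opt/backup:/sbin/nologin' \
    'appuser:x:1001:1001::/home/appuser:/bin/bash' \
    'edge:x:19200:1002::/home/edge:/bin/bash' > "$SAMPLE_DIR/passwd"
printf '%s\n' 'root:x:0:' 'backupsvc:x:19050:' 'monitoring:x:18999:' > "$SAMPLE_DIR/group"

preflight "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" || echo "preflight: $? check(s) failed"
```

Call `preflight` with no arguments to check the host's own /etc/passwd and /etc/group instead of the sample files.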

Hypervisor

A bare metal or hosted hypervisor that is certified to run a supported operating system is required.

Operating system and container requirements

The Console agent is supported with the following operating systems when using the Console in standard mode or restricted mode. A container orchestration tool is required before you install the agent.

Red Hat Enterprise Linux

  • Supported OS versions: 9.1 to 9.4 and 8.6 to 8.10

    • English language versions only.

    • The host must be registered with Red Hat Subscription Management. If it's not registered, the host can't access repositories to update required 3rd-party software during agent installation.

  • Supported agent versions: 3.9.50 or later with the Console in standard mode or restricted mode

  • Required container tool: Podman version 4.6.1 or 4.9.4

  • SELinux: Supported in enforcing mode or permissive mode

    • Management of Cloud Volumes ONTAP systems is NOT supported by agents that have SELinux enabled on the operating system.

Ubuntu 24.04 LTS

  • Supported agent versions: 3.9.45 or later with the NetApp Console in standard mode or restricted mode

  • Required container tool: Docker Engine 23.06 to 28.0.0.

  • SELinux: Not supported

Ubuntu 22.04 LTS

  • Supported agent versions: 3.9.50 or later

  • Required container tool: Docker Engine 23.0.6 to 28.0.0.

  • SELinux: Not supported

Set up network access for the Console agent

Set up network access to ensure the Console agent can manage resources. It needs connections to target networks and outbound internet access to specific endpoints.

Connections to target networks

The Console agent requires a network connection to the location where you're planning to create and manage systems. For example, the network where you plan to create Cloud Volumes ONTAP systems or a storage system in your on-premises environment.

Outbound internet access

The network location where you deploy the Console agent must have an outbound internet connection to contact specific endpoints.

Endpoints contacted from computers when using the web-based NetApp Console

Computers that access the Console from a web browser must have the ability to contact several endpoints. You'll need to use the Console to set up the Console agent and for day-to-day use of the Console.

Endpoints contacted from the Console agent

The Console agent requires outbound internet access to contact the following endpoints to manage resources and processes within your public cloud environment for day-to-day operations.

The endpoints listed below are all CNAME entries.

Note A Console agent installed on your premises cannot manage resources in Google Cloud. If you want to manage Google Cloud resources, you need to install an agent in Google Cloud.
AWS

When the Console agent is installed on-premises, it needs network access to the following AWS endpoints in order to manage NetApp systems (such as Cloud Volumes ONTAP) deployed in AWS.

Endpoints: AWS services (amazonaws.com):

  • CloudFormation

  • Elastic Compute Cloud (EC2)

  • Identity and Access Management (IAM)

  • Key Management Service (KMS)

  • Security Token Service (STS)

  • Simple Storage Service (S3)

Purpose: To manage AWS resources. The endpoint depends on your AWS region. Refer to AWS documentation for details.

Endpoints:
https://mysupport.netapp.com
Purpose: To obtain licensing information and to send AutoSupport messages to NetApp support.

Endpoints:
https://signin.b2c.netapp.com
Purpose: To update NetApp Support Site (NSS) credentials or to add new NSS credentials to the NetApp Console.

Endpoints:
https://api.bluexp.netapp.com
https://netapp-cloud-account.auth0.com
https://netapp-cloud-account.us.auth0.com
https://console.netapp.com
https://components.console.bluexp.netapp.com
https://cdn.auth0.com
Purpose: To provide features and services within the NetApp Console.

Endpoints:
https://bluexpinfraprod.eastus2.data.azurecr.io
https://bluexpinfraprod.azurecr.io
Purpose: To obtain images for Console agent upgrades.

  • When you deploy a new agent, the validation check tests connectivity to current endpoints. If you use previous endpoints, the validation check fails. To avoid this failure, skip the validation check.

    Although the previous endpoints are still supported, NetApp recommends updating your firewall rules to the current endpoints as soon as possible. Learn how to update your endpoint list.

  • When you update to the current endpoints in your firewall, your existing agents will continue to work.

Azure

When the Console agent is installed on-premises, it needs network access to the following Azure endpoints in order to manage NetApp systems (such as Cloud Volumes ONTAP) deployed in Azure.

Endpoints:
https://management.azure.com
https://login.microsoftonline.com
https://blob.core.windows.net
https://core.windows.net
Purpose: To manage resources in Azure public regions.

Endpoints:
https://management.chinacloudapi.cn
https://login.chinacloudapi.cn
https://blob.core.chinacloudapi.cn
https://core.chinacloudapi.cn
Purpose: To manage resources in Azure China regions.

Endpoints:
https://mysupport.netapp.com
Purpose: To obtain licensing information and to send AutoSupport messages to NetApp support.

Endpoints:
https://signin.b2c.netapp.com
Purpose: To update NetApp Support Site (NSS) credentials or to add new NSS credentials to the NetApp Console.

Endpoints:
https://api.bluexp.netapp.com
https://netapp-cloud-account.auth0.com
https://netapp-cloud-account.us.auth0.com
https://console.netapp.com
https://components.console.bluexp.netapp.com
https://cdn.auth0.com
Purpose: To provide features and services within the NetApp Console.

Endpoints:
https://bluexpinfraprod.eastus2.data.azurecr.io
https://bluexpinfraprod.azurecr.io
Purpose: To obtain images for Console agent upgrades.

  • When you deploy a new agent, the validation check tests connectivity to current endpoints. If you use previous endpoints, the validation check fails. To avoid this failure, skip the validation check.

    Although the previous endpoints are still supported, NetApp recommends updating your firewall rules to the current endpoints as soon as possible. Learn how to update your endpoint list.

  • When you update to the current endpoints in your firewall, your existing agents will continue to work.

Proxy server

NetApp supports both explicit and transparent proxy configurations. If you are using a transparent proxy, you only need to provide the certificate for the proxy server. If you are using an explicit proxy, you'll also need the IP address and credentials.

  • IP address

  • Credentials

  • HTTPS certificate

Ports

There's no incoming traffic to the Console agent, unless you initiate it or if it is used as a proxy to send AutoSupport messages from Cloud Volumes ONTAP to NetApp Support.

  • HTTP (80) and HTTPS (443) provide access to the local UI, which you'll use in rare circumstances.

  • SSH (22) is only needed if you need to connect to the host for troubleshooting.

  • Inbound connections over port 3128 are required if you deploy Cloud Volumes ONTAP systems in a subnet where an outbound internet connection isn't available.

    If Cloud Volumes ONTAP systems don't have an outbound internet connection to send AutoSupport messages, the Console automatically configures those systems to use a proxy server that's included with the Console agent. The only requirement is to ensure that the Console agent's security group allows inbound connections over port 3128. You'll need to open this port after you deploy the Console agent.

Enable NTP

If you're planning to use NetApp Data Classification to scan your corporate data sources, you should enable a Network Time Protocol (NTP) service on both the Console agent and the NetApp Data Classification system so that the time is synchronized between the systems. Learn more about NetApp Data classification

Create Console agent cloud permissions for AWS or Azure

If you want to use NetApp data services in AWS or Azure with an on-premises Console agent, you need to set up permissions in your cloud provider and then add the credentials to the Console agent after you install it.

Tip You must install the Console agent in Google Cloud to manage any resources that reside there.
AWS

When the Console agent is installed on-premises, you need to provide the Console with AWS permissions by adding access keys for an IAM user who has the required permissions.

You must use this authentication method if the Console agent is installed on-premises. You can't use an IAM role.

Steps
  1. Log in to the AWS console and navigate to the IAM service.

  2. Create a policy:

    1. Select Policies > Create policy.

    2. Select JSON and copy and paste the contents of the IAM policy for the Console agent.

    3. Finish the remaining steps to create the policy.

      Depending on the NetApp data services that you're planning to use, you might need to create a second policy.

      For standard regions, the permissions are spread across two policies. Two policies are required due to a maximum character size limit for managed policies in AWS. Learn more about IAM policies for the Console agent.

  3. Attach the policies to an IAM user.

  4. Ensure that the user has an access key that you can add to the NetApp Console after you install the Console agent.

Result

You should now have access keys for an IAM user who has the required permissions. After you install the Console agent, associate these credentials with the Console agent from the Console.

Azure

When the Console agent is installed on-premises, you need to provide the Console agent with Azure permissions by setting up a service principal in Microsoft Entra ID and obtaining the Azure credentials that the Console agent needs.

Create a Microsoft Entra application for role-based access control
  1. Ensure that you have permissions in Azure to create an Active Directory application and to assign the application to a role.

  2. From the Azure portal, open the Microsoft Entra ID service.

  3. In the menu, select App registrations.

  4. Select New registration.

  5. Specify details about the application:

    • Name: Enter a name for the application.

    • Account type: Select an account type (any will work with the NetApp Console).

    • Redirect URI: You can leave this field blank.

  6. Select Register.

    You've created the AD application and service principal.

Assign the application to a role
  1. Create a custom role:

    Note that you can create an Azure custom role using the Azure portal, Azure PowerShell, Azure CLI, or REST API. The following steps show how to create the role using the Azure CLI. If you would prefer to use a different method, refer to Azure documentation

    1. Copy the contents of the custom role permissions for the Console agent and save them in a JSON file.

    2. Modify the JSON file by adding Azure subscription IDs to the assignable scope.

      You should add the ID for each Azure subscription from which users will create Cloud Volumes ONTAP systems.

      Example

      "AssignableScopes": [
      "/subscriptions/d333af45-0d07-4154-943d-c25fbzzzzzzz",
      "/subscriptions/54b91999-b3e6-4599-908e-416e0zzzzzzz",
      "/subscriptions/398e471c-3b42-4ae7-9b59-ce5bbzzzzzzz"
      ]

    3. Use the JSON file to create a custom role in Azure.

      The following steps describe how to create the role by using Bash in Azure Cloud Shell.

      • Start Azure Cloud Shell and choose the Bash environment.

      • Upload the JSON file.

      • Use the Azure CLI to create the custom role:

        az role definition create --role-definition Connector_Policy.json

        You should now have a custom role called Console Operator that you can assign to the Console agent virtual machine.

  2. Assign the application to the role:

    1. From the Azure portal, open the Subscriptions service.

    2. Select the subscription.

    3. Select Access control (IAM) > Add > Add role assignment.

    4. In the Role tab, select the Console Operator role and select Next.

    5. In the Members tab, complete the following steps:

      • Keep User, group, or service principal selected.

      • Select Select members.

      • Search for the name of the application.

      • Select the application and select Select.

      • Select Next.

    6. Select Review + assign.

      The service principal now has the required Azure permissions to deploy the Console agent.

      If you want to deploy Cloud Volumes ONTAP from multiple Azure subscriptions, then you must bind the service principal to each of those subscriptions. In the NetApp Console, you can select the subscription that you want to use when deploying Cloud Volumes ONTAP.

Add Windows Azure Service Management API permissions
  1. In the Microsoft Entra ID service, select App registrations and select the application.

  2. Select API permissions > Add a permission.

  3. Under Microsoft APIs, select Azure Service Management.

  4. Select Access Azure Service Management as organization users and then select Add permissions.

Get the application ID and directory ID for the application
  1. In the Microsoft Entra ID service, select App registrations and select the application.

  2. Copy the Application (client) ID and the Directory (tenant) ID.

    When you add the Azure account to the Console, you need to provide the application (client) ID and the directory (tenant) ID for the application. The Console uses the IDs to programmatically sign in.

Create a client secret
  1. Open the Microsoft Entra ID service.

  2. Select App registrations and select your application.

  3. Select Certificates & secrets > New client secret.

  4. Provide a description of the secret and a duration.

  5. Select Add.

  6. Copy the value of the client secret.

Manually install a Console agent

When you manually install a Console agent, you need to prepare your machine environment so that it meets requirements. You'll need a Linux machine and you'll need to install Podman or Docker, depending on your Linux operating system.

Install Podman or Docker Engine

Depending on your operating system, either Podman or Docker Engine is required before installing the agent.

Podman

Follow these steps to install and configure Podman:

  • Enable and start the podman.socket service

  • Install python3

  • Install the podman-compose package version 1.0.6

  • Add podman-compose to the PATH environment variable

  • If using Red Hat Enterprise Linux 8, verify that your Podman version is using Aardvark DNS instead of CNI

Note Adjust the aardvark-dns port (default: 53) after installing the agent to avoid DNS port conflicts. Follow the instructions to configure the port.
Steps
  1. Remove the podman-docker package if it's installed on the host.

    dnf remove podman-docker
    rm /var/run/docker.sock
  2. Install Podman.

    You can obtain Podman from official Red Hat Enterprise Linux repositories.

    For Red Hat Enterprise Linux 9:

    sudo dnf install podman-2:<version>

    Where <version> is the supported version of Podman that you're installing. View the supported Podman versions.

    For Red Hat Enterprise Linux 8:

    sudo dnf install podman-3:<version>

    Where <version> is the supported version of Podman that you're installing. View the supported Podman versions.

  3. Enable and start the podman.socket service.

    sudo systemctl enable --now podman.socket
  4. Install python3.

    sudo dnf install python3
  5. Install the EPEL repository package if it's not already available on your system.

  6. If using Red Hat Enterprise:

    This step is required because podman-compose is available from the Extra Packages for Enterprise Linux (EPEL) repository.

    For Red Hat Enterprise Linux 9:

    sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm

    For Red Hat Enterprise Linux 8:

    sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
  7. Install podman-compose package 1.0.6.

    sudo dnf install podman-compose-1.0.6
    Note Using the dnf install command meets the requirement for adding podman-compose to the PATH environment variable. The installation command adds podman-compose to /usr/bin, which is already included in the secure_path option on the host.
  8. If using Red Hat Enterprise Linux 8, verify that your Podman version is using Netavark with Aardvark DNS instead of CNI.

    1. Check to see if your networkBackend is set to CNI by running the following command:

      podman info | grep networkBackend
    2. If the networkBackend is set to CNI, you'll need to change it to netavark.

    3. Install netavark and aardvark-dns using the following command:

      dnf install aardvark-dns netavark
    4. Open the /etc/containers/containers.conf file and modify the network_backend option to use "netavark" instead of "cni".

    If /etc/containers/containers.conf doesn't exist, make the configuration changes to /usr/share/containers/containers.conf.

  9. Restart podman.

    systemctl restart podman
  10. Confirm networkBackend is now changed to "netavark" using the following command:

    podman info | grep networkBackend
Docker Engine

Follow the documentation from Docker to install Docker Engine.

Steps
  1. View installation instructions from Docker

    Follow the steps to install a supported Docker Engine version. Do not install the latest version, as it is unsupported by the Console.

  2. Verify that Docker is enabled and running.

    sudo systemctl enable docker && sudo systemctl start docker

Install the Console agent manually

Download and install the Console agent software on an existing Linux host on-premises.

Before you begin

You should have the following:

  • Root privileges to install the Console agent.

  • Details about a proxy server, if a proxy is required for internet access from the Console agent.

    You have the option to configure a proxy server after installation but doing so requires restarting the Console agent.

  • A CA-signed certificate, if the proxy server uses HTTPS or if the proxy is an intercepting proxy.

Note You cannot set a certificate for a transparent proxy server when manually installing the Console agent. If you need to set a certificate for a transparent proxy server, you must use the Maintenance Console after installation. Learn more about the Agent Maintenance Console.
About this task

The installer that is available on the NetApp Support Site might be an earlier version. After installation, the Console agent automatically updates itself if a new version is available.

Steps
  1. If the http_proxy or https_proxy system variables are set on the host, remove them:

    unset http_proxy
    unset https_proxy

    If you don't remove these system variables, the installation fails.

  2. Download the Console agent software from the NetApp Support Site, and then copy it to the Linux host.

    You should download the "online" agent installer that's meant for use in your network or in the cloud.

  3. Assign permissions to run the script.

    chmod +x NetApp_Console_Agent_Cloud_<version>

    Where <version> is the version of the Console agent that you downloaded.

  4. If installing in a Government Cloud environment, disable the configuration checks. Learn how to disable configuration checks for manual installations.

  5. Run the installation script.

     ./NetApp_Console_Agent_Cloud_<version> --proxy <HTTP or HTTPS proxy server> --cacert <path and file name of a CA-signed certificate>

    You'll need to add proxy information if your network requires a proxy for internet access. You can add either a transparent or explicit proxy. The --proxy and --cacert parameters are optional and you won't be prompted to add them. If you have a proxy server, you will need to enter the parameters as shown.

    Here is an example configuring an explicit proxy server with a CA-signed certificate:

     ./NetApp_Console_Agent_Cloud_v4.0.0 --proxy https://user:password@10.0.0.30:8080/ --cacert /tmp/cacert/certificate.cer

    --proxy configures the Console agent to use an HTTP or HTTPS proxy server using one of the following formats:

    • http://address:port

    • http://user-name:password@address:port

    • http://domain-name%92user-name:password@address:port

    • https://address:port

    • https://user-name:password@address:port

    • https://domain-name%92user-name:password@address:port

      Note the following:

      • The user can be a local user or domain user.

      • For a domain user, you must use the ASCII code for a \ as shown above.

      • The Console agent doesn't support user names or passwords that include the @ character.

      • If the password includes any of the following special characters, you must escape that special character by prepending it with a backslash: & or !

        For example:

        http://bxpproxyuser:netapp1\!@address:3128

    --cacert specifies a CA-signed certificate to use for HTTPS access between Console agent and the proxy server. This parameter is required for HTTPS proxy servers, intercepting proxy servers, and transparent proxy servers.

    Here is an example configuring a transparent proxy server. When you configure a transparent proxy, you don't need to define the proxy server. You only add a CA-signed certificate to your Console agent host:

     ./NetApp_Console_Agent_Cloud_v4.0.0 --cacert /tmp/cacert/certificate.cer

  6. If you used Podman, you'll need to adjust the aardvark-dns port.

    1. SSH to the Console agent virtual machine.

    2. Open the Podman /usr/share/containers/containers.conf file and modify the chosen port for the Aardvark DNS service. For example, change it to 54.

      vi /usr/share/containers/containers.conf
      ...
      # Port to use for dns forwarding daemon with netavark in rootful bridge
      # mode and dns enabled.
      # Using an alternate port might be useful if other DNS services should
      # run on the machine.
      #
      dns_bind_port = 54
      ...
      Esc:wq
    3. Reboot the Console agent virtual machine.
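
The two containers.conf edits in this procedure (network_backend during the Podman setup and dns_bind_port here) can be scripted instead of made by hand in vi. This is an added example, not NetApp tooling: set_network_option and get_network_option are hypothetical helper names, the script assumes both keys belong to the [network] table, and the file it edits is a constructed excerpt rather than a real host's configuration.

```bash
#!/usr/bin/env bash
# Added example: scripted form of the containers.conf edits described above.
# set_network_option / get_network_option are illustrative names.

# set_network_option FILE KEY VALUE
# Set KEY in the [network] table of a containers.conf-style file. Reuses the
# commented-out default line if there is one, replaces an active value, and
# adds the key (and the table) when missing. VALUE is written verbatim, so
# TOML strings must carry their own quotes.
set_network_option() {
    sno_tmp=$(mktemp) || return 1
    awk -v key="$2" -v value="$3" '
        function emit() { print key " = " value; written = 1 }
        /^[ \t]*\[/ {                                  # any table header
            if (in_net && !written) emit()             # key absent from [network]
            in_net = ($0 ~ /^[ \t]*\[network\][ \t]*$/)
            print; next
        }
        in_net && !written && $0 ~ ("^[ \t]*#?[ \t]*" key "[ \t]*=") { emit(); next }
        in_net && written && $0 ~ ("^[ \t]*" key "[ \t]*=") { next }   # stale duplicate
        { print }
        END { if (!written) { if (!in_net) print "[network]"; emit() } }
    ' "$1" > "$sno_tmp" && cat "$sno_tmp" > "$1"   # cat keeps owner, mode, SELinux label
    sno_rc=$?
    rm -f "$sno_tmp"
    return "$sno_rc"
}

# get_network_option FILE KEY: print the active (uncommented) value, if any.
get_network_option() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_net = ($0 ~ /^[ \t]*\[network\][ \t]*$/); next }
        in_net && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# Constructed excerpt in the layout of /usr/share/containers/containers.conf.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
[containers]
#log_driver = "k8s-file"

[network]
# Port to use for dns forwarding daemon with netavark in rootful bridge
# mode and dns enabled.
#dns_bind_port = 53
network_backend = "cni"

[engine]
#runtime = "crun"
EOF

set_network_option "$CONF" network_backend '"netavark"'
set_network_option "$CONF" dns_bind_port 54
cat "$CONF"
```

On a real host, point the function at the file named in the step, run it as root, and confirm the backend afterwards with `podman info | grep networkBackend`.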

What’s next?

You'll need to register the Console agent within the NetApp Console.

Register the Console agent with NetApp Console

Log into the Console and associate the Console agent with your organization. How you log in depends on the mode in which you are using Console. If you are using the Console in standard mode, you log in through the SaaS website. If you are using the Console in restricted mode, you log in locally from the Console agent host.

Steps
  1. Open a web browser and enter the Console agent host URL:

    The Console host URL can be a localhost, a private IP address, or a public IP address, depending on the configuration of the host. For example, if the Console agent is in the public cloud without a public IP address, you must enter a private IP address from a host that has a connection to the Console agent host.

  2. Sign up or log in.

  3. After you log in, set up the Console:

    1. Specify the Console organization to associate with the Console agent.

    2. Enter a name for the system.

    3. Under Are you running in a secured environment? keep restricted mode disabled.

      Restricted mode isn't supported when the Console agent is installed on-premises.

    4. Select Let's start.

Provide cloud provider credentials to NetApp Console

After you install and set up the Console agent, add your cloud credentials so that the Console agent has the required permissions to perform actions in AWS or Azure.

AWS
Before you begin

If you just created these AWS credentials, they may take a few minutes to become available. Wait a few minutes before you add the credentials to the Console.

Steps
  1. Select Administration > Credentials.

  2. Select Organization credentials.

  3. Select Add Credentials and follow the steps in the wizard.

    1. Credentials Location: Select Amazon Web Services > Agent.

    2. Define Credentials: Enter an AWS access key and secret key.

    3. Marketplace Subscription: Associate a Marketplace subscription with these credentials by subscribing now or by selecting an existing subscription.

    4. Review: Confirm the details about the new credentials and select Add.

You can now go to the NetApp Console to start using the Console agent.

Azure
Before you begin

If you just created these Azure credentials, they may take a few minutes to become available. Wait a few minutes before you add the credentials to the Console agent.

Steps
  1. Select Administration > Credentials.

  2. Select Add Credentials and follow the steps in the wizard.

    1. Credentials Location: Select Microsoft Azure > Agent.

    2. Define Credentials: Enter information about the Microsoft Entra service principal that grants the required permissions:

      • Application (client) ID

      • Directory (tenant) ID

      • Client Secret

    3. Marketplace Subscription: Associate a Marketplace subscription with these credentials by subscribing now or by selecting an existing subscription.

    4. Review: Confirm the details about the new credentials and select Add.

Result

The Console agent now has the permissions that it needs to perform actions in Azure on your behalf. You can now go to the NetApp Console to start using the Console agent.