In this section, we will look at installing MeshCentral on Amazon AWS with “Amazon Linux 2”. This is a low cost instance, and even a free tier is available so you can experiment or run a small instance of MeshCentral.

On AWS EC2, you can launch an instance and select “Amazon Linux 2” as the Amazon Machine Image. It is usually the very first option.

When launching the instance, you will be asked to use or create a security group with the allowed inbound TCP and UDP ports. You will need the following inbound rules in your security group:

Type        Protocol  Port Range  Source    Description
SSH         TCP       22          Anywhere  SSH
HTTP        TCP       80          Anywhere  WWW
HTTPS       TCP       443         Anywhere  WWW Secure
Custom TCP  TCP       4433        Anywhere  Intel AMT CIRA
Custom TCP  TCP       8080        Anywhere  Swarm Server 1)

"Anywhere" means a source of 0.0.0.0/0 and ::/0. If you are not going to be managing Intel AMT you can remove port 4433, and port 8080 is only needed when migrating from MeshCentral1 (see note 1). You could also remove port 80, but it is useful for obtaining a Let's Encrypt certificate and for redirecting users from the http page to the secure page. Consider restricting the source of the SSH rule to your own address range instead of "Anywhere"; only the web ports need to be reachable by the agents.

For all of the following sections, we will assume that we are in the ec2-user home folder; you can always enter the command cd ~ to return to it.

The first prerequisite is to ensure NodeJS is installed on the system. We will install the node version manager (nvm), load it into the current shell, then install the LTS version of NodeJS. Note that the first command pipes a script downloaded from GitHub straight into bash; if you prefer, download the install script, read it, and then run it.

curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.8/install.sh | bash
. ~/.nvm/nvm.sh
nvm install --lts

You can verify the versions of NodeJS and NPM just installed with the following commands:

node -v
npm -v

If you are going to be running a large instance, it is advised to use MongoDB as the database. For smaller instances (100 systems or fewer being managed) the default NeDB can be used instead and you can skip this step. If you do want to use MongoDB it can be installed with the instructions below:

Use Nano to create a new file /etc/yum.repos.d/mongodb-org-4.0.repo

sudo nano /etc/yum.repos.d/mongodb-org-4.0.repo

Then put these contents into the file:

[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/amazon/2/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc

Then save the file (CTRL+O) and exit Nano (CTRL+X)

This file sets up the repository used by the package manager to install and update MongoDB. Once this file exists you can install MongoDB using yum and start it with these commands:

sudo yum install -y mongodb-org
sudo service mongod start

This starts MongoDB for the current boot only; to have it start automatically after a reboot, enable its systemd unit (mongod) the same way the MeshCentral service is enabled at the end of this guide. The packaged MongoDB listens on 127.0.0.1 only and has no authentication enabled by default. That is acceptable here because MeshCentral runs on the same instance, but it means port 27017 must never be opened in the security group.

We can verify MongoDB is running by entering the MongoDB shell like this:

mongo --host 127.0.0.1:27017

Then exit the Mongo shell by pressing CTRL-C.

The database and log files will be created in these locations. This info is useful for making backups of the database.

/var/log/mongodb
/var/lib/mongo

On Linux, as a security feature, ports below 1024 can only be bound by processes running as the "root" user, or by a binary that has been granted the cap_net_bind_service capability. In our case, we need MeshCentral to listen on ports 80 and 443 without running the server as root. To accomplish this, we first need to discover where the NodeJS binary is:

whereis node
node: /home/ec2-user/.nvm/versions/node/v8.11.3/bin/node

In this case, the result shows the NodeJS binary installed by nvm is at /home/ec2-user/.nvm/versions/node/v8.11.3/bin/node (your version number will differ). We will use this path in the next command, which grants that binary the capability to bind ports below 1024. Note that the capability is stored on the binary file itself, so it is lost whenever that file is replaced, for example when NodeJS is updated with nvm (the new version lives in a different directory), and the command must then be run again against the new path. It has also been reported to be lost after some system updates. 2)

sudo setcap cap_net_bind_service=+ep /home/ec2-user/.nvm/versions/node/v8.11.3/bin/node

Almost there. Before installing MeshCentral, we need to know the public hostname of our AWS instance. Run this command, which queries the EC2 instance metadata service, to display it (if your instance is configured to require IMDSv2, the request must also carry a session token obtained with a PUT to /latest/api/token):

curl http://169.254.169.254/latest/meta-data/public-hostname

The public hostname should look something like this: ec2-1-2-3-4.us-west-2.compute.amazonaws.com

You can use this name, or if you have a public DNS name pointing to this server instance you can use that instead. Note that MeshCentral will not set up DNS for you. The hostname must be correct and must resolve to this AWS server instance, since it is the name placed in the server certificate and the name all agents will use to talk to the MeshCentral server. Also be aware that the default ec2-...compute.amazonaws.com name belongs to the instance's current public IP, which changes when the instance is stopped and started unless an Elastic IP is attached; if that happens every agent loses its server, so for anything beyond a quick test use your own DNS name.

We are finally ready to install MeshCentral! We use NPM to install the latest version of MeshCentral with the command below. DO NOT USE "SUDO" FOR THIS COMMAND: MeshCentral is meant to be installed under, and run as, the unprivileged ec2-user account, which is why the NodeJS binary was granted the port capability above instead of running the server as root.

npm install meshcentral

After the installation completes we can manually run MeshCentral for the first time. We want to run it in WAN mode and have it generate certificates with the same public name as our AWS instance, so we use the --wanonly and --cert command arguments to get the server started:

node ./node_modules/meshcentral --wanonly --cert ec2-1-2-3-4.us-west-2.compute.amazonaws.com

At this point, you should see MeshCentral create its certificates and start running. You can open a web browser, enter the name or IP address of the server in the address bar, and see the MeshCentral login page.

If you chose to use MongoDB, do not create any accounts yet: you first need to edit the MeshCentral configuration to tell it to use MongoDB, and anything created now would end up in the default NeDB database instead. If you are using the built-in NeDB, create your administrator account now. The first account created becomes the server administrator account, so you should create it as soon as the server is reachable, before anyone else on the internet can. In either case, MeshCentral is in a usable state now, but there are still a couple of things to do. Press CTRL-C to stop MeshCentral and we will continue on.

By default, MeshCentral uses NeDB with a database file stored at ~/meshcentral-data/meshcentral.db. While this is great for small servers managing up to around 100 systems, if you chose to install MongoDB in the steps above, it is time to tell MeshCentral to use it instead.

The majority of the configuration options for MeshCentral are stored in a file called config.json, stored in the ~/meshcentral-data directory. We will edit it now to start using MongoDB. We start by opening the file in a text editor:

nano ~/meshcentral-data/config.json

Inside the text editor, we need to make the top section of the file look like this:

{
  "settings": {
    "MongoDb": "mongodb://127.0.0.1:27017/meshcentral",
    "WANonly": true,
    "_Port": 443,
    "_RedirPort": 80,
    "_AllowLoginToken": true,
    "_AllowFraming": true,
    "_WebRTC": false,
    "_ClickOnce": false,
    "_UserAllowedIP" : "127.0.0.1,::1,192.168.0.100"
  },
  <...more stuff here...> 
}

If you are starting with the default config.json file created by the installation, you will need to remove the leading underscore character "_" from some values and add it to the beginning of others. A leading underscore marks a value as commented out: to enable a setting, its name must not start with the underscore; to disable a setting, *add* the underscore. In the example above only MongoDb and WANonly are active. For full details on all of the available options in config.json see our config.json reference or the complete config.json schema on GitHub.

Once you have finished editing the config.json file, save it (CTRL-O in nano) and exit the text editor (CTRL-X in nano) and manually run MeshCentral again:

node ./node_modules/meshcentral

Now go ahead and create a new account. The first account created becomes the server administrator, so you don't want to delay creating this account. Once you have created this account and logged in with it successfully you can close MeshCentral again using CTRL-C. Next we will set up MeshCentral to run automatically in the background.

Since Amazon Linux 2 supports systemd, we are going to use it to auto start MeshCentral in the background. First we need to know our own username and group. The simplest way to find them is to run the following from your home folder:

ls -l

Doing so should give output similar to this example below:

drwxr-xr-x 2 user default 4096 Jul 20 00:03 Desktop
drwxr-xr-x 2 user default 4096 Jul 20 00:03 Documents
drwxr-xr-x 2 user default 4096 Jul 20 00:03 Download
...

Make note of the username and group. In the sample above, the username is user and the group is default; on a stock Amazon Linux 2 instance both will be ec2-user.

We will also need to know the path of the NodeJS binary. To find it, enter:

whereis node

If you installed NodeJS with nvm as described above, the path will be of the form /home/ec2-user/.nvm/versions/node/<version>/bin/node rather than /usr/bin/node; make a note of it and enter it in the appropriate place in the file we are about to create. Because that path contains the NodeJS version, the service file must be updated whenever NodeJS is upgraded with nvm.

We will need all of this information to create the description file for the MeshCentral service we create. To create this description file, enter:

sudo nano /etc/systemd/system/meshcentral.service

In this new file, enter the following lines:

[Unit]
Description=MeshCentral Server

[Service]
Type=simple
LimitNOFILE=1000000
ExecStart=/usr/bin/node /home/user/node_modules/meshcentral
WorkingDirectory=/home/user
Environment=NODE_ENV=production
User=user
Group=default
Restart=always
# Restart service after 10 seconds if node service crashes
RestartSec=10
# Set port permissions capability
AmbientCapabilities=cap_net_bind_service

[Install]
WantedBy=multi-user.target

Be sure you set the User and Group values correctly for your specific installation. Notice that the ExecStart and WorkingDirectory lines include the path to the user's home folder, so make sure you have the correct username in there, and double check the path to NodeJS in the ExecStart line. The AmbientCapabilities line gives the service process cap_net_bind_service, so under systemd MeshCentral can bind ports 80 and 443 as an unprivileged user even without the setcap step above (that step is still needed for the manual runs earlier in this guide).

Once we have this file created we can now enable, start, stop and disable MeshCentral:

sudo systemctl enable meshcentral.service
sudo systemctl start meshcentral.service
sudo systemctl stop meshcentral.service
sudo systemctl disable meshcentral.service

Run the first two commands to enable then start MeshCentral. Enabling the service will make MeshCentral start up automatically each time the computer restarts.

Once MeshCentral is started, you can access it via web browser just as we did earlier. You should now refer to the MeshCentral User's Guide or this wiki's configuration guides for information on how to further configure and use MeshCentral.


1)
only needed if migrating from MeshCentral1
2)
I have personally never encountered this issue, but it has been known to happen
  • howto/installation/manual/aws.txt
  • Last modified: 2021/06/04 18:01
  • by jjoelc