Pre-requisites for Monitoring a XenServer

There are several pre-requisites for an eG agent to be able to monitor a XenServer and the guest VMs hosted on it.

  1. If an eG agent is installed on the control domain, allow the eG agent to communicate back to the eG management console: Make sure that the firewall on the XenServer is configured to allow outbound traffic from the eG agent to the eG management console. The port used for this communication is determined at the time the eG manager and agents are installed in your environment; port 7077 is the default. To configure the agent-manager communication, do the following:

    • Log in to the XenServer host.
    • Edit the iptables file in the /etc/sysconfig/ directory.
    • To open the eG manager port, insert the following line anywhere in the file, but before the reject line:

      -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 7077 -j ACCEPT

    • Save the file.
    • Restart the network service by issuing the command: /sbin/service iptables restart
  2. Enable auto-discovery of VMs by eG Enterprise: Xentools must be installed on all guest operating systems hosted on a XenServer. Using Xentools, the eG agent determines the IP addresses of the guest VMs and the operating systems that they are configured with. If the eG Enterprise monitor shows “N/A” against the IP address field or the operating system type of any VM, this is usually a good indicator that Xentools has not been installed on that VM.
  3. Enable the eG agent to access the XenServer API (for agentless monitoring or for agent-based monitoring):

    • In order to ensure that the eG agent uses XenServer API to discover the guest operating systems executing on a target XenServer host, all the tests that the agent executes should be configured with the name and password of a registered user of the XenServer.
    • By default, the XenServer is not SSL-enabled. This means that by default, the eG agent communicates with the XenServer using HTTP. Accordingly, the ssl flag of all tests executed by the eG agent is set to No by default.

      If you configure the XenServer to use SSL, then make sure that the SSL flag is set to Yes for all tests executed by the eG agent, so that the eG agent communicates with the XenServer using HTTPS.

      Note that a default SSL certificate comes bundled with every XenServer installation. If you want the eG agent to use this default certificate for communicating with an SSL-enabled XenServer, then no additional configuration is required. However, if you do not want to use the default certificate, then you can generate a self-signed certificate for use by the XenServer. In such a case, you need to explicitly follow the broad steps given below to enable the eG agent to communicate with the XenServer via HTTPS:

      • Obtain the server-certificate for the XenServer
      • Import the server-certificate into the local certificate store of the eG agent

      For a detailed discussion on each of these steps, refer to the Troubleshooting section of this document.

  4. Enabling the eG agent to collect “inside view” metrics from Linux guests:

    To allow the eG agent to obtain the “inside view” of Linux VMs, simply ensure that SSH is enabled on all Linux guests to be monitored.

  5. Enabling the eG agent to collect “inside view” metrics from Windows guests, without using the eG VM Agent:

    To allow the eG agent to obtain the “inside view” of Windows VMs without using the eG VM Agent, the following pre-requisites need to be fulfilled:

    • The admin$ share should be enabled for all Windows-based virtual guests being monitored and the administrative account must have permissions to this share drive. Refer to Enabling ADMIN$ Share Access on Windows Virtual Guests for a step-by-step procedure to achieve this.
    • In case of VMs with the Windows XP/Windows 2003/Windows Vista operating systems, the firewall on the guest should be explicitly configured to allow Windows File and Print Sharing services which are required for the eG agent on the Xen host to communicate with the guest operating system.
    • Make sure that the XenServer firewall allows the eG agent to communicate with the Windows File and Print Sharing port (typically, this is port 139). To configure this communication, do the following on the XenServer host:

      • Log in to the XenServer host.
      • Edit the iptables file in the /etc/sysconfig/ directory.
      • To open the Windows File and Print Sharing port, insert the following line anywhere in the file, but before the reject line:

        -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 139 -j ACCEPT

      • Save the file.
      • Restart the network service by issuing the command: /sbin/service iptables restart
    • Also, ensure that the XenServer firewall allows the eG agent on the server to communicate with the Linux guests of the server using SSH. For instance, to allow the eG agent to communicate with the Linux guests listening on port 22 on a XenServer, do the following:

      • Log in to the XenServer host.
      • Edit the iptables file in the /etc/sysconfig/ directory.
      • To open the SSH port 22, insert the following line anywhere in the file, but before the reject line:

        -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j ACCEPT

      • Save the file.
      • Restart the network service by issuing the command: /sbin/service iptables restart
    • To enable the eG agent to communicate with the guest operating systems, an administrative account login and password (either a local account or a domain account) must be provided when configuring the eG monitoring capabilities; different logins can be provided for different VMs on the same XenServer. However, ensure that this account is available or is explicitly created on each of the virtual machines being monitored on a XenServer.
    • Set the inside view using flag for all the “inside view” tests to Remote connection to VM (Windows).
  6. Enabling the eG agent to collect “inside view” metrics from Windows guests, with the help of the eG VM Agent:

    To allow the eG agent to obtain the “inside view” of Windows VMs using the eG VM Agent, the following pre-requisites need to be fulfilled:

    • Install the eG VM Agent
    • Set the inside view using flag for all the “inside view” tests to eG VM Agent (Windows).
  7. Ensure connectivity from the eG agent to the XenServer being monitored and the VMs:

    Since the same agent is used to monitor the outside view of the VMs and the inside view of the VMs, ensure that the agent has IP connectivity to the XenServer and to at least one of the network interfaces of the VMs.

  8. If agentless monitoring is used, ensure communication between the eG remote agent (which performs the agentless monitoring) and the individual VMs.

    • For monitoring a Windows VM, TCP port 139 must be accessible from the remote agent to the VM.
    • To enable the remote agent (on Windows) to obtain the inside view of Windows VMs, the eGurkhaAgent service should run using domain administrator privileges.
    • For monitoring a Linux VM, the SSH port (TCP port 22) must be enabled for communication between the remote agent and the VM being monitored.
  9. Ensure that the XenServer is configured to allow remote performance monitoring:

    When configuring monitoring for XenServers in the eG Enterprise administration console, you will be prompted to enter a user name which will be used by the agent to collect performance metrics from the XenServer. For monitoring XenServer 5.5 (or below), you must specify the “root” user credentials for the eG agent to be able to collect metrics. However, if you are monitoring XenServer 5.6 (or above) and you prefer not to expose the credentials of the root user, then, you have the option of configuring a user with pool-admin privileges as the xen user. If you do not want to expose the credentials of a root/pool-admin user when monitoring XenServer 5.6 (or above), then you can configure the tests with the credentials of a xen user with Read-only privileges to the XenServer. However, if this is done, then the Xen Uptime test will not run, and the Xen CPU and Xen Memory tests will not be able to report metrics for the control domain descriptor. To avoid such an outcome, do the following before attempting to configure the eG tests with a xen user who has Read-only privileges to the XenServer:

    • Modify the target XenServer’s configuration in the eG Enterprise system. For this, follow the Infrastructure -> Components -> Add/Modify menu sequence, pick Citrix XenServer as the Component type, and click the Modify button corresponding to the target XenServer.
    • In the modify component details page that then appears, make sure that the os is set to Xen and the Mode is set to ssh.
    • Then, in the same page, proceed to provide the User and Password of a user who has the right to connect to the XenServer console via SSH.
    • Then, click the Update button to save the changes.

Once this is done, you can configure the eG tests with the credentials of a xen user with Read-only privileges.
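
The firewall edits in steps 1 and 5 (ports 7077, 139 and 22) all follow the same pattern: the ACCEPT line must sit above the reject line of the RH-Firewall-1-INPUT chain. The script below is an added example, not part of the eG documentation or of XenServer; the function names and the sample file contents are assumptions made for illustration. It inserts the rule once and checks the resulting order:

```shell
# Added example, not eG or Citrix code. FILE is an iptables-save style file.
REJECT_RE='^-A RH-Firewall-1-INPUT .*-j REJECT'

rule_for() {   # rule_for PORT: the rule text as the page gives it
    printf '%s\n' "-A RH-Firewall-1-INPUT -p tcp -m tcp --dport $1 -j ACCEPT"
}

# add_accept_rule FILE PORT: idempotent; fails if FILE has no reject line.
add_accept_rule() {
    rule=$(rule_for "$2")
    if grep -qxF -e "$rule" "$1"; then return 0; fi   # already present
    if ! grep -qE -e "$REJECT_RE" "$1"; then
        echo "no reject line in $1; not editing" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    awk -v rule="$rule" -v re="$REJECT_RE" '
        !done && $0 ~ re { print rule; done = 1 }   # once, above the reject
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # rewrite in place, keeping file mode
    status=$?
    rm -f "$tmp"
    return $status
}

# rule_precedes_reject FILE PORT: 0 only if the rule is above the reject line.
rule_precedes_reject() {
    awk -v rule="$(rule_for "$2")" -v re="$REJECT_RE" '
        $0 == rule && !r { r = NR }
        $0 ~ re && !j    { j = NR }
        END { exit !(r && j && r < j) }
    ' "$1"
}

# Constructed sample of /etc/sysconfig/iptables (not taken from a real host).
write_sample() {
    cat > "$1" <<'EOF'
*filter
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Demo on a scratch file: add the eG manager port, then print the result.
demo=$(mktemp) && write_sample "$demo" && add_accept_rule "$demo" 7077 && cat "$demo"
rm -f "$demo"
```

A rule placed below the reject line is never evaluated, which is why rule_precedes_reject is worth running against the real file before restarting iptables.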