Registering a PEM agent v8
You must register each PEM agent installed on a separate host with the PEM server. (The PEM agent is different from the PEM server host.) The registration process provides the PEM server with the information it needs to communicate with the agent. The PEM agent graphical installer for Windows supports self-registration for the agent. On a Linux host, you must use the pemworker utility to register the agent.
The PEM agent package installer places the PEM agent in the /usr/edb/pem/agent/bin directory. To register an agent, include the --register-agent keywords along with registration details when invoking the pemworker utility:
pemworker --register-agent
Note
- The PEM agent installed on the PEM server host is registered with the PEM server by default.
- After upgrading the PEM agent, you need to restart it. It doesn't require registration.
Append command line options to the command string when invoking the pemworker utility. Follow each option with a corresponding value.
| Option | Description |
|---|---|
--pem-server | The IP address of the PEM backend database server. This parameter is required. |
--pem-port | The port of the PEM backend database server. The default value is 5432. |
--pem-user | The name of the database user having superuser privileges of the PEM backend database server. This parameter is required. |
--pem-agent-user | The agent user to connect the PEM server backend database server. |
--cert-path | The complete path to the directory where certificates are created. If you don't provide a path, certificates are created in ~/.pem on Linux and %APPDATA%/pem on Windows |
--config-dir | The directory path for the configuration file. The default is <pemworker path>/../etc. |
--display-name | A user-friendly name for the agent to display in the PEM browser tree. The default is the system hostname. |
--force-registration | Include the force_registration clause to register the agent with the arguments provided. This clause is useful if you're overriding an existing agent configuration. The default value is Yes. |
--group | The name of the group in which the agent is displayed. |
--team | The name of the database role on the PEM backend database server with access to the monitored database server. |
--owner | The name of the database user on the PEM backend database server who owns the agent. |
--allow_server_restart | Enable the allow-server_restart parameter to allow PEM to restart the monitored server. The default value is True. |
--allow-batch-probes | Enable the allow-batch-probes parameter to allow PEM to run batch probes on this agent. The default value is False. |
--batch-script-user | The operating system user to use for executing the batch/shell scripts. The default value is none. The scripts don't execute if you leave this parameter blank or the specified user doesn't exist. |
--enable-heartbeat-connection | Enable the enable-heartbeat-connection parameter to create a dedicated heartbeat connection between the PEM agent and server to update the active status. The default value is False. |
--enable-smtp | Enable the enable-smtp parameter to allow the PEM agent to send the email on behalf of the PEM server. The default value is False. |
--enable-snmp | Enable the enable-snmp parameter to allow the PEM agent to send the SNMP traps on behalf of the PEM server. The default value is False. |
-o | Specifies whether you want to override the configuration file options. |
If you want to use any PEM feature for which a database server restart is required by the pemagent (such as Audit Manager, Log Manager, or the Tuning Wizard), then you must set the value for allow_server_restart to true in the agent.cfg file.
Note
When configuring a shell/batch script run by a PEM agent that has PEM version 7.11 or later installed, you must specify the user for the batch_script_user parameter. We strongly recommend that you use a nonroot user to run the scripts. Using the root user might result in compromising the data security and operating system security. However, if you want to restore the pemagent to its original settings using root user to run the scripts, then you must set the batch_script_user parameter to root.
Before any changes are made on the PEM database, the connecting agent is authenticated with the PEM database server. When invoking the pemworker utility, you must provide the password associated with the PEM server administrative user role (postgres). You can specify the administrative password in three ways:
- Set the
PEM_MONITORED_SERVER_PASSWORDenvironment variable. - Provide the password on the command line with the
PGPASSWORDkeyword. - Create an entry in the
.pgpassfile.
If you don't provide the password, a password authentication error occurs. You are prompted for any other missing required information. When the registration is complete, the server confirms that the agent was successfully registered.
Unregistering a PEM agent
You can use the pemworker utility to unregister a PEM agent. To unregister an agent, include the --unregister-agent keywords along with the details when invoking the pemworker utility:
pemworker --unregister-agent
Append command line options to the command string when invoking the pemworker utility. Follow each option with a corresponding value:
| Option | Description |
|---|---|
--pem-user <username> | Specifies the name of the database user (member of pem_admin role) of the PEM backend database server. This parameter is required. |
--config-dir | Specifies the directory path for the configuration file. The default is "<pemworker path>/../etc". |
Setting PEM agent configuration parameters
The PEM agent RPM installer creates a sample configuration file named agent.cfg.sample in the /usr/edb/pem/agent/etc directory. When you register the PEM agent, the pemworker program creates the actual agent configuration file, named agent.cfg.
You must add the location of the ca-bundle.crt certificate authority file. By default, the installer creates a ca-bundle.crt file in the location specified in your agent.cfg.sample file. You can copy the default parameter value from the sample file or, if you use a ca-bundle.crt file that's stored in a different location, specify that value in the ca_file parameter:
ca_file=/usr/libexec/libcurl-pem7/share/certs/ca-bundle.crt
Then, use a platform-specific command to start the PEM agent service. The service is named pemagent.
On a RHEL or CentOS 7.x or 8.x host, use systemctl to start the service:
systemctl start pemagent
The service confirms that it's starting the agent. When the agent is registered and started, it appears on the Global Overview dashboard and in the Object browser tree of the PEM web interface.
For information about using the pemworker utility to register a server, see Registering a database server.
Using a nonroot user account to register a PEM agent
To use a nonroot user account to register a PEM agent, you must first install the PEM agent as a root user. After installation, assume the identity of a nonroot user, such as edb. Then:
Log in as edb. Create
pemandlogsdirectories and assign read, write, and execute permissions:$ mkdir /home/edb/pem $ mkdir /home/edb/pem/logs $ chmod 700 /home/edb/pem $ chmod 700 /home/edb/pem/logs
Register the agent with PEM server:
$ export PEM_SERVER_PASSWORD=edb # Use the following command to create agent certificates and an agent # configuration file (`agent.cfg`) in the `/home/edb/pem` directory. $ /usr/edb/pem/agent/bin/pemworker --register-agent --pem-server <172.19.11.230> --pem-user postgres --pem-port 5432 --display-name non_root_pem_agent --cert-path /home/edb/pem --config-dir /home/edb/pem # Use the following command to assign read and write permissions to # these files: $ chmod -R 600 /home/edb/pem/agent*
Change the parameters of the
agent.cfgfile:$ vi /home/edb/pem/agent.cfg agent_ssl_key=/home/edb/pem/agent<id>.key agent_ssl_crt=/home/edb/pem/agent<id>.crt log_location=/home/edb/pem/worker.log agent_log_location=/home/edb/pem/agent.log
Where
<id>is the assigned PEM agent ID.Create a
tmpdirectory, set the environment variable, and start the agent:$ mkdir /home/edb/pem/tmp # Create a script file, add the environment variable, give permissions, and execute: $ vi /home/edb/pem/run_pemagent.sh #!/bin/bash export TEMP=/home/edb/agent/tmp /usr/edb/pem/agent/bin/pemagent -c /home/edb/agent/agent.cfg $ chmod a+x /home/edb/pem/run_pemagent.sh $ cd /home/edb/pem $ ./run_pemagent.sh
Your PEM agent is now registered and started with the edb user. If your machine restarts, then this agent doesn't restart automatically. You need to start it manually using the previous command.
Optionally, you can create the service for this PEM agent as the root user to start this agent automatically at machine restart as follows:
a. Update the values for the configuration file path and the user in the
pemagentservice file as superuser:$ sudo vi /usr/lib/systemd/system/pemagent.service [Service] Type=forking WorkingDirectory=/home/edb/pem Environment=LD_LIBRARY_PATH=/usr/edb/pem/agent/lib:/usr/libexec/edb-snmp++/lib Environment=TEMP=/home/edb/pem/tmp ExecStart=/usr/edb/pem/agent/bin/pemagent -c /home/edb/pem/agent.cfg
b. Stop the running agent process, and then restart the agent service:
# Find the process id of the running pem agent and pem worker process and kill that process $ ps -ax | grep pemagent $ kill -9 <process_id_of_pemagent> $ ps -ax | grep pemworker $ kill -9 <process_id_of_pemworker> # Enable and start pemagent service $ sudo systemctl enable pemagent $ sudo systemctl start pemagent $ sudo systemctl status pemagent
Check the agent status on the PEM dashboard.
Note
Any probes and jobs that require root permission or access to a file owned by another user (for example, enterprisedb) fail.