Skip to main content

Deploying tbot on Linux

Report an Issue

This page explains how to deploy the Machine & Workload Identity agent, tbot, on a Linux host.

How it works

The process in which tbot initially authenticates with the Teleport cluster is known as joining. A join method is a specific technique for the bot to prove its identity.

On platforms where there is no native form of identity available to the machine, the preferred join method is bound_keypair. Unlike other join methods, a bound_keypair join token can only be used to join a single bot. Read more about Bound Keypair Joining.

Prerequisites

  • A running Teleport cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

  • The tctl and tsh clients.

    Installing tctl and tsh clients

    1. Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service:

      TELEPORT_DOMAIN=teleport.example.com:443
      TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"

    2. Follow the instructions for your platform to install tctl and tsh clients:

      Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients:

      curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg

      In Finder double-click the pkg file to begin installation.

      danger

      Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

  • To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and email@example.com to your Teleport username: 
    tsh login --proxy=teleport.example.com --user=email@example.com
    tctl status
    Cluster  teleport.example.com
    Version  19.0.0-dev
    CA pin   sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
    If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.
  • A Linux host that you wish to install tbot onto.
  • A Linux user on that host that you wish tbot to run as. In the guide, we will use teleport for this.

Step 1/4. Install tbot

This step is completed on the Linux host.

First, tbot needs to be installed on the VM that you wish to use Machine & Workload Identity on.

Install Teleport as appropriate for your platform:

To install a Teleport Agent on your Linux server:

The recommended installation method is the cluster install script. It will select the correct version, edition, and installation mode for your cluster.

  1. Assign teleport.example.com:443 to your Teleport cluster hostname and port, but not the scheme (https://).

  2. Run your cluster's install script:

    curl "https://teleport.example.com:443/scripts/install.sh" | sudo bash

Step 2/4. Create a bot user

This step is completed on your local machine.

Create the bot with tctl bots add:

tctl bots add example
The bot joining URI: tbot+proxy+bound-keypair://bot-example-abc123:secret@example.teleport.sh:443This token must be used within 59 minutes after which it must be recreated.
[...]

Take note of the joining URI as it will be used in the next step. Joining URIs contain all the information needed for the tbot client to connect to and authenticate with your Teleport cluster. Be aware that this URI contains a single use secret value (shown as secret in the above example) and should be copied with care.

Step 3/4. Configure tbot

This step is completed on the Linux host.

Create /etc/tbot.yaml:

version: v2
join_uri: tbot+proxy+bound-keypair://bot-example-abc123:secret@example.teleport.sh:443
storage:
  type: directory
  path: /var/lib/teleport/bot
# services will be filled in during the completion of an access guide.
services: []

Replace:

  • The join_uri field value with the joining URI printed by tctl in step 2.
note

The first time that tbot runs, the registration secret contained within the joining URI will be used to authenticate the first connection. After the first successful join, the registration secret is invalidated. You may remove it from the join URI (shown as secret in the example token) in your configuration file after the first run has completed, but there is no tangible security benefit to doing so.

Prepare the storage directory

Create the bot data directory and grant permissions to access it to the Linux user (in our example, teleport) which tbot will run as.

Make the bot directory and assign ownership to teleport user
sudo mkdir -p /var/lib/teleport/bot
sudo chown teleport:teleport /var/lib/teleport/bot
Allow teleport user to open directory
sudo chmod +x /var/lib/teleport /var/lib/teleport/bot

Create a systemd service

By default, tbot will run in daemon mode. However, this must then be configured as a service within the service manager on the Linux host. The service manager will start tbot on boot and ensure it is restarted if it fails.

If tbot was installed using the Teleport install script or teleport-update command, the tbot systemd service is automatically created for you.

After tbot.yaml is created, enable and start the service::

sudo systemctl enable tbot --now

Check the service has started successfully:

sudo systemctl status tbot

Service properties like User and Group may be configured using systemctl edit tbot.`

If tbot was installed manually, service configuration will need to be performed manually as well.

For this guide, systemd will be demonstrated but tbot should be compatible with all common alternatives.

Use tbot install systemd to generate a systemd service file:

sudo tbot install systemd \   --write \   --config /etc/tbot.yaml \   --user teleport \   --group teleport \   --anonymous-telemetry

Ensure that you replace:

  • teleport with the name of Linux user you wish to run tbot as.
  • /etc/tbot.yaml with the path to the configuration file you have created.

You can omit --write to print the systemd service file to the console instead of writing it to disk.

--anonymous-telemetry enables the submission of anonymous usage telemetry. This helps us shape the future development of tbot. You can disable this by omitting this.

Next, enable the service so that it will start on boot and then start the service:

sudo systemctl daemon-reload
sudo systemctl enable tbot --now

Check the service has started successfully:

sudo systemctl status tbot

Step 4/4. Configure services

You have now prepared the base configuration for tbot. At this point, it identifies itself to the Teleport cluster and renews its own credentials but does not output any credentials for other applications to use.

Follow one of the access guides to configure a service that meets your access needs.

Next steps