Lighthouse Enrollment

Opengear appliances can be enrolled into a Lighthouse instance, providing centralized access to console ports, automation, and central configuration of Opengear devices.

Lighthouse central management uses persistent, public-key-authenticated SSH tunnels to maintain connectivity to managed console servers.

All network communications between Lighthouse and each console server (e.g. access to the web UI), and the console server's managed devices (e.g. the serial consoles of network equipment), are tunneled through this SSH management tunnel.

The following articles and the Lighthouse User Guide contain further information about Lighthouse Enrollment:

Manual enrollment using UI or CLI

How do I add Nodes to Lighthouse

Lighthouse User Guide

Manual Enrollment Using UI

Note: To enroll your Operations Manager to a Lighthouse instance, you must have Lighthouse installed and have an enrollment token set in Lighthouse.

  1. In Lighthouse, set an OM enrollment token: open the CONFIGURE > NODE ENROLLMENT > Enrollment Settings page and enter an Enrollment Token.

    Tip: The same token will be entered in the NEW LIGHTHOUSE ENROLLMENT page of the Operations Manager.

  2. Enroll your Operations Manager in this Lighthouse instance:
    Click CONFIGURE > Lighthouse Enrollment

  3. Click on the Add Lighthouse Enrollment button on the top-right of the page. The New Lighthouse Enrollment page opens.

  4. Enter the IP address or fully qualified domain name of the Lighthouse instance and the Enrollment Token you created in Lighthouse. Optionally enter a Port and an Enrollment Bundle (see the Lighthouse User Guide for more information about Bundling).

  5. Click the Apply button. A flag will confirm the enrollment.

Note: Enrollment can also be done directly via Lighthouse using the Add Node function. See the Lighthouse User Guide for more instructions on enrolling Opengear devices into Lighthouse.

Manual Enrollment Using the CLI

For complete instructions on Lighthouse Enrollment via the CLI, please refer to this link: Manual enrollment using UI or CLI.

Automatic Enrollment By Lighthouse Service Portal (LSP)

Lighthouse Service Portal (LSP) is an Opengear solution that enables Operations Manager nodes (OM1200 and OM2200) to perform a zero-touch call home and automatic enrollment into a customer's Lighthouse instance of choice.

Note: LSP is not configurable and cannot be added in-field.

No user setup is required for LSP. LSP should begin working upon boot or factory reset.

LSP Service Initialization

When the node is initially powered up or rebooted, ZTP begins to run, sees that the device is LSP enabled, and exits before applying any configuration. Systemd triggers LSP.

The node connects to the internet and adds an NTP server to ensure crypto is working. It then pulls an updated Docker container which it runs, and waits while the Docker container writes out the appropriate Lighthouse bundle associated with the serial number, then exits.

Identity is verified by a TPM attestation key with the serial number encoded and signed by the attestation key and a CA running in AWS. An accompanying certificate is stored in the secure Trusted Platform Module (TPM).

If there are no connectivity issues, the LSP status LED (cloud on OM2200) changes progressively from amber flashing (LSP is running) to green flashing (Lighthouse is connecting) to green solid (Lighthouse connected successfully). See Device Status LEDs.

LED state | Cloud / Internet LED (OM Devices)
Off | LSP is disabled and there are no existing Lighthouse enrollments.
Amber Flashing | LSP is currently running on the device.
Amber Solid | An error occurred while running LSP.
Green Flashing | The device can reach the Lighthouse instance and is attempting to enroll. If a Lighthouse is unreachable the LED will not start.
Green Solid | The device is enrolled and connected to a Lighthouse. There will be a short delay between the UI status reported and the LED changing to solid green.

Note: OM1200 series devices do not have a cloud LED, therefore, no LED indication is available for LSP or Lighthouse.

LSP Commands

LSP is run by a systemd service and can be controlled by systemctl commands which are self-explanatory:

systemctl start lsp
systemctl stop lsp
systemctl enable lsp
systemctl disable lsp

The systemd service also checks for the absence of a file /var/lib/lsp/.lsp-disabled before it will actually run the service.

Restarting The Service

If LSP has been disabled due to an error or a successful completion, remove the file /var/lib/lsp/.lsp-disabled to re-enable the service. After that, LSP can be controlled via standard systemctl commands.

LSP Errors and Exit Codes

LSP initiation can sometimes encounter errors, for example, failure to communicate with the REST-API. In these situations, LSP attempts recovery by running from the start again after waiting for a short period.

Before LSP exits with one of these failures, it sets the cloud Status LED to solid amber, and the LED remains solid amber until the process starts running again to try and recover. If a process error is repeated for an extended time, then it is likely that something is preventing LSP from completing properly.

LSP Logging & Errors

LSP logs from the systemd service and docker container are all stored in the system journal. The LSP service logs can be accessed with journalctl -u lsp, and the container logs can be viewed with journalctl -b CONTAINER_NAME=LSP_AGENT.

When the docker container runs, it will display the docker registry and digest hash of the running container.

Log Message/Error Code | Event/Definition
Device is LSP enabled. | The device supports LSP.
Disabling the LSP systemd service. | The device does not support LSP. No logs, the LSP service should be disabled without performing any operations.
Key detected in the TPM without a certificate. Due to the missing certificate this device is unable to perform LSP. Opengear Support Required! | The device contains a key but no certificate. This should not happen in the field, and the device will require that the customer contact Opengear Support. It may require an RMA.
No existing Lighthouse enrollment found, proceeding with LSP. | No existing Lighthouse is configured, LSP is able to proceed.
Running LSP Docker container. | The docker container has started.
LSP Docker container has finished executing. | The docker container has finished.
Configuring Lighthouse enrollment. | Lighthouse enrollment configuration has started.
Lighthouse enrollment configuration applied successfully. | Lighthouse enrollment configuration has completed.
No Internet connectivity. | The device has no Internet connectivity and does not have a cellular modem, LSP will retry in 60s.
Could not confirm Internet connectivity. Enabling failover. | The device could not reach the Internet with the ethernet interfaces, failover will be enabled on the cellular interface.

Exit Codes

The LSP process returns an exit code depending on the status of the process:

Code | Name | Definition
0 | EXIT_SUCCESS | LSP completed successfully without error. Lighthouse is now enrolling, or Lighthouse is already configured and LSP doesn't need to run, or the device is not an LSP node.
151 | EXIT_RETRY | LSP failed, but will retry.
152 | EXIT_UNRECOVERABLE_ERROR | LSP failed but will not succeed, support is required.
153 | EXIT_STOP | LSP has stopped during execution. It can be started manually.
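
The log messages, exit codes and the /var/lib/lsp/.lsp-disabled check described above can be combined into a small triage helper. This is an added example, not Opengear code; the function names, stage labels and the sample journal lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Opengear code). Message strings, exit codes and the flag
# path come from this page; function names and stage labels are assumptions.

# Constructed sample journal text; timestamp, host and tag are made up.
SAMPLE_JOURNAL='Jan 01 00:00:10 om2200 lsp: Device is LSP enabled.
Jan 01 00:00:11 om2200 lsp: No existing Lighthouse enrollment found, proceeding with LSP.
Jan 01 00:00:40 om2200 lsp: Could not confirm Internet connectivity. Enabling failover.
Jan 01 00:01:30 om2200 lsp: Running LSP Docker container.'

# Read journal lines on stdin and print the most recent LSP stage seen.
lsp_stage() {
    stage="unknown"
    while IFS= read -r line; do
        case "$line" in
            *"Key detected in the TPM without a certificate"*)
                echo "support-required"; return 0 ;;  # sticky: needs Opengear Support
            *"Disabling the LSP systemd service"*)       stage="service-disabled" ;;
            *"No existing Lighthouse enrollment found"*) stage="proceeding" ;;
            *"No Internet connectivity"*)                stage="no-internet-retrying" ;;
            *"Could not confirm Internet connectivity"*) stage="cellular-failover" ;;
            *"Running LSP Docker container"*)            stage="container-running" ;;
            *"LSP Docker container has finished"*)       stage="container-finished" ;;
            *"Configuring Lighthouse enrollment"*)       stage="configuring-enrollment" ;;
            *"enrollment configuration applied"*)        stage="enrollment-applied" ;;
        esac
    done
    echo "$stage"
}

# Map an LSP exit code to a next step; $2 overrides the disable-flag path.
lsp_next_step() {
    flag="${2:-/var/lib/lsp/.lsp-disabled}"
    case "$1" in
        0)   echo "EXIT_SUCCESS: nothing to do" ;;
        151) echo "EXIT_RETRY: LSP will retry; follow journalctl -u lsp" ;;
        152) echo "EXIT_UNRECOVERABLE_ERROR: contact Opengear Support" ;;
        153) if [ -e "$flag" ]; then
                 echo "EXIT_STOP: remove $flag, then systemctl start lsp"
             else
                 echo "EXIT_STOP: systemctl start lsp"
             fi ;;
        *)   echo "UNKNOWN: exit code $1 is not documented here"; return 1 ;;
    esac
}

printf '%s\n' "$SAMPLE_JOURNAL" | lsp_stage   # stage for the constructed sample
```

On a device, pipe the output of journalctl -u lsp into lsp_stage instead of the sample text.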