Tableau Server On Linux 2018 Update

Transcription

#TC18
Tableau Server on Linux 2018 Update
Robert S. Brewer
Manager, Engineering
Tableau Software, Inc.

About Me

At Tableau

Why Linux?
Because you wanted it!
Orgs already using Linux for servers
Reduce Windows licensing costs
Both on-prem and in public cloud
Easy to script & automate

About This Talk
Updated version of my TC17 talk
Overview of Server on Linux
  Installing Tableau Server on Linux
  Understanding Tableau Services Manager (TSM) and security model
  Changes from 10.5 to 2018.X & 2019.1 beta
This talk is not
  How to switch from Windows to Linux
  Deep dive on TSM

Server on Linux 10.5
Initial release
First release of TSM

Server on Linux 2018.1 Improvements
Major improvements to security model
  #SudoersZero (no sudo!)
Minor improvements
  Setting environment variables for TSM services
  Server-specific locale (different from host)
New!

Server on Linux 2018.2 Improvements
Amazon Linux 2 distro support
New!
TSM web UI released
Server on Windows switches to TSM

Server on Linux 2018.3 Improvements
Minor improvements
  Configure forward proxy with initialize-tsm
  tabcmd Bash command completion
New!

Server on Linux 2019.1 Beta Improvements
Install packages outside of /opt
Avoid su for TSM auth via directory service
New!

Agenda
Preparing for Linux
Installation & Initialization
Upgrades
Tidbits
Recap, Q&A

Preparing for Linux

Linux Distro Support
RHEL-like
  Red Hat Enterprise Linux (RHEL) 7.3
  CentOS 7.3
  Oracle Linux 7.3
  Amazon Linux 2 (New! 2018.2)
Debian-like
  Ubuntu 16.04
  Debian (planned)
SUSE (planned)

Resource Requirements 1
Generally the same as Windows
  Bare minimum: 2 CPU cores, 8 GB
  Recommended: 8 CPU cores, 32 GB
CPU cores
  We count actual cores, not hyperthreads
  Cloud note: some “vCPUs” (AWS & GCP) are hyperthreads

Resource Requirements 2
Disk space
  Installation directory: binaries go here, 3 GB per version
  Data directory: all your data goes here, go large ( 50 GB)
Account password
  Need to have a password set (see TSM authentication)
  Cloud note: if logging in via ssh pubkey, you might not have a password!
  To set one: sudo passwd username

Tableau Services Manager (TSM)
TSM is a client/server system for management
  Separates server management from server itself
  tsm command REST client
  Controller service endpoint REST API
  Applies action to managed service i.e., Tableau Server
TSM is REST API endpoints with thin clients
Linux is TSM-only
  Bye-bye classic tabadmin!

TSM & Tableau se Service
Backgrounder
Vizportal
VizQL Server
Gateway
[ ]

Differences for Windows Admins
Installation
  Major focus of this talk
Tableau Services Manager (TSM)
Data Connectivity Drivers
  Many drivers available on Linux (but not all)
Upgrades
Fonts
But many things remain the same
  Configuration keys
  Services
  Etc.

Differences for End Users

Installation

Installation
Bash script run as root
Initialize Server: Using tsm CLI

Package Installation
Install package: Linux native package
Initialize TSM: Bash script run as root
Initialize Server: Using tsm CLI

Server Package Installation
We use distro-native packages
  RHEL-based distros: RPM
  Debian-based distros: deb
Depend on other packages
  Automatically downloaded from standard distro repositories
Installing on RHEL-like distros
  sudo yum install tableau-server-2018-2-0.x86_64.rpm
Installing on Debian-like distros
  sudo gdebi -n tableau-server-2018-2-0_amd64.deb
  We use gdebi (not apt-get) because it works better with local packages

Server Package Layout
Installation directory
  /opt/tableau/tableau_server
  Location not configurable (for now )
  Everything owned by root, 7.1415.json
Side by side 0627.2230[.]

Install Server Anywhere (2019.1 beta)
Install packages in arbitrary locations
New!
Install package dependencies manually
  sudo rpm -i --prefix 234.x86_64.rpm
Everything else just works as normal
Only available on RHEL-like distros
  Equivalent functionality not available in deb package format

Driver Package Installation
Drivers distributed separately
  Some directly from Tableau
  Others downloaded from vendor
Installation directory
  /opt/tableau/tableau_driver
Configuration file: tgresql-odbc[.]
Required to display Site Status dashboards

Package Installation
Install package: Linux native package
Initialize TSM: Bash script run as root
Initialize Server: Using tsm CLI

TSM Background

TSM Security Model (10.5.X)
Privilege separation
  TSM Agent runs as privileged user
    Default username: tsmagent
  Everything else runs as unprivileged user
    Default username: tableau
Privilege provided by sudo
  TSM initialization installs sudoers file
  Enumerates commands we need to run as root
File access via shared group
  Group read/write access on files
  Shared group must be their primary group
  Default name: tableau
User & group names are configurable
Server authorized group (tableau)

TSM Security Model (10.5.X 2018.1 )
Privilege separation
  TSM Agent runs as privileged user
    Default username: tsmagent
  Everything else runs as unprivileged user
    Default username: tableau
Privilege provided by sudo
#SudoersZero
  TSM initialization installs sudoers file
  Enumerates commands we need to run as root
File access via shared group
  Group read/write access on files
  Shared group must be their primary group
  Default name: tableau
User & group names are configurable
Server authorized group (tableau)

TSM Security Model (2018.1 )
Tableau Server w/o privileges
  Everything runs as unprivileged user
  New!
  Default username: tableau
  Unprivileged user (tableau)
Certain actions require privilege
  Installing & initializing
  Upgrading
Files owned by unpriv user’s group
  TSM admins added as convenience
  Default name: tableau
User & group names are configurable
File Group (tableau)

TSM Access Control
TSM delegates access control to underlying OS
  On Linux, ruled by PAM configuration
  Benefits from any PAM policies like auditing, throttling, etc.
  Uses whatever directory service is configured (if any)
Authentication by username & password
  Uses su command to verify credentials
  Works however PAM is configured
Authorization by group membership
  To log in, users must belong to TSM authorized group
  Default name: tsmadmin
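
Added example (not from the talk and not Tableau code): TSM login needs both membership in the TSM authorized group and a password that su/PAM can verify, which is the combination the cloud note under Resource Requirements 2 warns about. The helper name tsm_auth_audit, the sample accounts and the hash placeholder are constructed; only local accounts in /etc/group and /etc/shadow format are covered.

```sh
#!/bin/sh
# tsm_auth_audit GROUP [GROUP_FILE] [SHADOW_FILE]   (hypothetical helper name)
# Prints "<user> <state>" for every member listed in the group entry:
#   ok         password hash present, a su/PAM password check can succeed
#   locked     field starts with ! or * (typical for ssh-key-only cloud users)
#   empty      empty password field
#   not-local  no shadow entry, e.g. the account lives in a directory service
# Caveat: users whose PRIMARY group is GROUP are not listed in field 4.
tsm_auth_audit() {
  awk -F: -v g="$1" -v sf="${3:-/etc/shadow}" '
    FILENAME == sf { pw[$1] = $2; known[$1] = 1; next }
    $1 == g {
      n = split($4, member, ",")
      for (i = 1; i <= n; i++) {
        u = member[i]
        if (!(u in known))         state = "not-local"
        else if (pw[u] == "")      state = "empty"
        else if (pw[u] ~ /^[!*]/)  state = "locked"
        else                       state = "ok"
        print u, state
      }
    }' "${3:-/etc/shadow}" "${2:-/etc/group}"
}

# Constructed sample data: thomasa is the login used on the slides, the other
# accounts and the hash placeholder are made up for this demonstration.
tsm_auth_demo() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/group" <<'EOF'
tableau:x:992:
tsmadmin:x:993:thomasa,ec2-user,ldapuser
EOF
  cat > "$dir/shadow" <<'EOF'
thomasa:$6$CONSTRUCTED$placeholderhash:17800:0:99999:7:::
ec2-user:!!:17800:0:99999:7:::
EOF
  tsm_auth_audit tsmadmin "$dir/group" "$dir/shadow"
  rm -rf "$dir"
}

tsm_auth_demo
```

Against a real host, run tsm_auth_audit tsmadmin as root so that /etc/shadow is readable; a member reported as locked cannot log in to TSM until a password is set with sudo passwd username.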

TSM User & Groups Overview
User
  Unprivileged User (tableau): runs everything
Groups
  File Group (tableau): shared file access
  TSM Auth. Group (tsmadmin): TSM access

Initializing TSM
Install package: Linux native package
Initialize TSM: Bash script run as root
Initialize Server: Using tsm CLI

Initializing TSM
Why a separate step?
  Package installation doesn’t allow configuration parameters
  E.g. picking the data directory
initialize-tsm
  Bash script, must be run as root
  Lots of configuration options: data directory, user & group names, etc.
  Defaults should work for many customers

Live Demo
Let’s initialize TSM

Initializing TSM: A One Time Operation
initialize-tsm runs once
  Only needed the first time you initialize TSM
  Not part of upgrading to a new version
Most options can’t be changed after init
  User & group names
  Data directory path
  Choose wisely

Initializing TSM
Install package: Linux native package
Initialize TSM: Bash script run as root
Initialize Server: Using tsm CLI

Initializing Tableau Server
Install package: Linux native package
Initialize TSM: Bash script run as root
Initialize Server: Using tsm CLI

Interacting with TSM: web UI (2018.2)
New!

Interacting with TSM: CLI
TSM command line interface: tsm
  REST API client
  Prompts for username & password
  All communication is TLS-secured
Oodles of commands
  For the full list: tsm help commands
  All your favorites: backup, restore, ziplogs, start, stop
  Now organized into categories and eenablelistmutual-ssl[ ]

Live Demo
Let’s initialize Tableau Server

Adding “Worker” Nodes
No distinction between nodes
  Just initial node with TSM controller, and additional nodes
  Same install package for additional nodes
Obtain bootstrap file from controller node
  tsm topology nodes get-bootstrap-file --file bootstrap.json
Additional parameters for initialize-tsm
  Bootstrap file from first node
  Username/password for TSM
  sudo ./initialize-tsm --accepteula -b bootstrap.json -u thomasa

The Easy Life: Automated Installer
Install package: Linux native package
Initialize TSM: Bash script run as root
Initialize Server: Using tsm CLI
Automated Installer

What is the Automated Installer?
Bash script
  Installs package, initializes TSM, initializes server
  Fully customizable
Parameters Galore
  All initialize-tsm parameters
  Additional parameters: config, license key, etc.
Automatable
  Passwords can be provided in secrets file
  Tableau uses it extensively for internal testing
Example invocation
  sudo ./automated-installer -s secrets -r registration.json -f config.json --accepteula -v -k SUPER-KOOL-LICENSE-KEY tableau-server-2018-2-0.x86_64.rpm

How Do I Get It?
Chicken & egg problem
  It installs server package, so can’t be inside the package
Distributed as separate package
  Find it on r
  Install via yum or gdebi
  Versioned along with Tableau Server
Installation location
  /opt/tableau/tableau_server_automated_installer/automated-installer. vers

When Not to Use Automated Installer
First time installs
  Easier to correct any issues and then move to the next step
  Parameter validation
  Setting up authentication, like AD binding
Changing topology
Installing outside of /opt (2019.1 beta)
Roll your own automation

Upgrades

Violating Linux Packaging Norms
Upgrading a normal package
  sudo yum update acme-normal-package
Server upgrades require more TLC than yum/apt provides
Tableau Server package names include version
  rpm -qpi tableau-server-2018-1-4.x86_64.rpm
  Name: tableau-server-20181.18.0807.1415
  rpm -qpi tableau-server-2018-2-0.x86_64.rpm
  Name: tableau-server-20182.18.0627.2230
Upgrade by installing a new package, not updating old package

Tableau Server Upgrade Paradigm
Install new package version
  All install bits are versioned
  Multiple versions live side-by-side
  Installing a new package version is harmless!
  For clusters, install package on all nodes
Update data directory to new version and start server
  upgrade-tsm script on controller node
Delete old packages at your leisure
  Reclaims disk space, nothing more
Never need to upgrade a package
  sudo yum update tableau-server-20182.18.0627.2230.x86_64
  Safe, but does nothing

Upgrade Example: 2018.1.4 to 2018.2
Running version 20181.18.0807.1415 (2018.1.4)
Install new package version
  sudo yum install tableau-server-2018-2-0.x86_64.rpm
  You can do this whenever, since it doesn’t take down your server
Back up your server
Upgrade data dir to new version and start server
  sudo /opt/tableau/tableau tsm --accepteula -u username
  Always run the new upgrade-tsm!
Make sure server is running OK
Sometime later, remove old package
  sudo yum erase tableau-server-2018-1-4

Upgrade Don’ts
Don’t uninstall the running version!
  But if you do, you can recover
  Reinstall same package
  Rerun initialize-tsm
  Will just restart the TSM services
Don’t run initialize-tsm from new version
  Stick with upgrade-tsm

Server TSM
Initialize Server
Uninstall Old Package
Upgrade TSM

Tidbits

Obliterate Script
Sometimes you want to start from scratch
Removes (almost) all traces of Tableau Server
  Will delete all your workbooks, extracts, users, everything!
  Will remove all server packages
Not something you will use often
tableau-server-obliterate
  Lives in /opt/tableau/tableau_server/packages/scripts.<version>
What if I removed the package before obliterating?
  We stash a copy in /var/tmp when uninstalling a package

Logs for Install Scripts (2018.1 )
Install scripts now write logs to /var/tmp
Helpful for debugging
Not grabbed by ziplogs or
[Directory listing of root-owned log files in /var/tmp, including:]
  Feb 27 20:37 migrate-to-single-user-18.0227.2037.06.log
  Feb 27 20:47 upgrade-tsm-18.0227.2037.37.log

Using a Forward Proxy (2018.3 )
Want to send all outbound traffic to a proxy?
Now easy to configure a forward proxy
New parameters for initialize-tsm
  --http_proxy=<value>
  --https_proxy=<value>
Example invocation
  sudo initialize-tsm --http_proxy=http://example.com:3128/

Setting Environment Variables (2018.1 )
Want to change the environment of TSM services?
  They run via systemd, so can’t set env vars by normal means
Now easy to set via config directory
  Drop file in: /var/opt/tableau/tableau_server/.config/systemd/tableau_server.conf.d/
  Restart TSM services

Setting Locale for Server (2018.1 )
Want Server to use a different locale from your OS?
  Linux OS fr_CA, but Tableau Server en_US
Set desired Server locale before initialize-tsm
  export LANG=en_US.UTF-8
  sudo initialize-tsm
Actually uses env var directory from last slide!
  cat /var/opt/tableau/tableau_server/.config/systemd/tableau_server.conf.d/10-lang.conf
  LANG=en_US.utf8

Closing

Recap
Preparing for Linux
Installation & Initialization
Upgrades
Tidbits

Related Sessions
Linux Meetup: Wed 1:45-2:45 PM, L2 - R01
Tableau Server and Containers: Tableau Labs, Wed & Thu, Data Village
Server Documentation Feedback: Tableau Labs, By Appointment, Data Village
Introducing Tableau Services Manager: Tue 2:15-3:15 PM, L3 - 333

Please complete the session survey from the My Evaluations menu in your TC18 app

Ready For More?
Haven’t tried Server on Linux yet?
  Download a trial: t to check out our betas?
  Sign up for beta access: https://www.tableau.com/getbeta
  Download the 2019.1 beta 1 and try it out: https://prerelease.tableau.com/key/beta

#TC18
Thank you!
rbrewer@tableau.com
