Configure the Alation Agent¶
Alation Cloud Service Applies to Alation Cloud Service instances of Alation
On an existing Alation Agent, you may need to update various configurations, such as:
Configure Agent Address¶
You may need to update the Agent’s address configuration if the Agent is in a disconnected status.
To update the Agent’s address configuration:
Look up the Alation Cloud Service connectivity endpoint for your region in the following table.
Important
For PrivateLink connections, add
[TENANT_NAME].to the beginning of the Agent connectivity endpoint and:8443to the end.For example:
[TENANT_NAME].ocf.use1.alationcloud.com:8443Geography
Location
Agent Connectivity Endpoint
Africa, Europe, & Middle East
Frankfurt
ocf.euc1.eu.alationcloud.comDublin
ocf.euw1.eu.alationcloud.comAmericas
Montreal
ocf.cac1.ca.alationcloud.comVirginia
ocf.use1.alationcloud.comOregon
ocf.usw2.alationcloud.comAsia Pacific
Mumbai
ocf.aps1.ap.alationcloud.comSingapore
ocf.apse1.ap.alationcloud.comSydney
ocf.apse2.ap.alationcloud.comTokyo
ocf.apne1.ap.alationcloud.comIf your organization uses a Web Application Firewall (WAF), inform your firewall admin to allow the Alation Cloud Service connectivity endpoint to pass through.
The Agent configuration file is located on the Agent host machine at /etc/hydra/hydra.toml. Edit the file using your preferred text editor. You may need to use sudo privileges.
In hydra.toml, look for the
addressline. Replace the address value inside the quotation marks with the Alation Cloud Service connectivity endpoint you obtained earlier. If the address is already correct, you don’t need to do anything else.Restart the agent by running the following command:
sudo hydra restart
In Alation, go to the Agents Dashboard and verify that the Agent is now connected to Alation.
Connect with a Proxy¶
If your network routes outgoing traffic through an HTTP CONNECT proxy, you need to:
Add the Alation Cloud Service connectivity endpoint to your proxy server’s allow list.
Add the proxy’s address to the Agent configuration file.
Proxy Allow List
You will need to add the Alation Cloud Service connectivity endpoint to your proxy server’s allow list so the Agent can reach your Alation Cloud Service instance.
The Alation Cloud Service endpoint is shown on the
addressline of the Agent installation command. This is the same address that should be in your Agent configuration file at /etc/hydra/hydra.toml.
Add Proxy Address to Agent Config
This is done on the Agent’s host machine. The steps depend on whether your proxy requires authentication.
No Authentication
For proxies that don’t require authentication, edit /etc/hydra/hydra.toml to add the following line:
web_proxy = "<proxy-address>:<proxy-port>"
Basic Authentication
Starting with Agent version 1.2.1.1168, you can route the Agent through proxies that require basic authentication. Edit /etc/hydra/hydra.toml to add the following line:
web_proxy = "<username>:<password>@<proxy-address>:<proxy-port>"
Replace the parts in angle brackets with the appropriate information for your proxy. Don’t include the angle brackets. Do include the quotes. The proxy address can be a domain name or an IP address. If no port is provided, the Agent defaults to port 80.
Here’s an example with basic authentication:
web_proxy = "jane:[email protected]:3128"
Prevent New Privileges¶
To prevent privilege escalation in the Alation Agent’s containers, you can set the no_new_privileges property in the Agent configuration file. The no_new_privileges property maps directly to the Docker run option --security-opt no-new-privileges. If set, all containers launched within the Agent will be restricted so that no software can execute setuid nor setgid commands.
To set the no_new_privileges property, add the following lines to /etc/hydra/hydra.toml on the Agent machine.
[agent.containers]
no_new_privileges = true
If your Agent is currently running, restart it for the change to take effect:
sudo hydra restart