# Deploying tbot on Linux This page explains how to deploy the Machine & Workload Identity agent, `tbot`, on a Linux host. ## How it works The process in which `tbot` initially authenticates with the Teleport cluster is known as joining. A join method is a specific technique for the bot to prove its identity. On platforms where there is no native form of identity available to the machine, the preferred join method is [`bound_keypair`](https://goteleport.com/docs/ver/19.x/reference/deployment/join-methods.md#bound-keypair-bound_keypair). Unlike other join methods, a `bound_keypair` join token can only be used to join a single bot. [Read more about Bound Keypair Joining](https://goteleport.com/docs/ver/19.x/reference/machine-workload-identity/bound-keypair.md). ## Prerequisites - A running Teleport cluster. If you want to get started with Teleport, [sign up](https://goteleport.com/signup) for a free trial or [set up a demo environment](https://goteleport.com/docs/ver/19.x/get-started/deploy-community.md). - The `tctl` and `tsh` clients. Installing `tctl` and `tsh` clients 1. Determine the version of your Teleport cluster. The `tctl` and `tsh` clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at `/v1/webapi/find` and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service: ``` $ TELEPORT_DOMAIN=teleport.example.com:443 $ TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')" ``` 2. Follow the instructions for your platform to install `tctl` and `tsh` clients: **Mac** Download the signed macOS .pkg installer for Teleport, which includes the `tctl` and `tsh` clients: ``` $ curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg ``` In Finder double-click the `pkg` file to begin installation. --- DANGER Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security. --- **Windows - Powershell** ``` $ curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip Unzip the archive and move the `tctl` and `tsh` clients to your %PATH% NOTE: Do not place the `tctl` and `tsh` clients in the System32 directory, as this can cause issues when using WinSCP. Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\) instead. ``` **Linux** All of the Teleport binaries in Linux installations include the `tctl` and `tsh` clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our [installation page](https://goteleport.com/docs/ver/19.x/installation.md). ``` $ curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz $ tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz $ cd teleport $ sudo ./install Teleport binaries have been copied to /usr/local/bin ``` * To check that you can connect to your Teleport cluster, sign in with `tsh login`, then verify that you can run `tctl` commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and email\@example.com to your Teleport username: ``` $ tsh login --proxy=teleport.example.com --user=email@example.com $ tctl status Cluster teleport.example.com Version 19.0.0-dev CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678 ``` If you can connect to the cluster and run the `tctl status` command, you can use your current credentials to run subsequent `tctl` commands from your workstation. If you host your own Teleport cluster, you can also run `tctl` commands on the computer that hosts the Teleport Auth Service for full permissions. * A Linux host that you wish to install `tbot` onto. * A Linux user on that host that you wish `tbot` to run as. In the guide, we will use `teleport` for this. ## Step 1/4. Install `tbot` **This step is completed on the Linux host.** First, `tbot` needs to be installed on the VM that you wish to use Machine & Workload Identity on. Install Teleport as appropriate for your platform: To install a Teleport Agent on your Linux server: The recommended installation method is the cluster install script. It will select the correct version, edition, and installation mode for your cluster. 1. Assign teleport.example.com:443 to your Teleport cluster hostname and port, but not the scheme (https\://). 2. Run your cluster's install script: ``` $ curl "https://teleport.example.com:443/scripts/install.sh" | sudo bash ``` ## Step 2/4. Create a bot user **This step is completed on your local machine.** Create the bot with `tctl bots add`: ``` $ tctl bots add example The bot joining URI: tbot+proxy+bound-keypair://bot-example-abc123:secret@example.teleport.sh:443 This token must be used within 59 minutes after which it must be recreated. [...] ``` Take note of the joining URI as it will be used in the next step. Joining URIs contain all the information needed for the `tbot` client to connect to and authenticate with your Teleport cluster. Be aware that this URI contains a single use secret value (shown as `secret` in the above example) and should be copied with care. ## Step 3/4. Configure `tbot` **This step is completed on the Linux host.** Create `/etc/tbot.yaml`: ``` version: v2 join_uri: tbot+proxy+bound-keypair://bot-example-abc123:secret@example.teleport.sh:443 storage: type: directory path: /var/lib/teleport/bot # services will be filled in during the completion of an access guide. services: [] ``` Replace: - The `join_uri` field value with the joining URI printed by `tctl` in step 2. --- NOTE The first time that `tbot` runs, the registration secret contained within the joining URI will be used to authenticate the first connection. After the first successful join, the registration secret is invalidated. You may remove it from the join URI (shown as `secret` in the example token) in your configuration file after the first run has completed, but there is no tangible security benefit to doing so. --- ### Prepare the storage directory Create the bot data directory and grant permissions to access it to the Linux user (in our example, `teleport`) which `tbot` will run as. ``` Make the bot directory and assign ownership to teleport user $ sudo mkdir -p /var/lib/teleport/bot $ sudo chown teleport:teleport /var/lib/teleport/bot Allow teleport user to open directory $ sudo chmod +x /var/lib/teleport /var/lib/teleport/bot ``` ### Create a systemd service By default, `tbot` will run in daemon mode. However, this must then be configured as a service within the service manager on the Linux host. The service manager will start `tbot` on boot and ensure it is restarted if it fails. **If tbot was installed using the Teleport install script or `teleport-update` command, the `tbot` systemd service is automatically created for you.** After `tbot.yaml` is created, enable and start the service: ``` $ sudo systemctl enable tbot --now ``` Check the service has started successfully: ``` $ sudo systemctl status tbot ``` Service properties like `User` and `Group` may be configured using `systemctl edit tbot`. **If tbot was installed manually, service configuration will need to be performed manually as well.** For this guide, systemd will be demonstrated but `tbot` should be compatible with all common alternatives. Use `tbot install systemd` to generate a systemd service file: ``` $ sudo tbot install systemd \ --write \ --config /etc/tbot.yaml \ --user teleport \ --group teleport \ --pid-file /run/tbot.pid \ --anonymous-telemetry ``` Ensure that you replace: - `teleport` with the name of Linux user you wish to run `tbot` as. - `/etc/tbot.yaml` with the path to the configuration file you have created. - `/run/tbot.pid` with a path that the user configured for `tbot` has write access to. By default, `tbot` writes its PID file to `/run/tbot.pid`. You can omit `--write` to print the systemd service file to the console instead of writing it to disk. `--anonymous-telemetry` enables the submission of anonymous usage telemetry. This helps us shape the future development of `tbot`. You can disable this by omitting this. Next, enable the service so that it will start on boot and then start the service: ``` $ sudo systemctl daemon-reload $ sudo systemctl enable tbot --now ``` Check the service has started successfully: ``` $ sudo systemctl status tbot ``` ## Step 4/4. Configure services You have now prepared the base configuration for `tbot`. At this point, it identifies itself to the Teleport cluster and renews its own credentials but does not output any credentials for other applications to use. Follow one of the [access guides](https://goteleport.com/docs/ver/19.x/machine-workload-identity/access-guides.md) to configure a service that meets your access needs. ## Next steps - Follow the [access guides](https://goteleport.com/docs/ver/19.x/machine-workload-identity/access-guides.md) to finish configuring `tbot` for your environment. - Read the [configuration reference](https://goteleport.com/docs/ver/19.x/reference/machine-workload-identity/configuration.md) to explore all the available configuration options. - [More information about `TELEPORT_ANONYMOUS_TELEMETRY`.](https://goteleport.com/docs/ver/19.x/reference/machine-workload-identity/telemetry.md)