Home

Awesome

Mist Cloud Management Platform - Enterprise Edition

Mist simplifies multicloud management. It offers a unified interface from where you can manage public clouds, private clouds, hypervisors, containers and bare metal servers.

With Mist you can perform common management tasks like provisioning, orchestration, monitoring, automation and cost analysis.

It comes with a RESTful API and a CLI, so you can easily integrate it into your existing workflows.

Mist users include organizations like Juniper Networks, SevOne, Windstream, National Bank of Greece, Shoprite and more. They all report faster roll-outs while reducing their bills and management overheads by 40%-60%.

Mist Community Edition (CE) is licensed under the Apache License v2. It is ideal for teams with a DIY approach.

Mist Enterprise Edition (EE) and Hosted Service (HS) are commercial editions which offer additional plugins for governance, role-based access control & cost insights. You can check them out on our website.

The easiest way to try Mist is to sign up for a 14-day free trial at https://mist.io/sign-up.

<a href="https://www.youtube.com/watch?v=7oYyC-FIaAM" source="_blank"><img src="https://mist.io/landing/images/frontpage/home-dashboard.png" width="768"></a>

Table of Contents

Features

Mist's features include:

Terminology

Some terms are used very often in Mist. Below is a list of the most basic ones to help you avoid any confusion:

Architecture

Mist is a cloud native application split into microservices which are packaged as Docker containers. It can be deployed on a Kubernetes cluster using Helm or a single host with Docker Compose.

The most notable components are the following:

Architecture.png

The user interacts with the RESTful Mist API through client apps like the Mist UI in the browser or command line tools (e.g. cURL, Mist CLI, etc.).

The Mist UI, apart from invoking the RESTful API, also establishes a WebSocket connection. This is used to receive real time updates and to proxy shell connections to machines.

The Mist API server interacts with the respective API's of the target clouds, either directly, or by adding tasks that get executed asynchronously by Dramatiq workers. The messaging is following the AMQP protocol and gets coordinated by RabbitMQ.

The main data store is MongoDB. Logs are being stored in Elasticsearch. Time series data go to either VictoriaMetrics or InfluxDB, depending on the installation.

Rule checks, polling tasks & user tasks are triggered by the scheduler service. Whenever a shell connection is required (e.g. SSH, Docker shell, etc.), Sheller establishes the connection and makes it available through the WebSocket API.

Installation

You can install Mist in several ways, depending on your needs:

Kubernetes

To get started, you will need:

  1. A working and up-to-date Kubernetes cluster, able to allocate 8 CPUs and 16GB of RAM to Mist.
  2. Access rights to run Helm on your cluster.

Run the following commands to install Mist:

helm repo add mist https://dl.mist.io/charts
helm repo update
helm install mist-ce mist/mist-ce

Finally, follow the on-screen instructions after the installation is completed to configure an ingress IP and create the required Mist admin user.

Linode and Vultr users can find detailed installation videos in the respective, official YouTube channels.

Important configuration options

Domain and TLS

The quick installation method described above does not set up TLS. This is done in order to keep things simple and get you to test Mist quickly. However, we strongly recommend using TLS. This requires a domain for your Mist installation.

First, configure your DNS to point to your cluster's IP.

If you want to issue a new certificate, configure the cluster issuer that will be used, e.g.:

helm install mist-ce mist/mist-ce --set http.host=foo.bar.com  \
  --set http.tlsClusterIssuer=letsencrypt-prod \
  --set http.tlsSecret=secretName

For instructions on how to install and configure cert-manager read the docs here.

If you have configured a TLS certificate for this hostname as a Kubernetes secret, you should use the http.tlsSecret option, e.g.:

helm install mist-ce mist/mist-ce --set http.host=foo.bar.com \
  --set http.tlsSecret=secretName
Email

In some cases, such as user registration, forgotten passwords, user invitations etc., Mist needs to send emails. By default, Mist uses a mock mailer.

To see emails sent by Mist, get the relevant pod name:

kubectl get pods -l app=mailmock

Now, view the logs of this pod, e.g.:

kubectl logs -f mailmock-pod-name

If you wish to use an SMTP server, do something like this:

helm install mist-ce mist/mist-ce --set smtp.host=smtp.foo.bar.com \
  --set smtp.username=foo
  --set smtp.password=bar
  --set smtp.port=25
  --set smtp.tls=false
  --set smtp.starttls=true
External Docker host

Mist's orchestration plugin needs to deploy Docker containers. By default, Mist deploys an in-cluster dockerhost pod in privileged mode.

To use an external Docker host, set the following:

helm install mist-ce mist/mist-ce --set docker.host=dockerIP \
  --set docker.port=dockerPort \
  --set docker.key=TLSKey \
  --set docker.cert=TLSCert \
  --set docker.ca=TLSCACert

All configuration options

To review and customize all available configuration options:

  1. Export the default chart values.
helm show values mist/mist-ce > values.yaml
  1. Edit the exported values.yaml.
  2. Run helm install with values.yaml as input.
helm install mist-ce mist/mist-ce -f values.yaml

The following table lists all the configurable parameters in Mist's Helm chart and their default values.

ParameterDescriptionDefault
http.hostFQDN or IP of Mist installation.localhost
http.http2Use HTTP/2.false
http.tlsSecretKubernetes secret containing the tls.crt and tls.key data.''
http.tlsHostsArray of TLS hosts for ingress record.[]
http.tlsAnnotations{}
http.tlsClusterIssuerTLS cluster issuer.''
smtp.hostSMTP mail server address.''
smtp.portSMTP port.8025
smtp.usernameSMTP username.''
smtp.passwordSMTP password.''
smtp.tlsUse TLS with SMTP.false
smtp.starttlsSend the starttls command. Typically, it is not used with smtp.tls=true.false
portalAdmin.enabledCreate a Mist admin user upon chart installation.true
portalAdmin.organizationMist organization name.example.com
portalAdmin.mailMist admin's email address.admin@example.com
portalAdmin.passwordMist admin's password.example.com
portalAdmin.createApiTokenCreate an API token upon chart installation.true
docker.deployDeploy a dockerhost pod in-cluster. The pod will run in privileged mode.true
docker.hostExternal Docker host address.''
docker.portExternal Docker host port.2375
docker.keyExternal Docker host SSL private key.''
docker.certExternal Docker host SSL certificate.''
docker.caExternal Docker host CA certificate.''
vault.addressHashiCorp Vault address to use.http://vault:8200
vault.tokenAuthentication token for HashiCorp Vault.''
vault.roleIdHashiCorp Vault RoleID.''
vault.secretIdHashiCorp Vault SecretID.''
vault.secret_engine_path{}
vault.clouds_pathDefault HashiCorp Vault path for Mist cloud credentials.mist/clouds/
vault.keys_pathDefault HashiCorp Vault path for Mist key credentials.mist/keys
elasticsearch.hostElasticSearch host.''
elasticsearch.portElasticSearch port.9200
elasticsearch.usernameUsername for ElasticSearch with basic auth.''
elasticsearch.passwordPassword for ElasticSearch with basic auth.''
elasticsearch.tlsConnect to ElasticSearch using TLS.false
elasticsearch.verifyCertsVerify ElasticSearch TLS.false
influxdb.hostInfluxDB host.''
influxdb.portVerify InfluxDB TLS.8086
influxdb.dbInfluxDB database to use.telegraf
influxdb.monitoringtrue
influxdb.storageSizeSize of the InfluxDB pvc.1024Mi
victoriametrics.enabledtrue
victoriametrics.deployDeploy a VictoriaMetrics cluster.true
victoriametrics.readEndpointExternal VictoriaMetrics cluster read endpoint.''
victoriametrics.writeEndpointExternal VictoriaMetrics cluster write endpoint.''
victoriametrics.vmstorage.persistentVolume.storageClassStorageClass of the VictoriaMetrics pvc.standard
victoriametrics.vmstorage.persistentVolume.sizeSize of the VictoriaMetrics pvc.1024Mi
rabbitmq.deployDeploy RabbitMQ cluster.true
rabbitmq.replicaCountRabbitMQ replicas to deploy.1
rabbitmq.replicationFactorDefault replication factor for queues.1
rabbitmq.auth.usernameRabbitMQ username.guest
rabbitmq.auth.passwordRabbitMQ password.guest
rabbitmq.auth.erlangCookieErlang cookie to determine whether nodes are allowed to communicate with each other.guest
rabbitmqExternal.hostExternal RabbitMQ address. Only used when rabbitmq.deploy is false.''
rabbitmqExternal.portExternal RabbitMQ port.5672
rabbitmqExternal.usernameExternal RabbitMQ username.guest
rabbitmqExternal.passwordExternal RabbitMQ password.guest
mongodb.deployDeploy MongoDB cluster.true
mongodb.hostExternal MongoDB address. Only used when mongodb.deploy is false.''
mongodb.portExternal MongoDB port.27017
memcached.hostMemcached host in the format {host}:{port}.''
monitoring.defaultMethodAvailable options: telegraf-victoriametrics and telegraf-influxdbtelegraf-influxdb
auth.email.signupAllow signups with email & password.false
auth.email.signinAllow signins with email & password.true
auth.google.signupAllow signups with Google oAuth.false
auth.google.signinAllow signins with Google oAuth.false
auth.google.keyGoogle oAuth client ID.''
auth.google.secretGoogle oAuth client Secret.''
auth.github.signupAllow signups with Github oAuth.false
auth.github.signinAllow signins with Github oAuth.false
auth.github.keyGithub oAuth client ID.''
auth.github.secretGithub oAuth client secret.''
backup.keyAWS API key.''
backup.secretAWS API secret.''
backup.bucketAWS S3 bucket name used to store backups.''
backup.regionAWS S3 bucket region.''
backup.gpg.recipientEmail recipient of the encrypted backup.''
backup.gpg.publicGPG public key.''
githubBotToken''
deployment.gocky.replicasReplicas in Gocky deployment.1
deployment.api.replicasReplicas in API server deployment.2
deployment.sockjs.replicasReplicas in sockjs deployment1
deployment.ui.replicasReplicas in Mist UI deployment.1
deployment.nginx.replicasReplicas in NGINX deployment.1
deployment.landing.replicasReplicas in Mist's landing webpage deployment.1
deployment.dramatiq.dramatiq.enabledEnable Dramatiq consumers for all queues.true
deployment.dramatiq.dramatiq.replicas2
deployment.dramatiq.default.enabledEnable Dramatiq consumers for default queue.false
deployment.dramatiq.default.replicas1
deployment.dramatiq.provisioning.enabledEnable Dramatiq consumers for dramatiq_provisioning queue.false
deployment.dramatiq.provisioning.replicas1
deployment.dramatiq.polling.enabledEnable Dramatiq consumers for dramatiq_polling queue.false
deployment.dramatiq.polling.replicas1
deployment.dramatiq.machines.enabledEnable Dramatiq consumers for dramatiq_machines queue.false
deployment.dramatiq.machines.replicas1
deployment.dramatiq.clusters.enabledEnable Dramatiq consumers for dramatiq_clusters queue.false
deployment.dramatiq.clusters.replicas1
deployment.dramatiq.networks.enabledEnable Dramatiq consumers for dramatiq_networks queue.false
deployment.dramatiq.networks.replicas1
deployment.dramatiq.zones.enabledEnable Dramatiq consumers for dramatiq_zones queue.false
deployment.dramatiq.zones.replicas1
deployment.dramatiq.volumes.enabledEnable Dramatiq consumers for dramatiq_volumes queue.false
deployment.dramatiq.volumes.replicas1
deployment.dramatiq.buckets.enabledEnable Dramatiq consumers for dramatiq_buckets queue.false
deployment.dramatiq.buckets.replicas1
deployment.dramatiq.mappings.enabledEnable Dramatiq consumers for dramatiq_mappings and dramatiq_sessions queues.false
deployment.dramatiq.mappings.replicas1
deployment.dramatiq.scripts.enabledEnable Dramatiq consumers for dramatiq_scripts queue.false
deployment.dramatiq.scripts.replicas1
deployment.dramatiq.probe.enabledEnable Dramatiq consumers for dramatiq_ssh_probe queue.false
deployment.dramatiq.probe.replicas1
deployment.dramatiq.ping.enabledEnable Dramatiq consumers for dramatiq_ping_probe queue.false
deployment.dramatiq.ping.replicas1
deployment.dramatiq.rules.enabledEnable Dramatiq consumers for dramatiq_rules queue.false
deployment.dramatiq.rules.replicas1
deployment.dramatiq.schedules.enabledEnable Dramatiq consumers for dramatiq_schedules queue.false
deployment.dramatiq.schedules.replicas1
deployment.scheduler.scheduler.enabledEnable scheduler for all polling schedules.true
deployment.scheduler.scheduler.replicas1
deployment.scheduler.builtin.enabledEnable scheduler for builtin schedules.false
deployment.scheduler.builtin.replicas1
deployment.scheduler.user.enabledEnable scheduler for user schedules.false
deployment.scheduler.user.replicas1
deployment.scheduler.polling.enabledEnable scheduler for polling schedules.false
deployment.scheduler.polling.replicas1
deployment.scheduler.rules.enabledEnable scheduler for rules schedules.false
deployment.scheduler.rules.replicas1

Single host

To get started, you will need:

  1. A machine with at least 4 CPU cores, 8GB RAM and 10GB disk (accessible to /var/lib/docker/).
  2. The OS should be the latest stable Debian or Ubuntu.
  3. The OS should include openssh-server, docker and docker-compose packages.

First, download docker-compose.yml from the latest stable release as shown here.

Make sure you're inside the directory containing the docker-compose.yml file and run:

docker-compose up -d

Then, run docker-compose ps and verify that all containers are in the UP state, except the short-lived container elasticsearch-manage.

Now, you need to create an admin user. Drop in shell with:

docker-compose exec api sh

and add a new user with:

./bin/adduser --admin admin@example.com

Try running ./bin/adduser -h for more options. For example, the --docker-cloud flag will add the docker daemon hosting the Mist installation as a docker cloud in the created account.

You can now visit http://localhost and login with the email and password you specified above.

Alternatively, you can also deploy Mist directly from your cloud provider's marketplace:

Important configuration options

After the initial docker-compose up -d, you will see that a configuration file is created in ./settings/settings.py. Edit this file to modify Mist's configuration.

Any changes to ./settings/settings.py will take effect after a restart with:

docker-compose restart
URL

If running on anything other than localhost, you will need to set the PORTAL_URI setting in ./settings/settings.py.

For example:

PORTAL_URI = "http://198.51.100.12"
Email

In some cases, such as user registration, forgotten passwords, user invitations etc., Mist needs to send emails. By default, Mist uses a mock mailer. To see emails sent by Mist, run:

docker-compose logs -f mailmock

If you wish to use an SMTP server, edit ./settings/settings.py and modify MAILER_SETTINGS.

TLS

We strongly recommend using TLS. Assuming a certificate cert.pem and private key file key.pem in the same directory as the docker-compose.yml file, create a docker-compose.override.yml file with the following contents:

version: '2.0'
services:
  nginx:
    volumes:
      - ./nginx-listen.conf:/etc/nginx/nginx-listen.conf:ro
      - ./cert.pem:/etc/nginx/cert.pem:ro
      - ./key.pem:/etc/nginx/key.pem:ro
    ports:
      - 443:443

Then, create a nginx-listen.conf in the directory of docker-compose.yml, with the following contents:

    listen 80;
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/cert.pem;
    ssl_certificate_key /etc/nginx/key.pem;
    if ($scheme != "https") {
        rewrite ^ https://$host$uri permanent;
    }

Finally, update PORTAL_URI in Mist's settings and restart it.

LDAP and Active Directory (optional)

Mist ΕΕ supports authentication over LDAP with LDAP and Active Directory (AD) servers. To configure LDAP authentication: First, log in Mist as administrator and note your Mist organization name. Then create the Mist teams that correspond to your LDAP posixGroups or AD teams. For example, if you have a dev group in AD whose members need to access Mist, then create a dev team in Mist. For LDAP, if you have a cn=dev,dc=my,dc=domain posixGroup, note that it must have set the attribute memberUid for each member that needs access to Mist, create a team named dev in Mist. Now edit ./settings/settings.py and add the proper configuration:

LDAP_SETTINGS = {
    'SERVER': 'XXX.XXX.XXX.XXX',  # IP and FQDN will both work
    'OU': 'IT,Employee',  # For LDAP enter Organizational Unit name. For nested OU's separate with a comma. If you have members in separate OU's then add them as a list: ['Devops,Employee', 'QA,Tester,Employee']. For AD ignore.
    'DC': 'my.domain',  # Main domain of LDAP and AD servers
    'ORG_NAME': 'myMistOrg',  # Mist org name which will authenticate over LDAP
    'AD': True  # Set True when using AD. Set False for LDAP server.
}

Finally, restart Mist to apply the configuration changes with docker-compose restart.

Users from your groups will now be able log in Mist by clicking on Sign in with LDAP or Sign in with Active Directory in Mist's login page with their relevant username and password.

Single-sign-on with Microsoft 365 (optional)

Mist EE supports SSO with MS 365 accounts over Azure AD OAuth 2.0. To configure it, log in to Azure's web portal and follow the steps of registering an app as shown here.

A few things to note:

  1. In the configure platform step choose Web application. The redirect URI should be Mist_CORE_URI/social_auth/complete/azuread-oauth2. See in the paragraphs above how to set Mist's CORE_URI.
  2. When creating the client secret, copy the Value. It will be needed later.
  3. In the API Permissions section, make sure the permissions are set to User.Read or User.ReadBasic.All.
  4. Copy the Application ID from the Overview section.

With the Application ID and secret value at hand, edit Mist's configuration at ./settings/settings.py

ALLOW_SIGNIN_MS365 = True
ALLOW_SIGNUP_MS365 = True  # Set to false if you don't wish users to sign up with MS 365
SOCIAL_AUTH_AZUREAD_OAUTH2_KEY = "myApplicationID"
SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET = "mySecretValue"

Finally, restart Mist to apply the configuration changes with docker-compose restart.

Monitoring methods

Mist stores monitoring metrics in InfluxDB by default. Since Mist v4.6, it is possible to use VictoriaMetrics instead. You can configure that in settings/settings.py:

DEFAULT_MONITORING_METHOD = 'telegraf-victoriametrics'

Restart docker-compose for the changes to take effect and then run the respective migration script:

docker-compose exec api python migrations/0016-migrate-monitoring.py

The above script will update all monitored machines to use the configured monitoring method. It will also update all rules on metrics to use the appropriate query format. However, this will not migrate old monitoring data to the new time series database.

Upgrade

To upgrade to a new Mist version:

  1. Stop your current Mist by running docker-compose down.
  2. Download the docker-compose.yml file of the latest release and place it in the same directory as before. This way the new installation will use the same Docker volumes.
  3. Run docker-compose up -d to bring up the new version.
  4. Check that everything is in order by running docker-compose ps.

Backup

Mist can automatically take and store backups in an S3-compatible bucket. To set this up, first create a bucket on your S3 provider, e.g. AWS, MinIO, etc.

Then, go to settings/setting.py and edit the following part accordingly:

BACKUP_INTERVAL = 24  # hours between each backup
BACKUP = {
    'host': '',  # eg s3.amazonaws.com
    'key': '',
    'secret': '',
    'bucket': '',
    'gpg': {
        'recipient': '',
        'public': '',
        'private': '',
    }
}

Providing a GPG key is optional but strongly recommended. If you provide it, your backups will be encrypted before getting uploaded to your bucket.

Mist also offers a set of manual commands for backing up, listing backups and restoring backups:

docker-compose exec api ./bin/backup
docker-compose exec api ./bin/list-backups
docker-compose exec api ./bin/restore {{myBackupName}}

Backups on time series data stored on VictoriaMetrics will be incremental by default. To perform a full backup, use the --no-incremental flag:

docker-compose exec api ./bin/backup --db victoria --no-incremental

Finally, please keep in mind that backups include MongoDB, InfluxDB & VictoriaMetrics data. Mist logs are stored in Elasticsearch. If you would like to back up these as well, please check out this doc.

Staging version

If you want to install the latest bleeding edge build of Mist, run the following:

mkdir mist-ce && cd mist-ce && echo 'MIST_TAG=staging' > .env
wget https://raw.githubusercontent.com/mistio/mist-ee/staging/docker-compose.yml
docker-compose up -d

Development environment

If you plan to modify Mist's source code, clone this git repo and all its submodules. Then, bring it online. For example:

git clone --recursive https://github.com/mistio/mist-ee.git
cd mist-ee
docker-compose up -d

This will mount the checked out code into the containers and may take some time.

By cloning the directory, there is also a docker-compose.override.yml file in the current directory in addition to docker-compose.yml. This is used to modify the configuration for development mode.

If you are not interested in front-end development, you can comment out the UI & landing sections within the docker-compose.override.yml file and re-run docker-compose up -d.

Otherwise, you will also need to install the UI & landing page dependencies before you can access the Mist UI.

Install all front-end dependencies with the following commands:

docker-compose exec landing npm install
docker-compose exec ui npm install

And then build the landing & UI bundles with:

docker-compose exec landing npm run build
docker-compose exec ui npm run build

When doing front-end development, it is usually more convenient to serve the source code instead of the bundles. To do that, edit settings/settings.py and set JS_BUILD = False. Restart the api container for the changes to take effect with:

./restart.sh api