By default, the Anbox Management Client (AMC) runs on the same machine as the Anbox Management Service (AMS) and connects to it through a UNIX socket.
If you want to control AMS remotely, you can install the AMC on a separate machine and configure it to connect to AMS through a secure HTTP connection.
Install the AMC on a separate machine
To install the AMC on a machine other than the machine running AMS, you must first install it.
To do so, use the following command:
snap install amc
Install a trusted certificate
Controlling AMS remotely requires trusted security certificates. You can generate self-signed certificates or use certificates signed by a Certificate Authority. See Security certificates for remote clients for more information.
To use a self-signed certificate, complete the following steps:
amccommand on the client machine, for example:
amc remote ls
To generate a self-signed certificate, you can invoke any
amccommand because AMC automatically generates a self-signed certificate the first time it is invoked.
$HOME/snap/amc/current/client/client.crtcertificate on the client machine and copy it to the machine that runs AMS.
Log on to the machine that runs AMS and configure AMS to trust the new client by adding the client certificate:
amc config trust add client.crt
Certificate Authority (CA)
To use a CA certificate, complete the following steps:
Generate a CA certificate and key. There are different ways of how to do this. For example, you can use a PKI like easy-rsa.
Copy the generated CA certificate to the machine that runs AMS.
Log on to the machine that runs AMS and configure AMS to trust the CA certificate (and with that, all certificates that are based on it):
amc config trust add ca.crt
For each client, generate a client key and certificate based on the CA certificate. You should use the same method for this as you did in the first step.
Copy the generated credentials to the client machine:
- Copy the client certificate to
- Copy the client key to
- Copy the client certificate to
Expose the AMS HTTPS service
To be able to access AMS remotely, its HTTPS service must be exposed.
If you are running the Anbox Cloud Appliance, you can expose the service with the following command:
anbox-cloud-appliance ams expose
If you are running a full Anbox Cloud deployment, the service is automatically exposed within the internal subnet. If this is sufficient, you do not need further configuration. If you want to access AMS from a machine that is in a different subnet, use
juju expose to expose the service (see How to expose a deployed application for instructions). Note that if you expose services externally, you should also add a load balancer or proxy to your deployment.
Configure AMC to connect to AMS
After setting up the security certificates, configure AMC to connect to the remote AMS. To do this, choose a name for the remote and enter the following command:
amc remote add <your remote name> https://<IP address of the AMS machine>:8444
If you haven’t changed the port AMS is listening on, it’s 8444 by default.
The command connects to AMS and shows you the fingerprint of the server certificate. If it matches what you expect, acknowledge the fingerprint by typing “yes”.
Finally, switch to the new remote by running the following command:
amc remote set-default <your remote name>
All invocations of the
amc command will from now on use the new remote.