SSH Actions

SSH actions extend Flux’s robust palette of workflow and file actions to increase the power and flexibility of Flux workflows. One can orchestrate a workflow to manage their farm of servers and control them from Flux. Some of the common tasks include on-demand backups, file transfers, system monitoring, etc. This technique also enables agent-less scheduling. Without requiring any special software on these remote servers, one can run and manage scripts just like any native application using Flux.

Flux 8.3 implements support for SSH-based interactions with remote servers in your workflow. A Flux workflow can run commands on a remote machine or perform file transfers to or from a remote machine. It supports password-based authentication as well as public-key authentication with passphrases.

Setting up key-based authentication between two machines is simple. The first step is to generate an SSH key pair on machine A (a passphrase is recommended so that the private key is encrypted):

macpro:.ssh arul$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/arul/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/arul/.ssh/id_rsa.
Your public key has been saved in /Users/arul/.ssh/id_rsa.pub.
The key fingerprint is:
a3:2e:03:c0:0b:98:ed:05:6d:00:a4:60:f6:6f:0c:e3 arul@macpro
The key's randomart image is:
+--[ RSA 2048]----+
|+=.o             |
|= o o            |
|+o *             |
|=.o *            |
|.o.E +  S        |
| .o .  . .       |
|   .  .          |
|    o.           |
|     o.          |
+-----------------+

Copy the public key (id_rsa.pub) of machine A to machine B.

$ scp ~/.ssh/id_rsa.pub ubuntu-vm:

SSH to machine B and append the copied public key to the authorized_keys file.

$ ssh ubuntu-vm
arul@ubuntu-vm's password:
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
$ rm ~/id_rsa.pub
$ chmod 600 ~/.ssh/authorized_keys

You can repeat the same setup from machine B to machine A if you want bi-directional key-based communication over SSH. Once the keys are set up on both machines, you will be able to use public-key authentication with a private key encrypted using a passphrase. You can then disable password authentication in your SSH server config, so you avoid sending your password over the network.

This setup allows machine A users to connect to machine B and automate tasks without password prompts, making the interaction both seamless and secure. This is a secure and very powerful technique used by IT teams and has been battle-tested for decades in infrastructure automation.
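The machine B steps above, written so they can be re-run safely, together with checks for the 700/600 modes and for password authentication being disabled. This is an added example, not part of the original page or of Flux; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Flux documentation. Run on machine B.
# Paths passed in are the caller's; nothing here is Flux-specific.

KEY_RE='^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'

# Octal mode of a path (GNU stat on Linux, BSD stat on macOS).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# install_pubkey PUBKEY_FILE HOME_DIR
# Idempotent form of the mkdir/chmod/cat steps: safe to re-run, never adds the
# same key twice, and rejects a private key copied over by mistake.
install_pubkey() {
    pub=$1; home=$2
    [ "$(grep -c '' "$pub")" -eq 1 ] && grep -Eq "$KEY_RE" "$pub" || {
        echo "not a single OpenSSH public key line: $pub" >&2; return 2; }
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    auth="$home/.ssh/authorized_keys"
    touch "$auth" && chmod 600 "$auth" || return 1
    # Match on "type base64blob" so a changed comment does not cause a duplicate.
    blob=$(awk '{print $1 " " $2}' "$pub")
    grep -Fq -e "$blob" "$auth" || cat "$pub" >> "$auth"
}

# check_ssh_perms HOME_DIR: succeeds only with the 700/600 modes used above.
check_ssh_perms() {
    [ "$(mode_of "$1/.ssh")" = 700 ] &&
        [ "$(mode_of "$1/.ssh/authorized_keys")" = 600 ]
}

# password_auth_disabled SSHD_CONFIG
# sshd uses the first value it reads for a keyword and defaults to "yes", so a
# missing line counts as enabled. Include files and Match blocks are not parsed.
password_auth_disabled() {
    v=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    [ "$v" = no ]
}
```

On a live server, `sshd -T` prints the effective configuration, including settings pulled in through Include files.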

With its built-in SSH actions, Flux brings this power to Flux workflows. One can orchestrate a workflow to manage their fleet of servers and control them from Flux. Some of the common tasks include on-demand backups, file transfers, system monitoring, etc. This technique also enables agent-less scheduling: without requiring special software such as Flux agents to run on these remote servers, one can run and manage scripts just like any native application using Flux.

Hostname and username are required properties on these SSH actions. The recommended way to configure them is to use Flux’s runtime configuration properties. This allows reuse of configuration across workflows and the ability to make changes at runtime without bringing down your Flux engine.

Here is what an example runtime.properties file would look like in this setup.

/host=ubuntu-vm
/username=arul
/fingerprint=e4:af:1f:a3:8b:c0:15:33:71:87:d8:57:8f:d4:1a:3d
/private_key=/Users/arul/.ssh/id_rsa
/passphrase=+KYFTbEq6xaiUwa2Ij4N/Q==

The passphrase can be encrypted using Flux’s CLI API, so no clear-text password is stored in the runtime configuration. Here is how you generate the encrypted password using the Flux API.

macpro:flux-8-0-10 arul$ java -cp flux.jar flux.Main encryptpassword flux*help
Flux 8.0.10 (build #1296) ~ Copyright 2015 Flux Corporation
Encrypted password is +KYFTbEq6xaiUwa2Ij4N/Q==