SSH Support for Cluster Console Panel


The Cluster Console Panel (CCP) utility has long been a favorite of users involved with administration of systems having multiple nodes. It provides a single access point to interact simultaneously with a multitude of nodes, thus saving a lot of effort.

In Sun Cluster software releases up to and including 3.2, the access methods available from the CCP utility were rlogin, telnet, and console access over telnet. What was missing was secure connections to the nodes and to their consoles.

With the increasing focus on security in production environments, the Cluster Console tool, cconsole, was lacking this support. The newer breed of servers from Sun have platform managers like service processors, which offer secure connections and allow users to manage nodes remotely. The cconsole tool was, however, not equipped to utilize this. There have been repeated requests from customers to incorporate secure connections via Secure Shell (SSH) into cconsole.

The patch to Sun Cluster 3.2 software will add SSH support to both the GUI and command line variants of cconsole. The revamped CCP features include:

  • SSH support for cconsole: The cconsole tool will support connections to node consoles over SSH. This is in addition to the already existing standard telnet connections to consoles. The utility could be used in either of the following ways:

    - Launch the CCP GUI using the ccp command and then click on the cconsole button. The graphical interface for cconsole will have a new check box called "Use SSH" under the "Options" menu. Select this check box to reach the node consoles over SSH. By default, the check box is deselected, meaning that the default mode of connecting to consoles is not secure. Refer to Figure 1.

    - Launch cconsole directly from the command line. The new command line options for cconsole are:

      -s                 Enables SSH while connecting to a node's console. The /etc/serialports database has the console access device's name and the port number to be used for the SSH connection. Specify 22 as the port number if using the default SSH configuration on the console access device, otherwise specify a custom port number.

      -l user            Optional SSH user name. By default, the user launching the cconsole/ccp command is effective.

    If either the cconsole or the ccp command is launched with the "-s" command line option, the "Use SSH" check box is automatically selected. If the "-s" option is not specified, select the "Use SSH" check box under the "Options" menu to enable the SSH connection.

  • A new "cssh" command: CCP software will include a new cssh command which could be used to connect to nodes using standard SSH connections, in either of the following ways:

    - Launch the CCP GUI with the ccp command, then click on the new cssh button (which is next to the existing crlogin, ctelnet, and cconsole buttons).

    - Issue the cssh command directly from the command line. The cssh command takes the following options:

      -l user            Optional SSH user name. By default, the user launching the command is effective.

      -p port            Optional port number to use for the SSH connections. Port 22 is used by default.

Here is a screenshot of the modified Cluster Console Panel. It shows the new "cssh" button on the panel for the cssh command. It also shows the new "Use SSH" check box under the Options menu when the cconsole button is clicked.

Figure 1. Cluster Console Panel GUI

  • Shared options: The ccp command will accept on its command line the options used by crlogin, cssh, and cconsole. Values passed to these options are effective for all the commands subsequently launched by clicking on the icons in the CCP GUI. For more details about the commands and their options, refer to the cconsole(1M) man page.

As an example, if one launches ccp in this manner:

      # ccp -l joe -s -p 123

then this will be the effect on individual tools that are launched from the buttons on the CCP GUI:

ctelnet

This command ignores all of the -l, -p, and -s options and treats everything else on the command line as cluster or node names.

crlogin

The user name for rlogin would be "joe".

cssh

The SSH user name would be "joe" and the SSH port number would be "123".

cconsole

The cconsole tool would use SSH to connect to the nodes due to the "-s" option. The user name for the SSH connection to the console access device (as determined by the entry in /etc/serialports) would be "joe".

The port number, however, is taken from the serialports database and not from the command-line value of the "-p" option.

In addition, the user could deselect the checkbox "Use SSH" and override the command-line option "-s", in which case the console would be accessed using a telnet connection to the console access device.

With all these changes, the CCP, and cconsole in particular, will be equipped to act as a full-fledged tool for multi-node administration, further adding to ease of use of Sun Cluster 3.2 software.

Subhadeep Sinha
Sun Cluster Engineering

Comments:

So where is the patch? :-)

Posted by Volker A. Brandt on February 28, 2007 at 01:37 AM PST #

The patch to Sun Cluster 3.2 is expected to come out in early Q4 07. Thanks for your interest.

Posted by Subhadeep Sinha on March 01, 2007 at 05:42 AM PST #

Sorry, I'm unclear as to which Q4 you mean. FY07 or CY07. Please don't tell me that we won't see this until October.

Posted by Boyd Adamson on March 01, 2007 at 06:53 AM PST #

I wonder how the SBD (Secure By Default) initiative let this little gem escape their dragnet... I'm telling! :-)

Even if it's not ssh by default, it's a great feature!

Thanks!

Posted by Dale Sears on March 01, 2007 at 12:30 PM PST #

Boyd Adamson, Sun's FYQ3 ends March 31, so I would interpret "early Q4 07" as "April to May".

But that's only my opinion, and I'm not the developer of said patch, nor am I the one setting a deadline for delivery of said patch, nor are these limitations limited to further limitations...

I just hope "early Q4 07" means the same thing to Subhadeep Sinha as it does to me. :-)

Posted by Dale Sears on March 01, 2007 at 12:43 PM PST #

The expected time frame for the patch is indeed April/May 2007. Thanks!

Posted by Subhadeep Sinha on March 01, 2007 at 03:11 PM PST #

Thanks, I look forward to it :)

Posted by Boyd Adamson on March 01, 2007 at 03:23 PM PST #

cssh has been sort-of available to hacker-admins for a long time, in a way which is a lot cleaner than the hack posted on Big Admin some time ago (which relies on PATH-spoofing IIRC).

Note: I still use the cluster administration console that came with Sun Cluster 2.0 on my work desktop in 1998 or so (hey, if it works, don't fix it!), but this technique *should* apply to any version.

The key is to realize that crlogin works just fine, with the exception that it's not encrypted, and that ssh and rlogin share the same command line options (no surprise there, ssh was developed as an rsh/rlogin replacement).

What you need to do is copy the crlogin binary (which in SC2.0 is a symlink to cconsole, as is ctelnet) to cssh. This binary determines its run mode by examining argv[0].

Next, load the binary into your favourite binary-safe editor. I used xemacs 19.18; any type of hex-editor, etc., should work.

Finally, change all strings in the binary containing "rlogin" so that they contain "ssh", and DO NOT CHANGE THE FILE SIZE OR STRING OFFSETS.

Remember that C programs find the end of strings by looking for the NUL character, but the programs only "know" the address of the first character of a string.

I found three strings which needed changing in my version:

crlogin\0
rlogin\0
crlogin: host %s\0

I simply replaced them in-place with:

cssh\0\0\0\0
ssh\0\0\0\0
cssh: host %s\0\0\0\0

Now I can type cssh <clustername> and log into my clusters with ssh, either using password-based authentication or host keys as I see fit.

*** A note about using xemacs for this patch: To "type" a NUL, simply copy a ^@ from elsewhere in the program with your mouse and paste it where you want. Also, xemacs will add an extra 0x0a at the second-last position of the file. I consider this to be a bug in xemacs (which may have been fixed in the last seven or eight years...); however, it doesn't matter, as the end of the binary is NUL padding anyhow... About 020000 bytes worth!

Posted by Wes Garland on March 05, 2007 at 02:52 AM PST #
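As an added example (mine, not Wes's actual edit and not any Sun code), here is the in-place, offset-preserving string swap from the comment above modelled in Python on a constructed fake binary image; FAKE_BINARY and the function names are my own. Matching only whole NUL-terminated strings is what keeps the bare rlogin entry from also clobbering the inside of crlogin, and the length check is the "DO NOT CHANGE THE FILE SIZE OR STRING OFFSETS" rule made explicit.

```python
from __future__ import annotations

# Constructed stand-in for the string table of a cconsole-style binary
# (not a real Sun binary): fake header, three NUL-terminated strings
# that mention rlogin, an unrelated string, and trailing NUL padding.
FAKE_BINARY = (
    b"\x7fELF" + b"\x00" * 12
    + b"crlogin\x00"
    + b"rlogin\x00"
    + b"crlogin: host %s\x00"
    + b"telnet\x00"
    + b"\x00" * 8
)

# Whole NUL-terminated strings to swap, as listed in the comment above.
RLOGIN_TO_SSH = {
    b"crlogin": b"cssh",
    b"rlogin": b"ssh",
    b"crlogin: host %s": b"cssh: host %s",
}


def find_c_strings(blob: bytes, needle: bytes) -> list[int]:
    """Offsets of every *whole* NUL-terminated occurrence of needle.

    A whole occurrence starts at offset 0 or right after a NUL and is
    followed by a NUL, so b"rlogin" does not match inside b"crlogin".
    """
    hits, start = [], 0
    while (i := blob.find(needle, start)) != -1:
        end = i + len(needle)
        if (i == 0 or blob[i - 1] == 0) and end < len(blob) and blob[end] == 0:
            hits.append(i)
        start = i + 1
    return hits


def patch_c_strings(blob: bytes, replacements: dict[bytes, bytes]) -> bytes:
    """Replace each string in place, NUL-padded so no byte offset moves.

    A longer replacement would shift every following byte and break the
    addresses the program holds for its strings, so it is rejected.
    """
    out = bytearray(blob)
    for old, new in replacements.items():
        if len(new) > len(old):
            raise ValueError(f"{new!r} does not fit in {len(old)} bytes")
        padded = new + b"\x00" * (len(old) - len(new))  # same length as old
        for off in find_c_strings(blob, old):
            out[off:off + len(old)] = padded
    assert len(out) == len(blob), "file size must not change"
    return bytes(out)
```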

Hi Wes, thanks for your post! Very informative. The new changes to CCP would make it ready-to-use for admins, and at the same time not take away anything from what was already existing. In addition to the cssh utility (which has an option for using a non-default SSH port - something which was not possible until now), we have added support for connecting to node consoles over SSH. This was the driving factor behind the feature. We did not want customers to necessarily have to go over telnet to console-access devices in order to access consoles. To add to it, SSH support in cconsole falls in line with modern day hardware, which offers secure platform management services. Thanks, -Subhadeep.

Posted by Subhadeep Sinha on March 05, 2007 at 03:51 AM PST #

Hello, Subhadeep!

Glad to see that ssh-cconsole is going to arrive on the SC administrative workstations in the near future -- this is truly a "killer feature" which will prompt an upgrade from someone like me. (I have been administering Sun Cluster, from hundreds of miles away, for a long time -- I can remember when the Enterprise 450 first became Sun Cluster 2.1 certified!)

My current work-around to achieve a similar goal is to configure /etc/serialports to "trick" cconsole into telnetting back into localhost; then I type the appropriate ssh commands into each of the windows, then start using cconsole as usual. This is quite unwieldy, but it does the job.

Something which I think might be interesting for future cconsole releases is a way to allow a remote administrator to ssh into older terminal concentrators, such as the Sun-branded Bay Networks microAnnex series, which don't support ssh.

This could be accomplished by using ssh's dynamic application port forwarding facilities to open a tunnel to a cluster-local DMZ box (maybe even the mediator host for a two-node cluster). The /etc/serialports configuration file might look like:

mckay 10.0.0.1 9001 via dmz.cluster.com
zelenka 10.0.0.2 9002 via dmz.cluster.com

Then, to access mckay's serial console, cconsole would ssh to dmz.cluster.com with command line options suitable to open 10.0.0.1, port 9001 for telnet.

While this does not ensure end-to-end secure communication, it is significantly better than transmitting root passwords in plain text across the Internet!

Posted by Wes Garland on March 05, 2007 at 05:31 AM PST #

Hi Subhadeep, it is now May 07; is this patch available yet? Cheers, JB

Posted by Jonathan Board on May 15, 2007 at 05:17 PM PDT #

Hi Jonathan, the patch is expected around the middle of June 07. Thanks!

Posted by Subhadeep Sinha on May 16, 2007 at 07:21 PM PDT #

Hi Subhadeep, it is now July 07; is this patch available yet? Cheers, JB

Posted by Jonathan Board on July 08, 2007 at 07:42 PM PDT #

Hi Jonathan,

You can apply the core patch, 125511-02/125512-02/125510-02, and then to use the new cssh functionality, do the following:
# cd /opt/SUNWcluster/bin
# ln -s cconsole cssh

To add cssh to the ccp panel, do the following:
# mkdir /opt/SUNWcluster/etc/ccp/cssh
# cd /opt/SUNWcluster/etc/ccp/cssh
# ln -s ../cconsole/icon icon
# echo cssh > name
# echo 'cssh $CLUSTER' > exe

Let us know if this works. There will be another patch out in some time which will relieve users of doing this little workaround.

Regards,
-Subhadeep.

Posted by Subhadeep Sinha on July 10, 2007 at 02:25 PM PDT #

Subhadeep, having one issue. I patched my system, and when I run cconsole <group> where my ALOMs are running SSH, I still connect via telnet to port 23, and the "Use SSH" option is unchecked. If I check that box and exit, it doesn't stay that way, and I have to check the box, then select hosts each time, which is a royal PITA. Is there something I'm missing as far as keeping the options stored across executions?

Posted by Dale Gribble on August 08, 2007 at 12:16 PM PDT #

Oops, fat-fingered the port in my last post: cconsole is telnetting to port 22, instead of using SSH to 22. Same question applies as far as retaining the "Use SSH" checkbox.

Posted by Dale Gribble on August 08, 2007 at 12:19 PM PDT #

It appears that Sun is lacking a product comparable to Veritas Java Console.

Am I right? If not, could you please point me to a GUI tool to manage a cluster...

Posted by Jay Akula on September 19, 2007 at 05:05 AM PDT #

Hi Jay,

Solaris Cluster too has a Java Web Console based administration GUI. You can manage the cluster by logging in to one of the cluster nodes at https://<clusternode1>:6789/

Cheers,
Ganesh Ram
Solaris Cluster Engineering

Posted by Ganesh Ram N on September 19, 2007 at 05:36 PM PDT #

Jay, I confused the Java Console with the Java Web Console. Yes, you are right: Solaris Cluster doesn't have a stand-alone Cluster Manager GUI yet.

Posted by Ganesh Ram N on September 19, 2007 at 08:02 PM PDT #

"There will be another patch out in some time which will relieve users of doing this little workaround."

Any news on this?

Posted by Boyd Adamson on December 09, 2007 at 08:15 AM PST #

Hi Boyd,

The facility has been available since Sun Cluster core patch 126106-01. The latest rev of the patch is 126106-03, which can be downloaded from SunSolve.

Posted by zoram on December 09, 2007 at 07:27 PM PST #

Ok, thanks, I hadn't noticed.

Here's part of the reason: It seems to me that most people will be installing SUNWccon on non-cluster nodes, but the core patch needs to go onto cluster nodes (since, among other things, it patches SUNWscr).

This means that if I have an administration workstation with cconsole on it I can't patch up to use cssh without installing the rest of the cluster packages. Is there some reason for this coupling of otherwise separate packages at the patch level?

Posted by Boyd Adamson on December 10, 2007 at 05:56 AM PST #

Hi Boyd,

I have no idea why SUNWccon is bundled in the core patch. There seems to be an assumption that people would normally get the package from the CDROM of a Sun Cluster release.

I'd suggest that you download the latest SC3.2 CDROM to get the package.

Posted by zoram on December 12, 2007 at 08:17 PM PST #

Zoram,

Sorry if I didn't make myself clear. My question is nothing to do with where the packages are installed from.

My point is that, even when installing from the CDROM I'm probably going to install SUNWccon on my workstation and not the entire cluster product. In fact, that's exactly what the documentation[1] tells me to do.

That means that I'm going to end up unable to install this core patch (since I don't have other cluster packages installed), and therefore can't get the cssh functionality without manual hacks.

Are you saying that it's expected that users will install the whole of SunCluster on their admin workstations, rather than just SUNWccon? If so, the documentation should be updated to reflect that, and somewhere it should be pointed out that the practice of many years is no longer supportable.

[1] Documentation here: http://docs.sun.com/app/docs/doc/819-2970/cihcgafg?l=en&a=view tells users to install the SUNWccon package only using pkgadd

Posted by Boyd Adamson on December 13, 2007 at 05:25 AM PST #

Hi Boyd,

No, I didn't mean to imply that you have to install the whole SC software on the admin workstation. Just that if you want a new version of the SUNWccon package, it seems that you have to "pkgadd" the package shipped with a new Sun Cluster CD/DVD. So if you want to install the new SUNWccon that supports ssh, you have to (unfortunately and AFAICT) get the SC3.2u1 CD/DVD and install the package from there (after pkgrm'ing the existing package if there's one).

In short, you can't patch SUNWccon on an admin workstation :( This is really unfortunate, and I'll see if we can't generate a separate patch ID for just the admin workstation.

Posted by guest on December 16, 2007 at 07:21 PM PST #

There seems to be a misconception about patches. You can apply the SC Core patch to an admin workstation. It will patch the applicable packages on the system (SUNWccon), and skip those packages that are not present.

Posted by Jonathan Mellors on December 17, 2007 at 04:08 AM PST #

Erg!

If I use ccp -l admin so that cconsole can reach an ALOM interface which allows no root user, then I cannot log in as root via the cssh button if admin is not configured on the servers.
So I think:
1. the -l option should only be used by cconsole
2. different options for cssh and cconsole
3. give the user for cconsole in /etc/serialports?

But it's better than no ssh support. :-)

Regards...
Pierre Bernhardt

Posted by Pierre Bernhardt on May 26, 2008 at 12:58 AM PDT #

Great job. Got a question. Is there anyway to change the default window settings for cssh? Font size, window size, and what not, that you can set when running xterm? Thanks.

Posted by bonncs on January 27, 2009 at 04:21 AM PST #

Does anyone know if cconsole is supported with M series servers?

Posted by Mick Scott on May 17, 2009 at 04:37 PM PDT #
