SSH Support for Cluster Console Panel
By zoramthanga on Feb 28, 2007
The Cluster Console Panel
(CCP) utility has long been a favorite of users involved with
administration of systems having multiple nodes. It provides a single
access point to interact simultaneously with a multitude of nodes,
thus saving a lot of effort.
In releases of Sun
Cluster software until 3.2, the access methods which were available
with the CCP utility were rlogin, telnet, and console access over
telnet. The missing part was secure connections to nodes and to their
With the increasing focus
on security in production environments, the Cluster Console tool,
cconsole, was lacking this support. The newer breed of servers
from Sun have platform managers like service processors, which offer
secure connections and allow users to manage nodes remotely. The
cconsole tool was, however, not equipped to utilize this. There have
been repeated requests from customers to incorporate secure
connections via Secure Shell (SSH) into cconsole.
The patch to Sun Cluster 3.2 software will add SSH support to both the GUI and command line variants of cconsole. The revamped CCP features include:
SSH support for cconsole: The cconsole tool will support connections to node consoles over SSH. This is in addition to the already existing standard telnet connections to consoles. The utility could be used in either of the following ways:
- Launch the CCP GUI using the ccp command and then click on the cconsole button. The graphical interface for cconsole will have a new check box called “Use SSH" under the "Options" menu. Select this check box for going over SSH to the node consoles. By default, the check box is deselected, meaning that the default mode of connecting to consoles is not secure. Refer to Figure 1.
- Launch cconsole directly from the command line. The command line options for cconsole are:
New option for enabling SSH while connecting to a node's console. The /etc/serialports database has the console access device's name and the port number to be used for the SSH connection. Specify 22 as the port number if using the default SSH configuration on the console access device, otherwise specify a custom port number.
Optional SSH user name. By default, the user launching the cconsole/ccp command is effective.
If either the console or the ccp command is launched with the "-s" command line option, the “Use SSH” check box is automatically selected. If the “-s” option is not specified, select the “Use SSH” check box under the “Options” menu to enable SSH connection.
A new "cssh" command: CCP software will include a new cssh command which could be used to connect to nodes using standard SSH connections, in either of the following ways:
- Launch the CCP GUI with the ccp command, then click on the new cssh button (which is next to the existing crlogin, ctelnet, and cconsole buttons).
- Issue the cssh command directly from the command line. The cssh command takes the following options:
-l user Optional SSH user name. By default, the user launching the command is effective.
-p port Optional port number to use for the SSH connections. Port 22 is used by default.
Here is a screenshot of the modified Cluster Console Panel. It shows the new “cssh” button on the panel for the cssh command. It also shows the new “Use SSH” check box under the Options menu when the cconsole button is clicked.
Figure 1. Cluster Console Panel GUI
Shared options: The ccp command will accept options at the command line that are used by crlogin, cssh, and cconsole. Values passed to the options are effective for all the commands that are hence launched by clicking on the icons from the CCP GUI. For more details about the commands and their options, refer to the cconsole(1M) man page.
As an example, if one launches ccp in this manner:
#ccp -l joe -s -p 123
then this will be the effect on individual tools that are launched from the buttons on the CCP GUI:
This command ignores all of the -l, -p, and -s options and treats everything else on the command line as cluster or node names.
The user name for rlogin would be "joe".
The SSH user name would be "joe" and the SSH port number would be "123".
The cconsole tool would use SSH to connect to the nodes due to the "-s" option. The user name for the SSH connection to the console access device (as determined by the entry in /etc/serialports) would be "joe".
The port number, however, is taken from the serialports database and not from the command-line value of the "-p" option.
In addition, the user could deselect the checkbox "Use SSH" and override the command-line option "-s", in which case the console would be accessed using a telnet connection to the console access device.