
News, tips, partners, and perspectives for the Oracle Solaris operating system

SSH Support for Cluster Console Panel

Guest Author

The Cluster Console Panel
(CCP) utility has long been a favorite of users involved with
administration of systems having multiple nodes. It provides a single
access point to interact simultaneously with a multitude of nodes,
thus saving a lot of effort.

In releases of Sun
Cluster software until 3.2, the access methods which were available
with the CCP utility were rlogin, telnet, and console access over
telnet. The missing part was secure connections to nodes and to their
consoles.

With the increasing focus
on security in production environments, the Cluster Console tool,
cconsole, was lacking this support. The newer breed of servers
from Sun have platform managers like service processors, which offer
secure connections and allow users to manage nodes remotely. The
cconsole tool was, however, not equipped to utilize this. There have
been repeated requests from customers to incorporate secure
connections via Secure Shell (SSH) into cconsole.

The patch to Sun Cluster
3.2 software will add SSH support to both the GUI and command line
variants of cconsole. The revamped CCP features include:


  • SSH support for cconsole: The cconsole tool will support connections
    to node consoles over SSH. This is in addition to the already existing
    standard telnet connections to consoles. The utility could be used
    in either of the following ways:

    - Launch the CCP GUI using the ccp command and then click on the
      cconsole button. The graphical interface for cconsole will have a
      new check box called "Use SSH" under the "Options" menu. Select
      this check box for going over SSH to the node consoles. By default,
      the check box is deselected, meaning that the default mode of
      connecting to consoles is not secure. Refer to Figure 1.

    - Launch cconsole directly from the command line. The command line
      options for cconsole are:

      -s        New option for enabling SSH while connecting to a node's
                console. The /etc/serialports database has the console
                access device's name and the port number to be used for
                the SSH connection. Specify 22 as the port number if
                using the default SSH configuration on the console access
                device, otherwise specify a custom port number.

      -l user   Optional SSH user name. By default, the user launching
                the cconsole/ccp command is effective.

    If either the cconsole or the ccp command is launched with the "-s"
    command line option, the "Use SSH" check box is automatically
    selected. If the "-s" option is not specified, select the "Use SSH"
    check box under the "Options" menu to enable the SSH connection.

  • A new "cssh" command: CCP software will include a new cssh command
    which could be used to connect to nodes using standard SSH
    connections, in either of the following ways:

    - Launch the CCP GUI with the ccp command, then click on the new
      cssh button (which is next to the existing crlogin, ctelnet, and
      cconsole buttons).

    - Issue the cssh command directly from the command line. The cssh
      command takes the following options:

      -l user   Optional SSH user name. By default, the user launching
                the command is effective.

      -p port   Optional port number to use for the SSH connections.
                Port 22 is used by default.

 
Here is a screenshot of the modified Cluster Console Panel. It shows the
new "cssh" button on the panel for the cssh command. It also shows the
new "Use SSH" check box under the Options menu when the cconsole button
is clicked.

                Figure 1. Cluster Console Panel GUI

  • Shared options: The ccp command will accept options at the command
    line that are used by crlogin, cssh, and cconsole. Values passed to
    the options are effective for all the commands that are hence
    launched by clicking on the icons from the CCP GUI. For more details
    about the commands and their options, refer to the cconsole(1M) man
    page.

As an example, if one launches ccp in this manner:

      # ccp -l joe -s -p 123

then this will be the effect on individual tools that are launched from
the buttons on the CCP GUI:

      ctelnet    This command ignores all of the -l, -p, and -s options
                 and treats everything else on the command line as
                 cluster or node names.

      crlogin    The user name for rlogin would be "joe".

      cssh       The SSH user name would be "joe" and the SSH port number
                 would be "123".

      cconsole   The cconsole tool would use SSH to connect to the nodes
                 due to the "-s" option. The user name for the SSH
                 connection to the console access device (as determined
                 by the entry in /etc/serialports) would be "joe".

                 The port number, however, is taken from the serialports
                 database and not from the command-line value of the
                 "-p" option.

                 In addition, the user could deselect the checkbox "Use
                 SSH" and override the command-line option "-s", in which
                 case the console would be accessed using a telnet
                 connection to the console access device.
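
Because cconsole -s takes its SSH port from /etc/serialports and ignores -p, the entries in that file decide where the SSH connection goes. The following is an added example, not part of the original post or of the Sun Cluster software, that audits a serialports-style file for entries not on the SSH default port. The three-field line format, the status labels, and the sample node and device names are assumptions.

```shell
#!/bin/sh
# Added example: classify the ports in a serialports-style file.
# Assumed line format (not shown on the page): <node> <console-device> <port>
# '#' starts a comment; blank lines are ignored.

# audit_serialports FILE [SSH_PORT]
# Prints one line per entry: "<status> <node> <device> <port>"
#   SSH-DEFAULT  port equals the expected SSH port (22 unless overridden)
#   TELNET-PORT  port 23: cconsole -s would aim SSH at the telnet port
#   CHECK        any other port: confirm the device runs SSH there
#   MALFORMED    wrong field count or non-numeric port
audit_serialports() {
    awk -v ssh_port="${2:-22}" '
        { sub(/#.*/, "") }             # strip trailing comments
        NF == 0 { next }               # skip blank and comment-only lines
        NF != 3 || $3 !~ /^[0-9]+$/ { print "MALFORMED", $0; next }
        $3 == ssh_port { print "SSH-DEFAULT", $1, $2, $3; next }
        $3 == 23       { print "TELNET-PORT", $1, $2, $3; next }
        { print "CHECK", $1, $2, $3 }
    ' "$1"
}

# count_status FILE STATUS -> number of entries with that status
count_status() {
    audit_serialports "$1" | awk -v s="$2" '$1 == s { n++ } END { print n + 0 }'
}

# Constructed sample data (hypothetical node and device names).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# node     console-device   port
node1      node1-sc         22
node2      node2-sc         23
node3      tc-lab           5002   # terminal concentrator line
node4      node4-sc
EOF

audit_serialports "$sample"
```

Entries reported as TELNET-PORT or CHECK are the ones to review before relying on the "Use SSH" option for those consoles.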



With all these changes,
the CCP, and cconsole in particular, will be equipped to act as a
full-fledged tool for multi-node administration, further adding to
ease of use of Sun Cluster 3.2 software.

Subhadeep Sinha
Sun Cluster Engineering


Comments ( 24 )
  • Volker A. Brandt Wednesday, February 28, 2007
    So where is the patch? :-)
  • Subhadeep Sinha Thursday, March 1, 2007
    The patch to Sun Cluster 3.2 is expected to come out in early Q4 07.
    Thanks for your interest.
  • Boyd Adamson Thursday, March 1, 2007
    Sorry, I'm unclear as to which Q4 you mean. FY07 or CY07. Please don't tell me that we won't see this until October.
  • Dale Sears Thursday, March 1, 2007
    I wonder how the SBD (Secure By Default) initiative let this little gem escape their dragnet... I'm telling! :-)

    Even if it's not ssh by default, it's a great feature!

    Thanks!

  • Subhadeep Sinha Thursday, March 1, 2007
    The expected time frame for the patch is indeed April/May 2007. Thanks !
  • Boyd Adamson Thursday, March 1, 2007
    Thanks, I look forward to it :)
  • Subhadeep Sinha Monday, March 5, 2007
    Hi Wes,
    Thanks for your post ! Very informative. The new changes into CCP would make it ready-to-use for admins, and at the same time not take away anything from what was already existing.
    In addition to the cssh utility (which has an option for using a non-default SSH port - something which was not possible until now), we have added support for connecting to node consoles over SSH. This was the driving factor behind the feature. We did not want customers to necessarily have to go over telnet to console-access devices in order to access consoles. To add to it, SSH support to cconsole falls in line with modern day hardware, which offer secure platform management services.
    Thanks,
    -Subhadeep.
  • Jonathan Board Wednesday, May 16, 2007
    Hi Subhadeep
    It is now May 07; is this patch available yet?
    Cheers JB
  • Subhadeep Sinha Thursday, May 17, 2007
    Hi Jonathan, the patch is expected around the middle of June 07.
    Thanks !
  • Jonathan Board Monday, July 9, 2007
    Hi Subhadeep It is now July 07; is this patch available yet? Cheers JB
  • Subhadeep Sinha Tuesday, July 10, 2007
    Hi Jonathan,


    You can apply the core patch, 125511-02/125512-02/125510-02, and then to use the new cssh functionality, do the following:

    # cd /opt/SUNWcluster/bin

    # ln -s cconsole cssh


    To add cssh to the ccp panel, do the following:

    # mkdir /opt/SUNWcluster/etc/ccp/cssh

    # cd /opt/SUNWcluster/etc/ccp/cssh

    # ln -s ../cconsole/icon icon

    # echo cssh > name

    # echo 'cssh $CLUSTER' > exe


    Let us know if this works. There will be another patch out in some time which will relieve users of doing this little workaround.


    Regards,

    -Subhadeep.
  • Dale Gribble Wednesday, August 8, 2007

    Subhadeep, having one issue. I patched my system, and when I run cconsole <group> where my ALOMs are running SSH, I still connect via telnet to port 23, and the use SSH option is unchecked. If I check that box and exit, it doesn't stay that way, and I have to check the box, then select hosts each time, which is a royal PITA. Is there something I'm missing as far as keeping the options stored across executions?


  • Dale Gribble Wednesday, August 8, 2007

    Oops, fat-fingered the port in my last post, the cconsole is telnetting to port 22, instead of using SSH to 22. Same question applies as far as retaining the use SSH checkbox.


  • Jay Akula Wednesday, September 19, 2007

    It appears that sun is lacking a product comparable to Veritas Java Console.

    Am I right....if not could you please point me to a GUI tool to

    manage a cluster....


  • Ganesh Ram N Thursday, September 20, 2007

    Jay, I confused the Java Console with the Java WebConsole .. Yes you are right Solaris Cluster doesn't have a stand-alone Cluster Manager GUI yet ..


  • Boyd Adamson Sunday, December 9, 2007

    "There will be another patch out in some time which will relieve users of doing this little workaround."

    Any news on this?


  • zoram Monday, December 10, 2007

    Hi Boyd,

    The facility has been available since Sun Cluster core patch 126106-01. The latest rev of the patch is 126106-03, which can be downloaded from sunsolve.


  • Boyd Adamson Monday, December 10, 2007

    Ok, thanks, I hadn't noticed.

    Here's part of the reason: It seems to me that most people will be installing SUNWccon on non-cluster nodes, but the core patch needs to go onto cluster nodes (since, among other things, it patches SUNWscr).

    This means that if I have an administration workstation with cconsole on it I can't patch up to use cssh without installing the rest of cluster packages. Is there some reason for this coupling of otherwise separate packages at the patch level?


  • zoram Thursday, December 13, 2007

    Hi Boyd,

    I have no idea why SUNWccon is bundled in the core patch. There seems to be an assumption that people would normally get the package from the CDROM of a Sun Cluster release.

    I'd suggest that you download the latest SC3.2 CDROM to get the package.


  • guest Monday, December 17, 2007

    Hi Boyd,

    No, I didn't mean to imply that you have to install the whole SC software on the admin workstation. Just that if you want a new version of the SUNWccon package, it seems that you have to "pkgadd" the package shipped with a new Sun Cluster CD/DVD. So if you want to install the new SUNWccon that supports ssh, you have to (unfortunately and AFAICT) get the SC3.2u1 CD/DVD and install the package from there (after pkgrm'ing the existing package if there's one).

    In short, you can't patch SUNWccon on an admin workstation :( This is really unfortunate, and I'll see if we can't generate a separate patch ID for just the admin workstation.


  • Jonathan Mellors Monday, December 17, 2007

    There seems to be a misconception about patches. You can apply the SC Core patch to an admin workstation. It will patch the applicable packages on the system (SUNWccon), and skip those packages that are not present.


  • Pierre Bernhardt Monday, May 26, 2008

    Erg!

    If using ccp -l admin for using cconsole to an alom interface which allows no root user. But now I cannot login to root via cssh button if admin is not configured on the servers.

    So I think

    1. -l option should only be used by cconsole

    2. different options for cssh and cconsole

    3. give user for cconsole in /etc/serialports?

    But it's better than no ssh support. :-)

    MfG...

    Pierre Bernhardt


  • bonncs Tuesday, January 27, 2009

    Great job. Got a question. Is there any way to change the default window settings for cssh? Font size, window size, and what not, that you can set when running xterm? Thanks.


  • Mick Scott Sunday, May 17, 2009

    Does anyone know if cconsole is supported with M series servers ?

