News, tips, partners, and perspectives for the Oracle Solaris operating system
-
Technologies /
Oracle Solaris Cluster
February 28, 2007
SSH Support for Cluster Console Panel
The Cluster Console Panel
(CCP) utility has long been a favorite of users involved with
administration of systems having multiple nodes. It provides a single
access point to interact simultaneously with a multitude of nodes,
thus saving a lot of effort.
In releases of Sun
Cluster software until 3.2, the access methods which were available
with the CCP utility were rlogin, telnet, and console access over
telnet. The missing part was secure connections to nodes and to their
consoles.
With the increasing focus
on security in production environments, the Cluster Console tool,
cconsole, was lacking this support. The newer breed of servers
from Sun have platform managers like service processors, which offer
secure connections and allow users to manage nodes remotely. The
cconsole tool was, however, not equipped to utilize this. There have
been repeated requests from customers to incorporate secure
connections via Secure Shell (SSH) into cconsole.
The patch to Sun Cluster
3.2 software will add SSH support to both the GUI and command line
variants of cconsole. The revamped CCP features include:
SSH support for
cconsole: The cconsole tool will support connections to node
consoles over SSH. This is in addition to the already existing
standard telnet connections to consoles. The utility could be used
in either of the following ways:- Launch the CCP GUI
using the ccp command and then click on the cconsole button. The
graphical interface for cconsole will have a new check box called
“Use SSH" under the "Options" menu. Select this
check box for going over SSH to the node consoles. By default, the
check box is deselected, meaning that the default mode of connecting
to consoles is not secure. Refer to Figure 1.
- Launch
cconsole directly from the command line. The command line options for
cconsole are:
-s
New option for enabling
SSH while connecting to a node's console. The /etc/serialports
database has the console access device's name and the port number
to be used for the SSH connection. Specify 22 as the port number
if using the default SSH configuration on the console access
device, otherwise specify a custom port number.-l user
Optional SSH user name.
By default, the user launching the cconsole/ccp command is
effective.
If either the
console or the ccp command is launched with the "-s"
command line option, the “Use
SSH” check box is automatically selected. If the “-s” option is
not specified, select the “Use
SSH” check box under the “Options” menu to enable SSH
connection.
A new "cssh"
command: CCP software will include a new cssh command which
could be used to connect to nodes using standard SSH connections, in
either of the following ways:
- Launch the CCP GUI with the ccp command, then click on the new
cssh button (which is next to the existing crlogin, ctelnet, and
cconsole buttons).- Issue the cssh command directly from the command line. The cssh
command takes the following options:
-l
user
Optional
SSH user name. By default, the user launching the command is
effective.-p port
Optional port number to use
for the SSH connections. Port 22 is used by default.
Here is a screenshot of the modified
Cluster Console Panel. It shows the new “cssh” button on the
panel for the cssh command. It also shows the new “Use SSH” check
box under the Options menu when the cconsole button is clicked.
Figure 1. Cluster Console Panel GUI
Shared options:
The ccp command will accept options at the command line that are
used by crlogin, cssh, and cconsole. Values passed to the options
are effective for all the commands that are hence launched by
clicking on the icons from the CCP GUI. For more details about the
commands and their options, refer to the cconsole(1M) man page.
As an example, if one launches ccp in this manner:
#ccp -l joe -s -p 123
then this will be
the effect on individual tools that are launched from the buttons on
the CCP GUI:
ctelnet
This command ignores all
of the -l, -p, and -s options and treats everything else on the
command line as cluster or node names.crlogin
The user name for rlogin
would be "joe".cssh
The SSH user name would
be "joe" and the SSH port number would be "123".cconsole
The cconsole tool would
use SSH to connect to the nodes due to the "-s" option.
The user name for the SSH connection to the console access device
(as determined by the entry in /etc/serialports) would be "joe".The port number, however,
is taken from the serialports database and not from the
command-line value of the "-p" option.In addition, the user
could deselect the checkbox "Use SSH" and override the
command-line option "-s", in which case the console
would be accessed using a telnet connection to the console access
device.
the CCP, and cconsole in particular, will be equipped to act as a
full-fledged tool for multi-node administration, further adding to
ease of use of Sun Cluster 3.2 software.
Thanks for your interest.
Even if it's not ssh by default, it's a great feature!
Thanks!
Thanks for your post ! Very informative. The new changes into CCP would make it ready-to-use for admins, and at the same time not take away anything from what was already existing.
In addition to the cssh utility (which has an option for using a non-default SSH port - something which was not possible until now), we have added support for connecting to node consoles over SSH. This was the driving factor behind the feature. We did not want customers to necessarily have to go over telnet to console-access devices in order to access consoles. To add to it, SSH support to cconsole falls in line with modern day hardware, which offer secure platform management services.
Thanks,
-Subhadeep.
It is now May 07; is this patch available yet?
Cheers JB
Thanks !
You can apply the core patch, 125511-02/125512-02/125510-02, and then to use the new cssh functionality, do the following:
# cd /opt/SUNWcluster/bin
# ln -s cconsole cssh
To add cssh to the cpp panel, do the following:
# mkdir /opt/SUNWcluster/etc/ccp/cssh
# cd /opt/SUNWcluster/etc/ccp/cssh
# ln -s ../cconsole/icon icon
# echo cssh > name
# echo 'cssh $CLUSTER' > exe
Let us know if this works. There will be another patch out in some time which will relieve users of doing this little workaround.
Regards,
-Subhadeep.
Subhadeep, having one issue. I patched my system, and when I run cconsole <group> where my ALOMs are running SSH, I still connect via telnet to port 23, and the use SSH option is unchecked. If I check that box and exit, it doesnt stay that way, and I have to check the box, then select hosts each time, which is a royal PITA. Is there something I'm missing as far as keeping the options stored across executions?
Oops, fat-fingered the port in my last post, the cconsole is telneting to port 22, instead of using SSH to 22. same question applies as far as retaining the use SSH checkbox.
It appears that sun is lacking a product comparable to Veritas Java Console.
Am I right....if not could you please point me to a GUI tool to
manage a cluster....
Jay, I confused the Java Console with the Java WebConsole .. Yes you are right Solaris Cluster doesnt have a stand alone Cluster Manager GUI yet ..
"There will be another patch out in some time which will relieve users of doing this little workaround."
Any news on this?
Hi Boyd,
The facility has been available since Sun Cluster core patch 126106-01. The latest rev of the patch is 126106-03, which can be downloaded from sunsolve.
Ok, thanks, I hadn't noticed.
Here's part of the reason: It seems to me that most people will be installing SUNWccon on non-cluster nodes, but the core patch needs to go onto cluster nodes (since, among other things, it patches SUNWscr).
This means that if I have an administration workstation with cconsole on it I can't patch up to use cssh without installing the rest of cluster packages. Is there some reason for this coupling of otherwise seperate packages at the patch level?
Hi Boyd,
I have no idea why SUNWccon is bundled in the core patch. There seems to be an assumption that people would normally get the package from the CDROM of a Sun Cluster release.
I'd suggest that you download the latest SC3.2 CDROM to get the package.
Hi Boyd,
No, I didn't mean to imply that you have to install the whole SC software on the admin workstation. Just that if you want a new version of the SUNWccon package, it seems that you have to "pkgadd" the package shipped with a new Sun Cluster CD/DVD. So if you want to install the new SUNWccon that supports ssh, you have to (unfortunately and AFAICT) get the SC3.2u1 CD/DVD and install the package from there (after pkgrm'ing the existing package if there's one).
In short, you can't patch SUNWccon on an admin workstation :( This is really unfortunate, and I'll see if we can't generate a separate patch ID for just the admin workstation.
There seems to be a misconception about patches. You can apply the SC Core patch to an admin workstation. It will patch the applicable packages on the system (SUNWccon), and skip those packages that are not present.
Erg!
If using ccp -l admin for using cconsole to an alom interface which allows no root user. But now I cannot login to root via cssh button if admin is not configured on the servers.
So I think
1. -l option should only used by cconsole
2. different options for cssh and cconsole
3. give user for cconsole in /etc/serialports?
But it's better than no ssh support. :-)
MfG...
Pierre Bernhardt
Great job. Got a question. Is there anyway to change the default window settings for cssh? Font size, window size, and what not, that you can set when running xterm? Thanks.
Does anyone know if cconsole is supported with M series servers ?