The documents in this section discuss the actions used in Flux for executing commands and securely transferring files between remote systems using SSH.
SSH actions extend Flux’s robust palette of workflow and file actions to increase the power and flexibility of Flux workflows. One can orchestrate a workflow to manage their farm of servers and control them from Flux. Common tasks include on-demand backups, file transfers, and system monitoring. This technique also enables agent-less scheduling. Without requiring any special software on these remote servers, one can run and manage scripts just like any native application using Flux.
Flux 8.0.10 implements support for SSH-based interactions with remote servers in your workflow. A Flux workflow can run commands on a remote machine or transfer files to or from it. It supports password-based authentication as well as public key authentication with a passphrase.
Setting up key-based authentication between two machines is simple. The first step is to generate an SSH key pair on machine A (a passphrase is recommended to encrypt the private key):
macpro:.ssh arul$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/arul/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/arul/.ssh/id_rsa.
Your public key has been saved in /Users/arul/.ssh/id_rsa.pub.
The key fingerprint is:
a3:2e:03:c0:0b:98:ed:05:6d:00:a4:60:f6:6f:0c:e3 arul@macpro
The key's randomart image is:
+--[ RSA 2048]----+
|+=.o |
|= o o |
|+o * |
|=.o * |
|.o.E + S |
| .o . . . |
| . . |
| o. |
| o. |
+-----------------+
Copy the public key (id_rsa.pub) of machine A to machine B.
$ scp ~/.ssh/id_rsa.pub ubuntu-vm:
SSH to machine B and append the copied public key to the authorized_keys file.
$ ssh ubuntu-vm
arul@ubuntu-vm's password:
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
$ rm ~/id_rsa.pub
$ chmod 600 ~/.ssh/authorized_keys
You can do the same setup from machine B to machine A if you want bi-directional key-based communication over SSH. Once the keys are set up on both machines, you will be able to use public key authentication with a passphrase-encrypted private key. You can then disable password authentication in your SSH server config, so you avoid sending your password over the network.
This setup allows the machine A user to connect to machine B and automate tasks without password prompts, making the interaction seamless and secure. This is a secure and very powerful technique used by IT teams and has been battle-tested for decades in infrastructure automation.
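A check for the machine B side of the steps above, written as an added example (it is not part of Flux or its documentation): it verifies the 700/600 modes, confirms the copied key is in authorized_keys, and reads an sshd_config file for the PasswordAuthentication setting. The function names, the script name check.sh and its three arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the key setup on machine B.

# Print a file's permission bits in octal (GNU stat first, then BSD/macOS stat).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_key_setup SSH_DIR PUBKEY_FILE
# Returns 0 only if SSH_DIR is mode 700, authorized_keys is mode 600 and it
# contains the key from PUBKEY_FILE; prints one line per problem otherwise.
check_key_setup() {
    dir=$1; pub=$2; rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    [ "$(perm_of "$dir")" = 700 ] || { echo "$dir: expected mode 700"; rc=1; }
    auth=$dir/authorized_keys
    [ -f "$auth" ] || { echo "missing file: $auth"; return 1; }
    [ "$(perm_of "$auth")" = 600 ] || { echo "$auth: expected mode 600"; rc=1; }
    # Compare only the base64 key blob (field 2 of the .pub file), so a
    # different comment or leading options in authorized_keys do not matter.
    blob=$(awk 'NR==1 {print $2}' "$pub")
    [ -n "$blob" ] && grep -qF -- "$blob" "$auth" || { echo "key not in $auth"; rc=1; }
    return $rc
}

# password_auth_disabled SSHD_CONFIG
# sshd uses the first value it obtains for a keyword and defaults to "yes",
# so only the first uncommented PasswordAuthentication line is considered.
# Limitation: Match blocks and Include files are not evaluated here.
password_auth_disabled() {
    val=$(awk 'tolower($1)=="passwordauthentication" {print tolower($2); exit}' "$1")
    [ "$val" = no ]
}

# Run as: sh check.sh ~/.ssh ~/id_rsa.pub /etc/ssh/sshd_config
# (before the copied id_rsa.pub is removed from machine B)
if [ "$#" -eq 3 ]; then
    check_key_setup "$1" "$2" && echo "key setup OK"
    if password_auth_disabled "$3"; then
        echo "password authentication disabled"
    else
        echo "password authentication still enabled"
    fi
fi
```

On a live server, `sshd -T` prints the effective configuration, including settings that come from Match blocks or included files.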
Flux’s built-in SSH actions bring this power to Flux workflows. One can orchestrate a workflow to manage their fleet of servers and control them from Flux. Common tasks include on-demand backups, file transfers, and system monitoring. This technique also enables agentless scheduling: without requiring special software such as Flux agents to run on these remote servers, one can run and manage scripts just like any native application using Flux.
Hostname and username are required properties on these SSH actions. The recommended way to configure them is through Flux’s runtime configuration properties. This allows configuration to be reused across workflows and changed at runtime without bringing down your Flux engine.
Here is what an example runtime.properties file would look like in this setup.
/host=ubuntu-vm
/username=arul
/fingerprint=e4:af:1f:a3:8b:c0:15:33:71:87:d8:57:8f:d4:1a:3d
/private_key=/Users/arul/.ssh/id_rsa
/passphrase=+KYFTbEq6xaiUwa2Ij4N/Q==
The passphrase can be encrypted using Flux’s CLI API, so no clear text password is stored in the runtime configuration. Here is how you generate the encrypted password using the Flux API.
macpro:flux-8-0-10 arul$ java -cp flux.jar flux.Main encryptpassword flux*help
Flux 8.0.10 (build #1296) ~ Copyright 2015 Flux Corporation
Encrypted password is +KYFTbEq6xaiUwa2Ij4N/Q==