22Jul
,
0

Cloud Alert Runbook – remote shell command

How to execute command remotely

Use Runbook Automation to enable anyone to safely execute self-service operations tasks that previously only subject matter experts could perform

Runbook by default uses SSH to execute commands on remote nodes, copy scripts to remote nodes, and locally executes commands and scripts for the local (server) node.

Pre-requirement

  • Remote nodes are on same local network to EKS (Private subnet 01 & Private subnet 02)
  • Credential to access to remote host via SSH (username/password) or (public/private key) or (socket mode)

Security for remote command execution

The restriction of SSH-executable commands is mainly used for automated backup operations or backups. In most cases, dedicated backup users have a private key with no key phrase or key phrase to perform automated backups. At the backup destination server, this user’s public key is placed in the authorized keys file so that it can connect without entering a password. Actually, from this point on, the user would have full access to the backup server, even though he always calls only the command rsync.

A command restriction for the user prevents the backup server from being automatically compromised if the private key is compromised. Since the user is restricted to a command in the authorized keys file, he must not execute any other command or set up a terminal session via SSH.

Ref: https://blog.dxcloudsuite.io/restrict-executable-ssh-commands-with-authorized-keys/

Socket mode

Sockets are interfaces that can "plug into" each other over a network. Once so "plugged in", the programs so connected communicate.

Socket mode allows user to perform remote command execution via socket interface. Accordingly, Airflow server works as client program and connect to server program as remote node. From the server side, it restricts the command collection which runs from the client side.

Runbook comes with pre-canned action runners such as a remote runner and shell runner which provide for user-implemented actions to be run remotely (via SSH) and locally.

The objective is to allow the Action author to concentrate only on the implementation of the action itself rather than setting up the environment.

Remote Command

top

export TERM=linux; top -b -n 5

cp

cp public.pub public-cps.pub

ping

ping -c 5 www.google.com.vn

traceroute

traceroute www.google.com.vn

rm

rm public.pub

df

df -h

Leave a Reply