Configuring SSH Access for Apcera CE

This section describes how to configure SSH access to the Apcera Platform Community Edition, including how to generate custom SSH keys.

You must configure custom SSH access the first time you configure or install an Apcera CE cluster. You cannot add a custom SSH key after the platform is deployed.

Configuring SSH access is optional but recommended for production deployments where troubleshooting may be necessary.

Using the Apcera-provided SSH key

Beginning with version 2.1.0 of apcera-setup, you can choose to have Apcera generate and apply an SSH key pair that you can use to access cluster hosts. To do this, simply press Enter at the SSH key prompt.

Path to a public key for SSH access to the cluster using other clients
(Enter 'none' if you only want to use SSH via apcera-setup ssh) [none]:

Once your cluster is deployed, you can use this key pair to access cluster hosts. To do this you use the apcera-setup ssh command.

Usage:

  apcera-setup ssh <name> [flags]

Examples:

  apcera-setup ssh orchestrator

Flags:

  -h, --help   help for ssh

Global Flags:

  -c, --config string   config file (default "config.json")

For example:

1) Get the machine hostname so you can access it using SSH by running the command apcera-setup status.

$ ./apcera-setup status

[ Apcera Setup - Status ]
Please wait a moment while we query your cluster...

[ Cluster Status ]
╭────────────┬──────────────┬────────────────────────────────╮
│ Provider   │ Status       │ Apcera Platform Version        │
├────────────┼──────────────┼────────────────────────────────┤
│ virtualbox │ Bootstrapped │ 2:2.0.1apc189 (build: 8eea66b) │
╰────────────┴──────────────┴────────────────────────────────╯

[ Machine Status ]
╭──────────────┬────────────────────────────────────────────────┬────────────┬─────────╮
│ Role         │ Name                                           │ IP Address │ Status  │
├──────────────┼────────────────────────────────────────────────┼────────────┼─────────┤
│ Orchestrator │ twonero-apcera-setup-vm-orchestrator-138694647 │ 10.0.0.68  │ running │
│ Central      │ twonero-apcera-setup-vm-central-1-138694647    │ 10.0.0.69  │ running │
│ IM           │ twonero-apcera-setup-vm-im-1-138694647         │ 10.0.0.70  │ running │
╰──────────────┴────────────────────────────────────────────────┴────────────┴─────────╯

2) Run the apcera-setup ssh <cluster-host> command to access one of the cluster hosts.

For example:

$ ./apcera-setup ssh orchestrator
Connecting to twonero-apcera-setup-vm-orchestrator-138694647
ubuntu@vm:~$ ls
chef-client-20160610031106.log  chef-server-20160610031106.log  cluster.conf  martini-debug-20160610031106.log
ubuntu@vm:~$ exit
logout
$

Configuring custom SSH key access

During the initial apcera-setup config or apcera-setup install process, you are prompted to provide an SSH key.

Path to a public key for ssh access to the cluster (Type 'none' if you do not wish to use ssh) [none]:

You can access any of your VMs using the "apcera-setup ssh" command (if you used the default SSH key) as described above. Or, you can enable SSH access via other tools by providing a public key during "apcera-setup config" when you create your cluster for the first time.

To configure SSH access using a custom SSH key, complete these steps:

  1. Generate SSH key pair
  2. Load SSH private key into local agent
  3. Provide SSH public key to apcera-setup
  4. Verify SSH access

Generating SSH key pair

Follow these instructions to generate an SSH key pair on Unix machines where the ssh-keygen tool is installed.

1) Generate SSH key pair.

ssh-keygen

For example:

ssh-keygen
Generating public/private rsa key pair.

2) Enter file name and path in which to save the key, or use the default.

For example:

ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/user/.ssh/id_rsa): /Users/user/apcera-setup/my-ssh-key

If you use the default, it will generate a private and public key pair (id_rsa and id_rsa.pub) in the ~/.ssh directory.

Or you can specify a custom-key-name and a different path, as shown above.

3) Enter and confirm a passphrase, or leave empty for no passphrase.

The ssh-keygen tool returns the name and location of your private and public keys, as well as the key fingerprint and image.

Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/user/apcera-setup/my-ssh-key.
Your public key has been saved in /Users/user/apcera-setup/my-ssh-key.pub.
The key fingerprint is:
SHA256:XK6YAcU93xOLQCAfH6tEXxNb54mYnJ4AYHMq2xNQlBE user@Users-MacBook-Pro-2.local
The key's randomart image is:
+---[RSA 2048]----+
| .E++oo. .       |
| ....=* * . . .  |
|. . o= * B.B + . |
| + o .+.=oB + o  |
|. +  ..oSo.o .   |
|   .  .+..o .    |
|      o .. . .   |
|          . .    |
|                 |
+----[SHA256]-----+
Users-MacBook-Pro-2:apcera-setup user$ 

Loading SSH key into local SSH agent

1) Change to the directory containing the SSH key pair you generated.

  • If you used the default path: cd /Users/user/.ssh
  • Or, for example, if you used a custom path: cd /Users/user/apcera-setup

2) Run the ssh-add command.

  • If you used the default name: ssh-add id_rsa
  • If you used a custom key name: ssh-add custom-key-name

You will be prompted to enter the passphrase you created for the SSH key.

Success is indicated by the following message:

ssh-add custom-key-name
Enter passphrase for custom-key-name: 
Identity added: custom-key-name (custom-key-name)

Or, if you did not use a passphrase:

ssh-add my-ssh-key
Identity added: my-ssh-key (my-ssh-key)

3) Verify that you added the key to your local SSH agent.

ssh-add -l

For example, you should see a result similar to the following:

ssh-add -l
4096 32:14:63:00:80:22:ec:0f:6c:ac:97:f8:78:8e:9f:1f /Users/bobjohnson/.ssh/custom-key-ssh (RSA)

Providing SSH key to apcera-setup

During the apcera-setup config or apcera-setup install process, you are prompted to provide an SSH key.

For example:

Path to a public key for ssh access to the cluster (Type 'none' if you do not wish to use ssh) [none]:

To provide an SSH key, specify the full path to your public SSH key.

For example:

Path to a public key for ssh access to the cluster (Type 'none' if you do not wish to use ssh) [none]: /Users/bobjohnson/.ssh/custom-key-ssh.pub

Verifying SSH access

You can verify that you can access the cluster VMs using your SSH client by logging in as the user "ubuntu" with the key pair whose public key you provided to apcera-setup, located at "/file/path/.ssh/ssh-key-name.pub" or at a custom path if you specified one.

For example, to SSH into the Orchestrator host:

1) Get the public IP address of the Orchestrator host.

Use the following command:

apcera-setup status
[ Machine Status ]
╭──────────────┬───────────────────────────────────────────────┬────────────────────────────┬─────────╮
│ Role         │ Name                                          │ IP Address                 │ Status  │
├──────────────┼───────────────────────────────────────────────┼────────────────────────────┼─────────┤
│ Orchestrator │ waylon-apcera-setup-vm-orchestrator-139916696 │ 54.183.204.44, 10.0.50.169 │ running │
│ Central      │ waylon-apcera-setup-vm-central-1-139916696    │ 52.53.207.61, 10.0.50.161  │ running │
│ IM           │ waylon-apcera-setup-vm-im-1-139916696         │ 54.183.250.217, 10.0.50.62 │ running │
│ IM           │ waylon-apcera-setup-vm-im-2-1330938714        │ 54.193.1.181, 10.0.50.10   │ running │
╰──────────────┴───────────────────────────────────────────────┴────────────────────────────┴─────────╯

2) Run the ssh ubuntu@<ip> command to connect to a host via SSH.

For example:

ssh ubuntu@203.0.113.0

Success is indicated by:

$ ssh ubuntu@203.0.113.0
Last login: Tue Feb  2 05:22:15 2016
ubuntu@vm:~$ 

If you can't connect, make sure you loaded the key into your SSH agent, and that you used the public Orchestrator IP address.

Removing SSH access

If you added an SSH key and later want to remove it, rerun the apcera-setup config process and enter none at the SSH key prompt.

For example:

Path to a public key for ssh access to the cluster (Type 'none' if you do not wish to use ssh) [none]: none

Using orchestrator-cli ssh

For some troubleshooting issues, you may want to be able to SSH into other cluster hosts, such as an IM. To do this, you run the orchestrator-cli ssh command from the Orchestrator host. To use the orchestrator-cli ssh command, you must enable SSH agent forwarding with the -A flag when you connect to the Orchestrator, so that the Orchestrator host can authenticate to the other cluster hosts using the key held in your local agent.

For example:

ssh -A ubuntu@192.168.1.40
Last login: Thu Apr  7 14:17:08 2016 from 192.168.1.9
ubuntu@vm:~$ orchestrator-cli ssh
Starting up database... done

Multiple nodes matched your query, please select which:

1) IP: 192.168.1.21, Name: 8655e3a4, Tags: central
2) IP: 192.168.1.55, Name: b5e90157, Tags: instance-manager

Pick a host [1]: 1
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

user@orch-8655e3a4:~$ exit
logout
Connection to 192.168.1.21 closed.
ubuntu@vm:~$ exit
logout
Connection to 192.168.1.40 closed.