In this article, we will see how to remotely manage multiple Alibaba Cloud Linux instances in parallel using PSSH (parallel-ssh).
Most of the time you don't have physical access to a server and have to manage it remotely. Many programs were created for this task. Telnet is one of the earliest protocols developed for the internet, in 1969, but its drawback is that it was not built with security in mind: the protocol sends plain text over the wire.
RSH: Similar to telnet, it was originally written for the BSD (Berkeley System Distribution) system in 1953. Like telnet, it is an insecure protocol. To solve the security problem, SSH was created. SSH stands for secure shell and was created to overcome the security issues of telnet and rsh. The most widely used implementation of SSH is OpenSSH, built upon the concepts of symmetric and asymmetric encryption. SSH allows you to create a secure shell tunnel between two computers and manage the remote one as if you were on the local computer. OpenSSH's disadvantage is that you cannot execute the same command on multiple hosts at the same time. Pssh exists to overcome this problem.
PSSH, or parallel-ssh, is a Python-based program that allows you to execute commands on multiple hosts or servers in parallel.
Using pssh requires passwordless connections, so you have to configure them on your remote servers or hosts. What we have to do is configure all our servers to accept root connections based on key exchange (passwordless connection). There are good articles on connecting to Linux instances using key pairs. If you do not know how it works, these will be a good source of information: Connecting to Linux Instances Using Key Pairs; Advanced OpenSSH Features to Harden Access to Your Alibaba Cloud ECS.
You must have at least two Alibaba Cloud Elastic Compute Service (ECS) instances activated and have verified your payment method. You also need root access or a user in the sudo group.
On Alibaba Cloud, a newly created instance allows root login with a password. To change that, connect to your server and edit the sshd_config file in the /etc/ssh folder. At the end of the file you will see PermitRootLogin yes. Change it to PermitRootLogin without-password, and uncomment PubkeyAuthentication at line 37. By doing this you allow root connections with key authentication.
Note: Before doing this, make sure you have created another user and added it to the sudo group; otherwise you will not be able to connect to your ECS instance, because root login with a password will no longer be permitted. If you make a configuration mistake, you can connect as that user and correct the problem.
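A quick way to confirm the edit did what was intended, as an added example that is not part of the original article: the script reads an sshd_config and reports whether root login is key-only. The function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check an sshd_config for the two settings the article edits.
# sshd keeps the first value it reads for a keyword, so take the first match.
# Settings inside Match blocks are not global, so stop at the first one.
sshd_setting() {    # usage: sshd_setting FILE KEYWORD
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                 # commented-out line
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Succeeds only if root cannot log in with a password but can with a key.
root_key_only() {   # usage: root_key_only FILE
    root=$(sshd_setting "$1" PermitRootLogin)
    pubkey=$(sshd_setting "$1" PubkeyAuthentication)
    case "$root" in
        without-password|prohibit-password) ;;    # same meaning, old/new name
        *) echo "PermitRootLogin is '${root:-unset}': password login for root not ruled out"
           return 1 ;;
    esac
    if [ "$pubkey" = "no" ]; then
        echo "PubkeyAuthentication is no: key login is disabled"
        return 1
    fi
    echo "ok: root login is key-only"
}

# Constructed samples: the file before and after the edit described above.
before=$(mktemp); after=$(mktemp)
trap 'rm -f "$before" "$after"' EXIT
printf '%s\n' '#PubkeyAuthentication yes' 'PermitRootLogin yes' > "$before"
printf '%s\n' 'PubkeyAuthentication yes' 'PermitRootLogin without-password' > "$after"
root_key_only "$before" || true
root_key_only "$after"
```

On the server itself, run sshd -t to check the file for syntax errors before restarting the service, and keep the current session open until a new key-based login has succeeded.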
After we have configured all our servers to permit root login based on key authentication, we can start with pssh.
Set Up SSH Key-Based Authentication
Now we are going to generate a private and public key pair on our local machine and then send the public key to our server to allow key-based authentication.
These are the steps:
- Generate the ssh key
- Copy the ssh public key to your remote server
- Repeat the second step for all your remote servers so they all accept the same key-based authentication.
As you can see in the image above, we first use ssh-keygen to generate a key. The -t option sets the key type; here it is rsa.
We then copy the public key to our remote server with the ssh-copy-id command.
Note: when generating the ssh key, you will be asked for a passphrase to protect the key file, so that if someone accesses your computer they will need the passphrase to connect with it. It is simply a security measure to protect your key.
SSH-Keygen and SSH-Copy
ssh-keygen generates two keys (private and public) and stores them in the .ssh folder of the current user.
ssh-copy-id copies the public key into the user's .ssh folder on the remote computer. If you check your local .ssh folder after generating the key, you will see two files (id_rsa, id_rsa.pub). If there is also a known_hosts file, that means you have already connected to a computer and exchanged keys.
If you connect to the remote computer and check the .ssh folder of the user you copied the public key to, you will see a file named authorized_keys. Check its content and you will see it is the public key you sent with ssh-copy-id.
As you can see in the above image, on the left we are on the remote Alibaba ECS computer. In the .ssh folder we have our authorized_keys file; we cat the file to check its content and we see the public key we generated on our local computer.
On the right is the local computer. In the .ssh folder we have our id_rsa (private key) and id_rsa.pub (public key). When we check the content of the id_rsa.pub file, we see that it is the same as the content of the authorized_keys file on our Alibaba ECS server. We can conclude that we successfully configured key-based authentication.
Note: if you have multiple servers that you want to manage in parallel, you have to repeat all the configuration we did above on each of them.
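Repeating the copy step for every server is easier from a list, so here is an added example (not from the original article) that turns a host file into one ssh-copy-id command per server and refuses malformed entries. It assumes entries in the [user@]host[:port] form that parallel-ssh reads and the default id_rsa.pub path; the function names are hypothetical, and the commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example: plan the ssh-copy-id run for every entry of a host file.
PUBKEY="$HOME/.ssh/id_rsa.pub"    # assumed default path written by ssh-keygen -t rsa

# copy_id_cmd ENTRY [DEFAULT_USER]: print the ssh-copy-id command for one
# [user@]host[:port] entry, or fail if the entry is malformed.
copy_id_cmd() {
    entry=$1; user=${2:-root}; port=22
    case "$entry" in *@*) user=${entry%%@*}; entry=${entry#*@} ;; esac
    case "$entry" in *:*) port=${entry##*:}; entry=${entry%:*} ;; esac
    # Accept only plain names, addresses and numeric ports, so that a bad
    # line can never reach ssh as an option or as extra shell words.
    case "$user"  in ''|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$entry" in ''|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$port"  in ''|*[!0-9]*) return 1 ;; esac
    printf 'ssh-copy-id -i %s -p %s %s@%s\n' "$PUBKEY" "$port" "$user" "$entry"
}

# plan_key_copy FILE: print one command per host; non-zero if any line is bad.
plan_key_copy() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        copy_id_cmd "$line" || { echo "skipped invalid entry: $line" >&2; bad=1; }
    done < "$1"
    return "$bad"
}

# Constructed host file using the two private addresses from this article.
hosts=$(mktemp)
trap 'rm -f "$hosts"' EXIT
printf '%s\n' 'root@172.25.5.157:22' '172.25.5.156' > "$hosts"
plan_key_copy "$hosts"
```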
To install pssh on Ubuntu, first run an update if you have not done so yet, then install pssh with the command "apt-get install pssh".
Now that pssh is successfully installed, as you can see in the above image, we can start using it. But if you enter pssh in the terminal, you will get a message saying that the command is not found, because on Debian-based distributions pssh is named parallel-ssh.
The parallel-ssh package comes with other tools similar to the OpenSSH tools. After installation, the pssh package includes:
- parallel-ssh: runs an ssh command on multiple hosts in parallel
- parallel-scp: copies files to a number of hosts in parallel
- parallel-rsync: copies files to a number of remote hosts in parallel
- parallel-nuke: kills processes in parallel
- parallel-slurp: copies files from multiple remote hosts to a central host in parallel
How They Work
Now we are going to see how to use all these tools on multiple remote hosts or servers.
As on all Linux distros, the best way to learn a program is its man page or --help option, and parallel-ssh is no exception to the rule. So let's open the parallel-ssh manual to see how to use it.
As you can see in the image above, parallel-ssh has many options.
-h : this option allows us to give a file with a list of hosts (a host is user@host_or_ipaddr:port)
-l : use the given username as the default user for any host. With this option we don't need to enter the user on each line of the host file if all our servers use the same user for the connection.
-i : display standard output and standard error as each host completes.
Let's first create a file with all the hosts we want to connect to. To do this, you can create the file with the touch command, then open it with any text editor and enter your host list. Or you can use echo to add hosts to the file.
The content of our host_file is:
OK, now let's check the IP address of each remote host.
The command will be:
parallel-ssh -i -h host_file ip addr show
As we can see in the above image, we have successfully checked the IP address of each of our remote Alibaba ECS instances.
The first server has the private IP address 172.25.5.157, on the eth0 interface.
The second server has the private IP address 172.25.5.156, on the eth0 interface.
Now let's say a new vulnerability is out and the simple way to patch it is to update your systems. Even with 10 Alibaba ECS instances, the problem is easy to solve because we are using parallel-ssh.
The simple thing to do is to pass the command to parallel-ssh: parallel-ssh -i -h host_file "apt-get update"
As we can see in the above image, we successfully updated all our online servers.
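When the same command goes to many servers, one failed host is easy to overlook in the scrolling output. The following added example (not from the original article) summarises the per-host status lines; the status-line format and the sample output are assumptions constructed for illustration, and summarize_pssh is a hypothetical name.

```shell
#!/bin/sh
# Added example: summarise a parallel-ssh run so a failed host is not missed.
# Assumed status-line format: "[N] HH:MM:SS [SUCCESS|FAILURE] host [reason]".
summarize_pssh() {
    awk '
        /^\[[0-9]+\] [0-9:]+ \[SUCCESS\] / { ok++; next }
        /^\[[0-9]+\] [0-9:]+ \[FAILURE\] / { failed++; hosts = hosts " " $4 }
        END {
            printf "ok=%d failed=%d%s\n", ok, failed, (hosts != "" ? " hosts:" hosts : "")
            exit (failed > 0)      # non-zero status when any host failed
        }
    '
}

# Constructed sample of "parallel-ssh -i" output (not captured from a real run).
sample_output() {
    cat <<'EOF'
[1] 10:15:01 [SUCCESS] 172.25.5.157
Reading package lists...
[2] 10:15:03 [FAILURE] 172.25.5.156 Exited with error code 100
Stderr: E: Could not get lock /var/lib/apt/lists/lock
EOF
}

sample_output | summarize_pssh || echo "re-run or investigate the hosts listed above"
# Live use: parallel-ssh -i -h host_file "apt-get update" | summarize_pssh
```

Note that apt-get update only refreshes the package lists; the fixed packages are installed by a following apt-get upgrade.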
Now imagine we want to send a patch file to all our servers, since they have the same configuration. We will use: parallel-scp -h host_file source destination
Let’s see what we did in the image above.
- First, we send a file named file_to_send to our two servers. We see SUCCESS, which means the file was sent.
- Second, we list the content of our root directory with the ls -arl command.
- Finally, we filter the content of the folder with the grep command to list only the file we sent, and we see that file_to_send is on both servers.
Notice that the command sent to the remote servers can be in quotation marks ("") or not. Any command can be sent to the servers; there is no restriction, even if you want to delete a file.
Now let's see how to kill a process in parallel on the servers.
The syntax is the same as for the other parallel commands. Just pass the host_file and the process you want to kill as parameters.
OK, let's kill apache2 on all our servers: parallel-nuke -h host_file apache2
As we can see, it kills the apache2 process on all our servers in parallel. It's true that with parallel-ssh we could simply send a kill command to kill apache2, but here we want to see how parallel-nuke works.
As we can see in the image above, we send file_to_send to the root/ folder, then list and filter the result with grep to display only the file we sent, to be sure it was sent successfully.
Note: if you set a passphrase when generating your key, you have to use the -A option so the program will ask for the passphrase or password. If you use different usernames to log in to your servers, that is no problem: all you have to do is put the different usernames in the file.
In this article, we have seen how to manage multiple servers at the same time using pssh, or parallel-ssh, with its suite of tools. What we did is just a small part of what can be done with this tool. We can conclude that pssh is a good tool for a system administrator who has multiple servers online and at times wants to manage them all in parallel.