6.4. SSH into another machine and run a command

This is probably one of the most useful things OliveTin is used for - just plain old SSH, which allows it to easily connect from a container to any server running on your network to run commands. This is also the preferred method of running commands on the server that is hosting the OliveTin container image as well.

Installation type Difficulty to do this

Running as a Systemd service

Easy

Running in a container

Needs some setting up - see the SSH Container setup instructions

6.4.1. Example config.yaml

OliveTin config.yaml
actions:
    # This will SSH into a server an run the command 'service httpd restart'
   - title: Restart httpd on Server 1
     shell: ssh root@server-with-olivetin 'service httpd restart'
     icon: ping
     timeout: 5

Note about SSH keys: You should make sure that the user that OliveTin is running as has access to a SSH key. This applies to container images as well. The setup instructions below briefly explain how to generate a SSH key and make it accessible to OliveTin which is running inside a container.

6.4.2. SSH from inside a Container - setup instructions

This is a two step process;

  1. Setup a volume mount for the ~/.ssh/ directory, that contains a SSH Key.

  2. OliveTin uses the SSH key to connect back to server-with-olivetin or across to server2.

Visually, this is what it looks like;

ssh diagram

  1. Setup a volume mount for the ~/.ssh/ directory, that contains a SSH Key.

    1. On server-with-olivetin, run mkdir /opt/OliveTinSshKeys to create a shared directory for your SSH key file.

      This will later be used as a "volume mount" when you create a docker container.

      1. On server-with-olivetin, run ssh-keygen to generate a SSH key (if you haven’t already got one).

    2. Enter the file in which to save the key: /opt/OliveTinSshKeys/id_rsa

    3. Enter passphrase (empty for no passphrase): <enter>

      This will create a passwordless SSH key that OliveTin can use. It is safe as long as nobody steals your SSH key file!

      You should get something that looks like this. If you get a "permission denied" error when creating files, you could run chmod 0777 /opt/OliveTinSshKeys and try again.

      root@server-with-olivetin: ssh-keygen
      Generating public/private rsa key pair.
      Enter file in which to save the key (/root/.ssh/id_rsa): /opt/OliveTinSshKeys/id_rsa
      Enter passphrase (empty for no passphrase):
      Enter same passphrase again:
      Your identification has been saved in /opt/OliveTinSshKeys/id_rsa
      Your public key has been saved in /opt/OliveTinSshKeys/id_rsa.pub
      The key fingerprint is:
      SHA256:t+vGUn+MTeOtRDpxKanO3Cg63+gvAHslZCe3YVNnfWU root@server-with-olivetin
      The key's randomart image is:
      +---[RSA 3072]----+
      |         .. o.  E|
      |      + *  o  ...|
      |     o = +     . |
      |    . . o    . . |
      |     o oS . + +  |
      |    . o  ..o *o  |
      |     . . oo.o*.o |
      |      . +*o+oo= .|
      |      .=+BX .... |
      +----[SHA256------+

      This will create two files, /opt/OliveTinSshKeys/id_rsa (your private key) and /opt/OliveTinSshKeys/id_rsa.pub (your public key).

      1. Copy your public key to every server you want to connect to.

        ssh-copy-id is a really quick and safe way to do this.

        root@server-with-olivetin: ssh-copy-id root@server-with-olivetin
        (enter your SSH password)
        root@server2: ssh-copy-id root@server2
        (enter your SSH password)

        You will be asked to login with a password for each server.

        After you have done that, you will then be able to login with the ssh key instead;

        root@server-with-olivetin: ssh -i /opt/OliveTinSshKeys/id_rsa root@server2
        (you should login without a password)
      2. Give the SSH key to the OliveTin container.

        The way to do this is via a "volume mount". When you create the container, you use "-v" to specify a volume.

        You should mount your SSH keys directory into the OliveTin user’s home directory by creating the container like this;

        docker run -v /opt/OliveTinSshKeys/:/home/olivetin/.ssh/ --name OliveTin jamesread/olivetin

        This also works for things like SSH configuration files, if you want to use them. This is step 1 complete from the diagram above.

      3. Thankfully, step 2 is very simple! ssh commands in your OliveTin config.yaml should work without a password!, and allow OliveTin to access services, files, and other stuff outside of the OliveTin container.

        OliveTin config.yaml
        actions:
            # This will SSH into a server an run the command 'service httpd restart'
           - title: Restart httpd on Server 1
             shell: ssh root@server-with-olivetin 'service httpd restart'
             icon: ping
             timeout: 5