All Products
Search
Document Center

CloudOps Orchestration Service:Use OOS to configure password-free logon for multiple ECS instances

Last Updated:Dec 05, 2024

CloudOps Orchestration Service (OOS) is an automated O&M service provided by Alibaba Cloud to help you manage and execute O&M tasks. You can create templates to define execution tasks, the execution sequence of the tasks, input parameters, and output parameters, and use the templates to automatically run O&M tasks.

SSH-based password-free logon is mostly used for automated O&M. This allows you to automate the management of a large number of servers in a secure and convenient way. If you have a large number of Elastic Compute Service (ECS) instances, you can configure password-free logon for some or all of the instances. This topic describes how to use OOS to configure password-free logon for a large number of ECS instances.

Important

  1. Make sure that ECS instances are available. If no instance is available, purchase ECS instances. For more information, see Getting started.

  2. The user used to connect to ECS instances for which you want to configure password-free logon must be the same.

  3. Only Linux-based ECS instances are supported.

Procedure

  1. Log on to the OOS console.

  2. Add a user that is used to connect to ECS instances without a password. If a user is added, skip this step. If no user is available, you can execute a script to add a user to ECS instances on the Batch Instance Operations page of the OSS console. The following figure shows the details.image

  3. Create a template.

In this example, a template is used to configure password-free logon for ECS instances. For more information about the template, see the Appendix 1: Template for password-free logon section of this topic.

Copy the script and paste it into the input box and click Create Template. This template is used to select and obtain the public keys of some ECS instances. You need to select the ECS instances for which you want to configure password-free logon, and configure the public keys for the specified user.freelogin-02

  1. Execute the template.

On the Custom Template page, find the template that you created in the previous step and click Create Execution in the Actions column. On the Create page, configure the basic information about the template and click Next Step: Parameter Settings.freelogin-03

  1. Configure the parameters in the Parameter Settings step. You can manually select ECS instances or specify tags to select ECS instances. The following figure shows the details.freelogin-05

  2. Click Next Step: OK. Confirm the parameters and click Create. Then, you can execute the template.freelogin-06

  3. After the template is executed, check whether the password-free configuration takes effect.

Connect to an ECS instance for which password-free logon is configured. Run the ssh command by using the user. This way, you can connect to another ECS instance without the need to enter a password. The following figure shows an example. The su command is run to switch to the freelogin user. The ssh command is run as the freelogin user to connect to another ECS instance. This indicates that the password-free logon takes effect.freelogin-07

Appendix 1: Template for password-free logon

The following table describes the parameters that are required in the template.

Parameter

Description

regionId

The region ID of the cluster.

sourceTarget

The ECS instance whose public key is required for password-free logon.

destinationTarget

The ECS instance for which you want to configure password-free logon.

userName

The name of the user that is used to connect to ECS instances.

rateControl

The concurrency ratio of task executions.

OOSAssumeRole

The Resource Access Management (RAM) role that is used by OOS.

The following script shows the content of the template:

FormatVersion: OOS-2019-06-01
Description:
  en: 'In the instance, a user is linked without encryption by means of an authorization key.'
   
Parameters:
  regionId:
    Type: String
    Description:
      en: The id of region.
       
    AssociationProperty: RegionId
    Default: '{{ ACS::RegionId }}'
  sourceTarget:
    Type: Json
    Description:
      en: Example of obtaining the secret-free public key when configuring the secret-free login.
       
    AssociationProperty: Targets
    AssociationPropertyMetadata:
      ResourceType: 'ALIYUN::ECS::Instance'
      RegionId: regionId
  destinationTarget:
    Type: Json
    Description:
      en: Need to open an instance of password-free login.
       
    AssociationProperty: Targets
    AssociationPropertyMetadata:
      ResourceType: 'ALIYUN::ECS::Instance'
      RegionId: regionId
    Default:
      Type: ResourceIds
      ResourceIds: []
  userName:
    Description:
      en: Password-free login username in the instance.
       
    Type: String
  rateControl:
    Description:
      en: Concurrency ratio of task execution.
       
    Type: Json
    AssociationProperty: RateControl
    Default:
      Mode: Concurrency
      MaxErrors: 0
      Concurrency: 10
  OOSAssumeRole:
    Description:
      en: The RAM role to be assumed by OOS.
       
    Type: String
    Default: OOSServiceRole
RamRole: '{{ OOSAssumeRole }}'
Tasks:
  - Name: getSourceInstance
    Description:
      en: Get an instance that needs to be logged in without password.
       
    Action: 'ACS::SelectTargets'
    Properties:
      ResourceType: 'ALIYUN::ECS::Instance'
      RegionId: '{{ regionId }}'
      Filters:
        - '{{ sourceTarget }}'
    Outputs:
      instanceIds:
        Type: List
        ValueSelector: 'Instances.Instance[].InstanceId'
  - Name: getDestinationInstance
    Description:
      en: Views the ECS instances than to ssh without password.
       
    Action: 'ACS::SelectTargets'
    Properties:
      ResourceType: 'ALIYUN::ECS::Instance'
      RegionId: '{{ regionId }}'
      Filters:
        - '{{ destinationTarget }}'
    Outputs:
      instanceIds:
        Type: List
        ValueSelector: 'Instances.Instance[].InstanceId'
  - Name: generateOrGetPublicKey
    Action: 'ACS::ECS::RunCommand'
    Description:
      en: Generate or get a public key.
       
    Properties:
      regionId: '{{ regionId }}'
      commandContent: |-
        #!/bin/bash
        username="{{ username }}"

        if [ $username == root ]; then
            if [ ! -e "/root/.ssh/id_rsa.pub" ]; then
              ssh-keygen -f "/root/.ssh/id_rsa" -P "" >> /dev/null
            fi
            cat /root/.ssh/id_rsa.pub
        else
            if [ ! -e "/home/$username/.ssh/id_rsa.pub" ]; then
                su $username -l -c "ssh-keygen -f /home/$username/.ssh/id_rsa -P '' >> /dev/null"
            fi
            chmod 700 /home/$username/.ssh
            cat /home/$username/.ssh/id_rsa.pub
        fi
      instanceId: '{{ ACS::TaskLoopItem }}'
      commandType: RunShellScript
    Loop:
      RateControl: '{{ rateControl }}'
      Items: '{{ getSourceInstance.instanceIds }}'
      Outputs:
        publicKeys:
          AggregateType: 'Fn::ListJoin'
          AggregateField: publicKey
    Outputs:
      publicKey:
        Type: String
        ValueSelector: invocationOutput
  - Name: converPublicKeyToStr
    Action: 'ACS::ECS::SMCConversionConstantByJqScript'
    Description:
      en: Convert public key to string.
       
    Properties:
      parameter:
        'Fn::Jq':
          - First
          - 'join(",")'
          - '{{ generateOrGetPublicKey.publicKeys }}'
      jqScript:
        - '.[0] | .'
        - '.[0] | .'
    Outputs:
      publicKey:
        Type: String
        ValueSelector: 'firstValue | split(",") | join("\n")'
  - Name: authorizedInstances
    Action: 'ACS::ECS::RunCommand'
    Description:
      en: Enable password-free login for users in the instance.
       
    Properties:
      regionId: '{{ regionId }}'
      commandContent: |-
        #!/bin/bash
        username="{{ username }}"
        publicKey="{{ converPublicKeyToStr.publicKey }}"
        if [ $username == root ]; then
            if [ ! -e "/root/.ssh/id_rsa.pub" ]; then
                ssh-keygen -f "/root/.ssh/id_rsa" -P "" >> /dev/null
            fi
            cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
        else
            if [ ! -e "/home/$username/.ssh/id_rsa.pub" ]; then
                su $username -l -c "ssh-keygen -f /home/$username/.ssh/id_rsa -P '' >> /dev/null"
            fi
            chmod 700 /home/$username/.ssh
            cat /home/$username/.ssh/id_rsa.pub >> /home/$username/.ssh/authorized_keys
        fi
        if [ $username == root ]; then
        cat >> /root/.ssh/authorized_keys << eof
        $publicKey
        eof
        else
        cat >> /home/$username/.ssh/authorized_keys << eof
        $publicKey
        eof
        fi
      instanceId: '{{ ACS::TaskLoopItem }}'
      commandType: RunShellScript
    Loop:
      RateControl: '{{ rateControl }}'
      Items: '{{ getDestinationInstance.instanceIds }}'
      Outputs:
        commandOutputs:
          AggregateType: 'Fn::ListJoin'
          AggregateField: commandOutput
    Outputs:
      commandOutput:
        Type: String
        ValueSelector: invocationOutput
Outputs:
  commandOutputs:
    Type: List
    Value: '{{ generateOrGetPublicKey.publicKeys }}'