I have written a public domain remote control tool called rctl.py that runs remote commands on one or more hosts to automate all sorts of different administration tasks. It consists of a single Python script that requires no configuration and no client-side daemons (sometimes called minions), so no tool-based client-side installation is needed. That makes it much simpler to set up and use than tools such as Puppet, Chef or Salt. Of course it is not as powerful as those tools, but it has met my modest needs for small networks (<100 hosts). I hope that you find it as useful as I have.
Installation is simple. You simply download the file and run it. The host that you run it on must have Python 2.7 or later installed with the paramiko package. If you have an earlier version of Python it will still work, but you will need to install packages like argparse. The clients must have SSH installed.
The file checksum is 15069. Please verify it for security purposes by running the sum tool, as shown here, to make sure that you have an unmodified version.
    $ wget http://projects.joelinoff.com/rctl/rctl.py
    $ sum rctl.py
    15069 23 rctl.py
    $ chmod 0755 rctl.py
It is relatively secure because it is so simple. It uses SSH for host communications. There is no logging code that captures passwords, there are no special ports required (other than SSH), and you can easily inspect the source code because it is written in Python.
To use it you simply specify the login information, the commands and the hosts like this:
    $ rctl.py -u root -H host1,host2 -c 'echo -n `hostname`; uptime'
    Password:
As you can see, you will be prompted for the password. You can avoid that by specifying the password on the command line using the -p option or you can specify a reference to a password file on the command line using the -f option.
Specifying the password on the command line is a security risk. It should only be done inside of a secure shell script or batch file so that the password does not show up in the command history. On Linux a secure shell script would have 0700 permissions (chmod 0700), as shown in the use case below.
    $ # Never use the -p switch on the command line, always use
    $ # it in a secure batch file (chmod 0700 file).
    $ ls -l dostuff.sh
    -rwx------ 1 dude staff 0 Dec 30 09:08 dostuff.sh*
    $ cat dostuff.sh
    #!/bin/bash
    # Run remote control commands.
    rctl.py -u dude -p 'secret' -H host1,host2 -c 'echo -n `hostname`; uptime'
Use a secure password file if you want to avoid the password prompt from the command line. That will guarantee that the password will never appear in the command history. This use case is shown below.
    $ # Use the -f switch to specify the password file on the
    $ # command line.
    $ ls -l data.key
    -rw------- 1 dude staff 0 Dec 30 09:12 data.key
    $ cat data.key
    secret
    $ rctl.py -u dude -f data.key -H host1,host2 \
        -c 'echo -n `hostname`; uptime'
To handle the case where each remote host requires a different password, invoke rctl.py for each host separately in a secure command file like this:
    $ # Hosts have different passwords.
    $ ls -l doit.sh
    -rwx------ 1 dude staff 0 Dec 30 09:15 doit.sh
    $ cat doit.sh
    #!/bin/bash
    # Array elements are separated by spaces, not commas.
    hosts=(host1 host2 host3 host4)
    for host in "${hosts[@]}" ; do
        rctl.py -u root -f "$host.key" -H "$host" -c 'echo -n `hostname`; uptime'
    done
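The per-host password-file loop above, extended as an added example (not part of rctl.py or the original post): before calling rctl.py with -f, it refuses any <host>.key that is missing, is a symlink, or is accessible to group or other, so a loosened file mode is caught before the password is used. The function names and the RCTL variable are assumptions made for this example.

```shell
#!/bin/bash
# Added example: only hand rctl.py a password file that other users cannot read.
# RCTL is a hypothetical override so the wrapper can be pointed at a stub.
RCTL="${RCTL:-rctl.py}"

# Succeeds only if $1 is a regular file (not a symlink) whose mode grants
# nothing to group or other, e.g. -rw------- or -r--------.
keyfile_is_private() {
    local f="$1" mode
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # Columns 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld -- "$f" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Run one command on each host using <host>.key as its password file.
# Hosts with an unsafe key file are skipped and make the function return 1.
# Usage: run_on_hosts USER 'COMMAND' host1 host2 ...
run_on_hosts() {
    local user="$1" cmd="$2" host rc=0
    shift 2
    for host in "$@"; do
        if ! keyfile_is_private "$host.key"; then
            echo "skip $host: $host.key missing, a symlink, or open to group/other" >&2
            rc=1
            continue
        fi
        "$RCTL" -u "$user" -f "$host.key" -H "$host" -c "$cmd" || rc=1
    done
    return "$rc"
}
```

Call it as run_on_hosts root 'echo -n `hostname`; uptime' host1 host2 from the directory that holds the key files.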
Multiple commands can be specified either by specifying the -c option multiple times or by separating the commands with ‘;’ or ‘&&’ in a single command. Both options are shown below.
    $ # Multiple commands with one -c arg.
    $ rctl.py -u dude -f data.key -H host,host2 -c 'echo -n `hostname`; uptime'

    $ # Multiple commands with multiple -c args.
    $ rctl.py -u dude -f data.key -H host,host2 \
        -c 'echo host: `hostname`' \
        -c 'echo -n uptime: `uptime`'
You can use the -v switch to print a header for each command run on each host.
This tool is protected by the MIT license shown at the top of the source code. It can be freely used in public and commercial tools but please make sure that you include the copyright notice or a reference to this site. I would also appreciate it if you provide enhancements and bug fixes to me for the public domain but that is not required.
Enjoy!
Hi Joe,
I just saw your blog for the first time and I really liked it. Thank you so much for this contribution! It made my life so much easier.