-
Notifications
You must be signed in to change notification settings - Fork 2
Node OS SolarSSH
This guide describes how to manually add SolarSSH support to a Debian 8+ based SolarNode. This can be useful for updating older nodes that didn't have SolarSSH support already configured.
Follow the manual platform update guide to update to the latest node framework package. SolarSSH requires the 20170628 platform or newer.
All the scripts referred to in this guide are included in the platform, in the
bin directory.
The SolarNode System SSH Support plugin is required to support SolarSSH.
That can be installed like any other plugin: via the Plugin setup screen (in the
System plugin group) or by manually downloading the
net.solarnetwork.node.system.ssh-X.jar into ~solar/app/main.
The SolarNode SSH plugin relies on a helper script to manage the SSH
connections. By default it looks for this script at ~solar/bin/solarssh. Copy
the solarssh.sh helper script to /usr/share/solarnode. Create a symlink
~solar/bin/solarssh that points to that, e.g.
sudo cp solarssh.sh /usr/share/solarnode/
ln -s /usr/share/solarnode/solarssh.sh ~bin/solarssh
This helper script can be used to control the SSH sessions manually as well. For example the active sessions can be listed by running:
solarssh list
and by taking one line of output from that command, a session can be stopped like this:
solarssh -c session-key-here stop
Run solarssh -? for more options.
The solarssh.sh script uses a solarssh@.service systemd service unit to
manage the SSH connections to SolarSSH. Install this service unit in
/lib/systemd/system and then reload it, e.g.
sudo cp solarssh\@.service /lib/systemd/system/
sudo chmod 644 /lib/systemd/system/solarssh\@.service
systemctl daemon-reload
The solarssh.sh script relies on the solar user using sudo to manage
the systemd service. It must be configured to do this without asking for
a password. This can be accomplished by adding the following to the
/etc/sudoers.d/solarnode file:
/bin/systemctl start solarssh@*, \
/bin/systemctl stop solarssh@*
This file is already included in the standard SolarNode image, so it should look similar to this when complete:
solar ALL = (root) NOPASSWD: /bin/systemctl status systemd-networkd, \
/bin/systemctl restart systemd-networkd, \
/bin/systemctl restart solarnode, \
/sbin/reboot, \
/bin/systemctl start solarssh@*, \
/bin/systemctl stop solarssh@*
Abandoned SolarSSH sessions can be automatically discarded via a systemd timer and associated
service. Install the solarssh-cleaner.service and
solarssh-cleaner.timer units into /lib/systemd/system. Then enable the timer:
sudo cp solarssh-cleaner.service /lib/systemd/system/
sudo cp solarssh-cleaner.timer /lib/systemd/system/
sudo chmod 644 /lib/systemd/system/solarssh-cleaner.*
sudo systemctl daemon-reload
sudo systemctl enable solarssh-cleaner.timer
sudo systemctl start solarssh-cleaner.timer
The node must establish a record of trust with the SolarSSH server. This can be
done by adding the public key(s) of the SolarSSH server to the solar user's
~solar/.ssh/known_hosts file. An easy way to get those keys added to that file
is to simply ssh to the server, responding yes when asked if the server
should be trusted. For example if SolarSSH is running on ssh.solarnetwork.net
using port 8022 then you'd execute the following (as the solar user):
ssh -p 8022 ssh.solarnetwork.net
The authenticity of host '[ssh.solarnetwork.net]:8022 ([52.9.151.60]:8022)' can't be established.
ECDSA key fingerprint is d2:c0:6c:c3:4b:f3:38:24:2f:fe:ab:d8:03:49:ee:1f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[ssh.solarnetwork.net]:8022,[52.9.151.60]:8022' (ECDSA) to the list of known hosts.
Permission denied (keyboard-interactive,publickey).
The SolarNode will only execute SSH connection requests for hosts that are
configured in a whitelist. The whitelist can be configured by editing the
~solar/conf/services/net.solarnetwork.node.system.ssh.RemoteSshService.cfg file,
using a line like this:
allowedHostsValue = ssh.solarnetwork.net
Note that standard node images include this setting by default. The setting can also be changed in the SolarNode Settings screen, which will override any value configured in this file.
You may want to tune the SolarNode instruction handling settings to it can respond to the SolarSSH requests more quickly.
Under the SolarNet Upload Service Jobs heading is the Bulk Datum Uploader cron expression. This controls how quickly the node can receive any instructions from SolarNet, because nodes receive instructions only when they upload data. By default this is configured to run every 5 minutes. You can make it run more often, for example every minute, with a cron expression like this:
10 * * * * ?
By default the node will only contact the SolarNet server if it has collected some data that needs to be uploaded. If your node doesn't collect data at least as often as the Bulk Datum Uploader is configured to run, it could take a long time before the instruction to connect to SolarSSH can be received by the node. You can configure the node to always connect to SolarNet, even if it doesn't have any data to upload, for the purposes of receiving instructions in a timely manner. Under the SolarNet Upload Service heading, set the Always Upload setting to On.
Under the Reactor Jobs heading is the Instruction Acknowlegement Uploader cron expression. This controls how quickly the node can upload the instruction status after it completes it. By default this is configured to run once/minute. You can make it run more often, for example every 15 seconds, with a cron expression like this:
5/15 * * * * ?
You can test out everything using the SolarSSH Web Terminal. Just change the node ID in the URL to the node you want to connect to, and enter a User level security token that belongs to the SolarNet account that owns that node.