[Server-devel] Parallel Distributed Shell (pdsh)

Anna aschoolf at gmail.com
Fri Dec 14 02:50:11 EST 2012


During the XSCE (XS Community Edition) meeting tonight, someone brought up
that Puppet for individual XOs would really be too much fuss, so is there
something simpler and easier?  I remembered that back in 2008, I had looked
into Distributed Shell:  http://wiki.laptop.org/go/Dsh

Dsh is deprecated, but now there's something that seems a little more
sophisticated.  Parallel Distributed Shell (pdsh) is mostly like dsh, but
now you can define groups, among other options.  Very useful if you want to
push different content to different grade levels or if the environment
contains a mixture of XO flavors.

I have no idea how pdsh scales, just throwing this out as an idea.  Client
XOs don't need much setup, just add a key to authorized_keys and enable ssh.

What follows are very rudimentary instructions if you are curious and keen
to hack around with this.

On the "Supervisor" machine:

Yum install this stuff on non-ARM Fedora machines:
    pdsh
    pdsh-mod-dshgroup
    openssh-askpass

You have to compile it on the XO-1.75, as it's not in the repos, and you
might need, in addition to the usual dev tools:
    libtool-ltdl-devel
    mingw32-libltdl (not sure on this one?)

Compiling it on the XO-1.75 tonight was very, very ugly and I don't think
it came out quite right, though eventually it did work.

There can be multiple Supervisor machines, just add their id_rsa.pub to the
XO's authorized_keys file.  Remember, this is all basically just ssh.

I know this is a no-no in "grownup security world," but for testing, put
this at the bottom of /etc/ssh/ssh_config and then restart ssh:

Host *
    StrictHostKeyChecking no

Generate keys on the Supervisor machine:

ssh-keygen

Fix permissions on Supervisor machine:

chmod 700 /home/olpc/.ssh
chmod 600 /home/olpc/.ssh/id_rsa

Set up your groups as the olpc user in /home/olpc/.dsh/group:
A flat text file with the IPs of your target XOs, one per line.  For
example, in my testing tonight, I have a couple of XO-1's in the xo1 group
and a brand new XO4 (So cool, thanks Adam!) in the xo4 group.  So in my
/home/olpc/.dsh/groups dir, I have two text files:  xo1 and xo4.

On the target XOs:

mkdir /home/olpc/.ssh

Put the Supervisor machine's /home/olpc/.ssh/id_rsa.pub into the target XO's
/home/olpc/.ssh/authorized_keys
cat id_rsa.pub >> /home/olpc/.ssh/authorized_keys

Permissions!

chmod 700 /home/olpc/.ssh
chmod 644 /home/olpc/.ssh/authorized_keys

Start ssh

sudo systemctl start sshd.service

Enable ssh on boot

sudo systemctl enable sshd.service

Here's a quick and dirty script I set up on my XS that makes the XO setup a
matter of seconds.  Just wget and then run, super simple.

---------------start my half a**sed script------------------------------

#!/bin/bash

# Create the .ssh directory (-p: no error if it already exists).
mkdir -p /home/olpc/.ssh

# Insert the Supervisor machine's id_rsa.pub inside the quotation marks.
# Make sure it's a single line.
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVail7ZD10xxowC3QlIAHPpUdIgo9JlaFboa2vGyjw1sGO2Pk5GhscA26wEGZkA6r2iH+ShiA5GB0+0yFsQwGgY3uU/BvdLNAJ03uIhQGRa9JW9cogFqM1PYR2Sd7Qm1LS/oQxWl0d7IDPJfziremMj4Zi5bcB9d9sxu5daFz1vjsbTTSnhX4xghIZMo3zGMqTWlvBsOHKDPfo3Y4G7pkJXNQ9mlMR61Et4owaXCDQtS/ACfuWuWPpfaOXDweRqQPRX0pmW3PRpjs48wySMYEk5PdSVGHFWIQItK5piAhquD01DXqnquIaF8d0QLTU+aRropX5nfGDyNPqtoMFBTGZ olpc@localhost" >> /home/olpc/.ssh/authorized_keys

# With StrictModes (the default), sshd ignores authorized_keys if the
# directory or the file is group- or world-writable.
chmod 700 /home/olpc/.ssh
chmod 644 /home/olpc/.ssh/authorized_keys

# Start sshd now and enable it on boot.
su -c 'systemctl start sshd.service'
su -c 'systemctl enable sshd.service'

---------------------end script-------------------------------------------------------

From the supervisor machine, you can test:

pdsh -g xo1 -g xo4 'aplay /usr/share/sounds/alsa/Noise.wav'

Did you hear something?  Then it worked!

When I compiled pdsh on the XO 1.75, I don't think it turned out quite
right.  I had to put the full pathname to the groups:

pdsh -g /home/olpc/.dsh/groups/xo1 -g /home/olpc/.dsh/groups/xo4 'aplay /usr/share/sounds/alsa/Noise.wav'

It did work with my testing, don't misunderstand, and I should be happy
that the workaround was simply that I had to enter the full pathname.
Considering compiling stuff on the XO 1.75 sometimes ends in total
disappointment, and I was just fiddling with it for a couple hours tonight,
this turned out well considering.

What is also neato, you can download and run scripts from the XS or any web
server.  I just did a simple test with scripting the above aplay command.
The -N flag on wget ensures that script.sh gets overwritten if it's been
changed on the XS.

pdsh -g xo1 'wget -N http://schoolserver/olpc/script.sh && sh script.sh'

We're accustomed to running scripts with "su -c 'yum install something'"
but that doesn't work.  You can't do anything sudo via this.  Though you
probably could edit sshd_config on the XO clients, add authorized_keys to
/root/.ssh and do up direct root pdsh.

Another thing, supposedly pdcp is like a bulk scp (imagine a teacher
pdcp'ing a syllabus to all her students' XOs, for example), but I haven't
managed to get it to work yet.


Relevant links:
http://code.google.com/p/pdsh/
http://jaclindley.com/2009/04/20/system-administration-pdsh/
http://linux.die.net/man/1/pdsh
http://linux.die.net/man/1/pdcp


Anna Schoolfield
Birmingham
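
An added example, not part of the original post: a variant of the XO-side key install that refuses a public key line that was wrapped or truncated in transit and does not append a duplicate entry when the script is run again. The function name, the optional home-directory argument and the sample key are assumptions made for illustration, and it sets authorized_keys to mode 600 rather than the post's 644.

```shell
#!/bin/sh
# Added example (not from the original post): validated, idempotent key install.
# Usage: install_supervisor_key '<one-line public key>' [home-dir]
install_supervisor_key() {
    local key="$1" home="${2:-/home/olpc}"
    local dir="$home/.ssh" file="$home/.ssh/authorized_keys" blob

    # A key wrapped by mail or copy/paste arrives as several lines; refuse it.
    if [ "$(printf '%s\n' "$key" | grep -c '')" -ne 1 ]; then
        echo "refusing key: not a single line" >&2
        return 1
    fi
    # Expect "<type> <base64> [comment]".
    if ! printf '%s\n' "$key" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$'; then
        echo "refusing key: not in '<type> <base64> [comment]' form" >&2
        return 1
    fi

    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$file" && chmod 600 "$file" || return 1

    # Match on the key material so a re-run (or a changed comment) adds nothing.
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    if grep -qF -- "$blob" "$file"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$file"
}

# Demo in a scratch directory with a constructed (not real) key.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedSAMPLEkey supervisor@example'
demo_home=$(mktemp -d)
install_supervisor_key "$SAMPLE_KEY" "$demo_home"
install_supervisor_key "$SAMPLE_KEY" "$demo_home"   # second run is a no-op
echo "entries: $(grep -c '' "$demo_home/.ssh/authorized_keys")"
rm -rf "$demo_home"
```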
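
An added example, not part of the original post: the wget-then-sh step above runs whatever arrives over plain HTTP, so this sketch pins the script's SHA-256 on the Supervisor and sends the digest inside the pdsh command, which travels over ssh. The function names are assumptions for illustration; sha256sum is assumed to be present on the XOs.

```shell
#!/bin/sh
# Added example (not from the original post): pin the script's SHA-256 on the
# Supervisor so each XO runs script.sh only if it matches the trusted copy.

# check_pin <file> <sha256>: what each XO runs between the wget and the sh.
check_pin() {
    [ -f "$1" ] || return 2
    echo "$2  $1" | sha256sum -c - >/dev/null 2>&1
}

# build_pdsh_command <group> <url> <trusted-local-copy>
# Prints the pdsh command line with the digest of the trusted copy baked in.
build_pdsh_command() {
    local group="$1" url="$2" trusted="$3" name pin
    [ -f "$trusted" ] || { echo "no trusted copy: $trusted" >&2; return 1; }
    name=${url##*/}
    pin=$(sha256sum "$trusted" | awk '{print $1}')
    printf "pdsh -g %s 'wget -N %s && echo \"%s  %s\" | sha256sum -c - && sh %s'\n" \
        "$group" "$url" "$pin" "$name" "$name"
}

# Demo with a constructed script; the group and URL are the ones in the post.
demo=$(mktemp -d)
printf 'aplay /usr/share/sounds/alsa/Noise.wav\n' > "$demo/script.sh"
build_pdsh_command xo1 http://schoolserver/olpc/script.sh "$demo/script.sh"
rm -rf "$demo"
```

If the copy on the web server is changed without regenerating the command, the sha256sum check fails on each XO and the script is not run.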