Versions Compared

Old Version 4

changes.mady.by.user Pinnapureddy Dileep

Saved on

compared with

New Version Current

changes.mady.by.user Karl Henselin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel1
maxLevel7

...

Info

See Endpoint Defaults to setup default values for new Endpoints to save time.

...

Field Name

Required

Description

Endpoint Name

Yes

The name of the Endpoint.

Description

No

An optional description for the Endpoint.

Active

Yes

Whether or not the endpoint is active in the system. Defaults to "Yes".

Connection Type

Yes

The connection type used for connection to the Endpoint.

Supports:

  • localhost

Unix -

  • SSH

WIndows - SSH     Supported

    • When using Windows, this is supported on Windows Server 2019+ where native OpenSSH is available.

Windows -

  • SSH (Cygwin)

     See
Endpoint

  • HTTPS

Operating System

Yes

Unix or Windows

Address

Yes

The DNS name or IP address of the Endpoint.

Port

Yes

The SSH port of the Endpoint (typically port 22).

Base Directory

Yes

A working directory on the Endpoint used by FlexDeploy. ~ is not supported here. See Permissions information below for details on how to create this folder automatically (Recommended).

For example, /app/flexdeploy.

If you have two FlexDeploy installations that may connect to same Endpoint, you must use unique folders for both FlexDeploy Servers. In most cases, separate FlexDeploy is installed to perform testing of FlexDeploy patches, which may connect to same Endpoint, in which case you can use different folder like /app/flexdeploytest and /app/flexdeploy.

Working directory under /var/tmp or /tmp folder is not recommended as administrators generally have cron jobs to purge files based on age and that will cause issues when plugin files are deleted. For example, Error: Could not find or load main class flexagon.fd.core.plugin.ExternalPluginServer will be encountered when plugin lib files are deleted.

Permissions

  • Base directory must be owned by

User Name

  • Username or Run

As

  • as (if using

sudo

  • privilege escalation) and it's group.

  • Ideal option is to point base directory where

User Name

  • Username or Run

As

  • as (if using

sudo

  • privilege escalation) has access to create sub-folder. In such case, FlexDeploy will automatically create folder with necessary permissions.

  • Permissions required are 755. Keep in mind that FlexDeploy may temporarily change permissions specifically when using Run

As

  • as option.

  • When using Run

As

  • as, Base Directory is owned by Run

As

  • as and there is subfolder name scratch which is owned by

User Name

  • Username. The scratch directory is used to stage files transferred by

User Name

  • Username, and then copied to other directories for use by the Run

As

  • as User. It’s not important to understand this detail, and is only provided since you may notice ownership differences on the scratch directory.

JDK Home

Yes

The JDK Home directory on the Endpoint. For example, /usr. FlexDeploy will look for /bin/java under specified JDK Home folder. Not required if the Endpoint is a Docker Host.

Source Script 

No

An optional script executed right before plugins are executed on the endpoint. Script can source some other environment script as well. Script should be Unix shell or Windows bat commands depending on type of Endpoint. If using Windows Cygwin SSH then script should be written as Unix shell.

Some usages of this script include sourcing an environment file (. $HOME/mfile.env)  or exporting a variable (export FLEXAGON_FD_PLUGIN_JAVA_ARGS="-Xmx1024m -Djava.io.tmpdir=/var/tmp"). Variables exported here will become available to plugin executions on this endpoint.

Transfer Protocol

Yes

Protocol/Tool to use to transfer files from FlexDeploy host to endpoint and vice-versa.

Options available are:

  • SCP (default)

  • rsync

To use the rsync option, FlexDeploy should be running on a UNIX machine, the endpoint can be UNIX or Windows (Cygwin) and rsync needs to be installed on BOTH, FlexDeploy host and endpoint and expect needs to be installed on the FlexDeploy host.

Authentication Type

Yes

Mechanism to use for authentication.  The Password, Private Key File, and Passphrase are displayed based on selected type.

Supports:

  • Username and Password

  • Username and SSH Key

  • Username and SSH Key with Passphrase

User Name

Yes

The user account on the Endpoint to connect with. All executions via this endpoint will run as this user.

Password

No

The password for the User Name. Either password or Private Key File is required.

Private Key File

No

Fully-qualified path of the SSH private key file on FlexDeploy server. Either Private Key File or Password is required. ~ is not supported here.

Passphrase

No

An optional passphrase used when the private key was generated. Only valid if a Private Key File is specified.

Run As (sudo

Often a JRE will suffice, unless you are compiling java code with it.

As of 7.0.0.7, this can contain $ and ~. Any variables referenced must be setup by the .bashrc file. The endpoint source script will not have been executed prior to setting the Java Home variables.

Source Script 

No

An optional script executed right before plugins are executed on the endpoint. Script can source some other environment script as well. Script should be Unix shell or Windows bat commands depending on type of Endpoint. If using Windows Cygwin SSH then script should be written as Unix shell.

Some usages of this script include sourcing an environment file (. $HOME/mfile.env)  or exporting a variable (export FLEXAGON_FD_PLUGIN_JAVA_ARGS="-Xmx1024m -Djava.io.tmpdir=/var/tmp"). Variables exported here will become available to plugin executions on this endpoint.

Max Concurrent Executions

No

Sets a limit on the number of concurrent executions on this endpoint. If not specified, the default of 5 will be used.

Transfer Protocol

Yes

Protocol/Tool to use to transfer files from FlexDeploy host to endpoint and vice-versa.

Options available are:

  • SCP (default)

  • rsync

To use the rsync option, FlexDeploy should be running on a UNIX machine, the endpoint can be UNIX or Windows (Cygwin) and rsync needs to be installed on BOTH, FlexDeploy host and endpoint and expect needs to be installed on the FlexDeploy host.

Authentication Type

Yes

Mechanism to use for authentication.  The Password, Private Key File, and Passphrase are displayed based on selected type.

Supports:

  • Username and Password

  • Username and SSH Key

  • Username and SSH Key with Passphrase

Username

Yes

The user account on the Endpoint to connect with. All executions via this endpoint will run as this user.

Password

No

The password for the Username. Either password or Private Key File is required.

Private Key File

No

Fully-qualified path of the SSH private key file on FlexDeploy server. Either Private Key File or Password is required. ~ is not supported here.

Passphrase

No

An optional passphrase used when the private key was generated. Only valid if a Private Key File is specified.

Privilege Escalation Type

No

An optional type of privilege escalation to use after establishing connection to the endpoint.

Supports:

  • sudo

  • pbrun

  • other

Privilege Escalation Syntax

No

An optional syntax which wraps all commands to be executed on the endpoint. You can use property replacement syntax i.e. $${{RUN_AS_USER_NAME}}, with this input and the variable will be replaced with the appropriate value at runtime. The following variables are available:

  • ${{USER_NAME}} - Username value on this endpoint

  • ${{RUN_AS_USER_NAME}} - Run as (user) value on this endpoint

  • ${{COMMAND}} - The command to be executed on this endpoint

  • ${{ENDPOINT_ADDRESS}} - Endpoint Address value on this endpoint

Important notes:

  • Privilege Escalation Syntax must contain ${{COMMAND}} at a minimum.

  • When Privilege Escalation Type is changed the Privilege Escalation Syntax will default to sudo -u ${{RUN_AS_USER_NAME}} bash -c '${{COMMAND}}'" for sudo type and pbrun -f ${{ENDPOINT_ADDRESS}} -u ${{RUN_AS_USER_NAME}} bash -c '${{COMMAND}}'" for pbrun type. The other type has no default value. Use other to define a custom privilege escalation.

  • To remove privilege escalation, first clear Run as (User) then clear Privilege Escalation Type. Host option (--host/-h) is not supported with any value except ${{ENDPOINT_ADDRESS}}

Run as (user)

No

An optional user to run as

(using sudo)

after establishing connection to the endpoint when working with Unix OS. For example, flexdeploy

See below for necessary setup information for type of Privilege Escalation Type:

sudo:

  • Add sudoers rule, such that

User Name

  • Username can sudo to Run

As

  • as (user) without prompting for a password.

  • something like initialLoginUser ALL=(RunAsUser) NOPASSWD: ALL

    • For example: flexdeploy ALL=(oracle) NOPASSWD: ALL

  • Test by executing the following from FlexDeploy server terminal, connected as

User Name

  • Username:

 “sudo

  •  “sudo -u

<run as user>

  • <Run as (user)> bash -c

whoami”

  • whoami.  Output should be the name of the Run

As

  • as (user) without prompting for a password.

  • After

completing endpoint configuration, click “Test Connection” on the Endpoint.

If there is a need to adjust sudo commands, then it can be done by setting up a description value like shown below. Please consult with Flexagon support if you have questions on this topic.

Code Block
sudoPrefix:sudo su - 
sudoSuffix:bash -c
Note that there is space at the end of each line. Both prefix and suffix should be on it's own line in Description input. In this example, FlexDeploy will run sudo as per this example command: “sudo su - <run as user> bash -c whoami

  • completing endpoint configuration, click “Test Connection” on the Endpoint.

pbrun:

  • IP address or hostname with domain is required for the Address of your endpoint, as this is used for the host argument in the pbrun command. runhost and submithost will always be the endpoint’s Address

  • The Username on the endpoint becomes the user in pbrun and Run as (user) becomes the requestuser in pbrun. Policies should be configured accordingly.

Optionally, click the Test Connection button to validate that the FlexDeploy server can connect to the configured Endpoint.

...

To inactivate an endpoint click the Active link on the desired Endpoint, and it will toggle to Inactive. This will hide that Endpoint after leaving the screen, until the Active checkbox is unchecked. To reactivate an Endpoint, click the Inactive link and it will toggle back to Active. This endpoint is now active in the system again and ready for use.

SSH Authentication

FlexDeploy utilizes SSH to connect to its configured Endpoints .  SSH uses public-key cryptography to authenticate the remote computer and allow it to authenticate the user. FlexDeploy supports Creating an SSH Endpoint using Password Authentication or using SSH Keysusing Password authentication or SSH public-private keys.

FlexDeploy also supports using sudo userprivilege escalation with sudo or pbrun for UNIX. See Privilege Escalation and Run As as (sudouser) details above.

Supported Algorithms for SSH

Info

Flexagon focuses its testing with RSA keys for SSH, since their use is more prevalent by our customers. We therefore recommend using RSA.

Include Page
FD60:Supported Algorithms for SSHFD60:
Supported Algorithms for SSH

Password Authentication
Anchor
PasswordAuth
PasswordAuth

The first mechanism is to use automatically generated public-private key pairs to simply encrypt a network connection, and then use password authentication to log on.  In this case you must provide a User NameUsername and Password to connect to the endpoint. perform authentication.

Unix Example

Windows Example

Image RemovedImage Removed

Image RemovedImage Removed

Image AddedImage Added

Image AddedImage Added

Info

MacOS

MacOS endpoints are supported using Unix Connection Type.

Public-Private Key Authentication
Anchor
ppk
ppk

The second technique is to use a manually generated In this case you must use public-private key pair to perform the authentication, allowing the FlexDeploy server to connect to endpoints without having to specify a password.  In this scenario, a public and private key pair are generated on the FlexDeploy server.  The to perform the authentication (password in not required in this case).  The private key is kept secretly on the FlexDeploy server by setting the permissions such that only the owner FlexDeploy server can read it (the userid which the FlexDeploy server is running as).  The public key is copied to all endpoint computers which must allow access to the owner (user running FlexDeploy server) of the matching private key. The public key is copied to endpoint. While authentication is based on the private key, the key itself is never transferred through the network during authentication.  SSH verifies whether the same person offering the public key also owns the matching private key.  In this case you You must provide the User Name, the path to the Private Key File on the server, Username on Endpoint where public key was copied, and an optional Passphrase (an optional password assigned to the private key when it was generatedat generation time).

...

Creating a Public-Private Key Pair

If you do not already have SSH keys generated for the host where FlexDeploy is installed, login (or switch user) as the user which FlexDeploy runs as, and run the following OpenSSH command.

...

It is typical to use the default file name and location to store the private key (which is in the .ssh subfolder of the user's home directory). You can optionally secure the private key file with a passphrase. It is an SSH requirement that the private key be readable only by its owner (e.g. oracle in the example above). So you must change the permissions accordingly (e.g. chmod 600 /home/oracle/.ssh/id_rsa). You will receive an error at connection time similar to the following if you omit this step.

Permissions 0777 for '/home/oracle/.ssh/id_rsa' are too open.

It is recommended that your private key files are NOT accessible by others otherwise private key will be ignored.

Info

The /home/oracle/.ssh folder on the endpoint must have drw------- permissions. For example,

  • chmod -R 700 $HOME/.ssh

  • chmod 700 $HOME

Uploading the Public Key

We must now copy the contents of the public key to each endpoint host. This step can be performed manually or using FlexDeploy UI. To save time and avoid errors, use Upload Public Key button on FlexDeploy UI for specific Endpoint.

...

Sample contents of an authorized_keys file (containing two public keys):

authorized_keys sample
Code Block
ssh-rsa AAAAB3NzaC1yc2EANAADAQABAAABAQC9GvGjUyL1towJF5uxp3jqeFcwaBm0GhqXaPrhWH/iX1H1lalPmwR3N791lR7oTONl6TZShLX2sq64rGL+HYF+W1RxjZqydcWDEJsz2MD525NisTuXI2HjVMYablXobDtv5sc12iM8hdh6nJXAlTHQ1wA4izRX2via5nWWtZUqBTyicpR1odQb4pcoTjPOsEPrwS7/sU51kLqR+y1G5AM307VhLBLumS3gB/kj+pBoIZEk2LwwuMeaRhywe9N2+M+hO7c1TijseACmr0DHN9ZvZhoBBgl7xBUFqxxOrMktst7arpxEvQXz4aUh+58smWSA4iMHXvzMc/xSXUp9eIov comment1
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwnP9Sahi0y1rypBq8i7MbV8QR21g+nC4AIrnSsoyh7T4DyjeScJS6SWzBLSNrv7bX+Lm7pUqMEOKwR68kk8SLcNOStPsyBoZJNeiE6R11rXOufN4aebc3aT4JW/qcb1nQwGnP9ubfGVAMEf3rvU0OBt18CAvNux2Gr8t1kpubZQyXtK9mvjcYPUgvUEQIwL+kShgRMQiqw6FOyUuE22jIqxnr0avALH32fB7B4p7DsfEC3M1+Yb9PptaUQpSkk0OyU3bQh3gCNojqOVMNZ+IJREyhh9TnlHf3/FVED29aC6DxB3bEERymXRSVFlV2dedlXjeTjsVdqurgD4CHF382Q== comment2

...

Validate that the derived name and location of the public key is correct, and enter the password for the Endpoint connection user (if not already provided on the Endpoint definition). Click the Upload button to upload the public key to the Endpoint.

...

Special Note for Oracle Java Cloud Service

The SSH connectivity for the Java Cloud Service is no different than when running on-premise. However, by default you will not know the password for the oracle user. You have two options for configuring endpoints on Java Cloud Service instances.

...