Action Script

Turbonomic uses remote servers to execute Action Script orchestration. Managing the processes remotely means that you do not install custom code on the Turbonomic server. This eliminates associated security risks at that point. However, you are responsible for maintaining the security of your Action Script Server and for ensuring the integrity of your custom code.

Resource requirements for the server

The remote server can be a VM or a container. The capacity you configure for the server depends entirely on the processes you intend to run on it. Turbonomic does not impose any special resource requirements on the server.

Configuring command execution

To support execution of your scripts, you must install any software that is necessary to run the scripts, including libraries, language processors, or other processes that your scripts will call.

Turbonomic calls the scripts as commands on the server. The server must run an SSH service that you have configured to support command execution and SFTP operations. Currently, IBM has tested action scripts with the OpenSSH sshd daemon.

The standard port for SSH is 22. You can configure a different port, and provide that port to the admins who configure the server as an Action Script target.

Note:

An action script can invoke any process you deployed on the remote server. You do not have to run scripts; however, you must be able to invoke the processes from the command line. The script manifest gives Turbonomic the details it needs to build the command line invocation of each script.

Configuring the action script user account

To run the scripts on your server, Turbonomic logs on using a user account that is authorized to run the scripts from the command line. You provide the user credentials when you configure the Action Script target. To support this interaction, the user account must meet the following requirements:

  • Public Key

    The user must have an RSA public key in the .ssh/authorized_keys file. When you configure the Action Script target, you provide the corresponding private key as the Private Token for the target.

    Note:

    For the Action Script target to validate, the permissions on the authorized_keys file must be set to 600.

  • Security for the .ssh Directory

    The Action Script User should be the only user with authorized access. Set the permissions on the .ssh directory to 700.

  • Supported Shells

    The Action Script User shell can be either the Bourne shell (usually at /bin/sh) or the Bourne-Again shell (usually at /bin/bash). Turbonomic passes parameters as it invokes your scripts. At this time it only supports script execution through these shells.

Action script manifest

The Action Script Manifest is a file that declares an array of Script Objects for each script you want to expose to Turbonomic. You can create the manifest as either a JSON or a YAML file. You can save the Manifest file to any location on your server, so long as the Scripts User has access to that location, and has read and execute privileges. The location of the manifest is provided as part of the Action Script target configuration.

After Turbonomic validates the target, it then discovers these scripts and presents them in the Orchestration Policy user interface.

For details, see Deploying the Action Script Manifest.

Handling action script timeouts

Turbonomic limits script execution to 30 minutes. If a script exceeds this limit, Turbonomic sends a SIGTERM to stop the execution of the process.

Note that Turbonomic does not make any other attempt to end a process. For example, you might implement the script so it traps the SIGTERM and continues to run. The process should end at the soonest safe opportunity. However, if the process does not end, then you must implement some way to stop it outside of Turbonomic. A runaway process continues to use its execution thread, which can block other processes (action scripts or primary processes) if there are no more threads in the pool.
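As an added example (not from the original documentation), the function below shows one way to structure an action script so that the SIGTERM sent at the timeout is recorded and the script exits at the next safe point instead of continuing to run. The work loop, the step count and the state file are assumptions standing in for your own logic.

```shell
#!/bin/sh
# Added example: an action script body that ends promptly on SIGTERM.

# run_action STATE_FILE STEPS
# Runs STEPS bounded units of work. Returns 0 on completion, or 143
# (128 + SIGTERM) if it was asked to stop.
run_action() {
    state_file=$1
    steps=$2
    terminated=0
    # Only record the signal here; the loop decides when it is safe to stop.
    trap 'terminated=1' TERM

    i=0
    while [ "$i" -lt "$steps" ]; do
        # One unit of work (placeholder). It runs in the background and is
        # waited on, so a trapped signal interrupts the wait immediately.
        sleep 1 &
        pid=$!
        wait "$pid" || true

        if [ "$terminated" -eq 1 ]; then
            kill "$pid" 2>/dev/null || true      # stop the unit in flight
            echo "interrupted after $i completed steps" > "$state_file"
            trap - TERM
            return 143
        fi
        i=$((i + 1))
    done

    echo "completed $steps steps" > "$state_file"
    trap - TERM
    return 0
}
```

Keeping each unit of work short bounds how long the process can outlive the SIGTERM, which matters because Turbonomic makes no further attempt to end it.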

Adding Action Script targets

Note:

This topic describes features that are available in the new design of the user interface. This new design is enabled by default. If you switched to the legacy design, click the New Feature Toggle button in the navigation bar of the user interface and then turn on the toggle to re-enable the new design. For more information, see New Design for the User Interface.

The Action Script target can be added through the UI or the API. For details on adding the target using the API, see Adding Action Script Targets using the API.

  1. Click Settings > Target Configuration.

  2. On the Target configuration page, click Add Target.

  3. On the Select target page, click Action Script.

  4. In the side panel, review the connection requirements and then click Connect Target.

  5. Configure the following settings:

    • Action Script server address

      Specify the IP address or FQDN of the script execution server.

    • Script path

      Specify the path on the script execution server to the Action Script manifest file.

    • SSH port

      Specify the port for the SSH connection. By default, the port is 22.

    • SSH user ID

      Specify the username for SSH access into the server.

    • SSH private token

      Specify the private key for the user that has the public key set up in the .ssh/authorized_keys file on the remote server.

    • Public host key

      Specify the public key that is presented by the SSH server for host authentication.

      If this value is not provided, the presented key is accepted into the target definition for future operations.