Action Script
Turbonomic uses remote servers to execute Action Script orchestration. Managing the processes remotely means that you do not install custom code on the Turbonomic server. This eliminates associated security risks at that point. However, you are responsible for maintaining the security of your Action Script Server and for ensuring the integrity of your custom code.
Resource requirements for the server
The remote server can be a VM or a container. The capacity you configure for the server depends entirely on the processes you intend to run on it. Turbonomic does not impose any special resource requirements on the server.
Configuring command execution
To support execution of your scripts, you must install any software that is necessary to run the scripts, including libraries, language processors, or other processes that your scripts will call.
Turbonomic calls the scripts as commands on the server. The server must run an SSH service that you have configured to support command execution and SFTP operations. Currently, IBM has tested action scripts with the OpenSSH sshd daemon.
The standard port for SSH is 22. You can configure a different port and provide it to the admins who configure the server as an Action Script target.
An action script can invoke any process you deployed on the remote server. You do not have to run scripts; however, you must be able to invoke the processes from the command line. The script manifest gives Turbonomic the details it needs to build the command line invocation of each script.
Configuring the action script user account
To run the scripts on your server, Turbonomic logs on using a user account that is authorized to run the scripts from the command line. You provide the user credentials when you configure the Action Script target. To support this interaction, the user account must meet the following requirements:
- Public Key
  The user must have an RSA public key in the .ssh/authorized_keys file. When you configure the Action Script target, you provide the matching private key as the Private Token for the target.
  Note: For the Action Script target to validate, the permissions on the authorized_keys file must be set to 600.
- Security for the .ssh Directory
  The Action Script User should be the only user with authorized access. Set file permissions to 700.
- Supported Shells
  The Action Script User shell can be either the Bourne shell (usually at /bin/sh) or the Bourne-Again shell (usually at /bin/bash). Turbonomic passes parameters as it invokes your scripts. At this time it only supports script execution through these shells.
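The account requirements above can be checked on the Action Script server before the target is added. The following is an added example, not Turbonomic code; the function names and the FAIL message format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the Action Script user's SSH setup against the
# requirements listed above. Function names and messages are hypothetical.

# Print the octal permission bits of a path (GNU stat first, then BSD stat).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_action_script_account HOME_DIR LOGIN_SHELL
# Prints one line per finding and returns the number of findings.
audit_action_script_account() {
    home=$1; shell=$2; findings=0
    ssh_dir="$home/.ssh"; keys="$ssh_dir/authorized_keys"

    if [ ! -d "$ssh_dir" ]; then
        echo "FAIL: $ssh_dir is missing"; findings=$((findings + 1))
    elif [ "$(perm_of "$ssh_dir")" != "700" ]; then
        echo "FAIL: $ssh_dir mode is $(perm_of "$ssh_dir"), expected 700"
        findings=$((findings + 1))
    fi

    if [ ! -f "$keys" ]; then
        echo "FAIL: $keys is missing"; findings=$((findings + 1))
    else
        if [ "$(perm_of "$keys")" != "600" ]; then
            echo "FAIL: $keys mode is $(perm_of "$keys"), expected 600"
            findings=$((findings + 1))
        fi
        # An RSA entry carries "ssh-rsa" as its key-type field (options may precede it).
        if ! grep -Eq '(^|[[:space:]])ssh-rsa[[:space:]]' "$keys"; then
            echo "FAIL: no ssh-rsa public key in $keys"
            findings=$((findings + 1))
        fi
    fi

    # Only sh and bash are supported; compare the basename because paths vary.
    case "${shell##*/}" in
        sh|bash) ;;
        *) echo "FAIL: login shell $shell is not sh or bash"
           findings=$((findings + 1)) ;;
    esac
    return "$findings"
}
```

Run it as the Action Script user, for example `audit_action_script_account "$HOME" "$SHELL"`; a return value of 0 means every check passed.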
Action script manifest
The Action Script Manifest is a file that declares an array of Script Objects for each script you want to expose to Turbonomic. You can create the manifest as either a JSON or a YAML file. You can save the Manifest file to any location on your server, so long as the Scripts User has access to that location, and has read and execute privileges. The location of the manifest is provided as part of the Action Script target configuration.
After Turbonomic validates the target, it then discovers these scripts and presents them in the Orchestration Policy user interface.
For details, see Deploying the Action Script Manifest.
Handling action script timeouts
Turbonomic limits script execution to 30 minutes. If a script exceeds this limit, Turbonomic sends a SIGTERM to stop the execution of the process.
Note that Turbonomic does not make any other attempt to end a process. For example, you might implement the script so it traps the SIGTERM and continues to run. The process should end at the soonest safe opportunity. However, if the process does not end, then you must implement some way to stop it outside of Turbonomic. A runaway process continues to use its execution thread, which can block other processes (action scripts or primary processes) if there are no more threads in the pool.
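One way to end "at the soonest safe opportunity" is to have the trap only record the SIGTERM and let the work loop stop between units of work. This is an added example, not Turbonomic code; the run_action function, the work-unit loop, and the status file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: an action script body that honours the SIGTERM sent at the
# 30-minute limit. run_action and the status/done files are hypothetical.

# run_action WORKDIR UNITS
# Processes UNITS short work units and stops cleanly between units on SIGTERM.
run_action() {
    workdir=$1; units=$2; stop_requested=0
    # Record the request only; the loop decides when it is safe to stop.
    trap 'stop_requested=1' TERM

    i=1
    while [ "$i" -le "$units" ]; do
        if [ "$stop_requested" -eq 1 ]; then
            # Safe point: no unit is half-finished here.
            echo "interrupted before unit $i" > "$workdir/status"
            trap - TERM
            return 143        # 128 + 15 (SIGTERM), the conventional exit code
        fi
        # One unit of work (placeholder), kept short so the flag is checked often.
        sleep 1
        echo "$i" >> "$workdir/done"
        i=$((i + 1))
    done

    echo "completed" > "$workdir/status"
    trap - TERM
    return 0
}
```

For the case where a script never exits, one option on the Action Script server is to start it under coreutils `timeout -k`, which follows its own SIGTERM with SIGKILL after a grace period.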
Adding Action Script targets
This topic describes features that are available in the new design of the user interface. This new design is enabled by default. If you switched to the legacy design, click in the navigation bar of the user interface and then turn on the toggle to re-enable the new design. For more information, see New Design for the User Interface.
The Action Script target can be added through the UI or the API. For details on adding the target using the API, see Adding Action Script Targets using the API.
- Click Settings > Target Configuration.
- On the Target configuration page, click Add Target.
- On the Select target page, click Action Script.
- In the side panel, review the connection requirements and then click Connect Target.
- Configure the following settings:
  - Action Script server address
    Specify the IP address or FQDN of the script execution server.
  - Script path
    Specify the path on the script execution server to the Action Script manifest file.
  - SSH port
    Specify the port for the SSH connection. By default, the port is 22.
  - SSH user ID
    Specify the username for SSH access into the server.
  - SSH private token
    Specify the private key for the user that has the public key set up in the .ssh/authorized_keys file on the remote server.
  - Public host key
    Specify the public key that is presented by the SSH server for host authentication.
    If this value is not provided, the presented key is accepted into the target definition for future operations.
-