Automation in the context of multifactor authentication/fr: Difference between revisions

{{Command|rsync -a datadir/a robot:scratch/testdata}}

= IPv4 vs IPv6 issue =

When connecting to the robot node the SSH client on your computer may choose to use the '''IPv6 addressing''' over the older '''IPv4'''.

This seems to be more probably in Windows environment.  

If this is the case you have to make sure that the IP address mask you put in the <code>restrict,from=</code> field of the key

matches the type your computer will be using when connecting to the node.

You can check your addresses using this web site: https://test-ipv6.com/ .

* An IPv4 address would look like '''199.241.166.5'''.

* An IPv6 address could be similar to '''2620:123:7002:4::5'''.

The possible problem is that if you put the IPv4 address mask, '''199.241.166.*''' into the CCDB SSH key, and  

your SSH client will be connecting the the robot node using IPv6 address, the source address will not match the mask in the key

=== How to identify the problem ===

If you are having difficulties to make the SSH connection to a robot node working.

Try this test command:

This command tries to connect to the robot node on Graham cluster and execute the <code>ls -l</code> command  

using the <code>~/.ssh/automation_key</code> SSH key.

Then it prints the list of files in your home directory on Graham to screen.

This command will produce a lot of debug output due to the <code>-vvv</code> option (be Very Very Verbose).

Look for the '''Connecting to...''' message there.

If it says something like this:

  debug1: Connecting to robot.graham.alliancecan.ca [199.241.166.5] port 22.

it means the IPv4 is being used.

If the message is similar to  

  debug1: Connecting to robot.graham.alliancecan.ca [2620:123:7002:4::5] port 22.

then IPv6 is being used to make the connection.

=== Possible solutions ===

* You can make the SSH client to '''explicitly use either IPv4 or IPv6''' using the <code>-4</code> and <code>-6</code> options, respectively, to match the format you used for the key in CCDB.

* You can try using an '''IP address instead of the name''' to point to the robot node. Using Graham example, try using the  

: <code>ssh -i ~/.ssh/automation_key -vvv username@199.241.166.5 "ls -l"</code>

: instead, to force SSH to use the IPv4 addresses.

* You can try to '''disable the IPv6 addressing''' for your system, to make sure that only IPv4 is used.

: How to disable IPv6 will depend on your system and the operating system.

= Automation using Python and Paramiko =

If you are using the [https://www.paramiko.org/index.html Paramiko Python module] to automate your workflow, this is how you can make it work with the robot nodes:

<source lang=python>

import paramiko

# ====================================================================================================

key = paramiko.Ed25519Key.from_private_key_file("/home/username/.ssh/cc_allowed")

user = "username"

host = "robot.graham.alliancecan.ca"

ssh = paramiko.SSHClient()

# If the host is not known, it is OK.

ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

ssh.connect(hostname=host, username=user, pkey=key)

cmd = "ls -l"

stdin, stdout, stderr = ssh.exec_command(cmd)

print("".join(stdout.readlines()))

ssh.close()

# ====================================================================================================

executes the <code>ls -l</code> command to get the list of files.

Then prints the list to the screen.

Note, that it is important to install '''paramiko''' with the

  $ pip install paramiko[all]

command. This will make sure that the support for the '''Ed25519''' key type will also be installed.