Version: 4.12.x.x LTS

Deployment via SSH

To establish a connection to remote hosts during deployment, nevisAdmin 4 provides two methods:

  • private key authentication (recommended), or
  • authentication via user name and password, which can be different for each host.

Both options are described in more detail below.

The complete process to set up SSH and deploy a configuration is as follows:

  1. Choose your authentication method and follow the instructions below.
  2. If needed, configure host connection variables in your inventory.
  3. To perform the deployment, see:
       • Deployment of the configuration using the GUI.
       • Generation Engine for command-line based deployment.

The connection user must have sudo permissions as well as permissions to change the owner, group and permissions of deployed files. For example, you can use the users root or nvluser to deploy on nevisAppliance hosts.

SSH is the only deployment protocol supported by nevisAdmin 4. The nevisAgent that was used by nevisAdmin 3 is not supported.

Private Key Authentication

For security reasons, we recommend configuring a private key for the SSH connections, instead of logging in with a password.

The private key must be the same for all hosts that you connect to.

You can define the path to the private key in the nevisadmin4.yml file. If it is not set, nevisAdmin 4 uses the private key of the runtime user nvbuser, which is located at /home/nvbuser/.ssh/id_rsa. If the target user is root, then you do not need to define host connection variables in the inventory. To log in as another user, specify the global __connection_user inventory variable.

If there is no private key yet, create one using the following command:

su nvbuser
ssh-keygen -m PEM

If the private key is password-protected, also set the passphrase in the nevisadmin4.yml file. Here is an example configuration:

nevisadmin:
  deployment:
    ssh:
      known-hosts: /home/nvbuser/.ssh/known_hosts # optional setting to connect to known hosts only (if omitted, all hosts are trusted)
      privatekey:
        file: /home/nvbuser/.ssh/id_rsa
        passphrase: password # The passphrase needed to access the private key file (required only if key is password protected)

Protecting Passwords or Other Settings

It is possible to retrieve sensitive values, such as passwords, from external sources. To do this, specify the following values instead of the password:

  • ${env:<VAR_NAME>} to use an environment variable
  • ${exec:<shell command>} to run a shell command and use its output as the value

For example, assuming the environment variable IDENTITY_FILE_LOCATION and a script called get-password.sh are available:

nevisadmin:
  deployment:
    ssh:
      privatekey:
        file: "${env:IDENTITY_FILE_LOCATION}"
        passphrase: "${exec:/home/nvbuser/bin/get-password.sh --password-key identity-phrase}"

Creating the known_hosts File

As an example, if you use the private key of the nevisAdmin 4 runtime user nvbuser, you can populate the known_hosts file as follows:

su nvbuser
ssh-copy-id -i <path-to>/id_rsa -o HostKeyAlgorithms=ssh-rsa <connection-user>@<host>
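
The following shell script is an added example, not part of nevisAdmin 4 or its documentation. It audits the nevisadmin.deployment.ssh block of a nevisadmin4.yml file for the two settings discussed above: a missing known-hosts entry (all hosts are trusted) and a passphrase stored as a literal instead of an ${env:...} or ${exec:...} reference. The function names and the line-based parsing of the layout shown on this page are assumptions of this example.

```shell
#!/bin/sh
# Added example, not vendor code: audit nevisadmin.deployment.ssh in nevisadmin4.yml.
# Assumes the key layout shown on this page, one "key: value" per line.

# Print the lines nested under the first "ssh:" key.
ssh_block() {
    awk '
        function indent(s) { sub(/[^ ].*/, "", s); return length(s) }
        !inblk && /^ *ssh:/ { ind = indent($0); inblk = 1; next }
        inblk && NF { if (indent($0) <= ind) exit; print }
    ' "$1"
}

# Read a block on stdin; print the value of key $1 without comment or quotes.
value_of() {
    sed -n "s/^ *$1: *//p" |
        sed -e 's/ \{1,\}#.*$//' -e 's/ *$//' -e 's/^"\(.*\)"$/\1/' -e 1q
}

# Print one finding per line for file $1; exit status = number of findings.
audit_ssh_config() {
    block=$(ssh_block "$1")
    n=0
    finding() { echo "FINDING: $*"; n=$((n + 1)); }
    kh=$(printf '%s\n' "$block" | value_of known-hosts)
    pp=$(printf '%s\n' "$block" | value_of passphrase)
    if [ -z "$kh" ]; then
        finding "known-hosts is not set, so all hosts are trusted"
    else
        case $kh in
            '${'*) ;;  # resolved from an external source, not checked here
            *) [ -s "$kh" ] || finding "known-hosts file $kh is missing or empty" ;;
        esac
    fi
    case $pp in
        '' | '${env:'* | '${exec:'*) ;;  # none, or fetched externally
        *) finding "passphrase is stored as a literal value in the file" ;;
    esac
    return "$n"
}

# Stand-alone use: sh audit.sh /path/to/nevisadmin4.yml
if [ $# -gt 0 ]; then audit_ssh_config "$1"; fi
```

Run against the first example configuration on this page, the script reports the literal passphrase; the second example, with a known-hosts entry added, passes.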

User Name / Password Authentication

An alternative option for the connection to remote hosts is to define a user name and password for each host.

The remote user name and the password are defined in the inventory. See Configuring Host Connections for details.