Compute Node Remote Access

By default, remote access to compute nodes is provided through SSH using key-based authentication, although administrators may also enable password-based SSH in the compute node image by configuring a password for the root user. Every head node generates a public/private key pair and places these files in the directory /opt/scyld/clusterware/.ssh/ using the names id_rsa.clusterware and id_rsa.clusterware.pub. These keys are used by the head nodes to execute commands on the compute nodes. All head node public keys are downloaded by compute nodes at boot time by the update_keys.sh script and appended to /root/.ssh/authorized_keys. This allows any head node to execute a command on any compute node. The /opt/scyld/clusterware/.ssh/id_rsa.clusterware key can be used by system administrators as an "automation" key for tasks like cron jobs. It is also useful in recovery situations where an administrator may need to use this private key to directly access compute nodes.

The same script that downloads the head node public keys also downloads the public keys attached to every cluster administrator account. These accounts are created using the scyld-adminctl tool as follows:

scyld-adminctl create name=admin keys=@~/.ssh/id_rsa.pub

This allows anyone with the corresponding id_rsa to SSH into the root account on any compute node booted after the key was added. The key can also be added as a string or updated for an existing administrator. For example:

scyld-adminctl -i admin update keys='ssh-rsa AAAAB3NzaC1yc2EAAAADA....'

Cluster administrators are also welcome to add SSH keys to compute node images in small private clusters. Although adding administrator accounts with public keys simplifies management of larger clusters with multiple node images or cluster administrators, administrator accounts stored in the database or listed in the base.ini use the same authentication mechanisms described in the previous section.
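
Because every key in /root/.ssh/authorized_keys grants root on the node, a useful check is to compare that file against the head node and administrator public keys you expect to be there. The script below is an added example, not ClusterWare code; the allowlist file, the function name unexpected_keys and the sample key blobs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not ClusterWare code): list root authorized_keys entries
# whose key is not in an allowlist of head-node and administrator public keys.

# unexpected_keys AUTHORIZED_KEYS ALLOWLIST
# Prints "line N: <entry>" for each key absent from ALLOWLIST; returns 1 if any.
unexpected_keys() {
    awk -v ALLOW="$2" '
        # Return "type blob" for the current line, skipping a leading options
        # field. Simplification: quoted option values with spaces are not parsed.
        function key(   i) {
            for (i = 1; i < NF; i++)
                if ($i ~ KEYTYPE) return $i " " $(i + 1)
            return ""
        }
        BEGIN { KEYTYPE = "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+|sk-[a-z0-9@.-]+)$" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        { k = key(); if (k == "") next }        # skip lines with no key
        FILENAME == ALLOW { allowed[k] = 1; next }
        # Keys are appended at boot, so report each unexpected key only once.
        !(k in allowed) && !(k in seen) { seen[k] = 1; bad = 1; print "line " FNR ": " $0 }
        END { exit bad }
    ' "$2" "$1"
}

# Constructed sample data: the blobs are placeholders, not real keys.
demo_dir=$(mktemp -d)
cat > "$demo_dir/allowlist.pub" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTEDHEADNODEKEY0001 head1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTEDADMINKEY00001 admin
EOF
cat > "$demo_dir/authorized_keys" <<'EOF'
# as found on a compute node
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTEDHEADNODEKEY0001 head1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTEDADMINKEY00001 renamed-comment
from="10.0.0.5" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDUNKNOWNKEY0001 old-laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTEDHEADNODEKEY0001 head1
EOF

unexpected_keys "$demo_dir/authorized_keys" "$demo_dir/allowlist.pub" \
    || echo "review the entries listed above"
```

Keys are matched on type and blob only, so a changed comment does not hide or flag a key, and an options prefix such as from= does not exempt an entry from the comparison.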