Cyclades AlterPath Manager E200
Price: $8,950 US
Global console namespace across managed devices.
Global user management across managed devices.
Access via SSH and Web.
Automated firmware updates.
A little pricey.
Passwords stored clear text and world-readable.
Needs more comprehensive documentation.
Cyclades makes a number of excellent products aimed at easing system administration and data center management. These include console (serial and KVM) and remote power management. In the past, these devices were all islands unto themselves needing individual management. Authentication and authorization could be unified easily with a directory service such as LDAP, Radius, NIS or Kerberos, but the configuration of the devices would need to be managed individually and manually.
In modern complex data center environments, infrastructure must be flexible to keep up with changing circumstances and requirements. A central management system was needed.
Serial Consoles in the Data Center
For most computers, the console is the video monitor and a directly attached keyboard. This is where kernel and boot messages go as a system is coming up. The console eventually becomes a login terminal, either graphical or text mode, after a system is fully booted. On servers, however, graphical consoles are not needed and are often unwanted. Consoles on servers usually are used only to recover an ailing system or install a new OS. In these cases, a serial port is used as the console. This provides a very simple device for the kernel to deliver messages without the complexity or wasted CPU cycles of a graphics device. Serial consoles have the added benefit of remote access when used in conjunction with a console server such as the Cyclades ACS series products. These devices literally allow you to use SSH (secure shell) to connect directly to a server's console and manage it from anywhere. Remote access to a server console allows the system administrator to recover and even re-install the OS from anywhere, if the server is running Linux or UNIX. For more information on implementing serial consoles on Linux see my LJ article in the August 2004 issue.
Some of Cyclades' most popular products are the TS and ACS serial console management devices. These thin 1U-rackmount enclosures allow secure remote console access to servers and serial-port-equipped appliances such as filers, routers, firewalls, SAN arrays and switches. The AlterPath Manager (APM) is designed to sit above multiple ACS and TS units and centralize configuration and authentication.
The APM unit sports an 850MHz Intel Celeron CPU, 256MB RAM, 40GB disk, two 10/100 Ethernet ports and two serial ports, one for the APM's console and another for an optional dial-in modem. Not much horsepower by today's standards, but more than enough for what the APM needs to do. This is all basically off-the-shelf hardware; the APM is primarily a software product that includes integrated hardware.
The hardware is packaged nicely in a sturdy 1U-rack enclosure. Indicators are on the front with all connectors on the rear.
The APM runs a small customized Linux OS. Cyclades' management application is Web-based and runs under the Tomcat Java servlet engine. The servlet engine serves on both HTTP and HTTPS (encrypted) ports, and Cyclades provides simple instructions for disabling the non-encrypted port. All configuration and control of the managed devices is done over encrypted SSH connections.
The APM uses password-style authentication to the managed devices using expect. I would have liked to see public key authentication, but passwords are easier to understand for most people and at least it's still all encrypted. The root passwords for all managed devices are stored in a MySQL database running on the APM. This database allows connections only from localhost and stores these passwords in clear text. It also appears that the MySQL databases on all APM devices use the same hard-coded database root password. All the database passwords can be found in the world-readable configuration file /var/apm/apm.properties. It needs to be assumed that any user with shell access to the APM will have complete control of the managed devices because of the unfettered access to the root passwords. This security situation should be significantly tightened up by Cyclades' developers.
Free DevOps eBooks, Videos, and more!
Regardless of where you are in your DevOps process, Linux Journal can help!
We offer here the DEFINITIVE DevOps for Dummies, a mobile Application Development Primer, and advice & help from the expert sources like:
- Linux Journal
- New Products
- Flexible Access Control with Squid Proxy
- Users, Permissions and Multitenant Sites
- Security in Three Ds: Detect, Decide and Deny
- High-Availability Storage with HA-LVM
- Tighten Up SSH
- DevOps: Everything You Need to Know
- Solving ODEs on Linux
- Non-Linux FOSS: MenuMeters
- diff -u: What's New in Kernel Development