Moogsoft Docs

Configure ToolRunner

ToolRunner allows an administrator to set up custom scripts to run on a server. It uses ssh to run tools and integrations. You must edit the servlets configuration file in Moogsoft AIOps in order to use ToolRunner in the UI.

Warning

ToolRunner grants access to the ToolRunner user to run any command on the operating system. Therefore, only implement ToolRunner if it is absolutely necessary and follow the security-related recommendations closely.

Before you begin

Before you begin to configure ToolRunner, ensure you have met the following requirements:

  • You have created or identified an operating system user that you will use to run tools:

    • Do not run ToolRunner as root.

    • Run ToolRunner in a user-restricted shell, for example, bash --restricted. See also https://www.gnu.org/software/bash/manual/html_node/.

    • Run ToolRunner as a non-privileged user.

    • Allow specific permissions to ToolRunner so that it only accesses the tools it needs.

  • You have identified a separate host or a sandboxed environment. Moogsoft recommends that you do not run ToolRunner locally.

  • You have the permissions to modify Moogsoft AIOps configuration files.

  • You have set the PasswordAuthentication property to yes in the /etc/ssh/sshd_config file on the Moogsoft AIOps server and restarted the sshd service.

Configure ToolRunner

To manually configure ToolRunner, edit the Servlets configuration file located at $MOOGSOFT_HOME/config/servlets.conf as follows:

  1. Update these properties in the toolrunner section of the file:

    • toolrunnerhost: The host that ToolRunner runs commands on. This should be a separate host to where you have installed Moogsoft AIOps.

    • toolrunneruser: The ToolRunner user name. The user must exist on the toolrunnerhost system and have the appropriate permissions to run the required tools.

    • toolrunnerpassword: The ToolRunner user password on the toolrunnerhost system.

      If the password is not defined, ToolRunner will use the public key defined in ssh_key_file, or if that is not set, $MOOGSOFT_HOME/etc/keys/id_rsa.

      For ssh_key_file, if the path is a relative path, it is assumed to be relative to $MOOGSOFT_HOME/etc. Your SSH key should have a passphrase set. You can specify this in the configuration file in encrypted form under encrypted_ssh_passphrase or in plaintext (not recommended) in ssh_passphrase.

      If neither is set, weMoogsoft AIOps assumes the password is keyPwd.

    • encrypted_toolrunnerpassword: An encrypted ToolRunner password. Use either the password or encrypted password property. See Moog Encryptor for more information.

    • execute_locally: If this is set to true, ToolRunner executes commands on the server where the ToolRunner servlet is hosted and ToolRunner ignores toolrunnerhost. Otherwise, commands are run on toolrunnerhost. The default is false.

    • webhost: Not used.

    • sshtimeout: SSH timeout period in milliseconds. If this is set to 0, it will never time out. The default is 0.

  2. Restart Apache Tomcat.

  3. Restart Moogfarmd.

Once you have completed the configuration, ToolRunner is available in the Moogsoft AIOps UI.

An example toolrunner section in the servlets configuration file is as follows:

toolrunner:
{
        toolrunnerhost                  : "localhost",
        toolrunneruser                  : "moogtoolrunner",
        toolrunnerpassword              : "moogtoolrunner",
        #encrypted_toolrunnerpassword   : "rmW2daCwMyI8JGZygfEJj0MZdbIkUqX3tT/OIVfMGyI=",
        #execute_locally                : false,
        #webhost                        : "https://localhost",
        sshtimeout                      : 900000
}