ECS: How to Lock or Unlock Remote Access to Nodes
Summary: Node locking provides another layer of security against remote node access from all accounts.
Instructions
This article is an extract from the ECS 3.0 Administrator's Guide that is available on Dell Support.
Lock and unlock nodes
Use the portal to lock and unlock remote SSH access to ECS nodes.
Before beginning:
This task is done by the Lock Admin (login - emcsecurity).
Locking a node only prevents remote access to the operating system of the node by SSH or the CLI. Locking or unlocking a node has no effect on ECS Portal, ECS REST, Management API functions, or directly connecting to a node locally and then using the CLI or SSH.
Procedure:
- Log in as emcsecurity.
If this is the first login from this account, it requires a change of password and re-login.
- From the left side of the navigation pane, select Settings > Platform Locking.
The screen lists the nodes in the cluster and displays their lock status.
The node states are:
- Unlocked: This displays an open green lock icon and the Lock action button
- Locked: This displays a closed red lock icon and the Unlock action button
- Offline: This displays the circle-with-slash icon and no action button because the node is unreachable and the lock state cannot be determined
- Choose one of the following options:
| Option | Description |
|---|---|
| Lock | To lock an unlocked node. Any user who is remotely logged in by SSH or CLI is given five minutes to exit before their session is terminated. An impending shutdown message appears on the user's terminal screen. |
| Unlock | To unlock a locked node. A privileged user can remotely log in to the node by SSH or the CLI after a few minutes. |
| Lock the VDC | This convenience feature locks all unlocked nodes in the VDC as long as they are online. It does not set a state where any new or offline node is automatically locked once detected. |
Additional Information
Locking remote access to nodes
Use the ECS Portal to lock remote access to nodes.
Access types
ECS can be configured in the following ways:
- Using the ECS Portal or the ECS Management API
- By directly connecting to a node through the management switch, with a service laptop and using SSH or the CLI to directly access the node's operating system
- By remotely connecting to a node over the network, using SSH or the CLI to directly access the node's operating system
Node locking provides another layer of security against remote node access from all accounts. Without node locking, any privileged node-level account, such as the admin, service, or Dell accounts, can remotely access nodes at any time to collect data, configure hardware, and run Linux commands. If all the nodes in a cluster are locked, remote access can be planned and scheduled for a defined window, minimizing the opportunity for unauthorized activity.
Using the ECS Portal or the ECS Management API, you can lock selected nodes in a cluster or all the nodes in the cluster. Doing so only affects the ability to remotely access (SSH to) the locked nodes. Locking does not change the way the ECS Portal and ECS Management APIs access nodes, and it does not affect the ability to directly connect to a node.
Lock Admin
Locking and unlocking nodes requires the Lock Admin user. The Lock Admin is a pre-provisioned local user called emcsecurity. Lock Admins can only change their passwords and lock and unlock nodes. The Lock Admin role cannot be assigned to another user. System Admins and System Monitors can view the lock status of the nodes.
Maintenance
If node maintenance using remote access is periodically required, you can unlock a single node to allow remote access to the entire cluster using SSH with the admin or Dell account. Once the authorized user successfully logs in to the unlocked node using SSH, the user can SSH from that node to any other node in the cluster by way of the private network.
It is necessary to unlock a node to remotely use commands that provide OS-level read-only diagnostics.
Auditing
Node lock and node unlock events are captured in audit logs and also sent to Syslog. Errors from lock or unlock attempts are also logged.
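Because unlocking a single node opens SSH to the whole cluster, the lock and unlock events are worth reviewing against the planned maintenance windows. The following is an added example, not taken from the ECS guide: it replays constructed syslog lines (the line format, node names, and window times are assumptions, not the actual ECS audit format) and reports unlocks outside a window, failed attempts, and nodes left unlocked.

```python
import re
from datetime import datetime

# Constructed sample lines; this format is an assumption for the example,
# not the real ECS audit/syslog layout. Lines are assumed to be in time order.
SAMPLE = """\
2024-07-01T02:05:00Z ecs-portal audit: user=emcsecurity action=unlock node=node1 result=success
2024-07-01T03:40:00Z ecs-portal audit: user=emcsecurity action=lock node=node1 result=success
2024-07-02T14:05:00Z ecs-portal audit: user=emcsecurity action=unlock node=node3 result=success
2024-07-02T14:06:00Z ecs-portal audit: user=emcsecurity action=unlock node=node4 result=failure
2024-07-03T02:10:00Z ecs-portal audit: user=emcsecurity action=unlock node=node2 result=success
"""
# Approved maintenance windows in UTC (constructed values).
WINDOWS = [("2024-07-01T02:00:00Z", "2024-07-01T04:00:00Z"),
           ("2024-07-03T02:00:00Z", "2024-07-03T04:00:00Z")]
FMT = "%Y-%m-%dT%H:%M:%SZ"
LINE = re.compile(r"^(\S+) \S+ audit: user=\S+ action=(lock|unlock) "
                  r"node=(\S+) result=(\S+)$")

def in_window(ts, windows):
    return any(start <= ts <= end for start, end in windows)

def review(log_text, windows, now):
    """Replay lock/unlock events; return (finding, node, timestamp) tuples."""
    windows = [(datetime.strptime(s, FMT), datetime.strptime(e, FMT))
               for s, e in windows]
    now = datetime.strptime(now, FMT)
    unlocked = {}   # node -> time of the unlock that is still in effect
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        stamp, action, node, result = m.groups()
        ts = datetime.strptime(stamp, FMT)
        if result != "success":
            # Errors from lock/unlock attempts are logged too; surface them.
            findings.append(("failed_" + action, node, stamp))
        elif action == "unlock":
            unlocked[node] = ts
            if not in_window(ts, windows):
                findings.append(("unlock_outside_window", node, stamp))
        else:
            unlocked.pop(node, None)
    if not in_window(now, windows):
        # Any node still unlocked once no window is open needs follow-up.
        for node, ts in sorted(unlocked.items()):
            findings.append(("left_unlocked", node, ts.strftime(FMT)))
    return findings
```

Calling `review(SAMPLE, WINDOWS, "2024-07-03T06:00:00Z")` evaluates the sample as of a time after the last window has closed.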
ECS Management API
The following APIs allow the managing of node locks.
| Resource | Description |
|---|---|
| GET /vdc/nodes | Gets the data nodes that are configured in the cluster. |
| GET /vdc/lockdown | Gets the locked or unlocked status of a VDC. |
| PUT /vdc/lockdown | Sets the locked or unlocked status of a VDC. |
| PUT /vdc/nodes/{nodeName}/lockdown | Sets the lock or unlock status of a node. |
| GET /vdc/nodes/{nodeName}/lockdown | Gets the lock or unlock status of a node. |
Affected Products
Elastic Cloud Storage
Products
ECS, ECS Appliance
Article Properties
Article Number: 000019556
Article Type: How To
Last Modified: 04 Jul 2024
Version: 4