06-06-2017 03:46 AM
A few of the things I have used CLI access for:
1. Changing timezone (there was no GUI option for this in previous versions, don't know about 8.2.4).
2. SSH from Airwave server to Aruba controllers and switches has been valuable in situations where TAC needed quick access.
3. Keeping VMware Tools updated (our server guys are always bugging me about this).
06-07-2017 12:09 AM
I agree with Michael_Bloom. A change like this should be communicated to all customers well in advance, at least 6 months. You should use that period to collect feedback about what shell features are needed and used.
06-07-2017 12:24 AM - edited 06-07-2017 12:29 AM
Also not a big fan of this new menu based CLI. Question, do I now need to make a TAC case to perform the following?
- Expand the disk size > this is quite a common problem/request with our end customers
- Check running processes or disk space (top & df -h) > makes it easier to spot issues or a full disk
- Change the timezone
06-07-2017 07:36 AM
This is all useful feedback. The Product team did communicate with several customers when building up the plan for the feature. And the feature has been shown at Atmosphere, Aspire, and Discover events. While there could have been more of an announcement of the feature, the upgrade notice does allow you to bail out if you do not want to run AMPCLI. The custom modules structure in the menu is designed in a way that we are going to be able to address some of the requests sooner than the next release. This was a 1.0 feature release, so there's room for improvement.
That said, let's move forward by making requests for enhancements and modules that address options that are now missing. I've been adding them as feature stories, but it doesn't guarantee that it will make it into the scheduling - but like all features, the more requests for a feature - the more likely it'll be implemented.
US16673 : option to update timezone
US16776 : vmware tools installation
US16788 : expand disk size
US16789 : CIFS option for backup transfer to windows fileshare
For processes, you can request through support for the 'process list' module -> while it's not top, it does show the running processes.
For disk space -> you can use the Disk Usage alert (it has an email option as well)
No longer a usage case from AirWave server:
- Full shell access
- Allowing CLI user to SSH into another server or networked resource via AirWave server
:: REASON ::
The above 2 items are being caught by security audits as security vulnerabilities.
For things that don't have a workaround, a support case would need to be opened to address the changes needed and help track the module &/or feature requests as they come in.
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
06-08-2017 06:59 AM
The problem is that I can’t bail or opt out because we are deploying AP-303H’s and AP-365’s and we need to be able to monitor them. I now have to figure out what to do with the agents running on CentOS for our backup and monitoring systems. I'm guessing that the only solution is not to use these systems.
Also, I occasionally need to run ifconfig commands and would like to know if there will be a way to up/down and bond ethernet interfaces from the new CLI.
06-08-2017 08:15 AM
The elimination of the CLI for us has put a halt on further upgrades to AirWave, and we will be evaluating the next step going forward. My first thought was they are turning the Server/application into an appliance only device when I saw this going on. I have a lot of questions that I am trying to research answers to if we don't have CLI access.
Right now, how do I do the following without access to the CLI?
We currently mount volume to our SAN for backups. This solved the problem of constantly running out of space on the drives and gave us an off the server backup in the event of a crash. Which we were bit by a few years ago when drives failed.
Here are the mount points that we ship over to the SAN:
/var/airwave-backup type ext4 (rw,_netdev)
/alternative type ext4 (rw,_netdev)
/airwave-logs type ext4 (rw,_netdev)
Database Access provides us with three main useful data/tools!
1) Data that we transfer over to long term for our CIO's project. This gets integrated with other systems. If we can't access it via the cli can we access it via ODBC to provide this data? Then how do we set this up if we do not have access to the CLI or root access? It is our data we want and need access to it. How are you going to do this for everyone who needs to access the database without the CLI?
2) Mass Imports for Location and AP updates. When we get a few new buildings that are rehabbed the APs are updated and then I have a few hundred APs to rename, upload Location information, and AP group information for. Now to do this via the GUI it’s slow and takes a very long time. I can do this via the database access in about 5 minutes. I would be really pissed they had not figured that out first before removing access. (This is coming from a long-time customer!) Because now you’re talking days of work instead of minutes.
3) Database access for troubleshooting. We use this all the time to identify APs, as it's a lot faster than the web GUI. So work needs to be done to fix the slow interaction between the Database and the Web GUI. It's just plain slow to access the database and update!
- OS Lockdown
I get that you want to have your app "airwave" run on a certain version of CentOS so it's certified to work with it. That is the easy way out if the world didn't evolve. But the base OS must be kept up to date and therefore the application must be as well. We have far too many applications that simply refuse to keep with the times simply because they don't want to put the effort into testing or money on a new OS.
Somehow, this needs to be reversed so that all systems are secured by not limiting the OS version to that which the application can support. We pay enough for support and the product upfront so it should be kept up to date! Therefore, this last one I do see a valid reason but still not enough of one to kill the CLI entirely and replace it with Menu driven system.
That's my thoughts on the subject. Simply put, a Menu just will not cut it; you have just handcuffed the product. We all don't need to be root. Say, why not create a user class, say call it ampuser and amp_operater, so that there are levels of access... isn't that a unique idea to computing and security?
06-08-2017 10:21 AM
I was looking forward to this release (8.2.4). The Security team ran several scans against 126.96.36.199 and were not happy with the results. I spent countless hours patching and applying STIG settings. Prior to this, I had to run the "convert_to_sercure_amp" script. It had limited functionality and was very slow.
- Being able to use OpenSSL to generate certificates
06-08-2017 10:37 AM
Question: Can AirWave servers running 8.2.4 copy files between each other? Let's say a Primary AMP and a Failover AMP...can files be SCP'd between the two devices using the AMPCLI? Or do I need to introduce an additional SCP server?
On 188.8.131.52 (prior to converting it to a secure AMP), I would have shell access and would SCP the backup files directly between each server...when there was a failover event. I assume this functionality is there now using the numbered options? Or, has the SCP server functionality been removed?