+ Converge is a utility for troubleshooting builds on continuous integration servers. + It solves a common problem where the cause of job failure is difficult to determine. + This is complicated further by the fact that build jobs are usually run on a build + farm where there is no access to the build agents or in more modern envrionments when + jobs are run in ephemeral containers. +
+ ++ With Converge it is possible to get remote shell access to such jobs. This works + by configuring the build job to connect to a Converge server using an agent program. + The agent program can be downloaded from within the CI job using curl or wget. + Next, an end-user can connect to the Converge server, a rendez-vous server, that connects + the client and server together. +
+ ++ The setup is such that the connection from client (end-user) to server (agent on CI job) + is end-to-end encrypted. The Converge server itself is no more than a bitpipe which pumps + data between client and agent. +
+ ++ Both ssh and sftp are supported. Multiple shells are also allowed. +
+ ++ There is a timeout mechanism in the agent such that jobs do not hang indefinitely + waiting for a connection. This mechanism is useful to make sure build agents do not keep + build agents occupied for a long time. By default, the agent exits with status 0 when + the first client exits after logging in. This behavior as well as general expiry can be + controlled from within a shell session by touching a .hold file. After logging in, the + user can control expiry of the session as instructed by messages in the ssh session. + When the timeout of a session is near the user is informed about this with messages + in the shell. +
+| Component | +Purpose | +Linux | +Windows | +
|---|---|---|---|
| agent | +The agent to run inside aa CI job | +agent | +agent.exe | +
| wsproxy | +SSH proxy command that can be directly used by ssh | +wsproxy | +wsproxy.exe | +
| tcptows | +TCP to WS tunnel for allowing regular + SSH and SFTP clients to connect to converge | +tcptows | +tcptows.exe | +
- Converge is a utility for troubleshooting builds on continuous integration servers. - It solves a common problem where the cause of job failure is difficult to determine. - This is complicated further by the fact that build jobs are usually run on a build - farm where there is no access to the build agents or in more modern envrionments when - jobs are run in ephemeral containers. -
- -- With Converge it is possible to get remote shell access to such jobs. This works - by configuring the build job to connect to a Converge server using an agent program. - The agent program can be downloaded from within the CI job using curl or wget. - Next, an end-user can connect to the Converge server, a rendez-vous server, that connects - the client and server together. -
- -- The setup is such that the connection from client (end-user) to server (agent on CI job) - is end-to-end encrypted. The Converge server itself is no more than a bitpipe which pumps - data between client and agent. -
- -- Both ssh and sftp are supported. Multiple shells are also allowed. -
- -- There is a timeout mechanism in the agent such that jobs do not hang indefinitely - waiting for a connection. This mechanism is useful to make sure build agents do not keep - build agents occupied for a long time. By default, the agent exits with status 0 when - the first client exits after logging in. This behavior as well as general expiry can be - controlled from within a shell session by touching a .hold file. After logging in, the - user can control expiry of the session as instructed by messages in the ssh session. - When the timeout of a session is near the user is informed about this with messages - in the shell. -
- -- In a - continuous integration job, download the agent, chmod it and run it. -
-{`
- # linux
- `}curl http{secure}://{host}/docs/agent > agent{`
- chmod 755 agent
- `}./agent --id ID ws{secure}://{host}{`
-
- # windows
- `}curl http{secure}://{host}/docs/agent.exe > agent.exe{`
- `}agent --id ID ws{secure}://{host}{`
- `}
- - Above, ID is a unique id for the job, the so-called rendez-cous ID. This should not conflict with IDs - used by other agents. The ID is used for a rendez-vous between the end-user on a local system and - the continuous integration job running on a build agent. If you don't specify an id, a random - id will be generated. - - The agent to the converge server and tells it the ID. Clients can now connect to the Converge - server to establish a connection to the CI job through converge by also specifying the same - ID. - - Communication between - end-user and agent is encrypted using SSH and the rendez-vous server is unable to - read the contents. The rendez-vous server is nothing more then a glorified bit pipe, - simply transferring data between end-user SSH client and the agent which runs an - embedded SSH server. -
- -- NOTE: When running the agent on windows, an exit of the remote session using - exit in powershell or command prompt does not terminate the shell completely. - To terminate the client ssh session must be killed by closing the terminal. - Cleanup of remote processes on the agent appears to work properly despite this - problem. It is just that exit of the windows shell (powershell or command prompt) - is not detected properly. -
- -- The agent has more options, download the agent and run it without arguments to - see all options. -
- -wsproxy is a command that can be used as a proxy command for SSH which performs the connection to the
- remote server. This command needs to be downloaded only once (see downloads below). It does not depend on
- the converge implementation but only on the websocket standards. Other tools that
- provide a mapping of stdio to a websocket can also be used instead of wsproxy.
-
- Next step is to run a local SSH or SFTP client: -
- -
- {`
- `}ssh -oServerAliveInterval=10 -oProxyCommand="wsproxy ws{secure}://{host}/client/ID" { username }{"@localhost"} {`
- `}sftp -oServerAliveInterval=10 -oProxyCommand="wsproxy ws{secure}://{host}/client/ID" { username }{"@localhost"} {`
- `}
-
- - This option is less convenient than the proxy command because it requires two separate - commands to execute. -
- -- Local clients can connect using regular ssh and sftp commands through a tunnel that - translates a local TCP port to a websocket connection in converge. See - the downloads section. - This runs a local client that allows SSH to port 10000 and connects to converge using - a websocket connection. -
- - -- Next step is to run a local SSH of SFTP client: -
- - {`
- `}ssh -oServerAliveInterval=10 -p 10000 { username }{"@localhost"} {`
- `}sftp -oServerAliveInterval=10 -oPort=10000 { username }{"@localhost"} {`
- `}
-
-
- The { username } user above the Converge server and
- communicated to the agent when the agent is started. This is the
- username that must be used when setting up an ssh connection.
- Another way to authenticate is through an .authorized_keys file in the
- same directory as where the agent is started.
-
- This can be setup as follows before starting the agent:
-
{`
- `}# linux {`
- `}echo "ssh-rsa dkddkdkkk a@b.c" > .authorized_keys {`
- `}echo "ssh-rsa adfadjfdf d@e.f" >> .authorized_keys {`
- `} {`
- `}# windows {`
- `}echo ssh-rsa dkddkdkkk a@b.c > .authorized_keys {`
- `}echo ssh-rsa adfadjfdf d@e.f >> .authorized_keys
-
- - Note that on windows you should not used quotes. -
- -| Component | -Purpose | -Linux | -Windows | -
|---|---|---|---|
| agent | -The agent to run inside aa CI job | -agent | -agent.exe | -
| wsproxy | -SSH proxy command that can be directly used by ssh | -wsproxy | -wsproxy.exe | -
| tcptows | -TCP to WS tunnel for allowing regular - SSH and SFTP clients to connect to converge | -tcptows | -tcptows.exe | -
+ In a + continuous integration job, download the agent, chmod it and run it. +
+{`
+ # linux
+ `}curl http{secure}://{host}/docs/agent > agent{`
+ chmod 755 agent
+ `}./agent --id ID ws{secure}://{host}{`
+
+ # windows
+ `}curl http{secure}://{host}/docs/agent.exe > agent.exe{`
+ `}agent --id ID ws{secure}://{host}{`
+ `}
+ + Above, ID is a unique id for the job, the so-called rendez-cous ID. This should not conflict with IDs + used by other agents. The ID is used for a rendez-vous between the end-user on a local system and + the continuous integration job running on a build agent. If you don't specify an id, a random + id will be generated. + + The agent to the converge server and tells it the ID. Clients can now connect to the Converge + server to establish a connection to the CI job through converge by also specifying the same + ID. + + Communication between + end-user and agent is encrypted using SSH and the rendez-vous server is unable to + read the contents. The rendez-vous server is nothing more then a glorified bit pipe, + simply transferring data between end-user SSH client and the agent which runs an + embedded SSH server. +
+ ++ NOTE: When running the agent on windows, an exit of the remote session using + exit in powershell or command prompt does not terminate the shell completely. + To terminate the client ssh session must be killed by closing the terminal. + Cleanup of remote processes on the agent appears to work properly despite this + problem. It is just that exit of the windows shell (powershell or command prompt) + is not detected properly. +
+ ++ The agent has more options, download the agent and run it without arguments to + see all options. +
+ +wsproxy is a command that can be used as a proxy command for SSH which performs the connection to the
+ remote server. This command needs to be downloaded only once (see downloads below). It does not depend on
+ the converge implementation but only on the websocket standards. Other tools that
+ provide a mapping of stdio to a websocket can also be used instead of wsproxy.
+
+ Next step is to run a local SSH or SFTP client: +
+ +
+ {`
+ `}ssh -oServerAliveInterval=10 -oProxyCommand="wsproxy ws{secure}://{host}/client/ID" { username }{"@localhost"} {`
+ `}sftp -oServerAliveInterval=10 -oProxyCommand="wsproxy ws{secure}://{host}/client/ID" { username }{"@localhost"} {`
+ `}
+
+ + This option is less convenient than the proxy command because it requires two separate + commands to execute. +
+ ++ Local clients can connect using regular ssh and sftp commands through a tunnel that + translates a local TCP port to a websocket connection in converge. See + the downloads section. + This runs a local client that allows SSH to port 10000 and connects to converge using + a websocket connection. +
+ + ++ Next step is to run a local SSH of SFTP client: +
+ + {`
+ `}ssh -oServerAliveInterval=10 -p 10000 { username }{"@localhost"} {`
+ `}sftp -oServerAliveInterval=10 -oPort=10000 { username }{"@localhost"} {`
+ `}
+
+
+ The { username } user above the Converge server and
+ communicated to the agent when the agent is started. This is the
+ username that must be used when setting up an ssh connection.
+ Another way to authenticate is through an .authorized_keys file in the
+ same directory as where the agent is started.
+
+ This can be setup as follows before starting the agent:
+
{`
+ `}# linux {`
+ `}echo "ssh-rsa dkddkdkkk a@b.c" > .authorized_keys {`
+ `}echo "ssh-rsa adfadjfdf d@e.f" >> .authorized_keys {`
+ `} {`
+ `}# windows {`
+ `}echo ssh-rsa dkddkdkkk a@b.c > .authorized_keys {`
+ `}echo ssh-rsa adfadjfdf d@e.f >> .authorized_keys
+
+ + Note that on windows you should not used quotes. +
+ +