CT-Ops

Host Tools

How to use CT-Ops host tasks, automated logs, terminal access, and host deletion controls.

The Tools area contains actions and action history. Unlike monitoring and inventory pages, tools can execute work against the host or expose direct terminal access, so use them deliberately.

The area contains three child tabs:

TabWhat it is for
TasksOperator-triggered task runs, including scripts, patching, service actions, and Ansible ping checks.
LogsSystem-triggered automated runs for the host, such as software inventory scans.
TerminalInteractive SSH terminal access when global, host, role, and credential checks allow it.

Tasks tab

The Tasks tab lets permitted operators run supported host tasks and review task history. Available actions include patch runs, custom scripts, service actions, and Ansible ping checks when automation integration is enabled.

Task history shows task type, details, status, started time, and a link to the live or completed task run. It also supports selecting old task runs for deletion. CT-Ops lists the latest 50 operator-triggered runs for the host. The table refreshes every 5 seconds while any visible run is pending or running, then every 30 seconds after all visible runs are complete or failed.

The action buttons are role-aware:

ButtonAvailabilityWhat it does
Run ScriptUsers who can run host tasks.Opens the custom script dialog for this single host.
Ansible PingLinux hosts, users who can run host tasks, and enabled Automation Integration Settings for Ansible.Opens the Ansible ping dialog.
ServiceLinux hosts and users who can run host tasks.Opens the systemctl service action dialog.
Run PatchLinux hosts and users who can run host tasks.Opens the package patch dialog.

The task history table contains:

Column or controlMeaning
Select checkboxSelects one run for deletion.
Select all checkboxSelects or clears all visible runs.
TaskTask type, such as Patch, Script, Service, Patch status, or Ansible ping.
DetailsType-specific summary. Patch rows show All updates or Security only and may show a Reboot req. badge. Script rows show sh, bash, or python3. Service rows show action and service name plus an Active or Inactive result badge when available. Ansible ping rows show that the run is an SSH connectivity check.
StatusPending, Running, Completed, or Failed.
StartedStart time when available, otherwise creation time.
View live / ViewOpens the task run. Active runs use View live.
Selection toolbarAppears only after one or more rows are selected. It shows the selected count and a destructive Delete {count} button.
Delete {count}Deletes the selected task run history rows and related per-host task data. It does not undo work that already ran on the host.

When there are no operator-triggered task runs, CT-Ops shows No task runs yet and directs you to use the action buttons above the table.

Patch tasks

Patch tasks can run all updates or security-only updates. The task result can show whether a reboot is required.

The Run Patch dialog contains:

FieldWhat it does
All updatesRuns a full system upgrade using the package manager detected by the agent.
Security updates onlyRuns only security-flagged package updates where supported.
CancelCloses the dialog without creating a task run.
Run PatchCreates a one-host patch task run with maximum parallelism of 1 and opens the task detail page. The button shows a spinner while the request is in flight.

The agent detects supported Linux package managers such as apt, dnf, yum, and zypper. Patch controls are not shown for non-Linux hosts, and the backend also rejects patch runs for non-Linux hosts.

Use patch tasks when the host needs controlled remediation from CT-Ops. For larger rollouts, prefer group-level patching from Hosts -> Groups so you can control concurrency across multiple hosts.

Custom scripts

Custom script tasks can run shell, Bash, or Python scripts. Output is streamed through the task run.

The Run Script dialog contains:

FieldWhat it does
InterpreterSelects sh, bash, or python3. The default is sh.
ScriptScript body to run on the host. The Run Script button is disabled until the body contains non-whitespace text.
CancelCloses the dialog without creating a task run.
Run ScriptCreates a one-host script task run with maximum parallelism of 1 and opens the task detail page. The button shows a spinner while the request is in flight.

Validation and behavior:

RuleDetail
Script sizeEach interpreter has a backend script body limit of 65,536 characters, shown as 64 KB in validation errors.
Empty scriptsThe UI blocks whitespace-only scripts.
Interpreter valuesCT-Ops only accepts sh, bash, and python3.
OutputOutput is streamed through the task detail page.

Use scripts for controlled one-off diagnostics or remediation. Keep scripts small, explicit, and reversible where possible. For repeated workflows, consider moving the logic into a reviewed automation template rather than pasting ad hoc scripts.

Service actions

Service actions can start, stop, restart, or check status for a named service. The service picker can query services from the host to reduce typing mistakes.

The Service Action dialog contains:

Field or controlWhat it does
Service nameService name to pass to systemctl. Operators can type a name such as nginx, postgresql, or ssh.
Query buttonAsks the agent to list services on the host. The button shows a spinner while the query is pending.
Query result rowInserts the selected service into Service name. CT-Ops removes a trailing .service suffix before inserting the value and shows the service active_sub state next to each result.
StartStarts the service.
StopStops the service.
RestartRestarts the service. This is the default selected action.
StatusChecks current service status without changing it.
CancelCloses the dialog without creating a task run.
Run ActionCreates a one-host service task run with maximum parallelism of 1 and opens the task detail page. The button shows a spinner while the request is in flight.

Service management requires Linux with systemctl. The run button is disabled until a service name is present. Service action controls are not shown for non-Linux hosts from the Tasks tab, and the backend also rejects service actions for non-Linux hosts.

Use service actions when you need a controlled service operation with recorded evidence. Review the task result to confirm whether the service is active or inactive after the action.

Ansible ping

Ansible ping checks SSH connectivity to Linux hosts using a configured credential profile and SSH port. It is available only when Ansible automation is enabled, the Ansible API is healthy, at least one credential profile exists, and the current user can run host tasks.

The Run Ansible Ping dialog contains:

FieldWhat it does
Credential profileSaved Ansible SSH credential profile. Each choice shows the profile name and username. If none exist, CT-Ops directs administrators to create one under Automation Integration Settings.
SSH portSSH port to test. The UI allows 1 through 65,535 and defaults to 22.
CancelCloses the dialog without creating a task run.
Run PingCreates and immediately completes a one-host Ansible ping task run, then opens the task detail page. Disabled until a credential profile is selected.

Validation and behavior:

RuleDetail
Host OSOnly Linux hosts can run Ansible ping. Non-Linux hosts are rejected.
SSH portThe backend accepts only whole-number ports from 1 through 65,535.
CredentialThe selected credential profile must still exist in the current instance.
Automation readinessCT-Ops checks the stored Ansible automation setting and Ansible API health before running the ping.
Output safetyAnsible output is redacted before it is stored on the task run.
Stored configCT-Ops stores the credential profile ID and target inventory. The SSH port is stored only when it is not the default 22.

Use it before running SSH-based automation. A failed ping tells you to fix credentials, host reachability, SSH port, or host policy before attempting a more meaningful task.

Logs tab

The Logs tab shows automated system runs for the host, such as periodic software inventory scans. Each row shows task type, details, status, start time, and a link to the task run.

These are system-triggered runs rather than operator-triggered task runs. Use them when data looks stale or missing and you need to see whether background collection was pending, running, completed, or failed. CT-Ops lists the latest 50 automated runs for the host. The table refreshes every 5 seconds while any visible run is pending or running, then every 30 seconds after all visible runs are complete or failed.

Column or controlMeaning
Select checkboxSelects one automated run for deletion.
Select all checkboxSelects or clears all visible automated runs.
TaskAutomated run type. Software inventory runs are labelled Software inventory. Other task types are shown with underscores replaced by spaces.
DetailsType-specific summary. Software inventory rows show package count and collection source when the run result is available.
StatusPending, Running, Completed, or Failed.
StartedWhen the automated run started, or when it was created if it has not started.
View live / ViewOpens the task run detail.
Selection toolbarAppears only after one or more rows are selected.
Delete {count}Deletes the selected automated run history rows. For software inventory runs, CT-Ops also deletes associated software scan rows for those runs.

When there are no automated runs, CT-Ops shows No automated runs yet and explains that rows will appear after the system schedules its next scan.

Use this tab to verify background collection activity. For example, if software inventory is stale, check automated logs to see whether scans are failing, pending, or not running.

Terminal tab

The Terminal tab launches controlled terminal access when the feature is enabled, the host allows it, SSH host keys are trusted, and the current user is authorised.

The terminal launcher checks access before opening a session. Access can be blocked by Terminal Access Settings, the host-level Enable Terminal switch, the host user allowlist, untrusted or changed SSH host keys, role permissions, or a disconnected agent. When access is blocked, CT-Ops shows the denial reason instead of launching a session.

The launch form contains:

Field or controlWhat it does
UsernameSSH username for the target host. CT-Ops stores the last-used username for the current browser, user, and host in local browser storage.
SSH PortSSH port for the target host. Defaults to 22; the last valid port for the host is read from local browser storage when present.
PasswordSSH password for the target account. The field is required for direct login and is cleared after opening a terminal.
Save in CT-VaultEncrypts and stores the username and password as a per-user, per-host terminal credential before opening the terminal.
Vault passwordPassword used in the browser to encrypt or decrypt the saved terminal credential. Required when saving or using a saved credential.
Login with VaultDecrypts the saved terminal credential with the supplied vault password and opens the terminal. Shown only when a saved credential exists.
Delete saved CT-Vault credential buttonRemoves the saved terminal credential for the current user and host.
Open TerminalOpens the terminal panel for the host using the typed username, password, and parsed SSH port. Disabled until username, password, and port are present.

Terminal and Host Editor sessions open in the shared bottom workspace. Use the full-screen toolbar button to expand the active tab to the whole viewport, then use the restore button to return it to the bottom panel.

Validation and behavior:

RuleDetail
Minimum roleTerminal access requires at least engineer-level membership.
Instance switchIf global terminal access is disabled, no host terminal can launch.
Host switchIf the host disables terminal access, the launcher shows a denial message.
Host allowlistIf the host has an allowlist, only listed users can open the terminal.
SSH portThe port must be a whole number from 1 through 65,535. Empty, non-numeric, or out-of-range values are rejected.
SSH username for saved credentialsCT-Vault terminal credentials require a POSIX-style username up to 32 characters: start with a letter or underscore, then letters, numbers, underscores, or dashes.
Password and vault password lengthSaved terminal credential passwords and vault passwords are limited to 4,096 characters.
CT-Vault encryptionTerminal credentials are encrypted in the browser with PBKDF2-SHA-256 and AES-256-GCM before being stored. CT-Ops does not return plaintext saved credentials from the server.
Direct accessCT-Ops forces terminal direct access off. Sessions are SSH-backed and use the supplied target host credentials.

Use terminal access for interactive investigation when passive telemetry and task workflows are not enough. Prefer checks, logs, and tasks where they provide the same answer, because they produce more structured evidence.

SFTP tab

The SFTP tab is the file companion to terminal access. It lets an engineer browse remote paths, upload and download files, and open, edit, diff, back up, save, and roll back remote text files over SSH/SFTP.

Global SFTP Security Settings decide whether CT-Ops applies the host-level allowlist and denylist before file operations, or whether SFTP relies on the remote host permissions only. When CT-Ops path policy is enabled, the host editor policy is configured by an administrator on the host Management -> Settings tab and opening, saving, creating, deleting, uploading, downloading, and rolling back require a matching CT-Ops allow rule. When CT-Ops path policy is disabled, Linux permissions for the SSH user decide whether the remote read, write, upload, download, or delete succeeds.

The remote file browser starts at / and lists directories that the SSH user can list on the host. Double-click a file in the browser to open it; each opened file appears as a tab above the editor. Closing a tab with unsaved changes prompts before discarding the draft. Global SFTP host availability can deny the tab for a specific host even when SFTP is otherwise enabled across the instance, or invert access so only selected hosts can launch SFTP.

SFTP status messages, including upload errors such as an existing remote file, can be dismissed manually and clear automatically after five seconds. The same messages remain visible in the collapsible current-session activity log, so an operator can return later in the same browser session and review what happened.

Uploads use the Host Editor streaming upload route rather than a base64 server action payload. This keeps large maintenance artifacts, such as installer images or support bundles, out of browser and web-server memory while preserving per-file progress in the transfer monitor. New files are added to the upload queue first; the queue processor wakes periodically and starts the next file only when no other upload is active, so CT-Ops transfers one uploaded file at a time. CT-Ops still enforces the active SFTP security mode, audits successful uploads, and rejects files over the 5 GiB upload limit before the browser starts sending an oversized file. The bundled nginx proxy streams Host Editor uploads to the web app instead of buffering the whole request first, so multi-GB ISO files can start transferring immediately and a stopped upload is cancelled promptly. Completed and failed transfer cards can be dismissed individually, or the transfer monitor can clear all finished transfers at once. Operators can stop an active or queued upload; stopped uploads are shown as a user-stopped warning rather than an error for 10 seconds, then removed from the transfer list. The transfer monitor can also be hidden from its own header and shown again from the remote file browser toolbar.

Downloads use a separate streaming read route. CT-Ops checks the active Host Editor session, the active SFTP security mode, and the SSH credential, then hands the selected remote file to the browser download manager as an attachment instead of first building a browser Blob. Downloads preserve binary file bytes and are capped at 5 GiB to keep the web service bounded. The bundled nginx proxy streams Host Editor downloads without response buffering, so multi-GB ISO or bundle files can flow from SFTP through CT-Ops to disk without being spooled in the browser or proxy first. Use the remote file browser toolbar download button when the file is too large or too binary to open in the browser editor.

The server-copy control opens a modal for copying files or folders between the current SFTP host and another SSH/SFTP server. The left pane shows the current host filesystem, and the right pane first asks for the other server’s hostname or IP address plus username and password. After the other server connects, both panes show their current folder above a selectable file tree. Use the arrow buttons between the panes to copy selected paths to the other server or back to the current host.

Peer copies run as background jobs and stream over SSH/SFTP through CT-Ops. CT-Ops applies the active SFTP policy to the managed host side of the transfer: copying from the current host requires read access to the selected source path, and copying back to the current host requires write access to the selected destination folder. The ad-hoc peer server is checked by its SSH credentials and remote filesystem permissions. CT-Ops warns when a peer copy expands to more than 200 files so the operator can cancel before starting a large background job. Confirmed peer copies remain bounded by the 5 GiB SFTP transfer limit, and the peer server password is used for the active job only.

The server-copy modal supports multiple peer connection tabs. Each tab has its own selected paths, queued and active jobs, and bottom transfer status, so file counts and byte totals only reflect the selected peer connection. After an operator adds selected paths to the queue, CT-Ops clears that selection to avoid accidentally queueing the same file again. Closing a peer connection tab with queued or active transfers prompts for confirmation, cancels that tab’s active transfer jobs, and switches to the next available connection tab.

While a peer copy is running, the modal shows an overall byte-based progress bar with file counts, transferred bytes, percentage complete, live speed, estimated time remaining, and a needle-based speed indicator with labelled graticules but no circular progress fill. The speed indicator uses a moving average of the current transfer rate over roughly 20 seconds and holds through short polling gaps, so the needle does not snap back to zero between updates. It still settles back to zero when the copy is queued, complete, cancelled, failed, or has stopped moving data. This means a single multi-GB file moves during the transfer instead of staying at 0% until the file finishes. The details button opens a separate log modal showing the current file, current-file byte progress, each copied file, status, and destination path. Use View jobs to review recent background peer-copy jobs, refresh their status, cancel a queued or active transfer, and inspect transferred/total bytes for each file. The background jobs dialog shows one overall progress bar for all visible jobs, followed by one combined file list covering queued, transferring, completed, failed, and cancelled files. Operators can start another peer-copy job while one is already running; the new job appears in the same file list and waits in the queue until the active job completes or is cancelled. The peer-copy overview aggregates queued and active jobs, so selecting two files as separate copy actions still shows the combined file and byte total while CT-Ops transfers one file job at a time. Cancellation is checked during the active file stream so CT-Ops can stop a large file transfer promptly and clean up its temporary upload file.

SFTP security model

SFTP can use two permission layers:

LayerWhat it controls
CT-Ops SFTP global settingsInstance boundary. The server checks whether SFTP is available for the selected host and whether CT-Ops path policy must be enforced.
CT-Ops host editor policyOptional path boundary. When enabled globally, the server checks the host’s enabled state, allowlist, denylist, path mode, file size limits, and payload limits before each remote file operation. Deny rules win over allow rules.
Remote Linux permissionsRequired host boundary. CT-Ops connects as the supplied SSH user. Normal reads and writes use SFTP as that user, so filesystem ownership, mode bits, ACLs, and SSH authentication still decide whether the operation succeeds.

Terminal access and SFTP access are separate features. They share SSH host-key trust and familiar credential fields, but enabling terminal access does not automatically grant SFTP access.

CT-Ops does not store SFTP plaintext SSH credentials. The credentials are used for the active editor operation and are not written to audit metadata.

File browser actions

The toolbar above the remote file browser is available to users with write access under the active SFTP security mode:

ControlWhat it does
+Creates a new empty file in the selected directory and opens it in a tab.
TrashDeletes the selected file or folder after confirmation.
UploadUploads one or more local files, including binary files up to 5 GiB each, into the selected directory.
DownloadDownloads the selected remote file or the currently open remote file through the active SFTP read controls. Binary files are supported up to 5 GiB, even when they cannot be opened in the browser editor.
Server copyOpens a two-pane modal for copying selected files or folders between the current host and another SSH/SFTP server.

Uploads preserve the local file bytes and are intended for SFTP-style transfer workflows. Binary files can be uploaded, but they are not opened in the browser editor. The transfer monitor shows each queued, active, completed, or failed file, while stopped files remain visible for 10 seconds before being removed. Use the per-file Stop upload button or Stop all to cancel queued or active uploads; CT-Ops marks the card as stopped immediately and removes any partial remote file when the SFTP stream is cancelled or fails. CT-Ops bounds uploads to protect the web service from unreasonable request sizes; for larger transfer jobs, use terminal access or a native SFTP client.

The remote file browser toolbar is the primary place to download a selected path. The file editor toolbar also has Download after a text file is open, so operators can save a local copy without making an edit.

Admin configuration

Admins configure global SFTP behavior from Settings -> Security -> SFTP. Admins configure the optional CT-Ops host path policy from the host Management -> Settings tab:

SettingWhat it does
Enable Host EditorEnables the CT-Ops path policy for this host when global SFTP path policy is active. When disabled in that mode, the Tools tab shows a denial state and no file operation can run.
Allowed PathsAbsolute path patterns that engineers may open. Each entry has a mode: read-only, read/write, or sudo-write.
Denied PathsAbsolute path patterns that are always blocked, even if an allow rule also matches. Leave blank to rely only on the allowlist, or use Add recommended denies as a visible starting point for SSH keys, .env files, private keys, and shadow password files.
Backup requiredHost Editor creates a timestamped remote backup before writes. Keep this enabled for editable paths.

Use narrow allowlists when CT-Ops path policy is enabled. Prefer exact files or small configuration directories, for example /etc/nginx/**, rather than broad system paths. If global SFTP path policy is set to Use host permissions only, these host allowlists and denylists are not applied to SFTP operations.

Engineer workflow

The SFTP launcher opens in the same persistent bottom panel as terminal sessions. Terminal and SFTP sessions appear as tabs in one shared panel, so engineers can switch between shell access and file maintenance without stacking separate panels. SFTP tabs support the same tab menu pattern for renaming, colour marking, and closing the session.

After login, the workspace shows a remote-file tree rooted at /, quick-open path entry, and CodeMirror editor. Until a file is open, the editor area shows a centered prompt to choose a file instead of an empty editor surface. Directory expansion follows the SSH user’s Linux permissions and can show files that are not allowed for editing. When global SFTP path policy is enabled, CT-Ops checks the host editor policy when the user opens or changes a selected file. The allowed-path list is collapsed behind an expander so the file browser and editor keep most of the panel space.

Field or controlWhat it does
UsernameSSH username used for remote file operations.
PasswordSSH password for the active editor session. Host Editor does not offer private-key login from this form.
Save in CT-VaultEncrypts and stores the username and password as a per-user, per-host credential before opening the editor.
Vault passwordPassword used in the browser to encrypt or decrypt the saved credential. Required when saving or using a saved credential.
Login with VaultDecrypts the saved credential with the supplied vault password and opens the editor. Shown only when a saved credential exists.
Delete saved CT-Vault credential buttonRemoves the saved credential for the current user and host.
PathAbsolute remote path to open, such as /etc/nginx/nginx.conf. Relative paths and traversal are rejected.
Remote filesExpands remote directories from / using the SSH user’s Linux permissions. Selecting a file fills the path field; opening the file still requires CT-Ops policy access when global path policy is enabled.
OpenCreates a short-lived SFTP session, checks the active SFTP security mode, verifies the SSH host key, connects as the supplied SSH user, and reads the remote file through SFTP.
ReloadRe-reads the current file from the host.
DiffProduces a server-side diff between the current remote file and the editor buffer, then opens it in a modal.
SaveCreates a timestamped backup, then writes the file through SFTP. Available only for read/write policy paths.
Save with sudoUses the sudo-write flow for policy paths marked sudo-write. CT-Ops uses SSH exec only for the sudo backup/write step because SFTP cannot elevate privileges.
RollbackRestores the most recent Host Editor backup for the file when a backup is available and the SSH user can write it back.

The top bar shows the host, open path, matched mode, and dirty state. Read-only paths can be opened but not saved. Sudo-write paths require Save with sudo; normal Save is disabled for those paths.

Backups, diffs, and sudo

Before a save, CT-Ops reads the current remote file and refuses to save if the file changed since it was opened. It then creates a backup next to the original file using a .ctops-backup-<timestamp> suffix.

Diff preview reads the current remote file and compares it with the editor buffer on demand. The result opens in a modal so the editor does not reserve permanent space for a diff panel.

Normal saves use SFTP as the SSH user. Sudo-write saves use the configured SSH user and non-interactive sudo for the copy/write step. If the target host requires an interactive sudo prompt, the save fails and CT-Ops shows an explicit sudo failure message.

Every open/read attempt, write attempt, denied attempt, backup, rollback, and save is written as an audit event with path, SSH username, mode, session ID, hashes, sizes, and backup path where relevant. File contents and SSH credentials are not included in audit metadata.

Access can be denied when host editor access is disabled, no paths have been allowed, the requested path is outside the allowlist, the path matches a blocked pattern, the requested operation is stronger than the matched path mode, the file is too large, the payload is too large, the content appears binary, SSH host-key verification fails, or the remote Linux user lacks filesystem permission.

Use Host Editor for policy-gated file maintenance. Use Terminal when the work is interactive command-line investigation rather than editing a known file.

Delete host

Users with host-management access can delete a host from the host detail page. When supported, the delete flow can also request agent uninstall before the host record is removed.

The delete dialog explains that deletion removes associated data including metrics, checks, alerts, certificates, users, and SSH keys. The action cannot be undone.

ControlWhat it does
Also uninstall agent from the remote hostSends an uninstall command before deleting the host record. It is available only when the agent status is active.
CancelCloses the dialog without deleting.
Delete permanentlyDeletes the CT-Ops host record and associated data.
Uninstall agent & deleteAttempts remote uninstall, then deletes the host record.

If uninstall fails, CT-Ops keeps the dialog open and shows the error. Operators can uncheck the uninstall option and retry host-record deletion when the remote agent cannot receive or complete the uninstall command.

Use deletion for decommissioned hosts, failed test registrations, or records that should no longer appear in inventory. Do not delete a host just to silence an alert; resolve the underlying monitoring, agent, or infrastructure issue instead.