CT-Ops
Host Tools
How to use CT-Ops host tasks, automated logs, terminal access, and host deletion controls.
The Tools area contains actions and action history. Unlike monitoring and inventory pages, tools can execute work against the host or expose direct terminal access, so use them deliberately.
The area contains three child tabs:
| Tab | What it is for |
|---|---|
| Tasks | Operator-triggered task runs, including scripts, patching, service actions, and Ansible ping checks. |
| Logs | System-triggered automated runs for the host, such as software inventory scans. |
| Terminal | Interactive SSH terminal access when global, host, role, and credential checks allow it. |
Tasks tab
The Tasks tab lets permitted operators run supported host tasks and review task history. Available actions include patch runs, custom scripts, service actions, and Ansible ping checks when automation integration is enabled.
Task history shows task type, details, status, started time, and a link to the live or completed task run. It also supports selecting old task runs for deletion. CT-Ops lists the latest 50 operator-triggered runs for the host. The table refreshes every 5 seconds while any visible run is pending or running, then every 30 seconds after all visible runs are complete or failed.
The action buttons are role-aware:
| Button | Availability | What it does |
|---|---|---|
| Run Script | Users who can run host tasks. | Opens the custom script dialog for this single host. |
| Ansible Ping | Linux hosts, users who can run host tasks, and enabled Automation Integration Settings for Ansible. | Opens the Ansible ping dialog. |
| Service | Linux hosts and users who can run host tasks. | Opens the systemctl service action dialog. |
| Run Patch | Linux hosts and users who can run host tasks. | Opens the package patch dialog. |
The task history table contains:
| Column or control | Meaning |
|---|---|
| Select checkbox | Selects one run for deletion. |
| Select all checkbox | Selects or clears all visible runs. |
| Task | Task type, such as Patch, Script, Service, Patch status, or Ansible ping. |
| Details | Type-specific summary. Patch rows show All updates or Security only and may show a Reboot req. badge. Script rows show sh, bash, or python3. Service rows show action and service name plus an Active or Inactive result badge when available. Ansible ping rows show that the run is an SSH connectivity check. |
| Status | Pending, Running, Completed, or Failed. |
| Started | Start time when available, otherwise creation time. |
| View live / View | Opens the task run. Active runs use View live. |
| Selection toolbar | Appears only after one or more rows are selected. It shows the selected count and a destructive Delete {count} button. |
| Delete {count} | Deletes the selected task run history rows and related per-host task data. It does not undo work that already ran on the host. |
When there are no operator-triggered task runs, CT-Ops shows No task runs yet and directs you to use the action buttons above the table.
Patch tasks
Patch tasks can run all updates or security-only updates. The task result can show whether a reboot is required.
The Run Patch dialog contains:
| Field | What it does |
|---|---|
| All updates | Runs a full system upgrade using the package manager detected by the agent. |
| Security updates only | Runs only security-flagged package updates where supported. |
| Cancel | Closes the dialog without creating a task run. |
| Run Patch | Creates a one-host patch task run with maximum parallelism of 1 and opens the task detail page. The button shows a spinner while the request is in flight. |
The agent detects supported Linux package managers such as apt, dnf, yum, and zypper. Patch controls are not shown for non-Linux hosts, and the backend also rejects patch runs for non-Linux hosts.
Use patch tasks when the host needs controlled remediation from CT-Ops. For larger rollouts, prefer group-level patching from Hosts -> Groups so you can control concurrency across multiple hosts.
Custom scripts
Custom script tasks can run shell, Bash, or Python scripts. Output is streamed through the task run.
The Run Script dialog contains:
| Field | What it does |
|---|---|
| Interpreter | Selects sh, bash, or python3. The default is sh. |
| Script | Script body to run on the host. The Run Script button is disabled until the body contains non-whitespace text. |
| Cancel | Closes the dialog without creating a task run. |
| Run Script | Creates a one-host script task run with maximum parallelism of 1 and opens the task detail page. The button shows a spinner while the request is in flight. |
Validation and behavior:
| Rule | Detail |
|---|---|
| Script size | Each interpreter has a backend script body limit of 65,536 characters, shown as 64 KB in validation errors. |
| Empty scripts | The UI blocks whitespace-only scripts. |
| Interpreter values | CT-Ops only accepts sh, bash, and python3. |
| Output | Output is streamed through the task detail page. |
Use scripts for controlled one-off diagnostics or remediation. Keep scripts small, explicit, and reversible where possible. For repeated workflows, consider moving the logic into a reviewed automation template rather than pasting ad hoc scripts.
Service actions
Service actions can start, stop, restart, or check status for a named service. The service picker can query services from the host to reduce typing mistakes.
The Service Action dialog contains:
| Field or control | What it does |
|---|---|
| Service name | Service name to pass to systemctl. Operators can type a name such as nginx, postgresql, or ssh. |
| Query button | Asks the agent to list services on the host. The button shows a spinner while the query is pending. |
| Query result row | Inserts the selected service into Service name. CT-Ops removes a trailing .service suffix before inserting the value and shows the service active_sub state next to each result. |
| Start | Starts the service. |
| Stop | Stops the service. |
| Restart | Restarts the service. This is the default selected action. |
| Status | Checks current service status without changing it. |
| Cancel | Closes the dialog without creating a task run. |
| Run Action | Creates a one-host service task run with maximum parallelism of 1 and opens the task detail page. The button shows a spinner while the request is in flight. |
Service management requires Linux with systemctl. The run button is disabled
until a service name is present. Service action controls are not shown for
non-Linux hosts from the Tasks tab, and the backend also rejects service
actions for non-Linux hosts.
Use service actions when you need a controlled service operation with recorded evidence. Review the task result to confirm whether the service is active or inactive after the action.
Ansible ping
Ansible ping checks SSH connectivity to Linux hosts using a configured credential profile and SSH port. It is available only when Ansible automation is enabled, the Ansible API is healthy, at least one credential profile exists, and the current user can run host tasks.
The Run Ansible Ping dialog contains:
| Field | What it does |
|---|---|
| Credential profile | Saved Ansible SSH credential profile. Each choice shows the profile name and username. If none exist, CT-Ops directs administrators to create one under Automation Integration Settings. |
| SSH port | SSH port to test. The UI allows 1 through 65,535 and defaults to 22. |
| Cancel | Closes the dialog without creating a task run. |
| Run Ping | Creates and immediately completes a one-host Ansible ping task run, then opens the task detail page. Disabled until a credential profile is selected. |
Validation and behavior:
| Rule | Detail |
|---|---|
| Host OS | Only Linux hosts can run Ansible ping. Non-Linux hosts are rejected. |
| SSH port | The backend accepts only whole-number ports from 1 through 65,535. |
| Credential | The selected credential profile must still exist in the current instance. |
| Automation readiness | CT-Ops checks the stored Ansible automation setting and Ansible API health before running the ping. |
| Output safety | Ansible output is redacted before it is stored on the task run. |
| Stored config | CT-Ops stores the credential profile ID and target inventory. The SSH port is stored only when it is not the default 22. |
Use it before running SSH-based automation. A failed ping tells you to fix credentials, host reachability, SSH port, or host policy before attempting a more meaningful task.
Logs tab
The Logs tab shows automated system runs for the host, such as periodic software inventory scans. Each row shows task type, details, status, start time, and a link to the task run.
These are system-triggered runs rather than operator-triggered task runs. Use them when data looks stale or missing and you need to see whether background collection was pending, running, completed, or failed. CT-Ops lists the latest 50 automated runs for the host. The table refreshes every 5 seconds while any visible run is pending or running, then every 30 seconds after all visible runs are complete or failed.
| Column or control | Meaning |
|---|---|
| Select checkbox | Selects one automated run for deletion. |
| Select all checkbox | Selects or clears all visible automated runs. |
| Task | Automated run type. Software inventory runs are labelled Software inventory. Other task types are shown with underscores replaced by spaces. |
| Details | Type-specific summary. Software inventory rows show package count and collection source when the run result is available. |
| Status | Pending, Running, Completed, or Failed. |
| Started | When the automated run started, or when it was created if it has not started. |
| View live / View | Opens the task run detail. |
| Selection toolbar | Appears only after one or more rows are selected. |
| Delete {count} | Deletes the selected automated run history rows. For software inventory runs, CT-Ops also deletes associated software scan rows for those runs. |
When there are no automated runs, CT-Ops shows No automated runs yet and explains that rows will appear after the system schedules its next scan.
Use this tab to verify background collection activity. For example, if software inventory is stale, check automated logs to see whether scans are failing, pending, or not running.
Terminal tab
The Terminal tab launches controlled terminal access when the feature is enabled, the host allows it, SSH host keys are trusted, and the current user is authorised.
The terminal launcher checks access before opening a session. Access can be blocked by Terminal Access Settings, the host-level Enable Terminal switch, the host user allowlist, untrusted or changed SSH host keys, role permissions, or a disconnected agent. When access is blocked, CT-Ops shows the denial reason instead of launching a session.
The launch form contains:
| Field or control | What it does |
|---|---|
| Username | SSH username for the target host. CT-Ops stores the last-used username for the current browser, user, and host in local browser storage. |
| SSH Port | SSH port for the target host. Defaults to 22; the last valid port for the host is read from local browser storage when present. |
| Password | SSH password for the target account. The field is required for direct login and is cleared after opening a terminal. |
| Save in CT-Vault | Encrypts and stores the username and password as a per-user, per-host terminal credential before opening the terminal. |
| Vault password | Password used in the browser to encrypt or decrypt the saved terminal credential. Required when saving or using a saved credential. |
| Login with Vault | Decrypts the saved terminal credential with the supplied vault password and opens the terminal. Shown only when a saved credential exists. |
| Delete saved CT-Vault credential button | Removes the saved terminal credential for the current user and host. |
| Open Terminal | Opens the terminal panel for the host using the typed username, password, and parsed SSH port. Disabled until username, password, and port are present. |
Terminal and Host Editor sessions open in the shared bottom workspace. Use the full-screen toolbar button to expand the active tab to the whole viewport, then use the restore button to return it to the bottom panel.
Validation and behavior:
| Rule | Detail |
|---|---|
| Minimum role | Terminal access requires at least engineer-level membership. |
| Instance switch | If global terminal access is disabled, no host terminal can launch. |
| Host switch | If the host disables terminal access, the launcher shows a denial message. |
| Host allowlist | If the host has an allowlist, only listed users can open the terminal. |
| SSH port | The port must be a whole number from 1 through 65,535. Empty, non-numeric, or out-of-range values are rejected. |
| SSH username for saved credentials | CT-Vault terminal credentials require a POSIX-style username up to 32 characters: start with a letter or underscore, then letters, numbers, underscores, or dashes. |
| Password and vault password length | Saved terminal credential passwords and vault passwords are limited to 4,096 characters. |
| CT-Vault encryption | Terminal credentials are encrypted in the browser with PBKDF2-SHA-256 and AES-256-GCM before being stored. CT-Ops does not return plaintext saved credentials from the server. |
| Direct access | CT-Ops forces terminal direct access off. Sessions are SSH-backed and use the supplied target host credentials. |
Use terminal access for interactive investigation when passive telemetry and task workflows are not enough. Prefer checks, logs, and tasks where they provide the same answer, because they produce more structured evidence.
SFTP tab
The SFTP tab is the file companion to terminal access. It lets an engineer browse remote paths, upload and download files, and open, edit, diff, back up, save, and roll back remote text files over SSH/SFTP.
Global SFTP Security Settings decide whether CT-Ops applies the host-level allowlist and denylist before file operations, or whether SFTP relies on the remote host permissions only. When CT-Ops path policy is enabled, the host editor policy is configured by an administrator on the host Management -> Settings tab and opening, saving, creating, deleting, uploading, downloading, and rolling back require a matching CT-Ops allow rule. When CT-Ops path policy is disabled, Linux permissions for the SSH user decide whether the remote read, write, upload, download, or delete succeeds.
The remote file browser starts at / and lists directories that the SSH user
can list on the host. Double-click a file in the browser to open it; each opened
file appears as a tab above the editor. Closing a tab with unsaved changes
prompts before discarding the draft. Global SFTP host availability can deny the
tab for a specific host even when SFTP is otherwise enabled across the instance,
or invert access so only selected hosts can launch SFTP.
SFTP status messages, including upload errors such as an existing remote file, can be dismissed manually and clear automatically after five seconds. The same messages remain visible in the collapsible current-session activity log, so an operator can return later in the same browser session and review what happened.
Uploads use the Host Editor streaming upload route rather than a base64 server action payload. This keeps large maintenance artifacts, such as installer images or support bundles, out of browser and web-server memory while preserving per-file progress in the transfer monitor. New files are added to the upload queue first; the queue processor wakes periodically and starts the next file only when no other upload is active, so CT-Ops transfers one uploaded file at a time. CT-Ops still enforces the active SFTP security mode, audits successful uploads, and rejects files over the 5 GiB upload limit before the browser starts sending an oversized file. The bundled nginx proxy streams Host Editor uploads to the web app instead of buffering the whole request first, so multi-GB ISO files can start transferring immediately and a stopped upload is cancelled promptly. Completed and failed transfer cards can be dismissed individually, or the transfer monitor can clear all finished transfers at once. Operators can stop an active or queued upload; stopped uploads are shown as a user-stopped warning rather than an error for 10 seconds, then removed from the transfer list. The transfer monitor can also be hidden from its own header and shown again from the remote file browser toolbar.
Downloads use a separate streaming read route. CT-Ops checks the active Host Editor session, the active SFTP security mode, and the SSH credential, then hands the selected remote file to the browser download manager as an attachment instead of first building a browser Blob. Downloads preserve binary file bytes and are capped at 5 GiB to keep the web service bounded. The bundled nginx proxy streams Host Editor downloads without response buffering, so multi-GB ISO or bundle files can flow from SFTP through CT-Ops to disk without being spooled in the browser or proxy first. Use the remote file browser toolbar download button when the file is too large or too binary to open in the browser editor.
The server-copy control opens a modal for copying files or folders between the current SFTP host and another SSH/SFTP server. The left pane shows the current host filesystem, and the right pane first asks for the other server’s hostname or IP address plus username and password. After the other server connects, both panes show their current folder above a selectable file tree. Use the arrow buttons between the panes to copy selected paths to the other server or back to the current host.
Peer copies run as background jobs and stream over SSH/SFTP through CT-Ops. CT-Ops applies the active SFTP policy to the managed host side of the transfer: copying from the current host requires read access to the selected source path, and copying back to the current host requires write access to the selected destination folder. The ad-hoc peer server is checked by its SSH credentials and remote filesystem permissions. CT-Ops warns when a peer copy expands to more than 200 files so the operator can cancel before starting a large background job. Confirmed peer copies remain bounded by the 5 GiB SFTP transfer limit, and the peer server password is used for the active job only.
The server-copy modal supports multiple peer connection tabs. Each tab has its own selected paths, queued and active jobs, and bottom transfer status, so file counts and byte totals only reflect the selected peer connection. After an operator adds selected paths to the queue, CT-Ops clears that selection to avoid accidentally queueing the same file again. Closing a peer connection tab with queued or active transfers prompts for confirmation, cancels that tab’s active transfer jobs, and switches to the next available connection tab.
While a peer copy is running, the modal shows an overall byte-based progress bar with file counts, transferred bytes, percentage complete, live speed, estimated time remaining, and a needle-based speed indicator with labelled graticules but no circular progress fill. The speed indicator uses a moving average of the current transfer rate over roughly 20 seconds and holds through short polling gaps, so the needle does not snap back to zero between updates. It still settles back to zero when the copy is queued, complete, cancelled, failed, or has stopped moving data. This means a single multi-GB file moves during the transfer instead of staying at 0% until the file finishes. The details button opens a separate log modal showing the current file, current-file byte progress, each copied file, status, and destination path. Use View jobs to review recent background peer-copy jobs, refresh their status, cancel a queued or active transfer, and inspect transferred/total bytes for each file. The background jobs dialog shows one overall progress bar for all visible jobs, followed by one combined file list covering queued, transferring, completed, failed, and cancelled files. Operators can start another peer-copy job while one is already running; the new job appears in the same file list and waits in the queue until the active job completes or is cancelled. The peer-copy overview aggregates queued and active jobs, so selecting two files as separate copy actions still shows the combined file and byte total while CT-Ops transfers one file job at a time. Cancellation is checked during the active file stream so CT-Ops can stop a large file transfer promptly and clean up its temporary upload file.
SFTP security model
SFTP can use two permission layers:
| Layer | What it controls |
|---|---|
| CT-Ops SFTP global settings | Instance boundary. The server checks whether SFTP is available for the selected host and whether CT-Ops path policy must be enforced. |
| CT-Ops host editor policy | Optional path boundary. When enabled globally, the server checks the host’s enabled state, allowlist, denylist, path mode, file size limits, and payload limits before each remote file operation. Deny rules win over allow rules. |
| Remote Linux permissions | Required host boundary. CT-Ops connects as the supplied SSH user. Normal reads and writes use SFTP as that user, so filesystem ownership, mode bits, ACLs, and SSH authentication still decide whether the operation succeeds. |
Terminal access and SFTP access are separate features. They share SSH host-key trust and familiar credential fields, but enabling terminal access does not automatically grant SFTP access.
CT-Ops does not store SFTP plaintext SSH credentials. The credentials are used for the active editor operation and are not written to audit metadata.
File browser actions
The toolbar above the remote file browser is available to users with write access under the active SFTP security mode:
| Control | What it does |
|---|---|
| + | Creates a new empty file in the selected directory and opens it in a tab. |
| Trash | Deletes the selected file or folder after confirmation. |
| Upload | Uploads one or more local files, including binary files up to 5 GiB each, into the selected directory. |
| Download | Downloads the selected remote file or the currently open remote file through the active SFTP read controls. Binary files are supported up to 5 GiB, even when they cannot be opened in the browser editor. |
| Server copy | Opens a two-pane modal for copying selected files or folders between the current host and another SSH/SFTP server. |
Uploads preserve the local file bytes and are intended for SFTP-style transfer workflows. Binary files can be uploaded, but they are not opened in the browser editor. The transfer monitor shows each queued, active, completed, or failed file, while stopped files remain visible for 10 seconds before being removed. Use the per-file Stop upload button or Stop all to cancel queued or active uploads; CT-Ops marks the card as stopped immediately and removes any partial remote file when the SFTP stream is cancelled or fails. CT-Ops bounds uploads to protect the web service from unreasonable request sizes; for larger transfer jobs, use terminal access or a native SFTP client.
The remote file browser toolbar is the primary place to download a selected path. The file editor toolbar also has Download after a text file is open, so operators can save a local copy without making an edit.
Admin configuration
Admins configure global SFTP behavior from Settings -> Security -> SFTP. Admins configure the optional CT-Ops host path policy from the host Management -> Settings tab:
| Setting | What it does |
|---|---|
| Enable Host Editor | Enables the CT-Ops path policy for this host when global SFTP path policy is active. When disabled in that mode, the Tools tab shows a denial state and no file operation can run. |
| Allowed Paths | Absolute path patterns that engineers may open. Each entry has a mode: read-only, read/write, or sudo-write. |
| Denied Paths | Absolute path patterns that are always blocked, even if an allow rule also matches. Leave blank to rely only on the allowlist, or use Add recommended denies as a visible starting point for SSH keys, .env files, private keys, and shadow password files. |
| Backup required | Host Editor creates a timestamped remote backup before writes. Keep this enabled for editable paths. |
Use narrow allowlists when CT-Ops path policy is enabled. Prefer exact files or
small configuration directories, for example /etc/nginx/**, rather than broad
system paths. If global SFTP path policy is set to Use host permissions only,
these host allowlists and denylists are not applied to SFTP operations.
Engineer workflow
The SFTP launcher opens in the same persistent bottom panel as terminal sessions. Terminal and SFTP sessions appear as tabs in one shared panel, so engineers can switch between shell access and file maintenance without stacking separate panels. SFTP tabs support the same tab menu pattern for renaming, colour marking, and closing the session.
After login, the workspace shows a remote-file tree rooted at /, quick-open
path entry, and CodeMirror editor. Until a file is open, the editor area shows a
centered prompt to choose a file instead of an empty editor surface. Directory
expansion follows the SSH user’s Linux permissions and can show files that are
not allowed for editing. When global SFTP path policy is enabled, CT-Ops checks
the host editor policy when the user opens or changes a selected file. The
allowed-path list is collapsed behind an expander so the file browser and editor
keep most of the panel space.
| Field or control | What it does |
|---|---|
| Username | SSH username used for remote file operations. |
| Password | SSH password for the active editor session. Host Editor does not offer private-key login from this form. |
| Save in CT-Vault | Encrypts and stores the username and password as a per-user, per-host credential before opening the editor. |
| Vault password | Password used in the browser to encrypt or decrypt the saved credential. Required when saving or using a saved credential. |
| Login with Vault | Decrypts the saved credential with the supplied vault password and opens the editor. Shown only when a saved credential exists. |
| Delete saved CT-Vault credential button | Removes the saved credential for the current user and host. |
| Path | Absolute remote path to open, such as /etc/nginx/nginx.conf. Relative paths and traversal are rejected. |
| Remote files | Expands remote directories from / using the SSH user’s Linux permissions. Selecting a file fills the path field; opening the file still requires CT-Ops policy access when global path policy is enabled. |
| Open | Creates a short-lived SFTP session, checks the active SFTP security mode, verifies the SSH host key, connects as the supplied SSH user, and reads the remote file through SFTP. |
| Reload | Re-reads the current file from the host. |
| Diff | Produces a server-side diff between the current remote file and the editor buffer, then opens it in a modal. |
| Save | Creates a timestamped backup, then writes the file through SFTP. Available only for read/write policy paths. |
| Save with sudo | Uses the sudo-write flow for policy paths marked sudo-write. CT-Ops uses SSH exec only for the sudo backup/write step because SFTP cannot elevate privileges. |
| Rollback | Restores the most recent Host Editor backup for the file when a backup is available and the SSH user can write it back. |
The top bar shows the host, open path, matched mode, and dirty state. Read-only paths can be opened but not saved. Sudo-write paths require Save with sudo; normal Save is disabled for those paths.
Backups, diffs, and sudo
Before a save, CT-Ops reads the current remote file and refuses to save if the
file changed since it was opened. It then creates a backup next to the original
file using a .ctops-backup-<timestamp> suffix.
Diff preview reads the current remote file and compares it with the editor buffer on demand. The result opens in a modal so the editor does not reserve permanent space for a diff panel.
Normal saves use SFTP as the SSH user. Sudo-write saves use the configured SSH user and non-interactive sudo for the copy/write step. If the target host requires an interactive sudo prompt, the save fails and CT-Ops shows an explicit sudo failure message.
Every open/read attempt, write attempt, denied attempt, backup, rollback, and save is written as an audit event with path, SSH username, mode, session ID, hashes, sizes, and backup path where relevant. File contents and SSH credentials are not included in audit metadata.
Access can be denied when host editor access is disabled, no paths have been allowed, the requested path is outside the allowlist, the path matches a blocked pattern, the requested operation is stronger than the matched path mode, the file is too large, the payload is too large, the content appears binary, SSH host-key verification fails, or the remote Linux user lacks filesystem permission.
Use Host Editor for policy-gated file maintenance. Use Terminal when the work is interactive command-line investigation rather than editing a known file.
Delete host
Users with host-management access can delete a host from the host detail page. When supported, the delete flow can also request agent uninstall before the host record is removed.
The delete dialog explains that deletion removes associated data including metrics, checks, alerts, certificates, users, and SSH keys. The action cannot be undone.
| Control | What it does |
|---|---|
| Also uninstall agent from the remote host | Sends an uninstall command before deleting the host record. It is available only when the agent status is active. |
| Cancel | Closes the dialog without deleting. |
| Delete permanently | Deletes the CT-Ops host record and associated data. |
| Uninstall agent & delete | Attempts remote uninstall, then deletes the host record. |
If uninstall fails, CT-Ops keeps the dialog open and shows the error. Operators can uncheck the uninstall option and retry host-record deletion when the remote agent cannot receive or complete the uninstall command.
Use deletion for decommissioned hosts, failed test registrations, or records that should no longer appear in inventory. Do not delete a host just to silence an alert; resolve the underlying monitoring, agent, or infrastructure issue instead.