Workers

A-Ops uses workers that customers install locally, so that execution and secrets remain within the customer's environment. Local installation is also required because the worker often needs to interact directly with the customer's infrastructure, applications or networks, which would be difficult from a worker the customer does not manage.

All workers are single-tenanted. In a multi-worker environment, every worker must have the same level of access and rights, because a flow could be executed on any worker at any time.

On request, SecureAck can arrange for a worker to be deployed into our cloud environment, but this comes with additional complexity.

Docker Deployment

Coming soon!

Manual Deployment

System -> Worker Status

From this page click "Download Worker Package"

We recommend using Ubuntu but any operating system that supports Python will work.

Prerequisites

  • python3
  • python3-pip
apt-get install python3 python3-pip

Installing

  1. Transfer and unzip worker_package.zip that was downloaded from the Worker Status page
  2. Run start.sh

Service Installation

nano /etc/systemd/system/a-ops-worker.service

[Unit]
Description=a-ops-worker

[Service]
Type=simple
WorkingDirectory=<PATH TO EXTRACTED FILES>
ExecStart=/usr/bin/python3 <PATH TO EXTRACTED FILES>/A-Ops.py worker <LINE FROM start.sh>

[Install]
WantedBy=multi-user.target

"LINE FROM start.sh" is everything from --tenant to the end of the line in the start.sh file that came in worker_package.zip.

It is recommended to run the A-Ops worker under a dedicated service account. To do this, follow these steps:

> useradd a-ops
> mkdir /home/a-ops
> chown a-ops:a-ops /home/a-ops
> nano /etc/systemd/system/a-ops-worker.service
[Unit]
Description=a-ops-worker

[Service]
Type=simple
User=a-ops
Group=a-ops
WorkingDirectory=<PATH TO EXTRACTED FILES>
ExecStart=/usr/bin/python3 <PATH TO EXTRACTED FILES>/A-Ops.py worker <LINE FROM start.sh>

[Install]
WantedBy=multi-user.target

> systemctl daemon-reload

Network Requirements

Workers require certain outbound network access to communicate with A-Ops SaaS.

At a minimum, you MUST allow access to the domains in the A-Ops SaaS section below.

A-Ops SaaS

Outbound HTTPS ( TCP 443 )

  • prod-eu-west-1.a-ops.cloud

S3 Storage Provider

Refer to the supplier's documentation, i.e. AWS.

Python Repositories

Outbound HTTPS ( TCP 443 )

  • pypi.org
  • pypi.python.org
  • files.pythonhosted.org

This access allows the worker to install required packages. If it is not granted, customers will need to install the requirements manually for the worker to operate. Please note that each integration that is deployed will need additional requirements.
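A preflight check for the outbound rules above, run on the worker host before starting the service. This is an added example, not part of the worker package: it assumes direct outbound access (no HTTP proxy), the function names are hypothetical, and S3 endpoints are left out because they depend on your storage provider.

```python
#!/usr/bin/env python3
"""Preflight check for the worker's outbound HTTPS (TCP 443) requirements."""
import socket
import ssl
import sys

# Hostnames are the ones listed in the Network Requirements section.
REQUIRED = ["prod-eu-west-1.a-ops.cloud"]  # A-Ops SaaS: must be reachable
OPTIONAL = ["pypi.org", "pypi.python.org", "files.pythonhosted.org"]  # pip installs


def tls_probe(host, port=443, timeout=5.0):
    """Connect and complete a TLS handshake with certificate and hostname
    verification enabled. Returns (ok, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Typical cause: a TLS-inspecting proxy whose CA this host does not trust.
        return False, "certificate rejected: " + str(exc.verify_message)
    except OSError as exc:  # DNS failure, refused, timeout, other TLS errors
        return False, type(exc).__name__ + ": " + str(exc)


def preflight(probe=tls_probe, required=REQUIRED, optional=OPTIONAL):
    """Probe every host. Returns (exit_code, rows); exit_code is 1 only when a
    required host fails, since PyPI access can be replaced by manual installs."""
    rows, exit_code = [], 0
    targets = [(h, True) for h in required] + [(h, False) for h in optional]
    for host, is_required in targets:
        ok, detail = probe(host)
        if ok:
            status = "OK"
        elif is_required:
            status, exit_code = "FAIL", 1
        else:
            status = "WARN"
        rows.append((host, status, detail))
    return exit_code, rows


if __name__ == "__main__":
    code, results = preflight()
    for host, status, detail in results:
        print(f"{status:4} {host}:443  {detail}")
    sys.exit(code)
```

Run it as the service account (for example the a-ops user) so the result reflects the same egress path and trust store the worker will use.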

Python Requirements

  • markdown
  • boto3
  • pymongo
  • croniter
  • requests
  • pycryptodome
  • pyjwt
  • pyreadline
  • cryptography
  • onetimepass
  • cherrypy
  • psutil
  • ldap3
  • flask
  • json2html

Default configuration requirements are automatically installed.