Created by Redacted Hosting
One script to rule them all.
OneRing Fleet helps system administrators generate per-host SSH helper scripts and run fleet-wide maintenance or diagnostic commands quickly.
It is designed for environments where SSH hardening is already in place (key-based auth, non-root access, firewall controls), and you want a faster operational workflow for repetitive tasks.
OneRing Fleet has been used with Linux servers managed from a Linux admin workstation / dev desktop.
Important: backend environment setup is the responsibility of the system administrator (or end user). That includes items such as SSH hardening, port forwarding, firewall rules, VPN/Zero Trust access, and the host update script (for example /root/u.sh).
- Generates standardized per-host helper scripts (for example
123_web_ssh.sh) - Supports interactive SSH login,
--update, and ad hoc command execution - Runs fleet-wide commands across generated helpers with logging
- Provides quick operational checks (disk, memory, CPU summary, uptime)
-
generate_ssh_script.sh
Interactive generator that prompts for host/IP, VM ID, SSH username, and script name. It outputs an executable*_ssh.shhelper script. -
fleet_runner.sh
Batch runner that discovers generated host helpers (for example123_web_ssh.sh) and executes either--updateor diagnostic/custom commands. -
ping_check_onering.sh
Preflight reachability check that pings each host extracted from generated helper scripts before runningfleet_runner.sh. -
function_check_onering.sh
Preflight SSH check that runs a non-interactivetruecommand against each generated helper before runningfleet_runner.sh. -
logs/(created automatically)
Timestamped run logs for auditing and troubleshooting.
- Generate host helper scripts:
./generate_ssh_script.sh- Run updates across the fleet:
./ping_check_onering.sh # preflight ICMP reachability check
./function_check_onering.sh # preflight SSH auth/connectivity check (recommended)
./fleet_runner.sh- Run diagnostics:
./ping_check_onering.sh -c 2 -t 1 # ping each host twice, 1s timeout
./function_check_onering.sh # verify SSH path using helper scripts
./fleet_runner.sh -d # disk usage (df -h)
./fleet_runner.sh -m # memory snapshot (free -h)
./fleet_runner.sh -c # CPU summary (top -bn1 | head -n5)
./fleet_runner.sh -u # uptime
./fleet_runner.sh -k "uname -a" # custom command
./fleet_runner.sh -k "uptime" -s # stop on first failureGenerate two host helpers:
$ ./generate_ssh_script.sh
Enter target host/IP: 192.168.1.10
Enter VM ID (1-1000): 101
Enter SSH username: opsadmin
Enter script name (e.g., web_ssh.sh): web
[INFO] Generated ./101_web_ssh.sh
$ ./generate_ssh_script.sh
Enter target host/IP: 192.168.1.11
Enter VM ID (1-1000): 102
Enter SSH username [opsadmin]:
Enter script name (e.g., web_ssh.sh): db
[INFO] Generated ./102_db_ssh.shRun a fleet check and an update:
$ ./ping_check_onering.sh
[INFO] Pinging 192.168.1.10 (from 101_web_ssh.sh) ...
[OK] 192.168.1.10 reachable
---
[INFO] Pinging 192.168.1.11 (from 102_db_ssh.sh) ...
[OK] 192.168.1.11 reachable
...
$ ./function_check_onering.sh
[INFO] Checking SSH to opsadmin@192.168.1.10 via 101_web_ssh.sh ...
[OK] SSH reachable: opsadmin@192.168.1.10
---
[INFO] Checking SSH to opsadmin@192.168.1.11 via 102_db_ssh.sh ...
[OK] SSH reachable: opsadmin@192.168.1.11
...
$ ./fleet_runner.sh -u
[INFO] Running ./101_web_ssh.sh uptime
10:05:12 up 12 days, 2:45, 1 user, load average: 0.09, 0.05, 0.01
[OK] ./101_web_ssh.sh succeeded.
---
[INFO] Running ./102_db_ssh.sh uptime
10:05:13 up 4 days, 8:17, 1 user, load average: 0.22, 0.14, 0.06
[OK] ./102_db_ssh.sh succeeded.
$ ./fleet_runner.sh
[INFO] Running ./101_web_ssh.sh --update
[OK] /root/u.sh completed on 192.168.1.10
...- Harden SSH on target hosts (key-based auth, disable root login, restrict inbound access)
- Use a dedicated admin workstation / dev desk
- Restrict
sudoersto the minimum commands required - Centralize logs if using this in production
- OneRing Fleet is an operations convenience tool. It is not a complete security control or zero-trust implementation.
- The generated
--updatepath callssudo -n /root/u.sh; review and restrict this for your environment. - Port forwarding, firewall policy, VPN/Zero Trust controls, and remote update script design are intentionally left to the system administrator operating the environment.
ping_check_onering.shuses ICMP ping. If your environment blocks ICMP, a host may still be SSH-reachable even when the ping precheck warns.function_check_onering.shruns a non-interactivetruecommand over SSH, which is usually a better preflight than ICMP for hardened environments.- The generator stores the last used SSH username in
.last_ssh_userfor convenience. - Generated helper scripts and fleet logs may contain internal hostnames, usernames, and IPs.
- A
.gitignoreis included to help prevent accidentally committing generated scripts, logs, and cache files. - Prefer passphrase-protected keys and modern key types (for example
ed25519). - Consider short-lived SSH certificates (OpenSSH CA, Vault, Teleport, etc.) as a future upgrade.
The generated --update mode runs:
sudo -n /root/u.shDo not grant broad passwordless sudo for all commands. Instead, allow only the update script for the SSH user.
Example /etc/sudoers.d/ops-update entry (edit with visudo -f /etc/sudoers.d/ops-update):
# Allow opsadmin to run only the approved update script without a password
opsadmin ALL=(root) NOPASSWD: /root/u.sh
Recommended hardening for /root/u.sh:
- Owned by
root:root - Not writable by non-root users (
chmod 700 /root/u.sh) - Uses absolute paths for commands where practical (for example
/usr/bin/apt,/usr/bin/systemctl) - Returns
exit 0only on success, non-zero on failure - Writes to a root-owned log file if you need audit detail
If you need multiple allowed maintenance scripts, list each script explicitly in sudoers rather than granting ALL.
- Add more
fleet_runner.shflags for common checks - Add host grouping (prod/stage/dev) via prefixes or a manifest file
- Replace
--updatewith a configurable command for your environment - Integrate with short-lived credentials or an access broker
- Project name:
OneRing Fleet - Tagline:
One script to rule them all. - Theme note: this is LOTR-inspired branding only and has no affiliation with Tolkien/Middle-earth rights holders.
MIT (see LICENSE).