These are tasks currently done by opening a terminal, SSH-ing into a host, running a command, and repeating per host. ctrl-exec replaces that pattern with a single command from the control host, with structured output, across all relevant hosts at once.

Tags on each agent (env=prod, role=db, site=london) allow operations to target logical groups without maintaining separate host lists in every tool that needs them.

System Health and Monitoring

  • Check disk usage on all hosts
  • Check memory and swap usage
  • Check CPU load averages
  • List top processes by CPU or memory
  • Check system uptime and last reboot time
  • Check kernel version across the fleet
  • Check for OOM killer events in dmesg
  • Check NTP sync status and drift
  • Check system temperature (servers and edge devices)

Service Management

  • Restart a service (nginx, postgres, php-fpm)
  • Reload a service config without restart (nginx -s reload)
  • Check service status
  • Start a stopped service
  • Stop a runaway service
  • Check which services are failed
  • List all enabled services
  • Check a service's recent log output (last N lines of journalctl)

Log Inspection

  • Tail the last 100 lines of an application log
  • Search a log file for errors in the last hour
  • Count error occurrences by type
  • Check auth.log for failed login attempts
  • Check for specific error patterns (5xx responses in nginx access log)
  • Rotate logs manually
  • Archive and compress old logs

Network and Connectivity

  • Check open ports and listening services (ss -tlnp)
  • Check active connections to a service
  • Check firewall rules (iptables / nftables)
  • Add or remove a firewall rule
  • Check DNS resolution from the host
  • Check external connectivity (ping or curl to a known endpoint)
  • Check network interface status and IP addresses
  • Check routing table
  • Check bandwidth usage

Package and Software Management

  • Check installed version of a package
  • Check if a security update is available for a specific package
  • Apply a single package update
  • Check if a reboot is required after updates
  • List recently installed or updated packages
  • Verify a binary is present and the correct version

Certificate and TLS Management

  • Check expiry date of a TLS certificate (local file or live endpoint)
  • Check which cert is currently served by a site
  • Reload certificates after renewal (trigger certbot or acme.sh)
  • Verify certificate chain is valid
  • Check that a cert and key match

Database Operations

  • Check database service is running and accepting connections
  • Run a health check query
  • Check database size and table sizes
  • Show active connections and any blocking queries
  • Trigger a backup
  • Verify backup completed and check file size
  • Flush slow query log
  • Check replication lag (MySQL, PostgreSQL)

File and Storage Operations

  • Check a specific file exists and its permissions
  • Check a directory size
  • Find files modified in the last N hours
  • Check available inodes (not just disk space)
  • Verify a config file syntax (nginx -t, php -l)
  • Check a mount is present and healthy
  • Trigger an rsync or backup job

User and Access Management

  • List currently logged-in users
  • Check last login times
  • Check for unexpected sudo usage
  • Lock or unlock a user account
  • Force a password expiry
  • Check SSH authorised keys on a host

Application-Specific Tasks

  • Clear an application cache
  • Trigger a queue worker restart
  • Check queue depth
  • Run a database migration
  • Toggle maintenance mode on/off
  • Warm a cache after deployment
  • Trigger a config reload in an application

OpenWrt-Specific Tasks

These are tasks currently done by SSH-ing into each router or access point individually - particularly painful across multiple sites or CPE device fleets.

  • Check connected WiFi clients (count and MAC addresses)
  • Check WAN IP and uptime
  • Check signal strength and channel utilisation
  • Restart a network interface
  • Flush DNS cache (restart dnsmasq)
  • Check firewall rules
  • Check DHCP leases
  • Update a blocklist
  • Check available flash and RAM
  • Restart a VPN tunnel
  • Check whether a specific host can reach the internet
  • Trigger a package update check
  • Reboot the device
  • Check which firmware version is running across a fleet of APs

The OpenWrt case is particularly well suited to ctrl-exec — `ash` and `opkg` are present, Perl is available via opkg, and SSH-to-every-AP is a common and tedious operational pattern for anyone managing multiple sites or a WiFi fleet.

The Common Thread

Every task above is currently done interactively over SSH, sequentially host by host, undocumented, unlogged, and unscoped. ctrl-exec makes each one a named, allowlisted, logged, parallelisable operation that any authorised person or system can trigger without SSH access.

See Use Cases for the problem/solution context behind each category, and Plugins for the ctrl-exec-plugins repository of ready-built scripts.