pry0cc / axiom

The dynamic infrastructure framework for everybody! Distribute the workload of many different scanning tools with ease, including nmap, ffuf, masscan, nuclei, meg and many more!
MIT License
3.92k stars 615 forks

how does "--rm-when-done" work on axiom-fleet? #709

Open bebiksior opened 1 year ago

bebiksior commented 1 year ago

Does the --rm-when-done option delete individual instances upon completion of tasks, or does it wait for the entire fleet to finish and then delete?

pdelteil commented 8 months ago

It deletes one by one as the running command finishes.

0xtavian commented 8 months ago

@bebiksior sorry for the long delay in responding to this. As @pdelteil said, if you use --rm-when-done during the scan, if one instance is finished scanning, axiom deletes it.

axiom does not wait for the entire scan to be finished before killing the instances.

"When the remote scan process has finished, it creates a file named $(hostname) in the remote scan working directory. During the scan, axiom checks for each $(hostname) file to know that part of the scan has completed". So when axiom sees the $(hostname) file for any given instance, it knows that part of the scan has finished. If you use --rm-when-done, it just deletes the instance.

What's happening in the background is, after the --rm-when-done statement runs axiom-rm, it then calls the preflight_function.

The preflight_function will try to ssh into all instances on the fleet and determine which ones it can and can't reach. It will then recreate the "$tmp/hosts" and "$tmp/selected.conf" files, which are used by axiom to track which instances are part of the running scan, removing the ones from the list that have been deleted. This will happen over and over for each instance in the fleet as they are finishing with their scan. Specific to --rm-when-done, at the end of the scan the "$tmp/hosts" and "$tmp/selected.conf" files will be empty, since all of the instances have been deleted and axiom can no longer reach any of them, which will pass this specific check, and the scan will complete.

--rm-when-done is like a controlled failure of the scan. As axiom deletes the instances, the preflight_function justifies which instance can still be reached and once that number is 0, the scan ends.
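A local simulation of the loop described in this thread, added as an example; it is not axiom's source and not code from any commenter. Assumptions: an instance is modelled as a directory, "reachable over ssh" as "the directory still exists", and the function names other than the roles they mirror (preflight, the $(hostname) marker, "$tmp/hosts") are hypothetical.

```shell
#!/bin/sh
# Simulation only: no ssh, no cloud API. Deleting a directory stands in for
# axiom-rm, and "$tmp/selected.conf" is left out to keep the model small.

preflight() {        # $1 = tmp dir: rebuild the hosts list from what is still reachable
    : > "$1/hosts"
    for name in "$1"/fleet/*/; do
        [ -d "$name" ] || continue          # unmatched glob: nothing left
        basename "$name" >> "$1/hosts"
    done
}

finish_scan() {      # $1 = tmp dir, $2 = host: remote side writes its $(hostname) marker
    touch "$1/fleet/$2/scan/$2"
}

poll_once() {        # $1 = tmp dir: controller pass over the hosts it is tracking
    for host in $(cat "$1/hosts"); do
        if [ -f "$1/fleet/$host/scan/$host" ]; then
            rm -rf "$1/fleet/$host"         # stand-in for axiom-rm on that instance
            echo "$host" >> "$1/removed"
            preflight "$1"                  # drop it from the tracked list right away
        fi
    done
}

run_scan() {         # $1 = tmp dir, remaining args = order in which instances finish
    tmp=$1; shift
    mkdir -p "$tmp/fleet"; : > "$tmp/removed"
    for h in "$@"; do mkdir -p "$tmp/fleet/$h/scan"; done
    preflight "$tmp"
    for h in "$@"; do
        finish_scan "$tmp" "$h"
        poll_once "$tmp"
        echo "after $h finished: $(wc -l < "$tmp/hosts") instance(s) still tracked"
    done
    [ ! -s "$tmp/hosts" ]                   # empty list is the "scan complete" condition
}

# Constructed fleet of three instances that finish out of order.
run_scan "$(mktemp -d)" node02 node01 node03
```

In this model an instance leaves the tracked list for the single reason that it is no longer reachable, so the simulation ends the same way whether a directory was removed by `poll_once` or by anything else.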