Add multiple REX options. See issues #204 #210 #220
Conversation
bootstrap.py
Outdated
| @@ -880,6 +889,9 @@ def exec_service(service, command, failonerror=True): | |||
| parser.add_option("--unmanaged", dest="unmanaged", action="store_true", help="Add the server as unmanaged. Useful to skip provisioning dependencies.") | |||
| parser.add_option("--rex", dest="remote_exec", action="store_true", help="Install Foreman's SSH key for remote execution.", default=False) | |||
| parser.add_option("--rex-user", dest="remote_exec_user", default="root", help="Local user used by Foreman's remote execution feature.") | |||
| parser.add_option("--rex-capsules", dest="remote_exec_capsules", default="", help="Comma separated list of capsules to install Foreman's SSH keys for remote execution.") | |||
There was a problem hiding this comment.
If there is no default, you can omit the default key completely.
bootstrap.py
Outdated
| @@ -449,12 +458,12 @@ def install_foreman_ssh_key(): | |||
| return | |||
| if os.path.isfile(foreman_ssh_authfile): | |||
| if foreman_ssh_key in open(foreman_ssh_authfile, 'r').read(): | |||
| print_generic("Foreman's SSH key is already present in %s" % foreman_ssh_authfile) | |||
| print_generic("Foreman's SSH key/s already present in %s" % foreman_ssh_authfile) | |||
There was a problem hiding this comment.
why this change? do you want the sentence to be "ssh key (or keys) already present"? given the function still adds one key at a time, I think we should not change that. But we could add the remote-url to indicate which key was present?
There was a problem hiding this comment.
OK. Depending on the rex option you're adding one key at a time or multiple when copying a remote file containing multiples keys. So if adding multiples you're checking multiple keys at a time.
bootstrap.py
Outdated
| return | ||
| output = os.fdopen(os.open(foreman_ssh_authfile, os.O_WRONLY | os.O_CREAT, 0600), 'a') | ||
| output.write(foreman_ssh_key) | ||
| os.chown(foreman_ssh_authfile, userpw.pw_uid, userpw.pw_gid) | ||
| print_generic("Foreman's SSH key was added to %s" % foreman_ssh_authfile) | ||
| print_generic("Foreman's SSH key/s added to %s" % foreman_ssh_authfile) |
There was a problem hiding this comment.
same as above with s/present/added/ ;)
bootstrap.py
Outdated
| if not os.path.isdir(foreman_ssh_dir): | ||
| os.mkdir(foreman_ssh_dir, 0700) | ||
| os.chown(foreman_ssh_dir, userpw.pw_uid, userpw.pw_gid) | ||
| try: | ||
| foreman_ssh_key = urllib2.urlopen("https://%s:9090/ssh/pubkey" % options.foreman_fqdn).read() | ||
| foreman_ssh_key = urllib2.urlopen("%s" % remote_url).read() |
There was a problem hiding this comment.
foreman_ssh_key = urllib2.urlopen(remote_url).read()
no need for string format
bootstrap.py
Outdated
| print_error("Foreman's SSH keys not installed. Directory where authorized_keys file must be located is not found: %s" % options.remote_exec_authpath) | ||
| return | ||
| else: | ||
| foreman_ssh_dir = os.sep.join([userpw.pw_dir, '.ssh']) |
There was a problem hiding this comment.
can we make the default value of options.remote_exec_authpath to be os.path.join(userpw.pw_dir, '.ssh') then we could skip this if/else block.
note that I changed os.sep.join([userpw.pw_dir, '.ssh']) to os.path.join(userpw.pw_dir, '.ssh') which I think is more correct here.
There was a problem hiding this comment.
Actually from the first comment options.remote_exec_authpath is the complete path to authorizedKey file not a dir.
bootstrap.py
Outdated
| if options.remote_exec_authpath: | ||
| if os.path.isdir(options.remote_exec_authpath): | ||
| foreman_ssh_dir = options.remote_exec_authpath | ||
| foreman_ssh_authfile = options.remote_exec_authpath + "/authorized_keys" |
There was a problem hiding this comment.
There is no requirement for the file to be called authorized_keys. In fact, some of my boxes have AuthorizedKeysFile /etc/ssh/authorized_keys/%u (with %u being the username). So I think we just should take the full path at the command line and not alter it at all.
| os.mkdir(foreman_ssh_dir, 0700) | ||
| os.chown(foreman_ssh_dir, userpw.pw_uid, userpw.pw_gid) | ||
| elif not os.path.isfile(options.remote_exec_authpath): | ||
| print_error("Foreman's SSH key not installed. File where authorized_keys must be located is not found: %s" % options.remote_exec_authpath) |
There was a problem hiding this comment.
Why? We can just create the file (and we actually do)?
There was a problem hiding this comment.
That's the case when the path is entered by user. I think must be warned.
If there is no remote_exec_autpath we pick the default one (~/.ssh/authorized_keys) where we create the folder if needed
There was a problem hiding this comment.
We should not create the complete path to the remote_exec_autpath if it's entered by user, otherwise we'll probably face security issues in the future.
bootstrap.py
Outdated
| @@ -880,6 +885,9 @@ def exec_service(service, command, failonerror=True): | |||
| parser.add_option("--unmanaged", dest="unmanaged", action="store_true", help="Add the server as unmanaged. Useful to skip provisioning dependencies.") | |||
| parser.add_option("--rex", dest="remote_exec", action="store_true", help="Install Foreman's SSH key for remote execution.", default=False) | |||
| parser.add_option("--rex-user", dest="remote_exec_user", default="root", help="Local user used by Foreman's remote execution feature.") | |||
| parser.add_option("--rex-capsules", dest="remote_exec_capsules", help="Comma separated list of capsules to install Foreman's SSH keys for remote execution.") | |||
| parser.add_option("--rex-urlkeyfile", dest="remote_exec_url", help="HTTP/S location to install a file containing one or multiple Foreman's SSH keys for remote execution.") | |||
| parser.add_option("--rex-authpath", dest="remote_exec_authpath", help="Local folder where is placed the authorized_keys file to install Foreman's SSH keys for remote execution. Default ~/.ssh") | |||
bootstrap.py
Outdated
| os.chown(foreman_ssh_dir, userpw.pw_uid, userpw.pw_gid) | ||
| if not options.remote_exec_authpath: | ||
| userpw = pwd.getpwnam(options.remote_exec_user) | ||
| options.remote_exec_authpath = os.path.join(*[userpw.pw_dir, '.ssh', 'authorized_keys']) |
There was a problem hiding this comment.
os.path.join(userpw.pw_dir, '.ssh', 'authorized_keys') should do it too, no?
bootstrap.py
Outdated
| if not options.remote_exec_authpath: | ||
| userpw = pwd.getpwnam(options.remote_exec_user) | ||
| options.remote_exec_authpath = os.path.join(*[userpw.pw_dir, '.ssh', 'authorized_keys']) | ||
| foreman_ssh_dir = os.path.join(*[userpw.pw_dir, '.ssh']) |
|
rebased and squashed this (thanks @fcami for the rebase work) |
--rex-capsules: Comma separated list of capsules to install Foreman's SSH keys for remote execution. It will iterate all over the list of capsules. If one fails user is notified by the task keeps going until all capsules were tried. --rex-urlkeyfile: HTTP/S location to install a file containing one or multiple Foreman's SSH keys for remote execution. Instead of iterate you can create file on /pub folder that contains all ssh public keys of several capsules and tell bootstrap.py to fech it and install on the local user authorized keys file. --rex-authpath. Local folder where is placed the authorized_keys file to install Foreman's SSH keys for remote execution. Default ~/.ssh. I found that several customers specifies AuthorizedKeysFile on sshd_config on a different path. Closes: #204 Closes: #210
|
@sideangleside as I got my hands dirty in here, you'll have to do the final review |
|
@alosadagrande it looks like this needs a rebase |
|
@beav @alosadagrande @evgeni I'll rebase |
|
@beav @evgeni could you please review and pull from https://github.com/fcami/katello-client-bootstrap/tree/multi-key-rex - it seems OK to me but I haven't tested it yet. |
|
@fcami the change looks OK to me but I didn't test it either. If @alosadagrande doesn't update this PR, the best bet is for you to create a new branch, then do "git cherry-pick -x 299b034" and resolve the conflict, then do "git add bootstrap.py" and "git commit". That way it will keep the authorship information correct and you can then create a new PR and we can close this one out. |
|
obsoleted by #281 |
Add multiple options to remote execution in order to solve enhancement #204 and #210:
--rex-capsules: Comma separated list of capsules to install Foreman's SSH keys for remote execution. It will iterate all over the list of capsules. If one fails user is notified by the task keeps going until all capsules were tried.
--rex-urlkeyfile: HTTP/S location to install a file containing one or multiple Foreman's SSH keys for remote execution. Instead of iterate you can create file on /pub folder that contains all ssh public keys of several capsules and tell bootstrap.py to fech it and install on the local user authorized keys file.
--rex-authpath. Local folder where is placed the authorized_keys file to install Foreman's SSH keys for remote execution. Default ~/.ssh. I found that several customers specifies AuthorizedKeysFile on sshd_config on a different path.