ungleich-public/cdist
ungleich-public
/
cdist
7
3
Fork 11
Code Issues 56 Pull Requests 15 Projects Releases Wiki Activity

Using cdist to configure non-SSH/non-shell targets #118

New Issue
Closed
opened 2021-11-20 13:24:12 +00:00 by ungleich-gitea · 6 comments
ungleich-gitea commented 2021-11-20 13:24:12 +00:00
Owner
Copy Link

Created by: adam-dej

I want to use cdist to configure targets without SSH connectivity (or without usable shell), that
can be configured using a locally-run utility (for example SNMP-enabled network gear/printers,
Google Cloud Platform projects or Kubernetes clusters).

Why do I want to use cdist for this? I want to combine configuration of non-ssh-enabled devices
with configuration of my servers without launching multiple different configuration tools. For
example, I want to have a type which creates SMB shares on a server, and configures relevant
multi-function printers (over SNMP) to use them as scanning targets. Or I want to write a type
__server_link which configures VLANs and link aggregation on a server and on an SNMP switch,
depending on the $__target_host. Arguments of that type are a single source of truth for both
machines (and for my documentation, since I generate it from my manifests).

Currently possible ways to do it? One option is to use a "config gateway" machine (VM, container or
even localhost), but that adds the necessity to maintain one more thing and introduces one more
point of failure. The other option is to use gencode-local, but then I can't run explorers locally
and have to always generate code. My current workaround is to use gencode-local, HOST is IP of the
SNMP device I want to configure, and I prevent cdist from attempting to connect over SSH with args
--remote-exec true and --remote-copy true. Downsides are no explorers, and the fact that it is
an ugly hack.

I'm willing to implement this feature and submit a PR, but first I would like to know whether you
even want such feature in cdist, and if so, in what way should it be implemented.

My initial proposal consists of two parts:

  • Add support for explorer-local in types. Same thing as explorer, just executed locally.
  • Add support for marking some hosts as "nonshell". If a "nonshell" host is being configured, no SSH
    connection is attempted and execution of all global explorers and type explorers will be skipped.
    Moreover, if any remote code is generated, the configuration should fail (manifests/types that
    expect to be executed against "nonshell" targets will know not to generate any remote code, so
    if some code was generated the config is not intended to be used with "nonshell" targets,
    and unexpected things may happen). In addition to existing __target_* variables, a new
    variable, __target_without_shell would be set when configuring a "nonshell" target.

I'm not really sure what would be the best way to mark a target as "nonshell". One possibility would
be to use the built-in inventory, and define a special tag .nonshell. Special tags are bad, and
somebody may want to use an external inventory. Another possibility is to use a non-standard URI
scheme nonshell://host (ssh-enabled hosts are either without scheme or with
ssh://[user@]hostname, both accepted by ssh(1)). But then cdist would have to parse URIs and
remove schemes, not just pass them through.

What are your thoughts on this feature or on the proposed way of implementing it?

*Created by: adam-dej* I want to use cdist to configure targets without SSH connectivity (or without usable shell), that can be configured using a locally-run utility (for example SNMP-enabled network gear/printers, Google Cloud Platform projects or Kubernetes clusters). Why do I want to use `cdist` for this? I want to combine configuration of non-ssh-enabled devices with configuration of my servers without launching multiple different configuration tools. For example, I want to have a type which creates SMB shares on a server, and configures relevant multi-function printers (over SNMP) to use them as scanning targets. Or I want to write a type `__server_link` which configures VLANs and link aggregation on a server and on an SNMP switch, depending on the `$__target_host`. Arguments of that type are a single source of truth for both machines (and for my documentation, since I generate it from my manifests). Currently possible ways to do it? One option is to use a "config gateway" machine (VM, container or even localhost), but that adds the necessity to maintain one more thing and introduces one more point of failure. The other option is to use `gencode-local`, but then I can't run explorers locally and have to always generate code. My current workaround is to use `gencode-local`, HOST is IP of the SNMP device I want to configure, and I prevent cdist from attempting to connect over SSH with args `--remote-exec true` and `--remote-copy true`. Downsides are no explorers, and the fact that it is an ugly hack. I'm willing to implement this feature and submit a PR, but first I would like to know whether you even want such feature in cdist, and if so, in what way should it be implemented. My initial proposal consists of two parts: - Add support for `explorer-local` in types. Same thing as `explorer`, just executed locally. - Add support for marking some hosts as "nonshell". If a "nonshell" host is being configured, no SSH connection is attempted and execution of all global explorers and type explorers will be skipped. Moreover, if any remote code is generated, the configuration should fail (manifests/types that expect to be executed against "nonshell" targets will know not to generate any remote code, so if some code was generated the config is not intended to be used with "nonshell" targets, and unexpected things may happen). In addition to existing `__target_*` variables, a new variable, `__target_without_shell` would be set when configuring a "nonshell" target. I'm not really sure what would be the best way to mark a target as "nonshell". One possibility would be to use the built-in inventory, and define a special tag `.nonshell`. Special tags are bad, and somebody may want to use an external inventory. Another possibility is to use a non-standard URI scheme `nonshell://host` (ssh-enabled hosts are either without scheme or with `ssh://[user@]hostname`, both accepted by ssh(1)). But then `cdist` would have to parse URIs and remove schemes, not just pass them through. What are your thoughts on this feature or on the proposed way of implementing it?
ungleich-gitea added the
Stale
 label 2021-11-20 13:24:12 +00:00
ungleich-gitea commented 2021-11-20 15:41:02 +00:00
Author
Owner
Copy Link

closed

closed
ungleich-gitea commented 2021-11-20 15:41:03 +00:00
Author
Owner
Copy Link

Created by: darko-poljak

@adam-dej

My current workaround is to use gencode-local, HOST is IP of the
SNMP device I want to configure, and I prevent cdist from attempting to connect over SSH with args
--remote-exec true and --remote-copy true. Downsides are no explorers, and the fact that it is
an ugly hack.

You can do it better. remote-exec and remote-copy can be paths to your exec and copy scripts.
And in those shell scripts you can do the desired behavior.
In cdist-ng transports are actually shell scripts. see https://github.com/asteven/cdist-ng/tree/master/conf/transport and for chroot example see https://github.com/asteven/cdist-ng/blob/master/conf/transport/chroot/exec and https://github.com/asteven/cdist-ng/blob/master/conf/transport/chroot/copy. Following the same principle you can write scripts for your needs.

*Created by: darko-poljak* @adam-dej > My current workaround is to use gencode-local, HOST is IP of the SNMP device I want to configure, and I prevent cdist from attempting to connect over SSH with args --remote-exec true and --remote-copy true. Downsides are no explorers, and the fact that it is an ugly hack. You can do it better. remote-exec and remote-copy can be paths to your exec and copy scripts. And in those shell scripts you can do the desired behavior. In cdist-ng transports are actually shell scripts. see https://github.com/asteven/cdist-ng/tree/master/conf/transport and for chroot example see https://github.com/asteven/cdist-ng/blob/master/conf/transport/chroot/exec and https://github.com/asteven/cdist-ng/blob/master/conf/transport/chroot/copy. Following the same principle you can write scripts for your needs.
ungleich-gitea commented 2021-11-20 15:41:04 +00:00
Author
Owner
Copy Link

Created by: darko-poljak

@adam-dej Are you starting to port this to cdist?

*Created by: darko-poljak* @adam-dej Are you starting to port this to cdist?
ungleich-gitea commented 2021-11-20 15:41:06 +00:00
Author
Owner
Copy Link

Created by: telmich

I like @asteven 's URL based way. Porting it to cdist from cdist-ng is a good idea.

*Created by: telmich* I like @asteven 's URL based way. Porting it to cdist from cdist-ng is a good idea.
ungleich-gitea commented 2021-11-20 15:41:07 +00:00
Author
Owner
Copy Link

Created by: lubo

@darko-poljak @telmich Your thoughts would be highly appreciated.

*Created by: lubo* @darko-poljak @telmich Your thoughts would be highly appreciated.
ungleich-gitea commented 2021-11-20 15:41:08 +00:00
Author
Owner
Copy Link

Created by: asteven

While experimenting with cdist-ng I implemented target host as always being a URI. Then used the scheme in the URI to select the apropriate transport.

This allowed me to do things like:

cdist config test.example.com
# same as
cdist config ssh://test.example.com
# or stacked transports
cdist config ssh+sudo+chroot://sudo-user@test.example.com/path/to/chroot

Guess what I want to say is: I like the idea of using URI's for this kind of stuff.
Not sure if I would call it 'noshell', but that depends on how generic you can make it.

I believe @telmich mentioned he would also like this feature, e.g. to configure his switches, so will let him comment.

*Created by: asteven* While experimenting with [cdist-ng](https://github.com/asteven/cdist-ng/) I implemented target host as always being a URI. Then used the scheme in the URI to select the apropriate transport. This allowed me to do things like: ``` cdist config test.example.com # same as cdist config ssh://test.example.com # or stacked transports cdist config ssh+sudo+chroot://sudo-user@test.example.com/path/to/chroot ``` Guess what I want to say is: I like the idea of using URI's for this kind of stuff. Not sure if I would call it 'noshell', but that depends on how generic you can make it. I believe @telmich mentioned he would also like this feature, e.g. to configure his switches, so will let him comment.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
master
7.0
6.9
py3.10
ander/__package_apt_update_index
haproxy-dualstack
ander/__sed
beta
ander/os_version_debian_sid
evilham-compatibility-fixes
ander/__rsync
__snakeoil_cert
ander/update_readme
__download_improvements
feature/onchange
cleanup/string-formatting
feature/type-relationship-graph
cleanup/ssh-auth-keys-types
__letsencrypt_cert-fix-hooks
bugfix/preos-debug
bugfix/in-script-import
6.8
bugfix/sphinx-docs-build
6.7
cherry-pick-2f433a14
bugfix/make-code-consistent
6.6
regain-py3.2-support
6.5
bugfix/multiple-log-lines
matterbridge
coturn
alpinefix
matrix
new-type/network-interface
feature/process
6.4
feature/info-command
feature/libexec
6.3
preos-plugins-dir-opt
gitlab-ci
6.2
order-dep-fix
6.1
6.0
build/support-pip-from-git
feature/shell-lib
5.1
feature/support-type-deprecation
5.0
feature/python-types
4.11
4.10
shellcheck
4.9
4.8
freebsd-improvements
new-prometheus
key_value-onchange
feature/output_streams
AnotherKamila-patch-1
__letsencrypt_cert-fixes
letsencrypt-cron-fix
4.7
newtype-__letsencrypt_cert
os_explorer_devuan_fix
prometheus-exporter-fixes
daemontools-for-fbsd
type-prometheus-exporter-from-master
prometheus-more-fixes
4.6
4.5
fix-j
steven-backport
4.4
prometheus-fixes
grafana_dashboard
prometheus
daemontools
consul_improvements
feature/trigger
4.3
4.0-pre-not-stable
4.2
4.1
4.0
feature_install_and_preos
3.1
no-dot-cdist
random_dot_cdist
feature_yum_url
feature_files_export
3.0
2.3
2.2
2.1
ssh_callback
2.0
archive_shell_function_approach
1.7
1.6
1.5
1.4
1.3
1.2
1.1
1.0
7.0.0
6.9.8
6.9.7
6.9.6
6.9.5
6.9.4
6.9.3
6.9.2
6.9.1
6.9.0
6.8.0
6.7.0
6.6.0
6.5.6
6.5.5
6.5.4
6.5.3
6.5.2
6.5.1
6.5.0
6.4.0
6.3.0
6.2.0
6.1.1
6.1.0
6.0.4
6.0.3
6.0.2
6.0.1
6.0.0
5.1.3
5.1.2
5.1.1
5.1.0
5.0.2
5.0.1
5.0.0
4.11.1
4.11.0
4.10.11
4.10.10
4.10.9
4.10.8
4.10.7
4.10.6
4.10.5
4.10.4
4.10.3
4.10.2
4.10.1
4.10.0
4.9.1
4.9.0
4.8.4
4.8.3
4.8.2
4.8.1
4.8.0
4.7.3
4.7.2
4.7.1
4.7.0
4.6.1
4.6.0
4.5.0
4.4.4
4.4.3
4.4.2
4.4.1
4.4.0
4.3.2
4.3.1
4.3.0
4.2.2
4.2.1
4.2.0
4.1.0
4.0.0
3.1.13
tn1
3.1.12
3.1.11
3.1.10
3.1.9
3.1.8
3.1.7
3.1.6
4.0.0pre3
3.1.5
3.1.4
3.1.3
3.1.2
3.1.1
3.1.0
4.0.0pre2
3.0.9
3.0.8
3.0.7
3.0.6
3.0.5
3.0.4
3.0.3
4.0.0pre1
3.0.2
3.0.1
3.0.0
2.3.7
2.3.6
2.3.5
2.3.4
2.3.3
2.3.2
2.3.1
2.3.0
2.2.0
2.1.2
2.1.1
2.1.0
2.1.0pre8
2.1.0pre7
2.1.0pre6
2.0.15
2.1.0pre5
2.1.0pre4
2.1.0pre3
2.1.0pre2
2.1.0pre1
2.0.14
2.0.13
2.0.12
2.0.11
2.0.10
2.0.9
2.0.8
2.0.7
2.0.6
2.0.5
2.0.4
2.0.3
2.0.2
2.0.1
2.0.0
1.7.1
1.7.0
1.6.2
1.6.1
1.6.0
1.5.0
1.4.1
1.4.0
1.3.2
1.3.1
1.3.0
1.2.0
1.1.0
1.0.4
1.0.3
1.0.2
1.0.1
1.0.0
0.9.9
0.9.8
0.9.7
0.9.6
0.9.5
0.9.4
0.9.3
0.9.2
0.9.1
0.9
0.8
0.7
0.6
0.5
0.4
0.3
0.2
0.1
Labels
Clear labels   
bugfix

   
cleanup

   
discussion

   
documentation

   
doing

   
done

   
feature

   
improvement

   
packaging

   
Stale

   
testing

   
TODO
No Label
bugfix
cleanup
discussion
documentation
doing
done
feature
improvement
packaging
Stale
testing
TODO
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: ungleich-public/cdist#118
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?