From 628165fd0a4e03bb7bbef3a464447924195e10b8 Mon Sep 17 00:00:00 2001 From: elijah Date: Tue, 23 Oct 2012 03:53:06 -0700 Subject: added a bunch of new commands, including init-node and deploy --- lib/leap_cli/commands/bootstrap.rb | 131 --------------------------- lib/leap_cli/commands/clean.rb | 6 +- lib/leap_cli/commands/compile.rb | 16 ++-- lib/leap_cli/commands/deploy.rb | 21 +++-- lib/leap_cli/commands/node.rb | 179 +++++++++++++++++++++++++++++++++++++ lib/leap_cli/commands/pre.rb | 5 ++ lib/leap_cli/commands/shell.rb | 12 +++ lib/leap_cli/commands/user.rb | 19 ++-- lib/leap_cli/commands/util.rb | 159 ++++++++++++++++++++++++++------ 9 files changed, 367 insertions(+), 181 deletions(-) delete mode 100644 lib/leap_cli/commands/bootstrap.rb create mode 100644 lib/leap_cli/commands/node.rb create mode 100644 lib/leap_cli/commands/shell.rb (limited to 'lib/leap_cli/commands') diff --git a/lib/leap_cli/commands/bootstrap.rb b/lib/leap_cli/commands/bootstrap.rb deleted file mode 100644 index 11188fb..0000000 --- a/lib/leap_cli/commands/bootstrap.rb +++ /dev/null @@ -1,131 +0,0 @@ -require 'net/ssh/known_hosts' -require 'tempfile' - -module LeapCli; module Commands - - #desc 'Create a new configuration for a node' - #command :'new-node' do |c| - # c.action do |global_options,options,args| - # end - #end - - desc 'Bootstraps a node, setting up ssh keys and installing prerequisites' - arg_name '', :optional => false, :multiple => false - command :'init-node' do |c| - c.action do |global_options,options,args| - node_name = args.first - node = manager.node(node_name) - assert!(node, "Node '#{node_name}' not found.") - progress("Pinging #{node.name}") - assert_run!("ping -W 1 -c 1 #{node.ip_address}", "Could not ping #{node_name} (address #{node.ip_address}). Try again, we only send a single ping.") - install_public_host_key(node) - end - end - - desc 'not yet implemented' - command :'rename-node' do |c| - c.action do |global_options,options,args| - end - end - - desc 'not yet implemented' - command :'rm-node' do |c| - c.action do |global_options,options,args| - end - end - - # - # saves the public ssh host key for node into the provider directory. - # - # see `man sshd` for the format of known_hosts - # - def install_public_host_key(node) - progress("Fetching public SSH host key for #{node.name}") - public_key, key_type = get_public_key_for_ip(node.ip_address) - if key_in_known_hosts?(public_key, [node.name, node.ip_address, node.domain.name]) - progress("Public ssh host key for #{node.name} is already trusted (key found in known_hosts)") - else - fingerprint, bits = ssh_key_fingerprint(key_type, public_key) - puts - say("This is the SSH host key you got back from node \"#{node.name}\"") - say("Type -- #{bits} bit #{key_type.upcase}") - say("Fingerprint -- " + fingerprint) - say("Public Key -- " + public_key) - if !agree("Is this correct? ") - bail! - else - puts - # we write the file without ipaddress or hostname, because these might change later, but we want to keep the same key. - write_file!([:node_ssh_pub_key, node.name], [key_type, public_key].join(' ')) - update_known_hosts - end - end - - end - - def get_public_key_for_ip(address) - assert_bin!('ssh-keyscan') - output = assert_run! "ssh-keyscan -t rsa #{address}", "Could not get the public host key. Maybe sshd is not running?" - line = output.split("\n").grep(/^[^#]/).first - assert! line, "Got zero host keys back!" - ip, key_type, public_key = line.split(' ') - return [public_key, key_type] - end - - # - # returns true if the particular host_key is found in a "known_hosts" file installed for the current user or on this machine. - # - # - host_key: string of ssh public host key - # - identifiers: an array of identifers (which could be an ip address or hostname) - # - def key_in_known_hosts?(host_key, identifiers) - identifiers.each do |identifier| - Net::SSH::KnownHosts.search_for(identifier).each do |key| - # i am not sure what format ssh keys are in, but key.to_pem returns something different than we need. - # this little bit of magic code will encode correctly. I think the format is base64 encoding of bits, exponent, and modulus. - key_string = [Net::SSH::Buffer.from(:key, key).to_s].pack("m*").gsub(/\s/, "") - return true if key_string == host_key - end - end - return false - end - - # - # gets a fingerprint for a key string - # - def ssh_key_fingerprint(type, key) - assert_bin!('ssh-keygen') - file = Tempfile.new('leap_cli_public_key_') - begin - file.write(type) - file.write(" ") - file.write(key) - file.close - output = assert_run!("ssh-keygen -l -f #{file.path}", "Failed to run ssh-keygen on public key.") - bits, fingerprint, filename, key_type = output.split(' ') - return [fingerprint, bits] - ensure - file.close - file.unlink - end - end - - # - # generates the known_hosts file. - # - # we do a 'late' binding on the hostnames and ip part of the ssh pub key record in order to allow - # for the possibility that the hostnames or ip has changed in the node configuration. - # - def update_known_hosts - buffer = StringIO.new - manager.nodes.values.each do |node| - hostnames = [node.name, node.domain.internal, node.domain.full, node.ip_address].join(',') - pub_key = read_file([:node_ssh_pub_key,node.name]) - if pub_key - buffer << [hostnames, pub_key].join(' ') - end - end - write_file!(:known_hosts, buffer.string) - end - -end; end \ No newline at end of file diff --git a/lib/leap_cli/commands/clean.rb b/lib/leap_cli/commands/clean.rb index ed9c901..8847b7d 100644 --- a/lib/leap_cli/commands/clean.rb +++ b/lib/leap_cli/commands/clean.rb @@ -4,11 +4,11 @@ module LeapCli desc 'Removes all files generated with the "compile" command' command :clean do |c| c.action do |global_options,options,args| - Dir.glob(named_path(:hiera, '*')).each do |file| + Dir.glob(path([:hiera, '*'])).each do |file| remove_file! file end - remove_file! named_path(:authorized_keys) - remove_file! named_path(:known_hosts) + remove_file! path(:authorized_keys) + remove_file! path(:known_hosts) end end diff --git a/lib/leap_cli/commands/compile.rb b/lib/leap_cli/commands/compile.rb index 429d1c5..c5bb93e 100644 --- a/lib/leap_cli/commands/compile.rb +++ b/lib/leap_cli/commands/compile.rb @@ -5,20 +5,14 @@ module LeapCli desc 'Compile json files to hiera configs' command :compile do |c| c.action do |global_options,options,args| - manager.load(Path.provider) - ensure_dir(Path.hiera) - manager.export(Path.hiera) - update_authorized_keys - update_known_hosts + update_compiled_ssh_configs # this must come first, hiera configs import these files. + manager.export Path.named_path(:hiera_dir) # generate a hiera .yaml config for each node end end - def update_authorized_keys - buffer = StringIO.new - Dir.glob(named_path(:user_ssh, '*')).each do |keyfile| - buffer << File.read(keyfile) - end - write_file!(:authorized_keys, buffer.string) + def update_compiled_ssh_configs + update_authorized_keys + update_known_hosts end end diff --git a/lib/leap_cli/commands/deploy.rb b/lib/leap_cli/commands/deploy.rb index 9ec984c..c5efed5 100644 --- a/lib/leap_cli/commands/deploy.rb +++ b/lib/leap_cli/commands/deploy.rb @@ -6,12 +6,21 @@ module LeapCli arg_name '' command :deploy do |c| c.action do |global_options,options,args| - nodes = manager.filter(args) - say "Deploying to these nodes: #{nodes.keys.join(', ')}" - if agree "Continue? " - say "deploy not yet implemented" - else - say "OK. Bye." + nodes = manager.filter!(args) + if nodes.size > 1 + say "Deploying to these nodes: #{nodes.keys.join(', ')}" + unless agree "Continue? " + quit! "OK. Bye." + end + end + leap_root = '/root/leap' + ssh_connect(nodes) do |ssh| + ssh.leap.mkdir_leap leap_root + ssh.leap.rsync_update do |server| + node = manager.node(server.host) + {:source => Path.named_path([:hiera, node.name]), :dest => "#{leap_root}/config/#{node.name}.yaml"} + end + ssh.apply_puppet end end end diff --git a/lib/leap_cli/commands/node.rb b/lib/leap_cli/commands/node.rb new file mode 100644 index 0000000..46c8fb6 --- /dev/null +++ b/lib/leap_cli/commands/node.rb @@ -0,0 +1,179 @@ +require 'net/ssh/known_hosts' +require 'tempfile' + +module LeapCli; module Commands + + ## + ## COMMANDS + ## + + #desc 'Create a new configuration for a node' + #command :'new-node' do |c| + # c.action do |global_options,options,args| + # end + #end + + desc 'Bootstraps a node, setting up ssh keys and installing prerequisites' + arg_name '', :optional => false, :multiple => false + command :'init-node' do |c| + c.action do |global_options,options,args| + node = get_node_from_args(args) + ping_node(node) + save_public_host_key(node) + update_compiled_ssh_configs + ssh_connect(node, :bootstrap => true) do |ssh| + ssh.install_authorized_keys + ssh.install_prerequisites + end + end + end + + desc 'not yet implemented' + command :'rename-node' do |c| + c.action do |global_options,options,args| + end + end + + desc 'not yet implemented' + arg_name '', :optional => false, :multiple => false + command :'rm-node' do |c| + c.action do |global_options,options,args| + remove_file!() + end + end + + ## + ## PUBLIC HELPERS + ## + + # + # generates the known_hosts file. + # + # we do a 'late' binding on the hostnames and ip part of the ssh pub key record in order to allow + # for the possibility that the hostnames or ip has changed in the node configuration. + # + def update_known_hosts + buffer = StringIO.new + manager.nodes.values.each do |node| + hostnames = [node.name, node.domain.internal, node.domain.full, node.ip_address].join(',') + pub_key = read_file([:node_ssh_pub_key,node.name]) + if pub_key + buffer << [hostnames, pub_key].join(' ') + end + end + write_file!(:known_hosts, buffer.string) + end + + def get_node_from_args(args) + node_name = args.first + node = manager.node(node_name) + assert!(node, "Node '#{node_name}' not found.") + node + end + + private + + ## + ## PRIVATE HELPERS + ## + + # + # saves the public ssh host key for node into the provider directory. + # + # see `man sshd` for the format of known_hosts + # + def save_public_host_key(node) + progress("Fetching public SSH host key for #{node.name}") + public_key, key_type = get_public_key_for_ip(node.ip_address) + pub_key_path = Path.named_path([:node_ssh_pub_key, node.name]) + if Path.exists?(pub_key_path) + if file_content_equals?(pub_key_path, node_pub_key_contents(key_type, public_key)) + progress("Public SSH host key for #{node.name} has not changed") + else + bail!("WARNING: The public SSH host key we just fetched for #{node.name} doesn't match what we have saved previously. Remove the file #{pub_key_path} if you really want to change it.") + end + elsif key_in_known_hosts?(public_key, [node.name, node.ip_address, node.domain.name]) + progress("Public SSH host key for #{node.name} is trusted (key found in your ~/.ssh/known_hosts)") + else + fingerprint, bits = ssh_key_fingerprint(key_type, public_key) + puts + say("This is the SSH host key you got back from node \"#{node.name}\"") + say("Type -- #{bits} bit #{key_type.upcase}") + say("Fingerprint -- " + fingerprint) + say("Public Key -- " + public_key) + if !agree("Is this correct? ") + bail! + else + puts + write_file!([:node_ssh_pub_key, node.name], node_pub_key_contents(key_type, public_key)) + end + end + end + + def get_public_key_for_ip(address) + assert_bin!('ssh-keyscan') + output = assert_run! "ssh-keyscan -t rsa #{address}", "Could not get the public host key. Maybe sshd is not running?" + line = output.split("\n").grep(/^[^#]/).first + assert! line, "Got zero host keys back!" + ip, key_type, public_key = line.split(' ') + return [public_key, key_type] + end + + # + # returns true if the particular host_key is found in a "known_hosts" file installed for the current user or on this machine. + # + # - host_key: string of ssh public host key + # - identifiers: an array of identifers (which could be an ip address or hostname) + # + def key_in_known_hosts?(host_key, identifiers) + identifiers.each do |identifier| + Net::SSH::KnownHosts.search_for(identifier).each do |key| + # i am not sure what format ssh keys are in, but key.to_pem returns something different than we need. + # this little bit of magic code will encode correctly. I think the format is base64 encoding of bits, exponent, and modulus. + key_string = [Net::SSH::Buffer.from(:key, key).to_s].pack("m*").gsub(/\s/, "") + return true if key_string == host_key + end + end + return false + end + + # + # gets a fingerprint for a key string + # + # i think this could better be done this way: + # blob = Net::SSH::Buffer.from(:key, key).to_s + # fingerprint = OpenSSL::Digest::MD5.hexdigest(blob).scan(/../).join(":") + # + def ssh_key_fingerprint(type, key) + assert_bin!('ssh-keygen') + file = Tempfile.new('leap_cli_public_key_') + begin + file.write(type) + file.write(" ") + file.write(key) + file.close + output = assert_run!("ssh-keygen -l -f #{file.path}", "Failed to run ssh-keygen on public key.") + bits, fingerprint, filename, key_type = output.split(' ') + return [fingerprint, bits] + ensure + file.close + file.unlink + end + end + + def ping_node(node) + progress("Pinging #{node.name}") + assert_run!("ping -W 1 -c 1 #{node.ip_address}", "Could not ping #{node.name} (address #{node.ip_address}). Try again, we only send a single ping.") + end + + # + # returns a string that can be used for the contents of the files/nodes/x/x_ssh_key.pub file + # + # We write the file without ipaddress or hostname, because these might change later. + # The ip and host is added at when compiling the combined known_hosts file. + # + def node_pub_key_contents(key_type, public_key) + [key_type, public_key].join(' ') + end + +end; end \ No newline at end of file diff --git a/lib/leap_cli/commands/pre.rb b/lib/leap_cli/commands/pre.rb index ada6a6a..d80a9c2 100644 --- a/lib/leap_cli/commands/pre.rb +++ b/lib/leap_cli/commands/pre.rb @@ -20,6 +20,11 @@ module LeapCli # set verbosity # LeapCli.log_level = global[:verbose].to_i + if LeapCli.log_level > 1 + ENV['GLI_DEBUG'] = "true" + else + ENV['GLI_DEBUG'] = "false" + end # # require a root directory diff --git a/lib/leap_cli/commands/shell.rb b/lib/leap_cli/commands/shell.rb new file mode 100644 index 0000000..df392bd --- /dev/null +++ b/lib/leap_cli/commands/shell.rb @@ -0,0 +1,12 @@ +module LeapCli; module Commands + + desc 'Log in to the specified node with an interactive shell' + arg_name '', :optional => false, :multiple => false + command :shell, :ssh do |c| + c.action do |global_options,options,args| + node = get_node_from_args(args) + exec "ssh -l root -o 'HostName=#{node.ip_address}' -o 'HostKeyAlias=#{node.name}' -o 'UserKnownHostsFile=#{path(:known_hosts)}' -o 'StrictHostKeyChecking=yes' #{node.name}" + end + end + +end; end \ No newline at end of file diff --git a/lib/leap_cli/commands/user.rb b/lib/leap_cli/commands/user.rb index 00c4b62..7be91c8 100644 --- a/lib/leap_cli/commands/user.rb +++ b/lib/leap_cli/commands/user.rb @@ -1,13 +1,14 @@ require 'gpgme' # -# notes: +# perhaps we want to verify that the key files are actually the key files we expect. +# we could use 'file' for this: # -# file ~/.gnupg/00440025.asc -# /home/elijah/.gnupg/00440025.asc: PGP public key block +# > file ~/.gnupg/00440025.asc +# ~/.gnupg/00440025.asc: PGP public key block # -# file ~/.ssh/id_rsa.pub -# /home/elijah/.ssh/id_rsa.pub: OpenSSH RSA public key +# > file ~/.ssh/id_rsa.pub +# ~/.ssh/id_rsa.pub: OpenSSH RSA public key # module LeapCli @@ -103,5 +104,13 @@ module LeapCli return `gpg --armor --export-options export-minimal --export #{key_id}`.strip end + def update_authorized_keys + buffer = StringIO.new + Dir.glob(path([:user_ssh, '*'])).each do |keyfile| + buffer << File.read(keyfile) + end + write_file!(:authorized_keys, buffer.string) + end + end end \ No newline at end of file diff --git a/lib/leap_cli/commands/util.rb b/lib/leap_cli/commands/util.rb index b5a102f..803fe88 100644 --- a/lib/leap_cli/commands/util.rb +++ b/lib/leap_cli/commands/util.rb @@ -1,34 +1,143 @@ -module LeapCli - module Commands - extend self - extend LeapCli::Util +module LeapCli; module Commands - # - # keeps prompting the user for a numbered choice, until they pick a good one or bail out. - # - # block is yielded and is responsible for rendering the choices. - # - def numbered_choice_menu(msg, items, &block) - while true - say("\n" + msg + ':') - items.each_with_index &block - say("q. quit") - index = ask("number 1-#{items.length}> ") - if index.empty? - next - elsif index =~ /q/ + extend self + extend LeapCli::Util + + def path(name) + Path.named_path(name) + end + + # + # keeps prompting the user for a numbered choice, until they pick a good one or bail out. + # + # block is yielded and is responsible for rendering the choices. + # + def numbered_choice_menu(msg, items, &block) + while true + say("\n" + msg + ':') + items.each_with_index &block + say("q. quit") + index = ask("number 1-#{items.length}> ") + if index.empty? + next + elsif index =~ /q/ + bail! + else + i = index.to_i - 1 + if i < 0 || i >= items.length bail! else - i = index.to_i - 1 - if i < 0 || i >= items.length - bail! - else - return i - end + return i end end end + end + + # + # + # + # FYI + # Capistrano::Logger::IMPORTANT = 0 + # Capistrano::Logger::INFO = 1 + # Capistrano::Logger::DEBUG = 2 + # Capistrano::Logger::TRACE = 3 + # + def ssh_connect(nodes, options={}, &block) + node_list = parse_node_list(nodes) + + cap = new_capistrano + cap.logger.level = LeapCli.log_level + user = options[:user] || 'root' + cap.set :user, user + cap.set :ssh_options, ssh_options + cap.set :use_sudo, false # we may want to change this in the future + + # supply drop options + cap.set :puppet_source, [Path.platform, 'puppet'].join('/') + cap.set :puppet_destination, '/root/leap' + #cap.set :puppet_command, 'puppet apply' + cap.set :puppet_lib, "puppet/modules" + cap.set :puppet_parameters, '--confdir=puppet puppet/manifests/site.pp' + #cap.set :puppet_stream_output, false + #puppet apply --confdir=puppet puppet/manifests/site.pp | grep -v 'warning:.*is deprecated' + #puppet_cmd = "cd #{puppet_destination} && #{sudo_cmd} #{puppet_command} --modulepath=#{puppet_lib} #{puppet_parameters}" + + # + # allow password authentication when we are bootstraping a single node. + # + if options[:bootstrap] && node_list.size == 1 + hostname = node_list.values.first.name + cap.set(:password) { ask("SSH password for #{user}@#{hostname}> ") } # only called if needed + # this can be used instead to hide echo -- Capistrano::CLI.password_prompt + end + + node_list.each do |name, node| + cap.server node.name, :dummy_arg, node_options(node) + end + yield cap + end + + + private + + + # + # For available options, see http://net-ssh.github.com/net-ssh/classes/Net/SSH.html#method-c-start + # + def ssh_options + { + :config => false, + :user_known_hosts_file => path(:known_hosts), + :paranoid => true + } + end + + # + # For notes on advanced ways to set server-specific options, see + # http://railsware.com/blog/2011/11/02/advanced-server-definitions-in-capistrano/ + # + def node_options(node) + password_proc = Proc.new {Capistrano::CLI.password_prompt "Root SSH password for #{node.name}"} # only called if needed + { + :password => password_proc, + :ssh_options => { + :host_key_alias => node.name, + :host_name => node.ip_address, + :port => node.ssh.port + } + } + end + def new_capistrano + # load once the library files + @capistrano_enabled ||= begin + require 'capistrano' + #require 'capistrano/cli' + require 'leap_cli/remote/plugin' + Capistrano.plugin :leap, LeapCli::Remote::Plugin + true + end + + # create capistrano instance + cap = Capistrano::Configuration.new + + # add tasks to capistrano instance + cap.load File.dirname(__FILE__) + '/../remote/tasks.rb' + + return cap end -end + + def parse_node_list(nodes) + if nodes.is_a? Config::Object + Config::ObjectList.new(node_list) + elsif nodes.is_a? Config::ObjectList + nodes + elsif nodes.is_a? String + manager.filter!(nodes) + else + bail! "argument error" + end + end + +end; end -- cgit v1.2.3