<div dir="ltr">Team,<div><br></div><div>A "bicycle" will have to be present anyway, as code which interacts with Ansible, because as far as I understand Ansible on its own cannot provide all the functionality in one go, so a wrapper for it will have to be present anyway.<br></div><div><br></div><div>I think Alexander and I will look into converting Timmy into an Ansible-based tool. One way to go would be to make Ansible a backend option for Timmy (ssh being the alternative).</div><div><br></div><div>I agree that the folder-driven structure is not easy to manipulate, but you don't want to put all your scripts inside Ansible playbooks; that would also be a mess. Something in-between would work well - a folder structure for available </div><div>scripts, and playbooks which link to them via -script: &lt;path-here&gt;, generated statically (default) or dynamically if need be.<br></div><div><br></div><div>Also, I imagine some functions might not be directly possible with Ansible, such as parallel stdout delivery of binary data into separate files (Timmy pulls logs compressed on the fly on the node side through ssh, to avoid using any unnecessary disk space on env nodes and the local machine). 
So again, for maximum efficiency and specific tasks a separate tool might be required, apart from Ansible.</div><div><br></div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Apr 20, 2016 at 5:36 PM, Dmitriy Novakovskiy <span dir="ltr">&lt;<a href="mailto:dnovakovskiy@mirantis.com" target="_blank">dnovakovskiy@mirantis.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">There's a thread on openstack-dev, but<div>- nobody replied there (I checked this morning)</div><div>- I can't link PROD tickets there :)<div><div class="h5"><span></span><br><div><br>On Thursday, April 21, 2016, Mike Scherbakov &lt;<a href="mailto:mscherbakov@mirantis.com" target="_blank">mscherbakov@mirantis.com</a>&gt; wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Guys,<div>how did it turn into openstack-dev from mos-dev, without any tags and original messages... ?</div><div><br></div><div>Please be careful when replying... There is a different email thread started in OpenStack dev, with [Fuel] in the subject. </div><div><br><div class="gmail_quote"><div dir="ltr">On Wed, Apr 20, 2016 at 10:08 AM Dmitry Nikishov &lt;<a>dnikishov@mirantis.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Dmitry,</div><div><br></div><div>I mean, currently shotgun fetches services' configuration along with astute.yaml. These files contain passwords, keys, tokens. I believe these should be sanitized. Or, better yet, there should be an option to sanitize sensitive data from fetched files.</div><div><br></div><div><br></div>Aleksandr,<div><br></div><div>Currently Fuel has a service non-root account with passwordless sudo enabled. 
This may change in the future (the passwordless part); however, now I don't see an issue there.</div><div>Additionally, it is possible for users to configure sudo for the user-facing account however they like.</div><div><br></div><div>In regards to having this tool use a non-root account, there are 2 items:</div><div>- execute commands that require elevated privileges (the easy part -- the user has to be able to execute these commands with sudo and without a password)</div><div>- copy files that this user doesn't have read privileges for.</div><div><br></div><div>For the second item, there are 2 possible solutions:</div><div>1. Give the non-root user read privileges for these files.</div><div>Pros:</div><div>- More straightforward, generally acceptable way</div><div>Cons:</div><div>- Requires additional implementation to give permissions to the user</div><div>- (?) Not very extensible: to allow copying a new file, we'd have to first add it to the tool's config, and somehow implement adding read permissions</div><div><br></div><div>2. Somehow allow copying these files with sudo.</div><div>Pros:</div><div>- Simpler implementation: we'll just need to make sure that the user can do passwordless sudo</div><div>- Extensible: to add more files, it's enough to just specify them in the tool's configuration.</div><div>Cons:</div><div>- Non-obvious, obscure way</div><div>- Relies on having to be able to do something like "sudo cat /path/to/file", which is not much better than just giving the user read privileges. In fact, the only difference between this and giving the user the read rights is that it is possible to allow "sudo cat" for files that don't yet exist, whereas giving permissions requires that these files are already on the filesystem.</div><div>What way do you think is more appropriate? 
</div><div><br></div></div><div class="gmail_extra"></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Apr 20, 2016 at 5:28 AM, Aleksandr Dobdin <span dir="ltr"><<a>adobdin@mirantis.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div style="font-family:tahoma,sans-serif">Dmitry,</div><div style="font-family:tahoma,sans-serif"><br></div><div style="font-family:tahoma,sans-serif"><span>You can create a non-root user account without
root privileges, but you need to add it to the appropriate groups and
configure sudo permissions (even if you add this user to the root group,
it will fail with the iptables command, for example) to get config files and
launch requested commands.<span></span></span> <span>I
suppose that it is possible to note this possibility in the
documentation and provide a customer with detailed instructions on how
to set up this user account.<span></span></span> <span>There are some logs that will also be missing from the snapshot with the message </span><span><code>permission denied</code></span><span> (only the root user has access to some files with 0600 mask).<br>This user account could be specified in config.yaml (ssh -&gt; opts option)</span><br></div><span><div style="font-family:tahoma,sans-serif"><span><br></span></div><div><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font size="2"><span style="font-family:tahoma,sans-serif">Sincerely yours,<br>Aleksandr Dobdin<br>Senior Operations Engineer<br>Mirantis <div style="font-family:tahoma,sans-serif;display:inline">Inc.</div></span></font><span style="font-family:monospace,monospace"><br></span></div></div></div></div></div></div></div>
</span></div>
<br>__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div></div><div class="gmail_extra">-- <br><div><div dir="ltr"><div><div><font color="#888888"><span><font color="#888888">Dmitry Nikishov,<br></font></span></font></div><font color="#888888"><span><font color="#888888">Deployment Engineer,<br></font></span></font></div><font color="#888888"><span><font color="#888888">Mirantis, Inc.</font></span></font><font color="#888888"><span></span></font></div></div>
</div>
</blockquote></div></div></div><div dir="ltr">-- <br></div><div dir="ltr">Mike Scherbakov<br>#mihgen</div>
</blockquote></div></div></div></div><br><div class="HOEnZb"><div class="h5"><br>-- <br><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><span style="font-family:arial,helvetica,sans-serif">---</span></div><div><font face="arial, helvetica, sans-serif"><b>Dmitriy Novakovskiy</b></font></div><div><span style="font-family:arial,helvetica,sans-serif;font-size:small">Sr. Product Manager, Mirantis EMEA</span></div><div><font face="arial, helvetica, sans-serif" size="2"><b>NL:</b> <a href="tel:%2B31650270244" value="+31650270244" target="_blank">+31650270244</a></font><font size="2"> | </font><span style="font-family:arial,helvetica,sans-serif"><b>UA:</b> <a href="tel:%2B380509372711" value="+380509372711" target="_blank">+380509372711</a></span><font size="2"> | </font><span style="font-family:arial,helvetica,sans-serif"><b>US:</b> </span><font face="arial, helvetica, sans-serif">+<a href="tel:16506606291" value="+16506606291" target="_blank">16506606291</a></font></div></div></div></div></div></div></div></div><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr">Yours sincerely,</div><div dir="ltr">Dmitry Sutyagin</div><div dir="ltr">OpenStack Escalations Engineer</div><div dir="ltr">Mirantis, Inc.</div></div></div></div></div></div>
</div></div>
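An added example to go with Dmitry Nikishov's point about sanitizing fetched files (written for this page; it is not shotgun, Timmy or Fuel code): a Python redactor for the YAML and INI style files a snapshot tool collects, which blanks values under secret-looking keys and passwords embedded in connection URLs while leaving the file structure intact. The key-name list, the ***REDACTED*** marker and both sample inputs are constructed assumptions.

```python
import re

# Key names that typically hold secrets in astute.yaml and service configs
# (constructed, non-exhaustive list; extend it for your deployment).
SENSITIVE_KEY = re.compile(
    r"password|passwd|secret|token|credential|api_key|private_key|auth_key|fernet",
    re.IGNORECASE)
# One-line "key: value" (YAML) or "key = value" (INI) entries, optional list dash.
KV_LINE = re.compile(r"^(\s*(?:-\s+)?['\"]?)([A-Za-z0-9_.\-]+)(['\"]?\s*[:=]\s*)(.*)$")
# user:password@host inside connection URLs, e.g. mysql+pymysql://nova:pw@10.0.0.2/nova
URL_CRED = re.compile(r"(://[^:/@\s]+:)([^@\s]+)(@)")
REDACTED = "***REDACTED***"

def sanitize_line(line: str) -> str:
    """Redact secrets on one line of a fetched config file, keeping its structure."""
    # URL-embedded passwords sit under innocuous keys such as "connection": do them first.
    line = URL_CRED.sub(lambda m: m.group(1) + REDACTED + m.group(3), line)
    match = KV_LINE.match(line)
    if match is None:
        return line
    prefix, key, sep, value = match.groups()
    # A key with no inline value opens a nested mapping; its children are handled
    # line by line, so leave the line as it is.
    if not value.strip() or not SENSITIVE_KEY.search(key):
        return line
    return f"{prefix}{key}{sep}{REDACTED}"

def sanitize_text(text: str) -> str:
    """Redact every line of a fetched file; the caller writes the result back."""
    return "\n".join(sanitize_line(l) for l in text.split("\n"))

# Constructed sample inputs in the shape of astute.yaml and a service config.
SAMPLE_ASTUTE = """access:
  user: admin
  password: changeme-admin
  tenant: admin
rabbit:
  password: changeme-rabbit
fuel_version: '8.0'
"""
SAMPLE_SERVICE_CONF = """[database]
connection = mysql+pymysql://nova:changeme-db@192.168.0.2/nova
[keystone_authtoken]
admin_token = changeme-token
auth_url = http://192.168.0.2:35357/
"""

if __name__ == "__main__":
    print(sanitize_text(SAMPLE_ASTUTE) + sanitize_text(SAMPLE_SERVICE_CONF))
```

Run in place of a plain copy step, this keeps the snapshot usable for debugging while the secrets that would otherwise leave the node never reach the archive.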