Add more attributes for most of the Scaleft Configuration Options #8

Open: wants to merge 9 commits into base: master
125 changes: 123 additions & 2 deletions README.md
@@ -8,19 +8,120 @@ Only works with RHEL and Debian based distros.

Attributes
----------

**NOTE: if the Default is `nil` below, that means it does not override the
default of the ScaleFT options as described at
https://www.scaleft.com/docs/sftd/#common-configuration-options**

#### scaleft::default
<table>
<tr>
<th>Key</th>
<th>Type</th>
<th>Description</th>
<th>Default</th>
<th>Attribute Default</th>
<th>ScaleFT Default</th>
</tr>
<tr>
<td><tt>['scaleft']['initial_url_required']</tt></td>
<td>String</td>
<td>If set, recreates the same behavior as v0.1.0. I.E. you must supply the initial_url parameter</td>
<td>true</td>
<td><tt>N/A</tt></td>
</tr>
<tr>
<td><tt>['scaleft']['initial_url']</tt></td>
<td>String</td>
<td>your scaleft endpoint</td>
<td>When AutoEnroll is set to true, this option specifies the InitialURL
that the server can use to auto-enroll.
When an enrollment.token is provided, this option is ignored.
If you are using the ScaleFT SaaS, you can leave this unset</td>
<td>nil</td>
<td><tt>unset</tt></td>
</tr>
<tr>
<td><tt>['scaleft']['access_address']</tt></td>
<td>String</td>
<td>For hosts with multiple interfaces, or behind DNATs; specifies the address clients will use when connecting to this host</td>
<td>nil</td>
<td><tt>unset</tt></td>
</tr>
<tr>
<td><tt>['scaleft']['alt_names']</tt></td>
<td>String</td>
<td>A list of alternative hostnames for this server. These names can be used as targetnames in sft ssh</td>
<td>nil</td>
<td><tt>unset</tt></td>
</tr>
<tr>
<td><tt>['scaleft']['auto_enroll'] </tt></td>
<td>String</td>
<td>When true, sftd will attempt to automatically enroll with ScaleFT on initial startup</td>
<td>nil</td>
<td><tt>true</tt></td>
</tr>
<tr>
<td><tt>['scaleft']['bastion']</tt></td>
<td>String</td>
<td>Specifies the bastion-host clients will automatically use when connecting to this host</td>
<td>nil</td>
<td><tt>unset</tt></td>
</tr>
<tr>
<td><tt>['scaleft']['canonical_name']</tt></td>
<td>String</td>
<td>Specifies the name clients should use/see when connecting to this host. Overrides the name found with hostname</td>
<td>nil</td>
<td><tt>unset</tt></td>
</tr>
<tr>
<td><tt>['scaleft']['log_level']</tt></td>
<td>String</td>
<td>Controls the logging verbosity. Valid values are WARN, INFO or DEBUG. Runing sftd with the --debug flag is equivalent to configuring a level of DEBUG, and will override values from the config file</td>
<td>nil</td>
<td><tt>INFO</tt></td>
</tr>
<tr>
<td><tt>['scaleft']['buffer_file']</tt></td>
<td>String</td>
<td>Path-prefix to the file(s) that sftd will use for it’s local buffer store. Individual buffers will have a ‘.’ and an incrementing number will be appended to the path-prefix. BufferFiles which have been synchronized will be removed automatically</td>
<td>nil</td>
<td><tt>/var/lib/sftd/buffer.db</tt></td>
</tr>
<tr>
<td><tt>['scaleft']['enrollment_token_file']</tt></td>
<td>String</td>
<td>Path to the file containing a secret token for token based enrollment. This file is deleted after a successful enrollment to the platform</td>
<td>nil</td>
<td><tt>/var/lib/sftd/enrollment.token</tt></td>
</tr>
<tr>
<td><tt>['scaleft']['server_file']</tt></td>
<td>String</td>
<td>Path to the file that sftd uses to store the server URL that it will connect to</td>
<td>nil</td>
<td><tt>/var/lib/sftd/device.server</tt></td>
</tr>
<tr>
<td><tt>['scaleft']['sshd_config_file']</tt></td>
<td>String</td>
<td>Path to sshd configuration file. *Note sftd will modify this file*</td>
<td>nil</td>
<td><tt>/etc/ssh/sshd_config</tt></td>
</tr>
<tr>
<td><tt>['scaleft']['token_file']</tt></td>
<td>String</td>
<td>Path to file that sftd uses to store its secret token for authentication to ScaleFT</td>
<td>nil</td>
<td><tt>/var/lib/sftd/device.token</tt></td>
</tr>
<tr>
<td><tt>['scaleft']['trusted_user_ca_file']</tt></td>
<td>String</td>
<td>Path for sftd to write the list of trusted SSH Certificate authorities to</td>
<td>nil</td>
<td><tt>/var/lib/sftd/ssh_ca.pub</tt></td>
</tr>
</table>
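Review bot: the table header declares six columns (Key, Type, Description, Default, Attribute Default, ScaleFT Default) but every row except `initial_url` has only five cells, and the `initial_url` row splits its description across two cells ("your scaleft endpoint" and the AutoEnroll text), so the columns render shifted; drop the redundant `Default` header and merge the two description cells so the rows line up. The Type column says String for `initial_url_required` and `auto_enroll`, which attributes/default.rb sets to `true`, and for `alt_names`, which the template consumes with `.join` and therefore must be an Array; the `auto_enroll` row also lists an Attribute Default of `nil` while attributes/default.rb sets it to `true`. Typos in the hunk: "Runing" and "it's local buffer store" (its).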

@@ -44,6 +145,25 @@ Just include `scaleft` in your node's `run_list`:
}
```

#### In a wrapper recipe when using ScaleFT SaaS

```ruby
node.set['scaleft']['initial_url_required'] = false

node.set['scaleft']['bastion'] = calculate_bastion_name(node['hostname'], node.chef_environment)
node.set['scaleft']['canonical_name'] = calculate_canonical_name(node['hostname'], node.chef_environment)
node.set['scaleft']['alt_names'] = calculate_alt_names(node['hostname'], node.chef_environment)

include_recipe "scaleft"
```

**Note:** The `calculate_*` functions are a placeholder for how you would
determine the values of the various parameters at chef-client runtime.

Remeber to add `depends scaleft` to your `metatdata.rb` and this repo to your
Contributor commented: Looks like 2 typos here -- remember and metadata.rb.

`Berksfile` for your wrapper cookbook.


Contributing
------------
1. Fork the repository on Github
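Review bot: the wrapper example uses `node.set`, which writes persistent normal attributes that survive across runs and is deprecated in Chef 12 (removed in Chef 14); a wrapper recipe should use `node.default` or `node.override` so the computed values are re-derived on every chef-client run. `calculate_alt_names` must also return an Array rather than the String the table documents, because the template emits it with `.join(",")`. The two typos on the `Remeber ... metatdata.rb` line are already flagged in the comment above.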
@@ -56,3 +176,4 @@ Contributing
License and Authors
-------------------
Authors:: Jim Rosser ([email protected])
Robert Berger ([email protected])
24 changes: 24 additions & 0 deletions attributes/default.rb
@@ -1 +1,25 @@
# 'initial_url_required' is there to preserve backwards compatable
# behavior with the original Rackspace version
# Override it to false to not require 'initial_url' in your
# environment, role or wrapper cookbook
default['scaleft']['initial_url_required'] = true
@TheSeubert (Contributor) commented on Jul 18, 2017:

I would like to see this removed instead in favor of logic that checks if ['scaleft']['auto_enroll'] is true, then either ['scaleft']['initial_url'] or ['scaleft']['token_file'] need to be set.

Honestly I think we only had this check in place because Rackspace utilizes the SaaS version of ScaleFT so we wanted to catch and enforce using the initial_url. I like making this less opinionated and match the logic of the config file if you are doing this.

@rberger (Author) commented on Jul 19, 2017:

I'm open, I put that in just to make it backwards compatible with what you folks were doing. I always set 'initial_url_required' to false.

It's not stated in the docs, but if you are using the SaaS you don't need to specify the initial_url; it seems to default to the right URL. It seems to be only needed if you are not using the SaaS.

We don't set the initial_url on ours, and we don't explicitly set auto-enroll (it defaults to it). We just set the CanonicalName and the Bastion (and maybe the AltNames). We also associated an AWS Account with each project, but that is through the Web UI. (Just talked to Robert Chiniquy at ScaleFT and he's going to update the docs for Initial_Url to reflect that the default is the SaaS URL.)

My git-fu isn't up to knowing how to squash the commits/comments at this point.

Let me know if you want me to update the Pull Request by taking out all the logic around initial_url_required.

It seems to me to be difficult and maybe unnecessary to have logic as @dude051 proposed. This is because:

auto_enroll is true by default if not specified in the sftd.yml file, and if the initial_url attribute is nil or false in the cookbook. Also, as I mentioned, if you are using the SaaS you do not need to specify the initial_url.

I had assumed that the original cookbook had the requirement for initial_url being set because folks at Rackspace were using a private version of ScaleFT and not the SaaS, in which case requiring it to be set made sense. That is why I made the original behavior the default and had an explicit mechanism to override that.

Don't know if there is any way to programmatically sense if you had a private ScaleFT service and then require the initial_url to be set.


# Values used to set the sftd.yaml config file
# If set to nil, it won't be written to the file and will use
# ScaleFT Defaults
# Override in your environment, role or wrapper cookbook
# See https://www.scaleft.com/docs/sftd/
#
default['scaleft']['initial_url'] = nil
default['scaleft']['access_address'] = nil
default['scaleft']['alt_names'] = nil
default['scaleft']['auto_enroll'] = true
default['scaleft']['bastion'] = nil
default['scaleft']['canonical_name'] = nil
default['scaleft']['log_level'] = nil
default['scaleft']['buffer_file'] = nil
default['scaleft']['enrollment_token_file'] = nil
default['scaleft']['server_file'] = nil
default['scaleft']['sshd_config_file'] = nil
default['scaleft']['token_file'] = nil
default['scaleft']['trusted_user_ca_file'] = nil
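Review bot: the comment block states that `nil` values are not written to sftd.yaml and fall back to the ScaleFT defaults, but `default['scaleft']['auto_enroll'] = true` is the one key that does not follow that rule, and it contradicts the README table, which lists its Attribute Default as `nil`. Either default it to `nil` like the other keys (ScaleFT already defaults AutoEnroll to true) or update the README row; as written, the only reason to keep `true` here is the truthiness guard in the template, which is being questioned in the review of that file. Spelling: "compatable" should be "compatible".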
16 changes: 3 additions & 13 deletions recipes/default.rb
@@ -38,23 +38,13 @@
fail "Platform #{node['platform_family']} is not currently supported"
end

# Create the config file
include_recipe "scaleft::sftd_config"

package 'scaleft-server-tools' do
action :install
end

directory '/etc/sft' do
action :create
end

if node['scaleft']['initial_url'].nil?
fail "The attribute node['scaleft']['initial_url'] must be set"
end

file '/etc/sft/sftd.yaml' do
action :create
content "InitialURL: #{node['scaleft']['initial_url']}"
end

# https://github.com/rackspace-cookbooks/scaleft/issues/2
execute 'chkconfig_add_sftd' do
command 'chkconfig --add sftd'
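Review bot: `include_recipe "scaleft::sftd_config"` now runs before `package 'scaleft-server-tools'` is installed, so the template is written first; if the package ships its own /etc/sft/sftd.yaml the install can overwrite the Chef-managed file until the next converge. Move the include after the package resource. The template's `notifies :restart, 'service[sftd]', :delayed` still resolves correctly in that order as long as a `service 'sftd'` resource is declared somewhere in this recipe, which is not visible in the diff and should be confirmed.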
35 changes: 35 additions & 0 deletions recipes/sftd_config.rb
@@ -0,0 +1,35 @@
#
# Cookbook Name:: scaleft
# Recipe:: sftd_config
#
# Copyright 2017, Omnyway and Rackspace
Contributor commented: Is this a typo or is it really Omnyway and not Onmyway?

Author replied: Omnyway!

#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

directory '/etc/sft' do
action :create
end

if (node['scaleft']['initial_url_required'] &&
node['scaleft']['initial_url'].nil?)
fail "The attribute node['scaleft']['initial_url'] must be set"
end

# Gets all its config from node attributes
template '/etc/sft/sftd.yaml' do
source 'sftd.yaml.erb'
owner 'root'
group 'root'
mode '0755'
notifies :restart, 'service[sftd]', :delayed
end
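Review bot: `mode '0755'` on the `template '/etc/sft/sftd.yaml'` resource marks a plain configuration file executable and world-readable; sftd only reads it, so `'0644'` (or `'0640'` given the root:root ownership already set) is the appropriate mode. The `fail` check on `initial_url_required` is also the logic the review of attributes/default.rb proposes removing, so if that lands this block goes with it.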
85 changes: 85 additions & 0 deletions templates/default/sftd.yaml.erb
@@ -0,0 +1,85 @@
---
# Common Configuration Options:
#
# NOTE: This file managed by Chef.
# Manual changes will be removed on next chef-client run
#
<% sft = node['scaleft'] %>

<% if sft['access_address'] %>
AccessAddress: <%= sft['access_address'] %>
<% else %>
# AccessAddress is unset by default
<% end %>

<% if sft['alt_names'] %>
AltNames: [<%= sft['alt_names'].join(",") %>]
<% else %>
# AltNames is unset by default
<% end %>

<% if sft['auto_enroll'] %>
Contributor commented: Since you set the default attribute to true you shouldn't need this logic. Looking at the documentation this matches the default of true too so looks good.

AutoEnroll: <%= sft['auto_enroll'] %>
<% else %>
# AutoEnroll is unset by default
<% end %>

<% if sft['bastion'] %>
Bastion: <%= sft['bastion'] %>
<% else %>
# Bastion is unset by default
<% end %>

<% if sft['canonical_name'] %>
CanonicalName: <%= sft['canonical_name'] %>
<% else %>
# CanonicalName is unset by default
<% end %>

<% if sft['initial_url'] %>
InitialURL: <%= sft['initial_url'] %>
<% else %>
# InitialURL is unset by default
<% end %>

<% if sft['log_level'] %>
LogLevel: <%= sft['log_level'] %>
<% else %>
# LogLevel is INFO by default
<% end %>

<% if sft['buffer_file'] %>
BufferFile: <%= sft['buffer_file'] %>
<% else %>
# BufferFile will use ScaleFT Default value
<% end %>

<% if sft['enrollment_token_file'] %>
EnrollmentTokenFile: <%= sft['enrollment_token_file'] %>
<% else %>
# EnrollmentTokenFile will use ScaleFT Default value
<% end %>

<% if sft['server_file'] %>
ServerFile: <%= sft['server_file'] %>
<% else %>
# ServerFile will use ScaleFT Default value
<% end %>

<% if sft['sshd_config_file'] %>
SSHDConfigFile: <%= sft['sshd_config_file'] %>
<% else %>
# SSHDConfigFile will use ScaleFT Default value
<% end %>

<% if sft['token_file'] %>
TokenFile: <%= sft['token_file'] %>
<% else %>
# TokenFile will use ScaleFT Default value
<% end %>

<% if sft['trusted_user_ca_file'] %>
TrustedUserCAKeysFile: <%= sft['trusted_user_ca_file'] %>
<% else %>
# TrustedUserCAKeysFile will use ScaleFT Default value
<% end %>
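Review bot: the `<% if sft['auto_enroll'] %>` guard does more than add unneeded logic: when a wrapper sets `auto_enroll` to `false` the key is omitted and sftd falls back to its own default of true, so the attribute cannot actually disable auto-enrollment; use `<% unless sft['auto_enroll'].nil? %>` (and default the attribute to `nil`) if it is meant to be settable. `sft['alt_names'].join(",")` raises NoMethodError when `alt_names` is the String the README documents; `Array(sft['alt_names']).join(", ")` accepts both a String and an Array. All values are interpolated into YAML unquoted, so a path or name containing `:` or `#` would break parsing; emitting them as `"<%= ... %>"` or via `.to_json` is safer.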