The very first start of 'fireball mode', which uses ansible in SSH mode to deploy an ephemeral zeromq daemon (entirely optional) that will die after

it is no longer used.  No key signing will be required.  At this point, development use only -- NOT complete.
This commit is contained in:
Michael DeHaan 2012-09-26 23:50:54 -04:00
commit 69612ba16d
6 changed files with 406 additions and 10 deletions


@ -85,3 +85,4 @@ DEFAULT_SUDO_PASS = None
DEFAULT_SUBSET = None
ANSIBLE_SSH_ARGS = get_config(p, 'ssh_connection', 'ssh_args', 'ANSIBLE_SSH_ARGS', None)
ZEROMQ_PORT = int(get_config(p, 'fireball', 'zeromq_port', 'ANSIBLE_ZEROMQ_PORT', 5099))
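Review bot: `ZEROMQ_PORT` is parsed with a bare `int()` at import time, so a malformed `ANSIBLE_ZEROMQ_PORT` environment value or `zeromq_port` ini value aborts every ansible invocation with a `ValueError` traceback out of constants rather than a message naming the setting. Wrapping the parse, `try: ZEROMQ_PORT = int(get_config(...))` / `except ValueError: raise <the module's configuration error>("fireball zeromq_port must be an integer")`, makes the failure self-explanatory, and a 1–65535 range check is cheap at the same spot.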


@ -206,6 +206,7 @@ class AnsibleModule(object):
def _log_invocation(self):
''' log that ansible ran the module '''
# TODO: generalize a seperate log function and make log_invocation use it
# Sanitize possible password argument when logging.
log_args = dict()
passwd_keys = ['password', 'login_password']
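Review bot: `_log_invocation` redacts arguments by exact key name from the literal `passwd_keys = ['password', 'login_password']`; the runner change in this commit sends the per-host fireball AES key to the module as `password=...`, so that value is covered, but any future fireball argument name would be logged in clear. A short comment tying the two together would keep that from regressing, e.g. `# 'password' also covers the AES key the runner passes to the fireball module; keep in sync with the runner.` The method's body continues past the hunk, so the matching logic itself is not visible here.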


@ -26,6 +26,7 @@ import tempfile
import time
import collections
import socket
import base64
import ansible.constants as C
import ansible.inventory
@ -45,7 +46,8 @@ except ImportError:
dirname = os.path.dirname(__file__)
action_plugin_list = utils.import_plugins(os.path.join(dirname, 'action_plugins'))
################################################
def _executor_hook(job_queue, result_queue):
@ -153,11 +155,11 @@ class Runner(object):
# ability to turn off temp file deletion for debug purposes
return
if type(files) == str:
if type(files) in [ str, unicode ]:
files = [ files ]
for filename in files:
if filename.find('/tmp/') == -1:
raise Exception("not going to happen")
raise Exception("safeguard deletion, removal of %s is not going to happen" % filename)
self._low_level_exec_command(conn, "rm -rf %s" % filename, None)
# *****************************************************
@ -188,6 +190,10 @@ class Runner(object):
''' runs a module that has already been transferred '''
# hack to support fireball mode
if module_name == 'fireball':
args = "%s password=%s port=%s" % (args, base64.b64encode(str(utils.key_for_hostname(conn.host))), C.ZEROMQ_PORT)
(remote_module_path, is_new_style) = self._copy_module(conn, tmp, module_name, args, inject)
cmd = "chmod u+x %s" % remote_module_path
if self.sudo and self.sudo_user != 'root':
@ -404,12 +410,12 @@ class Runner(object):
sudo_user = self.sudo_user
stdin, stdout, stderr = conn.exec_command(cmd, tmp, sudo_user, sudoable=sudoable)
if type(stdout) != str:
if type(stdout) not in [ str, unicode ]:
out = "\n".join(stdout.readlines())
else:
out = stdout
if type(stderr) != str:
if type(stderr) not in [ str, unicode ]:
err = "\n".join(stderr.readlines())
else:
err = stderr
@ -452,7 +458,9 @@ class Runner(object):
cmd += ' && echo %s' % basetmp
result = self._low_level_exec_command(conn, cmd, None, sudoable=False)
return utils.last_non_blank_line(result).strip() + '/'
rc = utils.last_non_blank_line(result).strip() + '/'
return rc
# *****************************************************
@ -499,9 +507,10 @@ class Runner(object):
def _parallel_exec(self, hosts):
''' handles mulitprocessing when more than 1 fork is required '''
job_queue = multiprocessing.Manager().Queue()
manager = multiprocessing.Manager()
job_queue = manager.Queue()
[job_queue.put(i) for i in hosts]
result_queue = multiprocessing.Manager().Queue()
result_queue = manager.Queue()
workers = []
for i in range(self.forks):
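Review bot: In the hunk that adds the `if module_name == 'fireball':` branch, the per-host AES key is base64-encoded straight into the module argument string, so it presumably lands in clear in the remote temp directory via `_copy_module` and flows through the same argument-logging path as any other module argument; nothing in the hunk records that this string is now a secret. Worth a comment at the hack so later changes keep treating it that way: `# NOTE: args now carries the per-host AES key (base64) for the fireball daemon; it must only reach the module through the temp file and must be redacted wherever args are logged.` Separately, `type(files) in [ str, unicode ]` and the two `type(...) not in [ str, unicode ]` checks in the `_low_level_exec_command` hunk would read better as `isinstance(x, basestring)`, which also covers str subclasses. The enclosing methods start and end outside these hunks.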


@ -0,0 +1,129 @@
# (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>
#
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
import json
import os
from ansible.callbacks import vvv
from ansible import utils
from ansible import errors
from ansible import constants
HAVE_ZMQ=False
try:
import zmq
HAVE_ZMQ=True
except ImportError:
pass
class Connection(object):
''' SSH based connections with Paramiko '''
def __init__(self, runner, host, port=None):
self.runner = runner
# attempt to work around shared-memory funness
if getattr(self.runner, 'aes_keys', None):
utils.AES_KEYS = self.runner.aes_keys
self.host = host
self.key = utils.key_for_hostname(host)
self.socket = None
# port passed in is the SSH port, which we ignore
self.port = constants.ZEROMQ_PORT
def connect(self):
''' activates the connection object '''
if not HAVE_ZMQ:
raise errors.AnsibleError("zmq is not installed")
# this is rough/temporary and will likely be optimized later ...
context = zmq.Context()
socket = context.socket(zmq.REQ)
addr = "tcp://%s:%s" % (self.host, self.port)
socket.connect(addr)
self.socket = socket
return self
def exec_command(self, cmd, tmp_path, sudo_user, sudoable=False):
''' run a command on the remote host '''
vvv("EXEC COMMAND %s" % cmd)
if self.runner.sudo and sudoable:
raise errors.AnsibleError("fireball does not use sudo, but runs as whoever it was initiated as. (That itself is where to use sudo).")
data = dict(
mode='command',
cmd=cmd,
tmp_path=tmp_path,
)
data = utils.jsonify(data)
data = utils.encrypt(self.key, data)
self.socket.send(data)
response = self.socket.recv()
response = utils.decrypt(self.key, response)
response = utils.parse_json(response)
return ('', response.get('stdout',''), response.get('stderr',''))
def put_file(self, in_path, out_path):
''' transfer a file from local to remote '''
vvv("PUT %s TO %s" % (in_path, out_path), host=self.host)
if not os.path.exists(in_path):
raise errors.AnsibleFileNotFound("file or module does not exist: %s" % in_path)
data = file(in_path).read()
data = dict(mode='put', data=data, out_path=out_path)
data = utils.jsonify(data)
data = utils.encrypt(self.key, data)
self.socket.send(data)
response = self.socket.recv()
response = utils.decrypt(self.key, response)
response = utils.parse_json(response)
# no meaningful response needed for this
def fetch_file(self, in_path, out_path):
''' save a remote file to the specified path '''
vvv("FETCH %s TO %s" % (in_path, out_path), host=self.host)
data = dict(mode='fetch', file=in_path)
data = utils.jsonify(data)
data = utils.encrypt(self.key, data)
self.socket.send(data)
response = self.socket.recv()
response = utils.decrypt(self.key, response)
response = utils.parse_json(response)
response = response['data']
fh = open(out_path, "w")
fh.write(response)
fh.close()
def close(self):
''' terminate the connection '''
# no need for this
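Review bot: The class docstring `''' SSH based connections with Paramiko '''` describes the wrong transport; replace it with `''' ZeroMQ REQ connection to an ephemeral fireball daemon; payloads are encrypted with the per-host key from utils.key_for_hostname '''`. `exec_command`, `put_file` and `fetch_file` each block on `self.socket.recv()` on a REQ socket with no receive timeout, so a daemon that has already exited (the commit says it dies when no longer used) hangs the runner instead of failing; `socket.setsockopt(zmq.RCVTIMEO, <milliseconds>)` in `connect`, or a poll before each recv, lets that surface as an `errors.AnsibleError`. `close` is a no-op, so the socket and `zmq.Context` created in `connect` are never released — `if self.socket: self.socket.close()` is the minimum. As far as this plugin shows, neither request nor response carries a nonce or counter, so a recorded encrypted `command` request would still be accepted within the key's lifetime; a per-request freshness field checked on the daemon side would close that, but the daemon itself is not in this view.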


@ -35,6 +35,7 @@ import subprocess
import stat
import termios
import tty
from multiprocessing import Manager
VERBOSITY=0
@ -48,15 +49,54 @@ try:
except ImportError:
from md5 import md5 as _md5
# vars_prompt_encrypt
PASSLIB_AVAILABLE = False
try:
import passlib.hash
PASSLIB_AVAILABLE = True
except:
pass
KEYCZAR_AVAILABLE=False
try:
from keyczar.keys import AesKey
KEYCZAR_AVAILABLE=True
except ImportError:
pass
###############################################################
# abtractions around keyczar
def key_for_hostname(hostname):
# fireball mode is an implementation of ansible firing up zeromq via SSH
# to use no persistent daemons or key management
key_path = os.path.expanduser("~/.fireball.keys")
if not os.path.exists(key_path):
os.makedirs(key_path)
key_path = os.path.expanduser("~/.fireball.keys/%s" % hostname)
# use new AES keys every 2 hours, which means fireball must not allow running for longer either
if not os.path.exists(key_path) or (time.time() - os.path.getmtime(key_path) > 60*60*2):
key = AesKey.Generate()
fh = open(key_path, "w")
fh.write(str(key))
fh.close()
return key
else:
fh = open(key_path)
key = AesKey.Read(fh.read())
fh.close()
return key
def encrypt(key, msg):
return key.Encrypt(msg)
def decrypt(key, msg):
try:
return key.Decrypt(msg)
except keyczar.errors.InvalidSignatureError:
raise errors.AnsibleError("decryption failed")
###############################################################
# UTILITY FUNCTIONS FOR COMMAND LINE TOOLS
###############################################################
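Review bot: `key_for_hostname` creates the per-host AES key under the process umask: `os.makedirs(key_path)` takes the default mode and `open(key_path, "w")` typically yields a 0644 file, so the key that protects every fireball command is readable by other local users. Create both owner-only, `os.makedirs(key_path, stat.S_IRWXU)` and `fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, stat.S_IRUSR | stat.S_IWUSR)` followed by `fh = os.fdopen(fd, "w")` (`stat` is already imported above in this file). `hostname` is interpolated into the path unchecked, so an inventory name containing `/` or `..` would land outside `~/.fireball.keys`; rejecting such names keeps that directory the only key store. In `decrypt`, `keyczar.errors.InvalidSignatureError` references the name `keyczar`, which this hunk binds only through `from keyczar.keys import AesKey`, so a failed decryption raises `NameError` instead of the intended `AnsibleError` unless `keyczar` is imported elsewhere in the file; `KEYCZAR_AVAILABLE` is likewise set but never checked before `AesKey` is used.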