The very first start of 'fireball mode', which uses ansible in SSH mode to deploy a ephemeral zeromq daemon (entirely optional) that is will die after

it is no longer used.  No key signing will be required.  At this point, development use only -- NOT complete.

lib/ansible/constants.py

@@ -85,3 +85,4 @@ DEFAULT_SUDO_PASS         = None
 DEFAULT_SUBSET            = None
 
 ANSIBLE_SSH_ARGS          = get_config(p, 'ssh_connection', 'ssh_args', 'ANSIBLE_SSH_ARGS', None)
+ZEROMQ_PORT               = int(get_config(p, 'fireball', 'zeromq_port', 'ANSIBLE_ZEROMQ_PORT', 5099))

lib/ansible/module_common.py

@@ -206,6 +206,7 @@ class AnsibleModule(object):
 
     def _log_invocation(self):
         ''' log that ansible ran the module '''
+        # TODO: generalize a seperate log function and make log_invocation use it
         # Sanitize possible password argument when logging.
         log_args = dict()
         passwd_keys = ['password', 'login_password']

lib/ansible/runner/__init__.py

@@ -26,6 +26,7 @@ import tempfile
 import time
 import collections
 import socket
+import base64
 
 import ansible.constants as C
 import ansible.inventory
@@ -45,7 +46,8 @@ except ImportError:
 
 dirname = os.path.dirname(__file__)
 action_plugin_list = utils.import_plugins(os.path.join(dirname, 'action_plugins'))
-
+    
+        
 ################################################
 
 def _executor_hook(job_queue, result_queue):
@@ -153,11 +155,11 @@ class Runner(object):
             # ability to turn off temp file deletion for debug purposes
             return
 
-        if type(files) == str:
+        if type(files) in [ str, unicode ]:
             files = [ files ]
         for filename in files:
             if filename.find('/tmp/') == -1:
-                raise Exception("not going to happen")
+                raise Exception("safeguard deletion, removal of %s is not going to happen" % filename)
             self._low_level_exec_command(conn, "rm -rf %s" % filename, None)
 
     # *****************************************************
@@ -188,6 +190,10 @@ class Runner(object):
 
         ''' runs a module that has already been transferred '''
 
+        # hack to support fireball mode
+        if module_name == 'fireball':
+            args = "%s password=%s port=%s" % (args, base64.b64encode(str(utils.key_for_hostname(conn.host))), C.ZEROMQ_PORT)
+
         (remote_module_path, is_new_style) = self._copy_module(conn, tmp, module_name, args, inject)
         cmd = "chmod u+x %s" % remote_module_path
         if self.sudo and self.sudo_user != 'root':
@@ -404,12 +410,12 @@ class Runner(object):
         sudo_user = self.sudo_user
         stdin, stdout, stderr = conn.exec_command(cmd, tmp, sudo_user, sudoable=sudoable)
 
-        if type(stdout) != str:
+        if type(stdout) not in [ str, unicode ]:
             out = "\n".join(stdout.readlines())
         else:
             out = stdout
 
-        if type(stderr) != str:
+        if type(stderr) not in [ str, unicode ]:
             err = "\n".join(stderr.readlines())
         else:
             err = stderr
@@ -452,7 +458,9 @@ class Runner(object):
         cmd += ' && echo %s' % basetmp
 
         result = self._low_level_exec_command(conn, cmd, None, sudoable=False)
-        return utils.last_non_blank_line(result).strip() + '/'
+        rc = utils.last_non_blank_line(result).strip() + '/'
+        return rc
+
 
     # *****************************************************
 
@@ -499,9 +507,10 @@ class Runner(object):
     def _parallel_exec(self, hosts):
         ''' handles mulitprocessing when more than 1 fork is required '''
 
-        job_queue = multiprocessing.Manager().Queue()
+        manager = multiprocessing.Manager()
+        job_queue = manager.Queue()
         [job_queue.put(i) for i in hosts]
-        result_queue = multiprocessing.Manager().Queue()
+        result_queue = manager.Queue()
 
         workers = []
         for i in range(self.forks):

lib/ansible/runner/connection_plugins/fireball.py

@@ -0,0 +1,129 @@
+# (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>
+#
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+
+import json
+import os
+from ansible.callbacks import vvv
+from ansible import utils
+from ansible import errors
+from ansible import constants
+
+HAVE_ZMQ=False
+
+try:
+    import zmq
+    HAVE_ZMQ=True
+except ImportError:
+    pass
+
+class Connection(object):
+    ''' SSH based connections with Paramiko '''
+
+    def __init__(self, runner, host, port=None):
+
+        self.runner = runner
+
+        # attempt to work around shared-memory funness
+        if getattr(self.runner, 'aes_keys', None):
+            utils.AES_KEYS = self.runner.aes_keys
+
+        self.host = host
+        self.key = utils.key_for_hostname(host)
+        self.socket = None
+        # port passed in is the SSH port, which we ignore
+        self.port = constants.ZEROMQ_PORT
+  
+    def connect(self):
+        ''' activates the connection object '''
+
+        if not HAVE_ZMQ:
+            raise errors.AnsibleError("zmq is not installed")
+        
+        # this is rough/temporary and will likely be optimized later ...
+        context = zmq.Context()
+        socket = context.socket(zmq.REQ)
+        addr = "tcp://%s:%s" % (self.host, self.port)
+        socket.connect(addr)
+        self.socket = socket    
+
+        return self
+
+    def exec_command(self, cmd, tmp_path, sudo_user, sudoable=False):
+        ''' run a command on the remote host '''
+
+        vvv("EXEC COMMAND %s" % cmd)
+
+        if self.runner.sudo and sudoable:
+            raise errors.AnsibleError("fireball does not use sudo, but runs as whoever it was initiated as.  (That itself is where to use sudo).")
+
+        data = dict(
+            mode='command',
+            cmd=cmd,
+            tmp_path=tmp_path,
+        )
+        data = utils.jsonify(data)
+        data = utils.encrypt(self.key, data)
+        self.socket.send(data)
+        
+        response = self.socket.recv()
+        response = utils.decrypt(self.key, response)
+        response = utils.parse_json(response)
+
+        return ('', response.get('stdout',''), response.get('stderr',''))
+
+    def put_file(self, in_path, out_path):
+
+        ''' transfer a file from local to remote '''
+        vvv("PUT %s TO %s" % (in_path, out_path), host=self.host)
+
+        if not os.path.exists(in_path):
+            raise errors.AnsibleFileNotFound("file or module does not exist: %s" % in_path)
+        data = file(in_path).read()
+        
+        data = dict(mode='put', data=data, out_path=out_path)
+        data = utils.jsonify(data)
+        data = utils.encrypt(self.key, data)
+        self.socket.send(data)
+
+        response = self.socket.recv()
+        response = utils.decrypt(self.key, response)
+        response = utils.parse_json(response)
+
+        # no meaningful response needed for this
+
+    def fetch_file(self, in_path, out_path):
+        ''' save a remote file to the specified path '''
+        vvv("FETCH %s TO %s" % (in_path, out_path), host=self.host)
+
+        data = dict(mode='fetch', file=in_path)
+        data = utils.jsonify(data)
+        data = utils.encrypt(self.key, data)
+        self.socket.send(data)
+
+        response = self.socket.recv()
+        response = utils.decrypt(self.key, response)
+        response = utils.parse_json(response)
+        response = response['data']
+
+        fh = open(out_path, "w")
+        fh.write(response)
+        fh.close()
+
+    def close(self):
+        ''' terminate the connection '''
+        # no need for this
+

lib/ansible/utils.py

@@ -35,6 +35,7 @@ import subprocess
 import stat
 import termios
 import tty
+from multiprocessing import Manager
 
 VERBOSITY=0
 
@@ -48,15 +49,54 @@ try:
 except ImportError:
     from md5 import md5 as _md5
 
-# vars_prompt_encrypt
 PASSLIB_AVAILABLE = False
-
 try:
     import passlib.hash
     PASSLIB_AVAILABLE = True
 except:
     pass
 
+KEYCZAR_AVAILABLE=False
+try:
+    from keyczar.keys import AesKey
+    KEYCZAR_AVAILABLE=True
+except ImportError:
+    pass
+
+###############################################################
+# abtractions around keyczar
+
+def key_for_hostname(hostname):
+    # fireball mode is an implementation of ansible firing up zeromq via SSH
+    # to use no persistent daemons or key management
+
+    key_path = os.path.expanduser("~/.fireball.keys")
+    if not os.path.exists(key_path):
+        os.makedirs(key_path)
+    key_path = os.path.expanduser("~/.fireball.keys/%s" % hostname)
+
+    # use new AES keys every 2 hours, which means fireball must not allow running for longer either
+    if not os.path.exists(key_path) or (time.time() - os.path.getmtime(key_path) > 60*60*2):
+        key = AesKey.Generate()
+        fh = open(key_path, "w")
+        fh.write(str(key))
+        fh.close()
+        return key
+    else:
+        fh = open(key_path)
+        key = AesKey.Read(fh.read())  
+        fh.close()
+        return key
+
+def encrypt(key, msg):
+    return key.Encrypt(msg)
+
+def decrypt(key, msg):
+    try:
+        return key.Decrypt(msg)
+    except keyczar.errors.InvalidSignatureError:
+        raise errors.AnsibleError("decryption failed")
+
 ###############################################################
 # UTILITY FUNCTIONS FOR COMMAND LINE TOOLS
 ###############################################################