Warning message

Log in to add comments.

Making systems ready for Satellite 6.2's remote execution

Maxim Burgerhout published on 2016-08-02T14:27:09+00:00, last updated 2016-08-04T12:04:33+00:00

Satellite 6.2 ships with the much anticipated remote execution feature, which allows you to run scripts and jobs on a group of systems and then gather and view the output in the Satellite interface.

Remote Execution by itself works fine out of the box for new machines, but already existing machines need to be bootstrapped by adding an SSH public key to root's ~/.ssh/authorized_keys.

You can use Puppet to do this - assuming you are using Puppet at all - in two distinct ways:
- you can use a full module for it, for example the ghoneycutt/ssh module
- you can use hash_resources to place the key generated by Satellite in root's ~/.ssh/authorized_keys

Because there is a pretty large number of ssh related modules on Puppet Forge, I'm not going to go into that in much detail. If you have chosen one of those, it pretty much rules out all the others (that's just how Puppet works), so this would become a pretty long story. It's much easier to use the hash_resources module to manage this single key.

The hash_resources module was written by Stephen Benjamin​ and I'm utterly in love with it. You can use it to transform a hash into a Puppet resource. This is useful for many things, from creating an Apache virtual host with the apache::vhost defined type, a MariaDB database with the mysql::db defined type, or - in this case - setting up an SSH public key for authentication and using that with remote execution.

The setup

The setup is mind-numbingly simple. Just add the hash_resources module to your Puppet CV / environment, add the hash_resources class to your system / host group and override the resources parameter with:

---
ssh_authorized_key:
  'foreman-proxy@satellite.example.com':
    user: root
    type: <%= @host.params['remote_execution_ssh_keys'][0].split(' ')[0] %>
    key: <%= @host.params['remote_execution_ssh_keys'][0].split(' ')[1] %>

Now granted, the above isn't exactly pretty, but it works and doesn't need a separate module at all. An explanation:

The first line specifies the name of an existing resource we want hash_resources to create (ssh_authorized_keys). The second line is the name we want that resource to get (the name / comment of our key, in this case). Lines 4 through 6 are parameters for that resource, starting with the name of the user, then the key type, and finally the body of the key.

I'm using some Ruby to split up the existing global parameter remote_execution_ssh_keys, because the contents of the remote_execution_ssh_keys variable itself isn't suitable to pass to hash_resources. I take the first element of the remote_execution_ssh_keys array, split that on spaces and take the first and second element of that resulting array for SSH key type and SSH key body, respectively.

The above snippet will work fine if you have only a single Satellite, without external capsules. If you have external capsules, you probably want to use a different snippet that distributes all of the remote execution SSH keys to all of your hosts (remember remote_execution_ssh_keys is an array!).

---
ssh_authorized_key:
  <% for _key in @host.params['remote_execution_ssh_keys'] do -%>
  <% key = _key.split(' ') -%>
  <%= key[2] %>:
  user: <%= @host.params['remote_execution_ssh_user'] %>
  type: <%= key[0] %>
  key: <%= key[1] %>
  <% end -%>

The above code isn't any prettier, but it will work on an arbitrary number of SSH keys that need to be distributed. It'll loop over the remote_execution_ssh_keys array and generate input for hash_resources on the fly. It'll even set the user correctly, if you don't want to use the default root account.

Ups and downs

Method Ups Downs
Using a full blown Puppet module More control over other aspects of the SSH setup, like Match clauses and PermitRootLogin. Either introduces a new module into the existing Puppet setup (if you aren't using Puppet to manage SSH yet), which can be a slow process, or you'll need to use the module already available (because generally, you can use only one module to manage SSH). Also, as there are at this time 65 modules that involve SSH on Puppet Forge, documenting a generic way to do this is impossible.
Using hash_resources only Really easy to introduce, as it's likely you will use hash_resources at some point anyway. Doesn't require introducing a (new) SSH module, that might interfere with the existing setup. Requires that you already use or don't mind starting to use hash_resources.
English

About The Author

Maxim Burgerhout's picture Red Hat Community Member 32 points

Maxim Burgerhout

Maxim is a senior solution architect for Red Hat's platform and cloud portfolio. He's based in Red Hat's Amsterdam office. Apart from his role as a solution architect, Maxim leads the Satellite 6 subject matter expert team in EMEA. He likes tinkering with Satellite 6 (obviously), Puppet, Ansible ...