Satellite 6.2 ships with the much anticipated remote execution feature, which allows you to run scripts and jobs on a group of systems and then gather and view the output in the Satellite interface.
Remote Execution by itself works fine out of the box for new machines, but already existing machines need to be bootstrapped by adding an SSH public key to root's
You can use Puppet to do this - assuming you are using Puppet at all - in two distinct ways:
- you can use a full module for it, for example the ghoneycutt/ssh module
- you can use hash_resources to place the key generated by Satellite in root's
Because there is a pretty large number of ssh related modules on Puppet Forge, I'm not going to go into that in much detail. If you have chosen one of those, it pretty much rules out all the others (that's just how Puppet works), so this would become a pretty long story. It's much easier to use the
hash_resources module to manage this single key.
The hash_resources module was written by Stephen Benjamin and I'm utterly in love with it. You can use it to transform a hash into a Puppet resource. This is useful for many things, from creating an Apache virtual host with the
apache::vhost defined type, a MariaDB database with the
mysql::db defined type, or - in this case - setting up an SSH public key for authentication and using that with remote execution.
The setup is mind-numbingly simple. Just add the
hash_resources module to your Puppet CV / environment, add the
hash_resources class to your system / host group and override the
resources parameter with:
--- ssh_authorized_key: 'firstname.lastname@example.org': user: root type: <%= @host.params['remote_execution_ssh_keys'].split(' ') %> key: <%= @host.params['remote_execution_ssh_keys'].split(' ') %>
Now granted, the above isn't exactly pretty, but it works and doesn't need a separate module at all. An explanation:
The first line specifies the name of an existing resource we want
hash_resources to create (
ssh_authorized_keys). The second line is the name we want that resource to get (the name / comment of our key, in this case). Lines 4 through 6 are parameters for that resource, starting with the name of the user, then the key type, and finally the body of the key.
I'm using some Ruby to split up the existing global parameter
remote_execution_ssh_keys, because the contents of the
remote_execution_ssh_keys variable itself isn't suitable to pass to
hash_resources. I take the first element of the
remote_execution_ssh_keys array, split that on spaces and take the first and second element of that resulting array for SSH key type and SSH key body, respectively.
The above snippet will work fine if you have only a single Satellite, without external capsules. If you have external capsules, you probably want to use a different snippet that distributes all of the remote execution SSH keys to all of your hosts (remember
remote_execution_ssh_keys is an array!).
--- ssh_authorized_key: <% for _key in @host.params['remote_execution_ssh_keys'] do -%> <% key = _key.split(' ') -%> <%= key %>: user: <%= @host.params['remote_execution_ssh_user'] %> type: <%= key %> key: <%= key %> <% end -%>
The above code isn't any prettier, but it will work on an arbitrary number of SSH keys that need to be distributed. It'll loop over the
remote_execution_ssh_keys array and generate input for
hash_resources on the fly. It'll even set the user correctly, if you don't want to use the default
Ups and downs
|Using a full blown Puppet module||More control over other aspects of the SSH setup, like Match clauses and PermitRootLogin.||Either introduces a new module into the existing Puppet setup (if you aren't using Puppet to manage SSH yet), which can be a slow process, or you'll need to use the module already available (because generally, you can use only one module to manage SSH). Also, as there are at this time 65 modules that involve SSH on Puppet Forge, documenting a generic way to do this is impossible.|
|Using hash_resources only||Really easy to introduce, as it's likely you will use hash_resources at some point anyway. Doesn't require introducing a (new) SSH module, that might interfere with the existing setup.||Requires that you already use or don't mind starting to use hash_resources.|