-
Notifications
You must be signed in to change notification settings - Fork 1
/
README
212 lines (144 loc) · 6.15 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
===
KFC
===
A KeePass-Fabric Cluster.
DISCLAIMER: I take no resposability for the use you give to this software you
may find very useful or very destructive if you use it in the wrong way.
USE KFC AT YOUR OWN RISK. --av.-
Project status
--------------
This *is* working alpha software. I have coded this Python Fabric recipe
according to my needs you may find this software useful if you have an scenario
similar to mine or if you stick to the standard that KFC expects.
See the source to learn how it works. Sorry, the code is *still* messy.
Scenario
--------
* Need to work on variety of UNIX-like OSes
* HP-UX
* Solaris
* Linux
* AIX
* Don't want to repeat same passwords across all OSes
* sshd have some *eccentric* "security" settings
* Don't always have direct root access (PermitRootLogin no)
* Don't always have ssh key authentication (PubkeyAuthentication no)
* Don't always have sudo (almost never)
* Changing any of these settings is a hastle.
* Want to have a simple cache to store OS output from commands. Useful for
off-line fast Python command output parsing.
* Management require very often reports about servers. I want to build updated
and automatic reports.
My proposed solution
--------------------
* Use KeePass to store the passwords safely
* Use Python Fabric to work on OSes via ssh
* Store command output on a simple pickle dictionary used as a LRU cache
* Build pretty reports using xlsxwriter
KFC requirements
----------------
* KFC needs the following Python requirements to work
(env)[andres@arch kfc]$ pip freeze
Fabric==1.8.0
ecdsa==0.8
keepassdb==0.2.1
paramiko==1.12.0
pycrypto==2.6
wsgiref==0.1.2
A newer environment will probably also work.
KFC config requirements
-----------------------
KFC reads simple .ini configuration files.
Have some "kfc/*.ini" file(s) in you $HOME directory with a configuration
similar to this one.
# global section is used to define command output cache settings.
[global]
# cache_store is the full path to the pickle database used to store command
# output cache
cache_store = /home/andres/kfc/kfc.db
# cache_size defines the maximum number of items that will be saved in the
# pickle database
cache_size = 10000
# cache_max_age defines the maximum number of seconds that a value will be
# kept in the pickle database without being used (read)
cache_max_age = 86400
# Every non-global section is treated as a KeePass database with entries
# under a top-level "group" which is read recursively. The name of the section
# is arbitrary, you can have more than one section.
[MyOSes]
# keepassdb is the full path to your KeePass database.
keepassdb = /home/andres/Database.kdb
# group is the name of your top-level main group where you store all your
# OSes credentials, key entries or groups outside of this group will be
# ignored.
group = OSes
KFC keepassdb requirements
--------------------------
KFC opens your KeePass file in read-only mode, so you don't need to worry about
your database being corrupted by KFC. (However, read the disclaimer, and have a
copy of your KP database elsewhere)
Your KeePass database needs to have a top-level group where you store all your
subgroups and/or key entries. KFC will walk recursively this group. Any part
of the full path to the entry can be used for searching. Useful if you store
hosts by function on a particular group.
For hosts that have normal-user-then-su-to-root access you need an entry with
username *different* from "root" if no non-root entry is found, only the "root"
entry will be used. The first found non-root entry will be used for login.
For hosts that connect to ports different than 22 this simple standard is used.
The port is read from the URL field in the KeePass DB entry, KFC search for a
-P and uses the value *next* to it as remote port, this convention comes from
-P being the option on Putty to open a session on a different port.
Example URL field on a KeePass DB entry.
cmd://putty.exe {USERNAME}@{TITLE} -pw {PASSWORD} -P 2223
This serves as a double purpose as I also use this KeePass DB on Windows
workstations (where by the way KFC also runs) sometimes I just open a Putty
session by clicking the URL on KeePass program window.
The entry *title* will be used as the host to connect but entry titles which
look like an IP address will be ignored as I use them to differentiate ILOs from
OSes.
KFC usages
----------
* Just code your task in Fabric format and run your task with the following
command, KFC will ask for you KeePass DB master password.
fab --set os_filter='dbcluster' my_task
Will run Fabric task "my_task" on every host which hostname matches the
"dbcluster" regular expression. The hostname is taken from the KeePass DB
entry title.
* Run arbitrary command against your cluster.
fab --set os_filter=/HP-UX/ -- uname -a
Will run "uname -a" across all HP-UX OSes found in you KeePass DB. KFC will
filter any KeePass group name found in the path to the entry.
* Open a remote shell
fab --set os_filter=hosta shell
* Open a remote root shell
fab --set os_filter=hostb root_shell
* Build a fancy xlsx report
fab --set os_filter=/Linux/ build_uptime_report xlsx_report
KFC limitations and roadmap
---------------------------
2DO:
* The KFC "su" operation mock-up is not parallel execution safe.
* The cache feature of KFC is not parallel execution safe.
* Entry title needs to be not an IP address the regular expression is hardcoded
* serverinfo was the previous project name, this class needs to be renamed
* cache ussage needs to be explicit
Done:
* Needs "admin" or "Root" user on hosts with no direct root access. Username
is hardcoded.
* Username is no longer hardcoded.
* fabfile.py is messy
* fabfile.py is no longer that messy
Feedback
========
* Let me know if you find this software useful or if you find a bug. Write me
an email to <[email protected]>.
Thanks
======
* This software will be *nothing* without all the great software libraries that
it uses. Many thanks to the gals and guys from:
* Python
* Fabric
* Paramiko
* Keepass
* keepassdb
* XlsxWriter
And many others.