OpenSCAP auditing features in Foreman

Hiya,

I am playing with Foreman in order to integrate with OpenSCAP auditing
capabilities. OpenSCAP is an open source security compliance toolkit. I've
already started some hacking under our OpenSCAP GitHub umbrella:
https://github.com/OpenSCAP

I must say that I enjoy the plug-in interface in both Foreman and
smart-proxy. I shall not need any modification of upstream projects.

Now, I came across the question: What are the options for issuing
commands on the managed system?

In stock Foreman, I have identified Puppet, which has the ability to run
commands in certain cases. When using plug-ins there are Chef and
MCollective. MCollective is wonderful, however, there will always be
deployments without MCollective set up.

Are there any other options?

Thanks!

-- Simon Lukasik, Security Technologies, Red Hat, Inc.

It sounds to me like you need a pluggable solution :) have multiple
providers, SSH, mcollective, <something else> …?

Ohad

··· On Mon, Jul 28, 2014 at 6:32 PM, Simon Lukasik wrote:

You received this message because you are subscribed to the Google Groups
"foreman-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-dev+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Currently, we are using ForemanTasks/Dynflow for triggering and tracking the
remote execution via Pulp gofer [1]. One can imagine that in this code, there
could be a decision for what mechanism should be used (choosing the right
action to be planned: right now it's Pulp::Consumer::ContentInstall).

foreman_mco [2] also uses ForemanTasks for that, and I have a POC to use Dynflow to trigger and
track the system commands (basic of the ssh-line approach) [3].

The question is if the pluggability should be done on the Foreman or the foreman-proxy side:
in other words, for example for ssh, would one be able to use that without a smart-proxy
in there or not?

[1] - https://github.com/Katello/katello/blob/master/app/lib/actions/katello/system/package/install.rb#L25
[2] - https://github.com/witlessbird/foreman_mco/tree/master/app/models/foreman_mco/actions
[3] - https://github.com/iNecas/sysflow

– Ivan

··· ----- Original Message ----- > On Mon, Jul 28, 2014 at 6:32 PM, Simon Lukasik wrote:

Hello,

2c below in text

··· On Thursday 07 of August 2014 18:22:00 Ohad Levy wrote:

Maybe you could use sysflow [1]. It’s a general engine for running local commands
using dynflow. I started to add support for running through SSH but never had
the chance to finish it (see my fork if interested). Maybe we could add other
backends.

[1] https://github.com/iNecas/sysflow


Marek

Thank you guys for your valuable input. I'll be evaluating each
suggested option later.

Thanks!

··· On 08/08/2014 09:42 AM, Ivan Necas wrote:


Simon Lukasik
Security Technologies, Red Hat, Inc.

One thought, if you do end up with a pluggable framework as Ohad
suggests, I'd say that starting with a simple SSH back end would
probably get us the most "bang for buck" and would out of the box be a
sort of minimal lowest common denominator that many shops could use.
Check out ruby gem Net::SSH, and perhaps sshkit…

··· On Thu, Aug 14, 2014 at 4:03 AM, Simon Lukasik wrote:
