Remote Node concept?


#1

Hi list,

I’m rather new to Chef usage. So please forgive for ignorant questions,
remarks :wink:

While looking at the functionality in Chef, I’m wondering if there
exists a way to manage nodes over ssh.
In the past I’ve written my own scripts (not recipes obviously) that can
be either executed locally or remote (over ssh).

If I understand it correctly, in Chef currently every node has to be a
chef-server or chef-client installed. What I’m looking for is a kind of
agent-less approach, where recipes get applied over ssh. Hence the idea
of a remote Node.

I understand that recipes can be written in ruby, so making them execute
remote will be hard if no ruby is installed. Still for the script or
commandline execution, file copying and so on, these can be executed
over ssh (if they execute commandline equivalents) using plain shell
commands. Recipes could be marked as remote if all commands can be
executed remote or not.

Another side effect of this capability, is that any device that has ssh
and a commandline API (such as vmware, xen, routers, switches,
firewalls) can be integrated in Chef without them requiring ruby or
anything else. It would make the tool pass better security guys because
it doesn’t require any additional software on the devices.

My first thought would be to make chef-solo execute command over an ssh.

What do you guys think of this idea? Wrong assumptions? Worth
investigating time in to integrate it in Chef? Or any other ways to
tackle this?

Thanks for any feedback ,

Patrick


#2

Chef is written in ruby so you will need a ruby virtual machine to use
chef. Most use a small bootstrap script to get ruby installed prior to
chef.

-lee

On Mon, Apr 12, 2010 at 8:17 AM, Patrick Debois Patrick.Debois@jedi.be wrote:

Hi list,

I’m rather new to Chef usage. So please forgive for ignorant questions,
remarks :wink:

While looking at the functionality in Chef, I’m wondering if there exists a
way to manage nodes over ssh.
In the past I’ve written my own scripts (not recipes obviously) that can be
either executed locally or remote (over ssh).

If I understand it correctly, in Chef currently every node has to be a
chef-server or chef-client installed. What I’m looking for is a kind of
agent-less approach, where recipes get applied over ssh. Hence the idea of a
remote Node.

I understand that recipes can be written in ruby, so making them execute
remote will be hard if no ruby is installed. Still for the script or
commandline execution, file copying and so on, these can be executed over
ssh (if they execute commandline equivalents) using plain shell commands.
Recipes could be marked as remote if all commands can be executed remote or
not.

Another side effect of this capability, is that any device that has ssh and
a commandline API (such as vmware, xen, routers, switches, firewalls) can be
integrated in Chef without them requiring ruby or anything else. It would
make the tool pass better security guys because it doesn’t require any
additional software on the devices.

My first thought would be to make chef-solo execute command over an ssh.

What do you guys think of this idea? Wrong assumptions? Worth investigating
time in to integrate it in Chef? Or any other ways to tackle this?

Thanks for any feedback ,

Patrick


Lee Azzarello
drop.io staff hacker


#3

Hey Patrick,

I’ve got a little ruby gem I’ve written called spatula that you can install
using “gem install spatula”. It’ll both prepare a remote server by
installing all the necessary dependencies for chef-solo to run and ssh into
a server and run chef solo. So… maybe it’ll fit your needs :slight_smile:

Here’s a little example of usage:

gem install spatula cd your-chef-repo
spatula prepare some.remote.box spatula cook some.remote.box node-config-name

That’ll prepare the box, rsync your chef-repo over, and then run chef-solo
on the box. Let me know if you have any problems.

  • Trotter

On Mon, Apr 12, 2010 at 8:17 AM, Patrick Debois Patrick.Debois@jedi.bewrote:

Hi list,

I’m rather new to Chef usage. So please forgive for ignorant questions,
remarks :wink:

While looking at the functionality in Chef, I’m wondering if there exists a
way to manage nodes over ssh.
In the past I’ve written my own scripts (not recipes obviously) that can be
either executed locally or remote (over ssh).

If I understand it correctly, in Chef currently every node has to be a
chef-server or chef-client installed. What I’m looking for is a kind of
agent-less approach, where recipes get applied over ssh. Hence the idea of a
remote Node.

I understand that recipes can be written in ruby, so making them execute
remote will be hard if no ruby is installed. Still for the script or
commandline execution, file copying and so on, these can be executed over
ssh (if they execute commandline equivalents) using plain shell commands.
Recipes could be marked as remote if all commands can be executed remote or
not.

Another side effect of this capability, is that any device that has ssh and
a commandline API (such as vmware, xen, routers, switches, firewalls) can be
integrated in Chef without them requiring ruby or anything else. It would
make the tool pass better security guys because it doesn’t require any
additional software on the devices.

My first thought would be to make chef-solo execute command over an ssh.

What do you guys think of this idea? Wrong assumptions? Worth investigating
time in to integrate it in Chef? Or any other ways to tackle this?

Thanks for any feedback ,

Patrick


#4

Hi Trotter, Lee,

thanks for the help.(spatula does look interesting!)

Let me try to clarify: I’m not looking for a way to jumpstart a chef
client. I’m looking for a way to manage a node ‘agent-less’ over ssh. I
understand this not in Chef yet. I personally think this would bring
added value, (at least to me :wink: And I would be willing to spent some
time on this.

I’m trying to figure out if it makes to integrate this in Chef code’s or
not.

Patrick

On 12/04/2010 15:12, Trotter Cashion wrote:

Hey Patrick,

I’ve got a little ruby gem I’ve written called spatula that you can
install using “gem install spatula”. It’ll both prepare a remote
server by installing all the necessary dependencies for chef-solo to
run and ssh into a server and run chef solo. So… maybe it’ll fit
your needs :slight_smile:

Here’s a little example of usage:

gem install spatula cd your-chef-repo
spatula prepare some.remote.box spatula cook some.remote.box node-config-name

That’ll prepare the box, rsync your chef-repo over, and then run
chef-solo on the box. Let me know if you have any problems.

  • Trotter

On Mon, Apr 12, 2010 at 8:17 AM, Patrick Debois
<Patrick.Debois@jedi.be mailto:Patrick.Debois@jedi.be> wrote:

Hi list,

I'm rather new to Chef usage. So please forgive for ignorant
questions, remarks ;-)

While looking at the functionality in Chef, I'm wondering if there
exists a way to manage nodes over ssh.
In the past I've written my own scripts (not recipes obviously)
that can be either executed locally or remote (over ssh).

If I understand it correctly, in Chef currently every node has to
be a chef-server or chef-client installed. What I'm looking for is
a kind of agent-less approach, where recipes get applied over ssh.
Hence the idea of a remote Node.

I understand that recipes can be written in ruby, so making them
execute remote will be hard if no ruby is installed. Still for the
script or commandline execution, file copying and so on, these can
be executed over ssh (if they execute commandline equivalents)
using plain shell commands. Recipes could be marked as remote if
all commands can be executed remote or not.

Another side effect of this capability, is that any device that
has ssh and a commandline API (such as vmware, xen, routers,
switches, firewalls) can be integrated in Chef without them
requiring ruby or anything else.  It would make the tool pass
better security guys because it doesn't require any additional
software on the devices.

My first thought would be to make chef-solo execute command over
an ssh.

What do you guys think of this idea? Wrong assumptions? Worth
investigating time in to integrate it in Chef? Or any other ways
to tackle this?

Thanks for any feedback ,

Patrick

#5

Write a resource / provider to run capistrano actions from within
chef. Your custom chef resources would hide the sequence of ssh
actions which would otherwise be your remote script. Those will be
specifically to those network device(s) such as routers etc. A chef
resource can be put into “cookbook/libraries/resource.rb”.

Im not sure how to call capistrano from chef (never needed to), but it
sounds like thats what you are looking for. Then its possible to write
the resource for your chef recipes. As already was pointed out, the
easiest way to run a chef recipe is with chef-solo.

On Mon, Apr 12, 2010 at 2:48 PM, Patrick Debois Patrick.Debois@jedi.be wrote:

Hi Trotter, Lee,

thanks for the help.(spatula does look interesting!)

Let me try to clarify: I’m not looking for a way to jumpstart a chef client.
I’m looking for a way to manage a node ‘agent-less’ over ssh. I understand
this not in Chef yet. I personally think this would bring added value, (at
least to me :wink: And I would be willing to spent some time on this.

I’m trying to figure out if it makes to integrate this in Chef code’s or
not.

Patrick

On 12/04/2010 15:12, Trotter Cashion wrote:

Hey Patrick,
I’ve got a little ruby gem I’ve written called spatula that you can install
using “gem install spatula”. It’ll both prepare a remote server by
installing all the necessary dependencies for chef-solo to run and ssh into
a server and run chef solo. So… maybe it’ll fit your needs :slight_smile:
Here’s a little example of usage:
gem install spatula cd your-chef-repo
spatula prepare some.remote.box spatula cook some.remote.box node-config-name
That’ll prepare the box, rsync your chef-repo over, and then run chef-solo
on the box. Let me know if you have any problems.

Hi list,

I’m rather new to Chef usage. So please forgive for ignorant questions,
remarks :wink:

While looking at the functionality in Chef, I’m wondering if there exists
a way to manage nodes over ssh.
In the past I’ve written my own scripts (not recipes obviously) that can
be either executed locally or remote (over ssh).

If I understand it correctly, in Chef currently every node has to be a
chef-server or chef-client installed. What I’m looking for is a kind of
agent-less approach, where recipes get applied over ssh. Hence the idea of a
remote Node.

I understand that recipes can be written in ruby, so making them execute
remote will be hard if no ruby is installed. Still for the script or
commandline execution, file copying and so on, these can be executed over
ssh (if they execute commandline equivalents) using plain shell commands.
Recipes could be marked as remote if all commands can be executed remote or
not.

Another side effect of this capability, is that any device that has ssh
and a commandline API (such as vmware, xen, routers, switches, firewalls)
can be integrated in Chef without them requiring ruby or anything else. It
would make the tool pass better security guys because it doesn’t require any
additional software on the devices.

My first thought would be to make chef-solo execute command over an ssh.

What do you guys think of this idea? Wrong assumptions? Worth
investigating time in to integrate it in Chef? Or any other ways to tackle
this?

Thanks for any feedback ,

Patrick


#6

On Mon, Apr 12, 2010 at 03:48:03PM +0200, Patrick Debois wrote:

Hi Trotter, Lee,

thanks for the help.(spatula does look interesting!)

Let me try to clarify: I’m not looking for a way to jumpstart a chef
client. I’m looking for a way to manage a node ‘agent-less’ over
ssh. I understand this not in Chef yet. I personally think this
would bring added value, (at least to me :wink: And I would be willing
to spent some time on this.

I’m trying to figure out if it makes to integrate this in Chef
code’s or not.

I’ve wanted to have this feature in chef in the past as well.
From what I can tell, the bulk of the work that would need to be done is in
crafting drop in replacements of popen4() and run_command() that execute
ssh and execute the commands over the ssh connection. You would probably
at the very least investigate using multiple ssh channels over one
ssh connection to eliminate the setup cost of having one authenticated
ssh session for each executed command. I have no idea whether or not
net-ssh-ruby supports using session multiplexing.

I would be definitely interested in working with someone on this
feature.


Mathieu Sauve-Frankel


#7

On 12/04/2010 16:17, msf wrote:

On Mon, Apr 12, 2010 at 03:48:03PM +0200, Patrick Debois wrote:

Hi Trotter, Lee,

thanks for the help.(spatula does look interesting!)

Let me try to clarify: I’m not looking for a way to jumpstart a chef
client. I’m looking for a way to manage a node ‘agent-less’ over
ssh. I understand this not in Chef yet. I personally think this
would bring added value, (at least to me :wink: And I would be willing
to spent some time on this.

I’m trying to figure out if it makes to integrate this in Chef
code’s or not.

I’ve wanted to have this feature in chef in the past as well.
From what I can tell, the bulk of the work that would need to be done is in
crafting drop in replacements of popen4() and run_command() that execute
ssh and execute the commands over the ssh connection. You would probably
at the very least investigate using multiple ssh channels over one
ssh connection to eliminate the setup cost of having one authenticated
ssh session for each executed command. I have no idea whether or not
net-ssh-ruby supports using session multiplexing.

I would be definitely interested in working with someone on this
feature.

Dreamcat4 and Lindsay,

thanks for the hints on integrating Capistrano. It’s not what I had in
mind, but I’ll investigate the custom resource and the moonshine
alternative to see how they fit in.

Msf,

From what I read from your mail, this is what I was thinking: making
run_command, open4, system and so one ssh/remote aware. The caveat is
that a lot of logic in scripts is handled by ruby internal code that you
can’t simply make ssh aware unless you implement it as a command line
(f.i. copy files over ssh (handled in ruby code) instead of 'scp …'
command). Therefore I was thinking of flagging recipes with the remote
execute capability flag : meaning it handles everything by commandline
commands.

Anyone else interested?


#8

On Mon, Apr 12, 2010 at 3:17 PM, msf msf@kisoku.net wrote:

On Mon, Apr 12, 2010 at 03:48:03PM +0200, Patrick Debois wrote:

Hi Trotter, Lee,

thanks for the help.(spatula does look interesting!)

Let me try to clarify: I’m not looking for a way to jumpstart a chef
client. I’m looking for a way to manage a node ‘agent-less’ over
ssh. I understand this not in Chef yet. I personally think this
would bring added value, (at least to me :wink: And I would be willing
to spent some time on this.

I’m trying to figure out if it makes to integrate this in Chef
code’s or not.

I’ve wanted to have this feature in chef in the past as well.
From what I can tell, the bulk of the work that would need to be done is in
crafting drop in replacements of popen4() and run_command() that execute
ssh and execute the commands over the ssh connection. You would probably
at the very least investigate using multiple ssh channels over one
ssh connection to eliminate the setup cost of having one authenticated
ssh session for each executed command. I have no idea whether or not
net-ssh-ruby supports using session multiplexing.

Well, these are features already present in Capistrano. Multiple
remote hosts, single session. Many more. Why would you want to
re-write all of that stuff rather than just require ‘capistrano’ and
have at it?

You can run cap from within another ruby library. Theres no need for a
seperate process or anything.

I would be definitely interested in working with someone on this
feature.


Mathieu Sauve-Frankel


#9

On Mon, Apr 12, 2010 at 7:28 AM, Patrick Debois Patrick.Debois@jedi.be wrote:

Msf,

From what I read from your mail, this is what I was thinking: making
run_command, open4, system and so one ssh/remote aware. The caveat is that a
lot of logic in scripts is handled by ruby internal code that you can’t
simply make ssh aware unless you implement it as a command line (f.i. copy
files over ssh (handled in ruby code) instead of ‘scp …’ command).
Therefore I was thinking of flagging recipes with the remote execute
capability flag : meaning it handles everything by commandline commands.

Anyone else interested?

I think this is probably dangerous, and at the very least fraught with
peril - and also, it might be totally awesome.

What I don’t understand is where the use case is. If the issue is
that the devices themselves are closed (say a switch, or a load
balancer, etc.) a smaller amount of effort could probably be expended
to get a full fledged Chef resource and provider that work for the
device.

It feels to me like what you want is a mash-up of what Capistrano
provides (in terms of push-ability and quick hacking) and the
resources that exist in Chef. Which you can have, but the easy path
would be to have ruby on the devices under management.

Is the real problem here just that you don’t want ruby installed everywhere?

Adam


Opscode, Inc.
Adam Jacob, CTO
T: (206) 508-7449 E: adam@opscode.com