Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for non-root deployments #1270

Merged
merged 15 commits into from May 5, 2020
Merged

Add support for non-root deployments #1270

merged 15 commits into from May 5, 2020

Conversation

adisbladis
Copy link
Member

@adisbladis adisbladis commented Mar 29, 2020
edited

This adds a new deployment configuration attribute (targetUser).
To inherit the username from the local user issuing the deployment
set:

deployment.targetUser = null;

Setting this to a string will deploy as that user. This option
defaults to "root".

We assume the following for non-root deploys:

  • Passwordless sudo (no TTY allocation possible)

I'm using the following NixOS configuration

security.pam.services.sudo.sshAgentAuth = true;
security.pam.enableSSHAgentAuth = true;

For this use-case I've introduced:

deployment.sshOptions = [ "-A" ];
  • The deployment user is trusted by the Nix daemon
nix.trustedUsers = [ "adisbladis" ];

This is required because of nix-copy-closure.

Closes #730

@adisbladis adisbladis changed the title Add support for non-root deployments WIP: Add support for non-root deployments Mar 29, 2020
adisbladis
adisbladis commented Mar 29, 2020
View reviewed changes
nixops/ssh_util.py Outdated Show resolved Hide resolved
@adisbladis adisbladis mentioned this pull request Mar 29, 2020
Closed
@adisbladis adisbladis changed the title WIP: Add support for non-root deployments Add support for non-root deployments Mar 29, 2020
@adisbladis adisbladis force-pushed the non-root-deploys branch 3 times, most recently from 7674ab1 to f14c152 Compare March 30, 2020 18:20
@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/tweag-nix-dev-update/6525/1

@adisbladis adisbladis mentioned this pull request Apr 15, 2020
Merged
grahamc
grahamc reviewed Apr 15, 2020
View reviewed changes
nixops/backends/__init__.py Show resolved Hide resolved
nixops/backends/__init__.py Outdated Show resolved Hide resolved
nix/options.nix Outdated Show resolved Hide resolved
nixops/ssh_util.py Outdated Show resolved Hide resolved
@grahamc
Copy link
Member

grahamc commented Apr 15, 2020

I'm thinking we should make two things more configurable, and less "baked-in":

  1. make the escalation command (currently always sudo) configurable as a list of arguments to put before the command being run
  2. make it possible to specify additional options to SSH, so we don't need to explicitly add support for forwarded agents, or other things like GSSAPI.

@adisbladis
Copy link
Member Author

make the escalation command (currently always sudo) configurable as a list of arguments to put before the command being run

Done! The option is in deployment.privilegeEscalationCommand (which defaults to using sudo -H).

make it possible to specify additional options to SSH, so we don't need to explicitly add support for forwarded agents, or other things like GSSAPI.

This is now called deployment.sshOptions.

grahamc
grahamc reviewed Apr 16, 2020
View reviewed changes
nix/options.nix Outdated Show resolved Hide resolved
grahamc
grahamc reviewed Apr 16, 2020
View reviewed changes
nix/options.nix Outdated Show resolved Hide resolved
grahamc
grahamc reviewed Apr 16, 2020
View reviewed changes
nixops/backends/__init__.py Outdated
@@ -137,6 +145,8 @@ def set_common_state(self, defn) -> None:
if not self.has_fast_connection:
self.ssh.enable_compression()

self.ssh.privilege_escalation_command_set(defn.privilege_escalation_command)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we put set_ first? What is more pythonic?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know what's more pythonic. Personally I tend to like suffixing the operation so editor completion will suggest related operations.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The most Pythonic way would actually be not to use setters/getters at all but just mutate the attribute.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's leave it like this for now and reconsider in the future SSH/SSHMaster refactor you and me discussed.

@adisbladis adisbladis mentioned this pull request Apr 19, 2020
Merged
chreekat
chreekat reviewed Apr 19, 2020
View reviewed changes
Copy link

@chreekat chreekat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi! I made some comments/suggestions. None of them should be considered blockers; feel free to disregard or delay acting on them.

Thanks for chipping away at nixops!

nix/eval-machine-info.nix Outdated Show resolved Hide resolved
nix/options.nix Outdated Show resolved Hide resolved
nix/options.nix Outdated Show resolved Hide resolved
nix/options.nix Outdated Show resolved Hide resolved
@adisbladis adisbladis force-pushed the non-root-deploys branch 2 times, most recently from 6cad1f0 to 9586880 Compare April 20, 2020 07:09
@grahamc grahamc added this to the 2.0 milestone Apr 20, 2020
@grahamc
Copy link
Member

grahamc commented Apr 21, 2020

I gave this a go on a regular ol' server and it worked well. I then tried it on kif which sends some keys:

$ nixops deploy --deployment personal --include kif
building all machine configurations...
kif.........> copying closure...
personal> closures copied successfully
kif.........> uploading key ‘vault-login’...
kif.........> scp: /run/keys/.vault-login.tmp: Permission denied
kif.........> error: Traceback (most recent call last):
  File "/home/grahamc/projects/github.com/NixOS/nixops/nixops/deployment.py", line 920, in worker
    m.send_keys()
  File "/home/grahamc/projects/github.com/NixOS/nixops/nixops/backends/__init__.py", line 330, in send_keys
    self.upload_file(tmp, tmp_outfile)
  File "/home/grahamc/projects/github.com/NixOS/nixops/nixops/backends/__init__.py", line 478, in upload_file
    return self._logged_exec(cmdline)
  File "/home/grahamc/projects/github.com/NixOS/nixops/nixops/backends/__init__.py", line 413, in _logged_exec
    return nixops.util.logged_exec(command, self.logger, **kwargs)
  File "/home/grahamc/projects/github.com/NixOS/nixops/nixops/util.py", line 207, in logged_exec
    raise CommandFailed(err, res)
nixops.util.CommandFailed: command ‘['scp', '-P', '22', '-o', 'StrictHostKeyChecking=accept-new', '-i', '/run/user/1000/nixops-tmp04t91o0s/id_nixops-kif', '-oControlPath=/run/user/1000/nixops-ssh-tmp7jl7pc7v/master-socket', '/run/user/1000/nixops-tmp04t91o0s/key-kif', 'grahamc@10.5.3.16:/run/keys/.vault-login.tmp']’ failed on machine ‘kif’ (exit code 1)

I think we're going to need to go back to the drawing board a bit and plan this a bit more. In particular:

  • callers of run_command have the assumption they're root
  • upload_file does too

Leaving me with a couple questions:

  • Does this feature make uploading riskier by uploading files as the user and then moving them in to place via sudo?
  • What is the API guarantee we want to retain around run_command?

I'm sorry to drag this PR out.

@grahamc grahamc added this to In progress in kanban Apr 23, 2020
@grahamc grahamc moved this from In progress to To do in kanban Apr 23, 2020
@adisbladis adisbladis force-pushed the non-root-deploys branch 2 times, most recently from c94af80 to 9210af6 Compare April 23, 2020 17:47
@adisbladis adisbladis mentioned this pull request Apr 24, 2020
Closed
adisbladis added a commit to adisbladis/nixops that referenced this pull request Apr 24, 2020
@adisbladis
Use rsync instead of scp for file copying
b626820 
This will allow us to pass options to openssh and escalate
privileges (see NixOS#1270) more easily.

Closes NixOS#1322
@adisbladis
Add extra SSH options attribute to deployment
a4299c6
@adisbladis
Make privilege escalation command configurable
0d9994b
@adisbladis
targetUser option: Clarify what happens when option set to null
b025338
@adisbladis
backends: Remove redundant ssh_user check
b230b2b
@adisbladis
deployment.privilegeEscalationCommand: Add note about ending privileg…
7ad4abf 
…e escalation command with --
@adisbladis
ssh_util.get_target: user is non-optional, remove None check
9d458f8
@adisbladis
Make an explicit targetUser required (dont suppor the None) case
0678350 
This is so that we won't get inconsistencies between different
subcommands like `nixops send-keys` (which doesn't eval) the
deployment attributes.

This change should be reverted at a later date when we have made these
commands evaluate the configuration.
@adisbladis
script_defs: Get ssh user from machine in parse_machine
76d5396
@adisbladis
script_defs: Get machine directly from parse_machine
f116003
cole-h
cole-h suggested changes May 4, 2020
View reviewed changes
Copy link
Member

@cole-h cole-h left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also note that the headers aren't formatted correctly: https://github.com/NixOS/nixops/blob/a577be5eb5b82e1ef533c9348f61b3996c446988/doc/guides/deploy-without-root.rst

doc/guides/deploy-without-root.rst Outdated Show resolved Hide resolved
doc/guides/deploy-without-root.rst Outdated Show resolved Hide resolved
doc/guides/deploy-without-root.rst Show resolved Hide resolved
cole-h
cole-h suggested changes May 4, 2020
View reviewed changes
doc/guides/deploy-without-root.rst Outdated Show resolved Hide resolved
doc/guides/deploy-without-root.rst Outdated Show resolved Hide resolved
doc/guides/deploy-without-root.rst Outdated Show resolved Hide resolved
doc/guides/deploy-without-root.rst Outdated Show resolved Hide resolved
doc/guides/deploy-without-root.rst Outdated Show resolved Hide resolved
doc/guides/deploy-without-root.rst Outdated Show resolved Hide resolved
doc/guides/deploy-without-root.rst Outdated Show resolved Hide resolved
doc/guides/deploy-without-root.rst Outdated Show resolved Hide resolved
doc/guides/deploy-without-root.rst Outdated Show resolved Hide resolved
doc/guides/deploy-without-root.rst Show resolved Hide resolved
@adisbladis adisbladis force-pushed the non-root-deploys branch 2 times, most recently from f655a38 to 9f32108 Compare May 4, 2020 21:01
cole-h
cole-h suggested changes May 4, 2020
View reviewed changes
doc/guides/deploy-without-root.rst Show resolved Hide resolved
doc/guides/deploy-without-root.rst Show resolved Hide resolved
doc/guides/deploy-without-root.rst Show resolved Hide resolved
grahamc and others added 2 commits May 4, 2020 22:06
@grahamc @cole-h @adisbladis
docs: non-root deployments
ed18159 
Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com>
@grahamc @cole-h @adisbladis
nixops ssh,mount: document the interaction with targetUser
8818250 
Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com>
@grahamc grahamc merged commit d12bac6 into NixOS:master May 5, 2020
kanban automation moved this from To do to Done May 5, 2020
@adisbladis
Copy link
Member Author

🎉 🚀

@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/tweag-nix-dev-update-3/7154/1

@cprussin cprussin mentioned this pull request Feb 1, 2021
Closed
@septem9er septem9er mentioned this pull request May 16, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@grahamc grahamc grahamc left review comments

@chreekat chreekat chreekat left review comments

@cole-h cole-h cole-h requested changes

Assignees
No one assigned
Labels
None yet
Projects
kanban
  
Done
Milestone
2.0
Development

Successfully merging this pull request may close these issues.

Allow nixops to use another user than root for SSHing
5 participants
@adisbladis @nixos-discourse @grahamc @chreekat @cole-h