| Field | Value |
|---|---|
| Name | afterglow |
| Version | 0.1.0.dev0 |
| Summary | A configuration tool for ignition based systems |
| upload_time | 2023-07-23 07:04:21 |
| home_page | |
| maintainer | |
| docs_url | None |
| author | James |
| requires_python | >=3.11,<4.0 |
| license | |
| keywords | |
| VCS | |
| bugtrack_url | |
| requirements | No requirements were recorded. |
| Travis-CI | No Travis. |
| coveralls test coverage | No coveralls. |
# afterglow
###### WARNING: Project is currently unstable; APIs, versions and tags can change at any moment
### A configuration tool for ignition based systems.
Ignition applies its configuration once, at first boot, and that configuration is normally served from somewhere every instance can read (cloud user-data, a URL on the provisioning network). If a service needs configured secrets, it is tempting to put them in the Ignition config. Doing so stores them in plain text, possibly uploaded to a hosting provider, and typically leaves them readable by any process on the instance that can fetch the user-data or config URL. It also does not really solve the problem: secrets rotate, so static values baked into the Ignition config go stale. This service is intended to provision secrets after boot, the way other servers are provisioned, in line with the general approach of configuration tools such as Ansible and Puppet.
## Principle of operation
This service uses `ssh` and `scp` to copy configuration files across, with parent/child semantics: the parent provisions the child. A typical boot flow looks like this:
- Parent (CI / local machine / another instance) boots a new VM on some host provider
  - The parent needs to know the child's public key
  - The parent needs to know the IP address of the child node
- Child boots and runs `afterglow child <...>`, providing its private key
  ###### Note: In some ways this is just kicking the can down the road: the private key still has to get onto the child node. How exactly is up to you. A few options seem promising:
  - Add a volume mount to the instance through the host provider
  - Upload a custom FCOS/Flatcar/... image with a pre-shared key (symmetric or asymmetric?) used to decrypt a private key carried in the Ignition config
  - Some other trust mechanism through the host provider (e.g. AWS Secrets Manager) with IAM permissions granted to the instance
- Parent runs `afterglow parent <...>` with the child's public key and connects to the child
- Child initiates `scp` for each configured file
- Both the parent and child processes return exit code `0` on successful provisioning
- Child writes a lock file to `--lock-path` containing `<file tag> = <sha256sum>` key/value pairs
  ###### Note: This is intended to allow use in a systemd unit for oneshot behaviour
If a copy fails, the child process keeps running and waits up to `--timeout` for a new parent connection that succeeds.
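The lock file is what makes the child safe to re-run: a later boot can skip provisioning when every recorded digest still matches, and re-provision when a file is missing, changed, or the lock file is absent or half-written. The following is an added example, not afterglow's own code. It follows only the two formats the README documents (the `tag:path` form of `--files` and the `<file tag> = <sha256sum>` lock-file lines); every function name is hypothetical and the file contents in `demo()` are constructed.

```python
"""Lock-file helpers for an afterglow-style one-shot provisioning run.

Added example, not afterglow's own code. It follows the two formats the
README documents: the `tag:path` form of the --files argument and the
`<file tag> = <sha256sum>` lines of the lock file. All function names are
hypothetical, and the sample file contents in demo() are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def parse_files_mapping(specs: list[str]) -> dict[str, Path]:
    """Parse ["tag:/abs/path", ...] into {tag: Path}.

    Splits on the first colon only, so a destination path may itself
    contain colons. Relative destinations and duplicate tags are rejected
    up front, before any file is copied.
    """
    mapping: dict[str, Path] = {}
    for spec in specs:
        tag, sep, raw_path = spec.partition(":")
        if not sep or not tag or not raw_path:
            raise ValueError(f"expected tag:path, got {spec!r}")
        path = Path(raw_path)
        if not path.is_absolute():
            raise ValueError(f"destination for {tag!r} must be absolute: {raw_path!r}")
        if tag in mapping:
            raise ValueError(f"duplicate tag {tag!r}")
        mapping[tag] = path
    return mapping


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, streamed so large files do not sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_lock_file(mapping: dict[str, Path], lock_path: Path) -> None:
    """Record `<tag> = <sha256>` for every provisioned file.

    Written to a sibling temp file and renamed into place, so a crash
    mid-write cannot leave a truncated lock file that a later boot would
    read as "already provisioned".
    """
    body = "".join(f"{tag} = {sha256_of(path)}\n" for tag, path in mapping.items())
    tmp_path = lock_path.with_name(lock_path.name + ".tmp")
    tmp_path.write_text(body)
    os.replace(tmp_path, lock_path)


def read_lock_file(lock_path: Path) -> dict[str, str]:
    """Parse a lock file back into {tag: hex digest}, rejecting malformed lines."""
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(lock_path.read_text().splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, sep, digest = (part.strip() for part in line.partition("="))
        digest = digest.lower()
        if not sep or not tag or len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"{lock_path}:{lineno}: malformed lock entry {raw!r}")
        entries[tag] = digest
    return entries


def stale_tags(mapping: dict[str, Path], lock_path: Path) -> list[str]:
    """Tags that still need provisioning: no lock file yet, tag not recorded,
    destination missing, or its content no longer matching the recorded hash.
    Checking the hash rather than only the lock file's existence catches a
    file that was changed or removed after a successful run."""
    if not lock_path.exists():
        return list(mapping)
    recorded = read_lock_file(lock_path)
    return [
        tag for tag, path in mapping.items()
        if tag not in recorded or not path.is_file() or sha256_of(path) != recorded[tag]
    ]


def demo() -> dict:
    """Constructed walk-through in a scratch directory: first run needs
    provisioning, second run is a no-op, a rotated file is detected."""
    root = Path(tempfile.mkdtemp(prefix="afterglow-example-"))
    target = root / "app.env"
    target.write_bytes(b"DB_PASSWORD=constructed-example\n")  # constructed sample content
    mapping = parse_files_mapping([f"app_env:{target}"])
    lock = root / "afterglow.lock"
    before = stale_tags(mapping, lock)        # no lock file yet -> ["app_env"]
    write_lock_file(mapping, lock)
    after = stale_tags(mapping, lock)         # hashes match -> []
    recorded_ok = read_lock_file(lock)["app_env"] == sha256_of(target)
    target.write_bytes(b"DB_PASSWORD=rotated\n")  # simulate a rotated secret
    rotated = stale_tags(mapping, lock)       # content changed -> ["app_env"]
    return {"before": before, "after": after, "recorded_ok": recorded_ok, "rotated": rotated}


if __name__ == "__main__":
    print(demo())
```

A systemd oneshot unit can gate on the lock file's existence alone, but running `stale_tags` first (or comparing the recorded digests yourself) is what tells you the secrets on disk are still the ones the parent delivered.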
## Roadmap
- Add CI integration tests
## Usage
### Specify the mode, either `parent` or `child`
```bash
usage: afterglow [-h] [parent | child] ...

Copy files from one machine to another

positional arguments:
  [parent | child]
    child     copy files onto this machine
    parent    copy files from this machine
```
### Parent options
```bash
usage: afterglow parent [-h] --private-key PRIVATE_KEY --child-key CHILD_KEY --ip IP --port PORT --files FILES [FILES ...] [--timeout TIMEOUT]

options:
  -h, --help            show this help message and exit
  --private-key PRIVATE_KEY
                        Path to private key file
  --child-key CHILD_KEY
                        Path to child's public key
  --ip IP               The IP address to connect to
  --port PORT           The port to connect to
  --files FILES [FILES ...]
                        Colon separated file:path mapping
  --timeout TIMEOUT     The time window within which files are expected to be copied across
```
### Child options
```bash
usage: afterglow child [-h] --private-key PRIVATE_KEY --port PORT --files FILES [FILES ...] [--timeout TIMEOUT]

options:
  -h, --help            show this help message and exit
  --private-key PRIVATE_KEY
                        Path to private key file
  --port PORT           The port on which the server will listen
  --files FILES [FILES ...]
                        Colon separated file:path mapping
  --lock-path LOCK_PATH
                        Path to write the lock file to upon successful provisioning
  --timeout TIMEOUT     The time window within which files are expected to be copied across
```
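The note under *Principle of operation* says the lock file exists so the child can run as a systemd oneshot. Below is an added example of such a unit; it is not part of the project. The install path `/usr/local/bin/afterglow`, the key path under `/etc/afterglow`, the `app_env` tag and its destination, and the lock path are all assumptions, and the `--timeout` value is in whatever unit afterglow expects. An Ignition/Butane config can install this unit at first boot, which keeps the Ignition config itself free of secrets.

```ini
[Unit]
Description=afterglow child: pull secrets from the parent after first boot
# Skip the whole unit once a previous run has written the lock file.
ConditionPathExists=!/var/lib/afterglow/afterglow.lock
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
# Stay "active" after exit so other units can order themselves After= this one.
RemainAfterExit=yes
# Creates /var/lib/afterglow (owned by the service user) for the lock file.
StateDirectory=afterglow
# Files created by the child process, lock file included, are created 0600.
UMask=0077
ExecStart=/usr/local/bin/afterglow child \
    --private-key /etc/afterglow/id_ed25519 \
    --port 8022 \
    --files app_env:/etc/myapp/app.env \
    --lock-path /var/lib/afterglow/afterglow.lock \
    --timeout 600

[Install]
WantedBy=multi-user.target
```

`ConditionPathExists=!...` makes a reboot a no-op once provisioning has succeeded; deleting the lock file (for example after a secret rotation) makes the next boot, or a manual `systemctl start`, provision again. The child's `--port` should additionally be reachable only from the parent's address, since anything that can connect to it is a candidate parent.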
# Makefile
Simplifies Docker packaging.
## Dependencies
Docker or Podman (pass `USE_PODMAN=1` to use Podman)
The `pyproject.toml` file needs to have a version set correctly
## Targets
- `build`: Builds the Docker or Podman image using the specified Dockerfile and assigns appropriate tags based on the project's version defined in `pyproject.toml`.
- `run`: Runs the Docker or Podman container with the specified runtime arguments (`RUN_ARGS`). It also allows additional runtime arguments to be passed (`DOCKER_ARGS`).
- `clean`: Removes the Docker or Podman image and the running container associated with the project. It stops the running container, removes it, and deletes the image.
- `rebuild`: runs `clean` then `build`
- `rerun`: runs `rebuild` then `run`
- `push`: Pushes the image to Docker Hub
- `help`: Show help information
# Developing
## Tech stack
- [pyenv](https://github.com/pyenv/pyenv)
  - [python-build-dependencies](https://github.com/pyenv/pyenv/wiki#suggested-build-environment)
- [poetry](https://python-poetry.org/)
- python 3.11
  - `pyenv install 3.11`
## Example invocations
### Child
```bash
docker run \
  -v ~/.ssh:/root/.ssh:ro \
  -v `pwd`:/host \
  -p 127.0.0.1:8022:8022 \
  dataligand/afterglow:latest child \
  --files test_file:/host/child/files \
  --lock-path /host/afterglow.lock \
  --private-key /root/.ssh/id_ed25519 \
  --port 8022
```
### Parent
```bash
docker run \
  -v ~/.ssh:/root/.ssh:ro \
  -v `pwd`:/root/files:ro \
  --network host \
  dataligand/afterglow:latest parent \
  --files test_file:/root/files/test_file \
  --private-key /root/.ssh/id_ed25519 \
  --child-key /root/.ssh/id_ed25519.pub \
  --ip localhost \
  --port 8022
```
Both examples mount the same `~/.ssh` and use `id_ed25519` as the parent's private key and `id_ed25519.pub` as the child's public key, which only works because parent and child run on one host. In a real deployment the child has its own key pair, the parent is given only the child's public key via `--child-key`, and the child's `--port` is reachable only from the parent's address (the child example binds to `127.0.0.1` for the same reason) rather than from the whole network.
Raw data
{
"_id": null,
"home_page": "",
"name": "afterglow",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.11,<4.0",
"maintainer_email": "",
"keywords": "",
"author": "James",
"author_email": "james@dataligand.com",
"download_url": "https://files.pythonhosted.org/packages/36/59/8e891365853b069e506a19602c1aeac8d2473aa0d48f772219a77e2a12f2/afterglow-0.1.0.dev0.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "",
"summary": "A configuration tool for ignition based systems",
"version": "0.1.0.dev0",
"project_urls": null,
"split_keywords": [],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "dc1b60e3e669b5a814e6d34063363ef6872bcb8e4cfe0fdfa302cf98417efdeb",
"md5": "b7141f530fb1274a88e6ebbf1687c36f",
"sha256": "df98566c98259299ab42ae65e3c14a19a89f5324c8aa0b33e09cc0deec77e55a"
},
"downloads": -1,
"filename": "afterglow-0.1.0.dev0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "b7141f530fb1274a88e6ebbf1687c36f",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.11,<4.0",
"size": 21755,
"upload_time": "2023-07-23T07:04:19",
"upload_time_iso_8601": "2023-07-23T07:04:19.098673Z",
"url": "https://files.pythonhosted.org/packages/dc/1b/60e3e669b5a814e6d34063363ef6872bcb8e4cfe0fdfa302cf98417efdeb/afterglow-0.1.0.dev0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "36598e891365853b069e506a19602c1aeac8d2473aa0d48f772219a77e2a12f2",
"md5": "38524b337435a8746e03119b9fe6e0ee",
"sha256": "a117b7befaf902a8a7f5ca76b76d18b660a3fdece9c761b0652de573bfdc8827"
},
"downloads": -1,
"filename": "afterglow-0.1.0.dev0.tar.gz",
"has_sig": false,
"md5_digest": "38524b337435a8746e03119b9fe6e0ee",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.11,<4.0",
"size": 21629,
"upload_time": "2023-07-23T07:04:21",
"upload_time_iso_8601": "2023-07-23T07:04:21.176414Z",
"url": "https://files.pythonhosted.org/packages/36/59/8e891365853b069e506a19602c1aeac8d2473aa0d48f772219a77e2a12f2/afterglow-0.1.0.dev0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-07-23 07:04:21",
"github": false,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"lcname": "afterglow"
}