Re: [vagrant-up] Interactive Provisioning


Stefan Goethals

Jun 21, 2012, 1:06:36 PM
to vagra...@googlegroups.com
Just use the provided puppet or chef provisioners. That is exactly what they are intended for..

On Thu, Jun 21, 2012 at 5:44 PM, Matt Bierbaum <matt.b...@gmail.com> wrote:
> I was wondering if there was a way to provide user interaction during provisioning.  As it is now, I'm using a Shell provisioner that would like to ask for a password to gather a public key from another server.  However, the ssh run during `vagrant up` does not allocate a pseudo-tty.  Is there a way to provide this option to ssh during the up command.  The shell does run successfully when run with ssh -t -p 2222 vagrant@localhost "/bin/bash ~/script.sh".  I tried to sneak it into other parts of the ssh command but it appears you've escaped the options well enough.
>
> I was also considering using ssh-askpass, but haven't got that to function properly either.  The last option is to login to the box and run the script.  I was hoping to make these as simple to distribute as possible though.
>
> Thanks!

Matt Bierbaum

Jun 21, 2012, 1:42:00 PM
to vagra...@googlegroups.com
I realize they are very powerful and have been reading about them for some time, but it seems every mention of user input is how to avoid it and most passwords are hard coded into the provisioner.  Could you point to a quick example of how to ask user input and put the result in a flat file on the VM or something similar? 

Stefan Goethals

Jun 21, 2012, 1:43:07 PM
to vagra...@googlegroups.com
I think you need to explain what you are trying to do and think about what you really need.


On Thu, Jun 21, 2012 at 7:40 PM, Matt Bierbaum <matt.b...@gmail.com> wrote:
> I realize they are very powerful and have been reading about them for some time, but it seems every mention of user input is how to avoid it and most passwords are hard coded into the provisioner.  Could you point to a quick example of how to ask user input and put the result in a flat file on the VM or something similar?
>
> On Thursday, June 21, 2012 1:06:36 PM UTC-4, Stefan Goethals wrote:
> > Just use the provided puppet or chef provisioners. That is exactly what they are intended for..

Mitchell Hashimoto

Jun 21, 2012, 1:45:00 PM
to vagra...@googlegroups.com
Matt,

On Thu, Jun 21, 2012 at 8:44 AM, Matt Bierbaum <matt.b...@gmail.com> wrote:
> I was wondering if there was a way to provide user interaction during
> provisioning.  As it is now, I'm using a Shell provisioner that would like
> to ask for a password to gather a public key from another server.  However,
> the ssh run during `vagrant up` does not allocate a pseudo-tty.  Is there a
> way to provide this option to ssh during the up command.  The shell does run
> successfully when run with ssh -t -p 2222 vagrant@localhost "/bin/bash
> ~/script.sh".  I tried to sneak it into other parts of the ssh command but
> it appears you've escaped the options well enough.
>
> I was also considering using ssh-askpass, but haven't got that to function
> properly either.  The last option is to login to the box and run the script.
>  I was hoping to make these as simple to distribute as possible though.

There isn't any way to ask for input because usually that's not what
you want to do. However, it is an idea for the future.

In the meantime, there are a few options:

1. Use a version control ignored local file for storing your
passwords, have your Vagrantfile read this file. This way the
passwords remain on the system.
2. Use environmental variables that are read in the Vagrantfile and
passed as arguments perhaps to the shell script.

I hope this helps.

Best,
Mitchell

>
> Thanks!

Matt Bierbaum

Jun 21, 2012, 2:40:22 PM
to vagra...@googlegroups.com
Thank you for the response.  I am currently doing something similar to 1. though I was hoping to remove the need for a password stored in a flatfile.  We are trying to distribute a VM to a number of sources (some more secure than others) to join in a computational task.  Currently authentication for the box goes through a public key which provides access to shared resources using sshd restrictions and chroot jail.  As the provisioning is finished, the idea is that the user enters his credentials to authenticate the box and is then locked out of the box and left with a webserver that outputs its status.  However, I was hoping to remove a bit of direct insecurity by removing the password file.

Another option would be two stage provision where the main provisioner runs most of the setup.  Then, we could ask the user to also run `vagrant ssh -c "finish.sh" -- -t` and resolve credentials at that time.  Something like this is an option as well.  

Do you have thoughts on better ways to achieve these stand alone compute resources that could live in places of mixed security?  


Patrick Connolly

Jan 25, 2013, 4:45:23 PM
to vagra...@googlegroups.com
In case it helps anyone, it's a little less clean than I'd like, but here's how we do it:

Generate gitignored config file with rake task:

Load config settings into Vagrantfile and roles:


For what it's worth, we allow these to be set via envvar, and this overwrites the settings in the config.yml file:

So if there's a value named "basebox" in the config.yml file, you can run this to set it to "lucid64" before running any vagrant command:

`basebox=lucid64 vagrant up` or `basebox=lucid64 vagrant reload`

Also handy to reprovision a VM, for example if you have recipes that can rebuild a site from a different branch:

`branch=123-my-new-feature clean=true vagrant provision`

(`clean=true` is the "safety" envvar that is needed to blow away the site docroots)

Anyhow, currently thinking on how to convert this into a vagrant plugin that generalizes the features in between projects.

P
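
The two options Mitchell lists (a version-control-ignored file, or environment variables read in the Vagrantfile) combined with the envvar-over-`config.yml` override Patrick describes, as an added example that is not code from the thread or from Vagrant. `load_settings` and the `fetch_password` key are hypothetical names, and the Vagrantfile part assumes the current `Vagrant.configure("2")` syntax and the shell provisioner's `env` option.

```ruby
require "yaml"
require "tempfile"

# Hypothetical helper (not part of Vagrant): read settings from a git-ignored
# YAML file and let same-named environment variables override them.
def load_settings(path, env = ENV, required: [])
  settings = {}
  if File.exist?(path)
    mode = File.stat(path).mode & 0o777
    # A secrets file readable by group or other defeats keeping it out of git.
    raise "#{path} is mode #{format('%o', mode)}; run chmod 600" unless (mode & 0o077).zero?
    settings = YAML.safe_load(File.read(path)) || {}
    raise "#{path} must contain a YAML mapping" unless settings.is_a?(Hash)
  end
  # Environment wins, so `basebox=lucid64 vagrant up` overrides the file.
  (settings.keys | required).each do |key|
    settings[key] = env[key] if env.key?(key) && !env[key].empty?
  end
  # Fail before provisioning starts instead of prompting inside the guest.
  missing = required.select { |key| settings[key].to_s.empty? }
  raise "missing settings: #{missing.join(', ')}" unless missing.empty?
  settings
end

# Vagrantfile use: this branch only runs when the file is loaded by Vagrant.
# The secret reaches script.sh through its environment, not its arguments.
if defined?(Vagrant)
  Vagrant.configure("2") do |config|
    s = load_settings(File.join(__dir__, "config.yml"), required: ["fetch_password"])
    config.vm.box = s["basebox"]
    config.vm.provision "shell", path: "script.sh",
                                 env: { "FETCH_PASSWORD" => s["fetch_password"] }
  end
end

# Constructed sample: a temporary config.yml (Tempfile creates it mode 0600)
# plus a constructed environment hash that overrides one key.
def demo
  Tempfile.create("config.yml") do |f|
    f.write("basebox: precise64\nfetch_password: from-file\n")
    f.flush
    load_settings(f.path, { "basebox" => "lucid64" }, required: ["fetch_password"])
  end
end

p demo if $PROGRAM_NAME == __FILE__
```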

Patrick Connolly

Jan 25, 2013, 4:51:28 PM
to vagra...@googlegroups.com
This might help:

If your users have ssh keys on their host machines that have access, this gives the chef run (and `vagrant ssh`) access to the forwarded session of the host. So your VM can access anything that the host can via ssh keys :)