This article was originally published on the Red Hat Customer Portal. The information may no longer be current.
Satellite 6.2 ships with the much anticipated remote execution feature, which allows you to run scripts and jobs on a group of systems and then gather and view the output in the Satellite interface.
Remote Execution by itself works fine out of the box for new machines, but already existing machines need to be bootstrapped by adding an SSH public key to root's ~/.ssh/authorized_keys.
You can use Puppet to do this - assuming you are using Puppet at all - in two distinct ways:
- you can use a full module for it, for example the ghoneycutt/ssh module
- you can use hash_resources to place the key generated by Satellite in root's ~/.ssh/authorized_keys
Because there is a pretty large number of ssh related modules on Puppet Forge, I'm not going to go into that in much detail. If you have chosen one of those, it pretty much rules out all the others (that's just how Puppet works), so this would become a pretty long story. It's much easier to use the hash_resources module to manage this single key.
The hash_resources module was written by Stephen Benjamin and I'm utterly in love with it. You can use it to transform a hash into a Puppet resource. This is useful for many things, from creating an Apache virtual host with the apache::vhost defined type, a MariaDB database with the mysql::db defined type, or - in this case - setting up an SSH public key for authentication and using that with remote execution.
The setup
The setup is mind-numbingly simple. Just add the hash_resources module to your Puppet CV / environment, add the hash_resources class to your system / host group and override the resources parameter with:
```yaml
---
ssh_authorized_key:
  'foreman-proxy@satellite.example.com':
    user: root
    type: <%= @host.params['remote_execution_ssh_keys'][0].split(' ')[0] %>
    key: <%= @host.params['remote_execution_ssh_keys'][0].split(' ')[1] %>
```
Now granted, the above isn't exactly pretty, but it works and doesn't need a separate module at all. An explanation:
The first line after the --- marker specifies the type of the existing resource we want hash_resources to create (ssh_authorized_key). The line below it is the name we want that resource to get (the name / comment of our key, in this case). Lines 4 through 6 are parameters for that resource, starting with the name of the user, then the key type, and finally the body of the key.
I'm using some Ruby to split up the existing global parameter remote_execution_ssh_keys, because the contents of the remote_execution_ssh_keys variable aren't suitable to pass to hash_resources as they are. I take the first element of the remote_execution_ssh_keys array, split that on spaces and take the first and second elements of the resulting array for SSH key type and SSH key body, respectively.
The above snippet will work fine if you have only a single Satellite, without external capsules. If you have external capsules, you probably want to use a different snippet that distributes all of the remote execution SSH keys to all of your hosts (remember remote_execution_ssh_keys is an array!).
```yaml
---
ssh_authorized_key:
<% for _key in @host.params['remote_execution_ssh_keys'] do -%>
<% key = _key.split(' ') -%>
  <%= key[2] %>:
    user: <%= @host.params['remote_execution_ssh_user'] %>
    type: <%= key[0] %>
    key: <%= key[1] %>
<% end -%>
```
The above code isn't any prettier, but it will work on an arbitrary number of SSH keys that need to be distributed. It'll loop over the remote_execution_ssh_keys array and generate input for hash_resources on the fly. It'll even set the user correctly, if you don't want to use the default root account.
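Because these entries end up in root's authorized_keys, it is worth checking each one before it is rendered. The following is an added example, not part of the original article or of hash_resources: it performs the same split in plain Ruby and goes a little further by validating every entry. The names parse_pubkey, authorized_key_resources, sample_line, KNOWN_TYPES and the fallback resource names are hypothetical, and the sample keys are constructed.

```ruby
require 'yaml'

# Key types this example accepts (an assumed policy, adjust to your own).
KNOWN_TYPES = %w[ssh-rsa ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521].freeze

# Split one "type body comment" entry like the template does, but verify it first.
def parse_pubkey(line, fallback_name)
  type, body, comment = line.strip.split(' ', 3)
  # An options prefix such as command="..." would land in the type field; reject it.
  raise ArgumentError, "unexpected key type #{type.inspect}" unless KNOWN_TYPES.include?(type)
  blob = body.to_s.unpack1('m0') # strict base64 decode, raises ArgumentError on bad input
  len = blob.unpack1('N').to_i   # the blob starts with a length-prefixed type string
  raise ArgumentError, 'declared type does not match key blob' unless blob[4, len] == type
  # A key without a comment would otherwise render an empty resource name.
  { 'name' => comment.to_s.empty? ? fallback_name : comment, 'type' => type, 'key' => body }
end

# Build the hash for the hash_resources "resources" parameter.
def authorized_key_resources(lines, user = 'root')
  entries = lines.each_with_index.map do |line, i|
    k = parse_pubkey(line, "remote-execution-key-#{i}")
    [k['name'], { 'user' => user, 'type' => k['type'], 'key' => k['key'] }]
  end
  names = entries.map(&:first)
  raise ArgumentError, 'duplicate resource name' unless names.uniq.size == names.size
  { 'ssh_authorized_key' => entries.to_h }
end

# Constructed sample entry: a syntactically valid blob, not a real key.
def sample_line(type, comment = nil)
  blob = [type.bytesize].pack('N') + type + ("\x00".b * 32)
  [type, [blob].pack('m0'), comment].compact.join(' ')
end

if __FILE__ == $PROGRAM_NAME
  keys = [sample_line('ssh-rsa', 'foreman-proxy@satellite.example.com'),
          sample_line('ssh-ed25519')] # second entry has no comment
  puts authorized_key_resources(keys).to_yaml
end
```

Unlike the template, this keeps a comment containing spaces intact as the resource name instead of taking only its first word.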
Ups and downs
| Method | Ups | Downs |
|---|---|---|
| Using a full blown Puppet module | More control over other aspects of the SSH setup, like Match clauses and PermitRootLogin. | Either introduces a new module into the existing Puppet setup (if you aren't using Puppet to manage SSH yet), which can be a slow process, or you'll need to use the module already available (because generally, you can use only one module to manage SSH). Also, as there are at this time 65 modules that involve SSH on Puppet Forge, documenting a generic way to do this is impossible. |
| Using hash_resources only | Really easy to introduce, as it's likely you will use hash_resources at some point anyway. Doesn't require introducing a (new) SSH module, that might interfere with the existing setup. | Requires that you already use or don't mind starting to use hash_resources. |