T2405: add Git support to commit-archive #2241
This check fails: "Check pull request message format / Check pull request title (pull_request)"
The commit message should include the task ID, for example,

009eeb6 to 0b8c578
Note that Causes funny problems during smoketests.

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Could you solve conflicts?
0d14dd2 to 52a8f54
Conflicts have been resolved. A maintainer will review the pull request shortly.

Done!

@jestabro could you take a look?

Could we drop the current support/implementation for:

Could this not be a common solution for both SCP and SFTP, as they are both SSH based? On the other hand, I've looked into using the

I can go ahead and remove

Please do so and remove /config/auth/commit-archive.key

While testing I've seen this:

```
[email protected]# set system config-management commit-archive location https://cpo:[email protected]/cpo/vyos-git
[edit]
[email protected]# commit
Archiving config...
https://cpo:[email protected]/cpo/vyos-git OK
[edit]
```

Is there a way to prevent

Also my remote Git repo does not list any file(s) after adding it to VyOS. I'm using GitLab as backend service.

Removed in latest commit

The username and password are now removed from the output.

It looks like you used
Conflicts have been resolved. A maintainer will review the pull request shortly.

4a5ed21 to e36d04b

This pull request has conflicts, please resolve those before we can evaluate the pull request.

e36d04b to eb8842c

eb8842c to 529216a

Conflicts have been resolved. A maintainer will review the pull request shortly.
Thanks for the hint!

Please go ahead and remove the hardcoded

And select the key using:

@sarthurdev what do you think?

Seems a good idea to me. Though you'd need to use
Note that I already removed the hardcoded path

With that said, I'm looking into implementing

```
vyos@vyos# run generate pki ssh-key install my-key
```

This actually doesn't add any SSH keys to the PKI config, it only generates a private key that you need to copy yourself and a pub key that is added to the current user for SSH access (generated authorized_keys file).

Next, for the use case that you generate the SSH private key in VyOS itself:

```
vyos@vyos# run generate pki key-pair install my-key
Enter private key type: [rsa, dsa, ec] (Default: rsa)
Enter private key bits: (Default: 2048)
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N]
Do you want to install the public key? [Y/n]
Do you want to install the private key? [Y/n]
2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.
```

This generates a private and public key pair, but these are not directly OpenSSH compatible. For example, the public base64 string is not compatible with the OpenSSH format that all Git systems use. Would it not be very confusing and annoying for users if they still need to convert this base64 string to a proper OpenSSH public key?

Also I think it's still a security risk to export the full VyOS config with the same private key that is also used for Git write access. Should this not be of concern? Or is it possible to mark a PKI key as non-exportable?
@sarthurdev I think we should add an option to generate SSH keys as they seem not to match regular key-pairs and add that to the PKI tree?

Sure I'll look into it. It should be trivial to implement, just need to serialize differently for OpenSSH. I am however in agreement with @yunzheng regarding the security issue. We should look into a way to exclude (or perhaps encrypt) certain nodes/values from the archive.

We can also merge this first and only work with git+https to get some "feedback" and add additional features later on. Please note there is a bug in

Latest version looks good to me

I want to be able to choose if I want to use PKI or files for all certificates/keys mentioned.

@Mergifyio backport sagitta

✅ Backports have been created
Change Summary

This change adds Git support to `commit-archive`. Example `commit-archive` locations for Git:

```
git://[email protected]:username/vyos-configs.git
git+ssh://[email protected]/username/vyos-configs.git
git+https://gitea.local.lan/infra/vyos-configs.git
```

The committed filename will be `config.boot-<hostname>`. So make sure you have unique hostnames if you let multiple VyOS servers commit to the same repository.

The username and Full Name will be extracted from the system and used as the author of the Git commit.

The "commit comment" is also properly used as the Git commit message:

```
vyos@vyos# commit comment "my commit comment"
```

It's recommended to use dedicated SSH keys instead of usernames and passwords. Therefore, the Git commit-archive backend checks if the following SSH private key exists and uses it accordingly:

```
/config/auth/commit-archive.key
```

You can generate the SSH key using:

Then use the public key as a "deploy key" with write access on the Git repository.

PS: it would also be nice to generate ed25519 keys from VyOS, but that's another feature.

If you really want to use ed25519 keys you can just generate it using:

Just make sure that the private key is readable by the `vyattacfg` group.

Types of changes

I refactored the `upload` and `download` function to have an extra parameter called `raise_error=False`. The default is False, but when set to true it will raise the Exception instead of printing the error.

Several functions in `process.py` are also slightly refactored so they can properly accept a list of arguments, instead of assuming it is always a single `str` argument.

Related Task(s)

Component(s) name

config-management

Proposed changes

The change adds the following extra debian package:

Several changes needed to be made. I opted to use a "regex" for the location validation instead of relying on `validate-value --file-transports`, which would require a recompile of the vyos-utils package. It was also missing "ssh://" as a valid scheme, while this is listed as a working backend.

Changes have been made to `remote.py` to add `GitC` as a backend. I did not add support for `download`, but it could be done if there is a need for it.

Small textual changes have been made to `config_mgmt.py` to mimic the old VyOS commit-archive output, e.g.:

Before, nothing was output at all.

Note that SSH authorized keys is a thing, especially if there are multiple administrators this can be a hassle that everyone needs to accept the SSH key without knowing if it's correct. Therefore it's recommended to directly configure the correct authorized_keys file globally in `/etc/ssh/ssh_known_hosts`. For example GitHub lists their public keys here: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints

But otherwise you can also utilize `ssh-keyscan`, e.g.:

How to test

First generate a dedicated SSH key for the commit-archive that can be used as a "deploy key", for example on GitHub, Gitea or GitLab.

Configure the above public key as a new deploy key on your Git repository with write access. Then configure the commit-archive location:

Checklist:
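The credential-echo problem spotted in the conversation (the raw location URL, token included, printed after "Archiving config...") together with the location schemes, file name and dedicated deploy key from the description, worked through in Python as an added example; this is not vyos-1x code, and the function names, regexes and the git+ scheme mapping are my own assumptions.

```python
"""Added example (not vyos-1x code) mirroring the Git commit-archive behaviour
this PR describes: the three location schemes, console output with credentials
stripped, the config.boot-<hostname> file name and the dedicated deploy key.
Function names, the regexes and the git+ -> plain scheme mapping are mine."""
import os
import re

# Schemes the PR description lists for Git locations.
_LOCATION_RE = re.compile(r"^(?P<scheme>git\+https|git\+ssh|git)://\S+$")
# Userinfo part of a URL: everything between '://' and the '@' before the host.
_USERINFO_RE = re.compile(r"^([a-z+]+://)[^/]*@")


def redact_location(location: str) -> str:
    """Drop user:password@ so the location is safe to print or log; the thread
    above spotted the raw URL, token included, being echoed after commit."""
    return _USERINFO_RE.sub(r"\1", location)


def validate_location(location: str) -> str:
    """Return the scheme of a supported Git location, else raise ValueError."""
    m = _LOCATION_RE.match(location)
    if m is None:
        raise ValueError(f"unsupported location: {redact_location(location)}")
    return m.group("scheme")


def git_remote_url(location: str) -> str:
    """URL handed to git. Assumption: 'git+' only selects the backend, so
    git+https:// becomes https:// and git+ssh:// becomes ssh://."""
    scheme = validate_location(location)
    return location[len("git+"):] if scheme.startswith("git+") else location


def archive_filename(hostname: str) -> str:
    """Per-router file name; hostnames must be unique within one repository."""
    return f"config.boot-{hostname}"


def archive_status(location: str, ok: bool) -> str:
    """Console line printed after 'Archiving config...', credentials removed."""
    return f"{redact_location(location)} {'OK' if ok else 'failed'}"


def git_env(key_path: str = "/config/auth/commit-archive.key",
            isfile=os.path.isfile) -> dict:
    """Extra environment for git when the dedicated deploy key exists.
    IdentitiesOnly stops ssh offering other keys; StrictHostKeyChecking=yes
    requires the host key pinned in /etc/ssh/ssh_known_hosts, no prompting."""
    if not isfile(key_path):
        return {}  # no dedicated key: git falls back to the normal ssh identity
    return {"GIT_SSH_COMMAND": f"ssh -i {key_path} -o IdentitiesOnly=yes "
                               "-o StrictHostKeyChecking=yes"}
```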