
Configuration management for network operations
Open, Normal, Public, 0 Story Points

Description

  • Productionize existing configuration management software jnt (potentially renaming it)
  • Integrate with Netbox for device selection and topology data gathering
  • Add safe push method for the configuration: interactive and sequential
  • [stretch] Evaluate Netbox to store network secrets

Event Timeline

Volans triaged this task as Normal priority. Jul 18 2019, 9:34 AM
Volans created this task.
Restricted Application added a project: Operations. Jul 18 2019, 9:34 AM
Restricted Application added a subscriber: Aklapper.

[stretch] Evaluate Netbox to store network secrets

After playing a bit with secrets in our Netbox test box I've come to the conclusion that they might not be suitable for our use case. To summarize their current state in Netbox:

  1. Secrets are attached to a device, meaning that it seems not possible to "share" a secret between multiple devices or have generic secrets not attached to any device.
  2. Secrets have roles (that allow restricting which users/groups can access them) but AFAICT no ACLs, so it seems not possible to create a RO access role, for example.
  3. When setting up secrets the admin needs to create a UserKey (RSA) and Netbox will automatically generate a master key that will be encrypted with the admin's key.
  4. To manage secrets each user has to set a UserKey (RSA) and then be activated by a previously activated user. The activation procedure decrypts the master key with the activated user's private key and saves an encrypted copy of it (with the new user's public key) to their profile. So basically there are multiple copies of the master key, each encrypted with a user's public key.
  5. To manage secrets via the API you need a session key; to get one, an activated user needs to POST their private RSA key to obtain a Session Key. So basically, in order to allow the software to retrieve secrets from Netbox, we'll either need to set an RSA key for the sre_bot Netbox user and have its private key at hand on the management hosts, or require the operator to generate a user key and pass it to the software at runtime.

In particular, limitation (1, secrets attached to a device) seems mostly a blocker to me for our use case. Also, requirement (5, Session Key) seems suboptimal to me for our workflow.
I'd like to hear other thoughts too.
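The key-handling model described in points 3 to 5 above (one master key, a wrapped copy per user, activation by an already-activated user, and an API session that needs the caller's private key), modelled as an added example. This is not Netbox code: it uses textbook RSA with tiny fixed primes and a SHA-256 keystream as stand-ins so it runs on the standard library alone, and the class, user and device names are constructed.

```python
import hashlib
import secrets

# Textbook RSA with tiny primes: a stand-in for the RSA UserKey so the example
# needs no third-party library. Real Netbox uses proper key sizes and padding.
def make_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)  # (public, private)

def rsa_wrap(pub, m):
    n, e = pub
    return pow(m, e, n)

def rsa_unwrap(priv, c):
    n, d = priv
    return pow(c, d, n)

def keystream_xor(master, label, data):
    # Symmetric stand-in for encrypting a secret value under the master key.
    pad = hashlib.sha256(master.to_bytes(8, "big") + label.encode()).digest()
    return bytes(b ^ pad[i % 32] for i, b in enumerate(data))

class NetboxLikeSecrets:
    """Hypothetical model of the Netbox secrets store (constructed, not Netbox)."""

    def __init__(self, admin, admin_pub, master=None):
        # Point 3: the master key is generated when the first UserKey is set up
        # and stored encrypted with that admin's public key.
        self.master = master if master is not None else secrets.randbelow(1 << 24)
        self.wrapped = {admin: rsa_wrap(admin_pub, self.master)}  # one copy per user
        self.store = {}  # (device, name) -> ciphertext; secrets belong to a device

    def activate(self, by_user, by_priv, new_user, new_pub):
        # Point 4: only an activated user can unwrap the master key and re-wrap it.
        if by_user not in self.wrapped:
            raise PermissionError(f"{by_user} is not an activated user")
        master = rsa_unwrap(by_priv, self.wrapped[by_user])
        self.wrapped[new_user] = rsa_wrap(new_pub, master)

    def session_key(self, user, priv):
        # Point 5: the API caller hands over its private key; the server unwraps
        # the master key for the session. Holding it grants full read/write (no RO role).
        if user not in self.wrapped:
            raise PermissionError(f"{user} is not an activated user")
        return rsa_unwrap(priv, self.wrapped[user])

    def put(self, session, device, name, value):
        self.store[(device, name)] = keystream_xor(session, f"{device}/{name}", value)

    def get(self, session, device, name):
        return keystream_xor(session, f"{device}/{name}", self.store[(device, name)])
```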

Change 530859 had a related patch set uploaded (by Volans; owner: Volans):
[integration/config@master] Setup CI for operations/software/homer

https://gerrit.wikimedia.org/r/530859

Change 530860 had a related patch set uploaded (by Volans; owner: Volans):
[operations/software/homer@master] Initial structure of the project

https://gerrit.wikimedia.org/r/530860

Change 530861 had a related patch set uploaded (by Volans; owner: Volans):
[operations/software/homer@master] Initial draft of the CLI

https://gerrit.wikimedia.org/r/530861

Change 530862 had a related patch set uploaded (by Volans; owner: Volans):
[operations/software/homer@master] Initial draft of devices configuration parsing

https://gerrit.wikimedia.org/r/530862

Change 530859 merged by jenkins-bot:
[integration/config@master] Setup CI for operations/software/homer

https://gerrit.wikimedia.org/r/530859

Change 530860 merged by jenkins-bot:
[operations/software/homer@master] Initial structure of the project

https://gerrit.wikimedia.org/r/530860

Change 530861 merged by jenkins-bot:
[operations/software/homer@master] Initial draft of the CLI

https://gerrit.wikimedia.org/r/530861

Change 530862 merged by jenkins-bot:
[operations/software/homer@master] Initial draft of devices configuration parsing

https://gerrit.wikimedia.org/r/530862

Change 531124 had a related patch set uploaded (by Volans; owner: Volans):
[integration/docroot@master] doc: add link to Homer documentation

https://gerrit.wikimedia.org/r/531124

Change 531124 merged by jenkins-bot:
[integration/docroot@master] doc: add link to Homer documentation

https://gerrit.wikimedia.org/r/531124

Change 532223 had a related patch set uploaded (by Volans; owner: Volans):
[operations/software/homer@master] setup.py: add missing PyYAML dependency

https://gerrit.wikimedia.org/r/532223

Change 532224 had a related patch set uploaded (by Volans; owner: Volans):
[operations/software/homer@master] doc: add configuration example in documentation

https://gerrit.wikimedia.org/r/532224

Change 532225 had a related patch set uploaded (by Volans; owner: Volans):
[operations/software/homer@master] Configuration: load and merge private config

https://gerrit.wikimedia.org/r/532225

Change 532226 had a related patch set uploaded (by Volans; owner: Volans):
[operations/software/homer@master] devices: add query capability

https://gerrit.wikimedia.org/r/532226

Change 532227 had a related patch set uploaded (by Volans; owner: Volans):
[operations/software/homer@master] cli: rename action compile to generate

https://gerrit.wikimedia.org/r/532227

Change 532223 merged by jenkins-bot:
[operations/software/homer@master] setup.py: add missing PyYAML dependency

https://gerrit.wikimedia.org/r/532223

Change 532224 merged by jenkins-bot:
[operations/software/homer@master] doc: add configuration example in documentation

https://gerrit.wikimedia.org/r/532224

Change 532452 had a related patch set uploaded (by Volans; owner: Volans):
[operations/software/homer@master] devices: add logging

https://gerrit.wikimedia.org/r/532452

Change 532453 had a related patch set uploaded (by Volans; owner: Volans):
[operations/software/homer@master] templates: add rendering of templates

https://gerrit.wikimedia.org/r/532453

Change 532454 had a related patch set uploaded (by Volans; owner: Volans):
[operations/software/homer@master] actions: add generate action

https://gerrit.wikimedia.org/r/532454

Change 532225 merged by jenkins-bot:
[operations/software/homer@master] Configuration: load and merge private config

https://gerrit.wikimedia.org/r/532225

Change 532226 merged by jenkins-bot:
[operations/software/homer@master] devices: add query capability

https://gerrit.wikimedia.org/r/532226

Change 532227 merged by jenkins-bot:
[operations/software/homer@master] cli: rename action compile to generate

https://gerrit.wikimedia.org/r/532227

Change 532452 merged by jenkins-bot:
[operations/software/homer@master] devices: add logging

https://gerrit.wikimedia.org/r/532452

Change 532453 merged by jenkins-bot:
[operations/software/homer@master] templates: add rendering of templates

https://gerrit.wikimedia.org/r/532453

Change 532454 merged by jenkins-bot:
[operations/software/homer@master] actions: add generate action

https://gerrit.wikimedia.org/r/532454

Change 533558 had a related patch set uploaded (by Volans; owner: Volans):
[operations/software/homer@master] transports: add JunOS transport

https://gerrit.wikimedia.org/r/533558

Change 533568 had a related patch set uploaded (by Volans; owner: Volans):
[operations/software/homer@master] config: inject role and site to the configuration

https://gerrit.wikimedia.org/r/533568

Change 533570 had a related patch set uploaded (by Volans; owner: Volans):
[operations/software/homer@master] CLI: suppress ncclient noisy logger

https://gerrit.wikimedia.org/r/533570

Change 533558 merged by jenkins-bot:
[operations/software/homer@master] transports: add JunOS transport

https://gerrit.wikimedia.org/r/533558

Change 533568 merged by jenkins-bot:
[operations/software/homer@master] config: inject role and site to the configuration

https://gerrit.wikimedia.org/r/533568

Change 533570 merged by jenkins-bot:
[operations/software/homer@master] CLI: suppress ncclient noisy logger

https://gerrit.wikimedia.org/r/533570