Self-Service Infrastructure


Objective

Linux System Administrators are constantly interrupted with tasks that could be delegated to someone else. For example:

  • Create a new user on servers X, Y and Z.
  • Delete a user (former employee).
  • Update a user's SSH keys.
  • Create a user in the SFTP.

This project proposes a way of delegating these kinds of tasks to managers or lead developers, so that System Administrators can concentrate on tasks that give a higher return to the company.

The Stack

The idea is to create a web application that allows users to self-serve infrastructure services.
For the web application I use Flask, and to make the application look good I use Bootstrap.
To handle the connection between the client and the servers I use Celery. Currently, the only service supported is ‘Create a User’. The script that does it is a Python wrapper for ‘useradd’ written with TDD.

Python 3.5
Flask
Celery
RabbitMQ
MySQL

Security: The complexity of the project

The tasks that I want to automate have something in common: the need for root privileges on the machine, and hence the need for the System Administrator. The reason that apps that try to automate this process become complex is precisely the handling of security.

Applications like Ansible Tower or Rundeck rely mainly on SSH. Basically, the application triggers a script that connects to the machine over SSH and executes the tasks. Leaving a private key with root privileges somewhere near a web service is something that gives any System Administrator shivers. This is the reason that these kinds of tasks are not yet completely automated. (Though the privileges of the SSH-key user can be constrained.)

My approach is instead to use a messaging system (RabbitMQ) and make the servers subscribe to the queue. We send the tasks to the queue using Celery. Hence, there is no need for SSH keys. To handle the root privileges we execute the task as the ‘celery’ user, and we grant that user very constrained sudo privileges.
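The worker side of this design, as an added example that is not the project's own code: a message taken from the queue is untrusted input crossing into a sudo call, so the task validates the username and runs a fixed argv with no shell. The wrapper path, the sudoers rule, the reserved-name list and the function names are assumptions made for illustration; in a deployment `create_user` would be registered as the Celery task.

```python
import re
import subprocess

# Assumed sudoers rule (constructed for this example), /etc/sudoers.d/selfservice:
#   celery ALL=(root) NOPASSWD: /usr/local/sbin/selfservice-useradd
# The wrapper path is hypothetical; the file must be root-owned and not
# writable by 'celery', and it should repeat the validation below.
WRAPPER = "/usr/local/sbin/selfservice-useradd"

# Conservative login-name pattern: lowercase letter first, at most 32 chars.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")
# Illustrative list of names the self-service must never touch.
RESERVED = frozenset({"root", "celery", "daemon", "bin", "sys", "www-data", "sshd"})


class RejectedRequest(ValueError):
    """The queued message asked for something the worker will not do."""


def validate_username(name):
    """Return name unchanged if it is safe to pass on, else raise."""
    if not isinstance(name, str) or not USERNAME_RE.fullmatch(name):
        raise RejectedRequest("invalid username: %r" % (name,))
    if name in RESERVED:
        raise RejectedRequest("reserved username: %r" % (name,))
    return name


def build_command(name):
    """Build the argv list the worker runs; no shell is involved."""
    # -n: fail instead of prompting for a password.
    # "--": passed to the wrapper so nothing after it is read as an option.
    return ["sudo", "-n", WRAPPER, "--", validate_username(name)]


def create_user(name, runner=subprocess.run):
    """Task body; 'runner' is injectable so the logic can be tested."""
    result = runner(build_command(name), stdout=subprocess.PIPE,
                    stderr=subprocess.PIPE, timeout=30)
    return result.returncode == 0
```

Pointing the sudoers rule at a single wrapper rather than at `useradd` itself keeps the ‘celery’ user from choosing options such as a UID or group list.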

State of the project

The first service of the project, create user, is finished. I would like to start implementing the other services (delete user, create SFTP user, etc.).
I finished the testing on Docker containers that resemble a Debian 9 environment. However, I would like to perform some tests with Virtual Machines using Terraform.

Finally, I still have work to do in the deployment part of the application. My objective is to be able to create a .deb package that could be installed using dpkg.

GitLab

You can check the source code here.

Author

  • Camilo MATAJIRA see www.camilomatajira.com