Algo: Allow all interactive questions to have config entries in config.cfg

Created on 30 Dec 2016 · 10 Comments · Source: trailofbits/algo

When running the ./algo command there are a number of interactive questions.

If I want to run this command with the same options on a regular basis (rotating servers) I should be able to configure the answers to those questions in the config file with boolean values for each. I should be able to run algo non-interactively.

All 10 comments

That's reasonable. If you want access to a similar feature now, you can use the scripted deployment instructions here: https://github.com/trailofbits/algo/blob/master/docs/ADVANCED.md

@grempe alternatively you can use this syntax for repeated testing:

#!/bin/bash

mkdir tmp
cd tmp
apt install -q -y python-setuptools build-essential libssl-dev libffi-dev python-dev
git clone https://github.com/trailofbits/algo.git && cd algo

# Optional, but helpful for reporting issues (e.g., current master):
git reset --hard 148686e8fdb0bb12e1f1d88475c15f1f1cc84771
easy_install pip && pip install -r requirements.txt

# For this example:
#  DigitalOcean, DO API token, DO SSH key, NYC region, algo.local hostname default,
#  yes to sec enhance, y to ad block, yes to dns resolver, no to auditd, 
#  no to per-user ssh tunneling, no to always-on wifi, no to always-on cell,
#  no to Win 10 client reduced security

cat <<END > cmd
1
[YOUR-API-TOKEN]
[YOUR-REGISTERED-DO-KEY.PUB]
5

y
y
y
n
n
n
n
n
END
./algo < cmd

Thanks @kennwhite, that's a good script for testing for sure. It would be too scary to run after a git pull on the repo for regular VPN server rotation though. Having a nice contract with the config file would be a happier path. :-)

On second thought, the shell script helper is not meant to be a stable target for scripting. It's there to guide non-technical users through the installation process. The questions it asks and other details about it frequently change and it is not expected to be a stable target for development. If you want to script a deploy, then you should do it with the scripted deploy features that are already available and provide identical functionality to what you've requested.

Thanks Kenn for your script! I'm going to add that as an example in ADVANCED.md.

Hmmm, I'm disappointed you closed this. I don't think I was asking that the interactive prompts go away for all, and I was also not suggesting that the algo command be a stable target for scripting (although Kenn provided a helpful, though fragile, script to do just that).

What I was requesting was that there be the ability to answer those questions before the fact using (likely commented by default) options in the config file. A config file that users are already needing to modify. Having both interactive and config entry driven deployment of a server are not mutually exclusive.

A commonly seen alternative would be to also add command line flags to the algo script that allow specifying the answers at command line runtime.

Having to run through a (likely growing) list of interview questions, and having to remember which options I chose previously, does not seem to be as friendly as it could be.

I'm not sure why this is not a solution for you? It runs a deploy in a single step.

https://github.com/trailofbits/algo/blob/master/docs/ADVANCED.md#scripted-deployment

I just ran it to test it out (on macOS Sierra, with python and ansible installed via homebrew). It successfully ran with the following:

$ ansible-playbook deploy.yml -t digitalocean,vpn -e 'do_access_token=MY_API_KEY do_ssh_name=my_ssh_key do_server_name=test.local do_region=sfo1'

Some comments:

  • I don't seem to be able to specify whether I want it to run with VPN always on wifi/cellular (or at least it's not documented on the advanced page how to do so)
  • This is an advanced technique. Will never be as easy as commenting/uncommenting lines in the config and the advanced page docs are sure to fall out of sync with reality, whereas pushing an updated config is something you are more likely to have heavily tested.
  • It's not documented what the do_ssh_name=my_ssh_key should be set to. A path to a key? A name? I set it to something meaningless but I don't see what it did.
  • Running this script with an already existing algo server running seems to have replaced the SSH key on the DO server SSH config according to DO's history page. It's not clear to me from the docs how you are handling SSH keys and I have not poked around in the code yet to see.
  • You have to figure out that the -t tag requires you to enter cloud or server role tags, comma separated. You list them on the advanced page, but again, you have to hunt around to find out what they mean.
  • It can leave my API key in a script file or in my shell history if I'm not careful

So, sure, it took me only a few minutes to figure out how to get it to work but I've also spent some hours familiarizing myself. But if the goal is to make the tool 1-click then this is not the way to go to make it friendly, and to make it easy to re-use a config IMHO.
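Added example (not part of the original thread and not Algo project code): one way to run the scripted deploy quoted above without the DigitalOcean token landing in shell history, in the process argument list, or in a long-lived script file. It uses Ansible's `-e @file` form for extra vars; the helper names `write_vars_file` and `deploy` are assumptions of this example, and the variable names are the ones from the command in the comment above.

```shell
#!/bin/bash
# Added example: helper names are hypothetical; variable names
# (do_access_token, do_ssh_name, do_server_name, do_region) come from the thread.

# Write the extra vars to a private temp file (mode 0600) and print its path.
write_vars_file() {
    local token="$1" ssh_name="$2" server_name="$3" region="$4" f v
    # Allow only characters that are safe inside the quoted YAML scalars below.
    for v in "$token" "$ssh_name" "$server_name" "$region"; do
        case "$v" in
            ''|*[!A-Za-z0-9_.-]*) echo "unsafe or empty value" >&2; return 1 ;;
        esac
    done
    f="$(umask 077 && mktemp "${TMPDIR:-/tmp}/algo-vars.XXXXXX")" || return 1
    printf 'do_access_token: "%s"\ndo_ssh_name: "%s"\ndo_server_name: "%s"\ndo_region: "%s"\n' \
        "$token" "$ssh_name" "$server_name" "$region" > "$f"
    printf '%s\n' "$f"
}

# Prompt for the token without echo (so it never enters shell history),
# run the deploy, and always remove the vars file afterwards.
deploy() {
    local token vars rc
    read -rs -p 'DigitalOcean API token: ' token; echo
    vars="$(write_vars_file "$token" "$1" "$2" "$3")" || return 1
    unset token
    # The token is referenced only through the file, so it does not show up in `ps`.
    ansible-playbook deploy.yml -t digitalocean,vpn -e "@$vars"
    rc=$?
    rm -f "$vars"
    return "$rc"
}

# Usage (from the algo checkout): deploy my_ssh_key test.local sfo1
```
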

Glad it worked. Happy to take a pull request that updates those docs.

ok, I will file a PR for some updates to the advanced docs. Doesn't really address this issue though (but I think you know that), since the advanced method is not feature compatible with the algo script (e.g. no way to specify vpn always on for wifi/cellular). I'll file bug reports for missing advanced features I see if you are fundamentally set in not making algo configurable.

See issues #197 and #199 (and pull requests for each) which address some of the issues I commented on above.
