SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

[Feature request] Add support for dry-run configuration checks #5179

Open k0ste opened 4 years ago

k0ste commented 4 years ago

For automation tools, sssd should support a --dry-run configuration check (example: /usr/bin/sssd --config-file /tmp/sssd_.conf --dry-run), i.e. before putting the config into /etc/sssd/sssd.conf and restarting sssd.service. When the config is valid, sssd should terminate with a zero exit code; otherwise the exit code should be non-zero.

Currently the sssctl binary supports a config-check option, but it is impossible to declare the path to the file to perform the checks on, and also the man page for this utility is empty.

sumit-bose commented 4 years ago

Hi,

I think this is just recently fixed by PR #5143 for issue #5142. If this is what you are looking for, please close this ticket.

bye, Sumit

k0ste commented 4 years ago

@sumit-bose, yes, thanks. But the quality of the checks is not as expected.

In this example we get exit code 1 when trying to check the config, because the validator tries to check the /etc/conf.d dir, which obviously does not exist.

[root@linux01 /]# sssctl config-check --config /tmp/temp_Sdqwer2 
Issues identified by validators: 0

Messages generated during configuration merging: 1
Directory /tmp/conf.d does not exist.

Used configuration snippet files: 0

Next example with test data:

[sssd]
config_file_version = string
services = nss1
domains = what?&!*
debug_level = true

[ssh]
ssh_hash_known_hosts = 666

We get a zero exit code without any warnings, but all of these options are invalid:

[root@linux01 /]# sssctl config-check --config /etc/sssd/temp_Sdqwer 
Issues identified by validators: 0

Messages generated during configuration merging: 0

Used configuration snippet files: 0
[root@linux01 /]# echo $?
0

sumit-bose commented 4 years ago

Hi,

I'm afraid this is somewhat expected since the checks currently only test if only valid sections are present and if only allowed options are in the specific sections. No option values are checked at the moment. So we can use this ticket to track adding checks for some option values. But please note, it would not be possible to check all values because some can only be tested at run-time, e.g. LDAP attribute names.

@thalman, can you check if it makes sense to allow a missing conf.d directory when checking an alternative config file with the --config option?

bye, Sumit
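As an added illustration of the gap Sumit describes (example code written for this page, not SSSD's own validator): the first pass below mirrors the name-only check and accepts the issue's test snippet, while a second pass with simple value rules rejects every option in it. The allow-list, service names and value rules are an abridged assumption, not SSSD's real schema.

```python
import configparser
# Constructed sample: the test snippet from the issue, every value invalid.
TEST_CONF = """
[sssd]
config_file_version = string
services = nss1
domains = what?&!*
debug_level = true

[ssh]
ssh_hash_known_hosts = 666
"""
# Assumed, abridged allow-list per section (the real SSSD schema is far larger).
ALLOWED = {"sssd": {"config_file_version", "services", "domains", "debug_level"},
           "ssh": {"ssh_hash_known_hosts", "debug_level"},
           "domain": None}  # None: section is valid, options not modelled here
VALID_SERVICES = {"nss", "pam", "sudo", "autofs", "ssh", "pac", "ifp"}
def load(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg

def check_structure(cfg):
    """Section and option *names* only: the level config-check tested."""
    issues = []
    for section in cfg.sections():
        base = section.split("/", 1)[0]  # [domain/X] -> domain
        if base not in ALLOWED:
            issues.append(f"unknown section [{section}]")
        elif ALLOWED[base] is not None:
            issues += [f"unknown option {o} in [{section}]"
                       for o in cfg.options(section) if o not in ALLOWED[base]]
    return issues

def check_values(cfg):
    """Value-level checks that a name-only pass cannot make."""
    issues, s = [], cfg["sssd"] if cfg.has_section("sssd") else {}
    if not s.get("config_file_version", "2").isdigit():
        issues.append("config_file_version is not an integer")
    issues += [f"unknown service {v!r}" for v in s.get("services", "").replace(",", " ").split() if v not in VALID_SERVICES]
    issues += [f"domain {d!r} has no [domain/{d}] section" for d in s.get("domains", "").replace(",", " ").split()
               if not cfg.has_section(f"domain/{d}")]
    try:
        int(s.get("debug_level", "0"), 0)  # decimal or 0x-prefixed hex
    except ValueError:
        issues.append("debug_level is not an integer")
    ssh = cfg["ssh"] if cfg.has_section("ssh") else {}
    if ssh.get("ssh_hash_known_hosts", "true").lower() not in ("true", "false"):
        issues.append("ssh_hash_known_hosts is not a boolean")
    return issues
```

Running `check_structure(load(TEST_CONF))` returns an empty list, matching the zero exit code seen above, while `check_values` reports all five bad values.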

thalman commented 4 years ago

@k0ste (cc @sumit-bose), if you specify --config like this

[root@linux01 /]# sssctl config-check --config /tmp/temp_Sdqwer2 

the check should (and does) look into /tmp/conf.d, not /etc/conf.d (i.e. conf.d is looked up in the same place where the config file is located).

HTH Tom

k0ste commented 4 years ago

@thalman, actually there is no need for any lookups in /tmp/conf.d; the deployment tool doesn't use any includes (conf.d) and all configuration is placed in one file.

sumit-bose commented 4 years ago

Hi,

@thalman, it looks like a missing directory is treated as an error and the return code is 1 even if the config is otherwise ok.

bye, Sumit

thalman commented 4 years ago

Well, this is the behaviour we have had in SSSD for ages, and a missing conf.d is considered to be an error. I doubt that we will change this, though a dedicated errorlevel for a missing conf.d could be implemented; that should be good enough.

As a workaround, the automation tool can actually create an empty conf.d.

thalman commented 4 years ago

@k0ste, after some other feedback I created a new option for sssctl-check (see https://github.com/SSSD/sssd/pull/5244).

I think that it covers your needs: you can point config-check to a snippet dir and you will actually test whether some existing snippets don't break your config:

[root@linux01 /]# sssctl config-check --config /tmp/temp_Sdqwer2 --snippet /etc/sssd/conf.d

HTH

k0ste commented 4 years ago

It does not solve this issue.

  1. sssctl still checks the permissions of a file that we can't control;
  2. sssctl still needs a conf.d directory;

My suggestion is: add a bool flag, like automation or nostrict, to skip the ERR_INI_INVALID_PERMISSION and ERR_INI_ADD_SNIPPETS_FAILED checks for the temp file.

thalman commented 4 years ago

There are a few approaches that you can take.

  1. you may create your own (empty) conf.d, so you can control the source
  2. you can point to /etc/sssd/conf.d to check whether your config will still work with the custom snippets placed there.

It depends on what the use case is. I would prefer to keep the test strict.

k0ste commented 4 years ago

I found that the ansible template module already validates the result with the final permissions.


you may create your own (empty) conf.d - so you can control the source

  1. Task to create the dir.
  2. Set a handler for deletion.
  3. Flush the handler for deleting the dir.

For example, I need to deploy 100 nodes 10 times per month; this is 3000 useless tasks. I don't think this is the unix way of solving problems.

andreboscatto commented 1 year ago

To revisit: we can try to find a solution (if conf.d doesn't exist AND it is not required, assume it is empty; otherwise throw an error).