martindstone / pagerduty-cli

A command line interface for PagerDuty
MIT License

Suggested Dockerfile #54

Open ringerc opened 1 year ago

ringerc commented 1 year ago

Thanks for the handy tool.

Please consider shipping a Dockerfile that can be used to bundle up an unprivileged container image with this tool, so users don't have to trust the sprawl of npm dependencies with access to the rest of their user accounts.

Here's one I wrote which might be useful as a starting point or for others.

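FROM node:20-alpine3.16
# Create and switch to an unprivileged user before installing anything from npm
RUN adduser -D pd
USER pd
RUN mkdir /home/pd/pd-cli
WORKDIR /home/pd/pd-cli
RUN npm install pagerduty-cli
# Create the config dir before declaring the volume: the legacy builder discards
# changes made to a volume path after its VOLUME instruction
RUN mkdir -p /home/pd/.config/pagerduty-cli && chown pd:pd /home/pd/.config/pagerduty-cli
VOLUME /home/pd/.config/pagerduty-cli
ENTRYPOINT ["npm", "exec", "--", "pd"]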

# run with e.g.
#   docker run -it --rm --mount type=volume,source=pd-cli,destination=/home/pd/.config/pagerduty-cli pd-cli
#
# you will need to use the "auth:set" command the first time, and supply an api token
# created with your PD account under My Account -> User Settings -> API Access
# see https://support.pagerduty.com/docs/api-access-keys#section-generate-a-user-token-rest-api-key

Build with docker buildx build -t pd-cli . within an empty directory containing only the Dockerfile.

I then put this wrapper script in $HOME/.local/bin/pd - you can put it anywhere convenient on your PATH:

#!/bin/bash
docker run -it --rm --mount type=volume,source=pd-cli,destination=/home/pd/.config/pagerduty-cli pd-cli "$@"

A bind-mount could be used to bind the configdir for the CLI from the user's own homedir instead of using a docker volume, but using a volume was more convenient from an unprivileged access-control point of view.

On first use, run

pd auth:set

and enter a PD API token created with your PD account under My Account -> User Settings -> API Access. Watch out, the output will be echoed to the terminal.

Subsequent runs will remember it.

khntst commented 1 year ago

Thanks very much, I got this to work on an EC2 instance. Creating a container, running, etc. But I ran into some strange results. Besides the warning, I get a bunch of junk characters in the output, but then it proceeds to output the results I was looking for.

./pd user:list -k role
npm WARN config key key and cert are no longer used for most registry operations.
npm WARN config Use registry scoped keyfile and certfile instead.
npm WARN config Example:
npm WARN config //other-registry.tld/:keyfile=/path/to/key.pem
npm WARN config //other-registry.tld/:certfile=/path/to/cert.crt
Getting users from PD 1/1 👍, 0/1 👎... done
ID Name Email Contact emails Contact phones Contact sms
─────── ────────────────── ────────────────────────────── ────────────────────────────── ────────────── ───────────

khntst commented 1 year ago

Interesting that someone else already suggested a different Dockerfile approach: https://github.com/martindstone/pagerduty-cli/blob/773086ad2ba071a9f588b4760e196c3fa3275729/Dockerfile

ringerc commented 1 year ago

@khntst The junk characters suggest a text encoding, locale or terminal type mismatch. Probably need to propagate some LC_ vars and TERM into the container or run it with a flag to turn off terminal char pretty-printing.

Thanks for the link to the other dockerfile. I expect you'll see similar issues with that. I wanted one that was quite defensive - minimum privileges, runs as non-root. And one that can cache your creds in a reasonably well protected manner.
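
A wrapper along the lines discussed above, as an added example that is not part of the original thread or the project: it forwards TERM and the locale variables into the container, allocates a TTY only for interactive use, and adds capability and privilege-escalation restrictions to the non-root image. The function names pd_docker_opts and pd_run are hypothetical, and dropping all capabilities assumes the CLI only makes outbound API calls.

```shell
#!/bin/sh
# Added example: least-privilege wrapper for the image built from the Dockerfile above.
# Image name, volume name and config path are the ones used in this thread.
PD_IMAGE="pd-cli"
PD_VOLUME="pd-cli"
PD_CONFIG_DIR="/home/pd/.config/pagerduty-cli"

# Print the `docker run` options, one per line. $1 is "tty" or "notty".
pd_docker_opts() {
    printf '%s\n' "--rm" "-i"
    # Allocate a TTY only for interactive use, so piped or redirected output
    # (for example CSV written to a file) is not run through a terminal.
    if [ "${1:-notty}" = "tty" ]; then
        printf '%s\n' "-t"
    fi
    # Assumption: the CLI only makes outbound API calls, so it needs no Linux
    # capabilities and must not gain privileges through setuid binaries.
    printf '%s\n' "--cap-drop=ALL" "--security-opt=no-new-privileges"
    # Keep the API token in the named volume, not in the host home directory.
    printf '%s\n' "--mount" "type=volume,source=${PD_VOLUME},destination=${PD_CONFIG_DIR}"
    # Forward terminal type and locale so the container matches the terminal;
    # `-e NAME` without a value copies the host's value.
    env | grep -E '^(TERM|LANG|LANGUAGE|LC_[A-Z_]+)=.' | cut -d= -f1 | sort |
    while read -r name; do
        printf '%s\n' "-e" "$name"
    done
}

# Run the containerised CLI with the options above plus the caller's arguments.
pd_run() {
    mode=notty
    if [ -t 0 ] && [ -t 1 ]; then mode=tty; fi
    opts=$(pd_docker_opts "$mode")
    old_ifs=$IFS
    IFS='
'
    set -f                          # split $opts on newlines only, no globbing
    set -- $opts "$PD_IMAGE" "$@"   # caller's arguments stay quoted and intact
    set +f
    IFS=$old_ifs
    docker run "$@"
}

# Only dispatch when installed under the name "pd", as with the wrapper above.
if [ "${0##*/}" = "pd" ]; then
    pd_run "$@"
fi
```
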

martindstone commented 1 year ago

Hi @khntst just catching up on this... it seems like a good idea and I will work on it the next chance I get... thanks very much for the submission

khntst commented 1 year ago

Yeah, I like the idea of limiting privs too. Tried experimenting with various LC_ and TERM. Not making a diff. Then I come in today after the weekend with a fresh terminal connection (via SSM) and it just worked. 'ansi' sequences were even interpreted correctly -- symbols, colors, maybe even progress meter. current TERM=xterm-256color, LANG=en_US.UTF-8. nothing for LC_ stuff. Drives me mad. Can't figure out if I set something else permanent that fixed it. Seems to be as-original. So I started to run a battery of commands through it. I can get simple lists of stuff. But when I try to run those lists into -csv it just prints the npm version (9.6.6) and that's it, no csv record lines. I notice a warning at the end of the simple lists:

npm notice
npm notice New minor version of npm available! 9.6.6 -> 9.7.2
npm notice Changelog: https://github.com/npm/cli/releases/tag/v9.7.2
npm notice Run npm install -g npm@9.7.2 to update!
npm notice

Tried to re-build the container but that did not seem to improve anything. Next I modified this line in Dockerfile (add quiet):

RUN npm install pagerduty-cli --quiet

... which then seemed to cause container to really get rebuilt.

This makes 'npm notice' messages go away from simple list output, but (9.6.6) result symptom still remains.

khntst commented 1 year ago

Ultimately I found that the built-in ssm method of establishing an ssh session exhibits the 'junk characters'.

aws ssm start-session --target <instance>

But the 'standard' ssh method does not. With this method, the ansi coloring and characters of typical pd-cli list output display correctly.

ssh -i ~/.ssh/instance-cert.pem ec2-user@<instance>

However, I am still being stymied by this phenomenon mentioned above.

[ec2-user@ip-10-10-10-10 pd-cli]$ ./pd user:list -k 'teams[*].summary' --csv
9.6.6

... this command displays legit user list content unless I include --csv. Then it only displays the npm version.

I also get this warning text, but it doesn't seem to be stopping normal output.

npm WARN config key `key` and `cert` are no longer used for most registry operations.
npm WARN config Use registry scoped `keyfile` and `certfile` instead.
npm WARN config     Example:
npm WARN config     //other-registry.tld/:keyfile=/path/to/key.pem
npm WARN config     //other-registry.tld/:certfile=/path/to/cert.crt

khntst commented 1 year ago

Sorry if I'm spamming this discussion too much. Thought you guys may be interested in further testing results. Perhaps @ringerc has a better environment set up; so far my container deployment has not been very usable. Although I did get past the junk chars issue noted above.

Some pd-cli commands work, passing in parameters to container, getting simple table results. Others don't seem to work. Here's an example of a multiline command that does not work:

$ ./pd rest:fetch \
>     -e webhooks \
>     -t \
>     -k outbound_integration.summary \
>     -k webhook_object.id \
>     -k webhook_object.summary \
>     -k config.target \
>     --filter outbound_integration.summary=ServiceNow
npm WARN invalid config before="webhooks" set in command line options
npm WARN invalid config Must be one of: null, valid Date string
npm WARN config key `key` and `cert` are no longer used for most registry operations.
npm WARN config Use registry scoped `keyfile` and `certfile` instead.
npm WARN config     Example:
npm WARN config     //other-registry.tld/:keyfile=/path/to/key.pem
npm WARN config     //other-registry.tld/:certfile=/path/to/cert.crt
 ›   Error: Unexpected argument: outbound_integration.summary=ServiceNow
 ›   See more help with --help

ringerc commented 1 year ago

On Linux (Ubuntu) it just worked for me. I assume your TERM env-var and termcap inside the container don't match those of the terminal emulator.