Logging similar to this should be added

https://github.com/choria-io/mcorpc-agent-provider/blob/fe7fdf323d6bc270fb56fe32418bb1bbe2fec518/mcorpc/agent.go#L99

We need a way to implement agents as external processes. The ruby provider is kind of the general approach but it does it via a shim which starts up old mco, we dont need all that for the generic case.

We should have a thing that:

• delivers a request to STDIN or temp file of any external process
• receives reply on STDOUT or temp file of any external process

We kind of do this for ruby, so we can use something similar to:

https://github.com/choria-io/mcorpc-agent-provider/blob/58eedaa63fe933b2830463fc0e6b83f455cb881f/mcorpc/ruby/agent.go#L28-L46

For the request and reply is just https://github.com/choria-io/mcorpc-agent-provider/blob/58eedaa63fe933b2830463fc0e6b83f455cb881f/mcorpc/mcorpc.go#L65-L70

With an accompanying DDL and some kind of logic for where to go look for external process delivered agents we should be able to make it work.

We'll need a few other things:

• Agent program should respond to --should-activate by exiting 0 for yes 1 for no
• Auditing is done in the wrapper prior to calling the agent/action
• Authorization will be supported once choria has a authorizer which it doesnt have now

Today this doesnt exist, we'd build a new agent provider plugin that delivers this.

/cc @optiz0r and @vjanelle

When the ruby provider sees a .json file, it assumes there's a corresponding .rb file, but the .json file could be there for a Go-based agent.

Clients need to know how many nodes were discovered (and indeed they can supply the targets) but we also support limiting so we should add 2 callbacks:

• 1 called before discovery is done - not called when targets is supplied, allowing clients to print Discovering...
• 1 called after discovery and limits, it gets passed the discovered count and limited count and can return error. When it returns error the request ends, allowing clients to print totals and adjust progress reports etc

https://github.com/choria-io/mcorpc-agent-provider/blob/5ca6551d08f87186ad7911ba1fb1946c68a92a45/mcorpc/ruby/util.go#L32

path here is the full path, should use fileinfo.Name()

As per choria-io/go-choria#446

choria-legacy/mcollective-choria#560

Match that in choria-plugins/action-policy#7

Same as choria-legacy/mcollective-choria#557 so DDLs align

In order to support the new choria req CLI we need to be able to convert map[string]string as received from the CLI into the correct data types that the DDL would expect on the receiving end else we cant call anything with int inputs etc

This means a bunch of things:

• We need to parse the input sections, today we leave as json.RawMessage
• We need to understand the type property for all typical JSON types and support validation
• We need to understand things like type list and string with maxlength and validate those
• We need to understand validators like ipv4address and validate using go-validator
• We need to be able to convert "10" into 10.0 float etc
• We need to be able to convert map[string]string into map[string]interface{} after first turning each value into its right type

the choria req command has a bunch of nasty code for formatting replies either as json or text, we should make some helpers here instead to assist with doing that and for reuse in other apps

It appears from reading the code while creating #14 that the discovery time is going to be completely lost since each request makes new stats:

https://github.com/choria-io/mcorpc-agent-provider/blob/98d3c43c6d31f93a0713c5cc03901d0afa8246e3/mcorpc/client/client.go#L204-L207

might need to investigate if thats the case or not

With go agents, external agents etc, we need to support action policy compatible authz so we need to port it and stick it into:

https://github.com/choria-io/mcorpc-agent-provider/blob/e18b1f6dfae4ef37fcdc77bc141321ec3e7f2b6e/mcorpc/agent.go#L112

this will then cover all kinds of rpc agent which is quite risky.

something perhaps based on a callback to the client so they can do whatever they like

Agents can have config in the plugin.d dir but the directory isnt a fixed point - different OS, different deployment methods etc.

We should set CHORIA_EXTERNAL_CONFIG in the environment that points to a path of the agent config - which might not exist if there is no config.

Summary

Using https://github.com/choria-io/go-external I created a simple choria agent that should list users with a list action (user list) that doesn't take any inputs (none are declared in the ddl or json), but when I try to invoke it via mco rpc I get an error about missing inputs:

$ mco rpc --verbose -I csqmgmt-puppetmaster02.grass.corp user list
 * [ ============================================================> ] 1 / 1
csqmgmt-puppetmaster02.grass.corp       : Validation failed: request contains inputs while none are declared in the DDL
    {}

I suspect that this is because somewhere along the line the lack of input is converted into an empty hash which is not the same as no input and thus fails validation in the mcorpc-agent-provider library.

Note that I verified that my agent generally works - the echo action which I copied from example in the README works fine within the same agent:

[alexander.hermes@csqmgmt-puppetmaster02 ~]$ mco rpc user echo -I csqmgmt-puppetmaster02.grass.corp "message=foo"

 * [ ============================================================> ] 1 / 1

csqmgmt-puppetmaster02.grass.corp        
   
   Echo: foo

Logs

choria-audit.log extract showing the two actions being submitted.

{"timestamp":"2019-11-25T02:09:45.182154+0000","request_id":"39619513748a511fa60dd547c94af119","request_time":1574647785,"caller":"choria=alexander.hermes.mcollective","sender":"csqmgmt-puppetmaster02.grass.corp","agent":"user","action":"echo","data":{"message":"foo","process_results":true}}
{"timestamp":"2019-11-25T02:09:50.854554+0000","request_id":"f7c4e19db756502191196f9903ba1f39","request_time":1574647790,"caller":"choria=alexander.hermes.mcollective","sender":"csqmgmt-puppetmaster02.grass.corp","agent":"user","action":"list","data":{"process_results":true}}

choria.log extract showing the successful echo action followed by a failed list action:

{"agent":"user","component":"server","identity":"csqmgmt-puppetmaster02.grass.corp","level":"debug","msg":"Attempting to call external agent user#echo (/opt/puppetlabs/mcollective/plugins/mcollective/agent/user) with a timeout 15","subsystem":"agents","time":"2019-11-25T10:09:45+08:00"}
{"level":"debug","msg":"Sending a broadcast message to NATS target 'mcollective.reply.csqmgmt-puppetmaster02.grass.corp.3381.1' for message 39619513748a511fa60dd547c94af119 type reply","time":"2019-11-25T10:09:45+08:00"}
{"level":"debug","msg":"Publishing 785 bytes to mcollective.reply.csqmgmt-puppetmaster02.grass.corp.3381.1","time":"2019-11-25T10:09:45+08:00"}

<snip validation stuff>


{"component":"server","identity":"csqmgmt-puppetmaster02.grass.corp","level":"debug","msg":"Matching request f7c4e19db756502191196f9903ba1f39 with agent filters '[]string{\"user\"}'","subsystem":"discovery","time":"2019-11-25T10:09:50+08:00"}
{"component":"server","identity":"csqmgmt-puppetmaster02.grass.corp","level":"debug","msg":"Handling message f7c4e19db756502191196f9903ba1f39 with timeout 15000000000","subsystem":"agents","time":"2019-11-25T10:09:50+08:00"}
{"agent":"user","component":"server","identity":"csqmgmt-puppetmaster02.grass.corp","level":"info","msg":"Handling message f7c4e19db756502191196f9903ba1f39 for user#list from choria=alexander.hermes.mcollective","subsystem":"agents","time":"2019-11-25T10:09:50+08:00"}
{"agent":"user","component":"server","identity":"csqmgmt-puppetmaster02.grass.corp","level":"debug","msg":"Attempting to call external agent user#list (/opt/puppetlabs/mcollective/plugins/mcollective/agent/user) with a timeout 15","subsystem":"agents","time":"2019-11-25T10:09:50+08:00"}
{"agent":"user","component":"server","identity":"csqmgmt-puppetmaster02.grass.corp","level":"error","msg":"Validation failed: request contains inputs while none are declared in the DDL","subsystem":"agents","time":"2019-11-25T10:09:50+08:00"}
{"level":"debug","msg":"Sending a broadcast message to NATS target 'mcollective.reply.csqmgmt-puppetmaster02.grass.corp.3412.1' for message f7c4e19db756502191196f9903ba1f39 type reply","time":"2019-11-25T10:09:50+08:00"}
{"level":"debug","msg":"Publishing 853 bytes to mcollective.reply.csqmgmt-puppetmaster02.grass.corp.3412.1","time":"2019-11-25T10:09:50+08:00"}

Details of my test setup

System

$ uname -a
Linux csqmgmt-puppetmaster02.grass.corp 3.10.0-957.21.3.el7.x86_64 #1 SMP Tue Jun 18 16:35:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ lsb_release -a
LSB Version:	:core-4.1-amd64:core-4.1-noarch
Distributor ID:	CentOS
Description:	CentOS Linux release 7.6.1810 (Core) 
Release:	7.6.1810
Codename:	Core

Agent source

See the repo at https://github.com/ExalDraen/choria-plugin-user-agent

DDL

metadata :name        => "user",
         :description => "Interact with users on a system",
         :author      => "Alexander Hermes (@ExalDraen)",
         :license     => "GNU General Public License v3.0",
         :version     => "0.1.0",
         :url         => "https://github.com/exaldraen/choria-plugin-user-agent",
         :provider    => "external",
         :timeout     => 15


action "echo", :description => "Echo text back" do
  display :ok

  input :message,
        :prompt      => "The message to send for echoing",
        :description => "This message will be echoed back",
        :type        => :string,
        :validation  => :shellsafe,
        :maxlength   => 512,
        :optional    => false




  output :message,
         :description => "Echo of the original message",
         :display_as  => "Echo",
         :type        => "string"

end

action "list", :description => "List logged-in users on a system" do
  display :ok



  output :user_list,
         :description => "List of logged-in users",
         :display_as  => "User LIst",
         :type        => "string"

end

JSON

{
  "$schema": "https://choria.io/schemas/mcorpc/ddl/v1/agent.json",
  "metadata": {
    "license": "GNU General Public License v3.0",
    "author": "Alexander Hermes (@ExalDraen)",
    "timeout": 15,
    "name": "user",
    "version": "0.1.0",
    "url": "https://github.com/exaldraen/choria-plugin-user-agent",
    "description": "Interact with users on a system",
    "provider": "external"
  },
  "actions": [
    {
      "action": "echo",
      "input": {
        "message": {
          "prompt": "The message to send for echoing",
          "description": "This message will be echoed back",
          "type": "string",
          "optional": false,
          "validation": "shellsafe",
          "maxlength": 512
        }
      },
      "output": {
        "message": {
          "description": "Echo of the original message",
          "display_as": "Echo",
          "type": "string"
        }
      },
      "display": "ok",
      "description": "Echo text back"
    },
    {
      "action": "list",
      "input": {},
      "output": {
        "user_list": {
          "description": "List of logged-in users",
          "display_as": "User LIst",
          "type": "string"
        }
      },
      "display": "ok",
      "description": "List logged-in users on a system"
    }
  ]
}

Did not test the scenario where a rego file would have multiple allow statements

Ruby mco would let someone type :type => Hash in the DDL and then check if the thing is a type Hash, thats quite annoying and open ended.

We should formalize and support types "Hash", "hash", "Array" and "array" and validate and convert those.

If the map[string]string being passed in has a input of either of those types try to JSON parse it and validate that the things in there is right, this would allow CLI users to type JSON in the CLI automatically

should use github.com/guptarohit/asciigraph to chart numbers sent to it

We need to support analogues of limit, limit_targets and limit_seed

Limit method can be one of random or first
When random and if limit_seed is set the random number generator is seeded with that
limit can either be a integer number of a percentage like 10%

See MCollective::RPC::Client#pick_nodes_from_discovered

This is to support choria-io/go-choria#651

Agent @ github.com/choria-io/provisioning-agent/agent

https://github.com/choria-io/mcorpc-agent-provider/blob/98d3c43c6d31f93a0713c5cc03901d0afa8246e3/mcorpc/client/client.go#L185

No effort is made to pass the collective set in the agent options onto the broadcast discovery tool meaning this can only ever discover in main collective

A new action should be added gencsr which should write a private key and csr to either dir(configfile)/ssl/{private,csr}.pem or in the configured SSL dir and returns the CSR along with the effective dir the SSL should live in.

Later in the configure action it should take an optional certificate, ca and ssldir that will then trigger a save.

The returning of the ssldir bit is so that an machine appropriate config can be generated for the manual provider

https://github.com/choria-io/mcorpc-agent-provider/blob/98d3c43c6d31f93a0713c5cc03901d0afa8246e3/mcorpc/client/client.go#L190-L191

This is now not needed since a client will always reset the options and passing in options on every request is required

https://github.com/choria-io/mcorpc-agent-provider/blob/98d3c43c6d31f93a0713c5cc03901d0afa8246e3/mcorpc/client/client.go#L204

Data aggregators are little ruby plugins that live in the data stream of RPC replies and aggregate what they see, these are used in CLI to summarize output especially when only failures are shown but people still want a overview of what happened.

While super userful it turns out only a number of key ones seem to be widely used:

% grep -h aggregate /opt/puppetlabs/mcollective/plugins/mcollective/agent/*ddl| tr -s '[:blank:]'|awk -F "(" '{print $1}'|sort |uniq -c
      5  aggregate average
      5  aggregate boolean_summary
      1  aggregate nagios_states
      1  aggregate process_summary
     45  aggregate summary

Thus if we supported summary (which can also be boolean_summary) we'll hit most, possibly add average time permitting.

The situation for writing agents in the go agent is pretty dire, you either have to recompile it or ship a ton of ruby stuff. Tengo is a nice little scripting language that embeds in Go and can help us out here.

There's a WIP here https://github.com/choria-io/mcorpc-agent-provider/tree/wip_tengo we should put this out as a preview feature enabled via feature flag or something to solicit feedback

Today with the new plugin system each plugin needs someting like this:

package agent

import "github.com/choria-io/go-choria/plugin"

// Plugin is a choria plugin
type Plugin struct{}

// ChoriaPlugin produces the plugin for choria
func ChoriaPlugin() plugin.Pluggable {
	return &Plugin{}
}

// PluginInstance implements plugin.Pluggable
func (p *Plugin) PluginInstance() interface{} {
	return New
}

// PluginVersion implements plugin.Pluggable
func (p *Plugin) PluginVersion() string {
	return Metadata.Version
}

// PluginName implements plugin.Pluggable
func (p *Plugin) PluginName() string {
	return Metadata.Name
}

// PluginType implements plugin.Pluggable
func (p *Plugin) PluginType() plugin.Type {
	return plugin.AgentPlugin
}

This should be easy to create using a factory that takes the metadata and the New and this package should provide that factory

When converting JSON ddls to ruby we have a few issues:

• all numbers from json files are floats when handled as interface{} so we need to improve some things there to avoid panics
• all validations are shown as :foo when its a regex, so that becomes :.+ which is bad
• output type is always shown, sometimes as ""
• the word aggregate should be before the names of aggregate funcs

Experiment with using rego for filtering policy requests.

Including the ability to set a random seed

It wont be perfect but a ToRuby() would be great

Support viewing agents, support state transitioning agents

https://blog.containo.us/announcing-yaegi-263a1e2d070a?gi=540bf528e1ce

Relates to choria-io/go-choria#617