Finished slicing up usage doc, most of tutorial.
Now need to flesh these out, quite possibly rename/re-think them, update the index to reflect and then a new, SHORT tutorial.
1 parent a3ddabe, commit 4ec4995
Showing 6 changed files with 128 additions and 112 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
============================= | ||
``fab`` options and arguments | ||
============================= | ||
|
||
Put the state.py / main.py stuff in here -- all possible args, info on what | ||
they do, either in-depth or basic info + link to another doc section. |
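Review bot: The body of this new page (the last two lines of the hunk, starting "Put the state.py / main.py stuff in here") is an author to-do written as an ordinary paragraph, so it will render as reader-facing text under the ``fab`` options and arguments title if the docs are built from this commit. Consider moving it into an rST comment (a block introduced by ``..``) until the real option list is written, so the placeholder does not ship as documentation.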
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
========================= | ||
Fabfile construction tips | ||
========================= | ||
|
||
Odds and ends about recommended ways to build your fabfile(s). These are just | ||
recommendations -- as always, Fabric is just Python! | ||
|
||
|
||
Importing Fabric itself | ||
======================= | ||
|
||
Simplest method, which is not PEP8-compliant (meaning it's not best practices):: | ||
|
||
from fabric.api import * | ||
|
||
Slightly better, albeit verbose, method which *is* PEP8-compliant:: | ||
|
||
from fabric.api import run, sudo, prompt, abort, ... | ||
|
||
.. note:: | ||
You can also import directly from the individual submodules, e.g. ``from | ||
fabric.utils import abort``. However, all of Fabric's public API is | ||
available via `fabric.api` for convenience purposes. |
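Review bot: In the ``.. note::`` at the end of the hunk, `fabric.api` is in single backticks, which rST treats as interpreted text in the default role and not as an inline literal; the same note uses double backticks for ``from fabric.utils import abort``, so ``fabric.api`` should match. Separately, under "Importing Fabric itself" the wildcard form is listed first and the only reason given against it is "not PEP8-compliant"; one sentence on what the explicit form buys (the fabfile's namespace holds only the names it lists) would make the recommendation actionable. The ``...`` in the second literal block is a placeholder and is not valid in an import statement, which is worth stating for readers who copy the line.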
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
============ | ||
SSH behavior | ||
============ | ||
|
||
Fabric currently makes use of the `Paramiko | ||
<http://www.lag.net/paramiko/docs/>`_ SSH library for managing all connections, | ||
meaning that there are occasionally spots where it is limited by Paramiko's | ||
capabilities. Below are areas of note where Fabric will exhibit behavior that | ||
isn't consistent with, or as flexible as, the behavior of the ``ssh`` program. | ||
|
||
Unknown hosts | ||
------------- | ||
SSH's host key tracking mechanism keeps tabs on all the hosts you attempt to | ||
connect to, and maintains a ``~/.ssh/known_hosts`` file with mappings between | ||
identifiers (IP address, sometimes with a hostname as well) and SSH keys. (For | ||
details on how this works, please see the `OpenSSH documentation | ||
<http://openssh.org/manual.html>`_.) | ||
|
||
Paramiko is capable of loading up your ``known_hosts`` file, and will then | ||
compare any host it connects to, with that mapping. Settings are available to | ||
determine what happens when an unknown host (a host whose username or IP is not | ||
found in ``known_hosts``) is seen: | ||
|
||
* **Reject**: the host key is rejected and the connection is not made. This | ||
results in a Python exception, which will terminate your Fabric session with a | ||
message that the host is unknown. | ||
* **Add**: the new host key is added to the in-memory list of known hosts, the | ||
connection is made, and things continue normally. Note that this does **not** | ||
modify your on-disk ``known_hosts`` file! | ||
* **Ask**: not yet implemented at the Fabric level, this is a Paramiko option | ||
which would result in the user being prompted about this key and whether to | ||
accept it. | ||
|
||
Whether to reject or add hosts, as above, is controlled in Fabric via the | ||
``env.reject_unknown_hosts`` option, which is False by default for | ||
convenience's sake. | ||
|
||
Known hosts with changed keys | ||
----------------------------- | ||
The point of SSH's key tracking is so that man-in-the-middle attacks can be | ||
detected: if an attacker redirects your SSH traffic to a computer under his | ||
control, and pretends to be your original destination server, the host keys will | ||
differ. Thus, the default behavior of SSH -- and Paramiko -- is to immediately | ||
abort the connection when a host previously recorded in ``known_hosts`` suddenly | ||
starts sending us a different host key. | ||
|
||
In some edge cases such as some EC2 deployments, you may want to ignore this | ||
potential problem. Paramiko, at the time of writing, doesn't give us control | ||
over this behavior, but we can sidestep it by simply skipping the loading of | ||
``known_hosts`` -- if the host list being compared to is empty, then there's no | ||
problem. Set ``env.disable_known_hosts`` to True when you want this behavior; it | ||
is False by default, in order to preserve default SSH behavior. | ||
|
||
.. warning:: | ||
Enabling ``env.disable_known_hosts`` will leave you wide open to | ||
man-in-the-middle attacks! Please use with caution. |
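Review bot: In the "Unknown hosts" section the parenthetical defines an unknown host as one "whose username or IP is not found in ``known_hosts``", but the paragraph above describes the file as mapping IP addresses and hostnames to keys; usernames are not stored there, so this should read "hostname or IP". Also, the ``.. warning::`` at the end covers only ``env.disable_known_hosts``, while ``env.reject_unknown_hosts`` is stated to be False by default. That default selects the Add behaviour, which accepts a never-seen host key without verification and, per the Add bullet, does not write it to the on-disk file, so a later session has nothing recorded to compare that host against. A short note on this default next to the existing warning would give readers the full picture of what is and is not being checked.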