#! /usr/bin/env python
# -*- coding: utf-8 -*-
from fabric.api import env, run, sudo, task
from googleapiclient.discovery import build
from oauth2client.client import GoogleCredentials
credentials = GoogleCredentials.get_application_default()
compute = build('compute', 'v1', credentials=credentials)
# sets static project
# project = 'test1'
env.key_filename = 'google_compute_engine'
forward_agent = True
@task
# gets bastion host and sets env.gateway to be used as ssh gateway
def ag_get_bh(project):
request = compute.instances().aggregatedList(project=project)
response = request.execute()
for zone, instances in response['items'].items():
for host in instances.get("instances", []):
if host['status'] == 'RUNNING':
if 'bh' in host['name']:
env.gateway = host['networkInterfaces'][0]['accessConfigs'][0]['natIP']
else:
print('No bastion host found')
@task
# gets running hosts in a single project across all zones
def ag_get_host(project):
request = compute.instances().aggregatedList(project=project)
response = request.execute()
env.hosts = []
for zone, instances in response['items'].items():
for host in instances.get("instances", []):
if host['status'] == 'RUNNING':
env.hosts.append(host['name'])
@task
# identifies OS platform to be used in sec_update()
def get_platform():
x = sudo("python -c 'import platform; print(platform.platform())'")
if x.failed:
raise Exception("Python not installed")
else:
return x
print(x)
@task
# runs security updates
def sec_update():
if 'redhat' or 'centos' in get_platform().lower():
sudo('echo 3 > /proc/sys/vm/drop_caches')
sudo('yum -y --disablerepo=rhui* install google-rhui-client-rhel7')
sudo('yum update yum -y')
sudo('yum update-minimal --security -y')
elif 'ubuntu' or 'debian' in get_platform().lower():
sudo('apt-get install unattended-upgrades')
sudo('unattended-upgrades –v')
上面的代码获取堡垒主机,这是我env.gateway,然后它从GCP API获取主机并设置env.hosts,然后检查主机操作系统,然后应用安全更新。
仅当通过 ssh 代理(env.gateway)运行脚本时,get_platform()永远不会运行,因此sec_updates中的 if 语句永远不会执行,因此我的操作系统特定逻辑永远不会执行。在本地运行时,(不使用env.gateway)get_platform()正确执行。有什么想法吗?
不完全确定这里发生了什么,但我最终从另一个正在运行且代码正确执行的备份文件中复制并粘贴了脚本。如果有人感兴趣,以下是工作脚本:
#! /usr/bin/env python
# -*- coding: utf-8 -*-
from fabric.api import env, run, sudo, task
from googleapiclient.discovery import build
from oauth2client.client import GoogleCredentials
credentials = GoogleCredentials.get_application_default()
compute = build('compute', 'v1', credentials=credentials)
# set to path of private key
env.key_filename = 'google_compute_engine'
forward_agent = True
@task
# gets bastion host and sets env.gateway to be used as ssh gateway
def ag_get_bh(project):
request = compute.instances().aggregatedList(project=project)
response = request.execute()
for zone, instances in response['items'].items():
for host in instances.get("instances", []):
if host['status'] == 'RUNNING':
if 'bh' in host['name']:
env.gateway = host['networkInterfaces'][0]['accessConfigs'][0]['natIP']
else:
print('No bastion host found')
@task
# gets running hosts in a single project across all zones
def ag_get_host(project):
request = compute.instances().aggregatedList(project=project)
response = request.execute()
env.hosts = []
for zone, instances in response['items'].items():
for host in instances.get("instances", []):
if host['status'] == 'RUNNING':
env.hosts.append(host['name'])
@task
# gets uptime
def uptime():
run('uptime')
@task
# gets disk space
def disk_space():
run('df -h')
# gets OS platform to be used in sec_update()
def get_platform():
x = sudo("python -c 'import platform; print(platform.platform())'")
if x.failed:
raise Exception("Python not installed")
else:
return x
@task
# runs OS security updates
def sec_update():
if 'redhat' in get_platform().lower():
sudo('echo 3 > /proc/sys/vm/drop_caches')
sudo('yum -y --disablerepo=rhui* install google-rhui-client-rhel7')
sudo('yum update yum -y')
sudo('yum update-minimal --security -y')
elif 'centos' in get_platform().lower():
sudo('echo 3 > /proc/sys/vm/drop_caches')
sudo('yum update yum -y')
sudo('yum update-minimal --security -y')
elif 'ubuntu' or 'debian' in get_platform().lower():
sudo('apt-get install unattended-upgrades')
sudo('unattended-upgrades -v')
else:
print("No supported OS found")