Installation instructions and SSH key helper

INSTALL.md

@@ -4,18 +4,119 @@ These installation notes should cover most Debian Linux variants (on any archite
 
 You can, however, run `piku` on any POSIX-like environment where you have Python, [uWSGI][uwsgi] and SSH.
 
-_TODO: describe the overall installation process._
+For installation, you only require `root`/`sudo` access and the following two files:
+
+* `piku.py`
+* `uwsgi-piku.dist`
+
+Copy them across to the machine you'll be using as a server before you get started with the rest.
 
 ## Setting up the `piku` user (Debian Linux, any architecture)
 
-_TODO: describe the need for a separate user and why it's configured this way._
-
-If you're impatient, you need to make sure you have a `~/.ssh/authorized_keys` file that looks like this:
+`piku` requires a separate user account to run. To create a new user with the right group membership (we're using the built-in `www-data` group because it's generally thought of as a less-privileged group), enter the following commands:
 
 ```bash
-command="FINGERPRINT=<your SSH fingerprint, not used right now> NAME=default /home/piku/piku.py $SSH_ORIGINAL_COMMAND",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding <your ssh key>
+sudo adduser --disabled-password --gecos 'PaaS access' --ingroup www-data piku
 ```
 
+This user _is not supposed to login to your system_. Instead, you'll interact with `piku` via SSH, and set things up by using `su`:
+
+```bash
+sudo su - piku
+mkdir ~/.ssh
+chmod 700 ~/.ssh
+# now copy the piku script to this user account
+cp /tmp/piku.py .
+```
+
+## Dependencies
+
+Before running `piku` for the first time, you need to install the following Python packages at the system level:
+
+```bash
+sudo pip install -U click virtualenv
+```
+
+These may or may not be installed already (`click` usually isn't).
+
+## Setting up SSH access
+
+If you don't have an SSH public key (or never used one before), you need to create one. The following instructions assume you're running some form of UNIX on your own machine (Windows users should check the documentation for their SSH client, unless you have [Cygwin][cygwin] installed).
+
+**On your own machine**, issue the `ssh-keygen` command and follow the prompts:
+
+```bash
+$ ssh-keygen 
+Generating public/private rsa key pair.
+Enter file in which to save the key (/home/youruser/.ssh/id_rsa): 
+Created directory '/home/youruser/.ssh'.
+Enter passphrase (empty for no passphrase): 
+Enter same passphrase again: 
+Your identification has been saved in /home/youruser/.ssh/id_rsa.
+Your public key has been saved in /home/youruser/.ssh/id_rsa.pub.
+The key fingerprint is:
+85:29:07:cb:de:ad:be:ef:42:65:00:c8:d2:6b:9e:ff youruser@yourlaptop.lan
+The key's randomart image is:
++--[ RSA 2048]----+
+<...>
++-----------------+
+```
+
+## Adding the key to `piku`
+
+Copy the resulting `id_rsa.pub` (or equivalent, just make sure it's the _public_ file) to your `piku` server and do the following:
+
+```bash
+su - piku
+python piku.py setup:ssh /tmp/id_rsa.pub
+Adding key '85:29:07:cb:de:ad:be:ef:42:65:00:c8:d2:6b:9e:ff'.
+Setting '/home/piku/piku.py' as executable.
+```
+
+Now if you look at `.ssh/authorized_keys`, you should see something like this:
+
+```bash
+cat .ssh/authorized_keys 
+command="FINGERPRINT=85:29:07:cb:de:ad:be:ef:42:65:00:c8:d2:6b:9e:ff NAME=default /home/piku/piku.py $SSH_ORIGINAL_COMMAND",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhTYZi/qeJBKgU3naI8FNjQgeMYnMsEtqrOmUc4lJoPNH2qBUTNkzwThGqsBm2HNLPURWMiEifBqF+kRixMud67Co7Zs9ys7pwFXkJB9bbZasd2JCGfVZ4UYXHnvgejSWkLAV/4bObhsbP2vWOmbbm91Cwn+PGJgoiW08yrd45lsDmgv9cUAJS3e8LkgVELvIDg49yM5ArB88oxwMEoUgWU2OniHmH0o1zw5I8WXHRhHOjb8cGsdTYfXEizRKKRTM2Mu6dKRt1GNL0UbWi8iS3uJHGD3AcQ4ApdMl5X0gTixKHponStOrSMy19/ltuIy8Sjr7KKPxz07ikMYr7Vpcp youruser@yourlaptop.lan
+```
+
+This line is what enables you to SSH (and perform `git` over SSH operations) to the `piku` user, restricting what can be done remotely and passing on to `piku` itself the commands you'll be issuing.
+
+## Testing
+
+From your machine, do:
+
+```bash
+$ ssh piku@pi.lan
+Usage: piku.py [OPTIONS] COMMAND [ARGS]...
+
+  The smallest PaaS you've ever seen
+
+Options:
+  --help  Show this message and exit.
+
+Commands:
+  apps              List applications
+  config            Show application configuration
+  config:get        Retrieve a configuration setting
+  config:live       Show live configuration settings
+  config:set        Set a configuration setting
+  deploy            Deploy an application
+  destroy           Destroy an application
+  disable           Disable an application
+  enable            Enable an application
+  git-hook          INTERNAL: Post-receive git hook
+  git-receive-pack  INTERNAL: Handle git pushes for an app
+  logs              Tail an application log
+  ps                Show application worker count
+  ps:scale          Show application configuration
+  restart           Restart an application
+  setup:ssh         Set up a new SSH key
+Connection to pi.lan closed.
+```
+
+And that's it, you're set. Now to configure [uWSGI][uwsgi], which is what `piku` relies upon to manage your apps at runtime.
+
 ## uWSGI Installation (Debian Linux variants, any architecture)
 
 [uWSGI][uwsgi] can be installed in a variety of fashions. However, these instructions assume you're installing it from source, and as such may vary from system to system.
@@ -32,7 +133,7 @@ sudo pip install uwsgi
 sudo ln -s `which uwsgi` /usr/local/bin/uwsgi-piku
 
 # set up our init script
-sudo cp uwsgi-piku.dist /etc/init.d/uwsgi-piku
+sudo cp /tmp/uwsgi-piku.dist /etc/init.d/uwsgi-piku
 sudo chmod +x /etc/init.d/uwsgi-piku
 sudo update-rc.d uwsgi-piku defaults
 sudo service uwsgi-piku start
@@ -67,3 +168,4 @@ _TODO: complete this._
 
 [goarm]: http://dave.cheney.net/unofficial-arm-tarballs
 [uwsgi]: https://github.com/unbit/uwsgi
+[cygwin]: http://www.cygwin.com

README.md

@@ -15,11 +15,11 @@ From the bottom up:
 - [ ] Proxy deployments to other nodes (build on one box, deploy to many) 
 - [ ] Support Clojure/Java deployments
 - [ ] CLI command documentation
-- [ ] Complete installation instructions (see `INSTALL.md` for a working draft)
 - [ ] Support barebones binary deployments
 - [ ] Sample Go app
 - [ ] Support Go deployments
-- [ ] Installation helper/SSH key add
+- [x] Complete installation instructions (see `INSTALL.md`, which also has a draft of Go installation steps)
+- [x] Installation helper/SSH key setup
 - [x] Worker scaling 
 - [x] Remote CLI commands for changing/viewing applied/live settings
 - [x] Remote tailing of all logfiles for a single application

piku.py

@@ -4,8 +4,8 @@ import os, sys, stat, re, shutil, socket
 from click import argument, command, group, option, secho as echo
 from collections import defaultdict, deque
 from glob import glob
-from os.path import abspath, basename, dirname, exists, getmtime, join, splitext
-from subprocess import call
+from os.path import abspath, basename, dirname, exists, getmtime, join, realpath, splitext
+from subprocess import call, check_output
 from time import sleep
 
 # === Globals - all tweakable settings are here ===
@@ -57,6 +57,8 @@ def setup_authorized_keys(ssh_fingerprint, script_path, pubkey):
     # Restrict features and force all SSH commands to go through our script 
     with open(authorized_keys, 'a') as h:
         h.write("""command="FINGERPRINT=%(ssh_fingerprint)s NAME=default %(script_path)s $SSH_ORIGINAL_COMMAND",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding %(pubkey)s\n""" % locals())
+    os.chmod(authorized_keys, stat.S_IRUSR | stat.S_IWUSR)
+
         
 
 def parse_procfile(filename):
@@ -538,6 +540,27 @@ def deploy_app(app, settings):
     spawn_app(app, deltas)
 
 
+@piku.command("setup:ssh")
+@argument('public_key_file')
+def add_key(public_key_file):
+    """Set up a new SSH key"""
+    
+    if exists(public_key_file):
+        try:
+            fingerprint = check_output('ssh-keygen -lf %s' % public_key_file, shell=True).split(' ',4)[1]
+            if re.match('(([0-9a-f]{2}\:){16})', '%s:' % fingerprint):
+                key = open(public_key_file).read().strip()
+                echo("Adding key '%s'." % fingerprint, fg='white')
+                this_script = realpath(__file__)
+                setup_authorized_keys(fingerprint, this_script, key)
+                # mark this script as executable (in case we were invoked via interpreter)
+                if not(os.stat(this_script).st_mode & stat.S_IXUSR):
+                    echo("Setting '%s' as executable." % this_script, fg='yellow')
+                    os.chmod(realpath(this_script), os.stat(this_script).st_mode | stat.S_IXUSR)         
+        except:
+            echo("Error: invalid public key file '%s'" % public_key_file, fg='red')
+    
+
 @piku.command("logs")
 @argument('app')
 def tail_logs(app):