Add some useful debug scripts for Vault access, OVH credentials access and client setup, and VIP assignment checks
- debug_connection_vault.py
- debug_vault_ovh_credentials.py
- debug_check_vip_ovh.py
Details
Details
On /usr/local/libexec/carp :
- sudo python3 debug_connection_vault.py : to verify Vault connection
- sudo python3 debug_vault_ovh_credentials.py : to ensure the OVH client works by performing a /me API call
- sudo python3 debug_check_vip_ovh.py : to check which router MAC currently holds the VIP on OVH
Diff Detail
Diff Detail
- Repository
- rOPS Nasqueron Operations
- Lint
Lint Skipped - Unit
No Test Coverage - Branch
- arcpatch-D4034
- Build Status
Buildable 6659 Build 6947: arc lint + arc unit
Event Timeline
| roles/router/carp/files/debug_check_vip_ovh.py | ||
|---|---|---|
| 23 | Should be provisioned by Salt. We've two strategies for that. (1) older strategy was to templatize Python scripts, ie treat this as Jinja templates (2) newer strategy is usually to provision a YAML template with Salt, and keep this as a pure Python script reading that YAML I've checked, PyYAML is installed on router role, so second strategy works: dereckson in 🌐 router-002 in ~ ❯ python3 Python 3.11.14 (main, Feb 7 2026, 01:06:44) [Clang 19.1.7 (https://github.com/llvm/llvm-project.git llvmorg-19.1.7-0-gcd7080 on freebsd15 Type "help", "copyright", "credits" or "license" for more information. >>> import yaml >>> | |
| roles/router/carp/init.sls | ||
| 44 | Don't put .py prefix Put everything in {{ dirs.bin }}/ directly. That's the convention on UNIX machines. | |
Comment Actions
Many changes:
- Adapt the debug scripts on how should an executable UNIX be : https://github.com/nasqueron/snippets/blob/main/python/command.py
- Improved scripts structure by separating configuration, helper functions, main function and entry point.
- According to https://man.freebsd.org/cgi/man.cgi?query=hier&sektion=7, /usr/libexec contains utilities executed by programs, making it the appropriate location for the debug scripts.
- Set correct permissions (not 0 in front and string (like '0644') for Salt (more like 644), only on Ansible) for the debug scripts.
- Executable files do not require extensions on Unix systems, as execution is determined by the shebang.
- Using a YAML file (method PyYAML) to get the value of VAULT_CONFIG (created on D4033)
| roles/router/carp/files/debug_check_vip_ovh | ||
|---|---|---|
| 1 ↗ | (On Diff #10569) | |
| 32 ↗ | (On Diff #10569) | Apply black to format Python Also, it could be easier to maintain if we DIRECTLY use the config dictionary in the code: that way, we know where in the configuration file that variable is set. |
| 51 ↗ | (On Diff #10569) | secret could be in config too |
| roles/router/carp/init.sls | ||
| 43 |
{% for script in ["debug_check_vip_ovh", ...] %}
/usr/local/libexec/carp/{{ script }}:
file.managed:
- source: salt://roles/router/carp/files/{{ script }}.py
- makedirs: True
- mode: 755 | |
Comment Actions
So to clarify for executable scripts files:
- in Salt, we put the extension: .sh, .php, .py, .tcl, etc.
- on the server, we provision without the extension
Comment Actions
- use /usr/bin/env python3 shebang
- use config dictionary directly instead of intermediate variables
- rename scripts to .py in repository
- refactor init.sls to use a loop for script deployment
Comment Actions
We should put the executables in the folder bin, it is the UNIX convention, so in FreeBSD, it will be /usr/local/bin.
Comment Actions
Actually, those scripts should not be placed in the folder bin.
Even if the bin directory is intended for user-facing commands that are meant to be executed manually like those
scripts.
However, those scripts are only used for debugging the CARP failover mechanism that is not intended to be used as a regular
command, this script is placed in the folder libexec. So it is better to place them with the script carp-ovh-failover.
Comment Actions
Actually, this config CARP will work only in FreeBSD machine because DEVD works only in FreeBSD, so it is not necessary to use dir from map.jinja,
we can put manually the path directory for the scripts that will help the final script carp-ovh-failover that works only in FreeBSD.
| roles/router/carp/files/debug_connection_vault.py | ||
|---|---|---|
| 42 | ||
| 45 | ||
| roles/router/carp/files/debug_vault_ovh_credentials.py | ||
| 53 | To print the credentials won't be helpful, as it will just be a collection of characters, without any hint it will be accepted or not by the API. Let's use them immediately: client = ovh.Client(...) Build the OVH client isn't enough to check the credentials, we need to run a small query like /me to ensure it works. | |
Comment Actions
Changes:
- Send all error to STDERR with file=sys.stderr
- Use the OVH /me endpoint to perform a real API call and ensure the credentials are valid and authentication is working