Install Template Builder dependencies

Dependency sets for Template Builder

There are two sets of dependencies for Template Builder. The first set — python, textfsm, and jinja2 — is required for Template Builder to function. The second set — chroot, sudo, and ldd — is required to allow Template Builder to execute Jinja2 templates in a contained context. Without this second set of dependencies and the appropriate configuration in place, Jinja2 templates will have access to the parent process's environment variables and to the file system. It is highly recommended that you configure Template Builder to execute Jinja2 templates in a contained context.

Install the base dependencies

1. Install Python 3

Starting with Python version 3.4, pip is included as part of the Python installers.

$ sudo yum install -y python3

2. Verify the Python version

$ python3 --version

3. Verify the pip3 version

$ pip3 --version

4. Install TextFSM and Jinja2

Once TextFSM and Jinja2 are available, the template parser will be able to function properly.

$ sudo pip3 install textfsm
$ sudo pip3 install jinja2

5. Verify installed versions

$ pip3 freeze

Install the security configuration

1. Install shell utilities

Make sure the following shell utilities are installed. These are likely already present on your system.

$ yum -y install sudo glibc-common coreutils

2. Permit sudo chroot without a password prompt (Platform 6.1.1 or earlier)

Verify that the user running the server (usually pronghorn) is permitted to run sudo chroot without a password prompt. The example below accomplishes this, but the system administrator is expected to tailor these commands to their needs. As long as the server is permitted to run chroot through sudo without a password prompt, Template Builder can sandbox Jinja2 template execution.

$ echo "pronghorn ALL=(ALL) NOPASSWD: $(command -v chroot)" >> /etc/sudoers.d/itential

3. Verify file permissions for Python dependencies (Platform 6.1.1 or earlier)

Make sure Template Builder is permitted to copy in all dependencies required by Python. These are the dependencies output by the ldd command, as well as all paths in Python’s internal sys.path constant. If file permissions prevent Template Builder from copying these files into its chroot jail directory, Python will not be able to execute within the sandbox subshell and Template Builder will fall back to executing in insecure mode.
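
The file-permission check described above can be run before starting the server. The script below is an added example, not Itential's code: it approximates the file set from that description (the ldd output for the interpreter plus the sys.path entries) and assumes it is run as the server's user with the same python3 that Template Builder uses.

```python
# Added example (not Itential code): pre-flight read check for the chroot copy.
import os
import re
import subprocess
import sys

# Constructed sample of `ldd` output (not captured from a real host).
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd1a5f2000)
\tlibc.so.6 => /lib64/libc.so.6 (0x00007f1c29c00000)
\tlibmissing.so => not found
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1c2a600000)
"""

def parse_ldd(output):
    """Split ldd output into (library paths, names ldd could not resolve)."""
    paths, missing = [], []
    for line in output.splitlines():
        not_found = re.match(r"\s*(\S+) => not found", line)
        resolved = re.match(r"\s*(?:\S+ => )?(/\S+) \(0x[0-9a-f]+\)", line)
        if not_found:
            missing.append(not_found.group(1))
        elif resolved:  # vdso lines carry no path and are skipped
            paths.append(resolved.group(1))
    return paths, missing

def unreadable(roots):
    """Return paths under roots the current user cannot read; missing roots are skipped."""
    bad = []
    for root in roots:
        if not os.path.isdir(root):
            if os.path.exists(root) and not os.access(root, os.R_OK):
                bad.append(root)
            continue
        for d, _, files in os.walk(root, onerror=lambda e: bad.append(e.filename)):
            bad += [p for p in (os.path.join(d, f) for f in files)
                    if not os.access(p, os.R_OK)]
    return bad

def main():
    out = subprocess.check_output(["ldd", sys.executable], universal_newlines=True)
    libs, missing = parse_ldd(out)
    # sys.path[0] is this script's own directory, not an interpreter dependency.
    bad = unreadable(libs + [p for p in sys.path[1:] if p])
    for msg in ["not found: " + n for n in missing] + ["unreadable: " + p for p in bad]:
        print(msg)
    return 1 if missing or bad else 0

if __name__ == "__main__":
    sys.exit(main())
```

Run it as the service user, for example `sudo -u pronghorn python3 check_jail_deps.py` (the file name is hypothetical); a non-zero exit status means at least one dependency is missing or unreadable for that user.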

Test the security configuration

1. Ensure Itential Platform is running

2. Examine the logs

Template Builder reports that it is creating a sandbox directory for Jinja2 template execution, and when finished, it reports either the success or failure of the process. On the first run of the server, this will likely take several minutes. Until it is finished, Template Builder responds to API requests by stating that it is still initializing.

3. Run a Jinja2 template

Once Template Builder has finished initializing the sandbox directory, run a Jinja2 template.

4. Verify secure mode in the logs

Examine the server logs and confirm there are no warnings stating that Jinja2 execution is running in insecure mode.