[RFC] add initial proposal for unattended questions

[jreidinger]

Problem

With introduced questions mechanism it is impossible to have real unattended installation.

trello: https://trello.com/c/eMVlSQnU/3364-2-agama-research-design-a-mechanism-to-ask-questions-during-auto-installation

Solution

Create proposal how to modify questions and add support for unattanded installation to them.

[coveralls]

Pull Request Test Coverage Report for Build 5153284815

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 75.686%

---

Totals
Change from base Build 5081178664:	0.0%
Covered Lines:	5396
Relevant Lines:	6890

---

💛 - Coveralls

[lslezak]

Why 4? What about using a single Hash as a parameter? That would also allow to name the parameters, like
{url: "https://example.com", checksum: "123456..."}

[jreidinger]

well, I consider 4 as reasonable number..but it is true, that hash can be also helpful and more flexible.

[lslezak]

I'm not sure if it is a good idea, you do not want to have your LUKS password to be stored in any file.
Even URLs might contain passwords, we have special URL::HidePassword() method in YaST for logging passwords.

[jreidinger]

OK, I can add there that sensitive data is filtered out and replaced by some <sensitive> string?

[lslezak]

Yes, some filtering should be done.
RoR uses [FILTERED] IIRC...

[lslezak]

As written above, saving the user's answers might have security implications, that should only happen on explicit user request.

[lslezak]

I'm not sure if we should support this scenario. I'd expect the vendors would only touch /etc/agama.yaml and possibly some branding files. I feel that this is rather abusing the answers for some different case. We could configure Agama to death.

If we want to have some default answers configurable I'd prefer to configure them via /etc/agama.yaml and do not mix manual and automatic installation to some hybrid solution. That would be difficult to test and maintain, I'd rather not open that box...

E.g. if you want to accept an additional GPG key from a custom repository let's define that together with the URL in the config file.

[jreidinger]

well, basically question is if there is reason to have answers and interactive mode or not ( so basically answer only known questions and for rest ask user instead of using auto reply ).

[mvidner]

I'd like to know how this design affects the D-Bus API

[mvidner]

never trust robots that you do not program yourself :)

@jreidinger very true, you still have to proofread what DeepL gave you to check that it didn't change the meaning.

[mvidner]

So again, I'd like to know how this design affects the D-Bus API.

I can imagine a design, where all of the unattended handling just prevents some/all of the Questions from appearing on the bus so the API would stay the same.

If the API does change, I think it is worthwhile specifying now in this PR

[joseivanlopez]

My thoughts:

• I agree with:
  • Having a file with the provided answers.
  • With a matching mechanism (e.g., what type of question, what device, what repo, etc).
  • With a default answer (but optional).
• I disagree with:
  • Having modes (auto and manual).
  • Having extra data (for matching) in the question itself.

How do I envision it?

• Passing an optional (and encrypted?) file with the answers (similar to autoinstall profile).
• Having a matching mechanism as proposed.
• Having an optional default answer for each question.
• A question is not asked if its answer is already known (why to ask for luks password if it was already provided by an answers file?).
• No difference between auto and manual install. If the answer is known, then take it. Otherwise, ask a question.

[mvidner]

IMHO regexp (regular expressions) are overkill (incompatible dialects...) and I hope substrings or shell patterns will be enough

[jreidinger]

that is good suggestion. Maybe for the first phase we can omit regexp completely and if needed, we can extend it ( so some string that start with some fancy character to support advanced matching ).

[mvidner]

To avoid Mode in the service...
Another (crazy?) design: the service just asks a question on the bus, and there is an "auto answerer client" that answers all questions

[jreidinger]

My thoughts:

* I agree with:
  
  * Having a file with the provided answers.
  * With a matching mechanism (e.g., what type of question, what device, what repo, etc).
  * With a default answer (but optional).

* I disagree with:
  
  * Having modes (auto and manual).
  * Having extra data (for matching) in the question itself.

How do I envision it?

* Passing an optional (and encrypted?) file with the answers (similar to autoinstall profile).

* Having a matching mechanism as proposed.

* Having an optional default answer for each question.

* A question is not asked if its answer is already known (why to ask for luks password if it was already provided by an answers file?).

* No difference between auto and manual install. If the answer is known, then take it. Otherwise, ask a question.

Thanks for notes. I think there is a lot of agreement and just a few collisions.
I think the main one is how unattended installation should look like. For me, if we have unattended installation, it should really be unattended unless major and critical issue appear ( like not able to install anything, not able to partition, etc. ). And for that we have issues and not questions. Question is for me when installer missing some info, but should be able to continue without that info. And in unattended mode questions should never be asked from my POV.

Just to clarify few notes:

1. modes will be only in question object. So no global mode like in yast, just set questions object to unattended mode.
2. we can maybe use that extra data from questions in UI itself, as question can be more limited then data, so we can show it in some details for question or in CLI. E.g. consider some additional details about disk that is luks encrypted.
3. if we do not have extra data in questions for matching, we still need to somehow match answer and question, so if it is only in answer, it means that each object needs to do matching on its own, which can be quite messy.
4. in my proposal is also passing answers file, but if it is missing, just defaults are used. Note about encrypted is good, I will add TODO as we probably do not need it for first iteration
5. What you describe in the last point is basically how can happen my proposal if answers are provided and questions are not set to unattended mode. Question is if it is useful for users.

@imobachgs how do you see it? Especially about requirements for unattended mode and possible blocked by question that is not specified in advance.

[imobachgs]

Not to mention translations...

[jreidinger]

To avoid Mode in the service... Another (crazy?) design: the service just asks a question on the bus, and there is an "auto answerer client" that answers all questions

It is of course possible and nothing prevents it. I just see some disadvantages:

1. default answer has to be in that client, so the clients needs to know about any possible question.
2. It is additional process that will need to run
3. If we use web UI as UI for user there is high chance, that it will quickly show questions and then it will again disappear.

[imobachgs]

About the "unattended mode", I see how it is useful but I also understand @joseivanlopez's concern.

I am a little bit late to the discussion but, IMHO, the important thing is to set the default behavior when an answer is not defined (using an answers.yml file or whatever mechanism). For instance, when performing an autoinstallation, you could set the behavior to use default. On a regular installation, the behavior could be ask the user.

So you do not need to model the concept of mode, but just to set the fallback behavior. Does it make any sense?

[joseivanlopez]

How I see it, auto-installation is exactly the same as the regular installation. The only two differences I see with auto and no auto are:

a) Auto-install automatically sets the given config.
b) Auto-install automatically starts the installation after setting the config.

What it is more, auto-install should not care about having user interaction or not. If we provide all the required info, then the auto-installation can proceed, otherwise it cannot. For example, if the "profile" does not contain user/root password, then the auto-installation cannot continue. I would do the same for questions/answers.

If we don't want to emit questions, then we need to configure our answers mechanism to do something when an answer is unknow (as Imo pointed above). For example (the format is wrong, only as idea):

questions: 
  default: continue (or abort)
  storage:
    default: abort
    luks:
     - device: /dev/sda
       password: linux123

With that approach, we would have a way to provide what to do in any case. And maybe we could also offer the answers mechanism with manual installation and CLI too. For example:

agama config set questions.default=continue
agama install

And this make me think, should questions belong to the "profile" instead of a separate file?

agama config load config.json # including settings and answers
agama config set questions.default=abort

[joseivanlopez]

LGTM

[joseivanlopez]

which is needed