Here is my initial stab at a class for the signing server(s).
There is a bridge that clients communicate with (and I'm thinking of forcing this through an ssh tunnel through bastion) and that interacts with koji. There is also the server itself that has the gpg keys on it and does the signing action. The server initiates a connection to the bridge, so only the bridge has to listen for connections.
I think I have this mostly set up right, but I'd like some more eyes on it before I commit. Thanks!
-- Jes
Add a sigul module with bridge and server classes. Adjust the sign-bridge1 node to use the new classes. --- .../nodes/sign-bridge1.fedora.phx.redhat.com.pp | 17 +++- modules/sigul/files/server.conf | 47 ++++++++++ modules/sigul/manifests/init.pp | 97 ++++++++++++++++++++ modules/sigul/templates/bridge.conf.erb | 30 ++++++ 4 files changed, 189 insertions(+), 2 deletions(-) create mode 100644 modules/sigul/files/server.conf create mode 100644 modules/sigul/manifests/init.pp create mode 100644 modules/sigul/templates/bridge.conf.erb
diff --git a/manifests/nodes/sign-bridge1.fedora.phx.redhat.com.pp b/manifests/nodes/sign-bridge1.fedora.phx.redhat.com.pp index 3bfcb8a..6c5d295 100644 --- a/manifests/nodes/sign-bridge1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/sign-bridge1.fedora.phx.redhat.com.pp @@ -3,7 +3,9 @@ node "sign-bridge1.fedora.phx.redhat.com" { include phx include fas::client #include global - #include pkgsigner + # Include the builder infrastructure so that we get the same rpm versions + include yum::repo::builder-infrastructure + include sigul::bridge
# Hack but it's easy to predict and easy to follow: # exec { "disable-ssh": @@ -16,6 +18,17 @@ node "sign-bridge1.fedora.phx.redhat.com" { # command => '/etc/init.d/puppet stop; /sbin/chkconfig puppet off', # }
+ # Firewall Rules, allow sigul server through. + $tcpPorts = [ '44333' ] + $custom = [ ] + + iptables { '/etc/sysconfig/iptables': + content => template('system/iptables-template.conf.erb'), + } + + service { iptables: + ensure => running, + hasstatus => true, + }
- } diff --git a/modules/sigul/files/server.conf b/modules/sigul/files/server.conf new file mode 100644 index 0000000..513cad5 --- /dev/null +++ b/modules/sigul/files/server.conf @@ -0,0 +1,47 @@ +# This is a configuration for the sigul server. + +[server] +# Host name of the publically acessible bridge to clients +bridge-hostname: sign-bridge1 +# Port on which the bridge expects server connections +bridge-port: 44333 +# Maximum accepted size of payload stored on disk +max-file-payload-size: 1073741824 +# Maximum accepted size of payload stored in server's memory +max-memory-payload-size: 1048576 +# Nickname of the server's certificate in the NSS database specified below +server-cert-nickname: sigul-server-cert + +[database] +# Path to a directory containing a SQLite database +;database-path: /var/lib/sigul + +[gnupg] +# Path to a directory containing GPG configuration and keyrings +gnupg-home: /var/lib/sigul/gnupg +# Default primary key type for newly created keys +gnupg-key-type: RSA +# Default primary key length for newly created keys +gnupg-key-length: 4096 +# Default subkey type for newly created keys, empty for no subkey +gnupg-subkey-type: +# Default subkey length for newly created keys if gnupg-subkey-type is not empty +; gnupg-subkey-length: 2048 +# Default key usage flags for newly created keys +gnupg-key-usage: encrypt, sign +# Length of key passphrases used for newsly created keys +passphrase-length: 64 + +[daemon] +# The user to run as +unix-user: sigul +# The group to run as +unix-group: sigul + +[nss] +# Path to a directory containing a NSS database +nss-dir: /var/lib/sigul +# Password for accessing the NSS database. If not specified, the server will +# ask on startup +; nss-password is not specified by default + diff --git a/modules/sigul/manifests/init.pp b/modules/sigul/manifests/init.pp new file mode 100644 index 0000000..aae73eb --- /dev/null +++ b/modules/sigul/manifests/init.pp 
@@ -0,0 +1,97 @@ +class sigul { + + package { "sigul": + ensure => installed, + } +} + +class sigul::bridge inherits sigul { + + package { "koji"; + ensure => installed, + } + + file { "/etc/sigul/bridge.conf": + owner => "root", + group => "sigul", + mode => 0640, + content => template("sigul/bridge.conf.erb") + require => [ Package["sigul"] ], + } + + file { "/var/lib/sigul/cert8.db": + owner => "sigul", + group => "sigul", + mode => 0600, + source => "puppet:///config/secure/sigul_bridge_cert8.db", + require => Package["sigul"], + } + + file { "/var/lib/sigul/key3.db": + owner => "sigul", + group => "sigul", + mode => 0600, + source => "puppet:///config/secure/sigul_bridge_key3.db", + require => Package["sigul"], + } + + file { "/var/lib/sigul/secmod.db": + owner => "sigul", + group => "sigul", + mode => 0600, + source => "puppet:///config/secure/sigul_bridge_secmod.db", + require => Package["sigul"], + } + + file { "/var/lib/sigul/.fedora-server-ca.cert": + owner => "sigul", + group => "sigul", + mode => 0644, + source => "puppet:///config/secure/fedora-ca.cert", + } + + file { "/var/lib/sigul/.fedora.cert": + owner => "sigul", + group => "sigul", + mode => 0644, + source => "puppet:///config/secure/sigul_key_and_cert.pem", + } + +} + +class sigul::server inherits sigul { + + file { "/etc/sigul/server.conf": + owner => "root", + group => "sigul", + mode => 0640, + source => "puppet:///sigul/server.conf" + require => [ Package["sigul"] ], + } + + file { "/var/lib/sigul/cert8.db": + owner => "sigul", + group => "sigul", + mode => 0600, + source => "puppet:///config/secure/sigul_server_cert8.db", + require => Package["sigul"], + } + + file { "/var/lib/sigul/key3.db": + owner => "sigul", + group => "sigul", + mode => 0600, + source => "puppet:///config/secure/sigul_server_key3.db", + require => Package["sigul"], + } + + file { "/var/lib/sigul/secmod.db": + owner => "sigul", + group => "sigul", + mode => 0600, + source => 
"puppet:///config/secure/sigul_server_secmod.db", + require => Package["sigul"], + } + +} + diff --git a/modules/sigul/templates/bridge.conf.erb b/modules/sigul/templates/bridge.conf.erb new file mode 100644 index 0000000..01f3ee9 --- /dev/null +++ b/modules/sigul/templates/bridge.conf.erb @@ -0,0 +1,30 @@ +# This is a configuration for the sigul bridge. + +[bridge] +# Nickname of the bridge's certificate in the NSS database specified below +bridge-cert-nickname: sigul-bridge-cert +# Port on which the bridge expects client connections +client-listen-port: 44334 +# Port on which the bridge expects server connections +server-listen-port: 44333 +# A Fedora account system group required for access to the signing server. If +# empty, no Fedora account check is done. +#required-fas-group: +required-fas-group: signers +# User name and password for an account on the Fedora account system that can +# be used to verify group memberships +fas-user-name: fedoradummy +fas-password: <%= fedoraDummyUserPassword %> + +[daemon] +# The user to run as +unix-user: sigul +# The group to run as +unix-group: sigul + +[nss] +# Path to a directory containing a NSS database +nss-dir: /var/lib/sigul +# Password for accessing the NSS database. If not specified, the bridge will +# ask on startup +; nss-password:
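Review bot: the `service { iptables: ... }` in the sign-bridge1 firewall hunk has no `subscribe` to the `iptables { '/etc/sysconfig/iptables': ... }` resource (and that resource has no `notify`), so a changed ruleset is written to disk but not loaded until something restarts iptables; add `subscribe => Iptables['/etc/sysconfig/iptables']` to the service. Opening only `44333` matches the intent in the cover mail that clients reach the bridge over an ssh tunnel rather than directly on `44334`; a one-line comment in the manifest saying so would keep the next editor from "fixing" it by opening the client port.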
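Review bot: comment typos in `modules/sigul/files/server.conf`: "publically acessible" should read "publicly accessible" and "newsly created keys" should read "newly created keys". Also, `bridge-hostname: sign-bridge1` is a short name while the bridge node is declared as `sign-bridge1.fedora.phx.redhat.com`; worth confirming that the short name resolves from the vault host before relying on it.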
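Review bot: `modules/sigul/manifests/init.pp` will not parse as written: `package { "koji";` needs a colon (`package { "koji":`), and both `content => template("sigul/bridge.conf.erb")` in `sigul::bridge` and `source => "puppet:///sigul/server.conf"` in `sigul::server` are missing the trailing comma before the following `require =>` line. Beyond syntax, `/var/lib/sigul/.fedora.cert` is sourced from `sigul_key_and_cert.pem` but installed with `mode => 0644`; a file whose name says it carries a key should get the same `0600` the NSS database files get. Neither class declares a `service` resource, so `include sigul::bridge` / `include sigul::server` installs and configures the daemons but does not ensure they run or restart them when `bridge.conf` / `server.conf` change; if that is deliberate for now, a comment saying so would help.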
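Review bot: the commented-out `#required-fas-group:` line directly above `required-fas-group: signers` in `bridge.conf.erb` is leftover from the sample config and can be dropped; the comment above it already documents the empty-value behaviour. Since the rendered file embeds `fas-password` from `fedoraDummyUserPassword`, the `0640` root:sigul ownership that init.pp sets on `/etc/sigul/bridge.conf` should stay with this template wherever it is reused.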
--- .../nodes/sign-vault1.fedora.phx.redhat.com.pp | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-)
diff --git a/manifests/nodes/sign-vault1.fedora.phx.redhat.com.pp b/manifests/nodes/sign-vault1.fedora.phx.redhat.com.pp index 4c57d01..912d050 100644 --- a/manifests/nodes/sign-vault1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/sign-vault1.fedora.phx.redhat.com.pp @@ -4,7 +4,9 @@ node "sign-vault1" { include phx include fas::client #include global - include pkgsigner + # Include the builder infrastructure so that we get the same rpm versions + include yum::repo::builder-infrastructure + include sigul::server
# Hack but it's easy to predict and easy to follow: # exec { "disable-ssh": @@ -17,5 +19,7 @@ node "sign-vault1" { # command => '/etc/init.d/puppet stop; /sbin/chkconfig puppet off', # }
+# Need iptables blocking everything here +
}
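Review bot: the `+# Need iptables blocking everything here` line in the sign-vault1 hunk leaves the host that holds the GPG keys with no firewall resource at all, while the bridge node in the companion patch already gets the `iptables { '/etc/sysconfig/iptables': ... }` / `service { iptables: ... }` pair. Since the cover mail says the server only initiates connections to the bridge and never listens, the same template with `$tcpPorts = [ ]` and `$custom = [ ]` could go in now in place of the comment; if it has to wait, a TODO naming who picks it up reads better than a bare comment.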
On 2009-07-25 03:53:23 AM, Jesse Keating wrote:
There is a bridge that clients communicate with (and I'm thinking of forcing this through an ssh tunnel through bastion) and that interacts with koji. There is also the server itself that has the gpg keys on it and does the signing action. The server initiates a connection to the bridge, so only the bridge has to listen for connections.
I think I have this mostly set up right, but I'd like some more eyes on it before I commit. Thanks!
Looks excellent to me, my only two comments are that you might want to make the files:
/var/lib/sigul/.fedora-server-ca.cert
/var/lib/sigul/.fedora.cert
require => Package["sigul"],
as well since they require the /var/lib/sigul directory (which I assume is provided by the package).
Thanks, Ricky
On Sat, 2009-07-25 at 00:14 -0400, Ricky Zhou wrote:
Looks excellent to me, my only two comments are that you might want to make the files:
/var/lib/sigul/.fedora-server-ca.cert
/var/lib/sigul/.fedora.cert
require => Package["sigul"],
as well since they require the /var/lib/sigul directory (which I assume is provided by the package).
Good catch. I'll do that. I'm also going to squash the two commits into one since they are all related and the second one was an afterthought.
infrastructure@lists.fedoraproject.org