Re: [PATCH] Setup sigul bridge and client
On Sat, 2009-07-25 at 06:55 -0700, Toshio Kuratomi wrote:
> Not necessarily related to enabling the builder repo: Is having the same rpm versions as the builders necessary?

Yes. The bridge and server will be dealing with rpms that are being built by koji, and will need to be able to understand the payloads and checksums, as well as perform the larger signing. As we make changes to rpm and update the builders to handle those changes, we'll have to update the signing and composing systems too.

--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating

Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
[PATCH] Setup sigul bridge and client
Add a sigul module with bridge and server classes. Adjust the sign-bridge1 node to use the new classes. --- .../nodes/sign-bridge1.fedora.phx.redhat.com.pp| 17 +++- modules/sigul/files/server.conf| 47 ++ modules/sigul/manifests/init.pp| 97 modules/sigul/templates/bridge.conf.erb| 30 ++ 4 files changed, 189 insertions(+), 2 deletions(-) create mode 100644 modules/sigul/files/server.conf create mode 100644 modules/sigul/manifests/init.pp create mode 100644 modules/sigul/templates/bridge.conf.erb diff --git a/manifests/nodes/sign-bridge1.fedora.phx.redhat.com.pp b/manifests/nodes/sign-bridge1.fedora.phx.redhat.com.pp index 3bfcb8a..6c5d295 100644 --- a/manifests/nodes/sign-bridge1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/sign-bridge1.fedora.phx.redhat.com.pp @@ -3,7 +3,9 @@ node sign-bridge1.fedora.phx.redhat.com { include phx include fas::client #include global -#include pkgsigner +# Include the builder infrastructure so that we get the same rpm versions +include yum::repo::builder-infrastructure +include sigul::bridge # Hack but it's easy to predict and easy to follow: # exec { disable-ssh: @@ -16,6 +18,17 @@ node sign-bridge1.fedora.phx.redhat.com { # command = '/etc/init.d/puppet stop; /sbin/chkconfig puppet off', # } +# Firewall Rules, allow sigul server through. +$tcpPorts = [ '44333' ] +$custom = [ ] + +iptables { '/etc/sysconfig/iptables': +content = template('system/iptables-template.conf.erb'), +} + +service { iptables: +ensure = running, +hasstatus = true, +} - } diff --git a/modules/sigul/files/server.conf b/modules/sigul/files/server.conf new file mode 100644 index 000..513cad5 --- /dev/null +++ b/modules/sigul/files/server.conf 
@@ -0,0 +1,47 @@ +# This is a configuration for the sigul server. + +[server] +# Host name of the publically acessible bridge to clients +bridge-hostname: sign-bridge1 +# Port on which the bridge expects server connections +bridge-port: 44333 +# Maximum accepted size of payload stored on disk +max-file-payload-size: 1073741824 +# Maximum accepted size of payload stored in server's memory +max-memory-payload-size: 1048576 +# Nickname of the server's certificate in the NSS database specified below +server-cert-nickname: sigul-server-cert + +[database] +# Path to a directory containing a SQLite database +;database-path: /var/lib/sigul + +[gnupg] +# Path to a directory containing GPG configuration and keyrings +gnupg-home: /var/lib/sigul/gnupg +# Default primary key type for newly created keys +gnupg-key-type: RSA +# Default primary key length for newly created keys +gnupg-key-length: 4096 +# Default subkey type for newly created keys, empty for no subkey +gnupg-subkey-type: +# Default subkey length for newly created keys if gnupg-subkey-type is not empty +; gnupg-subkey-length: 2048 +# Default key usage flags for newly created keys +gnupg-key-usage: encrypt, sign +# Length of key passphrases used for newsly created keys +passphrase-length: 64 + +[daemon] +# The user to run as +unix-user: sigul +# The group to run as +unix-group: sigul + +[nss] +# Path to a directory containing a NSS database +nss-dir: /var/lib/sigul +# Password for accessing the NSS database. If not specified, the server will +# ask on startup +; nss-password is not specified by default + diff --git a/modules/sigul/manifests/init.pp b/modules/sigul/manifests/init.pp new file mode 100644 index 000..aae73eb --- /dev/null +++ b/modules/sigul/manifests/init.pp 
@@ -0,0 +1,97 @@ +class sigul { + +package { sigul: +ensure = installed, +} +} + +class sigul::bridge inherits sigul { + +package { koji; +ensure = installed, +} + +file { /etc/sigul/bridge.conf: +owner = root, +group = sigul, +mode= 0640, +content = template(sigul/bridge.conf.erb) +require = [ Package[sigul] ], +} + +file { /var/lib/sigul/cert8.db: +owner = sigul, +group = sigul, +mode= 0600, +source = puppet:///config/secure/sigul_bridge_cert8.db, +require = Package[sigul], +} + +file { /var/lib/sigul/key3.db: +owner = sigul, +group = sigul, +mode= 0600, +source = puppet:///config/secure/sigul_bridge_key3.db, +require = Package[sigul], +} + +file { /var/lib/sigul/secmod.db: +owner = sigul, +group = sigul, +mode= 0600, +source = puppet:///config/secure/sigul_bridge_secmod.db, +require = Package[sigul], +} + +file { /var/lib/sigul/.fedora-server-ca.cert: +owner = sigul, +group = sigul, +mode = 0644, +source = puppet:///config/secure/fedora-ca.cert, +} + +file { /var/lib/sigul/.fedora.cert: +owner = sigul, +
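Review bot: The `include yum::repo::builder-infrastructure` line in the sign-bridge1 hunk pulls the entire builder repo onto the signing bridge, while the comment only explains the rpm version parity motivation. Since the bridge is the exposed half of the signing setup, the comment should state that only the rpm/koji packages are expected from that repo, so that a later `ensure => latest` on some unrelated package elsewhere in the manifests does not quietly widen what runs on this host.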
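Review bot: The firewall block in the sign-bridge1 hunk opens TCP 44333 to any source (`$tcpPorts = [ '44333' ]` with `$custom = [ ]`), but the new server.conf describes 44333 as the port on which the bridge expects connections from the sigul server, and sign-vault1 is the only legitimate peer. Restricting that port to the vault's address via `$custom` would keep the server-side channel unreachable from everything else that can reach the bridge. Also check whether the client-facing bridge port needs an entry: bridge.conf.erb is in the diffstat but not in these hunks, and the comment "allow sigul server through" suggests only the server side was considered.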
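Review bot: Two typos in the comments of the new server.conf: "publically acessible" should be "publicly accessible" and "newsly created keys" should be "newly created keys". More substantively, `bridge-hostname: sign-bridge1` is a short name while the bridge node is defined as sign-bridge1.fedora.phx.redhat.com; if the TLS hostname check is made against this value, the FQDN avoids depending on the resolver's search domain. The trailing `; nss-password is not specified by default` means the daemon prompts for the NSS password on startup and so cannot be brought up unattended by init; that is a reasonable default for the key-holding server, but it should be recorded in the sign-vault1 node manifest so nobody "fixes" it by putting the password in the file.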
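Review bot: Syntax problems in the new init.pp hunk: `package { koji;` uses a semicolon where the other resources use a colon (`package { sigul:`), and `content = template(sigul/bridge.conf.erb)` has no trailing comma before the following `require` line (unless extraction dropped it), so the manifest will not parse. The `/var/lib/sigul/.fedora-server-ca.cert` resource is also the only file under /var/lib/sigul without `require => Package[sigul]`, so on a fresh host it can be applied before the package has created the directory. The NSS database files (cert8.db, key3.db, secmod.db) being 0600 sigul:sigul and sourced from puppet:///config/secure/ is correct, since key3.db holds the bridge's private key.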
[PATCH] Setup sigul bridge and client
Add a sigul module with bridge and server classes. Adjust the sign-bridge1 node to use the new classes. Have sign-vault1 use the sigul::server class to get its configuration --- .../nodes/sign-bridge1.fedora.phx.redhat.com.pp| 17 +++- .../nodes/sign-vault1.fedora.phx.redhat.com.pp |6 +- modules/sigul/files/server.conf| 47 + modules/sigul/manifests/init.pp| 99 modules/sigul/templates/bridge.conf.erb| 30 ++ 5 files changed, 196 insertions(+), 3 deletions(-) create mode 100644 modules/sigul/files/server.conf create mode 100644 modules/sigul/manifests/init.pp create mode 100644 modules/sigul/templates/bridge.conf.erb diff --git a/manifests/nodes/sign-bridge1.fedora.phx.redhat.com.pp b/manifests/nodes/sign-bridge1.fedora.phx.redhat.com.pp index 3bfcb8a..6c5d295 100644 --- a/manifests/nodes/sign-bridge1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/sign-bridge1.fedora.phx.redhat.com.pp @@ -3,7 +3,9 @@ node sign-bridge1.fedora.phx.redhat.com { include phx include fas::client #include global -#include pkgsigner +# Include the builder infrastructure so that we get the same rpm versions +include yum::repo::builder-infrastructure +include sigul::bridge # Hack but it's easy to predict and easy to follow: # exec { disable-ssh: @@ -16,6 +18,17 @@ node sign-bridge1.fedora.phx.redhat.com { # command = '/etc/init.d/puppet stop; /sbin/chkconfig puppet off', # } +# Firewall Rules, allow sigul server through. +$tcpPorts = [ '44333' ] +$custom = [ ] + +iptables { '/etc/sysconfig/iptables': +content = template('system/iptables-template.conf.erb'), +} + +service { iptables: +ensure = running, +hasstatus = true, +} - } diff --git a/manifests/nodes/sign-vault1.fedora.phx.redhat.com.pp b/manifests/nodes/sign-vault1.fedora.phx.redhat.com.pp index 4c57d01..912d050 100644 --- a/manifests/nodes/sign-vault1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/sign-vault1.fedora.phx.redhat.com.pp 
@@ -4,7 +4,9 @@ node sign-vault1 { include phx include fas::client #include global -include pkgsigner +# Include the builder infrastructure so that we get the same rpm versions +include yum::repo::builder-infrastructure +include sigul::server # Hack but it's easy to predict and easy to follow: # exec { disable-ssh: @@ -17,5 +19,7 @@ node sign-vault1 { # command = '/etc/init.d/puppet stop; /sbin/chkconfig puppet off', # } +# Need iptables blocking everything here + } diff --git a/modules/sigul/files/server.conf b/modules/sigul/files/server.conf new file mode 100644 index 000..513cad5 --- /dev/null +++ b/modules/sigul/files/server.conf 
@@ -0,0 +1,47 @@ +# This is a configuration for the sigul server. + +[server] +# Host name of the publically acessible bridge to clients +bridge-hostname: sign-bridge1 +# Port on which the bridge expects server connections +bridge-port: 44333 +# Maximum accepted size of payload stored on disk +max-file-payload-size: 1073741824 +# Maximum accepted size of payload stored in server's memory +max-memory-payload-size: 1048576 +# Nickname of the server's certificate in the NSS database specified below +server-cert-nickname: sigul-server-cert + +[database] +# Path to a directory containing a SQLite database +;database-path: /var/lib/sigul + +[gnupg] +# Path to a directory containing GPG configuration and keyrings +gnupg-home: /var/lib/sigul/gnupg +# Default primary key type for newly created keys +gnupg-key-type: RSA +# Default primary key length for newly created keys +gnupg-key-length: 4096 +# Default subkey type for newly created keys, empty for no subkey +gnupg-subkey-type: +# Default subkey length for newly created keys if gnupg-subkey-type is not empty +; gnupg-subkey-length: 2048 +# Default key usage flags for newly created keys +gnupg-key-usage: encrypt, sign +# Length of key passphrases used for newsly created keys +passphrase-length: 64 + +[daemon] +# The user to run as +unix-user: sigul +# The group to run as +unix-group: sigul + +[nss] +# Path to a directory containing a NSS database +nss-dir: /var/lib/sigul +# Password for accessing the NSS database. If not specified, the server will +# ask on startup +; nss-password is not specified by default + diff --git a/modules/sigul/manifests/init.pp b/modules/sigul/manifests/init.pp new file mode 100644 index 000..be7023d --- /dev/null +++ b/modules/sigul/manifests/init.pp 
@@ -0,0 +1,99 @@ +class sigul { + +package { sigul: +ensure = installed, +} +} + +class sigul::bridge inherits sigul { + +package { koji; +ensure = installed, +} + +file { /etc/sigul/bridge.conf: +owner = root, +group = sigul, +mode= 0640, +content = template(sigul/bridge.conf.erb) +require = Package[sigul], +} +
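Review bot: The sign-vault1 hunk replaces `include pkgsigner` with `include sigul::server` but leaves the firewall as the comment `# Need iptables blocking everything here`. This is the host whose server.conf points at the GnuPG keyrings and NSS database, so it should not ship with an open firewall: reuse the iptables/service pattern from the sign-bridge1 hunk with `$tcpPorts = [ ]`, since per server.conf the server connects out to the bridge on 44333 and needs no inbound port. The init.pp hunk in this revision still carries the `package { koji;` semicolon and the missing comma after `template(sigul/bridge.conf.erb)` noted on the previous version; the change of `require` from an array to a bare `Package[sigul]` is fine.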