Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
iv
slapos
Commits
5551b0cf
Commit
5551b0cf
authored
Aug 24, 2016
by
Nicolas Wavrant
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
resilient: replaces dropbear ssh server by sshd from openssh
parent
fc7c0aea
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
100 additions
and
61 deletions
+100
-61
stack/resilient/buildout.cfg
stack/resilient/buildout.cfg
+6
-4
stack/resilient/instance-pull-backup.cfg.in
stack/resilient/instance-pull-backup.cfg.in
+15
-16
stack/resilient/pbsready-export.cfg.in
stack/resilient/pbsready-export.cfg.in
+11
-6
stack/resilient/pbsready-import.cfg.in
stack/resilient/pbsready-import.cfg.in
+11
-6
stack/resilient/pbsready.cfg.in
stack/resilient/pbsready.cfg.in
+57
-29
No files found.
stack/resilient/buildout.cfg
View file @
5551b0cf
...
...
@@ -3,6 +3,7 @@ extends =
../../component/apache/buildout.cfg
../../component/bash/buildout.cfg
../../component/dropbear/buildout.cfg
../../component/openssh/buildout.cfg
../../component/gzip/buildout.cfg
../../component/rdiff-backup/buildout.cfg
../../component/rsync/buildout.cfg
...
...
@@ -26,6 +27,7 @@ parts =
recipe = zc.recipe.egg
eggs =
collective.recipe.template
collective.recipe.environment
#----------------
#--
...
...
@@ -39,7 +41,7 @@ eggs =
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/pbsready.cfg.in
output = ${buildout:directory}/pbsready.cfg
md5sum =
d2b06a13354127e9cbbf1c5d21791cb4
md5sum =
9eba09cd5f6e25f08eafbf1cb77582d5
mode = 0644
[pbsready-import]
...
...
@@ -48,7 +50,7 @@ mode = 0644
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/pbsready-import.cfg.in
output = ${buildout:directory}/pbsready-import.cfg
md5sum =
dd13497575d13b92c3abb0a633777e2c
md5sum =
b4a48d7fc502ca08d14b52097ccc4c6e
mode = 0644
[pbsready-export]
...
...
@@ -57,14 +59,14 @@ mode = 0644
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/pbsready-export.cfg.in
output = ${buildout:directory}/pbsready-export.cfg
md5sum =
bfd71e454140cf13179d408e10f95bf8
md5sum =
c819c0711d58e952f16b93d96654139c
mode = 0644
[template-pull-backup]
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/instance-pull-backup.cfg.in
output = ${buildout:directory}/instance-pull-backup.cfg
md5sum =
cb7acac7ab41bf44c20d6d03bfad8217
md5sum =
232fcad0892e56d62f45e79ec01c7c3e
mode = 0644
[template-replicated]
...
...
stack/resilient/instance-pull-backup.cfg.in
View file @
5551b0cf
...
...
@@ -7,8 +7,7 @@ parts =
cron
cron-entry-logrotate
sshkeys-authority
sshkeys-dropbear
sshkeys-openssh
## Monitor for pbs
monitor-base
...
...
@@ -59,7 +58,6 @@ notifier-feeds = $${basedirectory:notifier}/feeds
notifier-callbacks = $${basedirectory:notifier}/callbacks
#----------------
#--
#-- Set up the equeue and notifier.
...
...
@@ -111,7 +109,7 @@ callbacks = $${directory:notifier-callbacks}
equeue-socket = $${equeue:socket}
notifier-binary = ${buildout:bin-directory}/pubsubnotifier
rdiffbackup-binary = ${buildout:bin-directory}/rdiff-backup
sshclient-binary = $${
dropbear-client:wrapper
}
sshclient-binary = $${
openssh-client:wrapper-path
}
known-hosts = $${directory:dot-ssh}/known_hosts
promises-directory = $${basedirectory:promises}
directory = $${directory:pbs-backup}
...
...
@@ -190,29 +188,30 @@ recipe = slapos.cookbook:sshkeys_authority
request-directory = $${sshkeys-directory:requests}
keys-directory = $${sshkeys-directory:keys}
wrapper = $${basedirectory:services}/sshkeys_authority
keygen-binary = ${
dropbear:location}/bin/dropbearkey
keygen-binary = ${
openssh:location}/bin/ssh-keygen
[sshkeys-
dropbear
]
[sshkeys-
openssh
]
<= sshkeys-authority
recipe = slapos.cookbook:sshkeys_authority.request
name = pbs
type = rsa
executable = $${
dropbear-client:wrapper
}
public-key = $${
dropbear
-client:identity-file}.pub
private-key = $${
dropbear
-client:identity-file}
executable = $${
openssh-client:wrapper-path
}
public-key = $${
openssh
-client:identity-file}.pub
private-key = $${
openssh
-client:identity-file}
wrapper = $${rootdirectory:bin}/do_backup
#----------------
#--
#--
Dropbear
.
#--
OpenSSH
.
[dropbear-client]
recipe = slapos.cookbook:dropbear.client
dbclient-binary = ${dropbear:location}/bin/dbclient
wrapper = $${rootdirectory:bin}/ssh
[openssh-client]
recipe = slapos.cookbook:wrapper
home = $${basedirectory:ssh-home}
identity-file = $${basedirectory:ssh-home}/id_rsa
identity-file = $${:home}/id_rsa
command-line = ${openssh:location}/bin/ssh -T -o "UserKnownHostsFile $${pbs:known-hosts}" -i $${:identity-file}
wrapper-path = $${rootdirectory:bin}/ssh
parameters-extra = true
#----------------
...
...
@@ -240,7 +239,7 @@ monitor-username = $${htpasswd:username}
[publish-connection-information]
recipe = slapos.cookbook:publish
ssh-key = $${sshkeys-
dropbear
:public-key-value}
ssh-key = $${sshkeys-
openssh
:public-key-value}
notification-url = http://[$${notifier:host}]:$${notifier:port}/notify
feeds-url = http://[$${notifier:host}]:$${notifier:port}/get/
monitor-base-url = $${publish:monitor-base-url}
...
...
stack/resilient/pbsready-export.cfg.in
View file @
5551b0cf
...
...
@@ -11,10 +11,12 @@ parts =
cron
cron-entry-logrotate
sshkeys-authority
dropbear-server
sshkeys-dropbear
resilient-sshkeys-dropbear-promise
dropbear-server-pbs-authorized-key
sshd-raw-server
sshd-graceful
sshkeys-sshd
sshd-promise
resilient-sshkeys-sshd-promise
sshd-pbs-authorized-key
notifier
cron-entry-backup
...
...
@@ -28,8 +30,11 @@ pid = $${:var}/pid
# Define port of ssh server. It has to be different from import so that it
# supports export/import using same IP (slaprunner, slapos-in-partition,
# ipv4...)
[dropbear-server]
port = 22221
[sshd-port]
recipe = slapos.cookbook:free_port
minimum = 22200
maximum = 22209
ip = $${slap-network-information:global-ipv6}
[resilient-publish-connection-parameter]
notification-id = http://[$${notifier:host}]:$${notifier:port}/get/$${notifier-exporter:name}
...
...
stack/resilient/pbsready-import.cfg.in
View file @
5551b0cf
...
...
@@ -11,10 +11,12 @@ parts =
cron
cron-entry-logrotate
sshkeys-authority
dropbear-server
sshkeys-dropbear
resilient-sshkeys-dropbear-promise
dropbear-server-pbs-authorized-key
sshd-raw-server
sshd-graceful
sshkeys-sshd
sshd-promise
resilient-sshkeys-sshd-promise
sshd-pbs-authorized-key
notifier
resiliency-takeover-script
...
...
@@ -33,8 +35,11 @@ takeover-password = $${resilient-web-takeover-password:passwd}
# Define port of ssh server. It has to be different from import so that it
# supports export/import using same IP (slaprunner, slapos-in-partition,
# ipv4...)
[dropbear-server]
port = 22220
[sshd-port]
recipe = slapos.cookbook:free_port
minimum = 22210
maximum = 22219
ip = $${slap-network-information:global-ipv6}
# Define port of notifier (same reason)
[notifier]
...
...
stack/resilient/pbsready.cfg.in
View file @
5551b0cf
...
...
@@ -8,9 +8,11 @@ parts =
cron-entry-logrotate
sshkeys-authority
dropbear-server
sshkeys-dropbear
resilient-sshkeys-dropbear-promise
dropbear-server-pbs-authorized-key
sshd-graceful
sshkeys-sshd
sshd-promise
resilient-sshkeys-sshd-promise
sshd-pbs-authorized-key
notifier
...
...
@@ -30,7 +32,7 @@ recipe = slapos.cookbook:mkdirectory
log = $${rootdirectory:var}/log
services = $${rootdirectory:etc}/service
run = $${rootdirectory:var}/run
script
= $${rootdirectory:etc}/script
script
s = $${rootdirectory:etc}/run
backup = $${rootdirectory:srv}/backup
promises = $${rootdirectory:etc}/promise
services = $${rootdirectory:etc}/service
...
...
@@ -120,14 +122,14 @@ create = true
<= logrotate
recipe = slapos.cookbook:logrotate.d
name = equeue
log = $${equeue:log} $${
dropbear-sshd
:log}
log = $${equeue:log} $${
sshd-server
:log}
frequency = daily
rotate-num = 30
#----------------
#--
#-- Sets up an rdiff-backup server (with a
dropbear
server for ssh)
#-- Sets up an rdiff-backup server (with a
openssh
server for ssh)
[rdiff-backup-server]
recipe = slapos.cookbook:pbs
...
...
@@ -170,33 +172,57 @@ context =
#----------------
#--
#-- Dropbear.
[dropbear-server]
recipe = slapos.cookbook:dropbear
#-- OpenSSH.
[resilient-sshd-config]
# XXX: Add timeout support
recipe = slapos.recipe.template:jinja2
rendered = $${directory:etc}/resilient-sshd.conf
path_pid = $${directory:run}/resilient-sshd.pid
template = inline:
PidFile $${:path_pid}
Port $${sshd-port:port}
ListenAddress $${slap-network-information:global-ipv6}
Protocol 2
UsePrivilegeSeparation no
HostKey $${directory:ssh}/server_key.rsa
AuthorizedKeysFile $${directory:ssh}/.ssh/authorized_keys
PasswordAuthentication no
PubkeyAuthentication yes
ForceCommand $${rdiff-backup-server:wrapper}
[sshd-raw-server]
recipe = slapos.cookbook:wrapper
host = $${slap-network-information:global-ipv6}
# Explicitely excludes to define "port" argument. It will be defined in
# pbs-ready-import.cfg.in and pbs-ready-export.cfg.in
home = $${directory:ssh}
wrapper = $${rootdirectory:bin}/raw_sshd
shell = $${rdiff-backup-server:wrapper}
rsa-keyfile = $${directory:ssh}/server_key.rsa
dropbear-binary = ${dropbear:location}/sbin/dropbear
home = $${directory:ssh}
command-line = ${openssh:location}/sbin/sshd -D -e -f $${resilient-sshd-config:rendered}
wrapper-path = $${rootdirectory:bin}/raw_sshd
[
dropbear-server
-pbs-authorized-key]
<=
dropbear
-server
[
sshd
-pbs-authorized-key]
<=
sshd-raw
-server
recipe = slapos.cookbook:dropbear.add_authorized_key
key = $${slap-parameter:authorized-key}
[
dropbear-sshd
]
[
sshd-server
]
recipe = collective.recipe.template
log = $${basedirectory:log}/sshd.log
input = inline:#!/bin/sh
exec $${
dropbear-server:wrapper
} >> $${:log} 2>&1
exec $${
sshd-raw-server:wrapper-path
} >> $${:log} 2>&1
output = $${rootdirectory:bin}/raw_sshd_log
mode = 700
[sshd-graceful]
recipe = slapos.cookbook:wrapper
command-line = $${directory:bin}/killpidfromfile $${runner-sshd-config:path_pid} SIGHUP
wrapper-path = $${basedirectory:scripts}/sshd-graceful
[sshd-promise]
recipe = slapos.cookbook:check_port_listening
path = $${basedirectory:promises}/sshd
hostname = $${slap-network-information:global-ipv6}
port = $${sshd-port:port}
#----------------
#--
#-- sshkeys
...
...
@@ -211,29 +237,31 @@ recipe = slapos.cookbook:sshkeys_authority
request-directory = $${sshkeys-directory:requests}
keys-directory = $${sshkeys-directory:keys}
wrapper = $${basedirectory:services}/sshkeys_authority
keygen-binary = ${
dropbear:location}/bin/dropbearkey
keygen-binary = ${
openssh:location}/bin/ssh-keygen
[sshkeys-
dropbear
]
[sshkeys-
sshd
]
<= sshkeys-authority
recipe = slapos.cookbook:sshkeys_authority.request
name = dropbear
type = rsa
executable = $${
dropbear-sshd
:output}
public-key = $${
dropbear
-server:rsa-keyfile}.pub
private-key = $${
dropbear
-server:rsa-keyfile}
executable = $${
sshd-server
:output}
public-key = $${
sshd-raw
-server:rsa-keyfile}.pub
private-key = $${
sshd-raw
-server:rsa-keyfile}
wrapper = $${basedirectory:services}/sshd
[resilient-sshkeys-
dropbear
-promise]
[resilient-sshkeys-
sshd
-promise]
# Check that public key file exists and is not empty
recipe = collective.recipe.template
input = inline:#!${bash:location}/bin/bash
PUBLIC_KEY_CONTENT="$${sshkeys-
dropbear
:public-key-value}"
PUBLIC_KEY_CONTENT="$${sshkeys-
sshd
:public-key-value}"
if [[ ! -n "$PUBLIC_KEY_CONTENT" || "$PUBLIC_KEY_CONTENT" == *None* ]]; then
exit 1
fi
output = $${basedirectory:promises}/public-key-existence
mode = 700
[environment]
recipe = collective.recipe.environment
#----------------
#--
...
...
@@ -241,6 +269,6 @@ mode = 700
# XXX-Cedric: when "aggregation" system is done in libslap, directly publish.
[resilient-publish-connection-parameter]
recipe = slapos.cookbook:publish
ssh-public-key = $${sshkeys-
dropbear
:public-key-value}
ssh-url = ssh://
nobody@[$${dropbear-server:host}]:$${dropbear-server
:port}/$${rdiff-backup-server:path}
ssh-public-key = $${sshkeys-
sshd
:public-key-value}
ssh-url = ssh://
$${environment:USER}@[$${sshd-raw-server:host}]:$${sshd-port
:port}/$${rdiff-backup-server:path}
ip = $${slap-network-information:global-ipv6}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment