Commit 5551b0cf authored by Nicolas Wavrant's avatar Nicolas Wavrant

resilient: replaces dropbear ssh server by sshd from openssh

parent fc7c0aea
...@@ -3,6 +3,7 @@ extends = ...@@ -3,6 +3,7 @@ extends =
../../component/apache/buildout.cfg ../../component/apache/buildout.cfg
../../component/bash/buildout.cfg ../../component/bash/buildout.cfg
../../component/dropbear/buildout.cfg ../../component/dropbear/buildout.cfg
../../component/openssh/buildout.cfg
../../component/gzip/buildout.cfg ../../component/gzip/buildout.cfg
../../component/rdiff-backup/buildout.cfg ../../component/rdiff-backup/buildout.cfg
../../component/rsync/buildout.cfg ../../component/rsync/buildout.cfg
...@@ -26,6 +27,7 @@ parts = ...@@ -26,6 +27,7 @@ parts =
recipe = zc.recipe.egg recipe = zc.recipe.egg
eggs = eggs =
collective.recipe.template collective.recipe.template
collective.recipe.environment
#---------------- #----------------
#-- #--
...@@ -39,7 +41,7 @@ eggs = ...@@ -39,7 +41,7 @@ eggs =
recipe = slapos.recipe.template recipe = slapos.recipe.template
url = ${:_profile_base_location_}/pbsready.cfg.in url = ${:_profile_base_location_}/pbsready.cfg.in
output = ${buildout:directory}/pbsready.cfg output = ${buildout:directory}/pbsready.cfg
md5sum = d2b06a13354127e9cbbf1c5d21791cb4 md5sum = 9eba09cd5f6e25f08eafbf1cb77582d5
mode = 0644 mode = 0644
[pbsready-import] [pbsready-import]
...@@ -48,7 +50,7 @@ mode = 0644 ...@@ -48,7 +50,7 @@ mode = 0644
recipe = slapos.recipe.template recipe = slapos.recipe.template
url = ${:_profile_base_location_}/pbsready-import.cfg.in url = ${:_profile_base_location_}/pbsready-import.cfg.in
output = ${buildout:directory}/pbsready-import.cfg output = ${buildout:directory}/pbsready-import.cfg
md5sum = dd13497575d13b92c3abb0a633777e2c md5sum = b4a48d7fc502ca08d14b52097ccc4c6e
mode = 0644 mode = 0644
[pbsready-export] [pbsready-export]
...@@ -57,14 +59,14 @@ mode = 0644 ...@@ -57,14 +59,14 @@ mode = 0644
recipe = slapos.recipe.template recipe = slapos.recipe.template
url = ${:_profile_base_location_}/pbsready-export.cfg.in url = ${:_profile_base_location_}/pbsready-export.cfg.in
output = ${buildout:directory}/pbsready-export.cfg output = ${buildout:directory}/pbsready-export.cfg
md5sum = bfd71e454140cf13179d408e10f95bf8 md5sum = c819c0711d58e952f16b93d96654139c
mode = 0644 mode = 0644
[template-pull-backup] [template-pull-backup]
recipe = slapos.recipe.template recipe = slapos.recipe.template
url = ${:_profile_base_location_}/instance-pull-backup.cfg.in url = ${:_profile_base_location_}/instance-pull-backup.cfg.in
output = ${buildout:directory}/instance-pull-backup.cfg output = ${buildout:directory}/instance-pull-backup.cfg
md5sum = cb7acac7ab41bf44c20d6d03bfad8217 md5sum = 232fcad0892e56d62f45e79ec01c7c3e
mode = 0644 mode = 0644
[template-replicated] [template-replicated]
......
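Review bot: `../../component/dropbear/buildout.cfg` is still in the extends list right above the newly added openssh profile, although the hunks of this commit move both the ssh client and the sshd wrappers to `${openssh:location}`. If the `slapos.cookbook:dropbear.add_authorized_key` recipe kept in pbsready.cfg.in is the only remaining dropbear-related use, that recipe appears to come from the cookbook egg rather than from the component build, so the extends entry may now pull in an unused build; either drop it or add `# dropbear component kept for <remaining consumer>` above it so the next reader knows why it survives. The md5sum bumps are expected from the template edits and need nothing further.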
...@@ -7,8 +7,7 @@ parts = ...@@ -7,8 +7,7 @@ parts =
cron cron
cron-entry-logrotate cron-entry-logrotate
sshkeys-authority sshkeys-authority
sshkeys-dropbear sshkeys-openssh
## Monitor for pbs ## Monitor for pbs
monitor-base monitor-base
...@@ -59,7 +58,6 @@ notifier-feeds = $${basedirectory:notifier}/feeds ...@@ -59,7 +58,6 @@ notifier-feeds = $${basedirectory:notifier}/feeds
notifier-callbacks = $${basedirectory:notifier}/callbacks notifier-callbacks = $${basedirectory:notifier}/callbacks
#---------------- #----------------
#-- #--
#-- Set up the equeue and notifier. #-- Set up the equeue and notifier.
...@@ -111,7 +109,7 @@ callbacks = $${directory:notifier-callbacks} ...@@ -111,7 +109,7 @@ callbacks = $${directory:notifier-callbacks}
equeue-socket = $${equeue:socket} equeue-socket = $${equeue:socket}
notifier-binary = ${buildout:bin-directory}/pubsubnotifier notifier-binary = ${buildout:bin-directory}/pubsubnotifier
rdiffbackup-binary = ${buildout:bin-directory}/rdiff-backup rdiffbackup-binary = ${buildout:bin-directory}/rdiff-backup
sshclient-binary = $${dropbear-client:wrapper} sshclient-binary = $${openssh-client:wrapper-path}
known-hosts = $${directory:dot-ssh}/known_hosts known-hosts = $${directory:dot-ssh}/known_hosts
promises-directory = $${basedirectory:promises} promises-directory = $${basedirectory:promises}
directory = $${directory:pbs-backup} directory = $${directory:pbs-backup}
...@@ -190,29 +188,30 @@ recipe = slapos.cookbook:sshkeys_authority ...@@ -190,29 +188,30 @@ recipe = slapos.cookbook:sshkeys_authority
request-directory = $${sshkeys-directory:requests} request-directory = $${sshkeys-directory:requests}
keys-directory = $${sshkeys-directory:keys} keys-directory = $${sshkeys-directory:keys}
wrapper = $${basedirectory:services}/sshkeys_authority wrapper = $${basedirectory:services}/sshkeys_authority
keygen-binary = ${dropbear:location}/bin/dropbearkey keygen-binary = ${openssh:location}/bin/ssh-keygen
[sshkeys-dropbear] [sshkeys-openssh]
<= sshkeys-authority <= sshkeys-authority
recipe = slapos.cookbook:sshkeys_authority.request recipe = slapos.cookbook:sshkeys_authority.request
name = pbs name = pbs
type = rsa type = rsa
executable = $${dropbear-client:wrapper} executable = $${openssh-client:wrapper-path}
public-key = $${dropbear-client:identity-file}.pub public-key = $${openssh-client:identity-file}.pub
private-key = $${dropbear-client:identity-file} private-key = $${openssh-client:identity-file}
wrapper = $${rootdirectory:bin}/do_backup wrapper = $${rootdirectory:bin}/do_backup
#---------------- #----------------
#-- #--
#-- Dropbear. #-- OpenSSH.
[dropbear-client] [openssh-client]
recipe = slapos.cookbook:dropbear.client recipe = slapos.cookbook:wrapper
dbclient-binary = ${dropbear:location}/bin/dbclient
wrapper = $${rootdirectory:bin}/ssh
home = $${basedirectory:ssh-home} home = $${basedirectory:ssh-home}
identity-file = $${basedirectory:ssh-home}/id_rsa identity-file = $${:home}/id_rsa
command-line = ${openssh:location}/bin/ssh -T -o "UserKnownHostsFile $${pbs:known-hosts}" -i $${:identity-file}
wrapper-path = $${rootdirectory:bin}/ssh
parameters-extra = true
#---------------- #----------------
...@@ -240,7 +239,7 @@ monitor-username = $${htpasswd:username} ...@@ -240,7 +239,7 @@ monitor-username = $${htpasswd:username}
[publish-connection-information] [publish-connection-information]
recipe = slapos.cookbook:publish recipe = slapos.cookbook:publish
ssh-key = $${sshkeys-dropbear:public-key-value} ssh-key = $${sshkeys-openssh:public-key-value}
notification-url = http://[$${notifier:host}]:$${notifier:port}/notify notification-url = http://[$${notifier:host}]:$${notifier:port}/notify
feeds-url = http://[$${notifier:host}]:$${notifier:port}/get/ feeds-url = http://[$${notifier:host}]:$${notifier:port}/get/
monitor-base-url = $${publish:monitor-base-url} monitor-base-url = $${publish:monitor-base-url}
......
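Review bot: The `command-line` of `[openssh-client]` pins `UserKnownHostsFile` to `$${pbs:known-hosts}` but leaves `StrictHostKeyChecking` at the client default, so under `-T` with no tty a server key absent from that file cannot be confirmed interactively and the outcome depends on how the pbs recipe populates known_hosts. If the recipe writes the server key before first use, making the fail-closed behaviour explicit, e.g. `command-line = ${openssh:location}/bin/ssh -T -o "UserKnownHostsFile $${pbs:known-hosts}" -o StrictHostKeyChecking=yes -i $${:identity-file}`, removes the dependency on ssh defaults and documents that the backup client trusts only keys recorded by the recipe. The quoted `-o` argument also assumes the wrapper recipe splits `command-line` shell-style; a one-line comment above it stating that contract would help.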
...@@ -11,10 +11,12 @@ parts = ...@@ -11,10 +11,12 @@ parts =
cron cron
cron-entry-logrotate cron-entry-logrotate
sshkeys-authority sshkeys-authority
dropbear-server sshd-raw-server
sshkeys-dropbear sshd-graceful
resilient-sshkeys-dropbear-promise sshkeys-sshd
dropbear-server-pbs-authorized-key sshd-promise
resilient-sshkeys-sshd-promise
sshd-pbs-authorized-key
notifier notifier
cron-entry-backup cron-entry-backup
...@@ -28,8 +30,11 @@ pid = $${:var}/pid ...@@ -28,8 +30,11 @@ pid = $${:var}/pid
# Define port of ssh server. It has to be different from import so that it # Define port of ssh server. It has to be different from import so that it
# supports export/import using same IP (slaprunner, slapos-in-partition, # supports export/import using same IP (slaprunner, slapos-in-partition,
# ipv4...) # ipv4...)
[dropbear-server] [sshd-port]
port = 22221 recipe = slapos.cookbook:free_port
minimum = 22200
maximum = 22209
ip = $${slap-network-information:global-ipv6}
[resilient-publish-connection-parameter] [resilient-publish-connection-parameter]
notification-id = http://[$${notifier:host}]:$${notifier:port}/get/$${notifier-exporter:name} notification-id = http://[$${notifier:host}]:$${notifier:port}/get/$${notifier-exporter:name}
......
...@@ -11,10 +11,12 @@ parts = ...@@ -11,10 +11,12 @@ parts =
cron cron
cron-entry-logrotate cron-entry-logrotate
sshkeys-authority sshkeys-authority
dropbear-server sshd-raw-server
sshkeys-dropbear sshd-graceful
resilient-sshkeys-dropbear-promise sshkeys-sshd
dropbear-server-pbs-authorized-key sshd-promise
resilient-sshkeys-sshd-promise
sshd-pbs-authorized-key
notifier notifier
resiliency-takeover-script resiliency-takeover-script
...@@ -33,8 +35,11 @@ takeover-password = $${resilient-web-takeover-password:passwd} ...@@ -33,8 +35,11 @@ takeover-password = $${resilient-web-takeover-password:passwd}
# Define port of ssh server. It has to be different from import so that it # Define port of ssh server. It has to be different from import so that it
# supports export/import using same IP (slaprunner, slapos-in-partition, # supports export/import using same IP (slaprunner, slapos-in-partition,
# ipv4...) # ipv4...)
[dropbear-server] [sshd-port]
port = 22220 recipe = slapos.cookbook:free_port
minimum = 22210
maximum = 22219
ip = $${slap-network-information:global-ipv6}
# Define port of notifier (same reason) # Define port of notifier (same reason)
[notifier] [notifier]
......
...@@ -8,9 +8,11 @@ parts = ...@@ -8,9 +8,11 @@ parts =
cron-entry-logrotate cron-entry-logrotate
sshkeys-authority sshkeys-authority
dropbear-server dropbear-server
sshkeys-dropbear sshd-graceful
resilient-sshkeys-dropbear-promise sshkeys-sshd
dropbear-server-pbs-authorized-key sshd-promise
resilient-sshkeys-sshd-promise
sshd-pbs-authorized-key
notifier notifier
...@@ -30,7 +32,7 @@ recipe = slapos.cookbook:mkdirectory ...@@ -30,7 +32,7 @@ recipe = slapos.cookbook:mkdirectory
log = $${rootdirectory:var}/log log = $${rootdirectory:var}/log
services = $${rootdirectory:etc}/service services = $${rootdirectory:etc}/service
run = $${rootdirectory:var}/run run = $${rootdirectory:var}/run
script = $${rootdirectory:etc}/script scripts = $${rootdirectory:etc}/run
backup = $${rootdirectory:srv}/backup backup = $${rootdirectory:srv}/backup
promises = $${rootdirectory:etc}/promise promises = $${rootdirectory:etc}/promise
services = $${rootdirectory:etc}/service services = $${rootdirectory:etc}/service
...@@ -120,14 +122,14 @@ create = true ...@@ -120,14 +122,14 @@ create = true
<= logrotate <= logrotate
recipe = slapos.cookbook:logrotate.d recipe = slapos.cookbook:logrotate.d
name = equeue name = equeue
log = $${equeue:log} $${dropbear-sshd:log} log = $${equeue:log} $${sshd-server:log}
frequency = daily frequency = daily
rotate-num = 30 rotate-num = 30
#---------------- #----------------
#-- #--
#-- Sets up an rdiff-backup server (with a dropbear server for ssh) #-- Sets up an rdiff-backup server (with a openssh server for ssh)
[rdiff-backup-server] [rdiff-backup-server]
recipe = slapos.cookbook:pbs recipe = slapos.cookbook:pbs
...@@ -170,33 +172,57 @@ context = ...@@ -170,33 +172,57 @@ context =
#---------------- #----------------
#-- #--
#-- Dropbear. #-- OpenSSH.
[resilient-sshd-config]
[dropbear-server] # XXX: Add timeout support
recipe = slapos.cookbook:dropbear recipe = slapos.recipe.template:jinja2
rendered = $${directory:etc}/resilient-sshd.conf
path_pid = $${directory:run}/resilient-sshd.pid
template = inline:
PidFile $${:path_pid}
Port $${sshd-port:port}
ListenAddress $${slap-network-information:global-ipv6}
Protocol 2
UsePrivilegeSeparation no
HostKey $${directory:ssh}/server_key.rsa
AuthorizedKeysFile $${directory:ssh}/.ssh/authorized_keys
PasswordAuthentication no
PubkeyAuthentication yes
ForceCommand $${rdiff-backup-server:wrapper}
[sshd-raw-server]
recipe = slapos.cookbook:wrapper
host = $${slap-network-information:global-ipv6} host = $${slap-network-information:global-ipv6}
# Explicitely excludes to define "port" argument. It will be defined in
# pbs-ready-import.cfg.in and pbs-ready-export.cfg.in
home = $${directory:ssh}
wrapper = $${rootdirectory:bin}/raw_sshd
shell = $${rdiff-backup-server:wrapper}
rsa-keyfile = $${directory:ssh}/server_key.rsa rsa-keyfile = $${directory:ssh}/server_key.rsa
dropbear-binary = ${dropbear:location}/sbin/dropbear home = $${directory:ssh}
command-line = ${openssh:location}/sbin/sshd -D -e -f $${resilient-sshd-config:rendered}
wrapper-path = $${rootdirectory:bin}/raw_sshd
[dropbear-server-pbs-authorized-key] [sshd-pbs-authorized-key]
<= dropbear-server <= sshd-raw-server
recipe = slapos.cookbook:dropbear.add_authorized_key recipe = slapos.cookbook:dropbear.add_authorized_key
key = $${slap-parameter:authorized-key} key = $${slap-parameter:authorized-key}
[dropbear-sshd] [sshd-server]
recipe = collective.recipe.template recipe = collective.recipe.template
log = $${basedirectory:log}/sshd.log log = $${basedirectory:log}/sshd.log
input = inline:#!/bin/sh input = inline:#!/bin/sh
exec $${dropbear-server:wrapper} >> $${:log} 2>&1 exec $${sshd-raw-server:wrapper-path} >> $${:log} 2>&1
output = $${rootdirectory:bin}/raw_sshd_log output = $${rootdirectory:bin}/raw_sshd_log
mode = 700 mode = 700
[sshd-graceful]
recipe = slapos.cookbook:wrapper
command-line = $${directory:bin}/killpidfromfile $${runner-sshd-config:path_pid} SIGHUP
wrapper-path = $${basedirectory:scripts}/sshd-graceful
[sshd-promise]
recipe = slapos.cookbook:check_port_listening
path = $${basedirectory:promises}/sshd
hostname = $${slap-network-information:global-ipv6}
port = $${sshd-port:port}
#---------------- #----------------
#-- #--
#-- sshkeys #-- sshkeys
...@@ -211,29 +237,31 @@ recipe = slapos.cookbook:sshkeys_authority ...@@ -211,29 +237,31 @@ recipe = slapos.cookbook:sshkeys_authority
request-directory = $${sshkeys-directory:requests} request-directory = $${sshkeys-directory:requests}
keys-directory = $${sshkeys-directory:keys} keys-directory = $${sshkeys-directory:keys}
wrapper = $${basedirectory:services}/sshkeys_authority wrapper = $${basedirectory:services}/sshkeys_authority
keygen-binary = ${dropbear:location}/bin/dropbearkey keygen-binary = ${openssh:location}/bin/ssh-keygen
[sshkeys-dropbear] [sshkeys-sshd]
<= sshkeys-authority <= sshkeys-authority
recipe = slapos.cookbook:sshkeys_authority.request recipe = slapos.cookbook:sshkeys_authority.request
name = dropbear name = dropbear
type = rsa type = rsa
executable = $${dropbear-sshd:output} executable = $${sshd-server:output}
public-key = $${dropbear-server:rsa-keyfile}.pub public-key = $${sshd-raw-server:rsa-keyfile}.pub
private-key = $${dropbear-server:rsa-keyfile} private-key = $${sshd-raw-server:rsa-keyfile}
wrapper = $${basedirectory:services}/sshd wrapper = $${basedirectory:services}/sshd
[resilient-sshkeys-dropbear-promise] [resilient-sshkeys-sshd-promise]
# Check that public key file exists and is not empty # Check that public key file exists and is not empty
recipe = collective.recipe.template recipe = collective.recipe.template
input = inline:#!${bash:location}/bin/bash input = inline:#!${bash:location}/bin/bash
PUBLIC_KEY_CONTENT="$${sshkeys-dropbear:public-key-value}" PUBLIC_KEY_CONTENT="$${sshkeys-sshd:public-key-value}"
if [[ ! -n "$PUBLIC_KEY_CONTENT" || "$PUBLIC_KEY_CONTENT" == *None* ]]; then if [[ ! -n "$PUBLIC_KEY_CONTENT" || "$PUBLIC_KEY_CONTENT" == *None* ]]; then
exit 1 exit 1
fi fi
output = $${basedirectory:promises}/public-key-existence output = $${basedirectory:promises}/public-key-existence
mode = 700 mode = 700
[environment]
recipe = collective.recipe.environment
#---------------- #----------------
#-- #--
...@@ -241,6 +269,6 @@ mode = 700 ...@@ -241,6 +269,6 @@ mode = 700
# XXX-Cedric: when "aggregation" system is done in libslap, directly publish. # XXX-Cedric: when "aggregation" system is done in libslap, directly publish.
[resilient-publish-connection-parameter] [resilient-publish-connection-parameter]
recipe = slapos.cookbook:publish recipe = slapos.cookbook:publish
ssh-public-key = $${sshkeys-dropbear:public-key-value} ssh-public-key = $${sshkeys-sshd:public-key-value}
ssh-url = ssh://nobody@[$${dropbear-server:host}]:$${dropbear-server:port}/$${rdiff-backup-server:path} ssh-url = ssh://$${environment:USER}@[$${sshd-raw-server:host}]:$${sshd-port:port}/$${rdiff-backup-server:path}
ip = $${slap-network-information:global-ipv6} ip = $${slap-network-information:global-ipv6}
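Review bot: `[sshd-graceful]` builds its command line from `$${runner-sshd-config:path_pid}`, but the section defining `path_pid` in this file is `[resilient-sshd-config]`; unless a `runner-sshd-config` section is supplied by an extending profile, buildout cannot resolve the reference, and the line should read `command-line = $${directory:bin}/killpidfromfile $${resilient-sshd-config:path_pid} SIGHUP`. The `parts` list at the top of this file likewise still names `dropbear-server` while that section is now `[sshd-raw-server]`; the import/export profiles override `parts`, so this may be dead, but it reads as a stale reference. The inline sshd_config would also benefit from a comment above `UsePrivilegeSeparation no` stating that sshd runs here as the unprivileged partition user, where privilege separation cannot be set up, so the setting is not read as a deliberate weakening next to the otherwise strict `PasswordAuthentication no` and `ForceCommand` lines.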