Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Stephane VAROQUI
slapos
Commits
5551b0cf
Commit
5551b0cf
authored
Aug 24, 2016
by
Nicolas Wavrant
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
resilient: replaces dropbear ssh server by sshd from openssh
parent
fc7c0aea
Changes
5
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
100 additions
and
61 deletions
+100
-61
stack/resilient/buildout.cfg
stack/resilient/buildout.cfg
+6
-4
stack/resilient/instance-pull-backup.cfg.in
stack/resilient/instance-pull-backup.cfg.in
+15
-16
stack/resilient/pbsready-export.cfg.in
stack/resilient/pbsready-export.cfg.in
+11
-6
stack/resilient/pbsready-import.cfg.in
stack/resilient/pbsready-import.cfg.in
+11
-6
stack/resilient/pbsready.cfg.in
stack/resilient/pbsready.cfg.in
+57
-29
No files found.
stack/resilient/buildout.cfg
View file @
5551b0cf
...
@@ -3,6 +3,7 @@ extends =
...
@@ -3,6 +3,7 @@ extends =
../../component/apache/buildout.cfg
../../component/apache/buildout.cfg
../../component/bash/buildout.cfg
../../component/bash/buildout.cfg
../../component/dropbear/buildout.cfg
../../component/dropbear/buildout.cfg
../../component/openssh/buildout.cfg
../../component/gzip/buildout.cfg
../../component/gzip/buildout.cfg
../../component/rdiff-backup/buildout.cfg
../../component/rdiff-backup/buildout.cfg
../../component/rsync/buildout.cfg
../../component/rsync/buildout.cfg
...
@@ -26,6 +27,7 @@ parts =
...
@@ -26,6 +27,7 @@ parts =
recipe = zc.recipe.egg
recipe = zc.recipe.egg
eggs =
eggs =
collective.recipe.template
collective.recipe.template
collective.recipe.environment
#----------------
#----------------
#--
#--
...
@@ -39,7 +41,7 @@ eggs =
...
@@ -39,7 +41,7 @@ eggs =
recipe = slapos.recipe.template
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/pbsready.cfg.in
url = ${:_profile_base_location_}/pbsready.cfg.in
output = ${buildout:directory}/pbsready.cfg
output = ${buildout:directory}/pbsready.cfg
md5sum =
d2b06a13354127e9cbbf1c5d21791cb4
md5sum =
9eba09cd5f6e25f08eafbf1cb77582d5
mode = 0644
mode = 0644
[pbsready-import]
[pbsready-import]
...
@@ -48,7 +50,7 @@ mode = 0644
...
@@ -48,7 +50,7 @@ mode = 0644
recipe = slapos.recipe.template
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/pbsready-import.cfg.in
url = ${:_profile_base_location_}/pbsready-import.cfg.in
output = ${buildout:directory}/pbsready-import.cfg
output = ${buildout:directory}/pbsready-import.cfg
md5sum =
dd13497575d13b92c3abb0a633777e2c
md5sum =
b4a48d7fc502ca08d14b52097ccc4c6e
mode = 0644
mode = 0644
[pbsready-export]
[pbsready-export]
...
@@ -57,14 +59,14 @@ mode = 0644
...
@@ -57,14 +59,14 @@ mode = 0644
recipe = slapos.recipe.template
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/pbsready-export.cfg.in
url = ${:_profile_base_location_}/pbsready-export.cfg.in
output = ${buildout:directory}/pbsready-export.cfg
output = ${buildout:directory}/pbsready-export.cfg
md5sum =
bfd71e454140cf13179d408e10f95bf8
md5sum =
c819c0711d58e952f16b93d96654139c
mode = 0644
mode = 0644
[template-pull-backup]
[template-pull-backup]
recipe = slapos.recipe.template
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/instance-pull-backup.cfg.in
url = ${:_profile_base_location_}/instance-pull-backup.cfg.in
output = ${buildout:directory}/instance-pull-backup.cfg
output = ${buildout:directory}/instance-pull-backup.cfg
md5sum =
cb7acac7ab41bf44c20d6d03bfad8217
md5sum =
232fcad0892e56d62f45e79ec01c7c3e
mode = 0644
mode = 0644
[template-replicated]
[template-replicated]
...
...
stack/resilient/instance-pull-backup.cfg.in
View file @
5551b0cf
...
@@ -7,8 +7,7 @@ parts =
...
@@ -7,8 +7,7 @@ parts =
cron
cron
cron-entry-logrotate
cron-entry-logrotate
sshkeys-authority
sshkeys-authority
sshkeys-dropbear
sshkeys-openssh
## Monitor for pbs
## Monitor for pbs
monitor-base
monitor-base
...
@@ -59,7 +58,6 @@ notifier-feeds = $${basedirectory:notifier}/feeds
...
@@ -59,7 +58,6 @@ notifier-feeds = $${basedirectory:notifier}/feeds
notifier-callbacks = $${basedirectory:notifier}/callbacks
notifier-callbacks = $${basedirectory:notifier}/callbacks
#----------------
#----------------
#--
#--
#-- Set up the equeue and notifier.
#-- Set up the equeue and notifier.
...
@@ -111,7 +109,7 @@ callbacks = $${directory:notifier-callbacks}
...
@@ -111,7 +109,7 @@ callbacks = $${directory:notifier-callbacks}
equeue-socket = $${equeue:socket}
equeue-socket = $${equeue:socket}
notifier-binary = ${buildout:bin-directory}/pubsubnotifier
notifier-binary = ${buildout:bin-directory}/pubsubnotifier
rdiffbackup-binary = ${buildout:bin-directory}/rdiff-backup
rdiffbackup-binary = ${buildout:bin-directory}/rdiff-backup
sshclient-binary = $${
dropbear-client:wrapper
}
sshclient-binary = $${
openssh-client:wrapper-path
}
known-hosts = $${directory:dot-ssh}/known_hosts
known-hosts = $${directory:dot-ssh}/known_hosts
promises-directory = $${basedirectory:promises}
promises-directory = $${basedirectory:promises}
directory = $${directory:pbs-backup}
directory = $${directory:pbs-backup}
...
@@ -190,29 +188,30 @@ recipe = slapos.cookbook:sshkeys_authority
...
@@ -190,29 +188,30 @@ recipe = slapos.cookbook:sshkeys_authority
request-directory = $${sshkeys-directory:requests}
request-directory = $${sshkeys-directory:requests}
keys-directory = $${sshkeys-directory:keys}
keys-directory = $${sshkeys-directory:keys}
wrapper = $${basedirectory:services}/sshkeys_authority
wrapper = $${basedirectory:services}/sshkeys_authority
keygen-binary = ${
dropbear:location}/bin/dropbearkey
keygen-binary = ${
openssh:location}/bin/ssh-keygen
[sshkeys-
dropbear
]
[sshkeys-
openssh
]
<= sshkeys-authority
<= sshkeys-authority
recipe = slapos.cookbook:sshkeys_authority.request
recipe = slapos.cookbook:sshkeys_authority.request
name = pbs
name = pbs
type = rsa
type = rsa
executable = $${
dropbear-client:wrapper
}
executable = $${
openssh-client:wrapper-path
}
public-key = $${
dropbear
-client:identity-file}.pub
public-key = $${
openssh
-client:identity-file}.pub
private-key = $${
dropbear
-client:identity-file}
private-key = $${
openssh
-client:identity-file}
wrapper = $${rootdirectory:bin}/do_backup
wrapper = $${rootdirectory:bin}/do_backup
#----------------
#----------------
#--
#--
#--
Dropbear
.
#--
OpenSSH
.
[dropbear-client]
[openssh-client]
recipe = slapos.cookbook:dropbear.client
recipe = slapos.cookbook:wrapper
dbclient-binary = ${dropbear:location}/bin/dbclient
wrapper = $${rootdirectory:bin}/ssh
home = $${basedirectory:ssh-home}
home = $${basedirectory:ssh-home}
identity-file = $${basedirectory:ssh-home}/id_rsa
identity-file = $${:home}/id_rsa
command-line = ${openssh:location}/bin/ssh -T -o "UserKnownHostsFile $${pbs:known-hosts}" -i $${:identity-file}
wrapper-path = $${rootdirectory:bin}/ssh
parameters-extra = true
#----------------
#----------------
...
@@ -240,7 +239,7 @@ monitor-username = $${htpasswd:username}
...
@@ -240,7 +239,7 @@ monitor-username = $${htpasswd:username}
[publish-connection-information]
[publish-connection-information]
recipe = slapos.cookbook:publish
recipe = slapos.cookbook:publish
ssh-key = $${sshkeys-
dropbear
:public-key-value}
ssh-key = $${sshkeys-
openssh
:public-key-value}
notification-url = http://[$${notifier:host}]:$${notifier:port}/notify
notification-url = http://[$${notifier:host}]:$${notifier:port}/notify
feeds-url = http://[$${notifier:host}]:$${notifier:port}/get/
feeds-url = http://[$${notifier:host}]:$${notifier:port}/get/
monitor-base-url = $${publish:monitor-base-url}
monitor-base-url = $${publish:monitor-base-url}
...
...
stack/resilient/pbsready-export.cfg.in
View file @
5551b0cf
...
@@ -11,10 +11,12 @@ parts =
...
@@ -11,10 +11,12 @@ parts =
cron
cron
cron-entry-logrotate
cron-entry-logrotate
sshkeys-authority
sshkeys-authority
dropbear-server
sshd-raw-server
sshkeys-dropbear
sshd-graceful
resilient-sshkeys-dropbear-promise
sshkeys-sshd
dropbear-server-pbs-authorized-key
sshd-promise
resilient-sshkeys-sshd-promise
sshd-pbs-authorized-key
notifier
notifier
cron-entry-backup
cron-entry-backup
...
@@ -28,8 +30,11 @@ pid = $${:var}/pid
...
@@ -28,8 +30,11 @@ pid = $${:var}/pid
# Define port of ssh server. It has to be different from import so that it
# Define port of ssh server. It has to be different from import so that it
# supports export/import using same IP (slaprunner, slapos-in-partition,
# supports export/import using same IP (slaprunner, slapos-in-partition,
# ipv4...)
# ipv4...)
[dropbear-server]
[sshd-port]
port = 22221
recipe = slapos.cookbook:free_port
minimum = 22200
maximum = 22209
ip = $${slap-network-information:global-ipv6}
[resilient-publish-connection-parameter]
[resilient-publish-connection-parameter]
notification-id = http://[$${notifier:host}]:$${notifier:port}/get/$${notifier-exporter:name}
notification-id = http://[$${notifier:host}]:$${notifier:port}/get/$${notifier-exporter:name}
...
...
stack/resilient/pbsready-import.cfg.in
View file @
5551b0cf
...
@@ -11,10 +11,12 @@ parts =
...
@@ -11,10 +11,12 @@ parts =
cron
cron
cron-entry-logrotate
cron-entry-logrotate
sshkeys-authority
sshkeys-authority
dropbear-server
sshd-raw-server
sshkeys-dropbear
sshd-graceful
resilient-sshkeys-dropbear-promise
sshkeys-sshd
dropbear-server-pbs-authorized-key
sshd-promise
resilient-sshkeys-sshd-promise
sshd-pbs-authorized-key
notifier
notifier
resiliency-takeover-script
resiliency-takeover-script
...
@@ -33,8 +35,11 @@ takeover-password = $${resilient-web-takeover-password:passwd}
...
@@ -33,8 +35,11 @@ takeover-password = $${resilient-web-takeover-password:passwd}
# Define port of ssh server. It has to be different from import so that it
# Define port of ssh server. It has to be different from import so that it
# supports export/import using same IP (slaprunner, slapos-in-partition,
# supports export/import using same IP (slaprunner, slapos-in-partition,
# ipv4...)
# ipv4...)
[dropbear-server]
[sshd-port]
port = 22220
recipe = slapos.cookbook:free_port
minimum = 22210
maximum = 22219
ip = $${slap-network-information:global-ipv6}
# Define port of notifier (same reason)
# Define port of notifier (same reason)
[notifier]
[notifier]
...
...
stack/resilient/pbsready.cfg.in
View file @
5551b0cf
...
@@ -8,9 +8,11 @@ parts =
...
@@ -8,9 +8,11 @@ parts =
cron-entry-logrotate
cron-entry-logrotate
sshkeys-authority
sshkeys-authority
dropbear-server
dropbear-server
sshkeys-dropbear
sshd-graceful
resilient-sshkeys-dropbear-promise
sshkeys-sshd
dropbear-server-pbs-authorized-key
sshd-promise
resilient-sshkeys-sshd-promise
sshd-pbs-authorized-key
notifier
notifier
...
@@ -30,7 +32,7 @@ recipe = slapos.cookbook:mkdirectory
...
@@ -30,7 +32,7 @@ recipe = slapos.cookbook:mkdirectory
log = $${rootdirectory:var}/log
log = $${rootdirectory:var}/log
services = $${rootdirectory:etc}/service
services = $${rootdirectory:etc}/service
run = $${rootdirectory:var}/run
run = $${rootdirectory:var}/run
script
= $${rootdirectory:etc}/script
script
s = $${rootdirectory:etc}/run
backup = $${rootdirectory:srv}/backup
backup = $${rootdirectory:srv}/backup
promises = $${rootdirectory:etc}/promise
promises = $${rootdirectory:etc}/promise
services = $${rootdirectory:etc}/service
services = $${rootdirectory:etc}/service
...
@@ -120,14 +122,14 @@ create = true
...
@@ -120,14 +122,14 @@ create = true
<= logrotate
<= logrotate
recipe = slapos.cookbook:logrotate.d
recipe = slapos.cookbook:logrotate.d
name = equeue
name = equeue
log = $${equeue:log} $${
dropbear-sshd
:log}
log = $${equeue:log} $${
sshd-server
:log}
frequency = daily
frequency = daily
rotate-num = 30
rotate-num = 30
#----------------
#----------------
#--
#--
#-- Sets up an rdiff-backup server (with a
dropbear
server for ssh)
#-- Sets up an rdiff-backup server (with a
openssh
server for ssh)
[rdiff-backup-server]
[rdiff-backup-server]
recipe = slapos.cookbook:pbs
recipe = slapos.cookbook:pbs
...
@@ -170,33 +172,57 @@ context =
...
@@ -170,33 +172,57 @@ context =
#----------------
#----------------
#--
#--
#-- Dropbear.
#-- OpenSSH.
[resilient-sshd-config]
[dropbear-server]
# XXX: Add timeout support
recipe = slapos.cookbook:dropbear
recipe = slapos.recipe.template:jinja2
rendered = $${directory:etc}/resilient-sshd.conf
path_pid = $${directory:run}/resilient-sshd.pid
template = inline:
PidFile $${:path_pid}
Port $${sshd-port:port}
ListenAddress $${slap-network-information:global-ipv6}
Protocol 2
UsePrivilegeSeparation no
HostKey $${directory:ssh}/server_key.rsa
AuthorizedKeysFile $${directory:ssh}/.ssh/authorized_keys
PasswordAuthentication no
PubkeyAuthentication yes
ForceCommand $${rdiff-backup-server:wrapper}
[sshd-raw-server]
recipe = slapos.cookbook:wrapper
host = $${slap-network-information:global-ipv6}
host = $${slap-network-information:global-ipv6}
# Explicitely excludes to define "port" argument. It will be defined in
# pbs-ready-import.cfg.in and pbs-ready-export.cfg.in
home = $${directory:ssh}
wrapper = $${rootdirectory:bin}/raw_sshd
shell = $${rdiff-backup-server:wrapper}
rsa-keyfile = $${directory:ssh}/server_key.rsa
rsa-keyfile = $${directory:ssh}/server_key.rsa
dropbear-binary = ${dropbear:location}/sbin/dropbear
home = $${directory:ssh}
command-line = ${openssh:location}/sbin/sshd -D -e -f $${resilient-sshd-config:rendered}
wrapper-path = $${rootdirectory:bin}/raw_sshd
[
dropbear-server
-pbs-authorized-key]
[
sshd
-pbs-authorized-key]
<=
dropbear
-server
<=
sshd-raw
-server
recipe = slapos.cookbook:dropbear.add_authorized_key
recipe = slapos.cookbook:dropbear.add_authorized_key
key = $${slap-parameter:authorized-key}
key = $${slap-parameter:authorized-key}
[
dropbear-sshd
]
[
sshd-server
]
recipe = collective.recipe.template
recipe = collective.recipe.template
log = $${basedirectory:log}/sshd.log
log = $${basedirectory:log}/sshd.log
input = inline:#!/bin/sh
input = inline:#!/bin/sh
exec $${
dropbear-server:wrapper
} >> $${:log} 2>&1
exec $${
sshd-raw-server:wrapper-path
} >> $${:log} 2>&1
output = $${rootdirectory:bin}/raw_sshd_log
output = $${rootdirectory:bin}/raw_sshd_log
mode = 700
mode = 700
[sshd-graceful]
recipe = slapos.cookbook:wrapper
command-line = $${directory:bin}/killpidfromfile $${runner-sshd-config:path_pid} SIGHUP
wrapper-path = $${basedirectory:scripts}/sshd-graceful
[sshd-promise]
recipe = slapos.cookbook:check_port_listening
path = $${basedirectory:promises}/sshd
hostname = $${slap-network-information:global-ipv6}
port = $${sshd-port:port}
#----------------
#----------------
#--
#--
#-- sshkeys
#-- sshkeys
...
@@ -211,29 +237,31 @@ recipe = slapos.cookbook:sshkeys_authority
...
@@ -211,29 +237,31 @@ recipe = slapos.cookbook:sshkeys_authority
request-directory = $${sshkeys-directory:requests}
request-directory = $${sshkeys-directory:requests}
keys-directory = $${sshkeys-directory:keys}
keys-directory = $${sshkeys-directory:keys}
wrapper = $${basedirectory:services}/sshkeys_authority
wrapper = $${basedirectory:services}/sshkeys_authority
keygen-binary = ${
dropbear:location}/bin/dropbearkey
keygen-binary = ${
openssh:location}/bin/ssh-keygen
[sshkeys-
dropbear
]
[sshkeys-
sshd
]
<= sshkeys-authority
<= sshkeys-authority
recipe = slapos.cookbook:sshkeys_authority.request
recipe = slapos.cookbook:sshkeys_authority.request
name = dropbear
name = dropbear
type = rsa
type = rsa
executable = $${
dropbear-sshd
:output}
executable = $${
sshd-server
:output}
public-key = $${
dropbear
-server:rsa-keyfile}.pub
public-key = $${
sshd-raw
-server:rsa-keyfile}.pub
private-key = $${
dropbear
-server:rsa-keyfile}
private-key = $${
sshd-raw
-server:rsa-keyfile}
wrapper = $${basedirectory:services}/sshd
wrapper = $${basedirectory:services}/sshd
[resilient-sshkeys-
dropbear
-promise]
[resilient-sshkeys-
sshd
-promise]
# Check that public key file exists and is not empty
# Check that public key file exists and is not empty
recipe = collective.recipe.template
recipe = collective.recipe.template
input = inline:#!${bash:location}/bin/bash
input = inline:#!${bash:location}/bin/bash
PUBLIC_KEY_CONTENT="$${sshkeys-
dropbear
:public-key-value}"
PUBLIC_KEY_CONTENT="$${sshkeys-
sshd
:public-key-value}"
if [[ ! -n "$PUBLIC_KEY_CONTENT" || "$PUBLIC_KEY_CONTENT" == *None* ]]; then
if [[ ! -n "$PUBLIC_KEY_CONTENT" || "$PUBLIC_KEY_CONTENT" == *None* ]]; then
exit 1
exit 1
fi
fi
output = $${basedirectory:promises}/public-key-existence
output = $${basedirectory:promises}/public-key-existence
mode = 700
mode = 700
[environment]
recipe = collective.recipe.environment
#----------------
#----------------
#--
#--
...
@@ -241,6 +269,6 @@ mode = 700
...
@@ -241,6 +269,6 @@ mode = 700
# XXX-Cedric: when "aggregation" system is done in libslap, directly publish.
# XXX-Cedric: when "aggregation" system is done in libslap, directly publish.
[resilient-publish-connection-parameter]
[resilient-publish-connection-parameter]
recipe = slapos.cookbook:publish
recipe = slapos.cookbook:publish
ssh-public-key = $${sshkeys-
dropbear
:public-key-value}
ssh-public-key = $${sshkeys-
sshd
:public-key-value}
ssh-url = ssh://
nobody@[$${dropbear-server:host}]:$${dropbear-server
:port}/$${rdiff-backup-server:path}
ssh-url = ssh://
$${environment:USER}@[$${sshd-raw-server:host}]:$${sshd-port
:port}/$${rdiff-backup-server:path}
ip = $${slap-network-information:global-ipv6}
ip = $${slap-network-information:global-ipv6}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment