5551b0cf
Commit
5551b0cf
authored
Aug 24, 2016
by
Nicolas Wavrant
resilient: replaces dropbear ssh server by sshd from openssh
parent
fc7c0aea
Showing
5 changed files
with
100 additions
and
61 deletions
+100
-61
stack/resilient/buildout.cfg
stack/resilient/buildout.cfg
+6
-4
stack/resilient/instance-pull-backup.cfg.in
stack/resilient/instance-pull-backup.cfg.in
+15
-16
stack/resilient/pbsready-export.cfg.in
stack/resilient/pbsready-export.cfg.in
+11
-6
stack/resilient/pbsready-import.cfg.in
stack/resilient/pbsready-import.cfg.in
+11
-6
stack/resilient/pbsready.cfg.in
stack/resilient/pbsready.cfg.in
+57
-29
stack/resilient/buildout.cfg
...
...
@@ -3,6 +3,7 @@ extends =
../../component/apache/buildout.cfg
../../component/bash/buildout.cfg
../../component/dropbear/buildout.cfg
../../component/openssh/buildout.cfg
../../component/gzip/buildout.cfg
../../component/rdiff-backup/buildout.cfg
../../component/rsync/buildout.cfg
...
...
@@ -26,6 +27,7 @@ parts =
recipe = zc.recipe.egg
eggs =
collective.recipe.template
collective.recipe.environment
#----------------
#--
...
...
@@ -39,7 +41,7 @@ eggs =
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/pbsready.cfg.in
output = ${buildout:directory}/pbsready.cfg
md5sum =
d2b06a13354127e9cbbf1c5d21791cb4
md5sum =
9eba09cd5f6e25f08eafbf1cb77582d5
mode = 0644
[pbsready-import]
...
...
@@ -48,7 +50,7 @@ mode = 0644
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/pbsready-import.cfg.in
output = ${buildout:directory}/pbsready-import.cfg
md5sum =
dd13497575d13b92c3abb0a633777e2c
md5sum =
b4a48d7fc502ca08d14b52097ccc4c6e
mode = 0644
[pbsready-export]
...
...
@@ -57,14 +59,14 @@ mode = 0644
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/pbsready-export.cfg.in
output = ${buildout:directory}/pbsready-export.cfg
md5sum =
bfd71e454140cf13179d408e10f95bf8
md5sum =
c819c0711d58e952f16b93d96654139c
mode = 0644
[template-pull-backup]
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/instance-pull-backup.cfg.in
output = ${buildout:directory}/instance-pull-backup.cfg
md5sum =
cb7acac7ab41bf44c20d6d03bfad8217
md5sum =
232fcad0892e56d62f45e79ec01c7c3e
mode = 0644
[template-replicated]
...
...
stack/resilient/instance-pull-backup.cfg.in
...
...
@@ -7,8 +7,7 @@ parts =
cron
cron-entry-logrotate
sshkeys-authority
sshkeys-dropbear
sshkeys-openssh
## Monitor for pbs
monitor-base
...
...
@@ -59,7 +58,6 @@ notifier-feeds = $${basedirectory:notifier}/feeds
notifier-callbacks = $${basedirectory:notifier}/callbacks
#----------------
#--
#-- Set up the equeue and notifier.
...
...
@@ -111,7 +109,7 @@ callbacks = $${directory:notifier-callbacks}
equeue-socket = $${equeue:socket}
notifier-binary = ${buildout:bin-directory}/pubsubnotifier
rdiffbackup-binary = ${buildout:bin-directory}/rdiff-backup
sshclient-binary = $${
dropbear-client:wrapper
}
sshclient-binary = $${
openssh-client:wrapper-path
}
known-hosts = $${directory:dot-ssh}/known_hosts
promises-directory = $${basedirectory:promises}
directory = $${directory:pbs-backup}
...
...
@@ -190,29 +188,30 @@ recipe = slapos.cookbook:sshkeys_authority
request-directory = $${sshkeys-directory:requests}
keys-directory = $${sshkeys-directory:keys}
wrapper = $${basedirectory:services}/sshkeys_authority
keygen-binary = ${
dropbear:location}/bin/dropbearkey
keygen-binary = ${
openssh:location}/bin/ssh-keygen
[sshkeys-
dropbear
]
[sshkeys-
openssh
]
<= sshkeys-authority
recipe = slapos.cookbook:sshkeys_authority.request
name = pbs
type = rsa
executable = $${
dropbear-client:wrapper
}
public-key = $${
dropbear
-client:identity-file}.pub
private-key = $${
dropbear
-client:identity-file}
executable = $${
openssh-client:wrapper-path
}
public-key = $${
openssh
-client:identity-file}.pub
private-key = $${
openssh
-client:identity-file}
wrapper = $${rootdirectory:bin}/do_backup
#----------------
#--
#--
Dropbear
.
#--
OpenSSH
.
[dropbear-client]
recipe = slapos.cookbook:dropbear.client
dbclient-binary = ${dropbear:location}/bin/dbclient
wrapper = $${rootdirectory:bin}/ssh
[openssh-client]
recipe = slapos.cookbook:wrapper
home = $${basedirectory:ssh-home}
identity-file = $${basedirectory:ssh-home}/id_rsa
identity-file = $${:home}/id_rsa
command-line = ${openssh:location}/bin/ssh -T -o "UserKnownHostsFile $${pbs:known-hosts}" -i $${:identity-file}
wrapper-path = $${rootdirectory:bin}/ssh
parameters-extra = true
#----------------
...
...
@@ -240,7 +239,7 @@ monitor-username = $${htpasswd:username}
[publish-connection-information]
recipe = slapos.cookbook:publish
ssh-key = $${sshkeys-
dropbear
:public-key-value}
ssh-key = $${sshkeys-
openssh
:public-key-value}
notification-url = http://[$${notifier:host}]:$${notifier:port}/notify
feeds-url = http://[$${notifier:host}]:$${notifier:port}/get/
monitor-base-url = $${publish:monitor-base-url}
...
...
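Review bot: The new `[openssh-client]` `command-line` points ssh at a dedicated `UserKnownHostsFile` but leaves host-key policy and prompting at their defaults, so an unattended backup run that meets an unknown or changed server key depends on ssh's interactive fallback instead of being rejected by explicit configuration. I would pin the behaviour in the wrapper by adding `-o BatchMode=yes -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes` next to the existing `-i $${:identity-file}`. This assumes the known_hosts file is filled with the exporter and importer host keys before the first pull, and that the pbs recipe does not already pass these options itself; neither is visible in this diff.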
stack/resilient/pbsready-export.cfg.in
...
...
@@ -11,10 +11,12 @@ parts =
cron
cron-entry-logrotate
sshkeys-authority
dropbear-server
sshkeys-dropbear
resilient-sshkeys-dropbear-promise
dropbear-server-pbs-authorized-key
sshd-raw-server
sshd-graceful
sshkeys-sshd
sshd-promise
resilient-sshkeys-sshd-promise
sshd-pbs-authorized-key
notifier
cron-entry-backup
...
...
@@ -28,8 +30,11 @@ pid = $${:var}/pid
# Define port of ssh server. It has to be different from import so that it
# supports export/import using same IP (slaprunner, slapos-in-partition,
# ipv4...)
[dropbear-server]
port = 22221
[sshd-port]
recipe = slapos.cookbook:free_port
minimum = 22200
maximum = 22209
ip = $${slap-network-information:global-ipv6}
[resilient-publish-connection-parameter]
notification-id = http://[$${notifier:host}]:$${notifier:port}/get/$${notifier-exporter:name}
...
...
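Review bot: The comment above `[sshd-port]` still describes a single fixed port, while the section now lets `slapos.cookbook:free_port` choose any port in 22200-22209 (22210-22219 in pbsready-import.cfg.in, which carries the same comment). I would reword it along the lines of `# Port range of the ssh server. The export and import ranges must not overlap so that both can run on the same IP`, and note that any firewall or allow-list in front of the partition has to cover the whole range. Whether the chosen port stays the same across re-instantiation depends on the recipe and is not visible here; if it can move, the `ssh-url` published from pbsready.cfg.in moves with it.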
stack/resilient/pbsready-import.cfg.in
...
...
@@ -11,10 +11,12 @@ parts =
cron
cron-entry-logrotate
sshkeys-authority
dropbear-server
sshkeys-dropbear
resilient-sshkeys-dropbear-promise
dropbear-server-pbs-authorized-key
sshd-raw-server
sshd-graceful
sshkeys-sshd
sshd-promise
resilient-sshkeys-sshd-promise
sshd-pbs-authorized-key
notifier
resiliency-takeover-script
...
...
@@ -33,8 +35,11 @@ takeover-password = $${resilient-web-takeover-password:passwd}
# Define port of ssh server. It has to be different from import so that it
# supports export/import using same IP (slaprunner, slapos-in-partition,
# ipv4...)
[dropbear-server]
port = 22220
[sshd-port]
recipe = slapos.cookbook:free_port
minimum = 22210
maximum = 22219
ip = $${slap-network-information:global-ipv6}
# Define port of notifier (same reason)
[notifier]
...
...
stack/resilient/pbsready.cfg.in
...
...
@@ -8,9 +8,11 @@ parts =
cron-entry-logrotate
sshkeys-authority
dropbear-server
sshkeys-dropbear
resilient-sshkeys-dropbear-promise
dropbear-server-pbs-authorized-key
sshd-graceful
sshkeys-sshd
sshd-promise
resilient-sshkeys-sshd-promise
sshd-pbs-authorized-key
notifier
...
...
@@ -30,7 +32,7 @@ recipe = slapos.cookbook:mkdirectory
log = $${rootdirectory:var}/log
services = $${rootdirectory:etc}/service
run = $${rootdirectory:var}/run
script
= $${rootdirectory:etc}/script
script
s = $${rootdirectory:etc}/run
backup = $${rootdirectory:srv}/backup
promises = $${rootdirectory:etc}/promise
services = $${rootdirectory:etc}/service
...
...
@@ -120,14 +122,14 @@ create = true
<= logrotate
recipe = slapos.cookbook:logrotate.d
name = equeue
log = $${equeue:log} $${
dropbear-sshd
:log}
log = $${equeue:log} $${
sshd-server
:log}
frequency = daily
rotate-num = 30
#----------------
#--
#-- Sets up an rdiff-backup server (with a
dropbear
server for ssh)
#-- Sets up an rdiff-backup server (with a
openssh
server for ssh)
[rdiff-backup-server]
recipe = slapos.cookbook:pbs
...
...
@@ -170,33 +172,57 @@ context =
#----------------
#--
#-- Dropbear.
[dropbear-server]
recipe = slapos.cookbook:dropbear
#-- OpenSSH.
[resilient-sshd-config]
# XXX: Add timeout support
recipe = slapos.recipe.template:jinja2
rendered = $${directory:etc}/resilient-sshd.conf
path_pid = $${directory:run}/resilient-sshd.pid
template = inline:
PidFile $${:path_pid}
Port $${sshd-port:port}
ListenAddress $${slap-network-information:global-ipv6}
Protocol 2
UsePrivilegeSeparation no
HostKey $${directory:ssh}/server_key.rsa
AuthorizedKeysFile $${directory:ssh}/.ssh/authorized_keys
PasswordAuthentication no
PubkeyAuthentication yes
ForceCommand $${rdiff-backup-server:wrapper}
[sshd-raw-server]
recipe = slapos.cookbook:wrapper
host = $${slap-network-information:global-ipv6}
# Explicitely excludes to define "port" argument. It will be defined in
# pbs-ready-import.cfg.in and pbs-ready-export.cfg.in
home = $${directory:ssh}
wrapper = $${rootdirectory:bin}/raw_sshd
shell = $${rdiff-backup-server:wrapper}
rsa-keyfile = $${directory:ssh}/server_key.rsa
dropbear-binary = ${dropbear:location}/sbin/dropbear
home = $${directory:ssh}
command-line = ${openssh:location}/sbin/sshd -D -e -f $${resilient-sshd-config:rendered}
wrapper-path = $${rootdirectory:bin}/raw_sshd
[
dropbear-server
-pbs-authorized-key]
<=
dropbear
-server
[
sshd
-pbs-authorized-key]
<=
sshd-raw
-server
recipe = slapos.cookbook:dropbear.add_authorized_key
key = $${slap-parameter:authorized-key}
[
dropbear-sshd
]
[
sshd-server
]
recipe = collective.recipe.template
log = $${basedirectory:log}/sshd.log
input = inline:#!/bin/sh
exec $${
dropbear-server:wrapper
} >> $${:log} 2>&1
exec $${
sshd-raw-server:wrapper-path
} >> $${:log} 2>&1
output = $${rootdirectory:bin}/raw_sshd_log
mode = 700
[sshd-graceful]
recipe = slapos.cookbook:wrapper
command-line = $${directory:bin}/killpidfromfile $${runner-sshd-config:path_pid} SIGHUP
wrapper-path = $${basedirectory:scripts}/sshd-graceful
[sshd-promise]
recipe = slapos.cookbook:check_port_listening
path = $${basedirectory:promises}/sshd
hostname = $${slap-network-information:global-ipv6}
port = $${sshd-port:port}
#----------------
#--
#-- sshkeys
...
...
@@ -211,29 +237,31 @@ recipe = slapos.cookbook:sshkeys_authority
request-directory = $${sshkeys-directory:requests}
keys-directory = $${sshkeys-directory:keys}
wrapper = $${basedirectory:services}/sshkeys_authority
keygen-binary = ${
dropbear:location}/bin/dropbearkey
keygen-binary = ${
openssh:location}/bin/ssh-keygen
[sshkeys-
dropbear
]
[sshkeys-
sshd
]
<= sshkeys-authority
recipe = slapos.cookbook:sshkeys_authority.request
name = dropbear
type = rsa
executable = $${
dropbear-sshd
:output}
public-key = $${
dropbear
-server:rsa-keyfile}.pub
private-key = $${
dropbear
-server:rsa-keyfile}
executable = $${
sshd-server
:output}
public-key = $${
sshd-raw
-server:rsa-keyfile}.pub
private-key = $${
sshd-raw
-server:rsa-keyfile}
wrapper = $${basedirectory:services}/sshd
[resilient-sshkeys-
dropbear
-promise]
[resilient-sshkeys-
sshd
-promise]
# Check that public key file exists and is not empty
recipe = collective.recipe.template
input = inline:#!${bash:location}/bin/bash
PUBLIC_KEY_CONTENT="$${sshkeys-
dropbear
:public-key-value}"
PUBLIC_KEY_CONTENT="$${sshkeys-
sshd
:public-key-value}"
if [[ ! -n "$PUBLIC_KEY_CONTENT" || "$PUBLIC_KEY_CONTENT" == *None* ]]; then
exit 1
fi
output = $${basedirectory:promises}/public-key-existence
mode = 700
[environment]
recipe = collective.recipe.environment
#----------------
#--
...
...
@@ -241,6 +269,6 @@ mode = 700
# XXX-Cedric: when "aggregation" system is done in libslap, directly publish.
[resilient-publish-connection-parameter]
recipe = slapos.cookbook:publish
ssh-public-key = $${sshkeys-
dropbear
:public-key-value}
ssh-url = ssh://
nobody@[$${dropbear-server:host}]:$${dropbear-server
:port}/$${rdiff-backup-server:path}
ssh-public-key = $${sshkeys-
sshd
:public-key-value}
ssh-url = ssh://
$${environment:USER}@[$${sshd-raw-server:host}]:$${sshd-port
:port}/$${rdiff-backup-server:path}
ip = $${slap-network-information:global-ipv6}
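Review bot: `[sshd-graceful]` sends SIGHUP to `$${runner-sshd-config:path_pid}`, but the sshd configuration section added in this file is `[resilient-sshd-config]` and no `[runner-sshd-config]` section is visible in the diff, so the part will probably fail to resolve (or signal a different daemon where another profile defines that name); it should read `command-line = $${directory:bin}/killpidfromfile $${resilient-sshd-config:path_pid} SIGHUP`. Separately, the inline sshd config relies on `ForceCommand` alone to confine the backup key: ForceCommand does not turn off port or agent forwarding, so adding `AllowTcpForwarding no` and `AllowAgentForwarding no` to the template would keep a holder of the authorized key limited to the rdiff-backup wrapper. The `[sshkeys-sshd]` request also keeps `name = dropbear`, which looks cosmetic but is now misleading.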