Re: [tor-bugs] #30020 [Internal Services/Tor Sysadmin Team]: switch from our custom YAML implementation to Hiera
#30020: switch from our custom YAML implementation to Hiera
-------------------------------------------------+-------------------------
Reporter: anarcat                                | Owner: anarcat
Type: project                                    | Status: assigned
Priority: Medium                                 | Milestone:
Component: Internal Services/Tor Sysadmin Team   | Version:
Severity: Normal                                 | Resolution:
Keywords:                                        | Actual Points:
Parent ID: #29387                                | Points:
Reviewer:                                        | Sponsor:
-------------------------------------------------+-------------------------
Comment (by anarcat):
some more progress, but this time harder stuff: I converted the DNS
servers to Hiera. this involved splitting some classes and exporting
resources. in my travels, those are the important HOST_ROLE_ ferm rules
that I found might be problematic:
{{{
HOST_ROLE_BACULA_DIRECTOR
HOST_ROLE_BACULA_STORAGE
HOST_ROLE_DIP
HOST_ROLE_DNS_SECONDARY
HOST_ROLE_JENKINS
HOST_ROLE_NAGIOSMASTER
HOST_ROLE_PUPPETMASTER
}}}
I also found `HOST_NETNOD` but I think that might be a static definition.
`HOST_ROLE_DNS_SECONDARY` is now gone, and replaced by exported
`ferm::rule` constructs. This works well, but @weasel was somehow worried
about security issues with exported resources, which I am not sure are
relevant in this case.
Another problem is that the `ferm` module is setup to ''realize'' the
virtual `ferm::rule` stuff defined everywhere. This implies that the
exported resources are '''also''' realized '''locally'''. That's fairly
harmless, because the host allows itself access to itself, but it's noisy
and annoying.
I don't know why `ferm::rule` entries are virtual everywhere, so that's
something I'd like to explore as well in the future.
Another problem I found when working on the DNS stuff is that the DNS
primary does checks on the DNS secondaries, seemingly through NRPE,
because it is in the `allowed_hosts` list in the NRPE config. This makes
it impossible to remove the `dns_primary` role from `local.yaml` for now
and I'm not sure how to work around that without creating a global
variable for the DNS primary host, which would be an unfortunate
regression.
So two pending questions:
1. what is the security issue with exported resources? is the current
pattern used in the bind module and prometheus profile acceptable?
2. why are `ferm::rule` entries virtual?
3. how can we export arbitrary IPs in configuration files in Hiera?
specifically, how do we construct NRPE's `allowed_hosts` list of IPs from
other hosts?
My tentative guesses on this are:
1. impact minor, even if security issue (possibility to manipulate
firewall rules between nodes)
2. probably just an oversight?
3. i feel dirty saying it, but a fancy `sed` Exec exported resource?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30020#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
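The exported-resource pattern the comment discusses (question 3 and the `ferm::rule` export), sketched in Puppet DSL as an added illustration; this is not code from tor-puppet, and the `ferm::rule` parameters `description`/`rule`, the `profile::dns::*` class names and the NRPE include-dir path are assumptions:

```puppet
# Added example, not tor-puppet code. Assumes a ferm::rule define taking
# 'description' and 'rule', puppetlabs-concat for the NRPE fragment, and an
# NRPE include_dir of /etc/nagios/nrpe.d (all assumptions).

# On every DNS secondary: export resources for the primary to collect.
class profile::dns::secondary {
  $fqdn = $facts['networking']['fqdn']
  $ip   = $facts['networking']['ip']

  # '@@' makes the resource exported AND virtual; a module that does a blanket
  # 'Ferm::Rule <| |>' on this host will realize it here too (the "noisy but
  # harmless" local realization the comment mentions).
  @@ferm::rule { "dns-secondary-${fqdn}":
    description => "allow zone transfer from ${fqdn}",
    rule        => "proto tcp dport 53 saddr ${ip} ACCEPT",
    tag         => 'dns_secondary',
  }

  # Export this host's IP as one fragment of the primary's allowed_hosts line.
  @@concat::fragment { "nrpe-allowed-${fqdn}":
    target  => '/etc/nagios/nrpe.d/allowed_hosts.cfg',
    content => ",${ip}",
    order   => '10',
    tag     => 'nrpe_allowed_hosts',
  }
}

# On the DNS primary: collect what the secondaries exported.
class profile::dns::primary {
  # The tag is only a filter, not an authorization boundary: any node that can
  # write to PuppetDB may export a resource carrying this tag, which is the
  # exported-resource risk raised in the thread. Review collected rules.
  Ferm::Rule <<| tag == 'dns_secondary' |>>

  concat { '/etc/nagios/nrpe.d/allowed_hosts.cfg': ensure => present }
  concat::fragment { 'nrpe-allowed-header':
    target  => '/etc/nagios/nrpe.d/allowed_hosts.cfg',
    content => 'allowed_hosts=127.0.0.1',
    order   => '01',
  }
  # Fragments are joined without a separator, yielding
  # allowed_hosts=127.0.0.1,<ip1>,<ip2>,... on the assembled file.
  Concat::Fragment <<| tag == 'nrpe_allowed_hosts' |>>
}
```

Collecting only on the primary (never on the secondaries) avoids each secondary realizing its own exported rule locally.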