Re: [tor-bugs] #32914 [Internal Services/Tor Sysadmin Team]: review the puppet bootstrapping process
#32914: review the puppet bootstrapping process
-------------------------------------------------+-------------------------
     Reporter:  anarcat                          |          Owner:  anarcat
         Type:  task                             |         Status:  accepted
     Priority:  Medium                           |      Milestone:
    Component:  Internal Services/Tor Sysadmin   |        Version:
                Team                             |
     Severity:  Minor                            |     Resolution:
     Keywords:                                   |  Actual Points:
    Parent ID:  #31239                           |         Points:
     Reviewer:                                   |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by anarcat):
* status: assigned => accepted
Comment:
I looked here and there. I found a "bootstrap" bolt script here:
https://forge.puppet.com/puppetlabs/bootstrap
but that requires bolt, and from what I understand, it's just this awful
`curl | bash` shell script that sucks in something from the central
puppetmaster:
https://github.com/puppetlabs/puppetlabs-bootstrap/blob/master/tasks/linux.sh
so not really useful.
There's something called "autosigning" in Puppet, which tells the puppet
master to just sign the new nodes automatically:
https://puppet.com/docs/puppet/latest/ssl_autosign.html
Some people do naive autosigning in development, but manually verify new
nodes before signing them. It's basically what we do: the copy-paste
script we have does that, somehow.
A possible improvement on that is "policy autosigning", where the
puppetmaster delegates to an external program the task of verifying the
certificate. The external program gets the CSR and succeeds or fails the
verification. Presumably the CSR could include some magic secret that the
master could verify, but I don't see how this could be used by us.
I think the best way to improve the script would be two-fold:
 1. include the Puppetmaster CA in the install process
 2. install the Puppet package in the install process
 3. add a tpa-puppet-node-add script that takes a sha256 as an argument
    (or prompt) and signs it after verification on the master
 4. configure puppet to configure itself to run as a cron job instead of a
    daemon (instead of doing this by hand during the install)
This has a few implications:
 * the puppetmaster is a special snowflake that needs manual
   reconfiguration of the install process when rebuilt from scratch (already
   the case)
 * no manual step is required on the new nodes to configure Puppet, as the
   CA is set up automatically during install
 * Puppet first runs as a daemon, but then needs to configure itself to
   run as a cron job (or timer) - this is done that way so that we don't have
   to run puppet by hand during the install
 * the install process *must* communicate the checksum of the agent cert
   reliably and securely as part of the install process
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32914#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
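As an added example (not part of the ticket, and not Tor's tpa-puppet-node-add or any puppetlabs code), the following script shows the shape a policy-autosign checker would take for the "sign after verifying the checksum" idea in the comment: the puppetmaster hands the script the certname as argv[1] and the CSR PEM on stdin, and a zero exit status means "sign". The comparison is between the SHA256 fingerprint of the DER-encoded CSR (the colon-separated value puppetserver's CA listing shows for pending requests, as I understand that tooling) and a per-node expected value that the install process recorded beforehand. The allowlist contents, the certnames, the file path in the usage note and the stand-in PEM body are all constructed for the example; the stand-in is not a real CSR, since the check only needs the raw DER bytes.

```python
"""Policy-autosign style check: sign a node's CSR only if its fingerprint
matches the checksum the install process recorded for that certname.

Added example, not project code. Assumptions (not from the ticket):
  - puppet.conf `autosign = /path/to/this/script` runs it with the certname
    as argv[1] and the CSR PEM on stdin; exit 0 = sign, non-zero = refuse.
  - the fingerprint compared is SHA256 over the DER CSR, upper-case hex
    pairs separated by colons, as the puppetserver CA listing prints it.
"""
import base64
import hashlib
import hmac
import sys

# Constructed stand-in for the bytes of a CSR. A real deployment would hash
# the actual DER CSR; the logic below does not care what the bytes are.
SAMPLE_DER = b"constructed stand-in CSR bytes, not a real CSR"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE REQUEST-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body (strict decoding)."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN") \
            or not lines[-1].startswith("-----END"):
        raise ValueError("not a PEM block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def fingerprint(der: bytes) -> str:
    """SHA256 of the DER bytes as colon-separated upper-case hex pairs."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalize(fp: str) -> str:
    """Accept 'AB:CD', 'ab:cd' or 'ABCD' spellings of the same checksum."""
    return fp.replace(":", "").replace(" ", "").upper()


def should_sign(certname: str, csr_pem: str, allowlist: dict) -> bool:
    """True only if the certname is expected AND the CSR hashes to the
    recorded checksum. Unknown nodes and unparsable CSRs are refused, and
    the comparison is constant-time so a wrong guess leaks nothing."""
    expected = allowlist.get(certname)
    if expected is None:
        return False
    try:
        actual = fingerprint(pem_to_der(csr_pem))
    except ValueError:
        return False
    return hmac.compare_digest(normalize(expected), normalize(actual))


# Constructed allowlist: what the install process would have recorded for
# each new node. Hostnames are placeholders, not real Tor machines.
SAMPLE_ALLOWLIST = {
    "new-node.example.org": fingerprint(SAMPLE_DER),
}


def main(argv=None) -> int:
    argv = sys.argv if argv is None else argv
    if len(argv) != 2:
        print("usage: autosign-check CERTNAME < csr.pem", file=sys.stderr)
        return 2
    ok = should_sign(argv[1], sys.stdin.read(), SAMPLE_ALLOWLIST)
    print(("signing " if ok else "refusing ") + argv[1], file=sys.stderr)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

The allowlist is the part that maps onto item 3 of the comment: whatever records the expected sha256 (a file the installer drops on the master, a prompt to the operator, or something else) has to be fed by a channel the installer and the master both trust, which is exactly the "must communicate the checksum reliably and securely" implication listed above. Refusing unknown certnames by default keeps the script from degrading into naive autosigning if the allowlist is empty.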