[ocaml-infra] Setting up a host "infra.ocaml.org"

Anil Madhavapeddy anil at recoil.org
Sun Jan 5 17:22:45 GMT 2014


The problem with SSH keys is managing them.  Given a cluster of 10 or so
VMs (which is what we're up to now), we need to manually sync them and
more importantly, deal with revocation.

I was wondering about using GPG to define groups for certain
administration tasks, and derive keys from that.   A bit of Googling found
something similar here: http://web.monkeysphere.info/

I've not tried it yet, so any reports about it would be useful.

-anil

On Sun, Jan 05, 2014 at 11:25:34AM -0500, Yaron Minsky wrote:
> I'm not sure what role SKS would play in this, but GPG seems plausible
> enough.  That said, I'm more used to people doing this with SSH keys, and I
> suspect that's probably an easier and smoother solution.
> 
> y
> 
> 
> On Sun, Jan 5, 2014 at 9:05 AM, Anil Madhavapeddy <anil at recoil.org> wrote:
> 
> > On Tue, Oct 15, 2013 at 12:38:41PM +0200, Sylvain Le Gall wrote:
> > > 2013/10/15 Anil Madhavapeddy <anil at recoil.org>:
> > > > I agree -- I'd like to have a small host for nothing but password and key
> > > > information, and use that to bounce off to all the other infrastructure
> > > > hosts.  If possible, it would be good not to have any customisation on
> > > > there at all (or indeed, Internet-facing web services such as admin
> > > > panels) -- could you host those on another VM?
> > >
> > > Yes, that was the purpose of my request. I want to have it in another VM.
> > > Given the fact that it will need almost no admin, it would be easy to
> > > set up and just create a Debian repository there.
> > >
> > > I do not want to share the forge.ocaml.org or ssh.ocaml.org VM, because it
> > > will be too sensitive. This is the reason for my request; you will
> > > probably have to set up a VM for those specifically (add my SSH keys
> > > that I have sent you for setting up forge.o.o and ssh.o.o).
> >
> > I'm getting around to creating this VM now, and am looking around for a
> > good way to encrypt the passwords held on the virtual machine.  I notice
> > several candidates in OPAM that might work.
> >
> > Yaron: this might be a mad idea, but should we run SKS and use GPG to
> > encrypt the keys, so that anyone we add to a ring would get access to the
> > infrastructure machines?  Do you know anyone else that uses SKS to help
> > with such sysadmin tasks?
> >
> > -anil
> >
> >
> >
> >
> > >
> > > >
> > > > Rackspace has a nice facility for setting up internal networks, so we
> > > > could run SSH on other services only exposed to this bounce box.
> > > >
> > > > -anil
> > > >
> > > > On Tue, Oct 15, 2013 at 11:27:52AM +0200, Sylvain Le Gall wrote:
> > > >> Hi all,
> > > >>
> > > >> TL;DR I would like to create an isolated host infra.ocaml.org that
> > > >> contains at least a Debian repository.
> > > >>
> > > >> I am considering what needs to be done to migrate and improve forge.o.o
> > > >> (right now forge.ocamlcore.org, tomorrow forge.ocaml.org).
> > > >>
> > > >> One of the things that is "extremely" useful is to have a central,
> > > >> secured host holding a data repository for all other hosts. In my
> > > >> current "home" installation, I have one host that contains, for
> > > >> example, my personal Debian repository. This repository contains
> > > >> Debian packages that need to be installed on every other host, and I
> > > >> use it to distribute home-made programs across all hosts using the
> > > >> standard Debian apt-get scheme. It may also contain some admin
> > > >> panel/monitoring tools. This host is particular because it should be
> > > >> extra protected against attack, since compromising it can lead
> > > >> to compromising all other hosts. In other words, you should not use it
> > > >> for public-facing products.
> > > >>
> > > >> Right now, the forge.o.o repository is hosted on the forge.o.o itself
> > > >> (but it doesn't distribute data to any other hosts).
> > > >>
> > > >> We may also use a private/public github account to store the
> > > >> repository, if it makes more sense to you. But in this case, we will
> > > >> need to figure out how to GPG sign the Release file.
> > > >>
> > > >> Here are my questions:
> > > >> - what would you prefer: a dedicated host, public github or private
> > > >> github (less infra disclosure, fewer possible attacks)?
> > > >> - would this kind of central repository be used on other .ocaml.org hosts?
> > > >> - in case you prefer a host: Anil, can you set up a small instance (1 CPU,
> > > >> 3GB disk, 512MB RAM)?
> > > >> - in case you prefer a github repository: am I allowed to create a
> > > >> private/public github repository on ocaml.org?
> > > >> - I will inject some fusionforge packages + custom script packages;
> > > >> OCaml Labs/OCamlPro people, do you have some packages to inject as well?
> > > >>
> > > >> Regards
> > > >> Sylvain
> > > >> _______________________________________________
> > > >> Infrastructure mailing list
> > > >> Infrastructure at lists.ocaml.org
> > > >> http://lists.ocaml.org/listinfo/infrastructure
> > > >>
> > > >
> > > > --
> > > > Anil Madhavapeddy                                 http://anil.recoil.org
> > >
> >
> > --
> > Anil Madhavapeddy                                 http://anil.recoil.org
> >

-- 
Anil Madhavapeddy                                 http://anil.recoil.org
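One concrete way to handle the "sync and revoke" problem the message above raises, as an added example (not code from this thread or from the ocaml.org infrastructure): a single table on the bounce box describes admins and their public keys, groups of admins per administration task, and the groups each VM trusts; from it the script renders the authorized_keys file for any host, drops keys by fingerprint from a central revocation list, and pins every key to logins that arrive from the bounce box's internal address. The admin names, the keys (built from constant bytes, not real key pairs) and the 10.0.0.5 address are all constructed for the example.

```python
"""Added example: central SSH-key management for a small fleet of VMs.

Not code from the thread or from the ocaml.org infrastructure. One data
structure holds admins and their public keys, groups of admins, the groups
each host trusts, and a revocation list keyed by key fingerprint; from it
the script renders the authorized_keys file for any host, pinning every
key to logins that come via the bounce box's internal address.
Names, keys and the 10.0.0.5 address are all constructed for the example.
"""
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """Length-prefixed string as used in the OpenSSH public-key wire format."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_pubkey(fill: int, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 public-key line.

    The 32-byte key material is a constant fill byte: this is test data,
    not a real key pair, and cannot be used to log in anywhere.
    """
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([fill]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(key_line: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (base64, no padding).

    Revocation is keyed on the fingerprint rather than the comment or the
    file name, so a key is caught wherever it was copied under another label.
    """
    blob = base64.b64decode(key_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# --- constructed fleet description -------------------------------------------
ADMINS = {
    "anil": [make_ed25519_pubkey(0x01, "anil@laptop"),
             make_ed25519_pubkey(0x02, "anil@desktop")],
    "sylvain": [make_ed25519_pubkey(0x03, "sylvain@home")],
    "yaron": [make_ed25519_pubkey(0x04, "yaron@work")],
}
GROUPS = {                     # one group per administration task
    "infra-admins": ["anil", "sylvain"],
    "forge-admins": ["sylvain"],
    "all-admins": ["anil", "sylvain", "yaron"],
}
HOSTS = {                      # which groups may log in to which VM
    "infra": ["infra-admins"],
    "forge": ["forge-admins", "infra-admins"],
    "ssh": ["all-admins"],
}
BOUNCE_BOX_INTERNAL = "10.0.0.5"   # assumed internal-network address of the bounce box
KEY_OPTIONS = f'from="{BOUNCE_BOX_INTERNAL}",no-port-forwarding,no-X11-forwarding'

# A lost laptop: revoke by fingerprint once, and every host drops the key
# on its next sync, whatever comment the key carries.
REVOKED = {fingerprint(ADMINS["anil"][1])}


def admins_for(host: str) -> list:
    """Resolve a host's groups to the sorted set of admin names they grant."""
    return sorted({a for g in HOSTS[host] for a in GROUPS[g]})


def authorized_keys_for(host: str) -> str:
    """Render the authorized_keys contents that should be installed on host."""
    lines = []
    for admin in admins_for(host):
        for key in ADMINS[admin]:
            if fingerprint(key) in REVOKED:
                continue          # revoked keys never reach a host
            lines.append(f"{KEY_OPTIONS} {key}")
    return "\n".join(lines) + "\n"


def fleet_report() -> dict:
    """host -> list of key comments still granted, for a quick audit."""
    return {h: [line.split()[-1] for line in authorized_keys_for(h).splitlines()]
            for h in HOSTS}


if __name__ == "__main__":
    for host in HOSTS:
        print(f"# {host}")
        print(authorized_keys_for(host), end="")
```

Syncing then means rendering each host's file on the bounce box and copying it over the internal network; no VM ever holds the full table, and a revocation is one entry in REVOKED rather than an edit on ten machines. The from= option only helps if the inner hosts' sshd is reachable solely from the bounce box's address, which is what the internal-network setup discussed in the thread provides.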

