[ocaml-infra] Setting up a host "infra.ocaml.org"

Sylvain Le Gall sylvain at le-gall.net
Sun Jan 5 21:52:10 GMT 2014


Hi,

You can use puppet (we already have a puppet setup for some ocaml.org
hosts, although this is running only on the VM I managed).

You just have to add an SSH public key to a given user and whenever
this user is added to a VM, all his SSH keys get installed.

There are some docs around to install SSH keys in a new VM:
http://blog.scottlowe.org/2013/10/21/managing-ssh-authorized-keys-with-puppet/

FYI, I use this technique on all my personal hosts.

Revocation is just a matter of switching the status from "ensure =>
present" to "ensure => absent".

Regards
Sylvain

2014/1/5 Anil Madhavapeddy <anil at recoil.org>:
> The problem with SSH keys is managing them.  Given a cluster of 10 or so
> VMs (which is what we're up to now), we need to manually sync them and
> more importantly, deal with revocation.
>
> I was wondering about using GPG to define groups for certain
> administration tasks, and derive keys from that.   A bit of Googling found
> something similar here: http://web.monkeysphere.info/
>
> I've not tried it yet, so any reports about it would be useful.
>
> -anil
>
> On Sun, Jan 05, 2014 at 11:25:34AM -0500, Yaron Minsky wrote:
>> I'm not sure what role SKS would play in this, but GPG seems plausible
>> enough.  That said, I'm more used to people doing this with SSH keys, and I
>> suspect that's probably an easier and smoother solution.
>>
>> y
>>
>>
>> On Sun, Jan 5, 2014 at 9:05 AM, Anil Madhavapeddy <anil at recoil.org> wrote:
>>
>> > On Tue, Oct 15, 2013 at 12:38:41PM +0200, Sylvain Le Gall wrote:
>> > > 2013/10/15 Anil Madhavapeddy <anil at recoil.org>:
>> > > > I agree -- I'd like to have a small host for nothing but password and
>> > key
>> > > > information, and use that to bounce off to all the other infrastructure
>> > > > hosts.  If possible, it would be good not to have any customisation on
>> > > > there at all (or indeed, Internet-facing web services such as admin
>> > > > panels) -- could you host those on another VM?
>> > >
>> > > Yes, that was the purpose of my request. I want to have it in another VM.
>> > > Given the fact that it will need almost no admin, it would be easy to
>> > > set up and just create a Debian repository there.
>> > >
>> > > I do not want to share the forge.ocaml.org or ssh.ocaml.org VM, because it
>> > > will be too sensitive. This is the reason for my request; you will
>> > > probably have to set up a VM for those specifically (add my SSH keys
>> > > that I have sent you for setting up forge.o.o and ssh.o.o).
>> >
>> > I'm getting around to creating this VM now, and am looking around for a
>> > good way to encrypt the passwords held on the virtual machine.  I notice
>> > several candidates in OPAM that might work.
>> >
>> > Yaron: this might be a mad idea, but should we run SKS and use GPG to
>> > encrypt the keys, so that anyone we add to a ring would get access to the
>> > infrastructure machines?  Do you know anyone else that uses SKS to help
>> > with such sysadmin tasks?
>> >
>> > -anil
>> >
>> >
>> >
>> >
>> > >
>> > > >
>> > > > Rackspace has a nice facility for setting up internal networks, so we
>> > > > could run SSH on other services only exposed to this bounce box.
>> > > >
>> > > > -anil
>> > > >
>> > > > On Tue, Oct 15, 2013 at 11:27:52AM +0200, Sylvain Le Gall wrote:
>> > > >> Hi all,
>> > > >>
>> > > >> TL;DR I would like to create an isolated host infra.ocaml.org that
>> > > >> contains at least a Debian repository.
>> > > >>
>> > > >> I am considering what needs to be done to migrate and improve forge.o.o
>> > > >> (right now forge.ocamlcore.org, tomorrow forge.ocaml.org).
>> > > >>
>> > > >> One of the things that is "extremely" useful is to have a central,
>> > > >> secured host holding a data repository for all other hosts. In my
>> > > >> current "home" installation, I have one host that contains, for
>> > > >> example, my personal Debian repository. This repository contains
>> > > >> Debian packages that need to be installed on every other host and I
>> > > >> use it to distribute home-made programs across all hosts using the
>> > > >> standard Debian apt-get scheme. This may also contain some admin
>> > > >> panel/monitoring tools. This host is particular because it should be
>> > > >> extra protected against attack, since compromising this host can lead
>> > > >> to compromising all other hosts. In other words you should not use it
>> > > >> for public facing products.
>> > > >>
>> > > >> Right now, the forge.o.o repository is hosted on the forge.o.o itself
>> > > >> (but it doesn't distribute data to any other hosts).
>> > > >>
>> > > >> We may also use a private/public github account to store the
>> > > >> repository, if it makes more sense to you. But in this case, we will
>> > > >> need to figure how to GPG sign the release file.
>> > > >>
>> > > >> Here are my questions:
>> > > >> - what would you prefer: dedicated hosts or public github or private
>> > > >> github (less infra disclosure, less possible attack)
>> > > >> - would this kind of central repository be used on other .ocaml.org hosts?
>> > > >> - in case you prefer a host: Anil can you set a small instance (1CPU,
>> > > >> 3GB DD, 512MB RAM)
>> > > >> - in case you prefer a github repository: Am I allowed to create a
>> > > >> private/public github repository on ocaml.org ?
>> > > >> - I will inject some fusionforge packages + custom scripts packages;
>> > > >> OCaml Labs/OCamlPro people, do you have some packages to inject as
>> > > >> well?
>> > > >>
>> > > >> Regards
>> > > >> Sylvain
>> > > >> _______________________________________________
>> > > >> Infrastructure mailing list
>> > > >> Infrastructure at lists.ocaml.org
>> > > >> http://lists.ocaml.org/listinfo/infrastructure
>> > > >>
>> > > >
>> > > > --
>> > > > Anil Madhavapeddy                                 http://anil.recoil.org
>> > >
>> >
>> > --
>> > Anil Madhavapeddy                                 http://anil.recoil.org
>> >
>
> --
> Anil Madhavapeddy                                 http://anil.recoil.org
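The Puppet approach Sylvain describes (keys attached to a user, revocation by flipping ensure => present to ensure => absent), written out as an added example manifest that is not part of this thread or of the ocaml.org puppet setup. It uses the built-in user and ssh_authorized_key resource types (ssh_authorized_key ships with the puppetlabs-sshkeys_core module since Puppet 6); the admin_user defined type, the usernames and the key material are assumptions and placeholders.

```puppet
# Added example (not the thread's or ocaml.org's own code).
# Assumed: a defined type "admin_user" taking a hash of keys per user;
# usernames and key strings below are placeholders.

define admin_user (
  Hash $keys = {},
) {
  # The account itself. purge_ssh_keys removes any line from
  # ~/.ssh/authorized_keys that puppet does not manage, so a key added by
  # hand on one VM does not silently outlive the puppet-managed set.
  user { $title:
    ensure         => present,
    managehome     => true,
    purge_ssh_keys => true,
  }

  # One resource per key. Revocation is a one-line change in the data:
  # 'present' -> 'absent', and the key disappears on the next agent run
  # on every host where the user is declared.
  $keys.each |String $comment, Hash $k| {
    ssh_authorized_key { "${title}-${comment}":
      ensure  => $k['ensure'],
      user    => $title,
      type    => $k['type'],
      key     => $k['key'],   # base64 part only: no "ssh-ed25519 " prefix, no trailing comment
      require => User[$title],
    }
  }
}

# Example data (constructed). Adding a person to a VM is just declaring
# admin_user for them there; their whole key set follows.
admin_user { 'alice':
  keys => {
    'laptop-2014' => {
      ensure => 'present',
      type   => 'ssh-ed25519',
      key    => 'AAAAC3NzaC1lZDI1NTE5AAAAI-PLACEHOLDER-KEY-MATERIAL',
    },
    # Revoked key: kept in the data as 'absent' so that puppet actively
    # removes it rather than merely no longer adding it.
    'old-desktop' => {
      ensure => 'absent',
      type   => 'ssh-rsa',
      key    => 'AAAAB3NzaC1yc2EAAAADAQABAAAB-PLACEHOLDER-KEY-MATERIAL',
    },
  },
}
```

Two things worth checking on a real deployment: the key attribute takes only the base64 blob (a pasted full authorized_keys line fails to match and is re-added each run), and revocation latency is the agent run interval, so a revoked key stays valid on a host until that host's next run; keeping the revoked entry as ensure => absent rather than deleting it is what makes the removal explicit and auditable.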

