From 633778995c7d0c00c9896c19a9e02f0d7339c799 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 31 Mar 2014 19:12:27 -0400 Subject: propellor spin --- README | 61 +++++++++++++++++++++++++++++-------------------------------- 1 file changed, 29 insertions(+), 32 deletions(-) diff --git a/README b/README index a568d0f5..eb490bb9 100644 --- a/README +++ b/README 
@@ -26,51 +26,48 @@ of which classes and share which configuration. It might be nice to use reclass[1], but then again a host is configured using simply haskell code, and so it's easy to factor out things like classes of hosts as desired. -## security - -Propellor's security model is that the hosts it's used to deploy are -untrusted, and that the central git repository server is untrusted. - -The only trusted machine is the laptop where you run propellor --spin -to connect to a remote host. - -## bootstrapping and private data +## quick start -To bootstrap propellor on a new host, use: propellor --spin $host +Clone propellor's git repository to your laptop (or whatever). -That clones the git repository to the remote host. -The repository on the remote host will have its origin set to the local git -repository's remote.origin.url (or remote.deploy.url if available). -This way, when propellor is run on the remote host, it can contact -whatever central git repository you're using. -Private data such as passwords, ssh private keys, etc should not be checked -into a propellor git repository in the clear, unless you want to restrict -access to the repository. Which would probably involve a separate fork -for each host and be annoying. -Instead, propellor --spin $host looks for a privdata/$host.gpg file and -if found decrypts it and sends it to the host using ssh. To set a field -in such a file, use: propellor --set $host $field -The field name will be something like 'Password "root"'; see PrivData.hs -for available fields. +## security +Propellor's security model is that the hosts it's used to deploy are +untrusted, and that the central git repository server is untrusted. +The only trusted machine is the laptop where you run propellor --spin +to connect to a remote host. And that one only because you have a ssh key +or login password to the host. -## using git://... 
securely +Since the hosts propellor deploys are not trusted by the central git +repository, they have to use git:// or http:// to pull from the central +git repository, rather than ssh://. -It's often easiest for a remote host to use a git:// or http:// -url to its origin repository, rather than ssh://. So, to avoid a MITM -attack, propellor checks that any commit it fetched from origin is gpg -signed by a trusted gpg key, and refuses to deploy it otherwise. +So, to avoid a MITM attack, propellor checks that any commit it fetched +from origin is gpg signed by a trusted gpg key, and refuses to deploy it +otherwise. -This is only done when privdata/keyring.gpg exists. To set it up: +That is only done when privdata/keyring.gpg exists. To set it up: gpg --gen-key # only if you don't already have a gpg key propellor --add-key $MYKEYID -In order to be secure from the beginning propellor --spin is used +In order to be secure from the beginning, when propellor --spin is used to bootstrap propellor on a new host, it transfers the local git repositry -to the host over ssh. +to the remote host over ssh. After that, the remote host knows the +gpg key, and will use it to verify git fetches. + +Since the propoellor git repository is public, you can't store +in cleartext private data such as passwords, ssh private keys, etc. + +Instead, propellor --spin $host looks for a privdata/$host.gpg file and +if found decrypts it and sends it to the remote host using ssh. This lets +a remote host know its own private data, without seeing all the rest. + +To securely store private data, use: propellor --set $host $field +The field name will be something like 'Password "root"'; see PrivData.hs +for available fields. [1] http://reclass.pantsfullofunix.net/ -- cgit v1.2.3
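Review bot: the added security section leaves the origin-fetch verification fail-open without saying so. "That is only done when privdata/keyring.gpg exists" means a host bootstrapped before propellor --add-key $MYKEYID was run will pull commits over git:// or http:// with no signature check and therefore no MITM protection, yet the preceding sentence presents the check as what makes those transports safe. Suggest stating plainly that until privdata/keyring.gpg exists, fetches are unverified, and that --add-key should be run before the first --spin, since the README says the remote host only learns the key from the repository transferred at spin time. Two smaller points in the same region: "they have to use git:// or http:// to pull from the central git repository, rather than ssh://" states a design choice as a necessity; "should not hold ssh credentials for the central repository, so they pull over git:// or http://" is more accurate. And "Since the propoellor git repository is public" has a typo (propellor); the unchanged context line "transfers the local git repositry" could be fixed to "repository" while this section is being reworked. Separately, the new "## quick start" section consists only of "Clone propellor's git repository to your laptop (or whatever).", while the removed bootstrapping paragraph's operational detail ("To bootstrap propellor on a new host, use: propellor --spin $host", and that the remote's origin is set from remote.origin.url or remote.deploy.url) is not carried into any added line; either fold those sentences into quick start or keep the bootstrapping paragraph.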