Schema ====================== service: service_type: [user_service | public_service | internal_service] Features to add ========================== templates -------------------- templates for nodes and services stored in leap_platform commands: leap add-service # menu of services, copies from the template leap add-node # you pick a service among those enabled, then it copies template deploy --------------------- leap bootstrap leap dryrun leap deploy key management ------------------------- leap add-ssh-keypair leap add-x509-keypair json validation ------------------------ json validation http://www.kuwata-lab.com/kwalify/ruby/users-guide.html useful liberaries ================================ notes to myself user interaction gli -- http://davetron5000.github.com/gli/rdoc/classes/GLI/DSL.html sub -- https://github.com/37signals/sub readline highline https://github.com/JEG2/highline/tree/master/examples terminal-tables rainbow http://stackoverflow.com/questions/9577718/what-ruby-libraries-should-i-use-for-building-a-console-based-application testing aruba -- test for cli help gem-man -- install man pages with gems ronn -- write man pages in markdown push examples https://github.com/net-ssh/net-ssh https://github.com/seattlerb/rake-remote_task http://docs.seattlerb.org/rake-remote_task/ https://github.com/seattlerb/rake-remote_task/blob/master/lib/rake/remote_task.rb calling rsync from ruby https://github.com/RichGuk/rrsync/blob/master/rrsync.rb http://rubyforge.org/projects/six-rsync/ https://github.com/automateit/automateit http://www.jedi.be/blog/2009/11/17/shell-scripting-dsl-in-ruby/ parallel shell https://github.com/delano/rye https://github.com/adamwiggins/rush ssh keygen https://github.com/duritong/puppet-sshd/blob/master/lib/puppet/parser/functions/ssh_keygen.rb invoke puppet https://github.com/davidwinter/sooty/blob/master/lib/sooty.rb ssh ================================ fingerprints -------------------- ssh-keygen -lf tells you the fingerprint of an encryption key ls -1 /etc/ssh/*key* /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub fetch the public host ida of a bunch of nodes: ssh-keyscan -t rsa ssh certificate authority ---------------------------------- maybe wait off on this: "The certificate cert format seems to have changed between 5.5 and 6.0" search for "ssh-keygen -s" http://blog.habets.pp.se/2011/07/OpenSSH-certificates http://en.community.dell.com/techcenter/b/techcenter/archive/2011/09/08/setting-up-certificate-authority-keys-with-openssh-version-5-4.aspx http://serverfault.com/questions/264515/how-to-revoke-an-ssh-certificate-not-ssh-identity-file agent forwarding --------------------------------- http://lyte.id.au/2012/03/19/ssh-agent-forwarding-is-a-bug/ instead: home$ ssh -o 'ProxyCommand ssh you@hop1 nc %h %p' ssh you@hop2 hop2$ known_hosts ---------------- man sshd, search for known_hosts StrictHostKeyChecking="yes" @revoked -- should we put revoked keys in known_hosts, and when/how... @cert-authority -- should we use it? ruby --------------- ruby net::ssh def generate_key_fingerprint(key) blob = Net::SSH::Buffer.from(:key, key).to_s fingerprint = OpenSSL::Digest::MD5.hexdigest(blob).scan(/../).join(":") [blob, fingerprint] rescue ::Exception => e [nil, "(could not generate fingerprint: #{e.message})"] end def exchange_keys result = send_kexinit verify_server_key(result[:server_key]) session_id = verify_signature(result) confirm_newkeys return { :session_id => session_id, :server_key => result[:server_key], :shared_secret => result[:shared_secret], :hashing_algorithm => digester } end DNS ====================================== problem: we want to be able to refer to the nodes by hostname (in a variety of programs) without requiring an external dns server. idea: simple lightweight ruby dns server -- https://github.com/ioquatix/rubydns another ruby dns server (eventmachine) -- https://github.com/nricciar/em-dns-server modify /etc/resolveconf/resolve.conf.d/tail with nameserver locahost maybe like this: resolveconf -a eth0.leap 'nameserver localhost' the problem is that there is probably already a resolving nameserver living at localhost. linux doesn't appear to have a way to let you specify the port number for dns lookups (unlike bsd). boo a few other possibilies: * alter /etc/hosts * alter dnsmasq to use additional /etc/hosts files (simple switch for this). dnsmasq is running on my desktop, although there is no /etc/dnsmasq. * write a libnss_ruby or something that would let you use a custom db for /etc/nsswitch.conf see http://uw714doc.sco.com/en/SEC_admin/nssover.html ssh solution: ssh -l root -o "HostName=10.9.8.7" -o "HostKeyAlias=server_a" server_a .. MISC ==================== http://skim.la/2012/01/16/rsa-public-key-interoperability-between-ruby-and-android/