Schema
======================
service:
service_type: [user_service | public_service | internal_service]
Features to add
==========================
templates
--------------------
templates for nodes and services stored in leap_platform
commands:
leap add-service # menu of services, copies from the template
leap add-node # you pick a service among those enabled, then it copies template
deploy
---------------------
leap bootstrap
leap dryrun
leap deploy
key management
-------------------------
leap add-ssh-keypair
leap add-x509-keypair
json validation
------------------------
json validation
http://www.kuwata-lab.com/kwalify/ruby/users-guide.html
useful libraries
================================
notes to myself
user interaction
gli -- http://davetron5000.github.com/gli/rdoc/classes/GLI/DSL.html
sub -- https://github.com/37signals/sub
readline
highline https://github.com/JEG2/highline/tree/master/examples
terminal-tables
rainbow
http://stackoverflow.com/questions/9577718/what-ruby-libraries-should-i-use-for-building-a-console-based-application
testing
aruba -- test for cli
help
gem-man -- install man pages with gems
ronn -- write man pages in markdown
push examples
https://github.com/net-ssh/net-ssh
https://github.com/seattlerb/rake-remote_task
http://docs.seattlerb.org/rake-remote_task/
https://github.com/seattlerb/rake-remote_task/blob/master/lib/rake/remote_task.rb
calling rsync from ruby
https://github.com/RichGuk/rrsync/blob/master/rrsync.rb
http://rubyforge.org/projects/six-rsync/
https://github.com/automateit/automateit
http://www.jedi.be/blog/2009/11/17/shell-scripting-dsl-in-ruby/
parallel shell
https://github.com/delano/rye
https://github.com/adamwiggins/rush
ssh keygen
https://github.com/duritong/puppet-sshd/blob/master/lib/puppet/parser/functions/ssh_keygen.rb
invoke puppet
https://github.com/davidwinter/sooty/blob/master/lib/sooty.rb
ssh
================================
fingerprints
--------------------
ssh-keygen -lf <keyfile> tells you the fingerprint of a key (give it the .pub file)
ls -1 /etc/ssh/*key*
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub
fetch the public host keys of a bunch of nodes:
ssh-keyscan -t rsa <host list>
(keyscan is unauthenticated: compare what it returns against fingerprints recorded out of band, e.g. from the console, before trusting them)
ssh certificate authority
----------------------------------
maybe hold off on this: "The certificate cert format seems to have changed between 5.5 and 6.0"
search for "ssh-keygen -s"
http://blog.habets.pp.se/2011/07/OpenSSH-certificates
http://en.community.dell.com/techcenter/b/techcenter/archive/2011/09/08/setting-up-certificate-authority-keys-with-openssh-version-5-4.aspx
http://serverfault.com/questions/264515/how-to-revoke-an-ssh-certificate-not-ssh-identity-file
agent forwarding
---------------------------------
http://lyte.id.au/2012/03/19/ssh-agent-forwarding-is-a-bug/
instead:
home$ ssh -o 'ProxyCommand ssh you@hop1 nc %h %p' you@hop2
(with OpenSSH 5.4+ the same without needing nc on the hop: -o 'ProxyCommand ssh -W %h:%p you@hop1')
hop2$
known_hosts
----------------
man sshd, search for known_hosts
StrictHostKeyChecking="yes"
@revoked -- should we put revoked keys in known_hosts, and when/how...
@cert-authority -- should we use it?
ruby
---------------
ruby net::ssh (excerpts from the net-ssh gem, kept here for reference)
    # host key fingerprint as net-ssh computes it: serialize the key into its
    # SSH wire blob, then MD5 it into the colon-separated form ssh-keygen prints
    def generate_key_fingerprint(key)
      blob = Net::SSH::Buffer.from(:key, key).to_s
      fingerprint = OpenSSL::Digest::MD5.hexdigest(blob).scan(/../).join(":")
      [blob, fingerprint]
    rescue ::Exception => e
      [nil, "(could not generate fingerprint: #{e.message})"]
    end
    # transport-layer key exchange: send KEXINIT, hand the server host key to the
    # configured host key verifier, check the signature over the exchange hash,
    # then switch to the newly derived keys
    def exchange_keys
      result = send_kexinit
      verify_server_key(result[:server_key])
      session_id = verify_signature(result)
      confirm_newkeys
      return { :session_id => session_id,
               :server_key => result[:server_key],
               :shared_secret => result[:shared_secret],
               :hashing_algorithm => digester }
    end
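Added example (not from this repo or from net-ssh) covering the two things noted above: what the blob that gets fingerprinted actually is, and how to check a key returned by ssh-keyscan against a fingerprint recorded out of band. It uses only Ruby's OpenSSL stdlib, no net-ssh. The MD5 colon form is what ssh-keygen -lf printed before OpenSSH 6.8 (and still prints with -E md5); the SHA256 form is the current default. The sample key is constructed here and is a toy (256-bit modulus), not a real key; the hostname node1.example and the function names are assumptions.

```ruby
require 'openssl'

# Public key wire encoding (RFC 4251): an SSH "string" is a 4-byte big-endian
# length followed by the bytes; an "mpint" is a string holding the big-endian
# two's-complement integer (a leading 0x00 is added when the high bit is set).
def ssh_string(bytes)
  [bytes.bytesize].pack('N') + bytes
end

def ssh_mpint(n)
  raise ArgumentError, 'mpint must be non-negative' if n < 0
  return ssh_string(''.b) if n.zero?
  hex = n.to_s(16)
  hex = '0' + hex if hex.length.odd?
  bytes = [hex].pack('H*')
  bytes = "\x00".b + bytes if bytes.getbyte(0) >= 0x80
  ssh_string(bytes)
end

# The blob behind the base64 in a *.pub / known_hosts / ssh-keyscan line.
# For ssh-rsa it is: string "ssh-rsa", mpint e, mpint n.
def rsa_public_blob(e, n)
  ssh_string('ssh-rsa'.b) + ssh_mpint(e) + ssh_mpint(n)
end

KEY_TYPE_RE = /\A(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))\z/

# Parse one line of ssh-keyscan output, a known_hosts entry (optionally with a
# leading @revoked / @cert-authority marker) or a *.pub file.
def parse_pubkey_line(line)
  fields = line.strip.split(/\s+/)
  marker = fields.shift if fields.first.to_s.start_with?('@')
  # keyscan and known_hosts lines carry a host field first; *.pub lines do not
  fields.shift if fields.size >= 3 && fields[1] =~ KEY_TYPE_RE
  type, b64 = fields[0], fields[1]
  raise ArgumentError, "not a public key line: #{line.inspect}" unless type =~ KEY_TYPE_RE && b64
  blob = b64.unpack1('m0')                      # strict base64: raises on garbage
  wire_type = blob[4, blob[0, 4].unpack1('N')]  # first SSH string inside the blob
  raise ArgumentError, "type #{type} does not match blob (#{wire_type})" unless wire_type == type
  { marker: marker, type: type, blob: blob }
end

# Fingerprints as ssh-keygen -lf prints them: the colon-separated MD5 form used
# before OpenSSH 6.8, and the SHA256 form (unpadded base64) used since.
def fingerprints(blob)
  md5 = OpenSSL::Digest::MD5.hexdigest(blob).scan(/../).join(':')
  sha256 = [OpenSSL::Digest::SHA256.digest(blob)].pack('m0').delete('=')
  { md5: "MD5:#{md5}", sha256: "SHA256:#{sha256}" }
end

# Pin check: compare a scanned key against a fingerprint recorded out of band
# (console, provisioning log) before the line is added to known_hosts.
def host_key_matches?(line, expected_fingerprint)
  fingerprints(parse_pubkey_line(line)[:blob]).values.include?(expected_fingerprint)
end

# Constructed sample (assumption): a toy ssh-rsa key with a 256-bit modulus,
# far too small to be a real key, encoded the way ssh-keyscan prints it.
TOY_BLOB = rsa_public_blob(65_537,
  0xd8f31c2a9b7e4f0653a1c8d2e7f9b04d5a6c3e8f1b2d4c7a9e0f3b5d8c1a2e4f)
TOY_LINE = "node1.example ssh-rsa #{[TOY_BLOB].pack('m0')}"

if __FILE__ == $PROGRAM_NAME
  fingerprints(TOY_BLOB).each_value { |fp| puts fp }
  puts host_key_matches?(TOY_LINE, fingerprints(TOY_BLOB)[:sha256])
end
```

Feed it the real ssh-keyscan lines for the nodes and the fingerprints from each node's console; only lines for which host_key_matches? is true should go into known_hosts.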
DNS
======================================
problem: we want to be able to refer to the nodes by hostname (in a variety of programs) without requiring an external dns server.
idea:
simple lightweight ruby dns server -- https://github.com/ioquatix/rubydns
another ruby dns server (eventmachine) -- https://github.com/nricciar/em-dns-server
modify /etc/resolvconf/resolv.conf.d/tail with
nameserver localhost
maybe like this:
resolvconf -a eth0.leap 'nameserver localhost'
the problem is that there is probably already a resolving nameserver living at localhost.
linux (glibc's resolver) doesn't appear to have a way to let you specify the port number for dns lookups (unlike bsd). boo
a few other possibilities:
* alter /etc/hosts
* alter dnsmasq to use additional /etc/hosts files (simple switch for this). dnsmasq is running on my desktop, although there is no /etc/dnsmasq.
* write a libnss_ruby or something that would let you use a custom db for /etc/nsswitch.conf
see http://uw714doc.sco.com/en/SEC_admin/nssover.html
ssh solution:
ssh -l root -o "HostName=10.9.8.7" -o "HostKeyAlias=server_a" server_a
..
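Added example (not leap_cli's own code) of the ssh solution above generalized to a whole node list: render an ssh_config with one Host stanza per node and rewrite ssh-keyscan output into known_hosts entries keyed by the node name. Because HostKeyAlias makes ssh look the key up under the alias, the pinned key stays bound to the node even when its address changes. The inventory, the keyscan output and the key blobs are constructed here; the path ~/.leap/known_hosts and the function names are assumptions.

```ruby
# Constructed inventory (assumption): node name => address.
NODES = {
  'server_a' => '10.9.8.7',
  'server_b' => '10.9.8.8',
}

# One Host stanza per node. HostName does the name->IP mapping on the ssh side
# (no DNS needed); HostKeyAlias makes ssh verify against the known_hosts entry
# for the node name rather than for the IP; StrictHostKeyChecking yes refuses
# unknown or changed keys instead of prompting.
def ssh_config_for(nodes, user: 'root', known_hosts: '~/.leap/known_hosts')
  nodes.map do |name, ip|
    <<~STANZA
      Host #{name}
        HostName #{ip}
        HostKeyAlias #{name}
        User #{user}
        UserKnownHostsFile #{known_hosts}
        StrictHostKeyChecking yes
    STANZA
  end.join("\n")
end

# Turn `ssh-keyscan -t rsa <ip> ...` output into known_hosts lines keyed by the
# alias. A key for an address that is not in the inventory is an error rather
# than something to pin silently; keyscan's "# host" comments are skipped.
def known_hosts_from_keyscan(nodes, keyscan_output)
  by_ip = nodes.invert
  keyscan_output.each_line.with_object([]) do |line, out|
    next if line.start_with?('#') || line.strip.empty?
    ip, type, b64 = line.split(/\s+/, 3)
    name = by_ip.fetch(ip) { raise "keyscan returned a key for unknown address #{ip}" }
    out << "#{name} #{type} #{b64.strip}"
  end.join("\n") + "\n"
end

# Constructed keyscan output (assumption): the base64 is a placeholder, not a real key.
SAMPLE_KEYSCAN = <<~OUT
  # 10.9.8.7:22 SSH-2.0-OpenSSH_6.0p1
  10.9.8.7 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQDEXAMPLEKEYBLOB
  # 10.9.8.8:22 SSH-2.0-OpenSSH_6.0p1
  10.9.8.8 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQDANOTHERKEYBLOB
OUT

if __FILE__ == $PROGRAM_NAME
  puts ssh_config_for(NODES)
  puts known_hosts_from_keyscan(NODES, SAMPLE_KEYSCAN)
end
```

Usage: write the first output to a config file and pass it with ssh -F, write the second to the UserKnownHostsFile named in it; after that `ssh server_a` resolves, connects and verifies without DNS or /etc/hosts changes.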
MISC
====================
http://skim.la/2012/01/16/rsa-public-key-interoperability-between-ruby-and-android/