summaryrefslogtreecommitdiff
path: root/DEVNOTES
blob: 5ba2854f52cc6d71a616adccc241b770a6102c57 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
Schema
======================

service:
  service_type: [user_service | public_service | internal_service]


Features to add
==========================

templates
--------------------

templates for nodes and services stored in leap_platform

commands:

    leap add-service   # menu of services, copies from the template
    leap add-node      # you pick a service among those enabled, then it copies template

deploy
---------------------

    leap bootstrap
    leap dryrun
    leap deploy

key management
-------------------------

    leap add-ssh-keypair
    leap add-x509-keypair

json validation
------------------------

json validation
http://www.kuwata-lab.com/kwalify/ruby/users-guide.html


useful liberaries
================================

notes to myself

user interaction
  gli -- http://davetron5000.github.com/gli/rdoc/classes/GLI/DSL.html
  sub -- https://github.com/37signals/sub
  readline
  highline  https://github.com/JEG2/highline/tree/master/examples
  terminal-tables
  rainbow
  http://stackoverflow.com/questions/9577718/what-ruby-libraries-should-i-use-for-building-a-console-based-application

testing
  aruba -- test for cli

help
  gem-man -- install man pages with gems
  ronn -- write man pages in markdown

push examples

  https://github.com/net-ssh/net-ssh
  https://github.com/seattlerb/rake-remote_task
    http://docs.seattlerb.org/rake-remote_task/
    https://github.com/seattlerb/rake-remote_task/blob/master/lib/rake/remote_task.rb
  calling rsync from ruby
    https://github.com/RichGuk/rrsync/blob/master/rrsync.rb
    http://rubyforge.org/projects/six-rsync/
  https://github.com/automateit/automateit
  http://www.jedi.be/blog/2009/11/17/shell-scripting-dsl-in-ruby/
  parallel shell
    https://github.com/delano/rye
    https://github.com/adamwiggins/rush

ssh keygen
  https://github.com/duritong/puppet-sshd/blob/master/lib/puppet/parser/functions/ssh_keygen.rb

invoke puppet
  https://github.com/davidwinter/sooty/blob/master/lib/sooty.rb


ssh
================================

fingerprints
--------------------

ssh-keygen -lf <keyfile> tells you the fingerprint of an encryption key

  ls -1 /etc/ssh/*key*
  /etc/ssh/ssh_host_dsa_key
  /etc/ssh/ssh_host_dsa_key.pub
  /etc/ssh/ssh_host_rsa_key
  /etc/ssh/ssh_host_rsa_key.pub

fetch the public host ida of a bunch of nodes:
  ssh-keyscan -t rsa <host list>

ssh certificate authority
----------------------------------

maybe wait off on this: "The certificate cert format seems to have changed between 5.5 and 6.0"

search for "ssh-keygen -s"

http://blog.habets.pp.se/2011/07/OpenSSH-certificates
http://en.community.dell.com/techcenter/b/techcenter/archive/2011/09/08/setting-up-certificate-authority-keys-with-openssh-version-5-4.aspx
http://serverfault.com/questions/264515/how-to-revoke-an-ssh-certificate-not-ssh-identity-file

agent forwarding
---------------------------------

http://lyte.id.au/2012/03/19/ssh-agent-forwarding-is-a-bug/

instead:

  home$ ssh -o 'ProxyCommand ssh you@hop1 nc %h %p' ssh you@hop2
  hop2$



known_hosts
----------------

man sshd, search for known_hosts

StrictHostKeyChecking="yes"

@revoked -- should we put revoked keys in known_hosts, and when/how...

@cert-authority -- should we use it?

ruby
---------------

ruby net::ssh

      def generate_key_fingerprint(key)
        blob = Net::SSH::Buffer.from(:key, key).to_s
        fingerprint = OpenSSL::Digest::MD5.hexdigest(blob).scan(/../).join(":")

        [blob, fingerprint]
      rescue ::Exception => e
        [nil, "(could not generate fingerprint: #{e.message})"]
      end

      def exchange_keys
        result = send_kexinit
        verify_server_key(result[:server_key])
        session_id = verify_signature(result)
        confirm_newkeys

        return { :session_id        => session_id,
                 :server_key        => result[:server_key],
                 :shared_secret     => result[:shared_secret],
                 :hashing_algorithm => digester }
      end

DNS
======================================

problem: we want to be able to refer to the nodes by hostname (in a variety of programs) without requiring an external dns server.

idea:

   simple lightweight ruby dns server -- https://github.com/ioquatix/rubydns
   another ruby dns server (eventmachine) -- https://github.com/nricciar/em-dns-server

   modify /etc/resolveconf/resolve.conf.d/tail with
     nameserver locahost
   maybe like this:
     resolveconf -a eth0.leap 'nameserver localhost'

   the problem is that there is probably already a resolving nameserver living at localhost.
   linux doesn't appear to have a way to let you specify the port number for dns lookups (unlike bsd). boo

   a few other possibilies:
   * alter /etc/hosts
   * alter dnsmasq to use additional /etc/hosts files (simple switch for this). dnsmasq is running on my desktop, although there is no /etc/dnsmasq.
   * write a libnss_ruby or something that would let you use a custom db for /etc/nsswitch.conf
     see http://uw714doc.sco.com/en/SEC_admin/nssover.html

ssh solution:

  ssh -l root -o "HostName=10.9.8.7" -o "HostKeyAlias=server_a" server_a
..


MISC
====================

http://skim.la/2012/01/16/rsa-public-key-interoperability-between-ruby-and-android/