I've been working on a new package guidelines draft[1] for dealing
with packages that provide a service and need some level of first-time
configuration before the service can run.

One of the issues we're dealing with in the world of Fedora Atomic and
other environments where VMs or systems are cloned is the issue of
keeping system-specific data out of those clones. In particular, we
want to make sure that clones of a system don't have the same private
keys or certificates as their siblings.

Classically, the way that many services set up this configuration is
during the %post phase of RPM installation; they create whatever
certificates, etc. they need at this time and then the service will
run when it is started. Admins will set up their systems with the
packages they want and then run a tool like virt-sysprep to clear out
system-specific information. The problem with this approach is that in
many cases, this results in a system that cannot run many of its
services without additional steps being taken on the new cloned VM to
re-generate these components.
This proposed set of guidelines provides two major new changes to this
process:

1) It requires that all system-specific generated files are moved into
the service start itself and out of %post. This means that any time
the files needed are not present, they are generated at service start
time.

2) It provides a detailed description of a secure process to produce
"self-signed" service certificates for bootstrapping the services.
This follows a newer approach to generating certificates that allows
safe importing of the certificates for use on the local system (and
even for sharing that certificate with other machines in the event
that a proper certificate chain is unavailable, such as many
non-production environments).
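As an added example (not the author's forthcoming helper and not the draft's documented process), here is the service-start check from point 1 combined with a minimal OpenSSL self-signed bootstrap in the spirit of point 2; the directory layout, file names and the idea of calling it from the unit's ExecStartPre are assumptions.

```shell
#!/bin/sh
# Added example (not the draft's script): a first-start helper that creates a
# per-instance self-signed service certificate only when one is absent, so a
# cloned image whose key was removed by sysprep regenerates its own on start.
# The directory layout and file names below are assumed for illustration.
set -eu

# Prints "generated" when a fresh key/cert pair was created, "existing" when
# a complete pair was already present. A half-present pair is treated as absent.
ensure_service_cert() {
    dir=$1
    key="$dir/server.key"
    cert="$dir/server.crt"
    if [ -s "$key" ] && [ -s "$cert" ]; then
        echo existing
        return 0
    fi
    rm -f "$key" "$cert"
    # The private key is written under a restrictive umask inside a subshell
    # so the caller's umask is left untouched.
    (
        umask 077
        mkdir -p "$dir"
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj "/CN=$(uname -n)" \
            -keyout "$key" -out "$cert" >/dev/null 2>&1
    )
    echo generated
}

# SHA-256 fingerprint of a certificate; two clones that each ran
# ensure_service_cert on an empty directory must differ here.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Invoked (assumed) from the unit's ExecStartPre with the config directory.
if [ $# -ge 1 ]; then
    ensure_service_cert "$1"
fi
```

Because generation happens at start rather than in %post, a clone that was cleaned with virt-sysprep ends up with a key and fingerprint distinct from the image it was copied from.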
Once these guidelines are approved, I will also be developing helper
scripts to accomplish the certificate generation so that packagers
will have an easier time following this guideline.

The OpenSSL portions of this guideline were written by me and reviewed
by Kai Engert and Miloslav Trmac. The NSS portions were written by Kai
Engert and reviewed by myself and Miloslav Trmac.

I opened an FPC ticket[2] to track this as well.
[1] https://fedoraproject.org/wiki/User:Sgallagh/FirstTimeSetupDraft
[2] https://fedorahosted.org/fpc/ticket/506