[Fedora-packaging] Guideline Draft: Service First-Time Setup

Stephen Gallagher sgallagh at redhat.com
Tue Mar 3 13:31:40 UTC 2015


I've been working on a new package guidelines draft[1] for dealing 
with packages that provide a service and need some level of first-time 
configuration before the service can run.

One of the issues we're dealing with in the world of Fedora Atomic and 
other environments where VMs or systems are cloned is the issue of 
keeping system-specific data out of those clones. In particular, we 
want to make sure that clones of a system don't have the same private 
keys or certificates as their siblings.

Classically, the way that many services set up this configuration is 
during the %post phase of RPM installation; they create whatever 
certificates, etc. they need at this time and then the service will 
run when it is started. Admins will set up their systems with the 
packages they want and then run a tool like virt-sysprep to clear out 
system-specific information. The problem with this approach is that in 
many cases, this results in a system that cannot run many of its 
services without additional steps being taken on the new cloned VM to 
re-generate these components.

This proposed set of guidelines provides two major new changes to this 
process:

1) It requires that all system-specific generated files are moved into 
the service start itself and out of %post. This means that any time 
the files needed are not present, they are generated at service start 
time.

2) It provides a detailed description of a secure process to produce 
"self-signed" service certificates for bootstrapping the services. 
This follows a newer approach to generating certificates that allows 
safe importing of the certificates for use on the local system (and 
even for sharing that certificate with other machines in the event 
that a proper certificate chain is unavailable, such as in many 
non-production environments).

Once these guidelines are approved, I will also be developing helper 
scripts to accomplish the certificate generation so that packagers 
will have an easier time following this guideline.

The OpenSSL portions of this guideline were written by me and reviewed 
by Kai Engert and Miloslav Trmac. The NSS portions were written by Kai 
Engert and reviewed by myself and Miloslav Trmac.

I opened an FPC ticket[2] to track this as well.

[1] https://fedoraproject.org/wiki/User:Sgallagh/FirstTimeSetupDraft
[2] https://fedorahosted.org/fpc/ticket/506
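Added example, not part of the original message or of the linked draft: a sketch of change 1), where system-specific material is created at service start only when it is absent, so a clone that was wiped by a tool like virt-sysprep gets fresh material on its next start. The names `ensure_generated` and `gen_secret` and the path in the usage comment are hypothetical, and a random secret stands in for the draft's certificate procedure, which is not reproduced on this page.

```shell
#!/bin/sh
# ensure_generated PATH CMD [ARGS...]
# Runs CMD with a temporary output path appended, but only when PATH is
# missing or empty. Intended to be called before the service starts
# (for example from a pre-start step), never from %post.
ensure_generated() {
    target=$1; shift
    # Already provisioned: leave existing or admin-supplied material alone.
    [ -s "$target" ] && return 0
    dir=$(dirname "$target")
    old_umask=$(umask)
    umask 077                    # output is private from the moment it exists
    mkdir -p "$dir" || { umask "$old_umask"; return 1; }
    tmp=$(mktemp "$dir/.firstboot.XXXXXX") || { umask "$old_umask"; return 1; }
    if "$@" "$tmp" && [ -s "$tmp" ]; then
        # Atomic rename: the service never sees a half-written file.
        mv -f "$tmp" "$target"
        rc=$?
    else
        # Generator failed or wrote nothing: leave no partial file behind.
        rm -f "$tmp"
        rc=1
    fi
    umask "$old_umask"
    return $rc
}

# Hypothetical generator: 32 random bytes, hex-encoded, written to $1.
gen_secret() {
    head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n' > "$1"
}

# Usage (hypothetical path):
#   ensure_generated /etc/myservice/secret.key gen_secret
```

Because the check happens on every start, deleting the file on the image before cloning is enough for each clone to come up with its own value.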