extras-buildsys ChangeLog, 1.93, 1.94 README, 1.10, 1.11 plague.spec, 1.20, 1.21
Daniel Williams (dcbw)
fedora-extras-commits at redhat.com
Mon Aug 8 19:11:26 UTC 2005
- Previous message: rpms/libksba/devel libksba-0.9.12.tar.bz2.sig, NONE, 1.1 .cvsignore, 1.4, 1.5 libksba.spec, 1.10, 1.11 sources, 1.4, 1.5 libksba-0.9.11.tar.gz.sig, 1.1, NONE
- Next message: extras-buildsys/utils certhelper.py,NONE,1.1 Makefile,1.4,1.5
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dcbw
Update of /cvs/fedora/extras-buildsys
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9865
Modified Files:
ChangeLog README plague.spec
Log Message:
2005-08-08 Dan Williams <dcbw at redhat.com>
* README
plague.spec
utils/Makefile
utils/certhelper.py
- Make creation of SSL certificates not suck
Index: ChangeLog
===================================================================
RCS file: /cvs/fedora/extras-buildsys/ChangeLog,v
retrieving revision 1.93
retrieving revision 1.94
diff -u -r1.93 -r1.94
--- ChangeLog 8 Aug 2005 02:55:24 -0000 1.93
+++ ChangeLog 8 Aug 2005 19:11:24 -0000 1.94
@@ -1,3 +1,11 @@
+2005-08-08 Dan Williams <dcbw at redhat.com>
+
+ * README
+ plague.spec
+ utils/Makefile
+ utils/certhelper.py
+ - Make creation of SSL certificates not suck
+
2005-08-07 Dan Williams <dcbw at redhat.com>
Play nicely when running more than one builder instance on the same
Index: README
===================================================================
RCS file: /cvs/fedora/extras-buildsys/README,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- README 4 Aug 2005 20:24:06 -0000 1.10
+++ README 8 Aug 2005 19:11:24 -0000 1.11
@@ -223,8 +223,7 @@
The Certificates on the Server:
-config_opts['server_cert'] -> server SSL certificate
-config_opts['server_key'] -> server private key
+config_opts['server_key_and_cert'] -> server SSL certificate and private key
config_opts['ca_cert'] -> CA certificate used to sign both server and builder
certificates
config_opts['ui_ca_cert'] -> CA cert that signs package maintainer's
@@ -232,84 +231,116 @@
plague-clients are authorized
The Certificates on the Builders:
-config_opts['client_cert'] -> builder SSL certificate
-config_opts['client_key'] -> builder private key
+config_opts['builder_key_and_cert'] -> builder SSL certificate and private key
config_opts['ca_cert'] -> _same_ as server's 'ca_cert', the CA certificate
used to sign both server and builder certificates
-Package Maintainer certificates (used by /usr/bin/plague-client,
-from ~/.plague-client.cfg)
-server-ca-cert -> _same_ as server and client's 'ca_cert'
-user-ca-cert -> CA cert that signed the package maintainer's 'user-cert'
-user-key -> package maintainer's private key, can be blank if private key and
- certificate are in the same file
-user-cert -> package maintainer's certificate, signed by 'user-ca-cert' and
- sent to build server to validate the plague-client's connection
+Setting up the Certificates:
+A tool called "certhelper.py" is included in the utils/ directory, or
+possibly as /usr/bin/plague-certhelper if installed from a package. Here we
+use certhelper.py for either program.
-Setting up the Build System Certificate Authority
-1. Set up the CA directory
-cd <somedir>
-mkdir CA
-cd CA
-mkdir newcerts private
-touch index.txt
-echo '01' > serial
+1. Create the Build System Certificate Authority key and certificate:
+certhelper.py ca --outdir=/etc/plague/ca_dir --name=buildsystem
-2. Generate a BSCA private key:
+After entering the certificate's details, if there are no errors, you end up
+with a self-signed certificate in /etc/plague/ca_dir/buildsystem_ca_cert.pem,
+and a CA private key in /etc/plague/ca_dir/private/buildsystem_ca_key.pem. You
+will need buildsystem_ca_cert.pem later.
-openssl genrsa -out private/ca_key.pem 2048
+2. Create a certificate and key for the build server:
-3. Generate the BSCA certificate
+certhelper.py normal --outdir=/etc/plague/server/certs --name=server \
+ --cadir=/etc/plague/ca_dir --caname=buildsystem
-openssl req -new -x509 -key private/ca_key.pem -out ca_cert.pem \
- -extensions v3_ca -days 3650
+After entering details for the server's certificate, you end up with a combined
+certificate and private key file in /etc/plague/server/certs/,
+server_key_and_cert.pem. Copy the buildsystem_ca_cert.pem file from step 1 into
+/etc/plague/server/certs as well.
+Update the server's config file in /etc/plague/server/CONFIG.py to match the
+absolute path to server_key_and_cert.pem (the 'server_key_and_cert' config
+option) and also the absolute path to buildsystem_ca_cert.pem (the 'ca_cert'
+config option). Both should be based in /etc/plague/server if you follow the
+directions here.
-4. Generate a build server key
+IMPORTANT: make sure only the build server's user (normally root) can read
+server_key_and_cert.pem, since it contains the server's private key.
-cd <somedir>
-mkdir -p buildsystem/server
-cd buildsystem/server
-openssl genrsa -out server_key.pem 2048
+3. For each builder you plan to deploy, you will need to generate a certificate
+for that builder as well.
-5. Generate a build server certificate request
+certhelper.py normal --outdir=/etc/plague/builder/certs --name=builder1 \
+ --cadir=/etc/plague/ca_dir --caname=buildsystem
-openssl req -new -nodes -out server_req.pem -key server_key.pem
+After entering details for the builder's certificate, you end up with a single
+file, /etc/plague/builder/certs/builder1_key_and_cert.pem. By default, the
+plague-builder is set up to look for the file "<hostname>.pem" where <hostname>
+is the host name of the builder machine. You will need to rename the
+builder1_key_and_cert.pem file to the builder's hostname with a .pem extension.
+If the builder is on a separate machine, you will need to copy the certificate
+file to that machine along with the CA's certificate, buildsystem_ca_cert.pem,
+and the server's plain certificate, server_cert.pem.
+Update the builder's config file (normally in /etc/plague/builder/CONFIG.py) to
+match the absolute paths to the builder's key_and_cert file, and to the
+build system CA certificate, buildsystem_ca_cert.pem.
-6. Sign the build server certificate request with the BSCA certificate
+IMPORTANT: make sure only root can read builder1_key_and_cert.pem, since it
+contains the buidler's private key.
-openssl ca -out server_cert.pem -infiles server_req.pem
+------------------
+Package Maintainer Certificates:
-7. For each build client you have, you will need to do the following: generate a
-build client key, certificate request, and sign it:
-cd <somedir>/buildsystem
-mkdir client1
-cd client1
-openssl genrsa -out client1_key.pem 2048
-openssl req -new -nodes -out client1_req.pem -key client1_key.pem
-openssl ca -out client1_cert.pem -infiles client1_req.pem
+Config options from ~/.plague-client.cfg, used by /usr/bin/plague-client:
-8. Use the certificates. You now have certificates for the build server and one
-or more clients. You may add clients using step 7 to create and sign their
-certificate requests.
+server-ca-cert -> _same_ as build server and builder's 'ca_cert'
+user-ca-cert -> CA cert that signed the package maintainer's 'user-cert'
+user-key -> package maintainer's private key, can be blank if private key and
+ certificate are in the same file
+user-cert -> package maintainer's certificate, signed by 'user-ca-cert' and
+ sent to build server to validate the plague-client's connection
-9. Copy server_cert.pem, server_key.pem, and ca_cert.pem to a directory on the
-build server. IMPORTANT: make sure only the build server's user can read
-server_key.pem, since it is the server's private key. Then, modify the
-server's CONFIG.py file and point the respective config options to the _full_
-path to each file.
-10. Copy client1_cert.pem, client1_key.pem, and ca_cert.pem to a direcrory on
-the build client. IMPORTANT: make sure only the build client's user can read
-client1_key.pem, since it is the client's private key. Then, modify the
-client's CONFIG.py file and point the respective config options to the _full_
-path to each file.
+To allow package maintainers to connect and queue up packages, it is best to use
+a completely separate Certificate Authority to sign user certificates. If you
+use the same CA as you use for the build server and builders, any maintainer
+could set up a rogue builder using his/her certificate. To prevent this, create
+a new certificate authority for package maintainer certificates.
+
+1. The procedure closely follows the steps for the build system certificate
+setup. Create the CA in the same way (using a different --outdir and --name of
+course). The *_ca_cert.pem file that certhelper.py spits out should be added to
+the build server's CONFIG.py file for the 'ui_ca_cert' config option. It should
+also be distributed to package maintainers, who enter this certificate in their
+~/.plague-client.cfg file as the 'user-ca-cert' config option.
+
+certhelper.py ca --outdir=/etc/plague/user_ca_dir --name=users
+
+
+2. To create user certificates, do the same steps as for creating builder
+certificates above, except MAKE SURE to enter that user's email address at the
+certificate information entry's "Email Address []:" prompt. This is essential
+for user validation and notification of build status.
+
+certhelper.py normal --outdir=/tmp/user_certs --name=user1 \
+ --cadir=/etc/plague/user_ca_dir --caname=users
+
+Here, certhelper.py will produce a file called user1_key_and_cert.pem in
+/tmp/user_certs. Send this file, along with users_ca_cert.pem and
+buildsystem_ca_cert.pem, to the package maintainer whose email address you
+entered for this certificate. The package maintainer then sets up his/her
+~/.plague-client.cfg to point to the correct files:
+
+'user-ca-cert' => users_ca_cert.pem
+'server-ca-cert' => buildsystem_ca_cert.pem
+'user-cert' => user1_key_and_cert.pem
+'user-key' => should be blank
Index: plague.spec
===================================================================
RCS file: /cvs/fedora/extras-buildsys/plague.spec,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- plague.spec 28 Jul 2005 21:46:05 -0000 1.20
+++ plague.spec 8 Aug 2005 19:11:24 -0000 1.21
@@ -145,6 +145,7 @@
%files utils
%defattr(-, root, root)
%{_bindir}/%{name}-user-manager.py*
+%{_binder}/%{name}-certhelper.py*
%changelog
- Previous message: rpms/libksba/devel libksba-0.9.12.tar.bz2.sig, NONE, 1.1 .cvsignore, 1.4, 1.5 libksba.spec, 1.10, 1.11 sources, 1.4, 1.5 libksba-0.9.11.tar.gz.sig, 1.1, NONE
- Next message: extras-buildsys/utils certhelper.py,NONE,1.1 Makefile,1.4,1.5
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the scm-commits
mailing list