| author | Joey Hess <joeyh@debian.org> | 2014-07-09 22:11:31 -0400 |
|---|---|---|
| committer | Joey Hess <joeyh@debian.org> | 2014-07-09 22:11:31 -0400 |
| commit | 82da31b3e0e9acdfbca4c48eb12ab1f28515ba10 (patch) | |
| tree | 0a3e0c6e134680e35665364b2cd6895863bcc990 /doc | |
propellor (0.8.1) unstable; urgency=medium
* Run apt-get update in initial bootstrap.
* --list-fields now includes a table of fields that are not currently set,
but would be used if they got set.
* Remove .gitignore from cabal file list, to avoid build failure on Debian.
Closes: #754334
# imported from the archive
Diffstat (limited to 'doc')
30 files changed, 585 insertions, 0 deletions
diff --git a/doc/README.mdwn b/doc/README.mdwn new file mode 100644 index 00000000..71b265f5 --- /dev/null +++ b/doc/README.mdwn 
@@ -0,0 +1,71 @@ +[Propellor](https://propellor.branchable.com/) is a +configuration management system using Haskell and Git. +Each system has a list of properties, which Propellor ensures +are satisfied. + +Propellor is configured via a git repository, which typically lives +in `~/.propellor/` on your development machine. Propellor clones the +repository to each host it manages, in a +[secure](http://propellor.branchable.com/security/) way. The git repository +contains the full source code to Propellor, along with its config file. + +Properties are defined using Haskell. Edit `~/.propellor/config.hs` +to get started. There is fairly complete +[API documentation](http://hackage.haskell.org/package/propellor/), +which includes many built-in Properties for dealing with +[Apt](http://hackage.haskell.org/package/propellor/docs/Propellor-Property-Apt.html) +and +[Apache](http://hackage.haskell.org/package/propellor/docs/Propellor-Property-Apache.html) +, +[Cron](http://hackage.haskell.org/package/propellor/docs/Propellor-Property-Cron.html) +and +[Commands](http://hackage.haskell.org/package/propellor/docs/Propellor-Property-Cmd.html) +, +[Dns](http://hackage.haskell.org/package/propellor/docs/Propellor-Property-Dns.html) +and +[Docker](http://hackage.haskell.org/package/propellor/docs/Propellor-Property-Docker.html), etc. + +There is no special language as used in puppet, chef, ansible, etc.. just +the full power of Haskell. Hopefully that power can be put to good use in +making declarative properties that are powerful, nicely idempotent, and +easy to adapt to a system's special needs! + +If using Haskell to configure Propellor seems intimidating, +see [configuration for the Haskell newbie](https://propellor.branchable.com/haskell_newbie/). + +## quick start + +1. Get propellor installed + `cabal install propellor` + or + `apt-get install propellor` +2. Run propellor for the first time. It will set up a `~/.propellor/` git + repository for you. +3. 
If you don't have a gpg private key already, generate one: `gpg --gen-key` +4. Run: `propellor --add-key $KEYID`, which will make propellor trust + your gpg key, and will sign your `~/.propellor` repository using it. +5. `cd ~/.propellor/`; use git to push the repository to a central + server (github, or your own git server). Configure that central + server as the origin remote of the repository. +6. Edit `~/.propellor/config.hs`, and add a host you want to manage. + You can start by not adding any properties, or only a few. +7. Pick a host and run: `propellor --spin $HOST` +8. Now you have a simple propellor deployment, but it doesn't do + much to the host yet, besides installing propellor. + + So, edit `~/.propellor/config.hs` to configure the host (maybe + start with a few simple properties), and re-run step 7. + Repeat until happy and move on to the next host. :) +9. To move beyond manually running `propellor --spin` against hosts + when you change their properties, add a property to your hosts + like: `Cron.runPropellor "30 * * * *"` + + Now they'll automatically update every 30 minutes, and you can + `git commit -S` and `git push` changes that affect any number of + hosts. +10. Write some neat new properties and send patches to <propellor@joeyh.name>! + +## debugging + +Set `PROPELLOR_DEBUG=1` to make propellor print out all the commands it runs +and any other debug messages that Properties choose to emit. diff --git a/doc/comments.mdwn b/doc/comments.mdwn new file mode 100644 index 00000000..e19962b9 --- /dev/null +++ b/doc/comments.mdwn @@ -0,0 +1,9 @@ +[[!sidebar content=""" +[[!inline pages="comment_pending(*)" feedfile=pendingmoderation +description="comments pending moderation" show=-1]] +Comments in the [[!commentmoderation desc="moderation queue"]]: +[[!pagecount pages="comment_pending(*)"]] +"""]] + +Recent comments posted to this site: +[[!inline pages="comment(*)" template="comment"]] 
diff --git a/doc/forum.mdwn b/doc/forum.mdwn new file mode 100644 index 00000000..414b335d --- /dev/null +++ b/doc/forum.mdwn @@ -0,0 +1,4 @@ +This is a place to discuss using propellor, share tips and tricks, etc. +If you need help, advice, or anything, post about it here. + +[[!inline pages="forum/* and !*/Discussion" archive=yes rootpage=forum postformtext="Add a new thread titled:"]] diff --git a/doc/forum/cabal_install_problem.mdwn b/doc/forum/cabal_install_problem.mdwn new file mode 100644 index 00000000..50525e03 --- /dev/null +++ b/doc/forum/cabal_install_problem.mdwn @@ -0,0 +1,5 @@ +I just did a cabal install of propellor + +The binaries it installs are called wrapper and config, although the makefile/documentation say that at least one of them should be called propellor. + +Is this correct? diff --git a/doc/forum/cabal_install_problem/comment_1_2201805f80683575c4675e3268dfabc0._comment b/doc/forum/cabal_install_problem/comment_1_2201805f80683575c4675e3268dfabc0._comment new file mode 100644 index 00000000..4cd56232 --- /dev/null +++ b/doc/forum/cabal_install_problem/comment_1_2201805f80683575c4675e3268dfabc0._comment @@ -0,0 +1,8 @@ +[[!comment format=mdwn + username="http://joeyh.name/" + ip="2001:4830:1600:187::2" + subject="comment 1" + date="2014-06-09T16:34:29Z" + content=""" +wrapper should be named propellor. This is fixed in git. +"""]] diff --git a/doc/forum/remote.origin_not_copied_to_managed_host__63__.mdwn b/doc/forum/remote.origin_not_copied_to_managed_host__63__.mdwn new file mode 100644 index 00000000..6efdbae8 --- /dev/null +++ b/doc/forum/remote.origin_not_copied_to_managed_host__63__.mdwn 
@@ -0,0 +1,95 @@ +The only remote which seems to be copied to /root/.propellor/.git/config is upstream... My /home/user/.propellor/.git/config contains a "origin" remote, but this part (as well as the master branch part) of my git config is not copied to the /root/.propellor/.git/config of a host I'm trying to manage... + +propellor fails with the following message: + + user@laptop:~$ PROPELLOR_DEBUG=1 propellor --spin laptop.localdomain + if ! cabal build; then cabal configure; cabal build; fi + Building propellor-0.5.0... + Preprocessing library propellor-0.5.0... + In-place registering propellor-0.5.0... + Preprocessing executable 'propellor' for propellor-0.5.0... + Preprocessing executable 'config' for propellor-0.5.0... + ln -sf dist/build/config/config propellor + + + [2014-04-21 18:07:45 CEST] command line: Spin "laptop.localdomain" + [2014-04-21 18:07:45 CEST] call: make ["build"] + if ! cabal build; then cabal configure; cabal build; fi + Building propellor-0.5.0... + Preprocessing library propellor-0.5.0... + In-place registering propellor-0.5.0... + Preprocessing executable 'propellor' for propellor-0.5.0... + Preprocessing executable 'config' for propellor-0.5.0... + ln -sf dist/build/config/config propellor + Propellor build ... done + [2014-04-21 18:07:48 CEST] read: git ["config","remote.deploy.url"] + [2014-04-21 18:07:48 CEST] read: git ["config","remote.origin.url"] + [2014-04-21 18:07:48 CEST] call: git ["commit","--gpg-sign","--allow-empty","-a","-m","propellor spin"] + + You need a passphrase to unlock the secret key for + ... + + [master ee393d6] propellor spin + [2014-04-21 18:07:48 CEST] call: git ["push"] + Counting objects: 1, done. + Writing objects: 100% (1/1), 852 bytes | 0 bytes/s, done. 
+ Total 1 (delta 0), reused 0 (delta 0) + To git@remote-origin:propellor.git + 16a1f8b..ee393d6 master -> master + [2014-04-21 18:08:21 CEST] chat: ssh ["-o","ControlPath=/home/user/.ssh/propellor/laptop.localdomain.sock","-o","ControlMaster=auto","-o","ControlPersist=yes","root@laptop.localdomain","sh -c 'if [ ! -d /usr/local/propellor ] ; then apt-get --no-install-recommends --no-upgrade -y install git make && echo STATUSNeedGitClone ; else cd /usr/local/propellor && if ! test -x ./propellor; then make deps build; fi && ./propellor --boot laptop.localdomain ; fi'"] + Initialized empty Git repository in /root/.propellor/.git/ + warning: no common commits + From https://github.com/joeyh/propellor + * [new branch] joeyconfig -> upstream/joeyconfig + * [new branch] master -> upstream/master + * [new branch] setup -> upstream/setup + * [new tag] 0.1 -> 0.1 + * [new tag] 0.1.1 -> 0.1.1 + * [new tag] 0.1.2 -> 0.1.2 + * [new tag] 0.2.0 -> 0.2.0 + * [new tag] 0.2.1 -> 0.2.1 + * [new tag] 0.2.2 -> 0.2.2 + * [new tag] 0.2.3 -> 0.2.3 + * [new tag] 0.3.0 -> 0.3.0 + * [new tag] 0.3.1 -> 0.3.1 + * [new tag] 0.4.0 -> 0.4.0 + * [new tag] 0.5.0 -> 0.5.0 + * [new tag] debian/0.3.1 -> debian/0.3.1 + * [new tag] debian/0.4.0 -> debian/0.4.0 + * [new tag] debian/0.5.0 -> debian/0.5.0 + Merge made by the 'ours' strategy. + if [ "cabal" = ./Setup ]; then ghc --make Setup; fi + cabal configure + Warning: The package list for 'hackage.haskell.org' does not exist. Run 'cabal + update' to download it. + Resolving dependencies... + Configuring propellor-0.5.0... + if ! cabal build; then cabal configure; cabal build; fi + Building propellor-0.5.0... + Preprocessing executable 'propellor' for propellor-0.5.0... + [ 1 of 14] Compiling Utility.Env ( Utility/Env.hs, dist/build/propellor/propellor-tmp/Utility/Env.o ) + ... + [14 of 14] Compiling Main ( propellor.hs, dist/build/propellor/propellor-tmp/Main.o ) + Linking dist/build/propellor/propellor ... + Preprocessing library propellor-0.5.0... 
+ [ 1 of 58] Compiling Utility.QuickCheck ( Utility/QuickCheck.hs, dist/build/Utility/QuickCheck.o ) + ... + [58 of 58] Compiling Propellor.CmdLine ( Propellor/CmdLine.hs, dist/build/Propellor/CmdLine.o ) + In-place registering propellor-0.5.0... + Preprocessing executable 'config' for propellor-0.5.0... + [ 1 of 44] Compiling Utility.QuickCheck ( Utility/QuickCheck.hs, dist/build/config/config-tmp/Utility/QuickCheck.o ) + ... + [44 of 44] Compiling Main ( config.hs, dist/build/config/config-tmp/Main.o ) + Linking dist/build/config/config ... + ln -sf dist/build/config/config propellor + fatal: No remote repository specified. Please, specify either a URL or a + remote name from which new revisions should be fetched. + Git fetch ... failed + merge: origin/master - not something we can merge + propellor: /usr/local/propellor/.lock: openFd: does not exist (No such file or directory) + Setting up your propellor repo in /root/.propellor + + + + ** error: protocol error (perhaps the remote propellor failed to run?) + propellor: user error (ssh ["-o","ControlPath=/home/user/.ssh/propellor/laptop.localdomain.sock","-o","ControlMaster=auto","-o","ControlPersist=yes","root@laptop.localdomain","sh -c 'if [ ! -d /usr/local/propellor ] ; then apt-get --no-install-recommends --no-upgrade -y install git make && echo STATUSNeedGitClone ; else cd /usr/local/propellor && if ! test -x ./propellor; then make deps build; fi && ./propellor --boot laptop.localdomain ; fi'"] exited 1) diff --git a/doc/forum/remote.origin_not_copied_to_managed_host__63__/comment_1_e9e7e5e728ec23fd6025203a1aa0596b._comment b/doc/forum/remote.origin_not_copied_to_managed_host__63__/comment_1_e9e7e5e728ec23fd6025203a1aa0596b._comment new file mode 100644 index 00000000..df403694 --- /dev/null +++ b/doc/forum/remote.origin_not_copied_to_managed_host__63__/comment_1_e9e7e5e728ec23fd6025203a1aa0596b._comment 
@@ -0,0 +1,25 @@ +[[!comment format=mdwn + username="http://joeyh.name/" + ip="209.250.56.114" + subject="comment 1" + date="2014-04-24T17:47:41Z" + content=""" +I tried using propellor from scratch on a fresh system, and I cannot reproduce this problem. + +/root/.propellor should only be created if /usr/bin/propellor is run as root. A normal use of propellor does not run /usr/bin/propellor as root (and your commands don't show you doing that). + +This is the instant where something unexplained happens: + +<pre> +[2014-04-21 18:08:21 CEST] chat: ssh [\"-o\",\"ControlPath=/home/user/.ssh/propellor/laptop.localdomain.sock\",\"-o\",\"ControlMaster=auto\",\"-o\",\"ControlPersist=yes\",\"root@laptop.localdomain\",\"sh -c 'if [ ! -d /usr/local/propellor ] ; then apt-get --no-install-recommends --no-upgrade -y install git make && echo STATUSNeedGitClone ; else cd /usr/local/propellor && if ! test -x ./propellor; then make deps build; fi && ./propellor --boot laptop.localdomain ; fi'\"] +Initialized empty Git repository in /root/.propellor/.git/ +</pre> + +It ssh's in, and it apparently runs propellor. But apparently without running \"make deps build\" first, which is weird. (And as we see later, without /usr/local/propellor existing at all, which is weirder!) +The ./propellor (in /usr/local/propellor) that it's supposed to run should be a symlink to dist/build/config/config, which is the program built from config.hs. It's not the same program as /usr/bin/propellor, which is a wrapper build from propellor.hs. However, it appears that in your case, when it sshed in, it ran /usr/bin/propellor, or something that behaves a lot like it.. + +My guesses: + +1. Perhaps you modified the source tree in some strange way. (Doubtful) +2. Perhaps you have some other configuration, eg a ssh authorized keys file for root with a forced command that runs /usr/bin/propellor. This will defeat propellor's own bootstrap code, and would exactly explain what you pasted. +"""]] 
diff --git a/doc/haskell_newbie.mdwn b/doc/haskell_newbie.mdwn new file mode 100644 index 00000000..f1a81e40 --- /dev/null +++ b/doc/haskell_newbie.mdwn 
@@ -0,0 +1,120 @@ +[[!meta title="Propellor configuration for the Haskell newbie"]] + +Propellor's config file is written in Haskell, and +[Haskell](http://www.haskell.org/) is invaluable to extend Propellor with +your own custom properties. But you don't need to know about monads to +configure Propellor! + +Let's take a quick tour of the `config.hs` file.. + +[[!format haskell """ +-- | This is the main configuration file for Propellor, and is used to build +-- the propellor program. +"""]] + +So, `-- ` starts a comment in this file. + +[[!format haskell """ +import Propellor +import Propellor.CmdLine +import qualified Propellor.Property.File as File +import qualified Propellor.Property.Apt as Apt +import qualified Propellor.Property.User as User +import qualified Propellor.Property.Cron as Cron +"""]] + +This loads up Propellor's modules. You'll almost certainly want these; +many more can be found in the [API documentation](http://hackage.haskell.org/package/propellor). + +[[!format haskell """ +main :: IO () +main = defaultMain hosts +"""]] + +This config file *is* the Propellor program, and so it needs a little +stub to go run itself. No need to ever change this part. +`hosts` is the list of hosts that you configure, and it comes next: + +[[!format haskell """ +-- The hosts propellor knows about. +-- Edit this to configure propellor! +hosts :: [Host] +hosts = + [ host "mybox.example.com" + & os (System (Debian Unstable) "amd64") + & Apt.stdSourcesList + , host "server.example.com" + & os (System (Debian Stable) "amd64") + & Apt.stdSourcesList + & Apt.installed ["ssh"] + ] +"""]] + +This defines a list of hosts, with two hosts in it. + +The configuration for the mybox host first tells propellor what +OS it's running. Then the `stdSourcesList` line tells propellor to +configure its `/etc/apt/sources.list`, using its OS. +(Of course you might want to change that `Unstable` to `Stable`.) + +Each property of the host is prefixed with an "&" operator. 
This just makes +a list of properties. + +Some other properties you may find in your config.hs, or want to add: + +[[!format haskell """ + & Apt.unattendedUpgrades + & User.hasSomePassword "root" + & "/etc/default/foodaemon" `File.containsLine` "ENABLED=yes" + & Cron.runPropellor "30 * * * *" +"""]] + +Some of these properties can be reverted -- this makes Propellor undo whatever +effects they might have. For example, unattended upgrades can be scary, so +maybe you turned that on, but want to disable it now. To do so, just change +the "&" to a "!" + +[[!format haskell """ + ! Apt.unattendedUpgrades +"""]] + +Some properties cannot be reverted. Yet. It takes coding to implement +revertability. If you try to revert a property that does not support +reversion, propellor will **fail to compile**! This is a good thing.. +it avoids you getting confused or bad things happening. + +The error message when this happens might look a little scary. But if +you read through it, it's remarkably precise about what and where the problem +is. + +<pre> +config.hs:30:19: + Couldn't match expected type `RevertableProperty' + with actual type `Property' + In the return type of a call of `Apt.installed' + In the second argument of `(!)', namely `Apt.installed ["ssh"]' + In the first argument of `(&)', namely + `host "mybox.example.com" & Apt.stdSourcesList Unstable + & Apt.unattendedUpgrades + ! Apt.installed ["ssh"]' +</pre> + +Similarly, if you make a typo in the config file, you'll probably get a long +but informative error message. + +<pre> +config.hs:27:19: + Not in scope: `Apt.standardSourcesList' + Perhaps you meant one of these: + `Apt.stdSourcesList' (imported from Propellor.Property.Apt) +... +</pre> + +That's really all there is to configuring Propellor. Once you +have a `config.hs` ready to try out, you can run `propellor --spin $host` +on one of the hosts configured in it. + +See the [[README]] for a further quick start. 
+ +(If you'd like to learn a little Haskell after all, check out +[Learn You a Haskell for Great Good](http://learnyouahaskell.com/).) diff --git a/doc/index.mdwn b/doc/index.mdwn new file mode 100644 index 00000000..5311baf7 --- /dev/null +++ b/doc/index.mdwn @@ -0,0 +1,31 @@ +[[!meta title="propellor: property-based host configuration management in haskell"]] + +[[!sidebar content=""" +[[Install]] +[API documentation](http://hackage.haskell.org/package/propellor) +[Sample config file](http://git.joeyh.name/?p=propellor.git;a=blob;f=config-joey.hs) +[[Security]] +[[Todo]] +[[Forum]] +"""]] + +[[!inline raw=yes pages="README"]] + +## enjoy + +Hope you find Propellor fun and useful! + +<pre> + -- _ ______`| ,-.__ + {- Propellor -- / \___-=O`/|O`/__| (____.' + Deployed -} -- \ / | / ) _.-"-._ + -- `/-==__ _/__|/__=-| ( \_ +hosts :: [Host] -- * \ | | '--------' +hosts = -- (o) ` +</pre> + +Propellor is free software, licensed under the BSD license. + +## news + +[[!inline pages="news/* and !*/Discussion" show="4" archive=yes]] diff --git a/doc/install.mdwn b/doc/install.mdwn new file mode 100644 index 00000000..ad87cedc --- /dev/null +++ b/doc/install.mdwn @@ -0,0 +1,4 @@ +`git clone git://propellor.branchable.com/ propellor` +Or get it [from github](https://github.com/joeyh/propellor). + +Propellor is recently available in Debian. diff --git a/doc/news/version_0.5.2.mdwn b/doc/news/version_0.5.2.mdwn new file mode 100644 index 00000000..b1a01738 --- /dev/null +++ b/doc/news/version_0.5.2.mdwn 
@@ -0,0 +1,9 @@ +propellor 0.5.2 released with [[!toggle text="these changes"]] +[[!toggleable text=""" + * A bug that caused propellor to hang when updating a running docker + container appears to have been fixed. Note that since it affects + the propellor process that serves as "init" of docker containers, + they have to be restarted for the fix to take effect. + * Licence changed from GPL to BSD. + * A few changes to allow building Propellor on OSX. One user reports + successfully using it there."""]]
\ No newline at end of file diff --git a/doc/news/version_0.5.3.mdwn b/doc/news/version_0.5.3.mdwn new file mode 100644 index 00000000..805e0d55 --- /dev/null +++ b/doc/news/version_0.5.3.mdwn @@ -0,0 +1,6 @@ +propellor 0.5.3 released with [[!toggle text="these changes"]] +[[!toggleable text=""" + * Fix unattended-upgrades config for !stable. + * Ensure that kernel hostname is same as /etc/hostname when configuring + hostname. + * Added modules for some hosting providers (DigitalOcean, CloudAtCost)."""]]
\ No newline at end of file diff --git a/doc/news/version_0.6.0.mdwn b/doc/news/version_0.6.0.mdwn new file mode 100644 index 00000000..5179f1cb --- /dev/null +++ b/doc/news/version_0.6.0.mdwn @@ -0,0 +1,11 @@ +propellor 0.6.0 released with [[!toggle text="these changes"]] +[[!toggleable text=""" + * Docker containers now propagate DNS attributes out to the host they're + docked in. So if a docker container sets a DNS alias, every container + it's docked in will automatically be added to a DNS round-robin, + when propellor is used to manage DNS for the domain. + * Apt.stdSourcesList no longer needs a suite to be specified. + * Added --dump to dump out a field of a host's privdata. Useful for editing + it. + * Propellor's output now includes the hostname being provisioned, or + when provisioning a docker container, the container name."""]]
\ No newline at end of file diff --git a/doc/news/version_0.7.0.mdwn b/doc/news/version_0.7.0.mdwn new file mode 100644 index 00000000..6ce0b517 --- /dev/null +++ b/doc/news/version_0.7.0.mdwn @@ -0,0 +1,9 @@ +propellor 0.7.0 released with [[!toggle text="these changes"]] +[[!toggleable text=""" + * combineProperties no longer stops when a property fails; now it continues + trying to satisfy all properties on the list before propigating the + failure. + * Attr is renamed to Info. + * Renamed wrapper to propellor to make cabal installation of propellor work. + * When git gpg signature of a fetched git branch cannot be verified, + propellor will now continue running, but without merging in that branch."""]]
\ No newline at end of file diff --git a/doc/news/version_0.8.0.mdwn b/doc/news/version_0.8.0.mdwn new file mode 100644 index 00000000..69dbb927 --- /dev/null +++ b/doc/news/version_0.8.0.mdwn @@ -0,0 +1,20 @@ +propellor 0.8.0 released with [[!toggle text="these changes"]] +[[!toggleable text=""" + * Completely reworked privdata storage. There is now a single file, + and each host is sent only the privdata that its Properties actually use. + To transition existing privdata, run propellor against a host and + watch out for the red failure messages, and run the suggested commands + to store the privdata using the new storage scheme. You may find + it useful to run the old version of propellor to extract data from the old + privdata files during this migration. + Several properties that use privdata now require a context to be + specified. If in doubt, you can use anyContext, or + Context "hostname.example.com" + * Add --edit to edit a privdata value in $EDITOR. + * Add --list-fields to list all currently set privdata fields, along with + the hosts that use them. + * Fix randomHostKeys property to run openssh-server's postinst in a + non-failing way. + * Hostname.sane now cleans up the 127.0.0.1 localhost line in /etc/hosts, + to avoid eg, apache complaining "Could not reliably determine the + server's fully qualified domain name"."""]]
\ No newline at end of file diff --git a/doc/security.mdwn b/doc/security.mdwn new file mode 100644 index 00000000..075d68ec --- /dev/null +++ b/doc/security.mdwn @@ -0,0 +1,37 @@ +Propellor's security model is that the hosts it's used to deploy are +untrusted, and that the central git repository server is untrusted too. + +The only trusted machine is the laptop where you run `propellor --spin` +to connect to a remote host. And that one only because you have a ssh key +or login password to the host. + +Since the hosts propellor deploys are not trusted by the central git +repository, they have to use git:// or http:// to pull from the central +git repository, rather than ssh://. + +So, to avoid a MITM attack, propellor checks that any commit it fetches +from origin is gpg signed by a trusted gpg key, and refuses to deploy it +otherwise. + +That is only done when privdata/keyring.gpg exists. To set it up: + + gpg --gen-key # only if you don't already have a gpg key + propellor --add-key $MYKEYID + +In order to be secure from the beginning, when `propellor --spin` is used +to bootstrap propellor on a new host, it transfers the local git repositry +to the remote host over ssh. After that, the remote host knows the +gpg key, and will use it to verify git fetches. + +Since the propoellor git repository is public, you can't store +in cleartext private data such as passwords, ssh private keys, etc. + +Instead, `propellor --spin $host` looks for a +`~/.propellor/privdata/privdata.gpg` file and if found decrypts it, +extracts the private that that the $host needs, and sends it to to the +$host using ssh. This lets a host know its own private data, without +seeing all the rest. + +To securely store private data, use: `propellor --set $field $context` +Propellor will tell you the details when you use a Property that needs +PrivData. diff --git a/doc/todo.mdwn b/doc/todo.mdwn new file mode 100644 index 00000000..06e3db4f --- /dev/null +++ b/doc/todo.mdwn 
@@ -0,0 +1,6 @@ +This is propellor's todo list. Link items to [[todo/done]] when done. + +See also: [Debian BTS](http://bugs.debian.org/propellor). + +[[!inline pages="./todo/* and !./todo/done and !link(done) +and !*/Discussion" actions=yes postform=yes show=0 archive=yes]] diff --git a/doc/todo/better_privdata.mdwn b/doc/todo/better_privdata.mdwn new file mode 100644 index 00000000..1ee9e14f --- /dev/null +++ b/doc/todo/better_privdata.mdwn @@ -0,0 +1,12 @@ +It can be annoying to need to move privdata values around when moving +services between hosts, which is otherwise often just a cut-n-paste +of a line in config.hs. + +It would be better if privdata were all stored in one Map, and the set of +privdata that a host's current properties need were sent to it +automatically, rather than the current 1-file-per-host separation. + +For this to work though, each property that uses privdata would need to add +to the host's Info the privdata field it uses. + +> [[done]]! --[[Joey]] diff --git a/doc/todo/docker_todo_list.mdwn b/doc/todo/docker_todo_list.mdwn new file mode 100644 index 00000000..1321445d --- /dev/null +++ b/doc/todo/docker_todo_list.mdwn @@ -0,0 +1,3 @@ +* There is no way for a property of a docker container to require + some property be met outside the container. For example, some servers + need ntp installed for a good date source. diff --git a/doc/todo/docker_todo_list/comment_1_3801d48190c029a8591ab188427b31b6._comment b/doc/todo/docker_todo_list/comment_1_3801d48190c029a8591ab188427b31b6._comment new file mode 100644 index 00000000..ff217423 --- /dev/null +++ b/doc/todo/docker_todo_list/comment_1_3801d48190c029a8591ab188427b31b6._comment @@ -0,0 +1,10 @@ +[[!comment format=mdwn + username="gueux" + ip="109.190.19.251" + subject="CMD" + date="2014-04-21T13:49:08Z" + content=""" +It would be great to be able to set the CMD of a docker container. + +http://docs.docker.io/reference/builder/#cmd +"""]] 
diff --git a/doc/todo/docker_todo_list/comment_2_441591f9aa106e8d6d1fa7fd6be0fc6f._comment b/doc/todo/docker_todo_list/comment_2_441591f9aa106e8d6d1fa7fd6be0fc6f._comment new file mode 100644 index 00000000..24ec5da3 --- /dev/null +++ b/doc/todo/docker_todo_list/comment_2_441591f9aa106e8d6d1fa7fd6be0fc6f._comment @@ -0,0 +1,10 @@ +[[!comment format=mdwn + username="http://joeyh.name/" + ip="209.250.56.114" + subject="comment 2" + date="2014-04-24T23:31:09Z" + content=""" +propellor does not build docker containers, I think that's the point where a CMD is set. + +It would probably make sense to have a mode where docker run is not passed any explicit command to run, which would let the predefined CMD be used. Although this would not let propellor run inside the container, so it could not perform any provisioning of it. In this mode, propellor would only be able to ensure that a container was installed and start it running with its default configuration. +"""]] diff --git a/doc/todo/done.mdwn b/doc/todo/done.mdwn new file mode 100644 index 00000000..e7c98081 --- /dev/null +++ b/doc/todo/done.mdwn @@ -0,0 +1,4 @@ +recently fixed [[todo]] items. + +[[!inline pages="./* and link(./done) and !*/Discussion" sort=mtime show=10 +archive=yes]] diff --git a/doc/todo/hooks.mdwn b/doc/todo/hooks.mdwn new file mode 100644 index 00000000..a62aa5e7 --- /dev/null +++ b/doc/todo/hooks.mdwn @@ -0,0 +1,7 @@ +* Need a way to run an action when a property changes, but only + run it once for the whole. For example, may want to restart apache, + but only once despite many config changes being made to satisfy + properties. onChange is a poor substitute.a +* Relatedly, a property that say, installs systemd needs to have a way + to reboot the system when a change is made. But this should only + happen at the very end, after everything else. 
diff --git a/doc/todo/info_propigation_out_of_nested_properties.mdwn b/doc/todo/info_propigation_out_of_nested_properties.mdwn new file mode 100644 index 00000000..9e69b0b4 --- /dev/null +++ b/doc/todo/info_propigation_out_of_nested_properties.mdwn @@ -0,0 +1,28 @@ +Currently, Info about a Host's Properties is manually gathered and +propigated. propertyList combines the Info of the Properties in the list. +Docker.docked extracts relevant Info from the Properties of the container +(but not al of it, intentionally!). + +This works, but it's error-prone. Consider this example: + + withOS desc $ \o -> case o of + (Just (System (Debian Unstable) _)) -> ensureProperty foo + _ -> ensureProperty bar + +Here, the Info of `foo` is not propigated out. Nor is `bar`'s Info. +Of course, only one of them will be run, and only its info should be propigated +out.. + +One approach might be to make the Propellor monad be able to be run in two +modes. In one mode, it actually perform IO, etc. In the other mode, all +liftIO is a no-op, but all Info encountered is accumulated using a Reader +monad. This might need two separate monad definitions. + +That is surely doable, but the withOS example above shows a problem with it -- +the OS is itself part of a Host's info, so won't be known until all its +properties have been examined for info! + +Perhaps that can be finessed. We don't really need to propigate out OS info. +Just DNS and PrivDataField Info. So info could be collected in 2 passes, +first as it's done now by static propertyInfo values. Then by running +the Properties in the Reader monad. diff --git a/doc/todo/metapackage.mdwn b/doc/todo/metapackage.mdwn new file mode 100644 index 00000000..bd14f858 --- /dev/null +++ b/doc/todo/metapackage.mdwn 
@@ -0,0 +1,5 @@ +* Should be possible to generate a metapackage of all packages that + properties direct apt to install. Then any other packages can be + auto-removed. This would just be a matter of storing the apt-installed + packages in to Info or somewhere. Although not removing essential and base packages + could be problimatic. diff --git a/doc/todo/ssh__95__user_+_sudo.mdwn b/doc/todo/ssh__95__user_+_sudo.mdwn new file mode 100644 index 00000000..2269cecd --- /dev/null +++ b/doc/todo/ssh__95__user_+_sudo.mdwn @@ -0,0 +1 @@ +It would be great to be able to ssh to a user different from root, and then to use sudo to run commands. diff --git a/doc/todo/ssh__95__user_+_sudo/comment_1_3bc008e42587a3313f81ee740d7d80f0._comment b/doc/todo/ssh__95__user_+_sudo/comment_1_3bc008e42587a3313f81ee740d7d80f0._comment new file mode 100644 index 00000000..e0dc1d7f --- /dev/null +++ b/doc/todo/ssh__95__user_+_sudo/comment_1_3bc008e42587a3313f81ee740d7d80f0._comment @@ -0,0 +1,10 @@ +[[!comment format=mdwn + username="http://joeyh.name/" + ip="209.250.56.214" + subject="comment 1" + date="2014-04-21T13:31:13Z" + content=""" +Running propellor that way would probably need ssh to allocate a tty in order for sudo's password prompt to work. And it adds complexity. Does it add security? I don't think so, PermitRootLogin=without-password or PasswordAuthentication=no is not going to let anyone brute force the root account. + +PermitRootLogin=forced-commands-only might be worth making easy to set up, so the only command that can be run with some special propellor-specific ssh key is propellor. +"""]] diff --git a/doc/todo/ssh__95__user_+_sudo/comment_2_35722c7d6f6c3e2315fbf72878066c01._comment b/doc/todo/ssh__95__user_+_sudo/comment_2_35722c7d6f6c3e2315fbf72878066c01._comment new file mode 100644 index 00000000..8dc6299b --- /dev/null +++ b/doc/todo/ssh__95__user_+_sudo/comment_2_35722c7d6f6c3e2315fbf72878066c01._comment 
@@ -0,0 +1,8 @@ +[[!comment format=mdwn + username="gueux" + ip="109.190.19.251" + subject="comment 2" + date="2014-04-21T13:54:39Z" + content=""" +I didn't knew \"PermitRootLogin=forced-commands-only\", it seems great! +"""]] diff --git a/doc/todo/ssh__95__user_+_sudo/comment_3_d1e4040677b39342be00359210c02156._comment b/doc/todo/ssh__95__user_+_sudo/comment_3_d1e4040677b39342be00359210c02156._comment new file mode 100644 index 00000000..506b543a --- /dev/null +++ b/doc/todo/ssh__95__user_+_sudo/comment_3_d1e4040677b39342be00359210c02156._comment @@ -0,0 +1,10 @@ +[[!comment format=mdwn + username="http://joeyh.name/" + ip="209.250.56.114" + subject="comment 3" + date="2014-04-24T22:17:31Z" + content=""" +Except that it led you to run into the failure mode described at [[forum/remote.origin_not_copied_to_managed_host?]] + +So now we have a concrete change to make: Make /usr/bin/propellor work if it's forced as the only command that can be run. Including making propellor's host bootstrapping work via it. +"""]] diff --git a/doc/todo/ssh_hostkey_Info.mdwn b/doc/todo/ssh_hostkey_Info.mdwn new file mode 100644 index 00000000..a7f8a66a --- /dev/null +++ b/doc/todo/ssh_hostkey_Info.mdwn @@ -0,0 +1,7 @@ +* Either `Ssh.hostKey` should set the sshPubKey info + (which seems hard, as info needs to be able to be calculated without + running any IO code, and here IO is needed along with decrypting the + PrivData..), or the public key should not be stored in + the PrivData, and instead configured using the info. + Getting the ssh host key into the info will allow automatically + exporting it via DNS (SSHFP record) |
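Review bot: In the doc/security.mdwn hunk, "That is only done when privdata/keyring.gpg exists" leaves the consequence unstated: without that keyring, the git:// or http:// fetch described two paragraphs earlier is neither transport-authenticated nor signature-checked, so the MITM protection the page has just described does not apply. Suggest saying so explicitly and cross-referencing step 4 of the README quick start (`propellor --add-key $KEYID`) as the step that creates the keyring. The same hunk names only git:// and http:// as transports for host pulls, while the forum log added in this patch shows a host fetching `From https://github.com/joeyh/propellor`; https:// deserves a mention as the preferred option. Typos in the hunk: "repositry", "propoellor", "extracts the private that that the $host needs", "sends it to to the $host".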
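Review bot: In the doc/README.mdwn hunk, quick start step 9 (`Cron.runPropellor "30 * * * *"`) switches hosts to unattended pulls from origin every 30 minutes, but nothing in the step says that the gpg signature check set up in steps 3 and 4 is what keeps those pulls safe, so a reader who skipped step 4 would not know what they lost. Suggest one sentence in step 9 linking it to the [security](http://propellor.branchable.com/security/) page. Minor style: "puppet, chef, ansible, etc.. just" has a doubled period.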
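Review bot: In the doc/install.mdwn hunk, the suggested `git clone git://propellor.branchable.com/ propellor` uses a transport with no authentication, and a fresh clone has no privdata/keyring.gpg yet to verify signatures against, so this first copy is the one fetch with no protection at all; the github alternative on the next line is already https, and the git:// line should offer an https URL as well. "Propellor is recently available in Debian." reads oddly; suggest "Propellor is also packaged in Debian: `apt-get install propellor`", matching the README.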
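Review bot: In the doc/haskell_newbie.mdwn hunk, the sample compile error quotes `Apt.stdSourcesList Unstable`, but the config example above it uses `Apt.stdSourcesList` with no suite, and the 0.6.0 news item in this same patch says the suite argument is no longer needed; suggest regenerating the error text so readers do not copy the stale form. The list of extra properties includes `User.hasSomePassword "root"`, which needs PrivData; a pointer to `propellor --set $field $context` on the security page would save a newbie the surprise of a red failure message on first run.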
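Review bot: In the doc/news/version_0.7.0.mdwn hunk, the last item says propellor "will now continue running, but without merging in that branch" when a fetched branch's gpg signature cannot be verified; the note should say how that failure is surfaced, since silently carrying on with the old config could mask a misconfigured or tampered origin. The 0.8.0 note in this patch mentions "red failure messages" for privdata, and the same visibility is expected here. Typo: "propigating".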
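Review bot: In the doc/todo/hooks.mdwn hunk, "run it once for the whole." is cut off (presumably a missing noun after "whole"), and "onChange is a poor substitute.a" has a stray "a" at the end of the line.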
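Review bot: In the doc/todo/info_propigation_out_of_nested_properties.mdwn hunk, "propigated"/"propigate" should be "propagated"/"propagate" throughout (the file name carries the same misspelling), and "but not al of it" is missing an "l". The two-pass idea at the end (static propertyInfo first, then a Reader-monad run) would be clearer if it said which pass supplies the OS info that withOS needs, since the paragraph before it identifies exactly that dependency as the problem.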
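Review bot: In the doc/todo/metapackage.mdwn hunk, "problimatic" should be "problematic" and "in to Info" should be "into Info". The caveat about essential and base packages is the important part of this item and deserves to come first rather than as an afterthought, since auto-removing anything outside the metapackage is the risky step.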
