[Freeipa-devel] Multi-master replication with puppet
James
purpleidea at gmail.com
Fri Jun 6 10:38:10 UTC 2014
Hi FreeIPA,
*intro*
As some of you might know, I'm currently working on deploying
multi-master replicas with puppet. Since it looks like there will be
security implications, I wanted to start off by trying to build some
confidence. I want to demonstrate that I am as paranoid about getting
the security bits right as you all are. *cough* I'm looking at you
Simo ;)
I've just announced the first sane implementation for secret handling
in puppet. Since everyone does this wrong, I thought I'd do it right,
by pioneering a new technique. You can read about it here:
https://ttboj.wordpress.com/2014/06/06/securely-managing-secrets-for-freeipa-with-puppet/
In short, the dm_password and admin_password never get touched by
puppet, and are generated locally on the freeipa server. What this
means is that puppet doesn't know what they are, and as a result,
can't use them to accomplish admin tasks.
*replicas*
ipa-replica-prepare and ipa-replica-install work _too_ well. they're
the one part of freeipa that are so easy to use by a human, but nearly
impossible to use with puppet (without storing the password in
puppet). puppet can't use them as is because they need you to enter a
password (which i don't want it to have). Here is what I propose to do
for accomplishing this. Please correct me if I've made a mistake, or
recommend something different.
ipa-replica-prepare seems to need the dm_password. This seems to be
needed for symmetrically encrypting the bunch of files to transfer to
the replica. Instead, I'll patch this process to allow use of a public
key for asymetric encryption that is unique to the receiving replica.
I'll make sure that each ipa server generates it's own keypair, and
that the public halves are distributed to the sending hosts.
I don't think there is any other need for the dm_password in
ipa-replica-prepare. Did I miss something?
ipa-replica-install needs the dm_password to decrypt the gpg file.
Since I'm handling that with my asymmetric key pair, we don't need the
password for that. mkosek was very kind in helping me dig through this
part a bit, and it seems that the dm_password is needed to allow the
replica to bind to the first server. I would need some help to find an
alternative for this process. As was suggested, perhaps a one-time
password could be generated and sent across the wire (with puppet) to
the replica. Any mechanism that doesn't need the dm_password would be
great.
I don't think there is any other need for the dm_password in
ipa-replica-install. Did I miss something?
Of course if I store the dm_password in puppet, then it's easy to do
this peering because it will be easy to use the password on each host.
I could be done my puppet module already :) But I'm going out of my
way to do it right, so that you'll all be proud of the work too!
*symmetry*
It would be especially elegant and beneficial to FreeIPA and the
puppet module if the process of "peering" was symmetrical, that is to
say, similar for any host. If I could use ipa-server-install to setup
N hosts, and then run a secondary command to cause certain ones to
"join" this would make the process much more natural for puppet. In
addition, this would ensure that the configuration management itself
is HA. Without this type of functionality, then if the first ipa
server isn't available, then config management will be blocked. I
would appreciate any recommendations on how to convert a previously
installed ipa server into a replica. Of course it's fine that it will
have it's data overwritten.
Thanks again!
Cheers,
James
More information about the Freeipa-devel
mailing list