From e7a1d738c9c95ff059fbaeff107d91a2e1742f8e Mon Sep 17 00:00:00 2001
From: mh <mh@immerda.ch>
Date: Tue, 1 Mar 2011 21:56:22 +0100
Subject: add egd-management

We can now run hosts with a key in the host mode, so it will
provide entropy to other hosts. Furthermore we can define clients
that will collect entropy from such a host.
---
 files/ekeyd.conf           | 89 +++++++++++++++++++++++++++++++++++++++++++++
 files/ekeyd.conf.daemon    | 90 ++++++++++++++++++++++++++++++++++++++++++++++
 manifests/base.pp          | 13 ++++---
 manifests/client.pp        | 13 +++++++
 manifests/client/base.pp   |  3 ++
 manifests/client/centos.pp |  7 ++++
 manifests/egd.pp           | 17 +++++++++
 manifests/host.pp          | 10 ++++++
 manifests/host/base.pp     | 15 ++++++++
 manifests/host/centos.pp   |  6 ++++
 10 files changed, 259 insertions(+), 4 deletions(-)
 create mode 100644 files/ekeyd.conf
 create mode 100644 files/ekeyd.conf.daemon
 create mode 100644 manifests/client.pp
 create mode 100644 manifests/client/base.pp
 create mode 100644 manifests/client/centos.pp
 create mode 100644 manifests/egd.pp
 create mode 100644 manifests/host.pp
 create mode 100644 manifests/host/base.pp
 create mode 100644 manifests/host/centos.pp

diff --git a/files/ekeyd.conf b/files/ekeyd.conf
new file mode 100644
index 0000000..76a36f1
--- /dev/null
+++ b/files/ekeyd.conf
@@ -0,0 +1,89 @@
+-- -*- Lua -*-
+
+-- Sample configuration file for ekeyd
+
+-- -----------------------------------------------[ General setup ]-----
+
+-- If you want a TCP control socket on 127.0.0.1 then uncomment this
+-- command.
+-- Please note that there is no protection on a TCP socket, anyone on
+-- the box can connect to it and there is no authentication process.
+-- TCPControlSocket "1234"
+
+-- The unix control socket is typically what we use
+UnixControlSocket "/var/run/ekeyd.sock"
+
+-- The keyring contains the keys for the long-term rekey If you change
+-- this location from the default then be aware that the
+-- long-term-rekey tool may not work.
+Keyring "/etc/entropykey/keyring"
+
+-- The daemon background operation may be supressed. In this mode the
+-- daemon will run in the foreground and the controlling tty will not
+-- be released.
+-- Daemonise(false)
+
+-- -------------------------------------------------[ Output Mode ]-----
+
+-- Only one output mode is permitted to be active. Typically on Linux
+-- that would be the kernel output mode, however instead you can opt
+-- to use the EGD interface. Various other daemons then support taking
+-- EGD interfaces and adding entropy to the kernel instead, allowing
+-- multiple clients to retrieve entropy by various means.
+
+-- The SetOutputToKernel option places all the gathered entropy into
+-- the kernel pool. The data placed into the kernel pool is
+-- conservatively estimated to contain 7 shannons of entropy per byte
+-- added.
+-- Note that the data coming from the UDEKEY01 should have one Shannon
+-- of entropy per bit so this value could quite safely be set to
+-- 8. The default value only has the effect of reducing the rate
+-- entropy is mixed into the kernel pool and no other adverse
+-- affect. This default is selected as an conservative choice which is
+-- generally preferable when dealing with random sources.
+SetOutputToKernel(7)
+
+-- The daemon may support the EGD (Entropy Gathering Daemon) socket
+-- protocol. There are two choice to create either a TCP or Unix
+-- socket which speaks the EGD protocol.
+-- Note that you cannot have kernel output *and* EGD output, they are
+-- mutually exclusive.
+-- The EGD protocol support assumes entropy coming off the ekeys is at
+-- the level of 8 shannons per byte and this cannot be changed as it
+-- is a limitation of the EGD protocol itself.  The TCP socket can be
+-- given an optional parameter to specify the IP address to bind to.
+-- It will default to 127.0.0.1 if not specified.
+
+-- EGDTCPSocket(8888 --[[, "127.0.0.1" ]])
+-- EGDUnixSocket "/etc/entropy"
+
+-- EGDUnixSocket can optionally take an octal mode string and
+-- username and group to chmod and chown the socket to.
+-- If you do not wish to change the user or group, use empty strings.
+-- You cannot change the user/group without also providing a mode string.
+-- The default is to leave the user/group alone and set the socket to
+-- mode 0600
+-- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers")
+
+-- The SetOutputToFile option writes all gathered entropy to the named
+-- file. No additional processing is performed. The output file must
+-- exist before the daemon is run. This option is generally only
+-- useful if the user wishes to gather data for subsequent testing.
+-- Note as with all the other output options this may be the only
+-- output selection and may not be used with either the kernel or EGD
+-- output enabled.
+
+-- SetOutputToFile "/tmp/entropy" 
+
+-- -----------------------------------------------[ Device Config ]-----
+
+-- Add entropy keys from /dev/entropykey where our default udev rules
+-- will place symbolic links (on GNU/Linux operating systems).
+AddEntropyKeys "/dev/entropykey"
+-- Also add keys from /var/run/entropykeys where the UNIX domain socket
+-- rules will place sockets if using them.
+AddEntropyKeys "/var/run/entropykeys"
+-- On OpenBSD/MirBSD you will probably need to use something like this
+-- instead (match the device minor (here: 0) with the ucom(4) instance
+-- your umodem(4) device attaches to):
+-- AddEntropyKey "/dev/cuaU0"
diff --git a/files/ekeyd.conf.daemon b/files/ekeyd.conf.daemon
new file mode 100644
index 0000000..0b1bcb4
--- /dev/null
+++ b/files/ekeyd.conf.daemon
@@ -0,0 +1,90 @@
+-- -*- Lua -*-
+
+-- Sample configuration file for ekeyd
+
+-- -----------------------------------------------[ General setup ]-----
+
+-- If you want a TCP control socket on 127.0.0.1 then uncomment this
+-- command.
+-- Please note that there is no protection on a TCP socket, anyone on
+-- the box can connect to it and there is no authentication process.
+-- TCPControlSocket "1234"
+
+-- The unix control socket is typically what we use
+UnixControlSocket "/var/run/ekeyd.sock"
+
+-- The keyring contains the keys for the long-term rekey If you change
+-- this location from the default then be aware that the
+-- long-term-rekey tool may not work.
+Keyring "/etc/entropykey/keyring"
+
+-- The daemon background operation may be supressed. In this mode the
+-- daemon will run in the foreground and the controlling tty will not
+-- be released.
+-- Daemonise(false)
+
+-- -------------------------------------------------[ Output Mode ]-----
+
+-- Only one output mode is permitted to be active. Typically on Linux
+-- that would be the kernel output mode, however instead you can opt
+-- to use the EGD interface. Various other daemons then support taking
+-- EGD interfaces and adding entropy to the kernel instead, allowing
+-- multiple clients to retrieve entropy by various means.
+
+-- The SetOutputToKernel option places all the gathered entropy into
+-- the kernel pool. The data placed into the kernel pool is
+-- conservatively estimated to contain 7 shannons of entropy per byte
+-- added.
+-- Note that the data coming from the UDEKEY01 should have one Shannon
+-- of entropy per bit so this value could quite safely be set to
+-- 8. The default value only has the effect of reducing the rate
+-- entropy is mixed into the kernel pool and no other adverse
+-- affect. This default is selected as an conservative choice which is
+-- generally preferable when dealing with random sources.
+-- SetOutputToKernel(7)
+
+-- The daemon may support the EGD (Entropy Gathering Daemon) socket
+-- protocol. There are two choice to create either a TCP or Unix
+-- socket which speaks the EGD protocol.
+-- Note that you cannot have kernel output *and* EGD output, they are
+-- mutually exclusive.
+-- The EGD protocol support assumes entropy coming off the ekeys is at
+-- the level of 8 shannons per byte and this cannot be changed as it
+-- is a limitation of the EGD protocol itself.  The TCP socket can be
+-- given an optional parameter to specify the IP address to bind to.
+-- It will default to 127.0.0.1 if not specified.
+
+-- EGDTCPSocket(8888 --[[, "127.0.0.1" ]])
+EGDTCPSocket(8888, "0.0.0.0")
+-- EGDUnixSocket "/etc/entropy"
+
+-- EGDUnixSocket can optionally take an octal mode string and
+-- username and group to chmod and chown the socket to.
+-- If you do not wish to change the user or group, use empty strings.
+-- You cannot change the user/group without also providing a mode string.
+-- The default is to leave the user/group alone and set the socket to
+-- mode 0600
+-- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers")
+
+-- The SetOutputToFile option writes all gathered entropy to the named
+-- file. No additional processing is performed. The output file must
+-- exist before the daemon is run. This option is generally only
+-- useful if the user wishes to gather data for subsequent testing.
+-- Note as with all the other output options this may be the only
+-- output selection and may not be used with either the kernel or EGD
+-- output enabled.
+
+-- SetOutputToFile "/tmp/entropy" 
+
+-- -----------------------------------------------[ Device Config ]-----
+
+-- Add entropy keys from /dev/entropykey where our default udev rules
+-- will place symbolic links (on GNU/Linux operating systems).
+AddEntropyKeys "/dev/entropykey"
+-- Also add keys from /var/run/entropykeys where the UNIX domain socket
+-- rules will place sockets if using them.
+AddEntropyKeys "/var/run/entropykeys"
+-- On OpenBSD/MirBSD you will probably need to use something like this
+-- instead (match the device minor (here: 0) with the ucom(4) instance
+-- your umodem(4) device attaches to):
+-- AddEntropyKey "/dev/cuaU0"
diff --git a/manifests/base.pp b/manifests/base.pp
index e4d572d..24494f4 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -4,15 +4,20 @@ class ekeyd::base {
     ensure => installed,
   }
 
+  file{'/etc/entropykey/ekeyd.conf':
+    source => 'puppet:///modules/ekeyd/ekeyd.conf',
+    require => Package['ekeyd'],
+    notify => Service['ekeyd'],
+    owner => root, group => 0, mode => 0644;
+  }
   service{'ekeyd':
     ensure => running,
     enable => true,
-    require => Package['ekeyd'],
   }
 
   exec{'configure_ekey_key':
-      command => "ekey-rekey `ekeydctl list | grep \"/dev/entropykey\" | awk -F, '{ print \$5}'` ${ekey_masterkey}",
-      unless => "ekeydctl list | grep -q 'Running OK'",
-      require => Service['ekeyd'],
+    command => "ekey-rekey `ekeydctl list | grep \"/dev/entropykey\" | awk -F, '{ print \$5}'` ${ekey_masterkey}",
+    unless => "ekeydctl list | grep -q 'Running OK'",
+    require => Service['ekeyd'],
   } 
 }
diff --git a/manifests/client.pp b/manifests/client.pp
new file mode 100644
index 0000000..89fd253
--- /dev/null
+++ b/manifests/client.pp
@@ -0,0 +1,13 @@
+class ekeyd::client {
+  if !$ekeyd_host { fail("\$ekeyd_host is not set for $fqdn") }
+  case $operatingsystem {
+    centos: { include ekeyd::client::centos }
+    default: { include ekeyd::client::base }
+  }
+
+  if $use_shorewall {
+    class{'shorewall::rules::out::ekeyd':
+      ekeyd_host => $ekeyd_host,
+    }
+  }
+}
diff --git a/manifests/client/base.pp b/manifests/client/base.pp
new file mode 100644
index 0000000..411b7ee
--- /dev/null
+++ b/manifests/client/base.pp
@@ -0,0 +1,3 @@
+class ekeyd::client::base {
+  include ekeyd::egd
+}
diff --git a/manifests/client/centos.pp b/manifests/client/centos.pp
new file mode 100644
index 0000000..b9328bb
--- /dev/null
+++ b/manifests/client/centos.pp
@@ -0,0 +1,7 @@
+class ekeyd::client::centos inherits ekeyd::client::base {
+  file{'/etc/sysconfig/egd-linux':
+    content => "DAEMON_HOST=${ekeyd_host}\n",
+    notify => Service['egd-linux'],
+    owner => root, group => 0, mode => 0644;
+  }
+}
diff --git a/manifests/egd.pp b/manifests/egd.pp
new file mode 100644
index 0000000..8a7da6f
--- /dev/null
+++ b/manifests/egd.pp
@@ -0,0 +1,17 @@
+class ekeyd::egd {
+  package{'ekeyd-egd-linux':
+    ensure => present,
+    before => Service['egd-linux'],
+  }
+
+  service{'egd-linux':
+    enable => true,
+    ensure => running,
+  }
+
+  if $use_shorewall {
+    Service['egd-linux']{
+      require => Service['shorewall'],
+    }
+  }
+}
diff --git a/manifests/host.pp b/manifests/host.pp
new file mode 100644
index 0000000..6b8dd1a
--- /dev/null
+++ b/manifests/host.pp
@@ -0,0 +1,10 @@
+class ekeyd::host inherits ekeyd {
+  case $operatingsystem {
+    centos: { include ekeyd::host::centos }
+    default: { include ekeyd::host::base }
+  }
+
+  if $use_shorewall {
+    include shorewall::rules::ekeyd
+  }
+}
diff --git a/manifests/host/base.pp b/manifests/host/base.pp
new file mode 100644
index 0000000..ec8525b
--- /dev/null
+++ b/manifests/host/base.pp
@@ -0,0 +1,15 @@
+class ekeyd::host::base inherits ekeyd::base {
+  sysctl::value{'kernel.random.write_wakeup_threshold':
+    value => 1024
+  }
+
+  File['/etc/entropykey/ekeyd.conf']{
+    source => 'puppet:///modules/ekeyd/ekeyd.conf.daemon',
+  }
+
+  Service['ekeyd']{
+    before => Service['egd-linux'],
+  }
+
+  include ekeyd::egd
+}
diff --git a/manifests/host/centos.pp b/manifests/host/centos.pp
new file mode 100644
index 0000000..d989d55
--- /dev/null
+++ b/manifests/host/centos.pp
@@ -0,0 +1,6 @@
+class ekeyd::host::centos inherits ekeyd::host::base {
+  file{'/etc/sysconfig/egd-linux':
+    ensure => 'absent',
+    notify => Service['egd-linux'],
+  }
+}
-- 
cgit v1.2.3