From e7a1d738c9c95ff059fbaeff107d91a2e1742f8e Mon Sep 17 00:00:00 2001
From: mh
Date: Tue, 1 Mar 2011 21:56:22 +0100
Subject: add egd-management

We can now run hosts with a key in the host mode, so it will provide entropy to other hosts. Furthermore we can define clients that will collect entropy from such a host.
---
 files/ekeyd.conf | 89 +++++++++++++++++++++++++++++++++++++++++++++
 files/ekeyd.conf.daemon | 90 ++++++++++++++++++++++++++++++++++++++++++++++
 manifests/base.pp | 13 ++++---
 manifests/client.pp | 13 +++++++
 manifests/client/base.pp | 3 ++
 manifests/client/centos.pp | 7 ++++
 manifests/egd.pp | 17 +++++++++
 manifests/host.pp | 10 ++++++
 manifests/host/base.pp | 15 ++++++++
 manifests/host/centos.pp | 6 ++++
 10 files changed, 259 insertions(+), 4 deletions(-)
 create mode 100644 files/ekeyd.conf
 create mode 100644 files/ekeyd.conf.daemon
 create mode 100644 manifests/client.pp
 create mode 100644 manifests/client/base.pp
 create mode 100644 manifests/client/centos.pp
 create mode 100644 manifests/egd.pp
 create mode 100644 manifests/host.pp
 create mode 100644 manifests/host/base.pp
 create mode 100644 manifests/host/centos.pp

diff --git a/files/ekeyd.conf b/files/ekeyd.conf
new file mode 100644
index 0000000..76a36f1
--- /dev/null
+++ b/files/ekeyd.conf
@@ -0,0 +1,89 @@
+-- -*- Lua -*-
+
+-- Sample configuration file for ekeyd
+
+-- -----------------------------------------------[ General setup ]-----
+
+-- If you want a TCP control socket on 127.0.0.1 then uncomment this
+-- command.
+-- Please note that there is no protection on a TCP socket, anyone on
+-- the box can connect to it and there is no authentication process.
+-- TCPControlSocket "1234"
+
+-- The unix control socket is typically what we use
+UnixControlSocket "/var/run/ekeyd.sock"
+
+-- The keyring contains the keys for the long-term rekey If you change
+-- this location from the default then be aware that the
+-- long-term-rekey tool may not work.
+Keyring "/etc/entropykey/keyring"
+
+-- The daemon background operation may be supressed. In this mode the
+-- daemon will run in the foreground and the controlling tty will not
+-- be released.
+-- Daemonise(false)
+
+-- -------------------------------------------------[ Output Mode ]-----
+
+-- Only one output mode is permitted to be active. Typically on Linux
+-- that would be the kernel output mode, however instead you can opt
+-- to use the EGD interface. Various other daemons then support taking
+-- EGD interfaces and adding entropy to the kernel instead, allowing
+-- multiple clients to retrieve entropy by various means.
+
+-- The SetOutputToKernel option places all the gathered entropy into
+-- the kernel pool. The data placed into the kernel pool is
+-- conservatively estimated to contain 7 shannons of entropy per byte
+-- added.
+-- Note that the data coming from the UDEKEY01 should have one Shannon
+-- of entropy per bit so this value could quite safely be set to
+-- 8. The default value only has the effect of reducing the rate
+-- entropy is mixed into the kernel pool and no other adverse
+-- affect. This default is selected as an conservative choice which is
+-- generally preferable when dealing with random sources.
+SetOutputToKernel(7)
+
+-- The daemon may support the EGD (Entropy Gathering Daemon) socket
+-- protocol. There are two choice to create either a TCP or Unix
+-- socket which speaks the EGD protocol.
+-- Note that you cannot have kernel output *and* EGD output, they are
+-- mutually exclusive.
+-- The EGD protocol support assumes entropy coming off the ekeys is at
+-- the level of 8 shannons per byte and this cannot be changed as it
+-- is a limitation of the EGD protocol itself. The TCP socket can be
+-- given an optional parameter to specify the IP address to bind to.
+-- It will default to 127.0.0.1 if not specified.
+
+-- EGDTCPSocket(8888 --[[, "127.0.0.1" ]])
+-- EGDUnixSocket "/etc/entropy"
+
+-- EGDUnixSocket can optionally take an octal mode string and
+-- username and group to chmod and chown the socket to.
+-- If you do not wish to change the user or group, use empty strings.
+-- You cannot change the user/group without also providing a mode string.
+-- The default is to leave the user/group alone and set the socket to
+-- mode 0600
+-- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers")
+
+-- The SetOutputToFile option writes all gathered entropy to the named
+-- file. No additional processing is performed. The output file must
+-- exist before the daemon is run. This option is generally only
+-- useful if the user wishes to gather data for subsequent testing.
+-- Note as with all the other output options this may be the only
+-- output selection and may not be used with either the kernel or EGD
+-- output enabled.
+
+-- SetOutputToFile "/tmp/entropy"
+
+-- -----------------------------------------------[ Device Config ]-----
+
+-- Add entropy keys from /dev/entropykey where our default udev rules
+-- will place symbolic links (on GNU/Linux operating systems).
+AddEntropyKeys "/dev/entropykey"
+-- Also add keys from /var/run/entropykeys where the UNIX domain socket
+-- rules will place sockets if using them.
+AddEntropyKeys "/var/run/entropykeys"
+-- On OpenBSD/MirBSD you will probably need to use something like this
+-- instead (match the device minor (here: 0) with the ucom(4) instance
+-- your umodem(4) device attaches to):
+-- AddEntropyKey "/dev/cuaU0"
diff --git a/files/ekeyd.conf.daemon b/files/ekeyd.conf.daemon
new file mode 100644
index 0000000..0b1bcb4
--- /dev/null
+++ b/files/ekeyd.conf.daemon
@@ -0,0 +1,90 @@
+-- -*- Lua -*-
+
+-- Sample configuration file for ekeyd
+
+-- -----------------------------------------------[ General setup ]-----
+
+-- If you want a TCP control socket on 127.0.0.1 then uncomment this
+-- command.
+-- Please note that there is no protection on a TCP socket, anyone on
+-- the box can connect to it and there is no authentication process.
+-- TCPControlSocket "1234"
+
+-- The unix control socket is typically what we use
+UnixControlSocket "/var/run/ekeyd.sock"
+
+-- The keyring contains the keys for the long-term rekey If you change
+-- this location from the default then be aware that the
+-- long-term-rekey tool may not work.
+Keyring "/etc/entropykey/keyring"
+
+-- The daemon background operation may be supressed. In this mode the
+-- daemon will run in the foreground and the controlling tty will not
+-- be released.
+-- Daemonise(false)
+
+-- -------------------------------------------------[ Output Mode ]-----
+
+-- Only one output mode is permitted to be active. Typically on Linux
+-- that would be the kernel output mode, however instead you can opt
+-- to use the EGD interface. Various other daemons then support taking
+-- EGD interfaces and adding entropy to the kernel instead, allowing
+-- multiple clients to retrieve entropy by various means.
+
+-- The SetOutputToKernel option places all the gathered entropy into
+-- the kernel pool. The data placed into the kernel pool is
+-- conservatively estimated to contain 7 shannons of entropy per byte
+-- added.
+-- Note that the data coming from the UDEKEY01 should have one Shannon
+-- of entropy per bit so this value could quite safely be set to
+-- 8. The default value only has the effect of reducing the rate
+-- entropy is mixed into the kernel pool and no other adverse
+-- affect. This default is selected as an conservative choice which is
+-- generally preferable when dealing with random sources.
+-- SetOutputToKernel(7)
+
+-- The daemon may support the EGD (Entropy Gathering Daemon) socket
+-- protocol. There are two choice to create either a TCP or Unix
+-- socket which speaks the EGD protocol.
+-- Note that you cannot have kernel output *and* EGD output, they are
+-- mutually exclusive.
+-- The EGD protocol support assumes entropy coming off the ekeys is at
+-- the level of 8 shannons per byte and this cannot be changed as it
+-- is a limitation of the EGD protocol itself. The TCP socket can be
+-- given an optional parameter to specify the IP address to bind to.
+-- It will default to 127.0.0.1 if not specified.
+
+-- EGDTCPSocket(8888 --[[, "127.0.0.1" ]])
+EGDTCPSocket(8888, "0.0.0.0")
+-- EGDUnixSocket "/etc/entropy"
+
+-- EGDUnixSocket can optionally take an octal mode string and
+-- username and group to chmod and chown the socket to.
+-- If you do not wish to change the user or group, use empty strings.
+-- You cannot change the user/group without also providing a mode string.
+-- The default is to leave the user/group alone and set the socket to
+-- mode 0600
+-- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers")
+
+-- The SetOutputToFile option writes all gathered entropy to the named
+-- file. No additional processing is performed. The output file must
+-- exist before the daemon is run. This option is generally only
+-- useful if the user wishes to gather data for subsequent testing.
+-- Note as with all the other output options this may be the only
+-- output selection and may not be used with either the kernel or EGD
+-- output enabled.
+
+-- SetOutputToFile "/tmp/entropy"
+
+-- -----------------------------------------------[ Device Config ]-----
+
+-- Add entropy keys from /dev/entropykey where our default udev rules
+-- will place symbolic links (on GNU/Linux operating systems).
+AddEntropyKeys "/dev/entropykey"
+-- Also add keys from /var/run/entropykeys where the UNIX domain socket
+-- rules will place sockets if using them.
+AddEntropyKeys "/var/run/entropykeys"
+-- On OpenBSD/MirBSD you will probably need to use something like this
+-- instead (match the device minor (here: 0) with the ucom(4) instance
+-- your umodem(4) device attaches to):
+-- AddEntropyKey "/dev/cuaU0"
diff --git a/manifests/base.pp b/manifests/base.pp
index e4d572d..24494f4 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -4,15 +4,20 @@ class ekeyd::base {
     ensure => installed,
   }
+  file{'/etc/entropykey/ekeyd.conf':
+    source => 'puppet:///modules/ekeyd/ekeyd.conf',
+    require => Package['ekeyd'],
+    notify => Service['ekeyd'],
+    owner => root, group => 0, mode => 0644;
+  }
   service{'ekeyd':
     ensure => running,
     enable => true,
-    require => Package['ekeyd'],
   }
   exec{'configure_ekey_key':
-    command => "ekey-rekey `ekeydctl list | grep \"/dev/entropykey\" | awk -F, '{ print \$5}'` ${ekey_masterkey}",
-    unless => "ekeydctl list | grep -q 'Running OK'",
-    require => Service['ekeyd'],
+    command => "ekey-rekey `ekeydctl list | grep \"/dev/entropykey\" | awk -F, '{ print \$5}'` ${ekey_masterkey}",
+    unless => "ekeydctl list | grep -q 'Running OK'",
+    require => Service['ekeyd'],
   }
 }
diff --git a/manifests/client.pp b/manifests/client.pp
new file mode 100644
index 0000000..89fd253
--- /dev/null
+++ b/manifests/client.pp
@@ -0,0 +1,13 @@
+class ekeyd::client {
+  if !$ekeyd_host { fail("\$ekeyd_host is not set for $fqdn") }
+  case $operatingsystem {
+    centos: { include ekeyd::client::centos }
+    default: { include ekeyd::client::base }
+  }
+
+  if $use_shorewall {
+    class{'shorewall::rules::out::ekeyd':
+      ekeyd_host => $ekeyd_host,
+    }
+  }
+}
diff --git a/manifests/client/base.pp b/manifests/client/base.pp
new file mode 100644
index 0000000..411b7ee
--- /dev/null
+++ b/manifests/client/base.pp
@@ -0,0 +1,3 @@
+class ekeyd::client::base {
+  include ekeyd::egd
+}
diff --git a/manifests/client/centos.pp b/manifests/client/centos.pp
new file mode 100644
index 0000000..b9328bb
--- /dev/null
+++ b/manifests/client/centos.pp
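Review bot: `EGDTCPSocket(8888, "0.0.0.0")` binds the entropy server to every interface, while the only network restriction this commit adds, `include shorewall::rules::ekeyd` in manifests/host.pp, is applied only when `$use_shorewall` is set, so a host without shorewall serves entropy on port 8888 to anything that can reach it. The kept sample text states the bind address defaults to 127.0.0.1, and its only remark on authentication (for the TCP control socket) says there is none; nothing in the file suggests the EGD socket is any different, so the bind address is the effective control here. Consider binding to the address the clients actually use, e.g. `EGDTCPSocket(8888, "<internal-address>")` (placeholder), or at least document the reliance on the firewall next to the call, e.g. `-- listens on all interfaces; access is restricted by shorewall::rules::ekeyd only`. This file also differs from files/ekeyd.conf in just two lines, so a template with the output mode as a parameter would keep the two copies from drifting.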
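Review bot: `${ekey_masterkey}` is interpolated into the `exec{'configure_ekey_key'}` command line, so the long-term key is visible to every local user in the process list while `ekey-rekey` runs, and I believe it also ends up in the agent log and report when the exec fails, since Puppet reports the failing command. The commit only reindents these three lines, but they are the new side, and the `unless` guard means this only limits exposure to the first run per key rather than removing it. If ekey-rekey can read the key from a root-only file or from stdin that should be preferred; otherwise add a comment such as `# ekey_masterkey is passed as an argument and is visible in ps/logs during the rekey` so the next maintainer knows the trade-off was deliberate. Dropping `require => Package['ekeyd']` from the service is fine as written, because ordering now flows package -> file -> service through the file's `require`/`notify`.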
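Review bot: `$ekeyd_host` is mandatory by way of the `fail(...)` in `ekeyd::client`, but in the `default:` branch `ekeyd::client::base` (manifests/client/base.pp) only includes `ekeyd::egd` and never uses the value, so a non-CentOS client starts egd-linux with whatever host the package defaults to; only the CentOS branch in manifests/client/centos.pp writes `DAEMON_HOST=${ekeyd_host}`. Either document that, e.g. `# DAEMON_HOST is only configured on centos so far; other platforms run the packaged default`, or make the default branch fail for unsupported platforms. The check is also a presence check only, while the value is written verbatim into a sysconfig file (presumably sourced by the init script) and handed to `shorewall::rules::out::ekeyd`; an anchored match such as `if $ekeyd_host !~ /^[A-Za-z0-9.-]+$/ { fail("\$ekeyd_host is not a hostname or address") }` would reject anything that is not a hostname or address.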
@@ -0,0 +1,7 @@
+class ekeyd::client::centos inherits ekeyd::client::base {
+  file{'/etc/sysconfig/egd-linux':
+    content => "DAEMON_HOST=${ekeyd_host}\n",
+    notify => Service['egd-linux'],
+    owner => root, group => 0, mode => 0644;
+  }
+}
diff --git a/manifests/egd.pp b/manifests/egd.pp
new file mode 100644
index 0000000..8a7da6f
--- /dev/null
+++ b/manifests/egd.pp
@@ -0,0 +1,17 @@
+class ekeyd::egd {
+  package{'ekeyd-egd-linux':
+    ensure => present,
+    before => Service['egd-linux'],
+  }
+
+  service{'egd-linux':
+    enable => true,
+    ensure => running,
+  }
+
+  if $use_shorewall {
+    Service['egd-linux']{
+      require => Service['shorewall'],
+    }
+  }
+}
diff --git a/manifests/host.pp b/manifests/host.pp
new file mode 100644
index 0000000..6b8dd1a
--- /dev/null
+++ b/manifests/host.pp
@@ -0,0 +1,10 @@
+class ekeyd::host inherits ekeyd {
+  case $operatingsystem {
+    centos: { include ekeyd::host::centos }
+    default: { include ekeyd::host::base }
+  }
+
+  if $use_shorewall {
+    include shorewall::rules::ekeyd
+  }
+}
diff --git a/manifests/host/base.pp b/manifests/host/base.pp
new file mode 100644
index 0000000..ec8525b
--- /dev/null
+++ b/manifests/host/base.pp
@@ -0,0 +1,15 @@
+class ekeyd::host::base inherits ekeyd::base {
+  sysctl::value{'kernel.random.write_wakeup_threshold':
+    value => 1024
+  }
+
+  File['/etc/entropykey/ekeyd.conf']{
+    source => 'puppet:///modules/ekeyd/ekeyd.conf.daemon',
+  }
+
+  Service['ekeyd']{
+    before => Service['egd-linux'],
+  }
+
+  include ekeyd::egd
+}
diff --git a/manifests/host/centos.pp b/manifests/host/centos.pp
new file mode 100644
index 0000000..d989d55
--- /dev/null
+++ b/manifests/host/centos.pp
@@ -0,0 +1,6 @@
+class ekeyd::host::centos inherits ekeyd::host::base {
+  file{'/etc/sysconfig/egd-linux':
+    ensure => 'absent',
+    notify => Service['egd-linux'],
+  }
+}
-- 
cgit v1.2.3
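Review bot: `sysctl::value{'kernel.random.write_wakeup_threshold': value => 1024 }` in manifests/host/base.pp changes a kernel entropy parameter with no explanation of why this value or why only on hosts, and the rest of the class leans on an undocumented design: the daemon config it selects (files/ekeyd.conf.daemon) comments out `SetOutputToKernel(7)` in favour of `EGDTCPSocket`, and that file says the two outputs are mutually exclusive, so the host's own kernel pool is apparently refilled only through the `egd-linux` client brought in by `include ekeyd::egd`. That is presumably what the `before => Service['egd-linux']` override is for, but nothing states it. I would add a short comment block above the sysctl explaining the chosen threshold and, next to `include ekeyd::egd`, `# ekeyd now outputs to the EGD socket only, so the host feeds its own pool via egd-linux`. On CentOS the `/etc/sysconfig/egd-linux` file is ensured absent, so that feedback depends on the package default DAEMON_HOST pointing at the local daemon, which is worth confirming and noting in manifests/host/centos.pp.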