I've been working on a new package guidelines draft[1] for dealing with packages that provide a service and need some level of first-time configuration before the service can run. One of the issues we're dealing with in the world of Fedora Atomic and other environments where VMs or systems are cloned is the issue of keeping system-specific data out of those clones. In particular, we want to make sure that clones of a system don't have the same private keys or certificates as its siblings.

Classically, the way that many services set up this configuration is during the %post phase of RPM installation; they create whatever certificates, etc. they need at this time and then the service will run when it is started. Admins will set up their systems with the packages they want and then run a tool like virt-sysprep to clear out system-specific information. The problem with this approach is that in many cases, this results in a system that cannot run many of its services without additional steps being taken on the new cloned VM to re-generate these components.

This proposed set of guidelines provides two major new changes to this process:

1) It requires that all system-specific generated files are moved into the service start itself and out of %post. This means that any time the files needed are not present, they are generated at service start time.

2) It provides a detailed description of a secure process to produce "self-signed" service certificates for bootstrapping the services. This follows a newer approach to generating certificates that allows safe importing of the certificates for use on the local system (and even for sharing that certificate with other machines in the event that a proper certificate chain is unavailable, such as many non-production environments).

Once these guidelines are approved, I will also be developing helper scripts to accomplish the certificate generation so that packagers will have an easier time following this guideline.
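As an added illustration of change 1) above (this is not code from the draft or from the helper scripts it mentions): a POSIX shell function that a service's start-up script could call to create its key and self-signed certificate only when they are absent, so a clone whose system-specific files were wiped regenerates its own pair on first start instead of relying on %post. The file paths, the hostname argument and the one-year validity are assumptions.

```shell
#!/bin/sh
# Added example, not part of the draft. Generates KEY and CERT for HOST at
# service start only if either file is missing, so the work moves out of
# %post and a sysprep'd clone produces its own private key on first boot.
set -eu

# Usage: ensure_service_cert KEY CERT HOST
# Prints "present" if both files already exist, "generated" after creating them.
ensure_service_cert() {
    key=$1; cert=$2; host=$3
    if [ -s "$key" ] && [ -s "$cert" ]; then
        echo present
        return 0
    fi
    # Build both files in a private temp dir next to the destination, then
    # move them into place, so a crash never leaves a half-written pair
    # that the next start would treat as "present".
    tmp=$(mktemp -d "$(dirname "$key")/.certgen.XXXXXX")
    # umask 077 in a subshell: the key is created owner-only (0600) and the
    # restrictive umask does not leak into the rest of the script.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
          -subj "/CN=$host" \
          -keyout "$tmp/key.pem" -out "$tmp/cert.pem" >/dev/null 2>&1
    ) || { rm -rf "$tmp"; return 1; }
    chmod 0644 "$tmp/cert.pem"   # the certificate is public; the key stays 0600
    mv "$tmp/key.pem" "$key"
    mv "$tmp/cert.pem" "$cert"
    rmdir "$tmp"
    echo generated
}
```

A second call with the files in place is a no-op, which is what makes the function safe to run on every service start.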
The OpenSSL portions of this guideline were written by me and reviewed by Kai Engert and Miloslav Trmac. The NSS portions were written by Kai Engert and reviewed by myself and Miloslav Trmac. I opened an FPC ticket[2] to track this as well.

[1] https://fedoraproject.org/wiki/User:Sgallagh/FirstTimeSetupDraft
[2] https://fedorahosted.org/fpc/ticket/506
-- packaging mailing list packaging@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/packaging