[rudder-dev] Relay synchronisation via rsync

Benoit Peccatte benoit.peccatte at normation.com
Tue Jun 14 12:16:39 CEST 2016


Hello everyone,

When people have a lot of rules or a lot of nodes, they also have a lot
of generated promises.
When you run a relay, those promises can take a lot of time to synchronize.
To avoid this we devised an rsync based synchronization with the help of
some of our best users.
This can reduce synchronization time "a lot".

But let's see how to do it.

How does it work?
- The update promises will be changed to make them run an rsync command
instead of a cfengine download if a specific flag is set
- rsync will connect to the server via ssh on the rudder user
- The key used to connect will be derived from the cfengine key (openssl
command to be defined)
- The authorized keys will be filled by the webapp on the server since
it knows the public keys of each relay
- A script on the server triggered by ssh remote_command will check that
the remote relay is allowed to synchronize the directory it is asking for on
each ssh connection
- The relay will get its promises over rsync over ssh which can be
really fast

Prerequisite: the rudder user
First we need a specific rudder user on the server so that we do not
use root to connect to the rudder server.
This in itself is a challenge because today we only have a rudder group.

To do this we need to:
- make the package create a new "rudder" user with the "rudder" group
- change the group of the generated ncf and generated promises to "rudder"
- change the rights of those directories to g+rs, this will make sure
that we will always have read access to those files from the rudder user
- change the post install script to change existing rights
- test that this properly works with cf-serverd

This should be sufficient for our current case, but it allows us to
imagine a day where jetty and cf-serverd could run as the "rudder" user
instead of "root".

We would like to be able to synchronize the shared-files directory too.
But since this directory is under direct control of the user and its
access rights can be used in promises we won't touch its sgid bit nor
synchronize it by default. If the user wants to synchronize it via rsync
he will need to make sure he has posix acl activated on this directory,
run a command to add the rudder group via those acls and then activate
the rsync protocol specifically for this directory.

Other steps
- Have the rudder user on the server and the rudder group on the relays
- Create a technique to manage the authorized_keys file on the server
(it will be based on a system variable that holds uuid/key pairs from
the webapp)
- On the relay, create a technique (or maybe a postinstall script would
do better) that:
  * creates the ssh key from the cfengine key and puts it in a known place
  * calls ssh-keyscan to add the server's key to ~/.ssh/known_hosts
- Create an rsync ACL script that takes 1 parameter (the UUID of a
host), it will:
  * know that it is running from ssh, so know the remote command used
  * check that this command is authorized by its parameter (share/<uuid>
ncf and shared-files only are authorized)
  * https://www.samba.org/ftp/unpacked/rsync/support/rrsync can be a
good source of how to do this
- Add a flag file in generated promises to avoid running rsync if it's
not necessary (maybe it can be implemented using a filter-from-file
option in rsync to avoid using cfengine again)
- Add an option in the interface to configure synchronization via rsync
instead of regular synchronization
- Add an option in the interface to synchronize shared-files too
- Beware that a relay can become a server for another relay so
everything on the server must work on another machine
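What the rsync ACL script from the list above could look like, as an added example written for this post (it is neither Rudder's own code nor the rrsync script it points to): a forced-command wrapper that reads SSH_ORIGINAL_COMMAND, accepts only read-only rsync server requests under share/<uuid>, ncf and shared-files, and refuses everything else. The /var/rudder layout, the script name rudder-rrsync and the allow/deny option lists are assumptions.

```python
#!/usr/bin/env python3
"""Forced-command check for rsync-over-ssh relay synchronisation.
Example code, not Rudder's own; paths and option lists below are assumptions."""
import os
import re
import shlex
import sys

BASE = "/var/rudder"  # assumed layout: share/<uuid>/, ncf/ and shared-files/ under it
UUID_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")  # no "/" or "..": the UUID ends up in a path


def allowed_dirs(uuid):
    """Directories a relay with this UUID may fetch: share/<uuid>, ncf and shared-files."""
    if not UUID_RE.match(uuid):
        return []
    return [os.path.join(BASE, "share", uuid), os.path.join(BASE, "ncf"),
            os.path.join(BASE, "shared-files")]


def check_command(uuid, original):
    """Return the rsync argv to exec if `original` (SSH_ORIGINAL_COMMAND) is a read-only
    rsync server request limited to allowed directories, else None."""
    argv = shlex.split(original or "")
    if not argv or argv[0] != "rsync" or "." not in argv:
        return None
    sep = argv.index(".")  # rsync --server puts options before "." and paths after it
    opts, paths = argv[1:sep], argv[sep + 1:]
    # Only sender mode is allowed: the relay pulls promises, it never pushes to the server
    if "--server" not in opts or "--sender" not in opts:
        return None
    # Refuse options that would read or delete files outside the normal transfer
    if any(o.startswith(("--files-from", "--log-file", "--remove-source-files", "--rsync-path"))
           for o in opts):
        return None
    if not paths or any(not p.startswith("/") for p in paths):
        return None
    for p in paths:
        clean = os.path.normpath(p)  # collapse "/../" before comparing with the allow list
        if not any(clean == d or clean.startswith(d + "/") for d in allowed_dirs(uuid)):
            return None
    return argv


if __name__ == "__main__":
    argv = check_command(sys.argv[1] if len(sys.argv) > 1 else "",
                         os.environ.get("SSH_ORIGINAL_COMMAND"))
    if argv is None:
        sys.exit("rudder-rrsync: request refused")
    os.execvp("rsync", argv)  # replace ourselves with the real rsync server process
```

The webapp would then emit one authorized_keys line per relay of the form `command="/usr/local/bin/rudder-rrsync <uuid>",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa ...` (assumed names), so the relay's key can only ever start this script.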

Note:
During our meeting we talked about a user on the agent but I can't
remember why.


If you see something wrong or if you want to add a comment, just hit reply !

Cheers,
-- 
Benoît Peccatte
Responsable cloud development
Normation <http://www.normation.com>
87, Rue de Turbigo, 75003 Paris, France
Phone: +33 (0)1 85 08 48 96
