diff --git a/README.md b/README.md
index 5400c8c..e3ff5c0 100644
--- a/README.md
+++ b/README.md
@@ -38,6 +38,12 @@ Examples showing how to deploy SPIRE on Amazon EKS.
 
 + [EKS-based SAT with SPIRE 1.5.1](examples/k8s/eks_sat) - This slightly modifies the **Kubernetes Simple SAT** configuration to make it compatible with EKS platform.
 
+## SystemD
+
+Examples showing how to start up SPIRE services using SystemD
+
+* [SystemD](examples/systemd) SPIRE services managed by SystemD
+
 ## Getting Help
 
 If you have any questions on the above examples, or anything else related to deploying or maintaining SPIRE, please feel free to either [open an issue](https://github.com/spiffe/spire-examples/issues/new) or ask in #help on our [Slack](https://slack.spiffe.io/).
diff --git a/examples/systemd/Makefile b/examples/systemd/Makefile
new file mode 100644
index 0000000..fe70781
--- /dev/null
+++ b/examples/systemd/Makefile
@@ -0,0 +1,9 @@
+default:
+	@echo Targets:
+	@echo " install"
+
+install:
+	mkdir -p $(DESTDIR)/usr/lib/systemd/system/
+	install system/* $(DESTDIR)/usr/lib/systemd/system/
+	([ ! -f $(DESTDIR)/etc/spire/agent/main.conf ] && mkdir -p $(DESTDIR)/etc/spire/agent && install conf/agent/main.conf $(DESTDIR)/etc/spire/agent/main.conf) || true
+	([ ! -f $(DESTDIR)/etc/spire/server/main.conf ] && mkdir -p $(DESTDIR)/etc/spire/server && install conf/server/main.conf $(DESTDIR)/etc/spire/server/main.conf) || true
diff --git a/examples/systemd/README.md b/examples/systemd/README.md
new file mode 100644
index 0000000..3158b23
--- /dev/null
+++ b/examples/systemd/README.md
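Review bot: The `install` recipe relies on install's default mode of 0755, so the unit files and both main.conf files — the agent one carrying a join token — are installed world-readable and executable; pass an explicit mode, e.g. `install -m 0644 system/* $(DESTDIR)/usr/lib/systemd/system/` and `install -m 0640 conf/agent/main.conf $(DESTDIR)/etc/spire/agent/main.conf` (likewise for the server conf). The `( ... ) || true` wrapper on the last two recipe lines also turns a failed mkdir or install into a silent success, which is wider than the skip-if-present intent; `[ -f $(DESTDIR)/etc/spire/agent/main.conf ] || install -D -m 0640 conf/agent/main.conf $(DESTDIR)/etc/spire/agent/main.conf` keeps the existing-file check while letting a real failure stop make. A short comment on the `install:` target saying that existing configs are deliberately left untouched would make that behaviour discoverable without reading the shell.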
@@ -0,0 +1,48 @@
+# SPIRE services managed by SystemD
+
+To install, download the newest spire-server and spire-agent binaries from the SPIRE website and place in /bin
+
+Run:
+```
+make install
+```
+
+Edit /etc/spire/server/main.conf and update with settings as needed.
+
+Enable the main server:
+
+```
+systemctl enable spire-server@main
+```
+
+Start the main server:
+
+```
+systemctl start spire-server@main
+```
+
+
+# Create a join token
+```
+spire-server token generate -spiffeID spiffe://example.org/changeme -socketPath /run/spire/server/sockets/main/private/api.sock
+```
+
+Edit /etc/spire/agent/main.conf and update with settings as needed, in particular the join token.
+
+Enable the main agent:
+
+```
+systemctl enable spire-agent@main
+```
+
+Start the main agent:
+
+```
+systemctl start spire-agent@main
+```
+
+
+# Show Entries from the main server
+```
+spire-server entry show -socketPath /run/spire/server/sockets/main/private/api.sock
+```
diff --git a/examples/systemd/conf/agent/main.conf b/examples/systemd/conf/agent/main.conf
new file mode 100644
index 0000000..c978dcc
--- /dev/null
+++ b/examples/systemd/conf/agent/main.conf
@@ -0,0 +1,28 @@
+agent {
+    log_level = "DEBUG"
+    trust_domain = "example.org"
+    server_address = "localhost"
+    server_port = 8081
+
+    # Insecure bootstrap is NOT appropriate for production use but is ok for
+    # simple testing/evaluation purposes.
+    insecure_bootstrap = true
+
+    join_token = "cdf1885a-1db8-4a83-aa16-ad8c84761fa8"
+}
+
+plugins {
+    KeyManager "disk" {
+        plugin_data {
+            directory = "./"
+        }
+    }
+
+    NodeAttestor "join_token" {
+        plugin_data {}
+    }
+
+    WorkloadAttestor "systemd" {
+        plugin_data {}
+    }
+}
diff --git a/examples/systemd/conf/server/main.conf b/examples/systemd/conf/server/main.conf
new file mode 100644
index 0000000..7d97e6f
--- /dev/null
+++ b/examples/systemd/conf/server/main.conf
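Review bot: `join_token` is committed with a concrete UUID-shaped value; a join token is a one-shot bootstrap secret that the README tells the operator to replace, so an obviously placeholder value (e.g. `join_token = "REPLACE_WITH_TOKEN_FROM_spire-server_token_generate"`) avoids an agent being started with the sample untouched. Because the unit starts the agent with `-expandEnv`, the token can also be kept out of the config file entirely, e.g. `join_token = "${SPIRE_AGENT_JOIN_TOKEN}"` with the variable supplied from a root-only file via `EnvironmentFile=` in the unit. The existing comment on `insecure_bootstrap = true` would be more actionable if it named the production alternative, e.g. `# For production, set insecure_bootstrap = false and point trust_bundle_path at the server's bundle.`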
@@ -0,0 +1,27 @@
+server {
+    bind_address = "127.0.0.1"
+    bind_port = "8081"
+    trust_domain = "example.org"
+    log_level = "DEBUG"
+    ca_ttl = "168h"
+    default_x509_svid_ttl = "48h"
+}
+
+plugins {
+    DataStore "sql" {
+        plugin_data {
+            database_type = "sqlite3"
+            connection_string = "./datastore.sqlite3"
+        }
+    }
+
+    KeyManager "disk" {
+        plugin_data {
+            keys_path = "./keys.json"
+        }
+    }
+
+    NodeAttestor "join_token" {
+        plugin_data {}
+    }
+}
diff --git a/examples/systemd/system/spire-agent.target b/examples/systemd/system/spire-agent.target
new file mode 100644
index 0000000..7f4feee
--- /dev/null
+++ b/examples/systemd/system/spire-agent.target
@@ -0,0 +1,8 @@
+[Unit]
+Description=SPIRE Agent target allowing to start/stop all spire-agent@.service instances at once
+PartOf=spire.target
+Before=spire.target
+Wants=spire.target
+
+[Install]
+WantedBy=multi-user.target spire.target
diff --git a/examples/systemd/system/spire-agent@.service b/examples/systemd/system/spire-agent@.service
new file mode 100644
index 0000000..b2ada7b
--- /dev/null
+++ b/examples/systemd/system/spire-agent@.service
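Review bot: The relative paths `./datastore.sqlite3` and `./keys.json` are only meaningful because the unit sets `WorkingDirectory=/var/lib/spire/server/%i`; nothing in this file says so, and the disk KeyManager stores the CA signing keys unencrypted at that location, so a comment is warranted, e.g. `# Paths are relative to WorkingDirectory (/var/lib/spire/server/<instance>) set by spire-server@.service; keys.json holds unencrypted CA keys.` `bind_address = "127.0.0.1"` is the right default for a single-host example and matches the agent's `server_address = "localhost"`, but it is the first value a multi-host deployment must change, which a one-line comment could flag. `log_level = "DEBUG"` is fine for evaluation but worth calling out as an example-only setting alongside it.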
@@ -0,0 +1,43 @@
+[Unit]
+Description=SPIRE Agent Daemon %i
+PartOf=spire-agent.target
+After=network-online.target local-fs.target time-sync.target
+Before=remote-fs-pre.target spire-agent.target
+Wants=network-online.target local-fs.target time-sync.target remote-fs-pre.target spire-agent.target
+
+[Service]
+WorkingDirectory=/var/lib/spire/agent/%i
+StateDirectory=spire/agent/%i
+RuntimeDirectory=spire/agent/sockets/%i
+RuntimeDirectoryPreserve=true
+ConfigurationDirectory=spire/agent
+ExecStart=/bin/spire-agent run -config /etc/spire/agent/%i.conf -dataDir /var/lib/spire/agent/%i -socketPath /run/spire/agent/sockets/%i/public/api.sock -expandEnv
+ExecStartPre=mkdir -p /var/lib/spire/agent/%i /run/spire/agent/%i/public
+# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=false
+# Needed by plugins
+PrivateTmp=false
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadOnlyPaths=/
+ReadWritePaths=/var/lib/spire/agent /run/spire/agent
+Restart=on-failure
+RestartSec=15
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+StartLimitBurst=3
+StartLimitInterval=30min
+TasksMax=infinity
+
+[Install]
+WantedBy=spire-agent.target
diff --git a/examples/systemd/system/spire-server.target b/examples/systemd/system/spire-server.target
new file mode 100644
index 0000000..0ad4365
--- /dev/null
+++ b/examples/systemd/system/spire-server.target
@@ -0,0 +1,8 @@
+[Unit]
+Description=SPIRE Server target allowing to start/stop all spire-server@.service instances at once
+PartOf=spire.target
+Before=spire.target
+Wants=spire.target
+
+[Install]
+WantedBy=multi-user.target spire.target
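Review bot: `ExecStartPre=mkdir -p /var/lib/spire/agent/%i /run/spire/agent/%i/public` creates `/run/spire/agent/%i/public`, but `ExecStart` passes `-socketPath /run/spire/agent/sockets/%i/public/api.sock`, so the directory the pre-start creates is not the one the socket lives in; spire-server@.service has the same mismatch (`/run/spire/server/%i/private` versus `.../sockets/%i/private/api.sock`). `StateDirectory=` and `RuntimeDirectory=` already create `/var/lib/spire/agent/%i` and `/run/spire/agent/sockets/%i`, so unless spire-agent creates the socket's parent itself the line only needs the missing leaf, `ExecStartPre=/bin/mkdir -p /run/spire/agent/sockets/%i/public`, with an absolute executable path since older systemd releases accept only absolute paths in Exec*= lines. The unit runs as root (no `User=`), which the agent plausibly needs for workload attestation; a comment such as `# Runs as root: workload attestation needs to inspect other processes` would record that as a deliberate choice rather than an omission. `StartLimitBurst=`/`StartLimitInterval=` appear to be [Unit]-section settings in current systemd (the spelling `StartLimitIntervalSec=`); they are still parsed under [Service] for compatibility, so this is worth confirming against the target systemd version rather than a blocker.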
diff --git a/examples/systemd/system/spire-server@.service b/examples/systemd/system/spire-server@.service
new file mode 100644
index 0000000..c3942e5
--- /dev/null
+++ b/examples/systemd/system/spire-server@.service
@@ -0,0 +1,43 @@
+[Unit]
+Description=SPIRE Server Daemon %i
+PartOf=spire-server.target
+After=network-online.target local-fs.target time-sync.target
+Before=remote-fs-pre.target spire-server.target
+Wants=network-online.target local-fs.target time-sync.target remote-fs-pre.target spire-server.target
+
+[Service]
+WorkingDirectory=/var/lib/spire/server/%i
+StateDirectory=spire/server/%i
+RuntimeDirectory=spire/server/sockets/%i
+RuntimeDirectoryPreserve=true
+ConfigurationDirectory=spire/server
+ExecStart=/bin/spire-server run -config /etc/spire/server/%i.conf -dataDir /var/lib/spire/server/%i -socketPath /run/spire/server/sockets/%i/private/api.sock -expandEnv
+ExecStartPre=mkdir -p /var/lib/spire/server/%i /run/spire/server/%i/private
+# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=false
+# Needed by plugins
+PrivateTmp=false
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadOnlyPaths=/
+ReadWritePaths=/var/lib/spire/server /run/spire/server
+Restart=on-failure
+RestartSec=15
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+StartLimitBurst=3
+StartLimitInterval=30min
+TasksMax=infinity
+
+[Install]
+WantedBy=spire-server.target
diff --git a/examples/systemd/system/spire.target b/examples/systemd/system/spire.target
new file mode 100644
index 0000000..2c8cd0e
--- /dev/null
+++ b/examples/systemd/system/spire.target
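Review bot: spire-server@.service runs as root because the [Service] section sets no `User=`/`Group=`, yet nothing in the unit needs root: the server binds 8081 and writes only under its `StateDirectory=`, `RuntimeDirectory=` and `ConfigurationDirectory=`, all of which systemd creates and chowns to the configured user. Adding `User=spire` and `Group=spire` (or `DynamicUser=yes`) keeps the CA signing keys in `keys.json` and the sqlite datastore out of reach of every other root-free process on the host. The private socket directory `/run/spire/server/sockets/%i/private` should also be confirmed to end up without world access, since that socket is the server's admin API; if spire-server does not tighten it itself, `RuntimeDirectoryMode=0700` and `StateDirectoryMode=0700` do so from the unit. The `ExecStartPre` path mismatch with `-socketPath` is noted on the spire-agent@.service hunk and applies here as well.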
@@ -0,0 +1,5 @@
+[Unit]
+Description=SPIRE target allowing to start/stop all spire*@.service instances at once
+
+[Install]
+WantedBy=multi-user.target