From 31b6f6d927bf2cb9352fc779942def20a9556d48 Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Sun, 7 Apr 2024 16:07:50 -0700
Subject: [PATCH 01/13] Add systemd example
Signed-off-by: Kevin Fox
---
 examples/systemd/Makefile | 8 ++++
 examples/systemd/README.md | 40 +++++++++++++++++
 examples/systemd/conf/agent/main.conf | 28 ++++++++++++
 examples/systemd/conf/server/main.conf | 27 ++++++++++++
 examples/systemd/system/spire-agent.target | 8 ++++
 examples/systemd/system/spire-agent@.service | 44 +++++++++++++++++++
 examples/systemd/system/spire-server.target | 8 ++++
 examples/systemd/system/spire-server@.service | 44 +++++++++++++++++++
 examples/systemd/system/spire.target | 5 +++
 9 files changed, 212 insertions(+)
 create mode 100644 examples/systemd/Makefile
 create mode 100644 examples/systemd/README.md
 create mode 100644 examples/systemd/conf/agent/main.conf
 create mode 100644 examples/systemd/conf/server/main.conf
 create mode 100644 examples/systemd/system/spire-agent.target
 create mode 100644 examples/systemd/system/spire-agent@.service
 create mode 100644 examples/systemd/system/spire-server.target
 create mode 100644 examples/systemd/system/spire-server@.service
 create mode 100644 examples/systemd/system/spire.target
diff --git a/examples/systemd/Makefile b/examples/systemd/Makefile
new file mode 100644
index 0000000..cd71fd5
--- /dev/null
+++ b/examples/systemd/Makefile
@@ -0,0 +1,8 @@
+default:
+ @echo Targets:
+ @echo " install"
+
+install:
+ sudo cp system/* /usr/lib/systemd/system/
+ sudo systemctl daemon-reload
+ #cp -a /etc/spire/agent/main.conf agent/
diff --git a/examples/systemd/README.md b/examples/systemd/README.md
new file mode 100644
index 0000000..a06ef27
--- /dev/null
+++ b/examples/systemd/README.md
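Review bot: Neither `default` nor `install` is declared phony, so a file or directory named `install` inside examples/systemd makes `make install` report it as up to date and copy nothing; add `.PHONY: default install` above the `default:` rule. The hard-coded destination `/usr/lib/systemd/system/` is also not universal (older Debian-family releases keep vendor units under `/lib/systemd/system`), so a `UNITDIR ?= /usr/lib/systemd/system` variable used by the recipe would let users override it without editing the file.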
@@ -0,0 +1,40 @@
+To install, download the newest spire-server and spire-agent binaries from the spire website and place in /bin
+
+Run:
+```
+make install
+```
+
+Edit /etc/spire/server/main.conf and update with settings as needed.
+
+Edit /etc/spire/agent/main.conf and update with settings as needed.
+
+Enable the main server:
+
+```
+systemctl enable spire-server@main
+```
+
+Start the main server:
+
+```
+systemctl enable spire-server@main
+```
+
+Enable the main agent:
+
+```
+systemctl enable spire-agent@main
+```
+
+Start the main server:
+
+```
+systemctl enable spire-agent@main
+```
+
+
+# Show Entries from the main server
+```
+spire-server entry show -socketPath /run/spire/server/main/private/api.sock
+```
diff --git a/examples/systemd/conf/agent/main.conf b/examples/systemd/conf/agent/main.conf
new file mode 100644
index 0000000..c978dcc
--- /dev/null
+++ b/examples/systemd/conf/agent/main.conf
@@ -0,0 +1,28 @@
+agent {
+ log_level = "DEBUG"
+ trust_domain = "example.org"
+ server_address = "localhost"
+ server_port = 8081
+
+ # Insecure bootstrap is NOT appropriate for production use but is ok for
+ # simple testing/evaluation purposes.
+ insecure_bootstrap = true
+
+ join_token = "cdf1885a-1db8-4a83-aa16-ad8c84761fa8"
+}
+
+plugins {
+ KeyManager "disk" {
+ plugin_data {
+ directory = "./"
+ }
+ }
+
+ NodeAttestor "join_token" {
+ plugin_data {}
+ }
+
+ WorkloadAttestor "systemd" {
+ plugin_data {}
+ }
+}
diff --git a/examples/systemd/conf/server/main.conf b/examples/systemd/conf/server/main.conf
new file mode 100644
index 0000000..7d97e6f
--- /dev/null
+++ b/examples/systemd/conf/server/main.conf
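Review bot: `join_token` is set to a concrete UUID-style value that reads like a real token rather than a placeholder, which invites copy-paste into a deployment even though a join token is a one-time credential that has to come from `spire-server token generate`; an obviously fake value such as `join_token = "REPLACE-WITH-GENERATED-JOIN-TOKEN"` makes the edit step unmissable. `directory = "./"` for the disk KeyManager is relative, so the agent's private key is written wherever the process's working directory happens to be — here `WorkingDirectory=/var/lib/spire/agent/%i` from spire-agent@.service — and a comment such as `# Relative to WorkingDirectory set in spire-agent@.service (/var/lib/spire/agent/%i)` would make that coupling explicit. The same relative-path coupling applies to `connection_string` and `keys_path` in conf/server/main.conf in the next hunk.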
@@ -0,0 +1,27 @@
+server {
+ bind_address = "127.0.0.1"
+ bind_port = "8081"
+ trust_domain = "example.org"
+ log_level = "DEBUG"
+ ca_ttl = "168h"
+ default_x509_svid_ttl = "48h"
+}
+
+plugins {
+ DataStore "sql" {
+ plugin_data {
+ database_type = "sqlite3"
+ connection_string = "./datastore.sqlite3"
+ }
+ }
+
+ KeyManager "disk" {
+ plugin_data {
+ keys_path = "./keys.json"
+ }
+ }
+
+ NodeAttestor "join_token" {
+ plugin_data {}
+ }
+}
diff --git a/examples/systemd/system/spire-agent.target b/examples/systemd/system/spire-agent.target
new file mode 100644
index 0000000..7f4feee
--- /dev/null
+++ b/examples/systemd/system/spire-agent.target
@@ -0,0 +1,8 @@
+[Unit]
+Description=SPIRE Agent target allowing to start/stop all spire-agent@.service instances at once
+PartOf=spire.target
+Before=spire.target
+Wants=spire.target
+
+[Install]
+WantedBy=multi-user.target spire.target
diff --git a/examples/systemd/system/spire-agent@.service b/examples/systemd/system/spire-agent@.service
new file mode 100644
index 0000000..4341900
--- /dev/null
+++ b/examples/systemd/system/spire-agent@.service
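Review bot: `ca_ttl = "168h"` combined with `default_x509_svid_ttl = "48h"` gives a CA lifetime only 3.5 times the SVID TTL; as far as I recall SPIRE's documentation recommends the CA TTL be at least six times the SVID TTL so SVIDs outlive a CA rotation, and the server logs a warning for smaller ratios, so either shorten the SVID TTL (for example `default_x509_svid_ttl = "24h"`) or add a comment stating the short values are deliberate for evaluation. `KeyManager "disk"` stores the CA signing key in plaintext at `keys_path`, which resolves under the instance's `/var/lib/spire/server/%i` working directory; an example is the place where a one-line comment saying so helps readers understand what that file protects. `bind_port = "8081"` is a quoted string while the agent config uses `server_port = 8081`; choosing one form for both files avoids confusion when they are edited together.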
@@ -0,0 +1,44 @@
+[Unit]
+Description=SPIRE Agent Daemon %i
+PartOf=spire-agent.target
+After=network-online.target local-fs.target time-sync.target
+Before=remote-fs-pre.target spire-agent.target
+Wants=network-online.target local-fs.target time-sync.target remote-fs-pre.target spire-agent.target
+
+[Service]
+WorkingDirectory=/var/lib/spire/agent/%i
+StateDirectory=spire/agent/%i
+RuntimeDirectory=spire/agent/%i
+RuntimeDirectoryPreserve=true
+ConfigurationDirectory=spire/agent
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/bin/spire-agent run -config /etc/spire/agent/%i.conf -dataDir /var/lib/spire/agent/%i -socketPath /run/spire/agent/%i/public/api.sock -expandEnv
+ExecStartPre=mkdir -p /var/lib/spire/agent/%i /run/spire/agent/%i/public
+# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=false
+# Needed by plugins
+PrivateTmp=false
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadOnlyPaths=/
+ReadWritePaths=/var/lib/spire/agent /run/spire/agent
+Restart=on-failure
+RestartSec=15
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+StartLimitBurst=3
+StartLimitInterval=30min
+TasksMax=infinity
+
+[Install]
+WantedBy=spire-agent.target
diff --git a/examples/systemd/system/spire-server.target b/examples/systemd/system/spire-server.target
new file mode 100644
index 0000000..03bd9b7
--- /dev/null
+++ b/examples/systemd/system/spire-server.target
@@ -0,0 +1,8 @@
+[Unit]
+Description=SPIRE Server target allowing to start/stop all spire-server@.service instances at once
+PartOf=spire.target
+Before=ceph.target
+Wants=spire.target
+
+[Install]
+WantedBy=multi-user.target spire.target
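Review bot: `ExecStartPre=mkdir -p …` names the binary without a path; systemd only resolves bare command names through $PATH from version 239 onward, so on older hosts the unit fails before `ExecStart`, and `ExecStartPre=/usr/bin/mkdir -p /var/lib/spire/agent/%i /run/spire/agent/%i/public` is portable. `ReadWritePaths=/var/lib/spire/agent /run/spire/agent` lets every `%i` instance write into every other instance's state and socket directories, which is wider than the per-instance layout needs; I believe `StateDirectory=`/`RuntimeDirectory=` are already made writable under `ProtectSystem=strict`, so the line could be narrowed to `ReadWritePaths=/var/lib/spire/agent/%i /run/spire/agent/%i` or dropped. `TasksMax=infinity` removes the default task cap for a service that, as written, runs as root, so a comment saying why the agent needs an unlimited task count would help the next reader. The same three points apply to spire-server@.service in the next hunk.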
diff --git a/examples/systemd/system/spire-server@.service b/examples/systemd/system/spire-server@.service
new file mode 100644
index 0000000..e607906
--- /dev/null
+++ b/examples/systemd/system/spire-server@.service
@@ -0,0 +1,44 @@
+[Unit]
+Description=SPIRE Server Daemon %i
+PartOf=spire-server.target
+After=network-online.target local-fs.target time-sync.target
+Before=remote-fs-pre.target spire-server.target
+Wants=network-online.target local-fs.target time-sync.target remote-fs-pre.target spire-server.target
+
+[Service]
+WorkingDirectory=/var/lib/spire/server/%i
+StateDirectory=spire/server/%i
+RuntimeDirectory=spire/server/%i
+RuntimeDirectoryPreserve=true
+ConfigurationDirectory=spire/agent
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/bin/spire-server run -config /etc/spire/server/%i.conf -dataDir /var/lib/spire/server/%i -socketPath /run/spire/server/%i/private/api.sock -expandEnv
+ExecStartPre=mkdir -p /var/lib/spire/server/%i /run/spire/server/%i/private
+# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=false
+# Needed by plugins
+PrivateTmp=false
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadOnlyPaths=/
+ReadWritePaths=/var/lib/spire/server /run/spire/server
+Restart=on-failure
+RestartSec=15
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+StartLimitBurst=3
+StartLimitInterval=30min
+TasksMax=infinity
+
+[Install]
+WantedBy=spire-server.target
diff --git a/examples/systemd/system/spire.target b/examples/systemd/system/spire.target
new file mode 100644
index 0000000..2c8cd0e
--- /dev/null
+++ b/examples/systemd/system/spire.target
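Review bot: The [Service] section sets no `User=`/`Group=`, so spire-server runs as root even though the rest of the unit is hardened; unlike the agent, which typically needs host privileges for workload attestation, the server only binds 127.0.0.1:8081 and writes under its state directory, so a dedicated account (`User=spire-server` or `DynamicUser=yes`) fits the `StateDirectory=`/`RuntimeDirectory=` lines already present, since systemd creates and chowns those directories for the service user. `ExecStartPre=mkdir -p … /run/spire/server/%i/private` creates the directory that will hold the server's private API socket with whatever the default umask yields; anything that can connect to that socket has full administrative control of the server, so the mode should be explicit, e.g. `ExecStartPre=/usr/bin/mkdir -p -m 0700 /run/spire/server/%i/private`, unless spire-server is known to tighten the socket permissions itself (I have not verified that here).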
@@ -0,0 +1,5 @@
+[Unit]
+Description=SPIRE target allowing to start/stop all spire*@.service instances at once
+
+[Install]
+WantedBy=multi-user.target
From 5fca5e3665f402246631bad2bf2cb9c9a0b7d4eb Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Sun, 7 Apr 2024 16:21:17 -0700
Subject: [PATCH 02/13] Install config files
Signed-off-by: Kevin Fox
---
 examples/systemd/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/examples/systemd/Makefile b/examples/systemd/Makefile
index cd71fd5..a2bc3e7 100644
--- a/examples/systemd/Makefile
+++ b/examples/systemd/Makefile
@@ -5,4 +5,5 @@ default:
 install:
 sudo cp system/* /usr/lib/systemd/system/
 sudo systemctl daemon-reload
- #cp -a /etc/spire/agent/main.conf agent/
+ ([ ! -f /etc/spire/agent/main.conf ] && sudo mkdir -p /etc/spire/agent && sudo cp -a conf/agent/main.conf /etc/spire/agent/main.conf) || true
+ ([ ! -f /etc/spire/agent/main.conf ] && sudo mkdir -p /etc/spire/server && sudo cp -a conf/server/main.conf /etc/spire/server/main.conf) || true
From d8841b62f420701765350349bca35c10d94d2785 Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Tue, 9 Apr 2024 04:30:24 -0700
Subject: [PATCH 03/13] Align layout with the chart
Signed-off-by: Kevin Fox
---
 examples/systemd/README.md | 4 ++--
 examples/systemd/system/spire-agent@.service | 4 ++--
 examples/systemd/system/spire-server@.service | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/examples/systemd/README.md b/examples/systemd/README.md
index a06ef27..04084d9 100644
--- a/examples/systemd/README.md
+++ b/examples/systemd/README.md
@@ -1,4 +1,4 @@
-To install, download the newest spire-server and spire-agent binaries from the spire website and place in /bin
+To install, download the newest spire-server and spire-agent binaries from the SPIRE website and place in /bin
 
 Run:
 ```
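Review bot: Wrapping each config copy in `( … ) || true` makes the `install` target succeed even when `mkdir -p` or `cp -a` fails (a permission error, or a missing `conf/` file), so a broken install exits 0 and is only noticed when the unit fails to start. `[ -f /etc/spire/agent/main.conf ] || (sudo mkdir -p /etc/spire/agent && sudo cp -a conf/agent/main.conf /etc/spire/agent/main.conf)` keeps the skip-if-present behaviour while letting real failures propagate, and the server line can be rewritten the same way. This construct is carried forward unchanged through the later Makefile hunks in patches 04–09 and 11, so the same remark applies there.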
@@ -36,5 +36,5 @@ systemctl enable spire-agent@main
 
 # Show Entries from the main server
 ```
-spire-server entry show -socketPath /run/spire/server/main/private/api.sock
+spire-server entry show -socketPath /run/spire/server/sockets/main/private/api.sock
 ```
diff --git a/examples/systemd/system/spire-agent@.service b/examples/systemd/system/spire-agent@.service
index 4341900..4f59474 100644
--- a/examples/systemd/system/spire-agent@.service
+++ b/examples/systemd/system/spire-agent@.service
@@ -8,11 +8,11 @@ Wants=network-online.target local-fs.target time-sync.target remote-fs-pre.targe
 [Service]
 WorkingDirectory=/var/lib/spire/agent/%i
 StateDirectory=spire/agent/%i
-RuntimeDirectory=spire/agent/%i
+RuntimeDirectory=spire/agent/sockets/%i
 RuntimeDirectoryPreserve=true
 ConfigurationDirectory=spire/agent
 ExecReload=/bin/kill -HUP $MAINPID
-ExecStart=/bin/spire-agent run -config /etc/spire/agent/%i.conf -dataDir /var/lib/spire/agent/%i -socketPath /run/spire/agent/%i/public/api.sock -expandEnv
+ExecStart=/bin/spire-agent run -config /etc/spire/agent/%i.conf -dataDir /var/lib/spire/agent/%i -socketPath /run/spire/agent/sockets/%i/public/api.sock -expandEnv
 ExecStartPre=mkdir -p /var/lib/spire/agent/%i /run/spire/agent/%i/public
 # https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
 LockPersonality=true
diff --git a/examples/systemd/system/spire-server@.service b/examples/systemd/system/spire-server@.service
index e607906..4cf5c58 100644
--- a/examples/systemd/system/spire-server@.service
+++ b/examples/systemd/system/spire-server@.service
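Review bot: `RuntimeDirectory=` and `-socketPath` now point at `/run/spire/agent/sockets/%i/public/api.sock`, but the unchanged context line `ExecStartPre=mkdir -p /var/lib/spire/agent/%i /run/spire/agent/%i/public` still creates the old `public` directory under `/run/spire/agent/%i`, so the socket's parent directory is no longer created by the unit and a stale directory is left behind on every start. Unless spire-agent is known to create the parent of its socket path itself, update it to `ExecStartPre=mkdir -p /var/lib/spire/agent/%i /run/spire/agent/sockets/%i/public`. The spire-server@.service hunk that follows has the same mismatch between `/run/spire/server/%i/private` in `ExecStartPre` and `/run/spire/server/sockets/%i/private/api.sock` in `ExecStart`.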
@@ -8,11 +8,11 @@ Wants=network-online.target local-fs.target time-sync.target remote-fs-pre.targe
 [Service]
 WorkingDirectory=/var/lib/spire/server/%i
 StateDirectory=spire/server/%i
-RuntimeDirectory=spire/server/%i
+RuntimeDirectory=spire/server/sockets/%i
 RuntimeDirectoryPreserve=true
 ConfigurationDirectory=spire/agent
 ExecReload=/bin/kill -HUP $MAINPID
-ExecStart=/bin/spire-server run -config /etc/spire/server/%i.conf -dataDir /var/lib/spire/server/%i -socketPath /run/spire/server/%i/private/api.sock -expandEnv
+ExecStart=/bin/spire-server run -config /etc/spire/server/%i.conf -dataDir /var/lib/spire/server/%i -socketPath /run/spire/server/sockets/%i/private/api.sock -expandEnv
 ExecStartPre=mkdir -p /var/lib/spire/server/%i /run/spire/server/%i/private
 # https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
 LockPersonality=true
From c7c9c6a4fa15782d8b8fd31b7bec461e36753e12 Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Tue, 9 Apr 2024 04:58:15 -0700
Subject: [PATCH 04/13] Add DESTDIR option
Signed-off-by: Kevin Fox
---
 examples/systemd/Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/examples/systemd/Makefile b/examples/systemd/Makefile
index a2bc3e7..689b7fa 100644
--- a/examples/systemd/Makefile
+++ b/examples/systemd/Makefile
@@ -3,7 +3,7 @@ default:
 @echo " install"
 
 install:
- sudo cp system/* /usr/lib/systemd/system/
+ sudo cp system/* $(DESTDIR)/usr/lib/systemd/system/
 sudo systemctl daemon-reload
- ([ ! -f /etc/spire/agent/main.conf ] && sudo mkdir -p /etc/spire/agent && sudo cp -a conf/agent/main.conf /etc/spire/agent/main.conf) || true
- ([ ! -f /etc/spire/agent/main.conf ] && sudo mkdir -p /etc/spire/server && sudo cp -a conf/server/main.conf /etc/spire/server/main.conf) || true
+ ([ ! -f $(DESTDIR)/etc/spire/agent/main.conf ] && sudo mkdir -p $(DESTDIR)etc/spire/agent && sudo cp -a conf/agent/main.conf $(DESTDIR)/etc/spire/agent/main.conf) || true
+ ([ ! -f $(DESTDIR)/etc/spire/agent/main.conf ] && sudo mkdir -p $(DESTDIR)etc/spire/server && sudo cp -a conf/server/main.conf $(DESTDIR)/etc/spire/server/main.conf) || true
From 48ea1810fae35fc31776a8dc71124ea204849c41 Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Tue, 9 Apr 2024 05:01:20 -0700
Subject: [PATCH 05/13] Remove sudo
Signed-off-by: Kevin Fox
---
 examples/systemd/Makefile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/examples/systemd/Makefile b/examples/systemd/Makefile
index 689b7fa..4695c8c 100644
--- a/examples/systemd/Makefile
+++ b/examples/systemd/Makefile
@@ -3,7 +3,7 @@ default:
 @echo " install"
 
 install:
- sudo cp system/* $(DESTDIR)/usr/lib/systemd/system/
- sudo systemctl daemon-reload
- ([ ! -f $(DESTDIR)/etc/spire/agent/main.conf ] && sudo mkdir -p $(DESTDIR)etc/spire/agent && sudo cp -a conf/agent/main.conf $(DESTDIR)/etc/spire/agent/main.conf) || true
- ([ ! -f $(DESTDIR)/etc/spire/agent/main.conf ] && sudo mkdir -p $(DESTDIR)etc/spire/server && sudo cp -a conf/server/main.conf $(DESTDIR)/etc/spire/server/main.conf) || true
+ cp system/* $(DESTDIR)/usr/lib/systemd/system/
+ systemctl daemon-reload
+ ([ ! -f $(DESTDIR)/etc/spire/agent/main.conf ] && mkdir -p $(DESTDIR)etc/spire/agent && cp -a conf/agent/main.conf $(DESTDIR)/etc/spire/agent/main.conf) || true
+ ([ ! -f $(DESTDIR)/etc/spire/agent/main.conf ] && mkdir -p $(DESTDIR)etc/spire/server && cp -a conf/server/main.conf $(DESTDIR)/etc/spire/server/main.conf) || true
From 02dc0e8993046f3d6f9e1b0d330412e4523a4cc8 Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Tue, 9 Apr 2024 05:02:52 -0700
Subject: [PATCH 06/13] Add mkdir
Signed-off-by: Kevin Fox
---
 examples/systemd/Makefile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/examples/systemd/Makefile b/examples/systemd/Makefile
index 4695c8c..ce15de0 100644
--- a/examples/systemd/Makefile
+++ b/examples/systemd/Makefile
@@ -3,6 +3,7 @@ default:
 @echo " install"
 
 install:
+ mkdir -p $(DESTDIR)/usr/lib/systemd/system/
 cp system/* $(DESTDIR)/usr/lib/systemd/system/
 systemctl daemon-reload
 ([ ! -f $(DESTDIR)/etc/spire/agent/main.conf ] && mkdir -p $(DESTDIR)etc/spire/agent && cp -a conf/agent/main.conf $(DESTDIR)/etc/spire/agent/main.conf) || true
From f220575b3852e524321f88ea783c442fdda882ea Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Tue, 9 Apr 2024 05:03:40 -0700
Subject: [PATCH 07/13] Don't dameon-reload
Signed-off-by: Kevin Fox
---
 examples/systemd/Makefile | 1 -
 1 file changed, 1 deletion(-)
diff --git a/examples/systemd/Makefile b/examples/systemd/Makefile
index ce15de0..1e2ad8e 100644
--- a/examples/systemd/Makefile
+++ b/examples/systemd/Makefile
@@ -5,6 +5,5 @@ default:
 install:
 mkdir -p $(DESTDIR)/usr/lib/systemd/system/
 cp system/* $(DESTDIR)/usr/lib/systemd/system/
- systemctl daemon-reload
 ([ ! -f $(DESTDIR)/etc/spire/agent/main.conf ] && mkdir -p $(DESTDIR)etc/spire/agent && cp -a conf/agent/main.conf $(DESTDIR)/etc/spire/agent/main.conf) || true
 ([ ! -f $(DESTDIR)/etc/spire/agent/main.conf ] && mkdir -p $(DESTDIR)etc/spire/server && cp -a conf/server/main.conf $(DESTDIR)/etc/spire/server/main.conf) || true
From 68eefb5a4ecd2f1af2db988f88139e4f0a2a7362 Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Tue, 9 Apr 2024 06:35:46 -0700
Subject: [PATCH 08/13] Fix mkdir
Signed-off-by: Kevin Fox
---
 examples/systemd/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/examples/systemd/Makefile b/examples/systemd/Makefile
index 1e2ad8e..f00e98d 100644
--- a/examples/systemd/Makefile
+++ b/examples/systemd/Makefile
@@ -5,5 +5,5 @@ default:
 install:
 mkdir -p $(DESTDIR)/usr/lib/systemd/system/
 cp system/* $(DESTDIR)/usr/lib/systemd/system/
- ([ ! -f $(DESTDIR)/etc/spire/agent/main.conf ] && mkdir -p $(DESTDIR)etc/spire/agent && cp -a conf/agent/main.conf $(DESTDIR)/etc/spire/agent/main.conf) || true
- ([ ! -f $(DESTDIR)/etc/spire/agent/main.conf ] && mkdir -p $(DESTDIR)etc/spire/server && cp -a conf/server/main.conf $(DESTDIR)/etc/spire/server/main.conf) || true
+ ([ ! -f $(DESTDIR)/etc/spire/agent/main.conf ] && mkdir -p $(DESTDIR)/etc/spire/agent && cp -a conf/agent/main.conf $(DESTDIR)/etc/spire/agent/main.conf) || true
+ ([ ! -f $(DESTDIR)/etc/spire/agent/main.conf ] && mkdir -p $(DESTDIR)/etc/spire/server && cp -a conf/server/main.conf $(DESTDIR)/etc/spire/server/main.conf) || true
From 5da062cd1c1f5d939a702fbf68b269981775336d Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Tue, 9 Apr 2024 06:40:07 -0700
Subject: [PATCH 09/13] Fix server config install
Signed-off-by: Kevin Fox
---
 examples/systemd/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/systemd/Makefile b/examples/systemd/Makefile
index f00e98d..1d426f8 100644
--- a/examples/systemd/Makefile
+++ b/examples/systemd/Makefile
@@ -6,4 +6,4 @@ install:
 mkdir -p $(DESTDIR)/usr/lib/systemd/system/
 cp system/* $(DESTDIR)/usr/lib/systemd/system/
 ([ ! -f $(DESTDIR)/etc/spire/agent/main.conf ] && mkdir -p $(DESTDIR)/etc/spire/agent && cp -a conf/agent/main.conf $(DESTDIR)/etc/spire/agent/main.conf) || true
- ([ ! -f $(DESTDIR)/etc/spire/agent/main.conf ] && mkdir -p $(DESTDIR)/etc/spire/server && cp -a conf/server/main.conf $(DESTDIR)/etc/spire/server/main.conf) || true
+ ([ ! -f $(DESTDIR)/etc/spire/server/main.conf ] && mkdir -p $(DESTDIR)/etc/spire/server && cp -a conf/server/main.conf $(DESTDIR)/etc/spire/server/main.conf) || true
From baf2309097df88b147fddd34c6e72cae1b78a46c Mon Sep 17 00:00:00 2001
From: kfox1111
Date: Thu, 11 Apr 2024 06:15:27 -0700
Subject: [PATCH 10/13] Update examples/systemd/system/spire-server@.service
Co-authored-by: Sorin Dumitru
Signed-off-by: Kevin Fox
---
 examples/systemd/system/spire-server@.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/systemd/system/spire-server@.service b/examples/systemd/system/spire-server@.service
index 4cf5c58..5e4a21b 100644
--- a/examples/systemd/system/spire-server@.service
+++ b/examples/systemd/system/spire-server@.service
@@ -10,7 +10,7 @@ WorkingDirectory=/var/lib/spire/server/%i
 StateDirectory=spire/server/%i
 RuntimeDirectory=spire/server/sockets/%i
 RuntimeDirectoryPreserve=true
-ConfigurationDirectory=spire/agent
+ConfigurationDirectory=spire/server
 ExecReload=/bin/kill -HUP $MAINPID
 ExecStart=/bin/spire-server run -config /etc/spire/server/%i.conf -dataDir /var/lib/spire/server/%i -socketPath /run/spire/server/sockets/%i/private/api.sock -expandEnv
 ExecStartPre=mkdir -p /var/lib/spire/server/%i /run/spire/server/%i/private
From 735b77f15e85274f997e1ee771b9252fd481c142 Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Thu, 11 Apr 2024 06:29:40 -0700
Subject: [PATCH 11/13] Incorperate feedback
Signed-off-by: Kevin Fox
---
 examples/systemd/Makefile | 6 +++---
 examples/systemd/README.md | 16 +++++++++++-----
 examples/systemd/system/spire-server.target | 2 +-
 3 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/examples/systemd/Makefile b/examples/systemd/Makefile
index 1d426f8..fe70781 100644
--- a/examples/systemd/Makefile
+++ b/examples/systemd/Makefile
@@ -4,6 +4,6 @@ default:
 
 install:
 mkdir -p $(DESTDIR)/usr/lib/systemd/system/
- cp system/* $(DESTDIR)/usr/lib/systemd/system/
- ([ ! -f $(DESTDIR)/etc/spire/agent/main.conf ] && mkdir -p $(DESTDIR)/etc/spire/agent && cp -a conf/agent/main.conf $(DESTDIR)/etc/spire/agent/main.conf) || true
- ([ ! -f $(DESTDIR)/etc/spire/server/main.conf ] && mkdir -p $(DESTDIR)/etc/spire/server && cp -a conf/server/main.conf $(DESTDIR)/etc/spire/server/main.conf) || true
+ install system/* $(DESTDIR)/usr/lib/systemd/system/
+ ([ ! -f $(DESTDIR)/etc/spire/agent/main.conf ] && mkdir -p $(DESTDIR)/etc/spire/agent && install conf/agent/main.conf $(DESTDIR)/etc/spire/agent/main.conf) || true
+ ([ ! -f $(DESTDIR)/etc/spire/server/main.conf ] && mkdir -p $(DESTDIR)/etc/spire/server && install conf/server/main.conf $(DESTDIR)/etc/spire/server/main.conf) || true
diff --git a/examples/systemd/README.md b/examples/systemd/README.md
index 04084d9..f24494f 100644
--- a/examples/systemd/README.md
+++ b/examples/systemd/README.md
@@ -7,8 +7,6 @@ make install
 
 Edit /etc/spire/server/main.conf and update with settings as needed.
 
-Edit /etc/spire/agent/main.conf and update with settings as needed.
-
 Enable the main server:
 
 ```
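Review bot: `install` without `-m` creates its destination files with the default mode 0755, so the three added lines leave the unit files and both configs executable and world-readable; the unit files want `install -m 0644 system/* $(DESTDIR)/usr/lib/systemd/system/`, and the config files — the agent's carries the join token once filled in, the server's points at the CA key store — want `install -m 0600 conf/agent/main.conf $(DESTDIR)/etc/spire/agent/main.conf` and the same for `conf/server/main.conf`. The `cp -a` it replaces at least preserved the checkout's mode, so this hunk is a small regression in that respect.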
@@ -18,19 +16,27 @@ systemctl enable spire-server@main
 Start the main server:
 
 ```
-systemctl enable spire-server@main
+systemctl start spire-server@main
 ```
 
+
+# Create a join token
+```
+spire-server token generate -spiffeID spiffe://example.org/changeme -socketPath /run/spire/server/sockets/main/private/api.sock
+```
+
+Edit /etc/spire/agent/main.conf and update with settings as needed, in particular the join token.
+
 Enable the main agent:
 
 ```
 systemctl enable spire-agent@main
 ```
 
-Start the main server:
+Start the main agent:
 
 ```
-systemctl enable spire-agent@main
+systemctl start spire-agent@main
 ```
 
 
diff --git a/examples/systemd/system/spire-server.target b/examples/systemd/system/spire-server.target
index 03bd9b7..0ad4365 100644
--- a/examples/systemd/system/spire-server.target
+++ b/examples/systemd/system/spire-server.target
@@ -1,7 +1,7 @@
 [Unit]
 Description=SPIRE Server target allowing to start/stop all spire-server@.service instances at once
 PartOf=spire.target
-Before=ceph.target
+Before=spire.target
 Wants=spire.target
 
 [Install]
From fb2afb3cf371c30cc6297407e6057805027cdc83 Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Thu, 11 Apr 2024 06:36:03 -0700
Subject: [PATCH 12/13] Remove broken reload signal
Signed-off-by: Kevin Fox
---
 examples/systemd/system/spire-agent@.service | 1 -
 examples/systemd/system/spire-server@.service | 1 -
 2 files changed, 2 deletions(-)
diff --git a/examples/systemd/system/spire-agent@.service b/examples/systemd/system/spire-agent@.service
index 4f59474..b2ada7b 100644
--- a/examples/systemd/system/spire-agent@.service
+++ b/examples/systemd/system/spire-agent@.service
@@ -11,7 +11,6 @@ StateDirectory=spire/agent/%i
 RuntimeDirectory=spire/agent/sockets/%i
 RuntimeDirectoryPreserve=true
 ConfigurationDirectory=spire/agent
-ExecReload=/bin/kill -HUP $MAINPID
 ExecStart=/bin/spire-agent run -config /etc/spire/agent/%i.conf -dataDir /var/lib/spire/agent/%i -socketPath /run/spire/agent/sockets/%i/public/api.sock -expandEnv
 ExecStartPre=mkdir -p /var/lib/spire/agent/%i /run/spire/agent/%i/public
 # https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
diff --git a/examples/systemd/system/spire-server@.service b/examples/systemd/system/spire-server@.service
index 5e4a21b..c3942e5 100644
--- a/examples/systemd/system/spire-server@.service
+++ b/examples/systemd/system/spire-server@.service
@@ -11,7 +11,6 @@ StateDirectory=spire/server/%i
 RuntimeDirectory=spire/server/sockets/%i
 RuntimeDirectoryPreserve=true
 ConfigurationDirectory=spire/server
-ExecReload=/bin/kill -HUP $MAINPID
 ExecStart=/bin/spire-server run -config /etc/spire/server/%i.conf -dataDir /var/lib/spire/server/%i -socketPath /run/spire/server/sockets/%i/private/api.sock -expandEnv
 ExecStartPre=mkdir -p /var/lib/spire/server/%i /run/spire/server/%i/private
 # https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
From b23e7d2b13ceb55f7a6ff207304409091f306c4e Mon Sep 17 00:00:00 2001
From: Kevin Fox
Date: Tue, 16 Jul 2024 13:14:41 -0700
Subject: [PATCH 13/13] Incorperate feedback
Signed-off-by: Kevin Fox
---
 README.md | 6 ++++++
 examples/systemd/README.md | 2 ++
 2 files changed, 8 insertions(+)
diff --git a/README.md b/README.md
index 5400c8c..e3ff5c0 100644
--- a/README.md
+++ b/README.md
@@ -38,6 +38,12 @@ Examples showing how to deploy SPIRE on Amazon EKS.
 + [EKS-based SAT with SPIRE 1.5.1](examples/k8s/eks_sat) - This slightly modifies the **Kubernetes Simple SAT** configuration to make it compatible with EKS platform.
 
+## SystemD
+
+Examples showing how to start up SPIRE services using SystemD
+
+* [SystemD](examples/systemd) SPIRE services managed by SystemD
+
 ## Getting Help
 
 If you have any questions on the above examples, or anything else related to deploying or maintaining SPIRE, please feel free to either [open an issue](https://github.com/spiffe/spire-examples/issues/new) or ask in #help on our [Slack](https://slack.spiffe.io/).
 
diff --git a/examples/systemd/README.md b/examples/systemd/README.md
index f24494f..3158b23 100644
--- a/examples/systemd/README.md
+++ b/examples/systemd/README.md
@@ -1,3 +1,5 @@
+# SPIRE services managed by SystemD
+
 To install, download the newest spire-server and spire-agent binaries from the SPIRE website and place in /bin
 
 Run: