Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add systemd example #64

Merged
merged 13 commits into from
Jul 17, 2024
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Add systemd example
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
  • Loading branch information
kfox1111 committed Apr 7, 2024
commit 31b6f6d927bf2cb9352fc779942def20a9556d48
8 changes: 8 additions & 0 deletions examples/systemd/Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
default:
@echo Targets:
@echo " install"

install:
sudo cp system/* /usr/lib/systemd/system/
sudo systemctl daemon-reload
#cp -a /etc/spire/agent/main.conf agent/
40 changes: 40 additions & 0 deletions examples/systemd/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
To install, download the newest spire-server and spire-agent binaries from the spire website and place in /bin

Run:
```
make install
```

Edit /etc/spire/server/main.conf and update with settings as needed.

Edit /etc/spire/agent/main.conf and update with settings as needed.

Enable the main server:

```
systemctl enable spire-server@main
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does the "@main" have any benefit here? I'd keep it simple and not have these parameterized

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah. It lets you have multiple servers/agents. Either for nesting or redundancy. I do plan on using both.

```

Start the main server:

```
systemctl enable spire-server@main
```

Enable the main agent:
Comment on lines +31 to +32
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should also specify how to fetch the join token and how to pass it to the service.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated.


```
systemctl enable spire-agent@main
```

Start the main server:

```
systemctl enable spire-agent@main
```


# Show Entries from the main server
```
spire-server entry show -socketPath /run/spire/server/main/private/api.sock
```
28 changes: 28 additions & 0 deletions examples/systemd/conf/agent/main.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
agent {
log_level = "DEBUG"
trust_domain = "example.org"
server_address = "localhost"
server_port = 8081

# Insecure bootstrap is NOT appropriate for production use but is ok for
# simple testing/evaluation purposes.
insecure_bootstrap = true

join_token = "cdf1885a-1db8-4a83-aa16-ad8c84761fa8"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not the best, but I imagine you want to wait for something like that dns/http pop attestor being available, right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, that would be a better default once its available.

This is just an example config file really. Its expected an end user will need to update it to use it properly.

}

plugins {
KeyManager "disk" {
plugin_data {
directory = "./"
}
}

NodeAttestor "join_token" {
plugin_data {}
}

WorkloadAttestor "systemd" {
plugin_data {}
}
Comment on lines +25 to +27
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: could also use the unix attestore here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, but I think systemd is a better plugin then unix as a default suggestion. Many different services run as root (ssh, apache, kubelet, etc). But each would probably want its own identity. The systemd attestor can tell them apart.

}
27 changes: 27 additions & 0 deletions examples/systemd/conf/server/main.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
server {
bind_address = "127.0.0.1"
bind_port = "8081"
trust_domain = "example.org"
log_level = "DEBUG"
ca_ttl = "168h"
default_x509_svid_ttl = "48h"
}

plugins {
DataStore "sql" {
plugin_data {
database_type = "sqlite3"
connection_string = "./datastore.sqlite3"
}
}

KeyManager "disk" {
plugin_data {
keys_path = "./keys.json"
}
}

NodeAttestor "join_token" {
plugin_data {}
}
}
8 changes: 8 additions & 0 deletions examples/systemd/system/spire-agent.target
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
[Unit]
Description=SPIRE Agent target allowing to start/stop all spire-agent@.service instances at once
PartOf=spire.target
Before=spire.target
Wants=spire.target

[Install]
WantedBy=multi-user.target spire.target
44 changes: 44 additions & 0 deletions examples/systemd/system/spire-agent@.service
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
[Unit]
Description=SPIRE Agent Daemon %i
PartOf=spire-agent.target
After=network-online.target local-fs.target time-sync.target
Before=remote-fs-pre.target spire-agent.target
Wants=network-online.target local-fs.target time-sync.target remote-fs-pre.target spire-agent.target

[Service]
WorkingDirectory=/var/lib/spire/agent/%i
StateDirectory=spire/agent/%i
RuntimeDirectory=spire/agent/%i
RuntimeDirectoryPreserve=true
ConfigurationDirectory=spire/agent
ExecReload=/bin/kill -HUP $MAINPID
kfox1111 marked this conversation as resolved.
Show resolved Hide resolved
ExecStart=/bin/spire-agent run -config /etc/spire/agent/%i.conf -dataDir /var/lib/spire/agent/%i -socketPath /run/spire/agent/%i/public/api.sock -expandEnv
ExecStartPre=mkdir -p /var/lib/spire/agent/%i /run/spire/agent/%i/public
# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=false
# Needed by plugins
PrivateTmp=false
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadOnlyPaths=/
ReadWritePaths=/var/lib/spire/agent /run/spire/agent
Restart=on-failure
RestartSec=15
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=true
RestrictRealtime=yes
RestrictSUIDSGID=yes
StartLimitBurst=3
StartLimitInterval=30min
TasksMax=infinity

[Install]
WantedBy=spire-agent.target
8 changes: 8 additions & 0 deletions examples/systemd/system/spire-server.target
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
[Unit]
Description=SPIRE Server target allowing to start/stop all spire-server@.service instances at once
PartOf=spire.target
Before=ceph.target
kfox1111 marked this conversation as resolved.
Show resolved Hide resolved
Wants=spire.target

[Install]
WantedBy=multi-user.target spire.target
44 changes: 44 additions & 0 deletions examples/systemd/system/spire-server@.service
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
[Unit]
Description=SPIRE Server Daemon %i
PartOf=spire-server.target
After=network-online.target local-fs.target time-sync.target
Before=remote-fs-pre.target spire-server.target
Wants=network-online.target local-fs.target time-sync.target remote-fs-pre.target spire-server.target

[Service]
WorkingDirectory=/var/lib/spire/server/%i
StateDirectory=spire/server/%i
RuntimeDirectory=spire/server/%i
RuntimeDirectoryPreserve=true
ConfigurationDirectory=spire/agent
kfox1111 marked this conversation as resolved.
Show resolved Hide resolved
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/bin/spire-server run -config /etc/spire/server/%i.conf -dataDir /var/lib/spire/server/%i -socketPath /run/spire/server/%i/private/api.sock -expandEnv
ExecStartPre=mkdir -p /var/lib/spire/server/%i /run/spire/server/%i/private
# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=false
# Needed by plugins
PrivateTmp=false
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadOnlyPaths=/
ReadWritePaths=/var/lib/spire/server /run/spire/server
Restart=on-failure
RestartSec=15
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=true
RestrictRealtime=yes
RestrictSUIDSGID=yes
StartLimitBurst=3
StartLimitInterval=30min
TasksMax=infinity

[Install]
WantedBy=spire-server.target
5 changes: 5 additions & 0 deletions examples/systemd/system/spire.target
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
[Unit]
Description=SPIRE target allowing to start/stop all spire*@.service instances at once

[Install]
WantedBy=multi-user.target