-
Notifications
You must be signed in to change notification settings - Fork 45
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add systemd example #64
Changes from 1 commit
31b6f6d
5fca5e3
d8841b6
c7c9c6a
48ea181
02dc0e8
f220575
68eefb5
5da062c
baf2309
735b77f
fb2afb3
b23e7d2
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
- Loading branch information
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
default: | ||
@echo Targets: | ||
@echo " install" | ||
|
||
install: | ||
sudo cp system/* /usr/lib/systemd/system/ | ||
sudo systemctl daemon-reload | ||
#cp -a /etc/spire/agent/main.conf agent/ |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
To install, download the newest spire-server and spire-agent binaries from the spire website and place in /bin | ||
|
||
Run: | ||
``` | ||
make install | ||
``` | ||
|
||
Edit /etc/spire/server/main.conf and update with settings as needed. | ||
|
||
Edit /etc/spire/agent/main.conf and update with settings as needed. | ||
|
||
Enable the main server: | ||
|
||
``` | ||
systemctl enable spire-server@main | ||
``` | ||
|
||
Start the main server: | ||
|
||
``` | ||
systemctl enable spire-server@main | ||
``` | ||
|
||
Enable the main agent: | ||
Comment on lines
+31
to
+32
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We should also specify how to fetch the join token and how to pass it to the service. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Updated. |
||
|
||
``` | ||
systemctl enable spire-agent@main | ||
``` | ||
|
||
Start the main server: | ||
|
||
``` | ||
systemctl enable spire-agent@main | ||
``` | ||
|
||
|
||
# Show Entries from the main server | ||
``` | ||
spire-server entry show -socketPath /run/spire/server/main/private/api.sock | ||
``` |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
agent { | ||
log_level = "DEBUG" | ||
trust_domain = "example.org" | ||
server_address = "localhost" | ||
server_port = 8081 | ||
|
||
# Insecure bootstrap is NOT appropriate for production use but is ok for | ||
# simple testing/evaluation purposes. | ||
insecure_bootstrap = true | ||
|
||
join_token = "cdf1885a-1db8-4a83-aa16-ad8c84761fa8" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is not the best, but I imagine you want to wait for something like that dns/http pop attestor being available, right? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. yeah, that would be a better default once its available. This is just an example config file really. Its expected an end user will need to update it to use it properly. |
||
} | ||
|
||
plugins { | ||
KeyManager "disk" { | ||
plugin_data { | ||
directory = "./" | ||
} | ||
} | ||
|
||
NodeAttestor "join_token" { | ||
plugin_data {} | ||
} | ||
|
||
WorkloadAttestor "systemd" { | ||
plugin_data {} | ||
} | ||
Comment on lines
+25
to
+27
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: could also use the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, but I think systemd is a better plugin then unix as a default suggestion. Many different services run as root (ssh, apache, kubelet, etc). But each would probably want its own identity. The systemd attestor can tell them apart. |
||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
server { | ||
bind_address = "127.0.0.1" | ||
bind_port = "8081" | ||
trust_domain = "example.org" | ||
log_level = "DEBUG" | ||
ca_ttl = "168h" | ||
default_x509_svid_ttl = "48h" | ||
} | ||
|
||
plugins { | ||
DataStore "sql" { | ||
plugin_data { | ||
database_type = "sqlite3" | ||
connection_string = "./datastore.sqlite3" | ||
} | ||
} | ||
|
||
KeyManager "disk" { | ||
plugin_data { | ||
keys_path = "./keys.json" | ||
} | ||
} | ||
|
||
NodeAttestor "join_token" { | ||
plugin_data {} | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
[Unit] | ||
Description=SPIRE Agent target allowing to start/stop all spire-agent@.service instances at once | ||
PartOf=spire.target | ||
Before=spire.target | ||
Wants=spire.target | ||
|
||
[Install] | ||
WantedBy=multi-user.target spire.target |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
[Unit] | ||
Description=SPIRE Agent Daemon %i | ||
PartOf=spire-agent.target | ||
After=network-online.target local-fs.target time-sync.target | ||
Before=remote-fs-pre.target spire-agent.target | ||
Wants=network-online.target local-fs.target time-sync.target remote-fs-pre.target spire-agent.target | ||
|
||
[Service] | ||
WorkingDirectory=/var/lib/spire/agent/%i | ||
StateDirectory=spire/agent/%i | ||
RuntimeDirectory=spire/agent/%i | ||
RuntimeDirectoryPreserve=true | ||
ConfigurationDirectory=spire/agent | ||
ExecReload=/bin/kill -HUP $MAINPID | ||
kfox1111 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
ExecStart=/bin/spire-agent run -config /etc/spire/agent/%i.conf -dataDir /var/lib/spire/agent/%i -socketPath /run/spire/agent/%i/public/api.sock -expandEnv | ||
ExecStartPre=mkdir -p /var/lib/spire/agent/%i /run/spire/agent/%i/public | ||
# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04 | ||
LockPersonality=true | ||
MemoryDenyWriteExecute=true | ||
NoNewPrivileges=true | ||
PrivateDevices=false | ||
# Needed by plugins | ||
PrivateTmp=false | ||
ProtectControlGroups=true | ||
ProtectHome=true | ||
ProtectHostname=true | ||
ProtectKernelLogs=true | ||
ProtectKernelModules=true | ||
ProtectKernelTunables=true | ||
ProtectSystem=strict | ||
ReadOnlyPaths=/ | ||
ReadWritePaths=/var/lib/spire/agent /run/spire/agent | ||
Restart=on-failure | ||
RestartSec=15 | ||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK | ||
RestrictNamespaces=true | ||
RestrictRealtime=yes | ||
RestrictSUIDSGID=yes | ||
StartLimitBurst=3 | ||
StartLimitInterval=30min | ||
TasksMax=infinity | ||
|
||
[Install] | ||
WantedBy=spire-agent.target |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
[Unit] | ||
Description=SPIRE Server target allowing to start/stop all spire-server@.service instances at once | ||
PartOf=spire.target | ||
Before=ceph.target | ||
kfox1111 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
Wants=spire.target | ||
|
||
[Install] | ||
WantedBy=multi-user.target spire.target |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
[Unit] | ||
Description=SPIRE Server Daemon %i | ||
PartOf=spire-server.target | ||
After=network-online.target local-fs.target time-sync.target | ||
Before=remote-fs-pre.target spire-server.target | ||
Wants=network-online.target local-fs.target time-sync.target remote-fs-pre.target spire-server.target | ||
|
||
[Service] | ||
WorkingDirectory=/var/lib/spire/server/%i | ||
StateDirectory=spire/server/%i | ||
RuntimeDirectory=spire/server/%i | ||
RuntimeDirectoryPreserve=true | ||
ConfigurationDirectory=spire/agent | ||
kfox1111 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
ExecReload=/bin/kill -HUP $MAINPID | ||
ExecStart=/bin/spire-server run -config /etc/spire/server/%i.conf -dataDir /var/lib/spire/server/%i -socketPath /run/spire/server/%i/private/api.sock -expandEnv | ||
ExecStartPre=mkdir -p /var/lib/spire/server/%i /run/spire/server/%i/private | ||
# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04 | ||
LockPersonality=true | ||
MemoryDenyWriteExecute=true | ||
NoNewPrivileges=true | ||
PrivateDevices=false | ||
# Needed by plugins | ||
PrivateTmp=false | ||
ProtectControlGroups=true | ||
ProtectHome=true | ||
ProtectHostname=true | ||
ProtectKernelLogs=true | ||
ProtectKernelModules=true | ||
ProtectKernelTunables=true | ||
ProtectSystem=strict | ||
ReadOnlyPaths=/ | ||
ReadWritePaths=/var/lib/spire/server /run/spire/server | ||
Restart=on-failure | ||
RestartSec=15 | ||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK | ||
RestrictNamespaces=true | ||
RestrictRealtime=yes | ||
RestrictSUIDSGID=yes | ||
StartLimitBurst=3 | ||
StartLimitInterval=30min | ||
TasksMax=infinity | ||
|
||
[Install] | ||
WantedBy=spire-server.target |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
[Unit] | ||
Description=SPIRE target allowing to start/stop all spire*@.service instances at once | ||
|
||
[Install] | ||
WantedBy=multi-user.target |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does the "@main" have any benefit here? I'd keep it simple and not have these parameterized
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah. It lets you have multiple servers/agents. Either for nesting or redundancy. I do plan on using both.