Slide 1

Slide 1 text

〜A summer day in 1986〜 STNS, which the times called for, and me

Slide 2

Slide 2 text

hi! GMO Pepabo, Inc. / Hosting Division, Muumuu Domain Group / Senior Engineer @pyama86

Slide 3

Slide 3 text

blog https://ten-snapon.com

Slide 4

Slide 4 text

User management

Slide 5

Slide 5 text

Common ways of doing it
- manage users in LDAP
- push /etc/passwd and friends out with a configuration management tool
- distribute them as rpm or deb packages
- log in to the server and run `useradd pyama`

Slide 6

Slide 6 text

LDAP?

Slide 7

Slide 7 text

LDAP Lightweight Directory Access Protocol

Slide 8

Slide 8 text

LDAP
- Not only Linux user management: mail servers such as Postfix, and back-office systems such as attendance management, very often speak LDAP as well.
- The de facto standard for managing user attributes.

Slide 9

Slide 9 text

  user_name: pyama
  user_id:   1000
  group_id:  1000
  shell:     /bin/bash
  home:      /home/pyama
(diagram: LDAP tree com > pepabo > user > pyama)
LDAP can manage both the organization's hierarchy and the users' attributes.

Slide 10

Slide 10 text

LDAP

Slide 11

Slide 11 text

Lightweight?

Slide 12

Slide 12 text

The more a system can do, the more complex it becomes to operate.

Slide 13

Slide 13 text

LDAP grows huge, multiplies, and the warring-states period begins
- LDAP got wired into so many systems that it grew enormous and became hard to manage.
- With DevOps, application engineers moved into infrastructure. Application deploys are usually SSH-based, so roles such as designers also needed SSH logins (ever more user attributes).

Slide 14

Slide 14 text

The result: aren't you ending up standing up a separate server for every service?

Slide 15

Slide 15 text

What does "management" actually mean?

Slide 16

Slide 16 text

All we wanted back then was to log in to servers and deploy.

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

STNS
- Linux middleware implemented in Go
- A JSON server plus NSS and PAM modules
- Package repositories provided for rhel and debian, i386 and x86_64

Slide 19

Slide 19 text

Concept
Provide only name resolution, public-key retrieval and sudo authentication. By not trying to do much and staying simple, it stays easy to manage and to combine with other tools.
A new user-management mechanism for our generation.
https://github.com/STNS/STNS

Slide 20

Slide 20 text

vs LDAP
- TOML configuration files are highly readable
- Specialized for Linux user management, so operations do not sprawl
- A generic JSON interface makes it easy to extend
- Installation is so easy you will want to do it about five times

Slide 21

Slide 21 text

Honestly, LDAP is hard https://ten-snapon.com/archives/1055

Slide 22

Slide 22 text

Architecture
(diagram: a process calls libnss-stns / libpam-stns, which go through query-wrapper / key-wrapper to the STNS server over http on port 1104; a request for /user/name/pyama returns { name: pyama, id: 1000, dir: /home/pyama … })
Server and client talk a JSON interface over HTTP, and an arbitrary wrapper can be inserted in between.

Slide 23

Slide 23 text

Configuration files
- Server: /etc/stns/stns.conf
- Client: /etc/stns/libnss_stns.conf
  /etc/nsswitch.conf → lookup order for name resolution
  /etc/ssh/sshd_config → sshd settings
  /etc/nscd.conf → caching of name-resolution results

Slide 24

Slide 24 text

stns.conf (server)
  port = 1104
  include = "/etc/stns/conf.d/*"
  # basic authentication is supported
  user = "basic_user"
  password = "basic_password"

  [users.example]
  id = 1001
  group_id = 1001
  keys = ["ssh-rsa XXXXX…"]

  [groups.example]
  id = 1001
  users = ["example"]

  [sudoers.example]
  password = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
  hash_type = "sha256"

Slide 25

Slide 25 text

stns.conf (server): stns.conf, user.conf, group.conf, deploy.conf
Split the configuration across several files and manage them per role or per organizational unit.

Slide 26

Slide 26 text

stns.conf (server)
- define deploy users
- express the organizational structure
- manage sudo passwords

Slide 27

Slide 27 text

Managing deploy users

Slide 28

Slide 28 text

Application deploy: several people deploy through one shared deploy account, so each person's public key is registered in /home/deploy/.ssh/authorized_keys.

Slide 29

Slide 29 text

Managing deploy users
Today's web services usually deploy through a dedicated deploy user. With the existing mechanisms, though, that meant lining up the public keys of everyone who deploys in the deploy user's ~/.ssh/authorized_keys.

Slide 30

Slide 30 text

Managing deploy users
  [users.deploy]
  id = 1000
  group_id = 1000
  link_users = ["foo", "bar"]

  [users.foo]
  keys = ["ssh-rsa aaa"]

  [users.bar]
  keys = ["ssh-rsa bbb"]
When someone logs in over SSH as deploy, the public keys of the users named in link_users are accepted.
→ Nothing has to be written to authorized_keys, and who is allowed to deploy is visible at a glance.

Slide 31

Slide 31 text

Expressing the organizational structure

Slide 32

Slide 32 text

Expressing the organizational structure
For example, a user who belongs to Engineering Section 1 is also a user of the Engineering Department, and we want every Engineering Department user to be able to log in to a given server.

Slide 33

Slide 33 text

Expressing the organizational structure
  [groups.tech]
  users = ["antipop"]
  link_groups = ["tech-1"]

  [groups.tech-1]
  users = ["pyama"]
pyama belongs to tech-1 and is therefore also a member of tech.
Concretely this is handy wherever access is managed by group: AllowGroups in sshd_config, sudoers, and so on.

Slide 34

Slide 34 text

Managing sudo passwords

Slide 35

Slide 35 text

Managing sudo passwords
  $ sudo ls
  [sudo] password for pyama:
  nice_guy.txt
Exactly what happens depends on /etc/sudoers, but normally sudo asks for the password of the user who invoked it.

Slide 36

Slide 36 text

Managing sudo passwords
/etc/stns/stns.conf:
  [sudoers.example]
  password = "f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2"
  hash_type = "sha256"
/etc/pam.d/sudo:
  auth sufficient libpam_stns.so
(diagram: user example runs sudo)
This removes the chore of managing a password for every user individually, and it stops an intruder who has gained access from running sudo (it also helps against sniffing of the root password).
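An added example, written for this page and not taken from libpam-stns (whose internals the deck does not show), of the check a [sudoers.<user>] entry implies. It also explains why two different digests appear on slides 24 and 36: the first is SHA-256 of `test`, the second is SHA-256 of `test` followed by a newline, which is what `echo test | sha256sum` prints. A password typed at the sudo prompt carries no newline, so an entry generated that way would never match. Caveat a practitioner will want: the entry is an unsalted digest of the password, so stns.conf and the HTTP endpoint that serves it need the same protection as /etc/shadow. The constant `SUDOERS` and the function names are this example's own.

```ruby
#!/usr/bin/env ruby
# Added example, not the libpam-stns code (which the page does not show):
# the check a [sudoers.<user>] entry implies, plus the trailing-newline
# pitfall when generating the digest with `echo ... | sha256sum`.
require "digest"

# The digests printed on slides 24 and 36.
SLIDE24_DIGEST = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
SLIDE36_DIGEST = "f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2"

# Constructed stns.conf fragment as a Ruby hash (the real file is TOML).
SUDOERS = {
  "example" => { "password" => SLIDE24_DIGEST, "hash_type" => "sha256" },
}

# hash_type values this example understands; sha256 is the one the deck uses.
DIGESTS = { "sha256" => Digest::SHA256 }

def hash_password(plain, hash_type = "sha256")
  DIGESTS.fetch(hash_type) { raise ArgumentError, "unsupported hash_type #{hash_type.inspect}" }
         .hexdigest(plain)
end

# Compare two hex digests in constant time, so response timing does not
# reveal how many leading bytes of the stored digest were matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Look up the user's entry, hash what was typed with the configured
# hash_type, and compare. Unknown users and unknown hash types fail closed.
def sudo_password_ok?(sudoers, user, typed)
  entry = sudoers[user] or return false
  secure_equal?(hash_password(typed, entry["hash_type"]), entry["password"].downcase)
rescue ArgumentError
  false
end

if $PROGRAM_NAME == __FILE__
  # sha256("test") is the slide-24 digest; sha256("test\n"), which is what
  # `echo test | sha256sum` produces, is the slide-36 digest.
  puts "slide 24 is sha256('test')   : #{hash_password("test") == SLIDE24_DIGEST}"
  puts "slide 36 is sha256('test\\n') : #{hash_password("test\n") == SLIDE36_DIGEST}"
  puts "sudo as example with 'test'  : #{sudo_password_ok?(SUDOERS, "example", "test")}"
end
```

Generate entries with `printf '%s' "$password" | sha256sum` (or `echo -n`) rather than a bare `echo`, and restrict read access to stns.conf to the server process.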

Slide 37

Slide 37 text

libnss_stns.conf

Slide 38

Slide 38 text

libnss_stns.conf (client)
  api_end_point = ["http://:1104", "http://:1104"]
  user = "basic_user"
  password = "basic_password"
  wrapper_path = "/usr/local/bin/stns-query-wrapper"
  chain_ssh_wrapper = "/usr/libexec/openssh/ssh-ldap-wrapper"
  ssl_verify = true
Note that ssl_verify only has an effect on https:// endpoints; over plain http the basic-auth credentials cross the network in clear text, which is why the deployment example later in the deck terminates TLS in nginx.

Slide 39

Slide 39 text

wrapper_path
As long as the output matches the interface format, STNS can use any backend.
  $ /usr/local/bin/stns-query-wrapper /user/name/pyama
  {
    "pyama": {
      "id": 10301,
      "password": "",
      "hash_type": "",
      "group_id": 2000,
      "directory": "",
      "shell": "",
      "gecos": "",
      "keys": [
        "ssh-rsa xxx"
      ],
      "link_users": null
    }
  }
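As an added example (not part of the deck or of the STNS project), here is a stand-alone query wrapper of the kind wrapper_path and the later wrapper-cmd slot point at. It answers /user/name/<name>, /user/id/<id> and /group/name/<name> with JSON in the slide-39 shape, and it resolves the link_users relation from slide 30 (deploy accepts foo's and bar's keys) and the link_groups relation from slide 33 (tech includes tech-1's members) transitively, with a guard against cyclic links. The data store is a constructed in-memory hash standing in for stns.conf, and flattening the links inside the wrapper is this example's own design choice, not necessarily how STNS divides the work between server and client.

```ruby
#!/usr/bin/env ruby
# Added example, not STNS code: a minimal query wrapper that answers the
# request paths shown in the deck with JSON in the shape of slide 39.
# The data store is a constructed in-memory hash standing in for stns.conf;
# how link_users / link_groups are flattened is this example's own choice.
require "json"
require "set"

# Constructed data mirroring slides 30 and 33 (not a real deployment).
CONFIG = {
  "users" => {
    "deploy"  => { "id" => 1000,  "group_id" => 1000, "link_users" => ["foo", "bar"] },
    "foo"     => { "id" => 1001,  "group_id" => 1001, "keys" => ["ssh-rsa aaa"] },
    "bar"     => { "id" => 1002,  "group_id" => 1002, "keys" => ["ssh-rsa bbb"] },
    "pyama"   => { "id" => 10301, "group_id" => 2000, "keys" => ["ssh-rsa xxx"] },
    "antipop" => { "id" => 10302, "group_id" => 2000 },
  },
  "groups" => {
    "tech"   => { "id" => 2000, "users" => ["antipop"], "link_groups" => ["tech-1"] },
    "tech-1" => { "id" => 2001, "users" => ["pyama"] },
  },
}

# Follow link_users / link_groups transitively and gather value_key.
# `seen` stops a cycle such as tech -> tech-1 -> tech from recursing forever.
def collect(table, name, link_key, value_key, seen = Set.new)
  return [] unless table.key?(name) && seen.add?(name)
  entry  = table[name]
  own    = Array(entry[value_key])
  linked = Array(entry[link_key]).flat_map { |l| collect(table, l, link_key, value_key, seen) }
  (own + linked).uniq
end

# One user in the slide-39 shape: unset strings are "", link_users stays as configured.
def user_record(name)
  u = CONFIG["users"][name] or return nil
  {
    "id"         => u["id"],
    "password"   => u.fetch("password", ""),
    "hash_type"  => u.fetch("hash_type", ""),
    "group_id"   => u["group_id"],
    "directory"  => u.fetch("directory", ""),
    "shell"      => u.fetch("shell", ""),
    "gecos"      => u.fetch("gecos", ""),
    # effective keys: the user's own plus those of every linked user (slide 30)
    "keys"       => collect(CONFIG["users"], name, "link_users", "keys"),
    "link_users" => u["link_users"],
  }
end

# One group: effective members are its own users plus those of linked groups (slide 33).
def group_record(name)
  g = CONFIG["groups"][name] or return nil
  {
    "id"          => g["id"],
    "users"       => collect(CONFIG["groups"], name, "link_groups", "users"),
    "link_groups" => g["link_groups"],
  }
end

# Map a request path to { name => record }, or nil when nothing matches.
def query(path)
  case path
  when %r{\A/user/name/([^/]+)\z}
    name = Regexp.last_match(1)
    rec = user_record(name)
    rec && { name => rec }
  when %r{\A/user/id/(\d+)\z}
    id = Regexp.last_match(1).to_i
    name, _ = CONFIG["users"].find { |_, u| u["id"] == id }
    name && { name => user_record(name) }
  when %r{\A/group/name/([^/]+)\z}
    name = Regexp.last_match(1)
    rec = group_record(name)
    rec && { name => rec }
  end
end

# Usage: ./stns-query-wrapper /user/name/pyama
if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  result = query(ARGV[0])
  puts JSON.pretty_generate(result || {})
  exit(result ? 0 : 1)
end
```

Swapping `CONFIG` for an HTTP call into a Rails API, as the next slide suggests, leaves the interface to libnss-stns unchanged; the anchored regular expressions also keep a crafted path from being forwarded to the backend unchecked.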

Slide 40

Slide 40 text

Example: a Rails API as the backend
(diagram: process → libnss-stns / libpam-stns → query-wrapper / key-wrapper → /user/name/pyama → { name: pyama, id: 1000, dir: /home/pyama … })
STNS handles the exchange with Linux processes while the user data lives in Rails. At that point there is no need to touch Go at all.

Slide 41

Slide 41 text

chain_ssh_wrapper
Fetch public keys from other systems in addition to STNS.
(diagram: sshd → stns-key-wrapper → STNS, and sshd → ssh-ldap-wrapper → LDAP)
  chain_ssh_wrapper = "/usr/libexec/openssh/ssh-ldap-wrapper"
This allows running STNS alongside LDAP during a migration.

Slide 42

Slide 42 text

Want to try it?

Slide 43

Slide 43 text

Easy to install
Add the repository with a single command, then install the latest version with yum or apt.

Slide 44

Slide 44 text

Easy to install
Puppet manifests and Chef cookbooks are provided, plus a Japanese install guide:
https://github.com/STNS/STNS/blob/master/docs/install_ja.md

Slide 45

Slide 45 text

Performance
Test environment:
- MacBook Air 13 inch
- 1.7 GHz Core i7
- 8 GB RAM
A VirtualBox VM with 1 CPU core and 1 GB of memory was started on that machine.

Slide 46

Slide 46 text

Performance
1,000 test users were loaded, generated with this script:
  require "toml"

  # autovivifying nested hash, so users[:users]["user_1"]["id"] = 1 just works
  users = Hash.new { |h, k| h[k] = Hash.new(&h.default_proc) }
  (1..1000).each do |n|
    users[:users]["user_#{n}"]["id"] = n
    users[:users]["user_#{n}"]["group_id"] = n
  end
  puts TOML::Generator.new(users).body
Then 100,000 requests at 100 concurrent connections with ab:
  $ ab -k -c 100 -n 100000 http://localhost:11104/user/name/user_1
  Total transferred:      36600000 bytes
  HTML transferred:       19000000 bytes
  Requests per second:    11543.13 [#/sec] (mean)
  Time per request:       8.663 [ms] (mean)
  Time per request:       0.087 [ms] (mean, across all concurrent requests)
  Transfer rate:          4125.77 [Kbytes/sec] received

Slide 47

Slide 47 text

Example deployment
(diagram: two nginx + stns pairs, fronted by two keepalived instances)
nginx terminates SSL. The setup load-balances while using SSL and basic authentication, so it can be operated securely.

Slide 48

Slide 48 text

Case study

Slide 49

Slide 49 text

GitHub Flow

Slide 50

Slide 50 text

User management with GitHub Flow
A thor task pulls user, group and public-key information from GitHub (GHE) and generates the TOML:
  [users.pyama]
  id = 1000
  group_id = 1000
  keys = ["ssh-rsa xxx"]

  [groups.muu-developer]
  id = 1000
  $ bundle exec thor build

Slide 51

Slide 51 text

User management with GitHub Flow
The generated TOML file is submitted as a pull request; at the same time drone runs a name-resolution test against it.

Slide 52

Slide 52 text

User management with GitHub Flow
After the change is reviewed, it is deployed with Capistrano.

Slide 53

Slide 53 text

User management with GitHub Flow
- Managing users the same way we develop software grants server access quickly and accurately.
- Going through GitHub makes the audit trail easy to keep.
- Combined with a CI tool, the change is verified to work before it ships.

Slide 54

Slide 54 text

Summary

Slide 55

Slide 55 text

I am the developer, so you should use it
1. How about it as a way to rebuild user management that has grown unwieldy?
2. Deploying users the way you deploy a web application works rather well.

Slide 56

Slide 56 text

And now, what comes next

Slide 57

Slide 57 text

Planned features
- allow external APIs to be used directly
- implement a password backend?

Slide 58

Slide 58 text

Using an external API
  wrapper-cmd = ["original-command.rb"]
(diagram: stns-module asks STNS for /user/name/pyama; STNS runs original-command.rb, which returns { name: pyama, id: 1000, dir: /home/pyama … }, and STNS passes it back)
User data no longer has to be registered in STNS itself, which speeds up integration with external systems even further.

Slide 59

Slide 59 text

Implement a password backend?
(diagram: `passwd pyama` → stns-module → STNS → a database or similar, change password)
A feature that would let users change their password from the client side with passwd and similar tools. I am reluctant to implement it myself, so I would like to leave it to public opinion.

Slide 60

Slide 60 text

User management that fits the present day

Slide 61

Slide 61 text

Thank you for listening

Slide 62

Slide 62 text

(at this point the women in the audience flood me with questions)