STNS, as the Times Demanded, and Me (時代が求めたSTNSと僕)

5th Pepabo Tech Conference: Infrastructure Engineer Special

Kazuhiko Yamashita

May 14, 2016

Transcript

  1. 〜Summer Days of 1986〜
    STNS, as the Times Demanded, and Me

  2. hi!
    GMO Pepabo, Inc.
    Hosting Business Division
    Muumuu Domain Group
    Senior Engineer
    @pyama86

  3. blog
    https://ten-snapon.com

  4. User management

  5. The usual ways of doing it
    ・Manage users in LDAP
    ・Distribute /etc/passwd and friends with a configuration management tool
    ・Distribute them as rpm or deb packages
    ・Log in to the server and run useradd pyama

  6. LDAP?

  7. LDAP
    Lightweight Directory Access Protocol

  8. LDAP
    ・Not only Linux user management: mail servers such as Postfix, back-office
    systems such as attendance management, and many others can use it
    The de-facto standard for managing user attributes

  9. user_name:pyama
    user_id:1000
    group_id:1000
    shell:/bin/bash
    home:/home/pyama
    LDAP directory tree: com → pepabo → user → pyama
    It can manage both the organization's hierarchy and each user's attributes.

  10. LDAP

  11. Lightweight?

  12. The more it can do,
    the more complex running it becomes

  13. LDAP grows huge, proliferates, and the warring-states era begins
    ・LDAP gets wired into so many systems that it balloons and becomes hard to manage
    ・With DevOps, application engineers moved into infrastructure; application
    deployment is usually SSH-based, so roles such as designers also came to need
    SSH logins (more user attributes to manage)

  14. As a result, aren't you ending up
    standing up a separate server per service?

  15. What does "management" mean?

  16. All we wanted back then
    was to log in to servers
    and deploy, nothing more

  17. (no text on this slide)

  18. STNS
    ・Linux middleware implemented in Go
    ・A JSON server plus nss and pam modules
    ・Package repositories provided for rhel and debian, i386 and x86_64

  19. Concept
    Provide only name resolution, public-key retrieval and sudo authentication.
    By not doing much and staying simple, it keeps management
    and composition with other tools easy.
    A new user-management mechanism for our generation
    https://github.com/STNS/STNS

  20. VS LDAP
    ・TOML configuration files are highly readable
    ・Specialized in Linux user management, so operations are
    unlikely to turn messy
    ・A general-purpose JSON interface makes it easy to extend
    ・Installation is so easy you will want to do it about five times

  21. Honestly, LDAP is hard
    https://ten-snapon.com/archives/1055

  22. Architecture
    STNS server: http (port 1104)
    Client: process → libnss-stns / libpam-stns → query-wrapper / key-wrapper
    A request for /user/name/pyama returns
    {
      name:pyama,
      id: 1000,
      dir:/home/pyama
    }
    Server and clients talk over HTTP using a JSON interface;
    any wrapper can additionally be plugged in.

  23. Configuration files
    ・Server
    /etc/stns/stns.conf
    ・Client
    /etc/stns/libnss_stns.conf
    /etc/nsswitch.conf → lookup order for name resolution
    /etc/ssh/sshd_config → sshd settings
    /etc/nscd.conf → cache settings for name resolution

  24. stns.conf (server)
    port = 1104
    include = "/etc/stns/conf.d/*"
    # basic authentication is supported
    user = "basic_user"
    password = "basic_password"
    [users.example]
    id = 1001
    group_id = 1001
    keys = ["ssh-rsa XXXXX…"]
    [groups.example]
    id = 1001
    users = ["example"]
    [sudoers.example]
    password = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
    hash_type = "sha256"

  25. stns.conf (server)
    stns.conf → user.conf, group.conf, deploy.conf
    Split the configuration into several files and
    manage them per role or per organization.

  26. stns.conf (server)
    ・Define deploy users
    ・Express the organization structure
    ・Manage sudo passwords

  27. Managing deploy users

  28. Application deployment
    [email protected]
    [email protected]
    [email protected]
    Register each user's public key in
    /home/deploy/.ssh/authorized_keys

  29. Managing deploy users
    These days web services usually deploy through a dedicated
    deploy user.
    With the existing mechanisms, though, that meant lining up the
    public keys of every deploying user in the deploy user's
    ~/.ssh/authorized_keys.

  30. Managing deploy users
    [users.deploy]
    id = 1000
    group_id = 1000
    link_users = ["foo","bar"]
    [users.foo]
    keys = ["ssh-rsa aaa"]
    [users.bar]
    keys = ["ssh-rsa bbb"]
    When logging in over SSH as the deploy user, the public keys of the
    users named in link_users can be used
    → nothing has to be written into authorized_keys, and
      who is allowed to deploy is obvious at a glance

  31. Expressing the organization structure

  32. Expressing the organization structure
    For example, a user who belongs to Engineering Section 1 is also a
    user of the Engineering Department. We want every Engineering Department
    user to be able to log in to a certain server.

  33. Expressing the organization structure
    [groups.tech]
    users = ["antipop"]
    link_groups = ["tech-1"]
    [groups.tech-1]
    users = ["pyama"]
    pyama belongs to tech-1 and is therefore also a member of tech.
    Concrete uses: AllowGroups in sshd_config, sudoers, and anywhere
    else access is managed by group.

  34. Managing sudo passwords

  35. Managing sudo passwords
    $ sudo ls
    [sudo] password for pyama:
    nice_guy.txt
    It depends on /etc/sudoers, but normally sudo asks for the
    password of the user who ran it

  36. Managing sudo passwords
    [sudoers.example]
    password = "f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2"
    hash_type = "sha256"
    /etc/stns/stns.conf
    /etc/pam.d/sudo
    auth sufficient libpam_stns.so sudo example
    Saves the effort of managing a password per user, and stops sudo from
    being used when an account is accessed without authorization
    (also a countermeasure against a sniffed root password)
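    The check behind the PAM line above, as an added example: this is not the libpam_stns implementation, only a reconstruction of what the slide describes (hash the typed password with the configured hash_type and compare it with the stored digest). The sudoers table is a constructed dict transcribing the slide's TOML; the digest it carries is SHA-256 of the string "test", as shown on the server stns.conf slide, and the second record with empty fields mirrors the blank password/hash_type pair in the wrapper output.

```python
import hashlib
import hmac

# Constructed [sudoers.*] table mirroring the server stns.conf slide.
# The digest is SHA-256 of the string "test", as shown on that slide.
SUDOERS = {
    "example": {
        "password": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
        "hash_type": "sha256",
    },
    # A record without a sudo password, like the empty fields in the wrapper output.
    "pyama": {"password": "", "hash_type": ""},
}


def verify_sudo_password(name, candidate, sudoers=SUDOERS):
    """Return True only if `candidate` hashes to the digest stored for `name`.

    Mirrors what `auth sufficient libpam_stns.so sudo <name>` asks for: a hash of
    the typed password compared with the [sudoers.<name>] entry. Anything
    unexpected (unknown name, empty digest, unknown hash_type) fails closed, so
    PAM falls through to the next module instead of granting access.
    """
    entry = sudoers.get(name)
    if not entry or not entry.get("password") or not entry.get("hash_type"):
        return False
    algo = entry["hash_type"].lower()
    if algo not in hashlib.algorithms_available:
        return False
    digest = hashlib.new(algo, candidate.encode("utf-8")).hexdigest()
    # compare_digest does not stop at the first differing character, so the
    # response time does not reveal how much of the digest matched.
    return hmac.compare_digest(digest, entry["password"].lower())


def make_sudoers_entry(password, algo="sha256"):
    """Produce the password/hash_type pair to paste into a [sudoers.<name>] table."""
    return {
        "password": hashlib.new(algo, password.encode("utf-8")).hexdigest(),
        "hash_type": algo,
    }


if __name__ == "__main__":
    print(verify_sudo_password("example", "test"))    # True
    print(verify_sudo_password("example", "Test"))    # False
    print(make_sudoers_entry("change-me"))
```

    The stored value is a single unsalted SHA-256 of the password, so anyone who can read stns.conf can test guesses against it offline at full speed; keep the file readable by root only, and pair the endpoint with the TLS termination and basic authentication the deck recommends later.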

  37. libnss_stns.conf

  38. libnss_stns.conf (client)
    api_end_point = ["http://:1104", "http://:1104"]
    user = "basic_user"
    password = "basic_password"
    wrapper_path = "/usr/local/bin/stns-query-wrapper"
    chain_ssh_wrapper = "/usr/libexec/openssh/ssh-ldap-wrapper"
    ssl_verify = true

  39. wrapper_path
    In STNS any backend can be used, as long as the format of the
    interface matches.
    $ /usr/local/bin/stns-query-wrapper /user/name/pyama
    {
      "pyama": {
        "id": 10301,
        "password": "",
        "hash_type": "",
        "group_id": 2000,
        "directory": "",
        "shell": "",
        "gecos": "",
        "keys": [
          "ssh-rsa xxx"
        ],
        "link_users": null
      }
    }
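    The resolution the link_users and link_groups slides describe, together with the /user/name/<name> response shape shown just above, as one added example (not code from the STNS project): the TOML tables of those slides are transcribed into Python dicts, the keys of linked users and the members of linked groups are merged recursively with a cycle guard, and `handle_query` renders the wrapper's JSON for a path. Ids for foo, bar and antipop are made up, merging linked keys into the record is my reading of the link_users slide rather than a documented STNS guarantee, and endpoints other than /user/name/<name> are deliberately left unhandled.

```python
import json

# Constructed records transcribing the [users.*] and [groups.*] tables on the
# link_users, link_groups and wrapper slides (ids for foo/bar/antipop are made up).
USERS = {
    "deploy":  {"id": 1000,  "group_id": 1000, "keys": [],              "link_users": ["foo", "bar"]},
    "foo":     {"id": 1001,  "group_id": 1000, "keys": ["ssh-rsa aaa"], "link_users": []},
    "bar":     {"id": 1002,  "group_id": 1000, "keys": ["ssh-rsa bbb"], "link_users": []},
    "pyama":   {"id": 10301, "group_id": 2000, "keys": ["ssh-rsa xxx"], "link_users": []},
    "antipop": {"id": 10302, "group_id": 2000, "keys": [],              "link_users": []},
}
GROUPS = {
    "tech":   {"id": 2000, "users": ["antipop"], "link_groups": ["tech-1"]},
    "tech-1": {"id": 2001, "users": ["pyama"],   "link_groups": []},
}


def effective_keys(name, users=USERS, _seen=None):
    """Own keys plus the keys of every user reachable through link_users.

    Order is stable (own keys first, then linked users as listed); `_seen`
    stops a link cycle such as a -> b -> a from recursing forever.
    """
    seen = _seen if _seen is not None else set()
    if name in seen or name not in users:
        return []
    seen.add(name)
    keys = list(users[name].get("keys") or [])
    for linked in users[name].get("link_users") or []:
        for key in effective_keys(linked, users, seen):
            if key not in keys:
                keys.append(key)
    return keys


def effective_members(group, groups=GROUPS, _seen=None):
    """Direct members plus the members of every group reachable through link_groups."""
    seen = _seen if _seen is not None else set()
    if group in seen or group not in groups:
        return []
    seen.add(group)
    members = list(groups[group].get("users") or [])
    for linked in groups[group].get("link_groups") or []:
        for member in effective_members(linked, groups, seen):
            if member not in members:
                members.append(member)
    return members


def user_record(name, users=USERS):
    """Build the {name: {...}} object the wrapper slide prints for /user/name/<name>.

    The field list is the one on that slide; `keys` is the merged set from
    effective_keys (my reading of link_users), and an empty link_users list is
    rendered as null, as in the slide's output.
    """
    if name not in users:
        return None
    u = users[name]
    return {
        name: {
            "id": u.get("id"),
            "password": u.get("password", ""),
            "hash_type": u.get("hash_type", ""),
            "group_id": u.get("group_id"),
            "directory": u.get("directory", ""),
            "shell": u.get("shell", ""),
            "gecos": u.get("gecos", ""),
            "keys": effective_keys(name, users),
            "link_users": u.get("link_users") or None,
        }
    }


def handle_query(path, users=USERS):
    """Emulate the query-wrapper: JSON text for /user/name/<name>, None otherwise."""
    prefix = "/user/name/"
    if not path.startswith(prefix):
        return None  # other STNS endpoints are out of scope for this example
    record = user_record(path[len(prefix):], users)
    return None if record is None else json.dumps(record, indent=2)


if __name__ == "__main__":
    print(handle_query("/user/name/pyama"))
    print("deploy keys:", effective_keys("deploy"))
    print("tech members:", effective_members("tech"))
```

    Run as a script it prints the pyama record in the slide's shape, the two keys the deploy user accepts, and the members of tech including pyama via tech-1. A wrapper that only returns what a backend hands it (without the merge) would still satisfy the slide's format; the merge is shown here so that the effect of link_users is visible in one place.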

  40. Example: a Rails API as the backend
    process → libnss-stns / libpam-stns → query-wrapper / key-wrapper
    A request for /user/name/pyama returns
    {
      name:pyama,
      id: 1000,
      dir:/home/pyama
    }
    Talk to Linux processes through STNS and keep the user data in Rails.
    There is no longer any need to write Go.

  41. chain_ssh_wrapper
    Fetch public keys from other systems in addition to STNS
    sshd → stns-key-wrapper → STNS
    chained to ssh-ldap-wrapper → LDAP
    chain_ssh_wrapper = "/usr/libexec/openssh/ssh-ldap-wrapper"
    Makes it possible to run alongside LDAP

  42. Want to try it?

  43. Easy to install
    One command adds the repository, and the latest
    version is available through yum or apt

  44. Easy to install
    A puppet manifest and a chef cookbook are provided,
    plus Japanese installation documentation
    https://github.com/STNS/STNS/blob/master/docs/install_ja.md

  45. Performance evaluation
    Test environment
    ・MacBook Air 13inch
    ・1.7GHz Core i7
    ・8 GB RAM
    A VirtualBox VM with 1 CPU core and 1 GB of RAM was started
    on the machine above

  46. Performance evaluation
    1,000 test records were loaded
    require "toml"
    # nested hash: a missing key creates another hash with the same behaviour
    users = Hash.new { |h, k| h[k] = Hash.new(&h.default_proc) }
    (1..1000).each do |n|
      users[:users]["user_#{n}"]["id"] = n
      users[:users]["user_#{n}"]["group_id"] = n
    end
    puts TOML::Generator.new(users).body
    $ ab -k -c 100 -n 100000 http://localhost:11104/user/name/user_1
    100,000 requests at 100 concurrent connections with ab
    Total transferred: 36600000 bytes
    HTML transferred: 19000000 bytes
    Requests per second: 11543.13 [#/sec] (mean)
    Time per request: 8.663 [ms] (mean)
    Time per request: 0.087 [ms] (mean, across all concurrent requests)
    Transfer rate: 4125.77 [Kbytes/sec] received

  47. Example deployment
    Two nginx + stns pairs, each with keepalived
    nginx terminates SSL
    Load-balance while using SSL and basic authentication
    so the service runs securely

  48. Adoption example

  49. GitHub Flow

  50. User management with GitHub Flow
    Using thor, generate user, group and
    public-key information from GitHub (GHE)
    [users.pyama]
    id = 1000
    group_id = 1000
    keys = ["ssh-rsa xxx"]
    [groups.muu-developer]
    id = 1000
    bundle exec thor build

  51. User management with GitHub Flow
    Open a pull request with the generated toml file;
    at the same time drone runs name-resolution tests
    [users.pyama]
    id = 1000
    group_id = 1000
    keys = ["ssh-rsa xxx"]
    [groups.muu-developer]
    id = 1000

  52. User management with GitHub Flow
    After the change is reviewed, deploy it with Capistrano
    [users.pyama]
    id = 1000
    group_id = 1000
    keys = ["ssh-rsa
    xxx"]
    [groups.muu-

  53. User management with GitHub Flow
    ・Managing users the same way we develop software provides
    server access rights easily and accurately
    ・Using GitHub makes the audit trail easy to keep
    ・Combined with a CI tool, the behaviour is verified before it ships
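    One shape the CI step of this flow can take, as an added example (not the project's own CI or the drone configuration the slides mention): a pre-merge check over the generated configuration that refuses dangling link_users or link_groups targets, group members that are not defined users, duplicate ids, and public keys that sshd would not parse. The configuration is given as the Python dicts a TOML parser would yield, so it runs without a TOML library; the two sample configs are constructed, and the set of rules is my choice rather than a documented STNS requirement.

```python
import re

# Key types sshd understands, a base64 body, and an optional comment.
SSH_KEY_RE = re.compile(
    r"^(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( \S.*)?$"
)


def validate_config(config):
    """Return a list of problems found in a parsed stns.conf; [] means mergeable.

    `config` is the dict a TOML parser yields: {"users": {...}, "groups": {...}}.
    Checks: ids are positive integers and unique within users and within groups,
    keys look like OpenSSH public keys, and every link_users / link_groups /
    group-member target exists. Which checks to run is my choice.
    """
    users = config.get("users") or {}
    groups = config.get("groups") or {}
    problems = []

    def check_ids(kind, table):
        seen = {}
        for name, entry in table.items():
            if "id" not in entry:
                continue  # key-only link targets (users.foo on the slides) carry no id
            uid = entry["id"]
            if not isinstance(uid, int) or isinstance(uid, bool) or uid <= 0:
                problems.append(f"{kind}.{name}: id must be a positive integer")
            elif uid in seen:
                problems.append(f"{kind}.{name}: id {uid} already used by {kind}.{seen[uid]}")
            else:
                seen[uid] = name

    check_ids("users", users)
    check_ids("groups", groups)

    for name, u in users.items():
        for key in u.get("keys") or []:
            if not SSH_KEY_RE.match(key):
                problems.append(f"users.{name}: malformed public key {key!r}")
        for linked in u.get("link_users") or []:
            if linked not in users:
                problems.append(f"users.{name}: link_users target {linked!r} does not exist")

    for name, g in groups.items():
        for member in g.get("users") or []:
            if member not in users:
                problems.append(f"groups.{name}: member {member!r} is not a defined user")
        for linked in g.get("link_groups") or []:
            if linked not in groups:
                problems.append(f"groups.{name}: link_groups target {linked!r} does not exist")

    return problems


# Constructed configs: the first transcribes the GitHub Flow slide, the second
# contains one instance of each mistake the checks are meant to catch.
GOOD_CONFIG = {
    "users": {"pyama": {"id": 1000, "group_id": 1000, "keys": ["ssh-rsa xxx"]}},
    "groups": {"muu-developer": {"id": 1000, "users": ["pyama"]}},
}
BAD_CONFIG = {
    "users": {
        "deploy": {"id": 1000, "group_id": 1000, "link_users": ["foo", "baz"]},
        "foo": {"id": 1000, "keys": ["ssh-rsa aaa", "not a key"]},
    },
    "groups": {"tech": {"id": 2000, "users": ["pyama"], "link_groups": ["tech-1"]}},
}


if __name__ == "__main__":
    import sys
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        found = validate_config(cfg)
        print(f"{label}: {len(found)} problem(s)")
        for p in found:
            print("  -", p)
    sys.exit(1 if validate_config(BAD_CONFIG) == [] else 0)
```

    In a pipeline the script would load the TOML from the pull request, call `validate_config`, and exit non-zero on any problem, so a typo in a user name or a duplicated uid is rejected before Capistrano ever ships the file.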

  54. Summary

  55. I am the developer, so you should use it
    1. How about using it to redo user management that has become messy?
    2. Deploying users the way we deploy web code works out rather well

  56. And now, what comes next

  57. Upcoming features
    ・Make external APIs usable
    ・Implement a password backend?

  58. Using external APIs
    wrapper-cmd = ["original-command.rb"]
    STNS → stns-module runs original-command.rb
    A request for /user/name/pyama returns
    {
      name:pyama,
      id: 1000,
      dir:/home/pyama
    }
    original-command.rb, when run, produces
    {
      name:pyama,
      id: 1000,
      dir:/home/pyama
    }
    No need to register user information in STNS itself,
    so integration with external systems speeds up further

  59. Implement a password backend?
    STNS → stns-module → passwd pyama → Database etc.
    change password
    A feature that lets passwords be changed from the client side
    using passwd and the like
    I am reluctant to implement it, so I would like to leave it to public opinion

  60. User management
    that fits today's era

  61. Thank you
    for listening

  62. At this point questions pour in
    from the women in the audience