STNS and Me, as the Times Demanded

5th Pepabo Tech Conference: Infrastructure Engineers Special

Kazuhiko Yamashita

May 14, 2016

Transcript

  1. ~A Summer Day in 1986~ STNS and Me, as the Times Demanded

  2. hi! GMO Pepabo, Inc. Hosting Division, Muumuu Domain Group, Senior Engineer @pyama86

  3. blog https://ten-snapon.com

  4. User management

  5. The usual approaches: manage users in LDAP; distribute /etc/passwd and friends with a configuration management tool; distribute them as rpm or deb packages; or log in to the server and run useradd pyama.

  6. LDAP?

  7. LDAP: Lightweight Directory Access Protocol

  8. LDAP is not only for Linux user management: mail servers such as Postfix and back-office systems such as attendance management often support it too. It is the definitive way to manage user attributes.

  9. Example LDAP tree: com > pepabo > user > pyama, holding user_name:pyama, user_id:1000, group_id:1000, shell:/bin/bash, home:/home/pyama.

     It can manage both the organization's hierarchical structure and each user's attributes.

  10. LDAP

  11. Lightweight?

  12. The more a system can do, the more complex it is to operate.

  13. LDAP bloat, proliferation, and then the warring-states era: LDAP gets wired into so many systems that it bloats and becomes hard to manage. With DevOps, application engineers move into infrastructure; application deploys are usually SSH-based, so designers and other roles also need SSH logins (more user attributes to manage).

  14. As a result, aren't you standing up a separate LDAP server per service?

  15. What is "management", anyway?

  16. All we wanted back then was to log in to servers and deploy.

  18. STNS: Linux middleware implemented in Go. A JSON server plus nss and pam modules. Package repositories are provided for rhel and debian on i386 and x86_64.

  19. Concept: provide only name resolution, public key retrieval, and sudo authentication. By not doing too much and keeping it simple, management and composition stay easy. A user management mechanism for our generation. https://github.com/STNS/STNS

  20. VS LDAP: TOML configuration files are highly readable; it is specialized in Linux user management, so operations rarely get complicated; the generic JSON interface makes it easy to extend; and it is so easy to install you will want to install it about five times.

  21. Honestly, LDAP is hard. https://ten-snapon.com/archives/1055

  22. Architecture: a process calls libnss-stns or libpam-stns, which (optionally through a query-wrapper or key-wrapper) query the STNS server over http (port 1104), for example /user/name/pyama → { name:pyama, id: 1000, dir:/home/pyama … }.

     Server and client communicate over a JSON interface carried on http, and an arbitrary wrapper can be inserted in between.

  23. Configuration files. Server: /etc/stns/stns.conf. Client: /etc/stns/libnss_stns.conf; /etc/nsswitch.conf → name resolution priority; /etc/ssh/sshd_config → sshd settings; /etc/nscd.conf → name resolution cache settings.

  24. stns.conf (server)

     port = 1104
     include = "/etc/stns/conf.d/*"
     # basic authentication is supported
     user = "basic_user"
     password = "basic_password"
     [users.example]
     id = 1001
     group_id = 1001
     keys = ["ssh-rsa XXXXX…"]
     [groups.example]
     id = 1001
     users = ["example"]
     [sudoers.example]
     password = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
     hash_type = "sha256"

  25. stns.conf (server): split the configuration into several files such as stns.conf, user.conf, group.conf and deploy.conf, and manage them per role or organization.

  26. stns.conf (server) lets you define deploy users, express the organizational structure, and manage sudo passwords.

  27. Managing deploy users

  28. Application deploy: everyone logs in as deploy@muumuu-domain.com, and each user's public key is registered in /home/deploy/.ssh/authorized_keys.

  29. Managing deploy users: today's web services usually deploy through a dedicated deploy user. With existing mechanisms, though, that meant lining up the public keys of everyone who deploys in the deploy user's ~/.ssh/authorized_keys.

  30. Managing deploy users

     [users.deploy]
     id = 1000
     group_id = 1000
     link_users = ["foo","bar"]
     [users.foo]
     keys = ["ssh-rsa aaa"]
     [users.bar]
     keys = ["ssh-rsa bbb"]

     When logging in over SSH as the deploy user, the public keys of the users listed in link_users can be used → nothing has to be written to authorized_keys, and who is allowed to deploy is obvious at a glance.

  31. Expressing organizational structure

  32. Expressing organizational structure: for example, a user in Engineering Section 1 is also a user of the Engineering Department, and we want Engineering Department users to be able to log in to a certain server.

  33. Expressing organizational structure

     [groups.tech]
     users = ["antipop"]
     link_groups = ["tech-1"]
     [groups.tech-1]
     users = ["pyama"]

     pyama belongs to tech-1 and is therefore also a tech user. Concrete uses are anywhere access is managed by group, such as AllowGroups in sshd_config or sudoers.

  34. Managing sudo passwords

  35. Managing sudo passwords

     $ sudo ls
     [sudo] password for pyama: <pyama's password>
     nice_guy.txt

     It depends on the /etc/sudoers settings, but normally the password of the user running sudo is requested.

  36. Managing sudo passwords

     /etc/stns/stns.conf:
     [sudoers.example]
     password = "f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2"
     hash_type = "sha256"

     /etc/pam.d/sudo:
     auth sufficient libpam_stns.so sudo example

     This saves the effort of managing a password per user, and prevents sudo from being used during unauthorized access (it also counters sniffing of the root password).

  37. libnss_stns.conf

  38. libnss_stns.conf (client)

     api_end_point = ["http://<server-master>:1104", "http://<server-slave>:1104"]
     user = "basic_user"
     password = "basic_password"
     wrapper_path = "/usr/local/bin/stns-query-wrapper"
     chain_ssh_wrapper = "/usr/libexec/openssh/ssh-ldap-wrapper"
     ssl_verify = true

  39. wrapper_path: STNS can use any backend as long as it follows the interface format.

     $ /usr/local/bin/stns-query-wrapper /user/name/pyama
     {
       "pyama": {
         "id": 10301,
         "password": "",
         "hash_type": "",
         "group_id": 2000,
         "directory": "",
         "shell": "",
         "gecos": "",
         "keys": ["ssh-rsa xxx"],
         "link_users": null
       }
     }
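The link_users resolution of slide 30, the link_groups chaining of slide 33, the sha256 sudoers check of slide 36 and the wrapper JSON shape of slide 39, worked through in one added Ruby example. This is not STNS's own code: the user, group and sudoers data are constructed in place of a parsed stns.conf, the sudoers hash is the one shown on slide 24, and merging a user's own keys with those of its link_users (and stopping on a cycle) is an assumption about the semantics.

```ruby
require "json"
require "digest"
# Constructed data mirroring the slides' stns.conf (a real wrapper would parse the TOML).
USERS = {
  "deploy"  => { "id" => 1000, "group_id" => 1000, "keys" => [], "link_users" => ["foo", "bar"] },
  "foo"     => { "id" => 1001, "group_id" => 1000, "keys" => ["ssh-rsa aaa"] },
  "bar"     => { "id" => 1002, "group_id" => 1000, "keys" => ["ssh-rsa bbb"] },
  "pyama"   => { "id" => 10301, "group_id" => 2000, "keys" => ["ssh-rsa xxx"] },
  "antipop" => { "id" => 10302, "group_id" => 2000, "keys" => ["ssh-rsa yyy"] },
}
GROUPS = {
  "tech"   => { "id" => 2000, "users" => ["antipop"], "link_groups" => ["tech-1"] },
  "tech-1" => { "id" => 2001, "users" => ["pyama"] },
}
# sudoers entry from slide 24: hash_type "sha256" means hex SHA-256 of the cleartext password.
SUDOERS = { "example" => { "password" => "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
                           "hash_type" => "sha256" } }
# A user's own keys plus (assumption) the keys of every user named in link_users, cycle-safe.
def user_keys(name, seen = [])
  u = USERS[name]
  return [] if u.nil? || seen.include?(name)
  (u["keys"] + (u["link_users"] || []).flat_map { |n| user_keys(n, seen + [name]) }).uniq
end
# Group members plus members of link_groups, recursively and cycle-safe (slide 33).
def group_users(name, seen = [])
  g = GROUPS[name]
  return [] if g.nil? || seen.include?(name)
  (g["users"] + (g["link_groups"] || []).flat_map { |n| group_users(n, seen + [name]) }).uniq
end
# Answer /user/name/<name> with the JSON document shape shown on slide 39; nil if unknown.
def query(path)
  m = %r{\A/user/name/([^/]+)\z}.match(path) or return nil
  n = m[1]
  u = USERS[n] or return nil
  { n => { "id" => u["id"], "password" => "", "hash_type" => "", "group_id" => u["group_id"],
           "directory" => "", "shell" => "", "gecos" => "", "keys" => user_keys(n),
           "link_users" => u["link_users"] } }.to_json
end
# Constant-time comparison so timing does not reveal how many hex digits matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
# Outline of what "auth sufficient libpam_stns.so sudo example" (slide 36) has to decide.
def sudo_password_ok?(name, password)
  s = SUDOERS[name]
  return false if s.nil? || s["hash_type"] != "sha256"
  secure_equal?(Digest::SHA256.hexdigest(password), s["password"])
end
```

Run `query("/user/name/deploy")` to see foo's and bar's keys merged into the deploy user's document, which is what lets sshd accept them without an authorized_keys file.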
  40. Example of using a Rails API as the backend: the process → libnss-stns / libpam-stns → query-wrapper / key-wrapper → /user/name/pyama → { name:pyama, id: 1000, dir:/home/pyama … } path stays the same.

     Interaction with Linux processes goes through STNS, while user information is managed in Rails. There is no longer any need to use Go at all.

  41. chain_ssh_wrapper: fetch public keys from other systems in addition to STNS. sshd calls stns-key-wrapper, which asks STNS and then chains to ssh-ldap-wrapper, which asks LDAP.

     chain_ssh_wrapper = "/usr/libexec/openssh/ssh-ldap-wrapper"

     This allows running STNS in parallel with LDAP.

  42. Want to try it?

  43. Easy adoption: add the repository with one command, then install the latest version with yum or apt.

  44. Easy adoption: a puppet manifest and a chef cookbook are provided, plus Japanese installation documentation: https://github.com/STNS/STNS/blob/master/docs/install_ja.md

  45. Performance evaluation. Test environment: MacBook Air 13 inch, 1.7GHz Core i7, 8 GB memory; on that host a VirtualBox VM was started with 1 CPU core and 1 GByte of memory.

  46. Performance evaluation: 1000 test users were loaded with the following script.

     require "toml"
     users = Hash.new { |h, k| h[k] = Hash.new(&h.default_proc) }
     (1..1000).each do |n|
       users[:users]["user_#{n}"]["id"] = n
       users[:users]["user_#{n}"]["group_id"] = n
     end
     puts TOML::Generator.new(users).body

     $ ab -k -c 100 -n 100000 http://localhost:11104/user/name/user_1

     Using ab, 100,000 requests at 100 concurrent connections:

     Total transferred: 36600000 bytes
     HTML transferred: 19000000 bytes
     Requests per second: 11543.13 [#/sec] (mean)
     Time per request: 8.663 [ms] (mean)
     Time per request: 0.087 [ms] (mean, across all concurrent requests)
     Transfer rate: 4125.77 [Kbytes/sec] received

  47. Example deployment: two nginx + stns pairs behind keepalived. nginx terminates SSL, so you load-balance while using SSL and basic authentication to operate securely.

  48. Adoption example

  49. GitHub Flow

  50. User management with GitHub Flow: thor generates user, group and public key information from GitHub (GHE).

     [users.pyama]
     id = 1000
     group_id = 1000
     keys = ["ssh-rsa xxx"]
     [groups.muu-developer]
     id = 1000

     $ bundle exec thor build

  51. User management with GitHub Flow: the generated toml file is submitted as a pull request, and at the same time drone runs name resolution tests on it.

     [users.pyama]
     id = 1000
     group_id = 1000
     keys = ["ssh-rsa xxx"]
     [groups.muu-developer]
     id = 1000

  52. User management with GitHub Flow: after the changes are reviewed, they are deployed with Capistrano.

     [users.pyama]
     id = 1000
     group_id = 1000
     keys = ["ssh-rsa xxx"]
     [groups.muu-

  53. User management with GitHub Flow: managing users the same way as development provides server access permissions easily and accurately; using GitHub makes the audit trail easy; combining it with a CI tool guarantees that the result works.

  54. Summary

  55. I'm the developer, so you should use it. 1. How about it as a way to redo user management that has become unwieldy? 2. Deploying users the way you deploy web code works quite well.

  56. And now, what comes next

  57. Future features: make external APIs usable; implement a password backend?

  58. Using an external API: with wrapper-cmd = ["original-command.rb"], the STNS module receives /user/name/pyama, runs original-command.rb, and returns its { name:pyama, id: 1000, dir:/home/pyama … } answer.

     User information no longer has to be registered in STNS, which further accelerates integration with external systems.

  59. Implement a password backend? The client runs passwd pyama, the STNS module forwards the password change to a database or similar.

     A feature that would make passwords changeable from the client side via passwd and the like. I'm reluctant to implement it, so I'd like to leave it to public opinion.

  60. User management that fits today's era

  61. Thank you for listening

  62. At this point, questions pour in from the women in the audience