時代が求めたSTNSと僕

Transcript

1. ʙՆͷ೔ͷ1986ʙ ࣌୅͕ٻΊͨSTNSͱ๻

2. hi! GMO Pepabo, Inc. ϗεςΟϯάࣄۀ෦ ϜʔϜʔυϝΠϯάϧʔϓ γχΞΤϯδχΞ @pyama86

3. blog https://ten-snapon.com

4. Ϣʔβʔ؅ཧ

5. Α͋͘Δӡ༻ ɾLDAPͰ؅ཧ ɾߏ੒؅ཧπʔϧͰ/etc/passwdͳͲΛ഑෍͢Δ ɾrpm΍debͰ഑෍͢Δ ɾαʔόϩάΠϯͯ͠useradd pyama

6. LDAP?

7. LDAP Lightweight Directory Access Protocol

8. LDAP ɾLinuxͷϢʔβʔ؅ཧ͚ͩͰ͸ͳ͘ɺPostfixͷΑ͏ ͳϝʔϧαʔόɺόοΫΦϑΟεͰར༻͞ΕΔΑ͏ ͳۈଵ؅ཧγεςϜͳͲͰ΋ରԠ͍ͯ͠Δέʔε͕ ଟ͍ Ϣʔβʔଐੑ؅ཧͷܾఆ൛తଘࡏ

9. user_name:pyama user_id:1000 group_id:1000 shell:/bin/bash home:/home/pyama LDAP com pepabo user pyama

   ૊৫ͷ֊૚ߏ଄ͱϢʔβʔͷଐੑΛ ؅ཧ͢Δ͜ͱ͕ग़དྷΔ

10. LDAP

11. Lightweight?

12. ΍ΕΔ͜ͱ͕ଟ͍ͱ ӡ༻ͷෳࡶ͞͸૿͢

13. LDAPͷڊେԽɾཚཱɾͦͯ͠ઓࠃ࣌୅΁ ɾLDAP͕৭ʑͳγεςϜͱ࿈ܞ͗ͯ͢͠ɺڊେԽ ͠ɺ؅ཧ͕೉͘͠ͳ͖ͬͯͨ ɾDevOpsʹΑΔΞϓϦέʔγϣϯΤϯδχΞͷΠϯ ϑϥਐग़ɺΞϓϦέʔγϣϯσϓϩΠ͕SSHϕʔε Ͱ͋Δ͜ͱ͕ଟ͘ɺσβΠφʔͳͲͷ৬छ΋SSHϩ άΠϯ͢Δඞཁ͕ੜ·Εͨ(Ϣʔβʔଐੑͷ૿Ճ)

14. ݁ՌɺαʔϏε͝ͱʹ αʔόཱͯͨΓͯ͠·ͤΜ͔

15. ؅ཧͱ͸?

16. ͋ͷ೔ͷԶୡ͕΍Γ͔ͨͬͨ͜ͱ͸ αʔόʹϩάΠϯͨ͠Γɺ σϓϩΠ͍͚ͨͩͩͬͨ͠͸ͣͩ

17. None

18. STNS ɾGoݴޠͰ࣮૷ͨ͠Linuxϛυϧ΢ΣΞ ɾJSONαʔόͱnss,pamϞδϡʔϧͷγεςϜ ɾrhel,debian/i386,x86_64ͷύοέʔδϦϙδτϦΛ ఏڙ

19. ίϯηϓτ ໊લղܾɺެ։伴औಘɺsudoೝূͷΈΛఏڙ͢Δɻ ଟ͘Λ΍Βͣɺγϯϓϧʹอͭ͜ͱͰ؅ཧɺ ૊Έ߹ΘͤΛ༰қʹɻ ๻ୡͷੈ୅ͷ৽͍͠Ϣʔβʔ؅ཧͷ࢓૊Έ https://github.com/STNS/STNS

20. VS LDAP ɾTomlܗࣜͷઃఆϑΝΠϧͰՄಡੑ͕ߴ͍ ɾLinuxͷϢʔβʔ؅ཧʹಛԽ͍ͯ͠ΔͨΊӡ༻͕ ൥ࡶʹͳΓͮΒ͍ ɾ൚༻తͳJSONΠϯλʔϑΣʔεͷͨΊ֦ு͕༰қ ɾಋೖָ͕͗ͯ͢5ճ͘Β͍ೖΕͨ͘ͳΔ

21. ͿͬͪΌ͚LDAP೉͍͠ https://ten-snapon.com/archives/1055

22. ΞʔΩςΫνϟ STNS http(1104) process libnss-stns libpam-stns query-wrapper key-wrapper /user/name/pyama {

    name:pyama, id: 1000, dir:/home/pyama … } αʔόɾΫϥΠΞϯτؒ͸httpΛར༻ͨ͠ JSONܗࣜͷΠϯλʔϑΣʔε ͞Βʹ೚ҙͷwrapperΛར༻Մೳ

23. ઃఆϑΝΠϧ ɾαʔό /etc/stns/stns.conf ɾΫϥΠΞϯτ /etc/stns/libnss_stns.conf /etc/nsswitch.conf → ໊લղܾͷ༏ઌॱҐઃఆ /etc/ssh/sshd_config →

    sshdͷઃఆ /etc/nscd.conf → ໊લղܾͷΩϟογϡઃఆ

24. stns.conf(αʔό) port = 1104 include = "/etc/stns/conf.d/*" # ϕʔγοΫೝূΛαϙʔτ user

    = "basic_user" password = "basic_password" [users.example] id = 1001 group_id = 1001 keys = ["ssh-rsa XXXXX…"] [groups.example] id = 1001 users = ["example"] [sudoers.example] password = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" hash_type = "sha256"

25. stns.conf(αʔό) stns.conf user.conf group.conf deploy.conf ෳ਺ͷઃఆϑΝΠϧʹ෼ׂ͠ɺ ໾ׂ΍૊৫͝ͱʹ؅ཧ͢ΔͱΑ͍

26. stns.conf(αʔό) ɾσϓϩΠϢʔβʔͷఆٛ ɾ૊৫ߏ଄Λදݱ͢Δ ɾSudoύεϫʔυΛ؅ཧ͢Δ

27. σϓϩΠϢʔβʔͷ؅ཧ

28. ΞϓϦέʔγϣϯσϓϩΠ [email protected] [email protected] [email protected] /home/deploy/.ssh/authrized_keys ʹ֤Ϣʔβʔͷެ։伴Λొ࿥

29. σϓϩΠϢʔβʔͷ؅ཧ ࡢࠓͷWebαʔϏεͰ͸σϓϩΠઐ༻ϢʔβʔΛઃ ͚ͯσϓϩΠ͢Δ͜ͱ͕ଟ͍ɻ ͔͠͠ɺطଘͷ࢓૊ΈͰ࣮ݱ͢Δʹ͸σϓϩΠϢʔ βʔͷ~/.ssh/authorized_keysʹσϓϩΠ͢ΔϢʔ βʔͷެ։伴Λฒ΂ͨΓ͢Δඞཁ͕͋ͬͨ

30. σϓϩΠϢʔβʔͷ؅ཧ [users.deploy] id = 1000 group_id = 1000 link_users =

    [“foo","bar"] [users.foo] keys = ["ssh-rsa aaa”] [users.bar] keys = ["ssh-rsa bbb"] deployϢʔβʔͰSSHϩάΠϯ͢Δࡍʹɺlink_usersͰ ࢦఆͨ͠Ϣʔβʔͷެ։伴Λར༻͢Δ͜ͱ͕ग़དྷΔ →authorized_keysʹॻ͔ͳͯ͘ྑ্͍ʹɺ ɹ୭͕σϓϩΠग़དྷΔͷ͔Ұ໨ྎવ

31. ૊৫ߏ଄Λදݱ͢Δ

32. ૊৫ߏ଄Λදݱ͢Δ ྫ͑͹ɺٕज़1՝ʹॴଐ͢ΔϢʔβʔ͸ɺٕज़෦ͷϢʔ βʔͰ΋͋Δɻͱ͋Δαʔόʹٕज़෦ͷϢʔβʔ͸ϩά Πϯग़དྷΔΑ͏ʹ͍ͨ͠ɻ

33. ૊৫ߏ଄Λදݱ͢Δ [groups.tech] users = ["antipop"] link_groups = [“tech-1"] [groups.tech-1] users

    = ["pyama"] pyama͸tech-1ʹॴଐ͢ΔtechͷϢʔβʔͰ͋Δɻ ۩ମతͳར༻γʔϯ͸sshd_configͷAllowGroupsɺ sudoersͳͲɺάϧʔϓͰ؅ཧ͢Δ৔߹ʹศརɻ

34. SudoύεϫʔυΛ ؅ཧ͢Δ

35. sudoύεϫʔυΛ؅ཧ͢Δ $ sudo ls [sudo] password for pyama: <pyamaύεϫʔυ> nice_guy.txt

    /etc/sudoersͷઃఆʹґଘ͢Δ͕ɺҰൠతʹ͸ sudo࣮ߦͨ͠ϢʔβʔͷύεϫʔυΛٻΊΒΕΔ

36. sudoύεϫʔυΛ؅ཧ͢Δ [sudoers.example] password = "f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2" hash_type = "sha256" /etc/stns/stns.conf /etc/pam.d/sudo

    auth sufficient libpam_stns.so sudo example ݸผʹϢʔβʔ͝ͱʹύεϫʔυΛ؅ཧ͢ΔखؒΛল͖ɺ ෆਖ਼ΞΫηε࣌ʹsudo͞ΕΔ͜ͱΛ๷͙ (rootύεϫʔυͷ౪ௌରࡦʹ΋)

37. libnss_stns.conf

38. libnss_stns.conf(ΫϥΠΞϯτ) api_end_point = ["http://<server-master>:1104", "http://<server-slave>:1104"] user = "basic_user" password =

    "basic_password" wrapper_path = "/usr/local/bin/stns-query-wrapper" chain_ssh_wrapper = "/usr/libexec/openssh/ssh-ldap-wrapper" ssl_verify = true

39. wrapper_path STNSͰ͸ΠϯλʔϑΣʔεͷϑΥʔϚοτ͑͞߹ͬ ͍ͯΕ͹೚ҙͷόοΫΤϯυΛ࢖༻Մೳɻ $ /usr/local/bin/stns-query-wrapper /user/name/pyama { "pyama": { "id":

    10301, "password": "", "hash_type": "", "group_id": 2000, "directory": "", "shell": "", "gecos": "", "keys": [ "ssh-rsa xxx" ], "link_users": null } }

40. όοΫΤϯυʹRailsAPIΛར༻͢Δྫ process libnss-stns libpam-stns query-wrapper key-wrapper /user/name/pyama { name:pyama, id:

    1000, dir:/home/pyama … } Linuxϓϩηεͱͷ΍ΓऔΓ͸STNSΛར༻͠ɺ Ϣʔβʔ৘ใ͸RailsͰ؅ཧ͢Δ ΋͸΍GoݴޠΛར༻͢Δඞཁ΋ͳ͍

41. chain_ssh_wrapper STNSʹՃ͑ͯଞγεςϜ͔Β΋ެ։伴Λऔಘ STNS LDAP stns-key-wrapper ssh-ldap-wrapper sshd chain_ssh_wrapper = "/usr/libexec/openssh/ssh-ldap-wrapper"

    LDAPͱͷฒߦӡ༻͕Մೳ

42. ࢖ͬͯΈΔʁ

43. ಋೖͷखܰ͞ 1ίϚϯυͰϦϙδτϦΛ௥Ճ͠ɺ yumɺaptͰ࠷৽൛Λར༻Մೳ

44. ಋೖͷखܰ͞ puppetϚχϑΣετɺchefΫοΫϒοΫΛఏڙ Ճ͑ͯ೔ຊޠΠϯετʔϧυΩϡϝϯτ https://github.com/STNS/STNS/blob/master/docs/install_ja.md

45. ੑೳධՁ ଌఆ؀ڥ ɾMacBookAir 13inch ɾ1.7GHz Core i7 ɾϝϞϦ8G ্ه؀ڥͰVirtualBoxVMΛCPUίΞ1ɺϝϞϦ1GByte Ͱىಈ

46. ੑೳධՁ ςετσʔλΛ1000݅౤ೖ require "toml" users = Hash.new { |h,k| h[k]

    = Hash.new(&h.default_proc) } (1..1000).each do |n| users[:users]["user_#{n}"]["id"] = n users[:users]["user_#{n}"]["group_id"] = n end puts TOML::Generator.new(users).body $ ab -k -c 100 -n 100000 http://localhost:11104/user/name/user_1 abΛར༻͠ɺಉ࣌઀ଓ100Ͱ10ສΞΫηε Total transferred: 36600000 bytes HTML transferred: 19000000 bytes Requests per second: 11543.13 [#/sec] (mean) Time per request: 8.663 [ms] (mean) Time per request: 0.087 [ms] (mean, across all concurrent requests) Transfer rate: 4125.77 [Kbytes/sec] received

47. ߏ੒ྫ nginx stns nginx stns keepalived keepalived nginxͰSSLΛऴ୺ ෛՙ෼ࢄͭͭ͠ɺSSLͱϕʔγοΫೝূΛ ར༻͠ɺηΩϡΞʹӡ༻͢Δ

48. ಋೖࣄྫ

49. GitHub Flow

50. GitHub FlowͰϢʔβʔ؅ཧ thor Λར༻͠Github(GHE)͔Β Ϣʔβʔ৘ใɺάϧʔϓ৘ใ ެ։伴৘ใΛੜ੒͢Δ [users.pyama] id = 1000

    group_id =1000 keys = ["ssh-rsa xxx”] [groups.muu-developer] id = 1000 bundle exec thor build

51. GitHub FlowͰϢʔβʔ؅ཧ ࡞੒͞ΕͨtomlϑΝΠϧΛϓϧϦΫΤετ ಉ࣌ʹdroneͰ໊લղܾͷςετΛߦ͏ [users.pyama] id = 1000 group_id =1000

    keys = ["ssh-rsa xxx”] [groups.muu-developer] id = 1000

52. GitHub FlowͰϢʔβʔ؅ཧ มߋ಺༰ΛϨϏϡʔޙɺCapistranoͰσϓϩΠ [users.pyama] id = 1000 group_id =1000 keys

    = ["ssh-rsa xxx”] [groups.muu-

53. GitHub FlowͰϢʔβʔ؅ཧ ɾ։ൃͱಉ͡Α͏ʹϢʔβʔ؅ཧΛߦ͏͜ͱͰ ख͔ܰͭਖ਼֬ʹαʔόΞΫηεݖݶΛఏڙ ɾGitHubΛར༻͢Δ͜ͱͰূ੻؅ཧ͕༰қʹ ɾCIπʔϧͱ૊Έ߹ΘͤΔ͜ͱͰɺಈ࡞Λอূ͢Δ

54. ·ͱΊ

55. ๻͕։ൃऀͩ͠࢖ͬͨ΄͏͕͍͍ 1.൥ࡶԽͨ͠Ϣʔβʔ؅ཧΛ΍Γ௚͢खஈͱͯ͠Ͳ ͏ͩΖ͏͔ 2.Web։ൃͷΑ͏ʹϢʔβʔ΋σϓϩΠ͢Δͱͳ͔ ͳ͔ྑ͍

56. ͦͯ͠ɺ͜Ε͔Βͷ࿩

57. ࠓޙͷػೳ௥Ճ ɾ֎෦APIΛར༻Մೳʹ͢Δ ɾύεϫʔυόοΫΤϯυΛ࣮૷ʁ

58. ֎෦APIར༻ wrapper-cmd = [“original-command.rb”] STNS stns-module /user/name/pyama { name:pyama, id:

    1000, dir:/home/pyama … } original-command.rb run { name:pyama, id: 1000, dir:/home/pyama … } STNSʹϢʔβʔ৘ใΛొ࿥͢Δඞཁ͕ͳ͘ͳΓɺ ֎෦γεςϜͱͷ࿈ܞ͕ߋʹՃ଎

59. ύεϫʔυόοΫΤϯυΛ࣮૷ʁ STNS stns-module passwd pyama DatabaseͳͲ change password ΫϥΠΞϯταΠυ͔ΒpasswdͳͲΛར༻͠ɺ ύεϫʔυΛมߋՄೳʹ͢Δػೳ

    ๻͕࣮૷ʹফۃతͳͨΊɺੈ࿦ʹҕͶ͍ͨ

60. ࠓͷ࣌୅ʹ͋ͬͨ Ϣʔβ؅ཧΛ

61. ͝ਗ਼ௌ ༗೉͏͍͟͝·ͨ͠

62. ͜͜Ͱঁੑਞ͔Β࣭໰͕ ࡴ౸͢Δ