STNS pepabo_hatena_tech_con

Transcript

1. QZBNB
   
   (.0
   1&1"#0
   JOD
   
   ϖύϘɾ͸ͯͳٕज़େձʙΠϯϑϥٕज़ج൫ʙ 45/4

2. IUUQTUFOTOBQPODPN γχΞɾΤϯδχΞ ࢁԼ
   ࿨඙!QZBNB ϗεςΟϯάࣄۀ෦ϜʔϜʔυϝΠϯνʔϜ

3. -JOVYϢʔβʔ؅ཧ 1.

4. -JOVYͱ͸ʁ

5. -JOVY

6. -JOVYϢʔβʔ؅ཧ w -JOVYͰ͸ϑΝΠϧॴ༗ऀɺݖݶ؅ཧ͕Ϣʔβʔɾάϧʔϓ ΛݩʹߦΘΕΔ
   w ಛఆͷϢʔβʔݖݶͰίϚϯυΛ࣮ߦ͢Δ4VEPΛ࢝Ίɺ ଟ͘ͷίϚϯυͰϢʔβʔɾάϧʔϓͰ੍ޚ͞Ε͍ͯΔ

7. -JOVYϢʔβʔ؅ཧ Ұͭͷ8&#αʔϏεͰ΋
   ଟ͘ͷ-JOVY͕Քಇ͍ͯ͠Δ

8. -JOVYϢʔβʔ؅ཧ ؤுΔ͘Μ

9. None

10. ͕Μ͹Εͳ͍܅ʁ

11. None

12. -JOVYϢʔβʔ؅ཧ

13. 45/4 w (PMBOH
    w 5PNMܗࣜͷઃఆϑΝΠϧ
    w +40/ΠϯλʔϑΣʔεͷαʔόɾΫϥΠΞϯτ
    w 8SBQQFSΛࣗ༝ʹมߋͰ͖Δ ϓϥΨϒϧ

14. ίϯηϓτ ໊લղܾɺެ։伴औಘɺΞΧ΢ϯτೝূͷΈΛఏڙ ͢Δɻଟ͘Λ΍Βͣɺγϯϓϧʹอͭ͜ͱͰ؅ཧɺ ૊Έ߹ΘͤΛ༰қʹɻ https://github.com/STNS/STNS

15. -JOVYϢʔβʔάϧʔϓͷ໊લղܾ % ls -ltr -rw-r--r-- 1 pyama wheel 0 May

    8 00:09 hatena_pepabo.txt % ls -ltr -rw-r--r-- 1 1000 1000 0 May 8 00:09 hatena_pepabo.txt id:1000 is pyama

16. ΞʔΩςΫνϟ STNS http(1104) ls libnss-stns libpam-stns query-wrapper key-wrapper /user/name/pyama {

    name:pyama, id: 1000, dir:/home/pyama … } αʔόɾΫϥΠΞϯτؒ͸httpΛར༻ͨ͠ JSONܗࣜͷΠϯλʔϑΣʔε

17. ઃఆϑΝΠϧ
    
    αʔό QPSU
    
    
    JODMVEF
    
    FUDTUOTDPOGE 
    TBMU@FOBCMF
    
    USVF
    TUSFUDIJOH@OVNCFS
    
    
    VTFS
    
    lCBTJD@VTFS
    QBTTXPSE
    
    CBTJD@QBTTXPSE
    <VTFSTFYBNQMF>
    JE
    
    
    

    HSPVQ@JE
    
    
    LFZT
    
    <TTISTB
    99999ʜ>
    <HSPVQTFYBNQMF>
    JE
    
    
    VTFST
    
    <FYBNQMF>
    <TVEPFSTFYBNQMF>
    QBTTXPSE
    
    GEDEBGFBBDBEBCGGCCCDEEDCGB
    

18. stns.conf(αʔό) stns.conf user.conf group.conf deploy.conf ෳ਺ͷઃఆϑΝΠϧʹ෼ׂ͠ɺ ໾ׂ΍૊৫͝ͱʹ؅ཧ͢ΔͱΑ͍

19. ઃఆϑΝΠϧ
    
    ΫϥΠΞϯτ api_end_point = ["http://<server-master>:1104", "http://<server-slave>:1104"] user = "basic_user" password =

    "basic_password" wrapper_path = "/usr/local/bin/stns-query-wrapper" chain_ssh_wrapper = "/usr/libexec/openssh/ssh-ldap-wrapper" ssl_verify = true

20. ྫ͑͹͜͏͍͏͜ͱ΋ग़དྷΔ process libnss-stns libpam-stns query-wrapper key-wrapper /user/name/pyama { name:pyama, id:

    1000, dir:/home/pyama … } Linuxϓϩηεͱͷ΍ΓऔΓ͸STNSΛར༻͠ɺ Ϣʔβʔ৘ใ͸RailsͰ؅ཧ͢Δ

21. σϓϩΠϢʔβʔͷ ؅ཧ

22. σϓϩΠϢʔβʔͷ؅ཧ [email protected] [email protected] [email protected] /home/deploy/.ssh/authrized_keys ʹ֤Ϣʔβʔͷެ։伴Λొ࿥

23. σϓϩΠϢʔβʔͷ؅ཧ ࡢࠓͷWebαʔϏεͰ͸σϓϩΠઐ༻ϢʔβʔΛઃ ͚ͯσϓϩΠ͢Δ͜ͱ͕ଟ͍ɻ ͔͠͠ɺطଘͷ࢓૊ΈͰ࣮ݱ͢Δʹ͸σϓϩΠϢʔ βʔͷ~/.ssh/authorized_keysʹσϓϩΠ͢ΔϢʔ βʔͷެ։伴Λฒ΂ͨΓ͢Δඞཁ͕͋ͬͨ

24. σϓϩΠϢʔβʔͷ؅ཧ [users.deploy] id = 1000 group_id = 1000 link_users =

    [“foo","bar"] [users.foo] keys = ["ssh-rsa aaa”] [users.bar] keys = ["ssh-rsa bbb"] deployϢʔβʔͰSSHϩάΠϯ͢Δࡍʹɺlink_usersͰ ࢦఆͨ͠Ϣʔβʔͷެ։伴Λར༻ग़དྷΔ →authorized_keysʹॻ͔ͳͯ͘ྑ্͍ʹɺ ɹ୭͕σϓϩΠग़དྷΔͷ͔Ұ໨ྎવ

25. ૊৫ߏ଄Λදݱ͢Δ

26. ૊৫ߏ଄Λදݱ͢Δ ྫ͑͹ɺٕज़1՝ʹॴଐ͢ΔϢʔβʔ͸ɺٕज़෦ͷϢʔ βʔͰ΋͋Δɻͱ͋Δαʔόʹٕज़෦ͷϢʔβʔ͸ϩά Πϯग़དྷΔΑ͏ʹ͍ͨ͠ɻ

27. ૊৫ߏ଄Λදݱ͢Δ [groups.tech] users = ["antipop"] link_groups = [“tech-1"] [groups.tech-1] users

    = ["pyama"] pyama͸tech-1ʹॴଐ͢ΔtechͷϢʔβʔͰ͋Δɻ ۩ମతͳར༻γʔϯ͸sshd_configͷAllowGroupsɺ sudoersͳͲɺάϧʔϓͰ؅ཧ͢Δ৔߹ʹศརɻ

28. ಋೖ

29. ಋೖ IUUQTUOTKQ

30. PTT

31. ಋೖ

32. ಋೖ w SQN EFCڞʹCJU CJU൛ͷఏڙ SFQPTUOTKQ
    
    DVSM
    GT4-
    IUUQTSFQPTUOTKQTDSJQUTZVNSFQPTI
    c
    TI
    
    ZVN
    JOTUBMM
    TUOT
    MJCOTTTUOT
    MJCQBNTUOT IUUQTHJUIVCDPN45/4TUOTDPPLCPPL

    IUUQTHJUIVCDPN45/4QVQQFUTUOT w $IFG 1VQQFUͷΫοΫϒοΫɺϚχϑΣετΛఏڙ
    
    
    1VQQFUϚχϑΣετ͸!IGN͕։ൃͯ͘͠Εͨ
    

33. ಋೖ Πϯετʔϧʙ44)ެ։伴ೝূ·Ͱ
    ෼ඵ

34. ಋೖࣄྫ

35. Ϣʔβʔ؅ཧ΋(JUIVC
    'MPX (JUIVC&OUFSQSJTF͔ΒϢʔβʔσʔλΛ࡞੒͠ɺ1VMM3FRVFTU
    %SPOFͰࣗಈςετɾਓͷ໨ʹΑΔϨϏϡʔ
    σϓϩΠ

36. HFOFSBUF
    CZ
    UIPS 
    DPOpHZNM
    UFBNT
    
    
    UFDIBENJO
    ˒
    (JUIVCͷνʔϜ໊
    
    
    
    NVVBENJO
    
    
    NJOOFBENJO
    
    
    
    
    
    LJCBO
    ˑ
    MJOL@HSPVQΛར༻͠૊৫Λ࿈݁ εΫϦϓτͰ৘ใͷऔಘݩΛ()&ʹू໿͢Δ͜ͱʹΑΓɺϢʔβʔ ͷ௥Ճɺ࡟আΛ()&ʹҠৡ͢Δɻ
    ͦ͏͢Δ͜ͱͰγεςϜ͝ͱͷΞΧ΢ϯτࢄࡏΛ๷͙͜ͱ͕ग़དྷ·

    ͢ɻ

37. ӡ༻Πϝʔδ 2.

38. ӡ༻Πϝʔδ nginx stns nginx stns /HJOYͰ44-Λऴ୺ͭͭ͠ɺ$BQJTUSBOPͳͲͷσϓϩΠπʔϧͰ
    TUOTDPOGΛσϓϩΠ

39. ӡ༻Πϝʔδ nginx stns nginx stns αʔόͷTUOTDPOGΛ௚઀ฤू͠ɺ4$1΍STZODͰಉظ

40. ӡ༻Πϝʔδ ࢖͍౗͢ process libnss-stns libpam-stns query-wrapper key-wrapper FUDEΛར༻͠ɺαʔόϨεͳϢʔβʔ؅ཧ

41. ͱΓ͋͑ͣ৮ͬͯΈΔ

42. ͜Ε͔ΒϢʔβ؅ཧΛ࢝ΊΔ
    ΈΜͳ΁ 3.

43. 45/4ϘΫ͕։ൃऀͩ͠࢖ͬͨ΄͏͕͍͍ w ൥ࡶԽͮ͠Β͍పఈͨ͠γϯϓϧ͞
    w γϯϓϧ͕ނʹ֦ுੑ͕ߴ͍
    w ಋೖͷख͕ؒগͳ͍

44. 45/4ͰϢʔβʔ؅ཧΛ
    ࢝ΊΑ͏

45. 5IBOL
    ZPV

46. ͜͜Ͱঁੑਞ͔Β
    ࣭໰͕ࡴ౸͢Δ