rear: document usage of DRLM only on trusted network #42
Comments
|
Hi @gdha, We'll take a look at this, we thing this part of code could be enhanced , but before changing anything, we want to find the best way to do it, also being able to manage the new multiple backups option in rear. In the meantime, do you want that we update any documentation? I assume this is not very urgent, the bugzilla is from 2015. ;) Are you agree with this? |
|
Agree - not urgent.
Thanks for picking this one up,
Gratien
…On Thu, Jan 19, 2017 at 1:29 PM, Didac Oliveira ***@***.***> wrote:
Hi @gdha <https://github.com/gdha>,
We'll take a look at this, we thing this part of code could be enhanced ,
but before changing anything, we want to find the best way to do it, also
being able to manage the new multiple backups option in rear.
In the meantime, do you want that we update any documentation? I assume
this is not very urgent, the bugzilla is from 2015. ;)
Are you agree with this?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#42 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA2POaqlRprvXQEbH9jKIiUsPCKH57Hyks5rT1dEgaJpZM4Ln0Bo>
.
|
|
Hi @gdha, I have almost finished the code changes to use a ssl certificate by default in DRLM_REST_OPTS among other improvements. I wonder if we can set up those DRLM_* variables in ReaR default.conf in order to document them properly as requested in the BZ. Regards, |
|
@didacog sure seems valid to do so. |
|
OK @gdha, regarding dev/master branch, I've just seen you updated dev branch, where you want me to send the changes? Also on DRLM_REST_OPTS defaults we want to use --capath=/etc/rear/cert and store DRLM ssl certs there, there is any problem to create that folder on rear by default? I will appreciate other suggestions. Thanks! |
|
@didacog master or dev - take master as we do ;-) |
|
OK perfect, I will change my default branch to master again on my rear fork then. Regarding /etc/rear/cert, this will be the default folder to store SSL certs used by rear, now only used by DRLM I guess. curl will use this folder to verify SSL connection with the certs stored in it. |
|
@didacog ok good point - describe it clearly it is meant for ReaR and not for DRLM only. I do understand that for now only DRLM will use it, but that can change later of course |
|
I will set something like: # ReaR default SSL certificates location. ReaR will use it to store required certificates it uses. REAR_CAPATH=/etc/rear/cert and ... ... DRLM_REST_OPTS="--capath $REAR_CAPATH" Are you agree with the REAR_CAPATH var name? Regards, |
|
@didacog That sounds fine to me - thanks. |
|
To create the new /etc/rear/cert folder by default I changed those files: install-config:
...
install -d -m0700 $(DESTDIR)$(sysconfdir)/rear/cert/
packaging/rpm/rear.spec: %files
...
%config(noreplace) %{_sysconfdir}/rear/cert/
packaging/debian/rules: # The DESTDIR Has To Be Exactly debian/rear
mkdir -vp \
...
debian/rear/etc/rear/cert/ \
Am I forgeting something? :-P Thanks in advance! |
|
@didacog not that I'm aware of ;-) |
|
Ok, anyway I will test make deb & rpm from my fork before sending PR. Thx! |
|
I've updated my rear fork with the changes (https://github.com/didacog/rear/tree/drlm_mgmnt_sec_improvements), now we will test them with the changes on DRLM side (develop branch) and when ready I will send the PR. Regards, |
|
@gdha I have the code ready to PR, but waiting on rear/rear#1229 (comment) |
|
Hi @gdha, Now that rear/rear#1252 was merged, do you think that this issue can be closed? and also, the bugzilla I guess :-P Kind regards, |
According https://bugzilla.redhat.com/show_bug.cgi?id=1239003
Part of the code I`m worried about is (usr/share/rear/lib/drlm-functions.sh):
DRLM_CFG=$(curl $DRLM_REST_OPTS https://$DRLM_SERVER/clients/$DRLM_ID)
eval "$DRLM_CFG"
The responsibility to make sure the certificate and server authenticity is checked is in the hand of user, and thus should be documented. Specifically, user should be guided to specify path to CA or server certificate, or, in case of using --insecure param to run this only on a trusted network.
The text was updated successfully, but these errors were encountered: