
Adopt "password-store" #53 #54

Merged 1 commit, Dec 4, 2023

Conversation


@phillxnet phillxnet commented Dec 2, 2023

Align with rockstor-core changes regarding 'pass' adoption for secrets storage. Install via OS provided 'password-store'. See partner draft PR: https://github.com/rockstor/rockstor-core/pull/2756/files

Includes

  • Additional minimal setup of GNUPG & pass to enable %check scriptlet function as we need a running Django instance for our tests.
  • BuildRequires 'password-store' OS package for 'pass': required for %check scriptlet.
  • Requires 'password-store' OS package on all OS targets.
  • Minor README.md typos.

Fixes #53

Align with rockstor-core changes regarding 'pass' adoption
for secrets storage. Install via OS provided 'password-store'.
## Includes
- Additional minimal setup of GNUPG & pass to enable %check
scriptlet function as we need a running Django instance for
our tests.
- BuildRequires 'password-store' OS package for 'pass':
required for %check scriptlet.
- Requires 'password-store' OS package on all OS targets.
- Minor README.md typos.
@phillxnet

Testing

BuildRequires

error: Failed build dependencies:
	password-store is needed by rockstor-5.0.5-2756.x86_64

and once fulfilled we have:

%check scriptlet:

Executing(%check): /bin/sh -e /var/tmp/rpm-tmp.rqGtyu
+ umask 022
+ cd /home/buildbot/worker/Poetry-Build-on-Leap15-5/rpmbuild
+ cd rockstor-core-5.0.5-2756
+ export LANG=C.UTF-8
+ LANG=C.UTF-8
+ export PYTHONIOENCODING=utf8
+ PYTHONIOENCODING=utf8
+ /usr/local/bin/poetry install --no-interaction --no-ansi
+ /usr/bin/gpg --quick-generate-key --batch --passphrase '' rockstor@localhost
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key BEF5B29317E2F7A4 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/4B5AEAB87DA836A1D7273367BEF5B29317E2F7A4.rev'
+ /usr/bin/pass init rockstor@localhost
mkdir: created directory '/root/.password-store/'
Password store initialized for rockstor@localhost
+ /usr/bin/pass generate --no-symbols --force python-keyring/rockstor/SECRET_KEY 100
mkdir: created directory '/root/.password-store/python-keyring'
mkdir: created directory '/root/.password-store/python-keyring/rockstor'
The generated password for python-keyring/rockstor/SECRET_KEY is:
sE99gjqPh9Ft0Kgx8jaWHoAc1B7UXk3qyY05LfQRS4sCjoj2EAdPFiOxmZeokRyFOObKHqDjyOKS........
+ export DJANGO_SETTINGS_MODULE=settings
+ DJANGO_SETTINGS_MODULE=settings
+ /usr/local/bin/poetry run django-admin collectstatic --no-input --verbosity 1
Error: python-keyring/rockstor/SECRET_KEY_FALLBACK is not in the password store.
Error: python-keyring/rockstor/CLIENT_SECRET is not in the password store.
No SECRET_KEY_FALLBACK - rotated on reboot / rockstor services restart.
515 static files copied to '/home/buildbot/worker/Poetry-Build-on-Leap15-5/rpmbuild/rockstor-core-5.0.5-2756/static', 517 post-processed.
+ cd src/rockstor/
+ /usr/local/bin/poetry run django-admin test
Error: python-keyring/rockstor/SECRET_KEY_FALLBACK is not in the password store.
Error: python-keyring/rockstor/CLIENT_SECRET is not in the password store.
Creating test database for alias 'default'...
No SECRET_KEY_FALLBACK - rotated on reboot / rockstor services restart.
Found 278 test(s).
Creating test database for alias 'smart_manager'...
System check identified no issues (0 silenced).
......................................................................................................................................................................................................................................................................................
----------------------------------------------------------------------
Ran 278 tests in 31.606s
OK
Destroying test database for alias 'default'...
Destroying test database for alias 'smart_manager'...
+ exit 0
  • Where we have the expected missing SECRET_KEY_FALLBACK and CLIENT_SECRET as we don't set them up. But this is not a blocker for our collectstatic, whereas SECRET_KEY is not allowed to be None so we have to set that.
  • We do have a SECRET_KEY exposed in the rpmbuild log, but in two reboots it will be replaced anyway and this is only on an rpmbuild host.

%posttrans scriptlet

Executed after install and where we run build.sh for initial setup:

Running post-transaction scripts [..
%posttrans(rockstor-5.0.5-2756.x86_64) script output:
...
gpg: A key for "rockstor@localhost" already exists
Password store initialized for rockstor@localhost
The generated password for python-keyring/rockstor/SECRET_KEY is:
h9iXrX7WJRPhrX4bQ47nj1wxgCiM3i3Ktpn5eRZSAtrLzcQ1KdwPFVZvyzhn7gtO.........
Error: python-keyring/rockstor/SECRET_KEY_FALLBACK is not in the password store.
Error: python-keyring/rockstor/CLIENT_SECRET is not in the password store.
No SECRET_KEY_FALLBACK - rotated on reboot / rockstor services restart.
...
515 static files copied to '/opt/rockstor/static', 517 post-processed.

ROCKSTOR BUILD SCRIPT COMPLETED
...
If installing from source, from scratch, for development; i.e. NOT via RPM:
Note GnuPG & password-store ExecStartPre steps in /opt/rockstor/conf/rockstor-pre.service
1. Run 'cd /opt/rockstor'.
2. Run 'systemctl start postgresql'.
3. Run 'export DJANGO_SETTINGS_MODULE=settings'.
4. Run 'export PASSWORD_STORE_DIR=/root/.password-store'.
5. Run 'poetry run initrock' as root (equivalent to rockstor-pre.service ExecStart).
6. Run 'systemctl enable --now rockstor-bootstrap'.
No config-backups-rpmsave directory found.
..done]
  • We have build.sh reinstating unconditionally the required SECRET_KEY, just in case. %check had already done this but we are installing on the build host.
  • We have a successful collectstatic.
  • And our new somewhat redundant but good for developer awareness extended instructions re pass and ExecStartPre directives.

Successful install of test rpm on rpmbuild host.

@phillxnet

phillxnet commented Dec 2, 2023

Pass status

On first rpm install, with no prior rockstor install, we have the following 'pass' state for the root user:

rleap15-5:~ # pass
Password Store
└── python-keyring
    └── rockstor
        ├── CLIENT_SECRET
        ├── SECRET_KEY_FALLBACK
        └── SECRET_KEY
  • SECRET_KEY: initially set by %check for collectstatic and test; and then again during %posttrans's invoking build.sh after initial rpm install.
  • SECRET_KEY_FALLBACK: set by rockstor-pre.service via rename of the last (build.sh) SECRET_KEY instance.
  • SECRET_KEY: is then re-instantiated afresh by rockstor-pre.service ExecStartPre by way of a rotation.
  • CLIENT_SECRET: set by initrock invoked by ExecStart in rockstor-pre.service, but only if we are a fresh install, or it didn't already exist. This way it remains constant (unless wiped) per install/reinstall.
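The secret lifecycle described in this comment and in the "Testing" comment above (SECRET_KEY mandatory, SECRET_KEY_FALLBACK optional, CLIENT_SECRET written once), as an added example that is not rockstor-core's or this repository's code. It assumes a small store interface with `get`/`set`; the `pass` backend uses real `pass show` / `pass insert` subcommands and needs gpg and password-store installed, while the in-memory store lets the rotation rules run offline. The entry names come from the `pass` listing above; the rotation and once-only rules are a model of what the comment describes, not the actual rockstor-pre.service / initrock implementation.

```python
import subprocess
from typing import Dict, List, Optional, Tuple

# Entry names as laid out by 'pass' in the "Pass status" listing.
PREFIX = "python-keyring/rockstor/"

class PassStore:
    """Backend shelling out to 'pass' (needs gpg and password-store, as in %check)."""
    def get(self, name: str) -> Optional[str]:
        # 'pass show' exits non-zero with "Error: <name> is not in the password store."
        r = subprocess.run(["pass", "show", name], capture_output=True, text=True)
        return r.stdout.rstrip("\n") if r.returncode == 0 else None
    def set(self, name: str, value: str) -> None:
        subprocess.run(["pass", "insert", "-m", "-f", name], input=value + "\n",
                       text=True, check=True, capture_output=True)

class MemoryStore:
    """Same get/set interface in memory, so the lifecycle can be exercised offline."""
    def __init__(self) -> None:
        self._d: Dict[str, str] = {}
    def get(self, name: str) -> Optional[str]:
        return self._d.get(name)
    def set(self, name: str, value: str) -> None:
        self._d[name] = value

def rotate_secret_key(store, new_key: str) -> None:
    """rockstor-pre.service ExecStartPre (assumed model): the previous SECRET_KEY
    becomes the single SECRET_KEY_FALLBACK, then a fresh SECRET_KEY is written."""
    old = store.get(PREFIX + "SECRET_KEY")
    if old is not None:
        store.set(PREFIX + "SECRET_KEY_FALLBACK", old)
    store.set(PREFIX + "SECRET_KEY", new_key)

def ensure_client_secret(store, candidate: str) -> str:
    """initrock via ExecStart (assumed model): CLIENT_SECRET is written only if
    absent, so it stays constant across reinstalls unless the store is wiped."""
    existing = store.get(PREFIX + "CLIENT_SECRET")
    if existing is not None:
        return existing
    store.set(PREFIX + "CLIENT_SECRET", candidate)
    return candidate

def django_secret_settings(store) -> Tuple[str, List[str]]:
    """What settings.py needs: SECRET_KEY must exist; a missing SECRET_KEY_FALLBACK
    only means signatures from before the last rotation stop validating (non-fatal)."""
    key = store.get(PREFIX + "SECRET_KEY")
    if key is None:
        raise RuntimeError("SECRET_KEY is not in the password store")
    fallback = store.get(PREFIX + "SECRET_KEY_FALLBACK")
    return key, [fallback] if fallback is not None else []
```

With a real store, `PassStore()` can be passed to the same three functions; the "not in the password store" errors seen in the %check log are exactly the `pass show` failures `get` maps to `None`.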

@phillxnet

The custom testing rpm instance also rebooted successfully on the rpmbuild host.

@phillxnet

For a 5.0.5-0 to 5.0.5-2758 rpm update test, via Web-UI, see the following comment in the partner rockstor-core issue:
rockstor/rockstor-core#2758 (comment)

@phillxnet phillxnet merged commit b2f3a45 into rockstor:testing Dec 4, 2023
@phillxnet phillxnet deleted the 53-Adopt-password-store branch December 4, 2023 17:35
@phillxnet phillxnet mentioned this pull request Dec 4, 2023