1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
|
Prerequisite data
=================
Naming
------
A piece of prerequisite data is identified by two strings. Typically the
first of these specifies the context in which the data is relevant. For an
ssh host key, for example, this context would be a hostname. If it's ``nil``
then the data is valid in any context. The second of these identifies the
data within its context. This is often just the filename in which the
prerequisite data will eventually be stored. It might also be a
human-readable string describing the purpose of the data.
Reserved names
~~~~~~~~~~~~~~
These are exclusive semantics for certain possible pairs of strings
identifying prerequisite data -- to avoid confusion and potential clashes, do
not use prerequisite data identified by strings matching these conditions for
other purposes.
- ``(HOSTNAME . PATH)`` means the data that should be uploaded to ``PATH`` on
``HOSTNAME`` (and usually nowhere else, except in the case of, e.g., a
public key). ``PATH`` must be absolute, not relative.
- ``(_CONTEXT . ITEM)`` is an arbitrary prerequisite data context named
``CONTEXT``; typically ``CONTEXT`` will be a network or grouping name,
rather than referring to a single host. ``ITEM`` might be a path or some
other identifier. Reserved for consfigs; will not be used by property
definitions included with Consfigurator.
- ``("--lisp-system" . SYSTEM)`` means the data is Lisp code which, when
loaded, defines the packages and symbols contained in the ASDF system
``SYSTEM``
- ``("--user-passwd--HOSTNAME" . USER)`` means the data is the password for
user ``USER`` on ``HOSTNAME``
- ``("--git-snapshot" . NAME)`` means the data is a snapshot of a git repo
identified by ``NAME``; see ``DATA.GIT-SNAPSHOT``
- ``("--pgp-pubkey" . FINGERPRINT)`` means the/a OpenPGP public key with
fingerprint FINGERPRINT, ASCII-armoured
- ``("--pgp-seckey" . FINGERPRINT)`` means the/a OpenPGP secret key with
fingerprint FINGERPRINT, ASCII-armoured
- ``("--luks-passphrase" . VOLUME-LABEL)`` means a LUKS passphrase for volume
with label ``VOLUME-LABEL``.
(Proposed convention: Except for the first two items above, these reserved
names should start with ``--`` and use ``--`` to separate parameter values
within the string. Hostnames cannot start with a hyphen.)
Mechanics
---------
Properties declare that they need certain pieces of prerequisite data by
adding static informational attributes, and a deployment of those properties
will make an attempt to provide the data. Properties then either call the
``GET-DATA-STREAM`` function or the ``GET-DATA-STRING`` function, or depend on
the ``DATA-UPLOADED`` property, to get access to the requested data.
A Lisp connection gathers all needed prerequisite data once at the beginning,
and copies it to an on-disk cache inside the home directory of the remote UID
which will run the Lisp image. A POSIX connection only attempts to obtain
prerequisite data when a property's check function indicates the property is
not already applied.
Sources of prerequisite data
----------------------------
Sources of prerequisite data register two functions. The second returns
either a string of the prerequisite data itself, or a path to a file
containing the data. The first returns the latest version number of the data
that source is able to provide -- i.e., the version number of the data that
the second function would return if called.
Consfigurator will call the first function to find out if it needs to call the
first rather than just using its caches. The first function should return nil
if it can't obtain the prerequisite data on this host, perhaps because it
can't decrypt the store. If a prerequisite data source wants to effectively
bypass caching and provide fresh data every time Consfigurator deploys the
host, it can use ``GET-UNIVERSAL-TIME`` as its first function.
Versions are compared using ``UIOP:VERSION<`` and ``UIOP:VERSION<=``.
Security issues
---------------
Nothing is done to prevent prerequisite data being swapped out, so ensure your
swap is encrypted.
Certain connection types require storing unencrypted copies of prerequisite
data under ``~/.cache/consfigurator/data``. Consfigurator only stores data
there when it has to, only the subset of the data that has to be uploaded for
the requested deployment to be successful, and never in the root Lisp.
|
