#30020: switch from our custom YAML implementation to Hiera
-------------------------------------------------+-------------------------
 Reporter:  anarcat                               |      Owner:  anarcat
     Type:  project                               |     Status:  assigned
 Priority:  Medium                                |  Milestone:
Component:  Internal Services/Tor Sysadmin Team   |    Version:
 Severity:  Normal                                | Resolution:
 Keywords:                                        |  Actual Points:
Parent ID:  #29387                                |     Points:
 Reviewer:                                        |    Sponsor:
-------------------------------------------------+-------------------------
Comment (by anarcat):

some more progress, but this time harder stuff: I converted the DNS servers to Hiera. this involved splitting some classes and exporting resources.

in my travels, those are the important HOST_ROLE_ ferm rules that I found might be problematic:

{{{
HOST_ROLE_BACULA_DIRECTOR
HOST_ROLE_BACULA_STORAGE
HOST_ROLE_DIP
HOST_ROLE_DNS_SECONDARY
HOST_ROLE_JENKINS
HOST_ROLE_NAGIOSMASTER
HOST_ROLE_PUPPETMASTER
}}}

I also found `HOST_NETNOD` but I think that might be a static definition.

`HOST_ROLE_DNS_SECONDARY` is now gone, and replaced by exported `ferm::rule` constructs. This works well, but @weasel was somehow worried about security issues with exported resources, which I am not sure are relevant in this case.

Another problem is that the `ferm` module is set up to ''realize'' the virtual `ferm::rule` stuff defined everywhere. This implies that the exported resources are '''also''' realized '''locally'''. That's fairly harmless, because the host allows itself access to itself, but it's noisy and annoying. I don't know why `ferm::rule` entries are virtual everywhere, so that's something I'd like to explore as well in the future.

Another problem I found when working on the DNS stuff is that the DNS primary does checks on the DNS secondaries, seemingly through NRPE, because it is in the `allowed_hosts` list in the NRPE config. This makes it impossible to remove the `dns_primary` role from `local.yaml` for now and I'm not sure how to work around that without creating a global variable for the DNS primary host, which would be an unfortunate regression.

So two pending questions:

1. what is the security issue with exported resources? is the current pattern used in the bind module and prometheus profile acceptable?
2. why are `ferm::rule` entries virtual?
3. how can we export arbitrary IPs in configuration files in Hiera? specifically, how do we construct NRPE's `allowed_hosts` list of IPs from other hosts?

My tentative guesses on this are:

1. impact minor, even if security issue (possibility to manipulate firewall rules between nodes)
2. probably just an oversight?
3. I feel dirty saying it, but a fancy `sed` Exec exported resource?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30020#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
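The export/collect pattern the comment describes for the DNS secondaries, as an added example that is not code from the ticket or from the Tor sysadmin Puppet tree; it shows where the trust boundary of exported resources sits (the agent-reported `$facts` versus the certificate-backed `$trusted` hash) and why the exported rule also shows up locally. The `ferm::rule` parameter names (`description`, `domain`, `chain`, `rule`), the Hiera key `profile::dns::secondary_ips` and the tag name are assumptions.

```puppet
# Added example, not from the ticket or the Tor sysadmin Puppet tree.
# Assumptions: ferm::rule accepts description/domain/chain/rule (Debian-style
# ferm module); Hiera key profile::dns::secondary_ips maps certname => IPv4;
# the tag name is made up.

# On every DNS secondary: export a rule that lets this host reach the primary.
class profile::dns::secondary {
  # Identity comes from the agent certificate ($trusted), not from $facts:
  # facts are reported by the agent itself, so a compromised secondary could
  # otherwise export a rule that whitelists any address it likes on the primary.
  $me  = $trusted['certname']
  $ips = lookup('profile::dns::secondary_ips', Hash[String, String])
  if !($me in $ips) {
    fail("no IP for DNS secondary ${me} in profile::dns::secondary_ips")
  }
  $ip = $ips[$me]   # centrally maintained in Hiera, not chosen by the node

  # @@ exports the resource to PuppetDB. It is *also* a virtual resource on
  # this node, which is why a blanket `Ferm::Rule <| |>` in the ferm module
  # realizes it here too (the noisy but harmless self-allow the ticket mentions).
  @@ferm::rule { "dns-secondary-${me}":
    description => "zone transfers / NOTIFY from secondary ${me}",
    domain      => 'ip',
    chain       => 'INPUT',
    rule        => "proto (tcp udp) dport 53 saddr ${ip} ACCEPT",
    tag         => 'dns_secondary_to_primary',
  }
}

# On the DNS primary: collect only the rules carrying that tag.
class profile::dns::primary {
  # The tag narrows the collection but does not authenticate it: any node whose
  # catalog exports a ferm::rule with this tag lands it in this catalog. That is
  # why the rule body above is built from $trusted and Hiera rather than $facts.
  Ferm::Rule <<| tag == 'dns_secondary_to_primary' |>>
}
```

Which nodes export at all is decided server-side by the manifest and Hiera role data; the node can only influence the exported content through what it reports, which is what the `$trusted` lookup takes out of its hands.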