[tor-bugs] #30020 [Internal Services/Tor Sysadmin Team]: switch from our custom YAML implementation to Hiera

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Apr 17 19:42:22 UTC 2019


#30020: switch from our custom YAML implementation to Hiera
-------------------------------------------------+-------------------------
 Reporter:  anarcat                              |          Owner:  anarcat
     Type:  project                              |         Status:
                                                 |  assigned
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:  #29387                               |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by anarcat):

 some more progress, but this time harder stuff: I converted the DNS
 servers to Hiera. this involved splitting some classes and exporting
 resources. in my travels, those are the important HOST_ROLE_ ferm rules
 that I found might be problematic:

 {{{
 HOST_ROLE_BACULA_DIRECTOR
 HOST_ROLE_BACULA_STORAGE
 HOST_ROLE_DIP
 HOST_ROLE_DNS_SECONDARY
 HOST_ROLE_JENKINS
 HOST_ROLE_NAGIOSMASTER
 HOST_ROLE_PUPPETMASTER
 }}}

 I also found `HOST_NETNOD` but I think that might be a static definition.

 `HOST_ROLE_DNS_SECONDARY` is now gone, and replaced by exported
 `ferm::rule` constructs. This works well, but @weasel was somehow worried
 about security issues with exported resources, which I am not sure are
 relevant in this case.

 Another problem is that the `ferm` module is set up to ''realize'' the
 virtual `ferm::rule` stuff defined everywhere. This implies that the
 exported resources are '''also''' realized '''locally'''. That's fairly
 harmless, because the host allows itself access to itself, but it's noisy
 and annoying.

 I don't know why `ferm::rule` entries are virtual everywhere, so that's
 something I'd like to explore as well in the future.

 Another problem I found when working on the DNS stuff is that the DNS
 primary does checks on the DNS secondaries, seemingly through NRPE,
 because it is in the `allowed_hosts` list in the NRPE config. This makes
 it impossible to remove the `dns_primary` role from `local.yaml` for now
 and I'm not sure how to work around that without creating a global
 variable for the DNS primary host, which would be an unfortunate
 regression.

 So two pending questions:

  1. what is the security issue with exported resources? is the current
 pattern used in the bind module and prometheus profile acceptable?

  2. why are `ferm::rule` entries virtual?

  3. how can we export arbitrary IPs in configuration files in Hiera?
 specifically, how do we construct NRPE's `allowed_hosts` list of IPs from
 other hosts?

 My tentative guesses on this are:

  1. impact minor, even if security issue (possibility to manipulate
 firewall rules between nodes)
  2. probably just an oversight?
  3. i feel dirty saying it, but a fancy `sed` Exec exported resource?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30020#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
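The exported-resource pattern the comment discusses (a secondary exporting a `ferm::rule` that the primary collects, and the related question of building NRPE's `allowed_hosts` from other hosts' addresses), written out as an added example. This is not code from the ticket or from the Tor sysadmin team's Puppet repository: the class names `profile::dns::primary` and `profile::dns::secondary`, the tags `tor-dns-secondary` and `tor-nrpe-allowed`, the `chain`/`rule` parameters of `ferm::rule`, the NRPE include path and the 10.0.0.0/8 sample addresses are all assumptions. It relies on the documented behaviour of Puppet's `@@`/`<<| |>>` exported resources and of the puppetlabs-concat module.

```puppet
# Added example, not from the ticket or the Tor puppet tree. All names and
# the ferm::rule parameter interface below are assumptions.

# ---- on every DNS secondary ------------------------------------------------
class profile::dns::secondary (
  Stdlib::IP::Address $listen_ip = $facts['networking']['ip'],
) {
  $fqdn = $facts['networking']['fqdn']

  # '@@' makes the resource both *exported* (stored in PuppetDB under this
  # node's certname) and *virtual*. Because it is virtual, a bare
  # `Ferm::Rule <| |>` collector anywhere in this node's catalog, such as the
  # one the ticket says the ferm module runs, realizes it locally too. That
  # is the "host allows itself access to itself" noise described above.
  @@ferm::rule { "dns-axfr-from-${fqdn}":
    chain => 'INPUT',
    rule  => "proto tcp dport 53 saddr ${listen_ip} ACCEPT",  # assumed interface
    tag   => 'tor-dns-secondary',
  }

  # Export the address as a concat fragment so the primary can assemble its
  # NRPE allowed_hosts line without a global variable for the primary host.
  # The fragment deliberately carries the leading comma: the target file is
  # built without newlines between fragments (see the primary below).
  @@concat::fragment { "nrpe-allowed-${fqdn}":
    target  => '/etc/nagios/nrpe.d/allowed_hosts.cfg',
    content => ",${listen_ip}",
    order   => '50',
    tag     => 'tor-nrpe-allowed',
  }
}

# ---- on the DNS primary ----------------------------------------------------
class profile::dns::primary {
  # Collect only what carries the expected tag. A collector is a filter, not
  # an authentication step: any node whose catalog compiles can export a
  # resource with this tag, which is the risk raised in the ticket. Keeping
  # the filter narrow (tag plus, where practical, a title pattern) and
  # reviewing what the collector can set limits what a single compromised
  # exporter could change on other hosts.
  Ferm::Rule <<| tag == 'tor-dns-secondary' |>>

  # Build a single "allowed_hosts=..." line from the exported fragments.
  # ensure_newline defaults to false in puppetlabs-concat, so header, one
  # ",<ip>" fragment per secondary and the trailing newline join on one line.
  concat { '/etc/nagios/nrpe.d/allowed_hosts.cfg':
    ensure         => present,
    owner          => 'root',
    group          => 'nagios',
    mode           => '0640',
    ensure_newline => false,
  }

  concat::fragment { 'nrpe-allowed-header':
    target  => '/etc/nagios/nrpe.d/allowed_hosts.cfg',
    content => 'allowed_hosts=127.0.0.1',
    order   => '01',
  }

  Concat::Fragment <<| tag == 'tor-nrpe-allowed' |>>

  concat::fragment { 'nrpe-allowed-footer':
    target  => '/etc/nagios/nrpe.d/allowed_hosts.cfg',
    content => "\n",
    order   => '99',
  }

  # The main nrpe.cfg then pulls the generated file in with NRPE's own
  # `include=/etc/nagios/nrpe.d/allowed_hosts.cfg` directive (assumed path).
}
```

With two secondaries at 10.0.1.2 and 10.0.1.3 the generated file reads `allowed_hosts=127.0.0.1,10.0.1.2,10.0.1.3`, and the primary's ferm configuration gains one collected `INPUT` rule per secondary. The concat trick is the "fancy exported resource" the comment hints at, but it stays declarative and idempotent, whereas an exported `Exec` running `sed` would not be.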

