Propellor's security model is that the hosts it is used to deploy are untrusted, and that the central git repository server, if any, is untrusted too. The only trusted machine is the laptop where you run propellor --spin to connect to a remote host, and that one is trusted only because it holds the ssh key or login password for the host.
Since the hosts propellor deploys do not trust the central git repository, and the central repository does not trust them, no authentication is needed between the two: it is normal to pull from the central git repository over git:// or http:// rather than ssh://.
Since propellor does not trust the central git repository, it checks that any commit it fetches from it is gpg signed by a trusted gpg key, and refuses to deploy it otherwise. That check is only done when privdata/keyring.gpg exists. To set it up:

    gpg --gen-key              # only if you don't already have a gpg key
    propellor --add-key $MYKEYID
In order to be secure from the beginning, when propellor --spin is used to bootstrap propellor on a new host, it transfers the local git repository, including the keyring, to the remote host over ssh, so the trusted key reaches the host over an authenticated channel rather than from the untrusted central repository. After that, the host knows the gpg key, and will use it to verify git fetches.
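The deploy gate described above, written out as an added illustration in POSIX sh (this is not propellor's own code; the function names, the keyring path argument and the gpg wrapper script are assumptions made for the example). It asks git for the signature status of the tip of a branch, forces git to consult only a dedicated keyring rather than the user's default one, and allows a deploy only when the status is G or U; the example treats "trusted" as "present in the keyring", which is why U (good signature, key without ownertrust) is accepted. The demo at the end builds a throwaway repository with one unsigned commit and shows it being refused.

```shell
#!/bin/sh
# Added example: a signature gate modelled on the policy in the text above.
# Not propellor's code; names and the keyring/wrapper handling are assumptions.

# Print git's one-letter signature status for a ref:
#   G good, U good but key not trusted, B bad, E cannot check (key missing),
#   N no signature, X/Y/R expired or revoked.
# A throwaway gpg wrapper makes git verify against ONLY the given keyring, so a
# signature by a key outside that keyring can never be reported as good.
commit_signature_status() {
	repo=$1 ref=$2 keyring=$3
	wrapper=$(mktemp)
	cat > "$wrapper" <<EOF
#!/bin/sh
exec gpg --no-default-keyring --keyring "$keyring" "\$@"
EOF
	chmod +x "$wrapper"
	git -C "$repo" -c gpg.program="$wrapper" log -n 1 --format=%G? "$ref"
	rm -f "$wrapper"
}

# Deploy gate: return 0 only for a good signature (G or U); refuse anything
# else, including an unsigned commit (N) or a key missing from the keyring (E).
verify_branch() {
	status=$(commit_signature_status "$1" "$2" "$3")
	case "$status" in
		G|U) return 0 ;;
		*) echo "refusing to deploy $2: signature status '$status'" >&2
		   return 1 ;;
	esac
}

# Constructed demo: a repository whose only commit is unsigned must be refused.
# Returns 0 when the gate behaves correctly (i.e. refuses), 1 otherwise.
demo_unsigned_is_refused() {
	tmp=$(mktemp -d)
	git -C "$tmp" init -q
	git -C "$tmp" -c user.name=demo -c user.email=demo@example.invalid \
		-c commit.gpgsign=false commit -q --allow-empty -m "unsigned commit"
	if verify_branch "$tmp" HEAD "$tmp/keyring.gpg"; then
		rm -rf "$tmp"
		return 1
	fi
	rm -rf "$tmp"
	return 0
}

# In real use the keyring would be privdata/keyring.gpg as populated by
# propellor --add-key, and the ref would be the freshly fetched origin branch.
```

The wrapper is the important part: without it, git would hand verification to gpg's default keyring, and any key the user happens to have imported would count as trusted.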
Since the propellor git repository is public, you can't store private data such as passwords, ssh private keys, etc. in it in cleartext. Instead, propellor --spin $host looks for a ~/.propellor/privdata/privdata.gpg file and, if found, decrypts it, extracts the private data that $host needs, and sends only that to $host over ssh. This lets a host know its own private data without seeing all the rest.
To securely store private data, use:

    propellor --set $field $context

Propellor will tell you the details (which field and context to use) when you use a Property that needs PrivData.
It is not clear to me whether or not it is safe to publish my own propellor repository to a publicly hosted service. It seems to me that when I do ./propellor --add-key MYKEYID, the private key data is stored in the repository as a commit, so pushing it exposes this data to the public. Am I wrong?
Thanks
Makes sense of course, but the message one gets when doing that is a bit misleading.
I ran into another issue: propellor deploys itself to the remote host, but then the propellor instance run on the remote host cannot read the remote git repo, because:
I am puzzled: Does this mean I should add some for use by the remote host deployed to? This does not make sense, so there should be another way... If I change the origin url to use https, then I cannot push locally anymore.
Thanks for your help
Here is the output (truncated):
OK, I managed to get my first propellor config to run fine by setting different branch.master.url and branch.master.pushUrl configurations:
I had to nuke the remote /usr/local/propellor directory because it still had wrong configuration with a single remote url.
@Arnaud, see automated spins, including its documentation of a "deploy" remote, which can be used to configure the url that remote hosts should pull from.
Also, propellor can be used now without any centralized repository.
@Philipp, indeed: It's important to realize that all data entered into the privdata with propellor --set is deployed in cleartext to the machines that use it. It is kept in a directory only root can read, but still, important to bear in mind. I've added the ability to use CryptPassword instead of Password with User.hasPassword and User.hasSomePassword.