ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/doc/gvpe.5.pod
(Generate patch)

Comparing gvpe/doc/gvpe.5.pod (file contents):
Revision 1.11 by root, Wed Jul 10 01:53:33 2013 UTC vs.
Revision 1.12 by root, Wed Nov 2 06:54:13 2016 UTC

66only a single type of buffer and it's always of fixed length. 66only a single type of buffer and it's always of fixed length.
67 67
68=item EASY TO SETUP 68=item EASY TO SETUP
69 69
70A few lines of config (the config file is shared unmodified between all 70A few lines of config (the config file is shared unmodified between all
71hosts) and a single run of C<gvpectrl> to generate the keys suffices to 71hosts) and generating an RSA key-pair on each node suffices to make it
72make it work. 72work.
73 73
74=item MAC-BASED SECURITY 74=item MAC-BASED SECURITY
75 75
76Since every host has it's own private key, other hosts cannot spoof 76Since every host has it's own private key, other hosts cannot spoof
77traffic from this host. That makes it possible to filter packet by MAC 77traffic from this host. That makes it possible to filter packet by MAC
189By enabling routing on the gateway host that runs C<gvpe> all nodes will 189By enabling routing on the gateway host that runs C<gvpe> all nodes will
190be able to reach the other nodes. You can, of course, also use proxy ARP 190be able to reach the other nodes. You can, of course, also use proxy ARP
191or other means of pseudo-bridging, or (best) full routing - the choice is 191or other means of pseudo-bridging, or (best) full routing - the choice is
192yours. 192yours.
193 193
194=head2 STEP 2: create the RSA key pairs for all hosts 194=head2 STEP 2: create the RSA key pair for each node
195 195
196Run the following command to generate all key pairs for all nodes (that 196Next you have to generate the RSA keys for the nodes. While you can set
197might take a while): 197up GVPE so you can generate all keys on a single host and centrally
198distribute all keys, it is safer to generate the key for each node on the
199node, so that the secret/private key does not have to be copied over the
200network.
198 201
202To do so, run the following command to generate a key pair:
203
199 gvpectrl -c /etc/gvpe -g 204 gvpectrl -c /etc/gvpe -g nodekey
200 205
201This command will put the public keys into C<< 206This will create two files, F<nodekey> and F<nodekey.privkey>. The former
202/etc/gvpe/pubkeys/I<nodename> >> and the private keys into C<< 207should be copied to F<< /etc/gvpe/pubkey/I<nodename> >> on the host where
203/etc/gvpe/hostkeys/I<nodename> >>. 208your config file is (you will have to create the F<pubkey> directory
209first):
210
211 scp nodekey confighost:/etc/gvpe/pubkey/nodename
212
213The private key F<nodekey.privkey> should be moved to F</etc/gvpe/hostkey>:
214
215 mkdir -p /etc/gvpe
216 mv nodekey.privkey /etc/gvpe/hostkey
204 217
205=head2 STEP 3: distribute the config files to all nodes 218=head2 STEP 3: distribute the config files to all nodes
206 219
207Now distribute the config files and private keys to the other nodes. This 220Now distribute the config files and public keys to the other nodes.
208should be done in two steps, since only the private keys meant for a node
209should be distributed (so each node has only it's own private key).
210 221
211The example uses rsync-over-ssh 222The example uses rsync-over-ssh to copy the config file and all the public
223keys:
212 224
213First all the config files without the hostkeys should be distributed:
214
215 rsync -avzessh /etc/gvpe first.example.net:/etc/. --exclude hostkeys 225 rsync -avzessh /etc/gvpe first.example.net:/etc/. --exclude hostkey
216 rsync -avzessh /etc/gvpe 133.55.82.9:/etc/. --exclude hostkeys 226 rsync -avzessh /etc/gvpe 133.55.82.9:/etc/. --exclude hostkey
217 rsync -avzessh /etc/gvpe third.example.net:/etc/. --exclude hostkeys 227 rsync -avzessh /etc/gvpe third.example.net:/etc/. --exclude hostkey
218 228
219Then the hostkeys should be copied:
220
221 rsync -avzessh /etc/gvpe/hostkeys/first first.example.net:/etc/hostkey
222 rsync -avzessh /etc/gvpe/hostkeys/second 133.55.82.9:/etc/hostkey
223 rsync -avzessh /etc/gvpe/hostkeys/third third.example.net:/etc/hostkey
224
225You should now check the configuration by issuing the command C<gvpectrl -c 229You should now check the configuration by issuing the command C<gvpectrl
226/etc/gvpe -s> on each node and verify it's output. 230-c /etc/gvpe -s> on each node and verify it's output.
227 231
228=head2 STEP 4: starting gvpe 232=head2 STEP 4: starting gvpe
229 233
230You should then start gvpe on each node by issuing a command like: 234You should then start gvpe on each node by issuing a command like:
231 235
250will make it try to connect to all other nodes again. If you run it from 254will make it try to connect to all other nodes again. If you run it from
251inittab, as is recommended, C<gvpectrl -k> (or simply C<killall gvpe>) will 255inittab, as is recommended, C<gvpectrl -k> (or simply C<killall gvpe>) will
252kill the daemon, start it again, making it read it's configuration files 256kill the daemon, start it again, making it read it's configuration files
253again. 257again.
254 258
259To run the GVPE daemon permanently, you can either add it to your SysV
260F<inittab>, e.g.:
261
262 t1:2345:respawn:/bin/sh -c "exec nice -n-20 /path/to/gvpe -D node >/var/log/gvpe.log 2>&1"
263
264For systems using systemd, you can use a unit file ike this one:
265
266 [Unit]
267 Description=gvpe
268 After=network.target
269 Before=remote-fs.target
270
271 [Service]
272 ExecStart=/path/to/gvpe -D node
273 KillMode=process
274 Restart=always
275
276 [Install]
277 WantedBy=multi-user.target
278
255=head1 SEE ALSO 279=head1 SEE ALSO
256 280
257gvpe.osdep(5) for OS-dependent information, gvpe.conf(5), gvpectrl(8), 281gvpe.osdep(5) for OS-dependent information, gvpe.conf(5), gvpectrl(8),
258and for a description of the transports, protocol, and routing algorithm, 282and for a description of the transports, protocol, and routing algorithm,
259gvpe.protocol(7). 283gvpe.protocol(7).

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines