--- gvpe/doc/gvpe.texi 2016/03/30 04:02:50 1.7 +++ gvpe/doc/gvpe.texi 2016/11/10 15:15:23 1.8 @@ -144,7 +144,7 @@ @item EASY TO SETUP -A few lines of config (the config file is shared unmodified between all hosts) and a single run of @t{gvpectrl} to generate the keys suffices to make it work. +A few lines of config (the config file is shared unmodified between all hosts) and generating an RSA key-pair on each node suffices to make it work. @refill 
@@ -271,42 +271,47 @@ @refill -@subsection STEP 2: create the RSA key pairs for all hosts -Run the following command to generate all key pairs for all nodes (that might take a while): +@subsection STEP 2: create the RSA key pair for each node +Next you have to generate the RSA keys for the nodes. While you can set up GVPE so you can generate all keys on a single host and centrally distribute all keys, it is safer to generate the key for each node on the node, so that the secret/private key does not have to be copied over the network. +@refill +To do so, run the following command to generate a key pair: @refill @example - gvpectrl -c /etc/gvpe -g + gvpectrl -c /etc/gvpe -g nodekey @end example -This command will put the public keys into @t{/etc/gvpe/pubkeys/@emph{nodename}} and the private keys into @t{/etc/gvpe/hostkeys/@emph{nodename}}. +This will create two files, @file{nodekey} and @file{nodekey.privkey}. The former should be copied to @file{/etc/gvpe/pubkey/@emph{nodename}} on the host where your config file is (you will have to create the @file{pubkey} directory first): @refill -@subsection STEP 3: distribute the config files to all nodes -Now distribute the config files and private keys to the other nodes. This should be done in two steps, since only the private keys meant for a node should be distributed (so each node has only it's own private key). -@refill -The example uses rsync-over-ssh -@refill -First all the config files without the hostkeys should be distributed: +@example + scp nodekey confighost:/etc/gvpe/pubkey/nodename +@end example + +The private key @file{nodekey.privkey} should be moved to @file{/etc/gvpe/hostkey}: @refill @example - rsync -avzessh /etc/gvpe first.example.net:/etc/. --exclude hostkeys - rsync -avzessh /etc/gvpe 133.55.82.9:/etc/. --exclude hostkeys - rsync -avzessh /etc/gvpe third.example.net:/etc/. 
--exclude hostkeys + mkdir -p /etc/gvpe + mv nodekey.privkey /etc/gvpe/hostkey @end example -Then the hostkeys should be copied: + + +@subsection STEP 3: distribute the config files to all nodes +Now distribute the config files and public keys to the other nodes. +@refill +The example uses rsync-over-ssh to copy the config file and all the public keys: @refill @example - rsync -avzessh /etc/gvpe/hostkeys/first first.example.net:/etc/hostkey - rsync -avzessh /etc/gvpe/hostkeys/second 133.55.82.9:/etc/hostkey - rsync -avzessh /etc/gvpe/hostkeys/third third.example.net:/etc/hostkey + rsync -avzessh /etc/gvpe first.example.net:/etc/. --exclude hostkey + rsync -avzessh /etc/gvpe 133.55.82.9:/etc/. --exclude hostkey + rsync -avzessh /etc/gvpe third.example.net:/etc/. --exclude hostkey @end example You should now check the configuration by issuing the command @t{gvpectrl -c /etc/gvpe -s} on each node and verify it's output. 
@@ -337,8 +342,35 @@ @subsection STEP 5: enjoy -... and play around. Sending a -HUP (@t{gvpectrl -kHUP}) to the daemon will make it try to connect to all other nodes again. If you run it from inittab, as is recommended, @t{gvpectrl -k} (or simply @t{killall gvpe}) will kill the daemon, start it again, making it read it's configuration files again. +... and play around. Sending a -HUP (@t{gvpectrl -kHUP}) to the daemon will make it try to connect to all other nodes again. If you run it from inittab @t{gvpectrl -k} (or simply @t{killall gvpe}) will kill the daemon, start it again, making it read it's configuration files again. @refill +To run the GVPE daemon permanently from your SysV init, you can add it to your @file{inittab}, e.g.: +@refill + + +@example + t1:2345:respawn:/bin/sh -c "exec nice -n-20 /path/to/gvpe -D node >/var/log/gvpe.log 2>&1" +@end example + +For systems using systemd, you can use a unit file similar to this one: +@refill + + +@example + [Unit] + Description=gvpe + After=network.target + Before=remote-fs.target + + [Service] + ExecStart=/path/to/gvpe -D node + KillMode=process + Restart=always + + [Install] + WantedBy=multi-user.target +@end example + @section COPYRIGHTS AND LICENSES 
@@ -1151,9 +1183,9 @@ private-key = relative-path-to-key @cindex private-key -Sets the path (relative to the config directory) to the private key (default: @t{hostkey}). This is a printf format string so every @t{%} must be doubled. A single @t{%s} is replaced by the hostname, so you could use paths like @t{hostkeys/%s} to fetch the files at the location where @t{gvpectrl} puts them. +Sets the path (relative to the config directory) to the private key (default: @t{hostkey}). This is a printf format string so every @t{%} must be doubled. A single @t{%s} is replaced by the hostname, so you could use paths like @t{hostkeys/%s} to be able to share the same config directory between nodes. @refill -Since only the private key file of the current node is used and the private key file should be kept secret per-node to avoid spoofing, it is not recommended to use this feature. +Since only the private key file of the current node is used and the private key file should be kept secret per-node to avoid spoofing, it is not recommended to use this feature this way though. @refill 
@@ -1536,9 +1568,30 @@ @item -@strong{-g}, @strong{--generate-keys} +@strong{-g}, @strong{--generate-key=path} + +Generates a single RSA key-pair. The public key will be stored in @file{@emph{path}} while the private key will be stored in @file{@emph{path} .privkey}. Neither file must be non-empty for this to succeed. +@refill +The public key file @file{@emph{path}} is normally copied to @file{pubkey/nodename} in the config directory on all nodes, while the private key @file{@emph{path}.privkey} should be copied to the file @file{hostkey} on the node the key is for. +@refill +It's recommended to generate the keypair on the node where it will be used, so that the private key file does not have to travel over the network. +@refill + + +@item +@strong{-G}, @strong{--generate-keys} + +Generate public/private RSA key-pairs for all nodes not having a key and exit. +@refill +Note that in normal configurations this will fail, as there cna only be one private key per host. To make this configuration work you need to specify separate keyfiles for hostkeys in your config file, e.g.: +@refill + + +@example + private-key = hostkeys/%s +@end example -Generate public/private RSA key-pair and exit. +Such a configuration makes it easier to distribute a configuration centrally but requires private keys to be transported securely over the network. @refill @@ -1744,7 +1797,14 @@ @item @t{/etc/gvpe/pubkey/*} -The directory containing the public keys for every node, usually autogenerated by executing @t{gvpectrl --generate-keys}. +The directory containing the public keys for every node, one file per node with the name of the node. +@refill + + +@item +@t{/etc/gvpe/hostkey} + +The file containing the private key of the node GVPE runs on. Unlike all the other files in the @file{/etc/gvpe} directory, this file usually differes for each node that GVPE runs on. @refill
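Review bot: in the @@ -144 hunk, the new EASY TO SETUP sentence still claims that generating an RSA key-pair on each node "suffices", but the rewritten STEP 2 and STEP 3 now also require copying every node's public key into the shared pubkey directory before the config is distributed. Say so here, e.g. "generating an RSA key-pair on each node and adding its public key to the shared config suffices", so the feature blurb matches the procedure it advertises.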
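Review bot: in the @@ -271 hunk, the private key is put in place with a bare `mv nodekey.privkey /etc/gvpe/hostkey` and nothing says what ownership or mode the file should end up with; since the whole point of the rewrite is that the private key never leaves the node, add the permission step next to the mv (root-owned, mode 0600) or state the mode that `gvpectrl -g` creates the file with. Two smaller points in the same hunk: the prose says the reader "will have to create the @file{pubkey} directory first", but the only mkdir shown is `mkdir -p /etc/gvpe` on the node, not a `mkdir -p /etc/gvpe/pubkey` on confighost before the `scp nodekey confighost:/etc/gvpe/pubkey/nodename` line; and that scp example hard-codes `nodename` while the surrounding prose writes @emph{nodename}, so mark it as a placeholder in the example as well. While here, the unchanged "verify it's output" in the trailing context should read "verify its output".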
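Review bot: in the @@ -337 hunk, dropping "as is recommended" also dropped the comma, leaving "If you run it from inittab @t{gvpectrl -k} ..."; restore it as "If you run it from inittab, @t{gvpectrl -k} ...". On the two examples: the inittab line redirects all daemon output to /var/log/gvpe.log, which grows without bound and is not rotated, whereas the systemd unit leaves output to the journal; a sentence on that difference would help readers pick. In the unit, `KillMode=process` means any child processes gvpe started survive `systemctl stop`; if that is intended, say why, otherwise drop the line and let the default control-group kill apply. Both examples keep `/path/to/gvpe` and `node` as placeholders, which is fine, but they should be marked with @emph like @emph{nodename} is elsewhere in this patch.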
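Review bot: in the @@ -1151 hunk, "it is not recommended to use this feature this way though" is awkward, and the sentence just before it now presents `hostkeys/%s` as a way "to be able to share the same config directory between nodes", which is exactly the usage the next sentence warns against. Reword to say that `hostkeys/%s` is only needed when keys are generated centrally with `--generate-keys`, and that it is otherwise discouraged because, if the hostkeys directory is shared along with the rest of the config, every node ends up holding every other node's private key and can impersonate it (the text currently only hints at this with "to avoid spoofing"). A cross-reference to the new @strong{-G} entry would tie the two together.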
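Review bot: in the @@ -1536 hunk, "Neither file must be non-empty for this to succeed" is a double negative that readers will parse twice; say "Both files must be absent or empty, otherwise the command fails" (or whatever the implementation actually checks, i.e. that it refuses to overwrite an existing key). Typos in the added lines: "cna" should be "can", and "@file{@emph{path} .privkey}" has a stray space before .privkey, compare "@file{@emph{path}.privkey}" two lines later. The -g entry should also state the file mode the private key is written with, since STEP 2 tells the user to move it with a plain mv and nothing else in the patch mentions permissions.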
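Review bot: in the @@ -1744 hunk, "differes" should be "differs". Since this entry introduces /etc/gvpe/hostkey as the one per-node secret, it is the natural place to state that it must be readable only by the user gvpe runs as (mode 0600, owned by root) and that it must be excluded when the config directory is synced to other nodes (which is why STEP 3 now passes `--exclude hostkey`); one sentence on each would save a reader from distributing it by accident. The pubkey entry lost its pointer to how the files are produced when "usually autogenerated by executing gvpectrl --generate-keys" was removed; add "generated with gvpectrl --generate-key on each node" so the FILES section still says where they come from.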