Configure kredits-github #37

Merged
greg merged 12 commits from feature/35-kredits_github into master 2019-04-25 14:03:15 +00:00
Owner

This is running on barnard.kosmos.org, but for some reason that I can't figure out nginx just refuses connections to the site. All configs and services look good to me, and nothing is throwing errors.

closes #35

raucao changed title from Configure kosmos-github to Configure kredits-github 2019-04-19 17:49:17 +00:00
Author
Owner

Sorry, the commit has the wrong app name.

Author
Owner

I fixed the issue. All working now.

Owner

As the environment contains secrets I'm switching the systemd unit to use [EnvironmentFile](https://coreos.com/os/docs/latest/using-environment-variables-in-systemd-units.html#environmentfile-directive) instead.

LGTM apart from that and the references to sockethub that I fixed.

greg changed title from Configure kredits-github to WIP: Configure kredits-github 2019-04-23 08:40:43 +00:00
Author
Owner

> As the environment contains secrets I'm switching the systemd unit to use EnvironmentFile instead.

I cannot see how that makes it more secure from the document you linked. Care to explain?

(I assume this comes from me pasting a sentence from and link to the official systemd docs, where it says you shouldn't put secrets in systemd environment vars?)

Also, wouldn't we need to do that for *all* our cookbooks/systemd units then? (Meaning there's an issue missing about it.)

Owner

I checked, and it turns out I misunderstood `EnvironmentFile`. I thought that using it would keep the environment variables out of `/proc/$ID/environ`, but that can only be read by root, not regular users. So we can use `Environment` directives, as long as the systemd unit file is not world readable (so the unit file itself should be something like 640).

I think every systemd unit file that contains secrets shouldn't be world readable; we can create an issue about it.

I have also found this regarding `EnvironmentFile`; Poettering said it was a mistake: https://unix.stackexchange.com/a/419061

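A defender-side check for the rule the thread settles on (a unit file that carries secrets in `Environment=` must not be world readable), added here as an example and not part of the kosmos/chef cookbooks; the function name, the directory argument and the sample units are assumptions:

```shell
#!/bin/sh
# Added example (not from kosmos/chef): list systemd unit files in a directory
# that set Environment= but are readable by "other" users, i.e. not 640-style.
# Returns 1 when at least one offending unit is found, 0 otherwise.
check_unit_env_perms() {
  dir="$1"
  rc=0
  for unit in "$dir"/*.service; do
    [ -f "$unit" ] || continue
    # Only units that set Environment= (where a token could live) matter here.
    grep -q '^Environment=' "$unit" || continue
    # Octal mode as a string: GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$unit" 2>/dev/null || stat -f '%Lp' "$unit")
    # Last octal digit is the "other" class; bit 4 is read permission.
    other=${mode#"${mode%?}"}
    if [ $(( other & 4 )) -ne 0 ]; then
      echo "WORLD-READABLE: $unit (mode $mode)"
      rc=1
    fi
  done
  return $rc
}

# Stand-alone use: pass a unit directory, e.g. /etc/systemd/system.
if [ $# -gt 0 ]; then
  check_unit_env_perms "$1"
fi
```

The file mode is only half the story: `systemctl show -p Environment <unit>` returns `Environment=` values to unprivileged users over D-Bus regardless of the unit file's permissions, which is the point the systemd docs raise and the reason a separate issue for environment variables in units makes sense.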
Owner

I reverted my EnvironmentFile change and fixed the permission in 2cf6112

Author
Owner

OK, but that still doesn't explain why this one cookbook would be the only one where we have to solve the problem. I merely did what we do in literally all of our site cookbooks.

Also, that still leaves the question about env vars in systemd units being insecure for other reasons than reading the file itself, as outlined by the systemd docs I linked.

Owner

Can you link that page again? I can't find it.

Edit: I created #38 for the Systemd environment variables

raucao changed title from WIP: Configure kredits-github to Configure kredits-github 2019-04-24 16:55:25 +00:00
greg closed this pull request 2019-04-25 14:03:15 +00:00
greg deleted branch feature/35-kredits_github 2019-04-25 14:03:21 +00:00
Reference: kosmos/chef#37