From 6a3174076337216a3c4f70de5329b1f0e44a359e Mon Sep 17 00:00:00 2001 From: Andrew Kesterson Date: Sun, 5 Aug 2012 22:04:23 -0400 Subject: [PATCH] more readme --- README.md | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 8729da5..dfa4c65 100644 --- a/README.md +++ b/README.md @@ -54,6 +54,12 @@ prevent well-meaning trusted sysadmins from doing really stupid things. It does to secure your systems from malicious code. That security layer is moved up, onto the maintainer, who must verify the sanity of all code they are sending to client machines. +How do you establish the trust relationship? +===== + +DISCO uses rsync(+ssh) with SSH keys, so the answer is, "we don't establish it" - SSH handles +that for us by the server allowing or denying the key. + How do you handle parameters (like puppet ENC, etc)? ===== 
@@ -206,4 +212,19 @@ MODULE/defs/parameters Each module can define default parameters which will be made available to all clients using the module. These parameters will be merged together on the client at module fetch time, and any node-specific parameters will override any default parameters specified here (they are rsync'ed over the top of each -other). These parameters will be rooted at /MODULE_NAME/... . \ No newline at end of file +other). These parameters will be rooted at /MODULE_NAME/... . + +Server Side Setup +===== + +The only server side setup required for DISCO is to setup an rsyncd and sshd server. This is outside +the purview of this README. + +We would recommend setting up the rsync server to allow your DISCO clients (which MUST run as root), +to come in on a non-priveleged, non-root account. You can still use rsync's module definitions with +non-root users by setting up ~/.rsyncd in that user's home directory, and adding +"--rsh 'ssh -l USER_NAME'" to your /disco/client/cmds/rsync parameter on the clients. This will +allow you to specify your rsync locations in your module definitions as USER@HOST::MODULE_NAME instead +of having to specify a filesystem path, will give you all the benefits of an SSH key trust relationship, +and no concern of incoming root access to the server. (Note that this also prevents the often mysterious +and troublesome SSL certificate issues associated with other CI systems.)
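Review bot: the answer added under "How do you establish the trust relationship?" only covers one direction, the server accepting or rejecting the client's SSH key, and that is the less important direction for DISCO. The clients run as root and apply whatever they rsync down, so the trust that matters is the client's trust in the server, which is decided by the client's SSH host-key check, not by the server allowing the key. Suggest saying that the server's host key must be pre-seeded in root's known_hosts on every client before the first fetch (never accepted interactively at first contact, never with host checking disabled), and that this, together with the maintainer review of pushed code described in the lines just above the hunk, is the trust relationship.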
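Review bot: in the "Server Side Setup" hunk the config path "~/.rsyncd" looks wrong: when rsync runs in daemon mode over a remote shell as a non-root user, the default config it reads is rsyncd.conf in the current directory (normally $HOME/rsyncd.conf), not a ~/.rsyncd file; please check against the rsync man page and fix. Three smaller points in the same hunk: with the recommended USER@HOST::MODULE over "--rsh 'ssh -l USER_NAME'" setup no listening rsync daemon exists at all (sshd spawns rsync per connection), so "setup an rsyncd and sshd server" in the first sentence should say only sshd is needed; since the SSH key is the only credential, recommend locking it down in the DISCO account's authorized_keys with a forced command limited to rsync's daemon-over-ssh invocation (rsync --server --daemon .) plus no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding, so a compromised root client cannot obtain a shell on the server; and "priveleged" should read "privileged", while "other CI systems" in the closing note presumably means configuration-management (CM) systems rather than CI.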