recaptime.dev / phorge
@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge
phorge phabricator
fork atom
phorge / src / docs / user / cluster / cluster_devices.diviner
at recaptime-dev/main 247 lines 9.0 kB view raw
Matthew Bowker Update Diviner documentation to reference Phorge instead of Phabricator.
1ddb953b
1@title Cluster: Devices 2@group cluster 3 4Guide to configuring hosts to act as cluster devices. 5 6Cluster Context 7=============== 8 9This document describes a step in configuring Phorge to run on 10multiple hosts in a cluster configuration. This is an advanced feature. For 11more information on clustering, see @{article:Clustering Introduction}. 12 13In this context, device configuration is mostly relevant to configuring 14repository services in a cluster. You can find more details about this in 15@{article:Cluster: Repositories}. 16 17 18Overview 19======== 20 21Some cluster services need to be able to authenticate themselves and interact 22with other services. For example, two repository hosts holding copies of the 23same repository must be able to fetch changes from one another, even if the 24repository is private. 25 26Within a cluster, devices authenticate using SSH keys. Some operations happen 27over SSH (using keys in a normal way, as you would when running `ssh` from the 28command line), while others happen over HTTP (using SSH keys to sign requests). 29 30Before hosts can authenticate to one another, you need to configure the 31credentials so other devices know the keys can be trusted. Beyond establishing 32trust, this configuration will establish //device identity//, so each host 33knows which device it is explicitly. 34 35Today, this is primarily necessary when configuring repository clusters. 36 37 38Using Almanac 39============= 40 41The tool Phorge uses to manage cluster devices is the **Almanac** 42application, and most configuration will occur through the application's web 43UI. If you are not familiar with it, see @{article:Almanac User Guide} first. 44This document assumes you are familiar with Almanac concepts. 45 46 47What Lies Ahead 48=============== 49 50Here's a brief overview of the steps required to register cluster devices. The 51remainder of this document walks through these points in more detail. 52 53 - Create an Almanac device record for each device. 54 - Generate, add, and trust SSH keys if necessary. 55 - Install Phorge on the host. 56 - Use `bin/almanac register` from the host to register it as a device. 57 58See below for guidance on each of these steps. 59 60 61Individual vs Shared Keys 62========================= 63 64Before getting started, you should choose how you plan to manage device SSH 65keys. Trust and device identity are handled separately, and there are two ways 66to set up SSH keys so that devices can authenticate with one another: 67 68 - you can generate a unique SSH key for each device; or 69 - you can generate one SSH key and share it across multiple devices. 70 71Using **unique keys** allows the tools to do some more sanity/safety checks and 72makes it a bit more difficult to misconfigure things, but you'll have to do 73more work managing the actual keys. This may be a better choice if you are 74setting up a small cluster (2-3 devices) for the first time. 75 76Using **shared keys** makes key management easier but safety checks won't be 77able to catch a few kinds of mistakes. This may be a better choice if you are 78setting up a larger cluster, plan to expand the cluster later, or have 79experience with Phorge clustering. 80 81Because all cluster keys are all-powerful, there is no material difference 82between these methods from a security or trust viewpoint. Unique keys are just 83potentially easier to administrate at small scales, while shared keys are 84easier at larger scales. 85 86 87Create Almanac Device Records 88============================= 89 90For each host you plan to make part of a Phorge cluster, go to the 91{nav Almanac} application and create a **device** record. For guidance on this 92application, see @{article:Almanac User Guide}. 93 94Add **interfaces** to each device record so Phorge can tell how to 95connect to these hosts. Normally, you'll add one HTTP interface (usually on 96port 80) and one SSH interface (by default, on port 2222) to each device: 97 98For example, if you are building a two-host repository cluster, you may end 99up with records that look like these: 100 101 - Device: `repo001.mycompany.net` 102 - Interface: `123.0.0.1:2222` 103 - Interface: `123.0.0.1:80` 104 - Device: `repo002.mycompany.net` 105 - Interface: `123.0.0.2:2222` 106 - Interface: `123.0.0.2:80` 107 108Note that these hosts will normally run two `sshd` ports: the standard `sshd` 109which you connect to to operate and administrate the host, and the special 110Phorge `sshd` that you connect to to clone and push repositories. 111 112You should specify the Phorge `sshd` port, **not** the standard `sshd` 113port. 114 115If you're using **unique** SSH keys for each device, continue to the next step. 116 117If you're using **shared** SSH keys, create a third device with no interfaces, 118like `keywarden.mycompany.net`. This device will just be used as a container to 119hold the trusted SSH key and is not a real device. 120 121NOTE: Do **not** create a **service** record yet. Today, service records become 122active immediately once they are created, and you haven't set things up yet. 123 124 125Generate and Trust SSH Keys 126=========================== 127 128Next, you need to generate or upload SSH keys and mark them as trusted. Marking 129a key as trusted gives it tremendous power. 130 131If you're using **unique** SSH keys, upload or generate a key for each 132individual device from the device detail screen in the Almanac web UI. Save the 133private keys for the next step. 134 135If you're using a **shared** SSH key, upload or generate a single key for 136the keywarden device from the device detail screen in the Almanac web UI. 137Save the private key for the next step. 138 139Regardless of how many keys you generated, take the key IDs from the tables 140in the web UI and run this command from the command line for each key, to mark 141each key as trusted: 142 143``` 144phorge/ $ ./bin/almanac trust-key --id <key-id-1> 145phorge/ $ ./bin/almanac trust-key --id <key-id-2> 146... 147``` 148 149The warnings this command emits are serious. The private keys are now trusted, 150and allow any user or device possessing them to sign requests that bypass 151policy checks without requiring additional credentials. Guard them carefully! 152 153If you need to revoke trust for a key later, use `untrust-key`: 154 155``` 156phorge/ $ ./bin/almanac untrust-key --id <key-id> 157``` 158 159Once the keys are trusted, continue to the next step. 160 161 162Install Phorge 163=================== 164 165If you haven't already, install Phorge on each device you plan to enroll 166in the cluster. Cluster repository devices must provide services over both HTTP 167and SSH, so you need to install and configure both a webserver and a 168Phorge `sshd` on these hosts. 169 170Generally, you will follow whatever process you otherwise use when installing 171Phorge. 172 173NOTE: Do not start the daemons on the new devices yet. They won't work properly 174until you've finished configuring things. 175 176Once Phorge is installed, you can enroll the devices in the cluster by 177registering them. 178 179 180Register Devices 181================ 182 183To register a host as an Almanac device, use `bin/almanac register`. 184 185If you are using **unique** keys, run it like this: 186 187``` 188$ ./bin/almanac register \ 189 --device <device> \ 190 --private-key <key> 191``` 192 193For example, you might run this command on `repo001` when using unique keys: 194 195``` 196$ ./bin/almanac register \ 197 --device repo001.mycompany.net \ 198 --private-key /path/to/private.key 199``` 200 201If you are using a **shared** key, this will be a little more complicated 202because you need to override some checks that are intended to prevent mistakes. 203Use the `--identify-as` flag to choose a device identity: 204 205``` 206$ ./bin/almanac register \ 207 --device <keywarden-device> \ 208 --private-key <key> \ 209 --identify-as <actual-device> 210``` 211 212For example, you might run this command on `repo001` when using a shared key: 213 214``` 215$ ./bin/almanac register \ 216 --device keywarden.mycompany.net \ 217 --private-key /path/to/private-key \ 218 --identify-as repo001.mycompany.net 219``` 220 221In particular, note that `--device` is always the **trusted** device associated 222with the trusted key. The `--identify-as` flag allows several different hosts 223to share the same key but still identify as different devices. 224 225The overall effect of the `bin/almanac` command is to copy identity and key 226files into `phorge/conf/keys/`. You can inspect the results by examining 227that directory. The helper script just catches potential mistakes and makes 228sure the process is completed correctly. 229 230Note that a copy of the active private key is stored in the `conf/keys/` 231directory permanently. 232 233When converting a host into a cluster host, you may need to revisit 234@{article:Diffusion User Guide: Repository Hosting} and double check the `sudo` 235permission for the host. In particular, cluster hosts need to be able to run 236`ssh` via `sudo` so they can read the device private key. 237 238 239Next Steps 240========== 241 242Now that devices are registered, you can build cluster services from them. 243Return to the relevant cluster service documentation to continue: 244 245 - build repository clusters with @{article:Cluster: Repositories}; 246 - return to @{article:Clustering Introduction}; or 247 - review the Almanac application with @{article:Almanac User Guide}.