From 0bec3a6e05145af5aab7bd6e1a20e1ef4eb870fb Mon Sep 17 00:00:00 2001 
From: Brian Picciano Date: Sun, 29 Dec 2024 20:59:15 +0100 Subject: [PATCH] More work on task planning and organization --- tasks/{soon => }/docs/clarify-firewalls.md | 0 tasks/{soon => }/docs/restic-example.md | 2 +- tasks/{soon => }/drafts/chest-management.md | 0 .../drafts/extended-sub-command-descriptions.md | 0 .../{soon => }/drafts/separate-bootstrap-hosts.md | 0 tasks/{soon => }/drafts/shared-dns.md | 0 tasks/{soon => }/misc/daemon-cap-check.md | 0 tasks/{soon => }/misc/daemon-check-config.md | 0 tasks/{soon => }/misc/dnsmasq-startup-block.md | 0 .../misc/garage-dont-restart-on-peer-change.md | 0 tasks/{soon => }/misc/ipv6-support.md | 0 .../misc/minimize-joining-bootstrap-size.md | 0 tasks/{soon => }/misc/nebula-cert-groups.md | 0 tasks/{soon => }/misc/nebula-config-reloading.md | 0 tasks/{soon => }/misc/omitempty-bootstrap.md | 0 tasks/{soon => }/misc/set-config-cas.md | 0 .../{soon => }/misc/storage-allocation-modify.md | 0 tasks/nats/add.md | 2 +- tasks/nats/garage-watcher.md | 6 +++--- tasks/nats/pubsub.md | 9 +++++++++ tasks/nats/rpc.md | 13 +++++++++++++ tasks/remove-host/by-admin.md | 15 +++++++++++++++ tasks/remove-host/by-host.md | 15 +++++++++++++++ tasks/remove-host/watch-hosts.md | 11 +++++++++++ tasks/secrets/propagation/polling.md | 4 +++- tasks/secrets/propagation/putting.md | 2 +- tasks/soon/drafts/certificate-revocation.md | 9 --------- 27 files changed, 72 insertions(+), 16 deletions(-) rename tasks/{soon => }/docs/clarify-firewalls.md (100%) rename tasks/{soon => }/docs/restic-example.md (75%) rename tasks/{soon => }/drafts/chest-management.md (100%) rename tasks/{soon => }/drafts/extended-sub-command-descriptions.md (100%) rename tasks/{soon => }/drafts/separate-bootstrap-hosts.md (100%) rename tasks/{soon => }/drafts/shared-dns.md (100%) rename tasks/{soon => }/misc/daemon-cap-check.md (100%) rename tasks/{soon => }/misc/daemon-check-config.md (100%) rename tasks/{soon => }/misc/dnsmasq-startup-block.md (100%) rename tasks/{soon => 
}/misc/garage-dont-restart-on-peer-change.md (100%) rename tasks/{soon => }/misc/ipv6-support.md (100%) rename tasks/{soon => }/misc/minimize-joining-bootstrap-size.md (100%) rename tasks/{soon => }/misc/nebula-cert-groups.md (100%) rename tasks/{soon => }/misc/nebula-config-reloading.md (100%) rename tasks/{soon => }/misc/omitempty-bootstrap.md (100%) rename tasks/{soon => }/misc/set-config-cas.md (100%) rename tasks/{soon => }/misc/storage-allocation-modify.md (100%) create mode 100644 tasks/nats/pubsub.md create mode 100644 tasks/nats/rpc.md create mode 100644 tasks/remove-host/by-admin.md create mode 100644 tasks/remove-host/by-host.md create mode 100644 tasks/remove-host/watch-hosts.md delete mode 100644 tasks/soon/drafts/certificate-revocation.md diff --git a/tasks/soon/docs/clarify-firewalls.md b/tasks/docs/clarify-firewalls.md similarity index 100% rename from tasks/soon/docs/clarify-firewalls.md rename to tasks/docs/clarify-firewalls.md diff --git a/tasks/soon/docs/restic-example.md b/tasks/docs/restic-example.md similarity index 75% rename from tasks/soon/docs/restic-example.md rename to tasks/docs/restic-example.md index 13497eb..4332ae9 100644 --- a/tasks/soon/docs/restic-example.md +++ b/tasks/docs/restic-example.md @@ -1,7 +1,7 @@ --- type: task after: - - /soon/drafts/chest-management.md + - /drafts/chest-management.md --- # Restic Example diff --git a/tasks/soon/drafts/chest-management.md b/tasks/drafts/chest-management.md similarity index 100% rename from tasks/soon/drafts/chest-management.md rename to tasks/drafts/chest-management.md diff --git a/tasks/soon/drafts/extended-sub-command-descriptions.md b/tasks/drafts/extended-sub-command-descriptions.md similarity index 100% rename from tasks/soon/drafts/extended-sub-command-descriptions.md rename to tasks/drafts/extended-sub-command-descriptions.md 
diff --git a/tasks/soon/drafts/separate-bootstrap-hosts.md b/tasks/drafts/separate-bootstrap-hosts.md
similarity index 100%
rename from tasks/soon/drafts/separate-bootstrap-hosts.md
rename to tasks/drafts/separate-bootstrap-hosts.md
diff --git a/tasks/soon/drafts/shared-dns.md b/tasks/drafts/shared-dns.md
similarity index 100%
rename from tasks/soon/drafts/shared-dns.md
rename to tasks/drafts/shared-dns.md
diff --git a/tasks/soon/misc/daemon-cap-check.md b/tasks/misc/daemon-cap-check.md
similarity index 100%
rename from tasks/soon/misc/daemon-cap-check.md
rename to tasks/misc/daemon-cap-check.md
diff --git a/tasks/soon/misc/daemon-check-config.md b/tasks/misc/daemon-check-config.md
similarity index 100%
rename from tasks/soon/misc/daemon-check-config.md
rename to tasks/misc/daemon-check-config.md
diff --git a/tasks/soon/misc/dnsmasq-startup-block.md b/tasks/misc/dnsmasq-startup-block.md
similarity index 100%
rename from tasks/soon/misc/dnsmasq-startup-block.md
rename to tasks/misc/dnsmasq-startup-block.md
diff --git a/tasks/soon/misc/garage-dont-restart-on-peer-change.md b/tasks/misc/garage-dont-restart-on-peer-change.md
similarity index 100%
rename from tasks/soon/misc/garage-dont-restart-on-peer-change.md
rename to tasks/misc/garage-dont-restart-on-peer-change.md
diff --git a/tasks/soon/misc/ipv6-support.md b/tasks/misc/ipv6-support.md
similarity index 100%
rename from tasks/soon/misc/ipv6-support.md
rename to tasks/misc/ipv6-support.md
diff --git a/tasks/soon/misc/minimize-joining-bootstrap-size.md b/tasks/misc/minimize-joining-bootstrap-size.md
similarity index 100%
rename from tasks/soon/misc/minimize-joining-bootstrap-size.md
rename to tasks/misc/minimize-joining-bootstrap-size.md
diff --git a/tasks/soon/misc/nebula-cert-groups.md b/tasks/misc/nebula-cert-groups.md
similarity index 100%
rename from tasks/soon/misc/nebula-cert-groups.md
rename to tasks/misc/nebula-cert-groups.md
diff --git a/tasks/soon/misc/nebula-config-reloading.md b/tasks/misc/nebula-config-reloading.md similarity index 100% rename from tasks/soon/misc/nebula-config-reloading.md rename to tasks/misc/nebula-config-reloading.md diff --git a/tasks/soon/misc/omitempty-bootstrap.md b/tasks/misc/omitempty-bootstrap.md similarity index 100% rename from tasks/soon/misc/omitempty-bootstrap.md rename to tasks/misc/omitempty-bootstrap.md diff --git a/tasks/soon/misc/set-config-cas.md b/tasks/misc/set-config-cas.md similarity index 100% rename from tasks/soon/misc/set-config-cas.md rename to tasks/misc/set-config-cas.md diff --git a/tasks/soon/misc/storage-allocation-modify.md b/tasks/misc/storage-allocation-modify.md similarity index 100% rename from tasks/soon/misc/storage-allocation-modify.md rename to tasks/misc/storage-allocation-modify.md diff --git a/tasks/nats/add.md b/tasks/nats/add.md index 6ecb44a..84346ca 100644 --- a/tasks/nats/add.md +++ b/tasks/nats/add.md @@ -1,5 +1,5 @@ --- -type: tasks +type: task --- Introduce [NATS][nats] as a new service run by Isle. All hosts should join the diff --git a/tasks/nats/garage-watcher.md b/tasks/nats/garage-watcher.md index a928f3a..c37769e 100644 --- a/tasks/nats/garage-watcher.md +++ b/tasks/nats/garage-watcher.md @@ -1,11 +1,11 @@ --- -type: tasks +type: task after: - - ./add.md + - ./pubsub.md --- A simple mechanism should be developed which "watches" a garage directory or -file for changes. This mechanism has too sides. +file for changes. This mechanism has two sides. ## Producer diff --git a/tasks/nats/pubsub.md b/tasks/nats/pubsub.md new file mode 100644 index 0000000..5fb8944 --- /dev/null +++ b/tasks/nats/pubsub.md @@ -0,0 +1,9 @@ +--- +type: task +after: + - ./add.md +--- + +Every host should be able to listen to and publish to pubsub channels on NATS. +All messages should be signed by their sending host, and all receiving hosts +should verify these signatures. 
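Review bot: pubsub.md requires every message to be signed and verified but does not say where a receiver obtains the sender's verification key, nor what it does with a validly signed message from a host that has since been marked as removed from the network. The task should state that keys are taken from the host entries in the common bucket and that messages from hosts no longer present are rejected, e.g. `Receivers verify against the sender's key from the common bucket and drop messages from hosts marked as removed.` A signature alone also leaves replay open, so a timestamp or sequence number should be part of the signed payload and checked by receivers. How the existing host entries expose a signing key is not visible in this hunk, so that part is inferred.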
diff --git a/tasks/nats/rpc.md b/tasks/nats/rpc.md
new file mode 100644
index 0000000..ea7033d
--- /dev/null
+++ b/tasks/nats/rpc.md
@@ -0,0 +1,13 @@
+---
+type: task
+after:
+ - ./add.md
+---
+
+A general RPC mechanism should be developed which allows one group of hosts to
+handle RPC calls made by other hosts. Each RPC request should be signed by the
+host which is making it, and the response should be signed and encrypted by the
+responder.
+
+The JSONRPC2 framework already developed for communication between CLI and
+daemon can be re-used here.
diff --git a/tasks/remove-host/by-admin.md b/tasks/remove-host/by-admin.md
new file mode 100644
index 0000000..e526ea9
--- /dev/null
+++ b/tasks/remove-host/by-admin.md
@@ -0,0 +1,15 @@
+---
+type: task
+after:
+ - ./watch-hosts.md
+---
+
+When a host is removed by a network admin, the admin's daemon should modify that
+host's file in the common bucket, changing the HostAssigned section to indicate
+that the host is no longer present in the network.
+
+All other hosts in the network, when a host is updated with an indication that
+it's no longer present in the network, should add that host's certificate
+fingerprint to the `pki.blocklist` of their local nebula instance.
+
+The `pki.disconnect_invalid` boolean should always be true in the nebula config.
diff --git a/tasks/remove-host/by-host.md b/tasks/remove-host/by-host.md
new file mode 100644
index 0000000..44a449f
--- /dev/null
+++ b/tasks/remove-host/by-host.md
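Review bot: rpc.md has responses signed and encrypted but requests only signed, so any host able to subscribe on NATS can read request payloads, which matters if requests carry secrets or the parameters being acted on; the task should say whether requests must also be encrypted to the handling group, e.g. `Each RPC request should be signed by the calling host and, where it carries sensitive parameters, encrypted to the handling group.` A signature by itself also does not stop a captured request from being replayed to the handlers, so the task should spell out a freshness element (nonce or timestamp bound into the signed payload) that handlers check. Whether the reused JSONRPC2 framework already binds such a field is not visible here and would need confirming against that code.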
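Review bot: In by-admin.md the removal signal lives in the removed host's own file in the common bucket, and the sibling by-host.md task has the host's daemon writing that same file, so a host that still holds its bucket write credentials after removal can presumably rewrite its entry; the task does not say whether other hosts would then drop the blocklist entry, and it should state that they must not, e.g. `A fingerprint added to pki.blocklist is never removed on the basis of a later update to that host's file, and the removed host's bucket credentials are revoked together with its certificate.` The blocklist update also only reaches hosts that are online when the change is published, so the task should require the blocklist to be re-derived from the common bucket on daemon start rather than relying solely on live notifications. Whether bucket writes are authenticated per host is not visible in this hunk, so the first point is inferred from the two task files.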
@@ -0,0 +1,15 @@ +--- +type: task +after: + - ./watch-hosts.md +--- + +When is removed by the host itself, the host's daemon should modify its file in +the common bucket, changing the HostConfigured section to indicate that the host +is no longer present in the network. + +All other hosts in the network, when a host is updated with an indication that +it's no longer present in the network, should add that host's certificate +fingerprint to the `pki.blocklist` of their local nebula instance. + +The `pki.disconnect_invalid` boolean should always be true in the nebula config. diff --git a/tasks/remove-host/watch-hosts.md b/tasks/remove-host/watch-hosts.md new file mode 100644 index 0000000..e4fa84c --- /dev/null +++ b/tasks/remove-host/watch-hosts.md @@ -0,0 +1,11 @@ +--- +type: task +after: + - /nats/garage-watcher.md +--- + +Hosts should use the garage watcher both when updating and pulling updates to +host information in the common bucket. + +If a host's data is not actually changing then it should not notify the garage +watchers. diff --git a/tasks/secrets/propagation/polling.md b/tasks/secrets/propagation/polling.md index fa85f91..500114f 100644 --- a/tasks/secrets/propagation/polling.md +++ b/tasks/secrets/propagation/polling.md @@ -1,5 +1,7 @@ --- -type: tasks +type: task +after: + - /nats/garage-watcher.md --- Secrets which are placed in the global bucket according to the diff --git a/tasks/secrets/propagation/putting.md b/tasks/secrets/propagation/putting.md index 38a24e1..b1b1a3e 100644 --- a/tasks/secrets/propagation/putting.md +++ b/tasks/secrets/propagation/putting.md @@ -1,5 +1,5 @@ --- -type: tasks +type: task after: - ./polling.md --- diff --git a/tasks/soon/drafts/certificate-revocation.md b/tasks/soon/drafts/certificate-revocation.md deleted file mode 100644 index d9a5922..0000000 --- a/tasks/soon/drafts/certificate-revocation.md +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -type: task ---- - -# Certificate Revocation Propagation - -When a host is removed from the network the admin host which removed it should -publish a revocation certificate for its old certificate, so that other hosts -know to no longer trust it.