From d7f66cb313caca63284a6f6f25d1e34aa0c39834 Mon Sep 17 00:00:00 2001 From: Brian Picciano Date: Tue, 24 Dec 2024 09:39:01 +0100 Subject: [PATCH] Spec out some new tasks, re-organize old ones --- tasks/README.md | 3 -- tasks/s3fs-fuse/global.md | 15 ++++++++++ tasks/secrets/propagation/README.md | 29 +++++++++++++++++++ tasks/secrets/propagation/polling.md | 8 +++++ tasks/secrets/propagation/putting.md | 8 +++++ tasks/soon/{code => misc}/daemon-cap-check.md | 0 .../{code => misc}/daemon-check-config.md | 0 .../{code => misc}/dnsmasq-startup-block.md | 0 .../garage-dont-restart-on-peer-change.md | 0 tasks/soon/{code => misc}/ipv6-support.md | 3 ++ .../minimize-joining-bootstrap-size.md | 0 .../soon/{code => misc}/nebula-cert-groups.md | 0 .../{code => misc}/nebula-config-reloading.md | 0 tasks/soon/misc/omitempty-bootstrap.md | 7 +++++ tasks/soon/{code => misc}/set-config-cas.md | 0 .../storage-allocation-modify.md | 0 16 files changed, 70 insertions(+), 3 deletions(-) create mode 100644 tasks/s3fs-fuse/global.md create mode 100644 tasks/secrets/propagation/README.md create mode 100644 tasks/secrets/propagation/polling.md create mode 100644 tasks/secrets/propagation/putting.md rename tasks/soon/{code => misc}/daemon-cap-check.md (100%) rename tasks/soon/{code => misc}/daemon-check-config.md (100%) rename tasks/soon/{code => misc}/dnsmasq-startup-block.md (100%) rename tasks/soon/{code => misc}/garage-dont-restart-on-peer-change.md (100%) rename tasks/soon/{code => misc}/ipv6-support.md (71%) rename tasks/soon/{code => misc}/minimize-joining-bootstrap-size.md (100%) rename tasks/soon/{code => misc}/nebula-cert-groups.md (100%) rename tasks/soon/{code => misc}/nebula-config-reloading.md (100%) create mode 100644 tasks/soon/misc/omitempty-bootstrap.md rename tasks/soon/{code => misc}/set-config-cas.md (100%) rename tasks/soon/{code => misc}/storage-allocation-modify.md (100%) diff --git a/tasks/README.md b/tasks/README.md index 864fc24..f2c05b9 100644 
--- a/tasks/README.md +++ b/tasks/README.md @@ -4,9 +4,6 @@ This directory contains [busiless][busiless] task files. Each file corresponds to a task which must be done, unless it is located in a `drafts` directory in which case it is still under consideration. -Tasks are organized according to when they are planned for, except for tasks in -the `soon` directory which are only planned in the loosest sense of the word. - ## Usage Creating new task files is as simple as creating a new markdown file with the diff --git a/tasks/s3fs-fuse/global.md b/tasks/s3fs-fuse/global.md new file mode 100644 index 0000000..3fd60d7 --- /dev/null +++ b/tasks/s3fs-fuse/global.md @@ -0,0 +1,15 @@ +--- +type: task +after: + - /secrets/propagation/* +--- + +We use the [s3fs-fuse](https://github.com/s3fs-fuse/s3fs-fuse) project to set up +an easily usable global network file system for all hosts in the network. + +The global network filesystem is based out of its own bucket in garage, separate +from all others. + +## To Figure Out + +Where does the filesystem get mounted? How does that get configured? diff --git a/tasks/secrets/propagation/README.md b/tasks/secrets/propagation/README.md new file mode 100644 index 0000000..80c0d9a --- /dev/null +++ b/tasks/secrets/propagation/README.md 
@@ -0,0 +1,29 @@ +# Secret Propagation + +Secrets are pieces of data which are not (necessarily) shared amongst all hosts +in a network. There are three clases of secrets: + +* Secrets which are particular to a single host, and will never leave that host. + These values are not managed using the secrets manager, but rather are kept in + the bootstrap. + +* Secrets which only a subset of hosts have. These secrets may be propagated to + other hosts, either automatically or by request of a user. + +* Secrets which all hosts have. These are not really "secrets" from the + network's perspective, but are convenient to manage as such. + +Secret propagation is related to the second two cases. Secrets to be propagated +are placed in a known sub-directory in the global bucket, destined either for a +single host or all hosts. When destined for a single host they are encrypted +using that host's public encryption key. + +The known sub-directory is `/secrets`. + +Secrets destined for all hosts are placed within that directory as-is, named for +the ID, in plaintext. These are never deleted, even though new hosts will be +given them as part of their initial bootstrap. + +Secrets destined for a particular host are placed under `/secrets/`, +named after the ID, encrypted using the destination host's public encryption +key. Once the destination host grabs a secret it will be deleted. diff --git a/tasks/secrets/propagation/polling.md b/tasks/secrets/propagation/polling.md new file mode 100644 index 0000000..fa85f91 --- /dev/null +++ b/tasks/secrets/propagation/polling.md @@ -0,0 +1,8 @@ +--- +type: tasks +--- + +Secrets which are placed in the global bucket according to the +[README.md](./README.md) should be periodically pulled down into each host. When +secrets are destined only for the host they should be deleted after they've been +pulled down. diff --git a/tasks/secrets/propagation/putting.md b/tasks/secrets/propagation/putting.md new file mode 100644 index 0000000..38a24e1 
--- /dev/null +++ b/tasks/secrets/propagation/putting.md @@ -0,0 +1,8 @@ +--- +type: tasks +after: + - ./polling.md +--- + +A mechanism should be created for secrets to be placed in the `/secrets` +sub-directory of the global bucket, as laid out by the [README.md](./README.md). diff --git a/tasks/soon/code/daemon-cap-check.md b/tasks/soon/misc/daemon-cap-check.md similarity index 100% rename from tasks/soon/code/daemon-cap-check.md rename to tasks/soon/misc/daemon-cap-check.md diff --git a/tasks/soon/code/daemon-check-config.md b/tasks/soon/misc/daemon-check-config.md similarity index 100% rename from tasks/soon/code/daemon-check-config.md rename to tasks/soon/misc/daemon-check-config.md diff --git a/tasks/soon/code/dnsmasq-startup-block.md b/tasks/soon/misc/dnsmasq-startup-block.md similarity index 100% rename from tasks/soon/code/dnsmasq-startup-block.md rename to tasks/soon/misc/dnsmasq-startup-block.md diff --git a/tasks/soon/code/garage-dont-restart-on-peer-change.md b/tasks/soon/misc/garage-dont-restart-on-peer-change.md similarity index 100% rename from tasks/soon/code/garage-dont-restart-on-peer-change.md rename to tasks/soon/misc/garage-dont-restart-on-peer-change.md diff --git a/tasks/soon/code/ipv6-support.md b/tasks/soon/misc/ipv6-support.md similarity index 71% rename from tasks/soon/code/ipv6-support.md rename to tasks/soon/misc/ipv6-support.md index 6a26a69..77a59a0 100644 --- a/tasks/soon/code/ipv6-support.md +++ b/tasks/soon/misc/ipv6-support.md @@ -4,6 +4,9 @@ type: task # IPv6 Support +NOTE: this is actually blocked on nebula, which does not yet support IPv6 +overlay ranges. But they are working on it. + It should be possible for nebula IP ranges to use designated private IPv6 ranges. Depending on how wide these ranges are it might even be possible for CreateNetwork to automatically assign an IP range, with some hope that there's 
diff --git a/tasks/soon/code/minimize-joining-bootstrap-size.md b/tasks/soon/misc/minimize-joining-bootstrap-size.md similarity index 100% rename from tasks/soon/code/minimize-joining-bootstrap-size.md rename to tasks/soon/misc/minimize-joining-bootstrap-size.md diff --git a/tasks/soon/code/nebula-cert-groups.md b/tasks/soon/misc/nebula-cert-groups.md similarity index 100% rename from tasks/soon/code/nebula-cert-groups.md rename to tasks/soon/misc/nebula-cert-groups.md diff --git a/tasks/soon/code/nebula-config-reloading.md b/tasks/soon/misc/nebula-config-reloading.md similarity index 100% rename from tasks/soon/code/nebula-config-reloading.md rename to tasks/soon/misc/nebula-config-reloading.md diff --git a/tasks/soon/misc/omitempty-bootstrap.md b/tasks/soon/misc/omitempty-bootstrap.md new file mode 100644 index 0000000..49700d4 --- /dev/null +++ b/tasks/soon/misc/omitempty-bootstrap.md @@ -0,0 +1,7 @@ +--- +type: task +--- + +When marshaling bootstrap data to yaml/json, it would be good to be a bit more +aggressive about `omitempty` tags. The bootstrap file is getting quite big +already, even with just 5 hosts in the network. diff --git a/tasks/soon/code/set-config-cas.md b/tasks/soon/misc/set-config-cas.md similarity index 100% rename from tasks/soon/code/set-config-cas.md rename to tasks/soon/misc/set-config-cas.md diff --git a/tasks/soon/code/storage-allocation-modify.md b/tasks/soon/misc/storage-allocation-modify.md similarity index 100% rename from tasks/soon/code/storage-allocation-modify.md rename to tasks/soon/misc/storage-allocation-modify.md
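Review bot: in the tasks/README.md hunk, the removed paragraph was the only text describing how tasks are organized, and the same patch moves `tasks/soon/code/*` to `tasks/soon/misc/` and adds `secrets/propagation` and `s3fs-fuse`, so the README is left with no description of the layout at all. Suggest replacing the removed sentence with one that describes the new layout rather than deleting it outright.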
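Review bot: in the tasks/s3fs-fuse/global.md hunk, the open question under "To Figure Out" should cover access control as well as the mount point: this patch also places `/secrets` inside the same global bucket, so if every host mounts the whole bucket read-write through s3fs-fuse, every host can read the plaintext all-hosts secrets, list and delete the encrypted per-host secrets of its peers, and overwrite anything in the tree. Suggest the task state whether the mount is read-only, whether `/secrets` is excluded from what gets mounted, and which bucket credentials each host mounts with.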
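Review bot: in the tasks/secrets/propagation/README.md hunk, the per-host location is given as `/secrets/`, which is the same directory as the all-hosts secrets, so the two cases cannot be distinguished as written; the host-specific path component (presumably a per-host sub-directory) appears to have been dropped and should be spelled out. Two further points on the same hunk: encrypting to the destination host's public encryption key gives confidentiality but not authenticity, so the design should say who may place secrets and how the receiving host verifies their origin, otherwise anyone with write access to the bucket can plant a "secret" for a host; and "These are never deleted, even though new hosts will be given them" reads as if "since" was intended, and should also say how an all-hosts secret is rotated or revoked once it is in plaintext in the bucket. Typo: "clases" should be "classes".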
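Review bot: in the tasks/secrets/propagation/polling.md hunk, the front matter says `type: tasks` while every other task file in the patch uses `type: task`; if the busiless tooling matches on that field this file will be silently skipped. Also, "deleted after they've been pulled down" should require that the delete happen only after the secret has been decrypted and durably stored locally: a host that deletes first and then fails to decrypt (wrong key, truncated object) loses the secret with no way to re-fetch it.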
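Review bot: in the tasks/secrets/propagation/putting.md hunk, `after: - ./polling.md` orders the put mechanism after polling, but polling cannot be exercised end to end until something can place a secret under `/secrets`; confirm the dependency direction is intended. The front matter here also says `type: tasks` where the other task files use `type: task`.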
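Review bot: in the tasks/soon/misc/ipv6-support.md hunk, the added NOTE says nebula "does not yet support IPv6 overlay ranges" and "they are working on it" without a reference; suggest linking the upstream nebula issue or pull request so the blocker can be checked later rather than rediscovered.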
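Review bot: in the tasks/soon/misc/omitempty-bootstrap.md hunk, the task should note that `omitempty` is only safe on fields whose zero value carries no meaning: a `false` bool or `0` int dropped on marshal comes back as the zero value on unmarshal, which is harmless today but becomes a silent semantic change the moment a default other than zero is introduced for that field. Suggest scoping the task to empty slices, maps and strings, and deliberately excluding any field that gates security-relevant behaviour in the bootstrap.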