[certmaster] Documentation and cleanup for minion-to-minion
authorJohn Eckersberg <jeckersb@redhat.com>
Wed, 18 Mar 2009 17:30:31 +0000 (13:30 -0400)
committerJohn Eckersberg <jeckersb@redhat.com>
Wed, 18 Mar 2009 17:44:30 +0000 (13:44 -0400)
* Add man page for certmaster-sync
* Symlink certmaster-sync into triggers for post-sign and post-clean
  (doesn't execute by default)
* Add sync_certs setting to default certmaster.conf
* Create the empty /var/lib/certmaster/peers directory

Makefile
certmaster.spec
docs/certmaster-sync.pod [new file with mode: 0644]
etc/certmaster.conf
setup.py

index 01b915d..91456f2 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -17,6 +17,7 @@ manpage:
        pod2man --center="certmaster-request" --release="" ./docs/certmaster-request.pod | gzip -c > ./docs/certmaster-request.1.gz
        pod2man --center="certmaster" --release="" ./docs/certmaster.pod | gzip -c > ./docs/certmaster.1.gz
        pod2man --center="certmaster-ca" --release="" ./docs/certmaster-ca.pod | gzip -c > ./docs/certmaster-ca.1.gz
+       pod2man --center="certmaster-sync" --release="" ./docs/certmaster-sync.pod | gzip -c > ./docs/certmaster-sync.1.gz
 
 messages: certmaster/*.py
        touch $(MESSAGESPOT)
index f7fa30c..e50be18 100644 (file)
@@ -62,6 +62,8 @@ certmaster is a easy mechanism for distributing SSL certificates
 %install
 test "x$RPM_BUILD_ROOT" != "x" && rm -rf $RPM_BUILD_ROOT
 %{__python} setup.py install --prefix=/usr --root=$RPM_BUILD_ROOT
+ln -s %{_bindir}/certmaster-sync $RPM_BUILD_ROOT/var/lib/certmaster/triggers/sign/post/certmaster-sync
+ln -s %{_bindir}/certmaster-sync $RPM_BUILD_ROOT/var/lib/certmaster/triggers/remove/post/certmaster-sync
 
 %clean
 rm -fr $RPM_BUILD_ROOT
@@ -96,6 +98,8 @@ rm -fr $RPM_BUILD_ROOT
 %dir /var/lib/certmaster/triggers/remove/
 %dir /var/lib/certmaster/triggers/remove/pre
 %dir /var/lib/certmaster/triggers/remove/post
+/var/lib/certmaster/triggers/sign/post/certmaster-sync
+/var/lib/certmaster/triggers/remove/post/certmaster-sync
 %doc AUTHORS README LICENSE
 %{_mandir}/man1/*.1.gz
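Review bot: The `%files` hunk packages the two trigger symlinks but adds no `%dir /var/lib/certmaster/peers` entry, even though the setup.py hunk in this same commit creates that directory through data_files; unless it is listed in a part of the spec outside this view, rpm will not own it and `rpmbuild` may flag it as unpackaged, so add `%dir /var/lib/certmaster/peers` alongside the other `%dir` lines. Because peers/ is where certificates copied from other hosts will be written, package ownership also fixes its mode explicitly instead of leaving it to the build-time umask. The `ln -s` targets in the `%install` hunk assume `certmaster-sync` ends up in `%{_bindir}`; the script list that would install it is not in the visible hunks, so it is worth confirming the links are not dangling after install. The commit message and the new man page call the second hook "post-clean" while the path installed here is `triggers/remove/post`; aligning the wording with the directory name would avoid confusion for anyone auditing which hooks run.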
 
diff --git a/docs/certmaster-sync.pod b/docs/certmaster-sync.pod
new file mode 100644 (file)
index 0000000..1519387
--- /dev/null
@@ -0,0 +1,44 @@
+=head1 NAME
+
+certmaster-sync -- syncronize client certificates with Func.
+
+=head1 SYNOPSIS
+
+certmaster-sync [-f|--force]
+
+=head1 DESCRIPTION
+
+certmaster-sync syncronizes client certificates amongst certmaster clients via Func.  It is assumed that the hosts who have requested certificates are reachable via Func for syncronization operations.
+
+certmaster-sync by default is called as a post-sign and post-clean trigger.  In order to enable syncronization you must set B<sync_certs> to B<True>, see B<CONFIGURATION VALUES> below.
+
+The syncronization occurs by querying remote Func methods in B<certmastermod> on the minion hosts.  This will gather information, copy any new certificates, and remove any certificates that have been cleaned.
+
+=head1 OPTIONS
+
+=over
+
+=item -f, --force
+
+Override the configuration value for B<sync_certs> in F</etc/certmaster/certmaster.conf>
+
+=back
+
+=head1 CONFIGURATION VALUES
+
+=over
+
+=item sync_certs
+
+B<sync_certs> determines whether or not the script will actually syncronize or if it will exit with no operation.  You can use -f|--force to override this configuration value.  (Default: False)
+
+=back
+
+=head1 ADDITONAL RESOURCES
+
+See https://fedorahosted.org/certmaster.  It's a Wiki.
+See also https://fedorahosted.org/func
+
+=head1 AUTHOR
+
+John Eckersberg <jeckersb@redhat.com>
index 7664376..cfdca9d 100644 (file)
@@ -9,4 +9,4 @@ cert_dir = /etc/pki/certmaster
 certroot = /var/lib/certmaster/certmaster/certs
 csrroot = /var/lib/certmaster/certmaster/csrs
 cert_extension = cert
-
+sync_certs = False
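Review bot: `sync_certs = False` is added with no explanation in the file, so an administrator reading certmaster.conf has no hint that flipping it makes the post-sign and post-remove triggers push certificates to other hosts via Func. If the config parser used by certmaster accepts `#` comment lines (not visible here), a one-line comment above the setting such as `# sync_certs: when True, certmaster-sync distributes signed certs to peer minions via func (see certmaster-sync(1))` would make that effect visible where the value is set. Shipping the default as False is the right choice for a setting that triggers outbound actions.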
index 8cf70eb..2a1fcdf 100644 (file)
--- a/setup.py
+++ b/setup.py
@@ -44,12 +44,14 @@ if __name__ == "__main__":
                               (manpath,  ["docs/certmaster.1.gz"]),
                               (manpath,  ["docs/certmaster-request.1.gz"]),
                               (manpath,  ["docs/certmaster-ca.1.gz"]),
+                              (manpath,  ["docs/certmaster-sync.1.gz"]),
                              (rotpath,  ['etc/certmaster_rotate']),
                               (logpath,  []),
                              (certdir,  []),
                              (etcpath,  []),
                              (pkipath,  []),
                              (aclpath,  []),
+                              ("%s/peers"         % certdir,  []),
                              ("%s/sign/pre/"     % trigpath, []),
                               ("%s/sign/post/"    % trigpath, []),
                               ("%s/remove/pre/"   % trigpath, []),