Tech:Private Git: Difference between revisions
Jump to navigation
Jump to search
Content added Content deleted
(create first go at) |
imported>Addshore (fix link) |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
Orain's private git repo is stored on [[prod7]] and is read-only by the user 'git' and commit only to the user 'root'. |
Orain's private git repo is stored on [[Tech:prod7]] and is read-only by the user 'git' and commit only to the user 'root'. |
||
; User 'git' |
; User 'git' |
||
| Line 7: | Line 7: | ||
; Files stored |
; Files stored |
||
Only ops can commit to the repo via the root user. |
|||
The keypairs for the user 'git' are stored in the repo along with Orain's SSL cert and private key. The ansible variable file is also stored in the repo. Any files that should not be public but need to be available for either general or ansible operations can be stored. Only ops can commit to the repo via the root user. |
|||
== Private == |
|||
The repo stores private data that if compromised, should be reset immediately in order to ensure the security of the servers and services we operate. Below is a complete list of services and variables which are stored in the repo and how to reset them if necessary. |
|||
; SSL |
|||
The clusters SSL cert and SSL private key are both stored in a directory of the repo. If the cert is exposed, there are no concerns assuming the key is still secure. If the private key is exposed, email sysadmin{{@}}orain.org immediately to notify an ops member with SSL access (currently John, but Dusti also has access) to reissue/revoke the cert as appropriate. |
|||
; MariaDB |
|||
A few MariaDB passwords are managed in the repo. The root password, the mediawiki password and the debian installation password. If any are exposed, resetting these should be easy by just modifying the repo and forcing an ansible run (although, upon discovering - changing the passwords immediately is preferred and disabling ansible to prevent re-enabling the old passwords). |
|||
; MediaWiki |
|||
The wgSecretKey and wgUpgradeKey variables are stored in the repo. If either variables are exposed, simply modify them to another random character string. An email to sysadmin{{@}}orain.org should also be made as wgSecretKey is used in various operations within MediaWiki such as password hashing, OAuth secrets and the reinstall screen for MW (should not be an issue though). |
|||
; Redis |
|||
The Redis 'AUTH' password is stored in the repo. If this is exposed, reset the variable to another randomly generated string and force an ansible run. As the installation is restricted to Orain's servers only, exposing this should not have any real user impact. |
|||
; HHVM |
|||
The HHVM administrator server's password is stored in the repo. If this is exposed, reset the variable to something else and email sysadmin{{@}}orain.org. This is because the password allows a user to stop a HHVM instance on a server as well as access some details regarding the operation of HHVM on the server. |
|||
Latest revision as of 20:22, 3 April 2015
Orain's private git repo is stored on Tech:prod7 and is read-only by the user 'git' and commit only to the user 'root'.
- User 'git'
The git user is used to automatically update /root/private on all Orain servers and the account is authenticated via ssh by a private key stored in the private git repo (along with the public key as well). Ansible uses one of the keypairs from the private repo to authenticate to prod7 in order to download the latest code.
- Files stored
Only ops can commit to the repo via the root user.