Commit Graph

11 Commits (0fccb1005e4ffd315eb4c45c71d2e6de76bba27a)

Author SHA1 Message Date
Dustin 0fccb1005e ci: Build container image
In addition to building an RPM package for regular Fedora machines, we
now build a container image containing a statically-linked `sshca-cli`
executable.
2024-01-17 21:24:58 -06:00
Dustin 2b87aca9f1 Add rustls feature
The `rustls` feature will enable building with [rustls] instead of
OpenSSL.  This will make it so the `sshca-cli` binary can be statically
linked, and thus distributable as a single file.

[rustls]: https://github.com/rustls/rustls
2024-01-17 21:24:21 -06:00
Dustin a754e47b0d ci: Request 1.5 CPUs for each container
The cloud aarch64 build machine does not have enough resources to build
multiple versions at once.  Requesting multiple CPUs ensures that only
one build pod is scheduled at a time.  Since the node has 2 CPUs and
240m CPUs are taken by Longhorn, if we request 1500m CPUs, builds will
run sequentially.
2023-12-29 12:36:34 -06:00
Dustin 7f51ae919f ci: build for Fedora 39
Fedora 39 is out, so we need builds of *sshca-cli* for it.
2023-12-29 12:36:34 -06:00
Dustin 041788e818 ci: Import ci pipeline from original repo
When this repository was split from the original *dustin/sshca*
repository, the CI pipeline was not imported.  It wouldn't have mattered
if it had been, since it wouldn't have worked, anyway, given the path
changes.
2023-11-13 20:32:03 -06:00
Dustin 8d146cdb62 meta: Add .editorconfig 2023-11-13 19:42:53 -06:00
Dustin 630aa4dcee cli: Bump to v0.1.1 2023-11-12 18:23:18 -06:00
Dustin d8126a6dcb cli: Trim trailing null from RPi serial
The `/sys/firmware/devicetree/base/serial-number` pseudo-file has a
trailing null byte, which causes `Uuid::parse_str` to fail.  This makes
it impossible to authenticate Raspberry Pi devices to the server.  The
trailing byte needs to be removed before attempting to parse the serial
number into a UUID to avoid this problem.
2023-11-12 10:44:48 -06:00
Dustin 5ab5c3e98d rpm: Add systemd service/target/timer units
The *ssh-host-cert-sign@.service* unit does what it says on the tin:
requests a signed host certificate from an SSHCA server.  It is a
template unit, whose instances correspond to SSH key types (RSA, ECDSA,
and Ed25519).  The *ssh-host-certs.target* unit depends on the three
instances of the template unit, so they can all be activated together.
This target is only activated on the first boot of the system, to
initially request the certificates.

The *ssh-host-certs-renew.timer* unit periodically renews the SSH host
certificates.  Its corresponding target unit depends on the three
instances of *ssh-host-cert-sign@.service*, so each certificate will be
renewed independently.
2023-11-06 18:34:20 -06:00
Dustin f6abf699e8 rpm: Add sshca-cli RPM spec
The *sshca-cli* RPM package can be used to install the SSHCA CLI client
on Fedora (and other RPM-based distributions).  The `.spec` file was
originally generated using [rust2rpm], but several manual modifications
were required.  Notably, the script does not generate `BuildRequires`
tags when run in "vendored" mode (i.e. third-party crate sources are
included in the source RPM package instead of packaged as separate
RPMs).
2023-11-06 18:11:19 -06:00
Dustin b203bbd87c cli: Begin CLI client
The CLI tool will be the primary method for interacting with the SSH CA
service.  For now, it supports a single operation: `sshca-cli host
sign`, which requests a certificate to be signed by the CA service.
2023-11-05 10:31:58 -06:00