docs: add guide for externally controlled hardware #593
Merged
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,112 @@ | ||
| # External Host Requirements for PSF Salt Management | ||
|
|
||
| This document outlines the requirements and processes for external hosts that will be managed by the | ||
| Python Software Foundation's Salt infrastructure. | ||
|
|
||
| ## Overview | ||
|
|
||
| When providing hardware for PSF services, your serve will be managed through our Salt configuration management system. | ||
|
||
| This document details the network, security, and access requirements for integration with our infrastructure. | ||
|
|
||
| ## Network Requirements | ||
|
|
||
| ### Required Ports | ||
|
|
||
| Your server MUST allow **outbound** connections to the following ports on our Salt master: | ||
|
|
||
| | Port | Protocol | Purpose | Salt Master | | ||
| |----------|----------|------------------------------|--------------------| | ||
| | **4505** | TCP | Salt Publisher (ZeroMQ) | salt-master.psf.io | | ||
| | **4506** | TCP | Salt Request Server (ZeroMQ) | salt-master.psf.io | | ||
|
|
||
| ### Inbound Access Requirements | ||
|
|
||
| Your server MUST allow **inbound** connections on: | ||
|
|
||
| | Port | Protocol | Purpose | Access | | ||
| |--------|----------|----------------|---------------| | ||
| | **22** | TCP | SSH Management | PSF Sysadmins | | ||
|
|
||
| ### DNS Requirements | ||
|
|
||
| - Preferrably, the Server will be accessible via a stable DNS name | ||
| - PSF Salt master is accessible at `salt-master.psf.io` | ||
| - Static IP address preferred (IP changes require coordination) | ||
|
|
||
| ## Security Configuration | ||
|
|
||
| ### SSH Access | ||
|
|
||
| **Initial Setup:** | ||
| - Root SSH access required for initial bootstrap | ||
| - SSH key-based authentication only (no password authentication) | ||
| - Source keys from GitHub profiles ([@JacobCoffee](https://github.com/JacobCoffee.keys), [@ewdurbin](https://github.com/ewdurbin.keys)) | ||
|
|
||
| > **Note**: Root login will be disabled after user accounts are created | ||
|
|
||
| **Production Access:** | ||
| - SSH access provided to PSF sysadmins and service managers | ||
| - All access through SSH keys managed in Salt pillar data | ||
| - No direct root access after initial setup | ||
|
|
||
| ### System Hardening | ||
|
|
||
| Salt will automatically apply comprehensive security hardening (see [Salt harden state](../salt/base/harden)): | ||
|
|
||
| **SSH Hardening:** | ||
| - Root login disabled after bootstrap | ||
| - Password authentication disabled | ||
| - Strong cryptographic algorithms only | ||
| - Connection limits and timeout controls | ||
| - X11 forwarding disabled | ||
|
|
||
| **System Security:** | ||
| - Firewall rules (iptables) with default deny policy | ||
| - File system permissions hardened | ||
| - Core dumps disabled | ||
| - Account lockout policies (5 failed attempts = 10 minute lockout) | ||
| - System resource limits configured | ||
|
|
||
| **Network Security:** | ||
| - Stateful firewall with connection tracking | ||
| - IPv4 and IPv6 rules applied | ||
| - Only explicitly allowed ports accessible | ||
| - Internal network traffic restrictions | ||
|
|
||
| ## User Management | ||
|
|
||
| ### User Accounts | ||
|
|
||
| **User Management:** | ||
| - Created from PSF pillar data (see [Salt users pillar data](../pillar/base/users)) | ||
| - The pillar data determines, per service, which users are created, their roles (root, etc.), and their SSH keys | ||
| - Sudo access granted to `psf-admin` group (see [Salt sudo pillar data](../pillar/base/sudoers/init.sls)) | ||
|
|
||
| ### SSH Key Management | ||
|
|
||
| **Key Sources:** | ||
| - SSH keys stored in Salt pillar data | ||
| - Automated key rotation capabilities via Salt highstate runs and Git repository updates | ||
|
|
||
| **Key Deployment:** | ||
| - Keys automatically deployed during Salt runs | ||
| - `authorized_keys` files managed by Salt | ||
| - Revocation through pillar data updates | ||
|
|
||
| ## Security Updates | ||
|
|
||
| ### Automatic Updates | ||
|
|
||
| Salt configures Ubuntu's unattended upgrades: | ||
|
|
||
| **Update Sources:** | ||
| - Ubuntu security updates | ||
| - Ubuntu stable updates | ||
| - Critical package updates | ||
|
|
||
| **Configuration:** | ||
| - Automatic installation of security updates | ||
| - Email notifications to `[email protected]` (see [Salt unattended-upgrades](../salt/unattended-upgrades/config/50unattended-upgrades)) | ||
|
|
||
| **Monitoring:** | ||
| - Monitoring generally happens through Sentry or Datadog metric checks. | ||
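Review bot: the SSH Access section (the "Source keys from GitHub profiles" bullet) makes initial root access depend entirely on the security of two GitHub accounts, because whatever is fetched from `https://github.com/JacobCoffee.keys` or `https://github.com/ewdurbin.keys` is simply the key set those accounts publish at that moment; consider stating that the hardware provider confirms the key fingerprints out of band with the PSF sysadmins before enabling root login, or that the bootstrap keys are replaced by the pillar-managed keys on the first highstate, so the guide records that trust boundary instead of leaving it implicit. The Inbound Access table lists port 22 as open to "PSF Sysadmins" but does not say whether the firewall restricts it by source address or relies on key authentication alone; since the System Hardening section later promises "Only explicitly allowed ports accessible", one sentence on the expected source restriction (or its absence) would remove the ambiguity. Two typos in the same hunk: "your serve will be managed" should read "your server will be managed", and "Preferrably" should read "Preferably".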
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -9,3 +9,4 @@ Guides | |
| migration-recipe.md | ||
| haproxy-registration-guide.md | ||
| port-guide.md | ||
| external-host-requirements.md | ||