Add deb and RPM repository config and documentation #1676
kirushik
left a comment
By the way, do we package systemd units for polkadot?
I think we probably should (at least eventually), and bonus points for setting the necessary security mechanisms up: running polkadot as a separate unprivileged user, setting up limited capabilities for the daemon, properly handling logs...
README.md (outdated)
```sh
# Import the security@parity.io GPG key
curl -fsSL 'https://keys.mailvelope.com/pks/lookup?op=get&search=security%40parity.io&options=mr&exact=on' | apt-key add -
# Add the Parity repository and update the package index
echo 'deb https://releases.parity.io/deb buster main' >> /etc/apt/sources.list.d/parity.list
```
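Review bot: the last line uses `>>`, so an operator who runs these instructions a second time ends up with a duplicated `deb` entry in `/etc/apt/sources.list.d/parity.list` (apt warns about duplicate sources on every update). Write the file with `>` instead so the instructions are idempotent.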
Can we please suggest putting the key into /usr/share/keyrings/ and using the deb [signed-by=<path to key>] URL… format instead?
There's no real reason to add a system-level apt key for a non-system repo.
(Warning: the key should be dearmored for this to work)
We don't yet, no, but there's no reason not to. It would be nicer if we could configure the node with a config file rather than having to edit the systemd service file each time. There are two outstanding issues for this in the Substrate repo (below).
@s3krit the common way to handle this with systemd is to put your options into an env variable in Then load those ENV vars into your systemd unit with and then maybe using variable expansion when composing a string for the I've seen quite a lot of daemons doing so, including
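The environment-file pattern described in this reply, as an added example that is not code from the PR or the polkadot repository. It assumes `/etc/default/polkadot` and the variable name `POLKADOT_CLI_ARGS` (both appear in snippets elsewhere in this thread), an illustrative `--name` argument, and a minimal unit whose `User=`, binary path and hardening lines are placeholders; `ROOT` is a prefix used only so the script can be exercised against a scratch directory.

```sh
#!/bin/sh
# Added example, not from the PR: wire CLI options into a packaged unit through
# EnvironmentFile= so operators edit /etc/default/polkadot, not the unit itself.
# Assumed: the env file path, the variable name, the unit contents. ROOT is a
# test prefix; empty means the real filesystem.
set -eu

ROOT="${ROOT:-}"

# Environment file: one KEY=value per line. systemd strips matching surrounding
# quotes, so a single variable can carry several command-line arguments.
# Only written if absent, so an operator's edits survive package upgrades.
write_env_file() {
  dir="$ROOT/etc/default"
  mkdir -p "$dir"
  if [ ! -e "$dir/polkadot" ]; then
    printf 'POLKADOT_CLI_ARGS="--name my-node"\n' > "$dir/polkadot"
  fi
}

# Unit: the leading '-' on EnvironmentFile= tolerates a missing file. An
# unquoted $VAR in ExecStart= is split on whitespace into separate arguments;
# ${VAR} would be passed as one argument, which is wrong for a list of flags.
write_unit() {
  dir="$ROOT/etc/systemd/system"
  mkdir -p "$dir"
  cat > "$dir/polkadot.service" <<'EOF'
[Unit]
Description=Polkadot node
After=network-online.target

[Service]
User=polkadot
Group=polkadot
EnvironmentFile=-/etc/default/polkadot
ExecStart=/usr/bin/polkadot $POLKADOT_CLI_ARGS
Restart=on-failure
StateDirectory=polkadot
ProtectSystem=strict
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
EOF
}

# The command line systemd will expand, for inspection.
exec_start_line() {
  sed -n 's/^ExecStart=//p' "$ROOT/etc/systemd/system/polkadot.service"
}

# Run as root: sh install-unit.sh install
if [ "${1:-}" = install ]; then
  write_env_file
  write_unit
  systemctl daemon-reload
fi
```

After editing `/etc/default/polkadot`, `systemctl restart polkadot` picks up the new arguments; `systemctl show -p ExecStart polkadot` shows the expanded command line, which is the quickest way to confirm the word-splitting behaved as intended.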
kirushik
left a comment
This is awesome!
Like, I'm really-really happy we're finally doing this.
It's up to you if you're going to fix my two remaining comments, those are really tiny nits.
Side note: maybe let's see if there are some additional features of systemd we can use to make this setup more secure by default?
I would suspect @ddorgan would have a lot of first-hand experience in running polkadot services in production, and @DemiMarie to know as much about capability filters and other Linux isolation tools as humanly possible.
README.md (outdated)
```sh
gpg --recv-keys --keyserver hkps://keys.mailvelope.com FF0812D491B96798
gpg --export security@parity.io > /usr/share/keyrings/parity.gpg
# Add the Parity repository and update the package index
echo 'deb [signed-by=/usr/share/keyrings/parity.gpg] https://releases.parity.io/deb buster main' > /etc/apt/sources.list.d/parity.list
```
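Review bot: `gpg --export security@parity.io` on the second line exports every key in the user's keyring whose user ID matches that address, not only the key just received, so any stale or stray key carrying the same UID would land in the trusted keyring. Export by the key's full fingerprint instead (`gpg --export <40-hex fingerprint>`), which also lets the reader cross-check it against the value used on the first line. The binary output of `gpg --export` is already in the form `signed-by=` expects, so no dearmoring step is needed here.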
It's a really tiny nit, but since we're using the same repo for both buster and focal, maybe let's use some more generic name here in the path? I can easily imagine myself changing the distro name here, and ending up with an incorrect repository URL.
It's not a big issue (trivial to both check and figure out, and probably only affects a small fraction of potential users anyway) — but I thought I'd better leave it as a note.
DemiMarie
left a comment
The Debian and Fedora package install directions have a security vulnerability, and there are places where additional documentation could be added. The systemd unit files should be locked down more as well; `systemd-analyze security` will help with that.
README.md (outdated)
```sh
# Import the security@parity.io GPG key
gpg --recv-keys --keyserver hkps://keys.mailvelope.com FF0812D491B96798
```
This needs to be a full (40 hex character) fingerprint, to prevent preimage attacks. If keys.mailvelope.com is a pool, we should also point to an individual server, as GPG can’t receive keys from a pool if it cannot resolve DNS.
40-hex-character fingerprint = 👍
Could you clarify on your second point? Do you mean specifying the keyserver with a single IP address in case of DNS failure? If so, is that a better solution than not being able to receive keys in the event of DNS issues?
GPG does support using an HTTP proxy, but only for standalone keyservers. It cannot receive keys from a pool without DNS. This has caused problems for me in the past when installing software in QubesOS, since QubesOS TemplateVMs can only access the Internet via a proxy and have no ability to resolve DNS.
```sh
if [ ! -e "$config_file" ]; then
  echo 'POLKADOT_CLI_ARGS=""' > /etc/default/polkadot
fi
```
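Review bot: the guard tests `"$config_file"` but the write targets the literal `/etc/default/polkadot`, so the check and the write can disagree if the variable is ever set to a different path. Use the same expression on both lines, e.g. `echo 'POLKADOT_CLI_ARGS=""' > "$config_file"`, or drop the variable and hard-code the path in both places.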
This isn’t actually needed, as systemd will treat an unset environment variable as an empty string.
My intent was to populate the blank config file so that users can edit it as necessary without having to consult the README again to see what the name of the CLI arg environment variable was named.
Good point. That said, /etc/default/polkadot should be included in the package as a configuration file.
.rpm/polkadot.spec (outdated)
```spec
%define __spec_install_post %{nil}
%define __os_install_post %{_dbpath}/brp-compress
```
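Review bot: a comment here should say that the first line empties `__spec_install_post`, the hook rpmbuild runs after `%install`, which by default invokes the build-root policy scripts (`__os_install_post`, including `brp-strip`); disabling it stops rpmbuild from stripping the Rust binary. The second line then only has an effect if the first is removed, and `%{_dbpath}` expands to the RPM database directory (`/var/lib/rpm` by default), not the directory where `brp-compress` is installed, so as written it is dead configuration. Either document both lines or drop the second one.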
I have written my own RPM spec files and have never seen either of these lines, so I recommend adding a comment explaining what they do.
scripts/packaging/polkadot.service (outdated)
```ini
ProtectKernelTunables=true
ProtectSystem=strict
RemoveIPC=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_PACKET
```
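Review bot: `ProtectSystem=strict` mounts the entire file system read-only for the service (only `/dev`, `/proc` and `/sys` stay writable), so the node can only persist its chain database if the unit also grants a writable location via `StateDirectory=` or `ReadWritePaths=`. That directive is not among the lines quoted here; confirm it is present elsewhere in the unit, otherwise the service will fail on its first write.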
We should not need AF_PACKET. In this case, it is harmless, as it requires CAP_NET_RAW to use, but it is still good practice to avoid it.
Co-authored-by: Demi Marie Obenour <demiobenour@gmail.com>
Final nags fixed :) Should be good to merge once green. I'll also manually add some info to the next release notes regarding our shiny new package repos.
This additional config is based on the output of `systemd-analyze security polkadot.service`. We recently added [our own](https://github.com/paritytech/polkadot/blob/master/scripts/packaging/polkadot.service) polkadot.service file in the polkadot repo and spent a little time researching which sandboxing and namespacing options we could take advantage of. Discussion for that PR is [here](paritytech/polkadot#1676 (comment)).
This change adds some documentation to the README.md on how to install the latest version of Polkadot using our package repositories, and some additional config to Cargo.toml for building .deb and .rpm packages with cargo-deb and cargo-rpm.
Internal documentation on how the repos are maintained can be found here.
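An added pre-merge check (not part of the PR or the polkadot repository) for the two sandboxing points raised in this thread: the `AF_PACKET` entry in `RestrictAddressFamilies=` and the need for a writable location under `ProtectSystem=strict`. It runs offline on a unit file; `systemd-analyze security` remains the broader check once the unit is installed. The sample units are constructed inline to mirror the lines quoted in review and are not the project's full unit file; the directive names are systemd's own, everything else is assumed.

```sh
#!/bin/sh
# Added example, not from the PR: lint the sandboxing directives of a systemd
# unit for two review points. Runs offline; systemd-analyze security is the
# broader check on an installed unit.
set -eu

# Value of directive $2 in unit file $1; the last occurrence wins, as in systemd.
unit_value() {
  sed -n "s/^[[:space:]]*$2=\(.*\)\$/\1/p" "$1" | tail -n 1
}

# Print one finding per line (nothing when the unit is clean).
check_unit() {
  unit="$1"
  # AF_PACKET requires CAP_NET_RAW anyway, but an allow-list should not
  # grant more than the service actually uses.
  case " $(unit_value "$unit" RestrictAddressFamilies) " in
    *" AF_PACKET "*) echo "RestrictAddressFamilies= lists AF_PACKET; remove it" ;;
  esac
  # ProtectSystem=strict mounts the whole file system read-only for the
  # service, so a writable location must be granted explicitly.
  if [ "$(unit_value "$unit" ProtectSystem)" = strict ] &&
     [ -z "$(unit_value "$unit" StateDirectory)" ] &&
     [ -z "$(unit_value "$unit" ReadWritePaths)" ]; then
    echo "ProtectSystem=strict without StateDirectory= or ReadWritePaths="
  fi
}

# Number of findings, for use as a gate in CI.
count_findings() {
  check_unit "$1" | wc -l | tr -d ' '
}

# Constructed sample mirroring the lines quoted in review (not the full unit).
make_reviewed_sample() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
[Service]
ProtectKernelTunables=true
ProtectSystem=strict
RemoveIPC=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_PACKET
EOF
  echo "$f"
}

# Constructed sample with both points fixed.
make_fixed_sample() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
[Service]
ProtectKernelTunables=true
ProtectSystem=strict
StateDirectory=polkadot
RemoveIPC=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
EOF
  echo "$f"
}

# Usage: check_unit scripts/packaging/polkadot.service
```

Run against the reviewed sample it reports both issues; against the fixed sample it reports nothing. Wiring `[ "$(count_findings "$unit")" -eq 0 ]` into CI keeps the two points from regressing when the unit is next edited.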