anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

refactor(swarm-mgmt): move agent/updater certs to /etc/decnet (root-owned)

Browse Source
This commit is contained in:
anti
2026-04-19 05:32:39 -04:00
parent bc5f43c3f7
commit e67b6d7f73
2 changed files with 13 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
decnet/web/router/swarm_mgmt/api_enroll_bundle.py
View File

@@ -178,8 +178,8 @@ def _render_decnet_ini(master_host: str) -> bytes:
f"master-host = {master_host}\n" f"master-host = {master_host}\n"
"swarm-syslog-port = 6514\n" "swarm-syslog-port = 6514\n"
"agent-port = 8765\n" "agent-port = 8765\n"
"agent-dir = /root/.decnet/agent\n" "agent-dir = /etc/decnet/agent\n"
"updater-dir = /root/.decnet/updater\n" "updater-dir = /etc/decnet/updater\n"
).encode() ).encode()

19
decnet/web/templates/enroll_bootstrap.sh.j2
View File

@@ -31,27 +31,30 @@ install -Dm0644 etc/decnet/decnet.ini /etc/decnet/decnet.ini
# Log directory the baked-in INI points at — must exist before `decnet` imports config. # Log directory the baked-in INI points at — must exist before `decnet` imports config.
install -d -m0755 /var/log/decnet install -d -m0755 /var/log/decnet
REAL_USER="${SUDO_USER:-root}" # Certs live under /etc/decnet/ (root-owned, 0600 keys) — this is a root
REAL_HOME="$(getent passwd "$REAL_USER" | cut -d: -f6)" # daemon's data, not a user's. The baked INI's `agent-dir`/`updater-dir`
# point at these paths.
for f in ca.crt worker.crt worker.key; do for f in ca.crt worker.crt worker.key; do
install -Dm0600 -o "$REAL_USER" -g "$REAL_USER" \ install -Dm0600 -o root -g root \
"home/.decnet/agent/$f" "$REAL_HOME/.decnet/agent/$f" "home/.decnet/agent/$f" "/etc/decnet/agent/$f"
done done
chmod 0755 /etc/decnet/agent
WITH_UPDATER="{{ with_updater }}" WITH_UPDATER="{{ with_updater }}"
if [[ "$WITH_UPDATER" == "true" && -d home/.decnet/updater ]]; then if [[ "$WITH_UPDATER" == "true" && -d home/.decnet/updater ]]; then
for f in ca.crt updater.crt updater.key; do for f in ca.crt updater.crt updater.key; do
install -Dm0600 -o "$REAL_USER" -g "$REAL_USER" \ install -Dm0600 -o root -g root \
"home/.decnet/updater/$f" "$REAL_HOME/.decnet/updater/$f" "home/.decnet/updater/$f" "/etc/decnet/updater/$f"
done done
chmod 0755 /etc/decnet/updater
fi fi
# Guarantee the pip-installed entrypoint is executable (some setuptools+editable # Guarantee the pip-installed entrypoint is executable (some setuptools+editable
# combos drop it with mode 0644) and expose it on PATH. # combos drop it with mode 0644) and expose it on PATH.
chmod 0755 "$INSTALL_DIR/.venv/bin/decnet" chmod 0755 "$INSTALL_DIR/.venv/bin/decnet"
ln -sf "$INSTALL_DIR/.venv/bin/decnet" /usr/local/bin/decnet ln -sf "$INSTALL_DIR/.venv/bin/decnet" /usr/local/bin/decnet
sudo -u "$REAL_USER" /usr/local/bin/decnet agent --daemon /usr/local/bin/decnet agent --daemon
if [[ "$WITH_UPDATER" == "true" ]]; then if [[ "$WITH_UPDATER" == "true" ]]; then
sudo -u "$REAL_USER" /usr/local/bin/decnet updater --daemon /usr/local/bin/decnet updater --daemon
fi fi
echo "[DECNET] agent {{ agent_name }} enrolled -> {{ master_host }}. Forwarder auto-spawned." echo "[DECNET] agent {{ agent_name }} enrolled -> {{ master_host }}. Forwarder auto-spawned."