405277 – sys-cluster/maui-3.3.1-r2 build time secret key configuration

Bug 405277 - sys-cluster/maui-3.3.1-r2 build time secret key configuration

Summary: sys-cluster/maui-3.3.1-r2 build time secret key configuration

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	[OLD] Server (show other bugs)
Hardware:	All Linux

Importance:	Normal normal with 1 vote (vote)
Assignee:	Gentoo Cluster Team

URL:
Whiteboard:
Keywords:	PMASKED

Depends on:
Blocks:

Reported:	2012-02-22 15:03 UTC by Volkmar Glauche
Modified:	2020-11-22 14:54 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Volkmar Glauche 2012-02-22 15:03:15 UTC

sys-cluster/maui uses a secret key defined at compile time to encrypt communication between server and client programs. Looking at the ebuild, there seems to be provision for a MAUI_KEY variable in make.conf when it is compiled for slurm.
When using torque as a resource manager, there seems to be no way to set this key explicitly before emerge. This results in different secret keys being used each time maui is emerged (e.g. on different nodes in a cluster). As a consequence, client binaries built on one host can not communicate to server binaries on another host.
If present, the ebuild should honour a MAUI_KEY variable also when compiled for torque.

Reproducible: Always

Comment 1 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev

2012-02-22 17:39:04 UTC

(In reply to comment #0)
> sys-cluster/maui uses a secret key defined at compile time to encrypt
> communication between server and client programs. Looking at the ebuild, there
> seems to be provision for a MAUI_KEY variable in make.conf when it is compiled
> for slurm.
> When using torque as a resource manager, there seems to be no way to set this
> key explicitly before emerge. This results in different secret keys being used
> each time maui is emerged (e.g. on different nodes in a cluster). As a
> consequence, client binaries built on one host can not communicate to server
> binaries on another host.
> If present, the ebuild should honour a MAUI_KEY variable also when compiled for
> torque.

I don't know why it was added in the first place. You don't want something secret to be in a publicly accessible file. The preferred mechanism for injecting key is using EXTRA_ECONF="--with-key=1234" emerge maui.
@alexxy ^^ ?

Out of curiosity why do you install maui on slave nodes?

Comment 2 Volkmar Glauche 2012-02-22 19:43:11 UTC

(In reply to comment #1)

Indeed, using EXTRA_ECONF to pass the secret key is a better way of keeping it secret.
The reason to install maui on some of the cluster nodes is that I want to have the diagnostic and status commands available on e.g. submit hosts. 
Best, Volkmar

Comment 3 Volkmar Glauche 2012-02-23 13:38:49 UTC

(In reply to comment #2)

Replying to myself:
EXTRA_ECONF must be set for each emerge of maui (e.g. re-emerge or update as well). Thus, the key needs to be stored somewhere.
Portage has support of per-package environment variables:

/etc/portage/package.env
/etc/portage/env/

It would be nice if the maui ebuild or doc could suggest to 
1) echo "sys-cluster/maui maui_key.conf" >> /etc/portage/package.env
2) mkdir /etc/portage/env
3) echo EXTRA_ECONF="--with-key=YOURKEY" >> /etc/portage/env/maui_key.conf

This way, a common key can be set without cluttering /etc/make.conf. Obviously, security considerations apply to /etc/portage/env now.

Best,
Volkmar

Comment 4 Larry the Git Cow gentoo-dev

2020-10-24 14:20:00 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a05c24f0122b62cae823c3123b545014eefd9189

commit a05c24f0122b62cae823c3123b545014eefd9189
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2020-10-24 14:19:47 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2020-10-24 14:19:47 +0000

    package.mask: Last rite sys-cluster/maui
    
    Bug: https://bugs.gentoo.org/365713
    Bug: https://bugs.gentoo.org/405277
    Bug: https://bugs.gentoo.org/405437
    Bug: https://bugs.gentoo.org/414793
    Bug: https://bugs.gentoo.org/415699
    Bug: https://bugs.gentoo.org/422799
    Bug: https://bugs.gentoo.org/479288
    Bug: https://bugs.gentoo.org/740928
    Signed-off-by: David Seifert <soap@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)

Comment 5 Larry the Git Cow gentoo-dev

2020-11-22 14:54:48 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=23c2fcae268d01a7bcb593febcd963875a822b7c

commit 23c2fcae268d01a7bcb593febcd963875a822b7c
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2020-11-22 14:54:12 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2020-11-22 14:54:12 +0000

    sys-cluster/maui: Remove last-rited package
    
    Closes: https://bugs.gentoo.org/365713
    Closes: https://bugs.gentoo.org/405277
    Closes: https://bugs.gentoo.org/405437
    Closes: https://bugs.gentoo.org/414793
    Closes: https://bugs.gentoo.org/415699
    Closes: https://bugs.gentoo.org/422799
    Closes: https://bugs.gentoo.org/479288
    Closes: https://bugs.gentoo.org/740928
    Signed-off-by: David Seifert <soap@gentoo.org>

 profiles/package.mask                            |  6 ---
 sys-cluster/maui/Manifest                        |  1 -
 sys-cluster/maui/files/maui-3.3.1-torque_4.patch | 14 ------
 sys-cluster/maui/files/maui.initd                | 23 ---------
 sys-cluster/maui/maui-3.3.1-r3.ebuild            | 61 ------------------------
 sys-cluster/maui/metadata.xml                    | 12 -----
 6 files changed, 117 deletions(-)