@surjikal
Last active August 29, 2015 14:06
gentoo-minicron.md

Repo URL:
https://github.com/jamesrwhite/minicron

Info

One server acts as the "hub", i.e. the Minicron server; the other servers are simply clients. Clients reach the server through an ssh tunnel. The server must in turn be able to ssh into each client machine in order to modify that client's crontab. On the clients, public keys are added with a prefix that allows root ssh access only from a single IP (the server's IP).

Prerequisites

  1. SSH server configuration

    # Overwrites the whole file with a minimal, key-only configuration
    cat > /etc/ssh/sshd_config <<'EOF'
    Port 4242
    Protocol 2
    PermitRootLogin without-password
    PasswordAuthentication no
    EOF

    rc-service sshd restart
    
  2. Linode static networking
    https://www.linode.com/docs/networking/linux-static-ip-configuration

Client

The clients must be able to connect to the server. One way to do this is via ssh tunnels. Acquire the 42.minicron private key. Create a /root/.ssh/config file:

    Host 42-core-tunnel
        HostName 192.168.132.240
        User root
        Port 4242
        IdentityFile ~/.ssh/42.minicron.key
        LocalForward 9000 127.0.0.1:9000

To start the tunnel, run this:

    ssh -f -N 42-core-tunnel

Server

Generate an ssh keypair for the root user:

    ssh-keygen -b 4096

Installation

    emerge --sync
    emerge -av ruby

    gem install minicron

Install the minicron.toml config file (see the example below):

    cat > /etc/minicron.toml

On server only

database

    emerge -av mysql
    gem install mysql2

Minicron DB

    mysql
    minicron db setup

Start the server:

    minicron server start

Installing public keys on client machines

Since we're allowing the server to perform operations as root on a client machine, we want to be somewhat secure. When creating a host in minicron, take the public key and append it to that host's /root/.ssh/authorized_keys, but prefix it with a from option so that the line reads from="<server ip>" <public key>. sshd then accepts that key only for connections coming from the server's IP.
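One way to apply and check this prefix from the shell, as an added example that is not part of the original gist: `install_restricted_key` appends a key pinned to the server's IP, and `audit_authorized_keys` lists entries that lack that pin. Both function names are hypothetical, and only plain IPv4 addresses are assumed.

```shell
#!/bin/sh
# Added example, not from the gist; function names are hypothetical.

# install_restricted_key SERVER_IP PUBKEY_FILE AUTHORIZED_KEYS
# Appends the key as: from="SERVER_IP" <type> <blob> [comment]
install_restricted_key() {
    ip=$1; pub=$2; auth=$3
    # Plain IPv4 only, so the value cannot close the quotes or add patterns.
    case $ip in ''|*[!0-9.]*) echo "bad server ip: $ip" >&2; return 2 ;; esac
    # ssh-keygen writes "<type> <blob> [comment]" on one line.
    ktype=; blob=; comment=
    read -r ktype blob comment < "$pub" || true
    case $ktype in ssh-*|ecdsa-*|sk-*) ;; *) ktype= ;; esac
    [ -n "$ktype" ] && [ -n "$blob" ] || { echo "not a public key: $pub" >&2; return 2; }
    touch "$auth" && chmod 600 "$auth" || return 1
    # Idempotent: a key that is already listed is left alone;
    # audit_authorized_keys reports it if it is unrestricted.
    grep -qF -- " $blob" "$auth" && return 0
    printf 'from="%s" %s %s%s\n' "$ip" "$ktype" "$blob" "${comment:+ $comment}" >> "$auth"
}

# audit_authorized_keys AUTHORIZED_KEYS SERVER_IP
# Prints the line number of each key entry not pinned to exactly
# from="SERVER_IP"; exit status is 1 if any were found.
# Assumes no option value contains a word starting with a key-type prefix.
audit_authorized_keys() {
    awk -v ip="$2" '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        {
            opts = ""              # option fields that precede the key type
            for (i = 1; i <= NF && $i !~ /^(ssh-|ecdsa-|sk-)/; i++)
                opts = opts " " $i
            if (index(opts, "from=\"" ip "\"") == 0) { print NR; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}
```

On a client, `install_restricted_key 192.168.132.240 hub.pub /root/.ssh/authorized_keys` (with `hub.pub` as a hypothetical file holding the server's public key) followed by `audit_authorized_keys /root/.ssh/authorized_keys 192.168.132.240` prints the line numbers of any entries still not pinned to the server.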

    # Global options
    verbose = false
    trace = false # Useful for debugging

    # Client options
    [client]
    scheme = "http" # [http, https]
    host = "0.0.0.0"
    port = 9000
    path = "/"
    connect_timeout = 5
    inactivity_timeout = 5

    # Server options
    [server]
    # 0.0.0.0 listens on all interfaces; the ssh tunnel only targets 127.0.0.1:9000
    host = "0.0.0.0"
    port = 9000
    path = "/"
    debug = false # When true the server will not run as a daemon

    # Database options
    [database]
    type = "mysql" # [mysql, sqlite]

    # CLI options
    [cli]
    mode = "line" # [line, char] - line by line output or char by char
    dry_run = false # When true the command is run but not sent to the server

    # Alerting options
    [alerts]
    [alerts.email]
    enabled = true
    from = "mailman@42technologies.com"
    to = "status@42technologies.com"
    [alerts.email.smtp]
    address = "smtp.gmail.com"
    port = 587
    domain = "42technologies.com"
    user_name = "mailman@42technologies.com"
    password = "<password>"
    authentication = "plain"
    enable_starttls_auto = true