Fixes #37121 - Automatically secure the DHCP OMAPI interface #827
+24 −11
The tsig-keygen command can be used to generate a TSIG key to secure the OMAPI communication.
This is a draft since I realized I need to rewrite some things. Initially it was based on theforeman/foreman-documentation#2709 but then reading the manual I realized dnssec-keygen in Fedora can no longer create TSIG keys. Luckily, tsig-keygen also exists on EL8. Probably also on Debian/Ubuntu.
Another thing I realized was the very complex permission model. It would be way easier if puppet-dhcp creates a separate file for the OMAPI key with strict permissions and the regular DHCP file only includes that. This would allow us to drop the posix ACLs.