update document for sabakan TLS #280

Merged
merged 1 commit into from
Jan 24, 2024
14 changes: 12 additions & 2 deletions README.md
Expand Up @@ -60,7 +60,7 @@ Features
To help implementing full disk encryption on client machines, sabakan accepts and stores
encrypted disk encryption keys. The key can be downloaded in the next boot to decrypt
disks.

`sabakan-cryptsetup` is a tool for clients to encrypt disks; the tool generates a disk
encryption key, encrypts it, and sends the encrypted key to sabakan. In the next boot,
it downloads the encrypted key from sabakan, decrypts it, then uses it to decrypt disks.
Expand Down Expand Up @@ -107,13 +107,23 @@ Run sabakan with docker
# create directory to store OS images
$ sudo mkdir -p /var/lib/sabakan

# create server certificate
$ sudo mkdir -p /etc/sabakan
$ make setup-cfssl
$ cd e2e/certs && ./gencerts.sh
$ cd ../..
$ sudo cp e2e/output/certs/server.crt /etc/sabakan/server.crt
$ sudo cp e2e/output/certs/server.key.insecure /etc/sabakan/server.key

# -advertise-url is the canonical URL of this sabakan.
$ docker run -d --read-only --cap-drop ALL --cap-add NET_BIND_SERVICE \
--network host --name sabakan \
--mount type=bind,source=/var/lib/sabakan,target=/var/lib/sabakan \
--mount type=bind,source=/etc/sabakan,target=/etc/sabakan \
ghcr.io/cybozu-go/sabakan:3.1 \
-etcd-endpoints http://foo.bar:2379,http://zot.bar:2379 \
-advertise-url http://12.34.56.78:10080
-advertise-url http://12.34.56.78:10080 \
-advertise-url-https http://12.34.56.78:10443
```

License
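Review bot: The new `-advertise-url-https` argument in the docker run example uses the `http://` scheme (`http://12.34.56.78:10443`), while docs/getting_started.md in this same change sets `advertise-url-https: https://localhost:10443`; it should read `https://12.34.56.78:10443`. The certificate steps also copy `e2e/output/certs/server.key.insecure` to `/etc/sabakan/server.key` with no comment that this key comes from the e2e script and is meant for trying sabakan out; a one-line comment saying so, and that a properly issued certificate and key should replace it in real deployments, would help. If the container only reads these files, the `/etc/sabakan` bind mount can also take `readonly`.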
15 changes: 15 additions & 0 deletions docs/getting_started.md
Expand Up @@ -35,11 +35,26 @@ $ docker run -d --rm --name etcd --network=host --uts=host gcr.io/etcd-developme
$ sudo mkdir -p /var/lib/sabakan
```

### <a name="certs" />Prepare server certificate

Create self-signed server certificate by using script and put it to `/etc/sabakan`:
```console
$ sudo mkdir -p /etc/sabakan
$ git clone github.com/cybozu-go/sabakan
$ make setup-cfssl
$ cd e2e/certs && ./gencerts.sh
$ cd ../..
$ sudo cp e2e/output/certs/server.crt /etc/sabakan/server.crt
$ sudo cp e2e/output/certs/server.key.insecure /etc/sabakan/server.key
```

### <a name="configure" />Prepare sabakan.yml

Save the following contents as `/usr/local/etc/sabakan.yml`:

```yaml
advertise-url: http://localhost:10080
advertise-url-https: https://localhost:10443
etcd:
endpoints:
- http://localhost:2379
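Review bot: `git clone github.com/cybozu-go/sabakan` in the new console block has no URL scheme, so git treats it as a local path and the clone fails; use `git clone https://github.com/cybozu-go/sabakan`, and add the missing `cd sabakan` before `make setup-cfssl`, since the later `e2e/...` paths are relative to the checkout. The section text could also say that `server.key.insecure` is the key produced by the e2e script for this self-signed certificate, and suggest restricting permissions on `/etc/sabakan/server.key` after copying it.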