/
TRANSPORTS
147 lines (82 loc) · 3.75 KB
/
TRANSPORTS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
Slaughter fetches policies, and optionally files, from a remote server.
The remote server might be :
* An rsync server.
* HTTP/HTTPS server.
* Remote git/mercurial/subversion repository.
Additionally there is a NOP-transport which fetches files from the local
filesystem, and requires no central server. This is the "local" transport.
To specify which of these transports is used the slaughter client needs to be
configured with two things:
* The method by which to fetch the files (HTTP-get, rsync clone, etc).
* The location of the files.
The former is the "transport", the latter is the "server-prefix".
local transport
---------------
The local-transport allows you to test against policies upon the local disk,
without any remote fetching at all. This is sufficient for testing purposes
and to allow you to get your feet wet.
Assuming you have the layout:
/root/tmp/
/root/slaughter/
/root/slaughter/files/
/root/slaughter/policies/
/root/slaughter/policies/default.policy
You may execute the policy by running:
# slaughter --transport=local --prefix=/root/slaughter/
http transport
--------------
The HTTP-transport is the simplest of those transports that fetches files
from a remote location. All files are retrieved over basic HTTP.
Given this directory tree:
/var/www/slaughter/
/var/www/slaughter/files/
/var/www/slaughter/policies/
/var/www/slaughter/policies/default.policy
Then the client will be invoked like this:
slaughter --transport=http --prefix=http://example.com/slaughter/
Here the prefix is the URL which contains the sub-directories "files" and "policies".
You can test the transfer by running a command such as this:
curl http://example.com/slaughter/policies/default.policy
rsync transport
---------------
rsync is an efficient protocol for transferring files, coping well with incremental
fetches.
Assuming the files are stored on the disk like this:
/srv/slaughter/
/srv/slaughter/files/
/srv/slaughter/policies/
/srv/slaughter/policies/default.policy
The following rsync configuration file would be a sensible starting point, note
especially how it uses an ACL to prevent fetches from unknown machines:
[slaughter]
path = /srv/slaughter/
comment = slaughter policy files
read only = true
hosts allow = 1.2.3.0/24 *.example.com
The client will be invoked as follows:
slaughter --transport=rsync --prefix=rsync://example.com/slaughter/
You can test the transfer by running a command such as this:
rsync -qazr rsync://example.com/slaughter /tmp/foo
Additional arguments may be passed to rsync via the "--transport-args" flag.
hg transport
------------
Create a repository which contains the top-level directories "files/" and
"policies/". Host this repository somewhere that mercurial can pull it from,
ideally via http/https.
The client will be invoked like so:
slaughter --transport=hg --prefix=http://example.com/path/to/repo.hg
The client will invoke something similar to this, which may be used to test
the path is correct.
hg clone http://example.com/path/to/repo.hg /tmp/foo
Additional arguments may be passed to mercurial via the "--transport-args" flag.
git transport
-------------
Create a repository which contains the top-level directories "files/" and
"policies/". Host this repository somewhere that git can pull it from,
ideally via http/https.
The client will be invoked:
slaughter --transport=git --prefix=http://example.com/path/to/repo.git
The client will invoke something similar to this, which may be used to
test the path is correct:
git clone http://example.com/path/to/repo.hg /tmp/foo
Additional arguments may be passed to the git command line via the "--transport-args" flag.