Sigul uses a CA to generate SSL certs for the server, bridge, and clients to authenticate and encrypt communications. The server itself provides GPG keys for signing packages. In this case, I am going to setup a separate CA for sigul with respect to the CA we use for koji. The reasoning here is that koji's CA is used often, to create end user certs for access into koji. That means it's exposed often to an admin, either directly via the cli or indirectly via a webapp or other utility, when user certs are created.
The sigul CA should be kept fairly isolated in my opinion, since it's only used to add new server, bridge, and client instances. These additions should be fairly rare. Exposing the sigul CA often, as when a new end user cert is being created, opens up opportunities to create new certs that could be used to get rogue sigul clients the ability to get unauthorized rpms signed with our keys.
The bridge setup is pretty much spot on from the Seneca Sigul Setup link above. One thing you may have to do is change the sigul user's default shell in order to create the db as the sigul user using the defaults from the Fedora install of the packages.
usermod -s /bin/bash sigulNext for the server setup. First problem I need to resolve is that the server we're using for the sigul is an EL5 system. Python's sqlalchemy module that ships with EL5 is 0.3.11. There is an updated version in EPEL that also has a slightly different name - python-sqlalchemy0.5-0.5.8. Not sure if this is what's causing this error, I suspect so:
# sigul_server_create_db Traceback (most recent call last): File "/usr/share/sigul/server_create_db.py", line 21, in ? import server_common File "/usr/share/sigul/server_common.py", line 107, in ? sa.Column('name', sa.Text, nullable=False, AttributeError: 'module' object has no attribute 'Text'I've installed the EPEL python-sqlalchemy and just doing that did not solve the issue. I also cannot un-install the python-sqlalchemy provided with the OS. I am pretty sure that the issue here is that version of sqlalchemy on the OS is missing the functionality that we need for sigul tools.
To be continued...