DebConf Video Relay Network
1 DebConf Video Relay Network and its Setup
This is the DebConf Video Relay Network toolset. It is meant as a central place for the setup of video mirrors and whatever is required for them.
Stuff that still needs to be done:
- Generate video.debconf.org DNS entries
- Generate the DNS entries for zones
- Have the video.debconf.org zone pointed to krusty, so it can easily integrate the files generated here.
- Munin plugin(s) run from krusty, to get some stats
2 Config for video relays
Let's start with the more important stuff: a document for everyone who wants to provide a "videomirror", called a relay.
We require that you use the icecast version that is in current Debian stable; at the time of this writing this is 2.3.2, see "Debian – Details of package icecast2 in squeeze".
We also need a user that can receive SSH connections. This user needs to have our SSH key put into the authorized_keys file, so we get access. The key will be restricted to only be able to execute one script we provide, so we do not get shell access.
The user you provide also must be able to execute a few commands as root, so it needs sudo allowed. The rights are as limited as possible and should not allow anything except for replacing the icecast config and restarting the icecast server. See below for more information.
Obviously you should allow access to port 8000 from anywhere, otherwise this whole game makes no sense.
- We need icecast version 2.4 or later, so wheezy backports or jessie.
cubemap needs jessie or the following archive for wheezy:

    deb http://db.debconf.org/dc-admin/archive/ wheezy/amd64/
    deb http://db.debconf.org/dc-admin/archive/ wheezy/all/

Install icecast2 and cubemap:

    apt-get install icecast2 cubemap
    sed -ibak -e 's/ENABLE=false/ENABLE=true/' /etc/default/icecast2

A user to receive pushes for config changes/icecast restarts, which needs sudo rights:

    adduser --disabled-password --disabled-login --shell /bin/bash --gecos "DebConf video relay" vidpush

The script and ssh key for this:

    cd ~vidpush
    curl http://vidmaster.debconf.org/dist/dcvideomirror -o dcvideomirror
    curl http://vidmaster.debconf.org/dist/sshkey -o sshkey
    curl http://vidmaster.debconf.org/dist/sshkey.sig -o sshkey.sig
    chmod +x ~vidpush/dcvideomirror
    chown vidpush: ~vidpush/{dcvideomirror,sshkey{,.sig}}

Verify the sshkey is the right one. It is signed with the key:

    pub   4096R/B12525C4 2009-05-10
    uid                  Joerg Jaspert <joerg@debian.org>
    uid                  Joerg Jaspert <joerg@ganneff.de>
    uid                  Joerg Jaspert <joerg@spi-inc.org>
    uid                  Joerg Jaspert <joerg@debconf.org>
    sub   4096R/E075ECFF 2009-05-10

    gpg --keyserver keys.gnupg.net --recv-keys B12525C4
    gpg --verify sshkey.sig sshkey

Install the ssh key:

    mkdir -p ~vidpush/.ssh
    chmod 0700 ~vidpush/.ssh
    if [ -f ~vidpush/sshkey ]; then
        cat ~vidpush/sshkey >> ~vidpush/.ssh/authorized_keys
    else
        echo "Did you forget to do a step earlier to download the sshkey?"
    fi
    chown vidpush: ~vidpush/.ssh/authorized_keys
    chown vidpush: ~vidpush/.ssh

Allow sudo (this assumes you have the line "#includedir /etc/sudoers.d" in /etc/sudoers):

    cat >/etc/sudoers.d/99-debconf <<EOF
    vidpush ALL=(root) NOPASSWD: /bin/chown icecast2\:icecast /etc/icecast2/icecast.xml
    vidpush ALL=(root) NOPASSWD: /usr/sbin/service icecast2 restart
    vidpush ALL=(root) NOPASSWD: /usr/sbin/service icecast2 stop
    vidpush ALL=(root) NOPASSWD: /usr/sbin/service icecast2 start
    vidpush ALL=(root) NOPASSWD: /usr/sbin/service cubemap restart
    vidpush ALL=(root) NOPASSWD: /usr/sbin/service cubemap start
    vidpush ALL=(root) NOPASSWD: /usr/sbin/service cubemap stop
    vidpush ALL=(root) NOPASSWD: /usr/bin/sha256sum /etc/icecast2/icecast.xml
    vidpush ALL=(root) NOPASSWD: /usr/bin/sha256sum /etc/cubemap.config
    vidpush ALL=(root) NOPASSWD: /bin/mv /tmp/icecast.config.new /etc/icecast2/icecast.xml
    vidpush ALL=(root) NOPASSWD: /bin/mv /tmp/cubemap.config.new /etc/cubemap.config
    EOF
    chmod 0440 /etc/sudoers.d/99-debconf

- You are done. That is, if you haven't told us about the mirror, you should do so, otherwise this work was for nothing. You can contact Joerg Jaspert <joerg@debian.org>.
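
The setup above states that the pushed key can only execute one script, yet the "Install the ssh key" step appends the downloaded sshkey file unchanged, so the restriction has to be inside that file. The check below is an added example, not part of the DebConf tooling; it assumes the restriction is an authorized_keys options prefix of the form command="..." and that the script path is /home/vidpush/dcvideomirror (both assumptions), and it fails unless every key line carries that forced command.

```shell
#!/bin/sh
# Added example, not DebConf's code. Assumption: the pushed key's restriction
# is an authorized_keys options prefix of the form command="<script>".

# check_key_restricted FILE SCRIPT
# Returns 0 only if FILE holds at least one key and every key line has
# command="SCRIPT" in its options field (the text before the key type).
check_key_restricted() {
    file=$1; script=$2; keys=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;            # blank line or comment
        esac
        keys=$((keys + 1))
        case $line in
            ssh-*|ecdsa-*|sk-*)             # line starts with the key type
                echo "key without options: would grant a shell" >&2
                return 1 ;;
        esac
        # Keep only the options: cut from the first " <keytype> <blob>" on,
        # so a command= string in the trailing comment is not counted.
        opts=$(printf '%s\n' "$line" |
               sed -E 's/ (ssh-|ecdsa-|sk-)[^ ]+ .*$//')
        case $opts in
            *"command=\"$script\""*) ;;     # forced command present
            *)  echo "key not locked to $script" >&2
                return 1 ;;
        esac
    done < "$file"
    [ "$keys" -gt 0 ]                       # an empty file is a failure too
}

# Usage on the relay, before the "Install the ssh key" step (path assumed):
#   check_key_restricted ~vidpush/sshkey /home/vidpush/dcvideomirror \
#       && cat ~vidpush/sshkey >> ~vidpush/.ssh/authorized_keys
```

The check is textual: it does not replace the gpg signature verification, it only confirms that what was signed is a restricted key.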