Both the CLI and the worker daemons require a rugged system user. Its purpose is primarily to limit write access to TUF metadata, cached targets, logs and related resources.
The rugged system user and group are created by convention with UID and GID 440 in all environments. Keeping the UIDs and GIDs consistent across environments is crucial; otherwise you will run into permission problems when writing files to the TUF repository over networked filesystems.
For more details, see Ansible scripts that configure the Rugged user.
We build a custom RabbitMQ image using Packer and Ansible to create and persist RabbitMQ users.
We then deploy it using Docker Compose in our local-dev environment, along with a list of RabbitMQ plugins to enable.
We build a base image with Packer that we then use as the basis for building our various worker images. The base image installs Python via a shell script.
Then, when installing the Rugged codebase with Ansible, we install a list of dependencies, including Python3-dev and Pipenv.
We maintain a list of all the directories used by the various components of Rugged (along with their filesystem permissions) in our Ansible rugged.workers role. These are:
/var/rugged/tuf_repo
: The directory in which TUF metadata is generated.
/var/rugged/signing_keys
: The directory containing a sub-directory for each of the roles' private keys. These are each mounted individually, as needed.
/var/rugged/signing_keys/root
: The directory containing the root signing (private) key(s), only mounted into the root/admin environment.
/var/rugged/signing_keys/timestamp
: The directory containing the timestamp signing (private) key, only mounted into the timestamp-worker.
/var/rugged/signing_keys/snapshot
: The directory containing the snapshot signing (private) key, only mounted into the snapshot-worker.
/var/rugged/signing_keys/targets
: The directory containing the targets signing (private) key, only mounted into the targets-worker.
/var/rugged/verification_keys
: The directory containing all verification (public) keys for the various roles.
/var/rugged/pkg_repo
: A directory, used for testing, in which we generate Composer metadata using Satis.
/var/rugged/incoming_targets
: The directory where Rugged's targets-worker will look for new targets when triggered.
/opt/post_to_tuf
: The directory where the monitor-worker will look for new targets on a recurring schedule.
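The ownership and mount-isolation rules above can be checked mechanically. The following is an added example, not Rugged's own code: it audits a directory tree against the UID/GID 440 convention and verifies that a worker container holds only its own role's private key, using assumed directory modes (the page does not state Rugged's actual modes) and a constructed temporary fixture.

```python
import os
import shutil
import stat
import tempfile
RUGGED_UID = RUGGED_GID = 440  # Rugged convention for the rugged user/group
KEY_ROLES = ("root", "timestamp", "snapshot", "targets")
# Assumed modes (not Rugged's values): key dirs owner-only, the rest rugged-writable.
EXPECTED_MODE = {**{d: 0o770 for d in ("var/rugged/tuf_repo", "var/rugged/pkg_repo",
                    "var/rugged/incoming_targets", "opt/post_to_tuf")},
                 "var/rugged/verification_keys": 0o750, "var/rugged/signing_keys": 0o700,
                 **{f"var/rugged/signing_keys/{r}": 0o700 for r in KEY_ROLES}}

def audit_tree(root, uid=RUGGED_UID, gid=RUGGED_GID, expected=EXPECTED_MODE):
    """Return (path, problem) pairs; `root` lets the audit run on a staged tree."""
    findings = []
    for rel, mode in expected.items():
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            findings.append((rel, "missing"))
            continue
        st = os.stat(path)
        if (st.st_uid, st.st_gid) != (uid, gid):
            findings.append((rel, f"owner {st.st_uid}:{st.st_gid} != {uid}:{gid}"))
        actual = stat.S_IMODE(st.st_mode)
        if actual & ~mode:  # any bit beyond the expected mode is too permissive
            findings.append((rel, f"mode {actual:04o} wider than {mode:04o}"))
    return findings

def check_key_isolation(root, role):
    """In a worker for `role`, only that role's signing-key dir may hold keys."""
    findings = []
    for r in KEY_ROLES:
        path = os.path.join(root, "var/rugged/signing_keys", r)
        has_keys = os.path.isdir(path) and bool(os.listdir(path))
        if has_keys != (r == role):  # own key absent, or another role's key present
            findings.append((r, "foreign private key mounted" if has_keys else "own private key missing"))
    return findings

def demo():
    root = tempfile.mkdtemp()  # constructed fixture: a timestamp-worker tree with two faults
    for rel, mode in EXPECTED_MODE.items():
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        os.chmod(os.path.join(root, rel), mode)
    open(os.path.join(root, "var/rugged/signing_keys/timestamp/key"), "w").close()  # own key
    open(os.path.join(root, "var/rugged/signing_keys/snapshot/key"), "w").close()  # fault
    os.chmod(os.path.join(root, "var/rugged/pkg_repo"), 0o777)  # fault: world-writable
    st = os.stat(os.path.join(root, "var/rugged/tuf_repo"))  # fixture owner is us, not 440
    result = audit_tree(root, st.st_uid, st.st_gid), check_key_isolation(root, "timestamp")
    shutil.rmtree(root)
    return result
```

Running `audit_tree("/")` on a real host reports directories owned by anything other than 440:440 or wider than the expected mode, and `check_key_isolation("/", "timestamp")` inside the timestamp-worker flags any other role's key that was mounted by mistake.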