From fc94644e28f0af3ce765ec3f87138b264125dee0 Mon Sep 17 00:00:00 2001
From: John Eckersberg
Date: Wed, 18 Mar 2009 13:30:31 -0400
Subject: [certmaster] Documentation and cleanup for minion-to-minion
* Add man page for certmaster-sync
* Symlink certmaster-sync into triggers for post-sign and post-clean (doesn't execute by default)
* Add sync_certs setting to default certmaster.conf
* Create the empty /var/lib/certmaster/peers directory
---
 Makefile | 1 +
 certmaster.spec | 4 ++++
 docs/certmaster-sync.pod | 44 ++++++++++++++++++++++++++++++++++++++++++++
 etc/certmaster.conf | 2 +-
 setup.py | 2 ++
 5 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 docs/certmaster-sync.pod
diff --git a/Makefile b/Makefile
index 01b915d..91456f2 100644
--- a/Makefile
+++ b/Makefile
@@ -17,6 +17,7 @@ manpage:
 pod2man --center="certmaster-request" --release="" ./docs/certmaster-request.pod | gzip -c > ./docs/certmaster-request.1.gz
 pod2man --center="certmaster" --release="" ./docs/certmaster.pod | gzip -c > ./docs/certmaster.1.gz
 pod2man --center="certmaster-ca" --release="" ./docs/certmaster-ca.pod | gzip -c > ./docs/certmaster-ca.1.gz
+ pod2man --center="certmaster-sync" --release="" ./docs/certmaster-sync.pod | gzip -c > ./docs/certmaster-sync.1.gz
 messages: certmaster/*.py
 touch $(MESSAGESPOT)
diff --git a/certmaster.spec b/certmaster.spec
index f7fa30c..e50be18 100644
--- a/certmaster.spec
+++ b/certmaster.spec
@@ -62,6 +62,8 @@ certmaster is a easy mechanism for distributing SSL certificates
 %install
 test "x$RPM_BUILD_ROOT" != "x" && rm -rf $RPM_BUILD_ROOT
 %{__python} setup.py install --prefix=/usr --root=$RPM_BUILD_ROOT
+ln -s %{_bindir}/certmaster-sync $RPM_BUILD_ROOT/var/lib/certmaster/triggers/sign/post/certmaster-sync
+ln -s %{_bindir}/certmaster-sync $RPM_BUILD_ROOT/var/lib/certmaster/triggers/remove/post/certmaster-sync
 %clean
 rm -fr $RPM_BUILD_ROOT
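Review bot: The two `ln -s` lines in `%install` put certmaster-sync on the path of every sign and every remove event, so the only thing between a certificate operation on the CA host and a Func push to peer minions is the `sync_certs = False` default; the commit message's "doesn't execute by default" understates that, since the man page in this same patch says the trigger is invoked and merely exits as a no-op until sync_certs is enabled. A comment above the links would make the gating explicit: `# certmaster-sync runs as a post-sign / post-remove trigger; it is a no-op unless sync_certs = True in certmaster.conf`. The links also assume setup.py has already created `triggers/sign/post` and `triggers/remove/post` under the buildroot; the setup.py hunk in this patch shows `sign/post` but `remove/post` lies outside it, so that part is inferred. The commit message and man page call this stage "post-clean" while the directory is `remove/post`; using one name in both places would avoid confusion for anyone auditing which triggers fire.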
@@ -96,6 +98,8 @@ rm -fr $RPM_BUILD_ROOT
 %dir /var/lib/certmaster/triggers/remove/
 %dir /var/lib/certmaster/triggers/remove/pre
 %dir /var/lib/certmaster/triggers/remove/post
+/var/lib/certmaster/triggers/sign/post/certmaster-sync
+/var/lib/certmaster/triggers/remove/post/certmaster-sync
 %doc AUTHORS README LICENSE
 %{_mandir}/man1/*.1.gz
diff --git a/docs/certmaster-sync.pod b/docs/certmaster-sync.pod
new file mode 100644
index 0000000..1519387
--- /dev/null
+++ b/docs/certmaster-sync.pod
@@ -0,0 +1,44 @@
+=head1 NAME
+
+certmaster-sync -- syncronize client certificates with Func.
+
+=head1 SYNOPSIS
+
+certmaster-sync [-f|--force]
+
+=head1 DESCRIPTION
+
+certmaster-sync syncronizes client certificates amongst certmaster clients via Func. It is assumed that the hosts who have requested certificates are reachable via Func for syncronization operations.
+certmaster-sync by default is called as a post-sign and post-clean trigger. In order to enable syncronization you must set B to B, see B below.
+The syncronization occurs by querying remote Func methods in B on the minion hosts. This will gather information, copy any new certificates, and remove any certificates that have been cleaned.
+=head1 OPTIONS
+
+=over
+
+=item -f, --force
+
+Override the configuration value for B in F
+
+=back
+
+=head1 CONFIGURATION VALUES
+
+=over
+
+=item sync_certs
+
+B determines whether or not the script will actually syncronize or if it will exit with no operation. You can use -f|--force to override this configuration value. (Default: False)
+
+=back
+
+=head1 ADDITONAL RESOURCES
+
+See https://fedorahosted.org/certmaster. It's a Wiki.
+See also https://fedorahosted.org/func
+
+=head1 AUTHOR
+
+John Eckersberg
diff --git a/etc/certmaster.conf b/etc/certmaster.conf
index 7664376..cfdca9d 100644
--- a/etc/certmaster.conf
+++ b/etc/certmaster.conf
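Review bot: The `%files` list gains the two trigger symlinks but no entry for the new `/var/lib/certmaster/peers` directory that setup.py now creates with `("%s/peers" % certdir, [])`; unless `/var/lib/certmaster` is packaged recursively elsewhere in `%files` (not visible in this hunk), rpmbuild will stop on an installed-but-unpackaged file. The sibling trigger directories are listed one per line right here, so the consistent fix is a single line beside them: `%dir /var/lib/certmaster/peers`. If that directory is where synced peer certificates will be written, as the man page in this patch suggests, an explicit `%attr(0755,root,root)` (or tighter, if only the certmaster process needs to read it) on that `%dir` line would pin its ownership rather than relying on whatever default attributes the section inherits.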
@@ -9,4 +9,4 @@ cert_dir = /etc/pki/certmaster
 certroot = /var/lib/certmaster/certmaster/certs
 csrroot = /var/lib/certmaster/certmaster/csrs
 cert_extension = cert
-
+sync_certs = False
diff --git a/setup.py b/setup.py
index 8cf70eb..2a1fcdf 100644
--- a/setup.py
+++ b/setup.py
@@ -44,12 +44,14 @@ if __name__ == "__main__":
 (manpath, ["docs/certmaster.1.gz"]),
 (manpath, ["docs/certmaster-request.1.gz"]),
 (manpath, ["docs/certmaster-ca.1.gz"]),
+ (manpath, ["docs/certmaster-sync.1.gz"]),
 (rotpath, ['etc/certmaster_rotate']),
 (logpath, []),
 (certdir, []),
 (etcpath, []),
 (pkipath, []),
 (aclpath, []),
+ ("%s/peers" % certdir, []),
 ("%s/sign/pre/" % trigpath, []),
 ("%s/sign/post/" % trigpath, []),
 ("%s/remove/pre/" % trigpath, []),
-- cgit
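Review bot: `sync_certs = False` lands in etc/certmaster.conf with no hint of what enabling it does, even though flipping it turns a local sign or clean on the CA host into a Func operation against every minion that requested a certificate. A one-line comment above the key — `# sync_certs: when True, the certmaster-sync trigger propagates newly signed and cleaned certificates to the minions over Func (see certmaster-sync(1)); -f/--force overrides it` — would spare admins a trip to the man page, assuming the config parser accepts `#` comment lines (none appear in the visible part of the file). Shipping the key as False is the right default given the reachability assumption the man page states; documenting the consequence next to the switch is what is missing.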