Hockeypuck OpenPGP Public Keyserver

1. Deploying Hockeypuck with Juju

1.1. Prerequisites

Juju 1.23.2 or later is recommended to make full use of this charm's juju actions. Install juju with:

sudo apt-add-repository ppa:juju/stable
sudo apt-get update
sudo apt-get install juju-core

Also `apt-get install juju-local` if you'd like to use the local provider.

Familiarity with Juju and a bootstrapped environment is assumed. Read the Juju Documentation to get started.

1.2. Deploying Hockeypuck

Deploy a Hockeypuck service:

juju deploy cs:~hockeypuck/trusty/hockeypuck

Deploy MongoDB and relate it:

juju deploy mongodb
juju add-relation mongodb hockeypuck
juju expose hockeypuck

1.3. Accessing your new instance

Find the public-address of the Hockeypuck workload. For example:

$ juju status hockeypuck
environment: azure
machines:
  "15":
    agent-state: started
    agent-version: 1.23.2
    dns-name: juju-azure-dev-y9157oo521.cloudapp.net
    instance-id: juju-azure-dev-y9157oo521-jujuw0fh43evjcmace0ol1gsg0kltv5dh9b7bs8chm9gjj4gmp
    instance-state: ReadyRole
    series: trusty
    hardware: arch=amd64 cpu-cores=1 mem=1792M root-disk=130048M
services:
  hockeypuck:
    charm: local:trusty/hockeypuck-9
    exposed: true
    relations:
      mongodb:
      - mongodb
    units:
      hockeypuck/0:
        agent-state: started
        agent-version: 1.23.2
        machine: "15"
        open-ports:
        - 11370/tcp
        - 11371/tcp
        public-address: juju-azure-dev-y9157oo521.cloudapp.net

You should be able to access the keyserver at the listed public address, juju-azure-dev-y9157oo521.cloudapp.net:11371

1.4. HTTP reverse-proxy

Expose Hockeypuck on port 80 behind haproxy.

juju deploy haproxy
juju add-relation hockeypuck:website haproxy:reverseproxy
juju expose haproxy

Or behind squid for caching.

juju deploy squid-reverseproxy
juju add-relation hockeypuck:website squid-reverseproxy
juju set squid-reverseproxy port=11371
juju expose squid

2. Actions

The Hockeypuck charm provides several useful Juju actions for your new keyserver.

2.1. fetch-keyfiles

fetch-keyfiles downloads OpenPGP binary keyfiles from a remote location to a local directory on the keyserver.

2.1.1. Parameters

2.1.1.1. src

Required. The remote location to fetch keyfiles from. This is expected to be a directory containing concatenated OpenPGP public keys in RFC 4880 binary format. These are the files typically produced by an SKS dump, and should have a *.pgp file extension.

rsync://, http:// and ftp:// protocols are supported.

Please be mindful of the network activity that this action can place on the remote server hosting the files. Use sparingly on global pool dumps; otherwise mirror the files.

2.1.1.2. dest

Local directory where the files will be stored. /srv/hockeypuck/import is the default if not specified.

2.2. load-keyfiles

Stops the hockeypuck service and loads keyfiles into Hockeypuck.

2.2.1. Parameters

2.2.1.1. path

Local directory where files will be loaded from. /srv/hockeypuck/import is the default.

3. Peering

3.1. Peering with Relations

Assuming two Hockeypucks:

juju deploy cs:~hockeypuck/trusty/hockeypuck hkp1
juju deploy cs:~hockeypuck/trusty/hockeypuck hkp2

Enable gossip between them with:

juju add-relation hkp1:keymaster hkp2:gatekeeper

Destroy the relation to stop syncing keys:

juju destroy-relation hkp1:keymaster hkp2:gatekeeper

Regardless of which service is keymaster or gatekeeper, both services will initiate and serve connections.

3.2. Peering with Configuration

To peer with other keyservers (Hockeypuck or SKS servers) that aren't in your Juju environment, set the config option recon_partners. The format of this option is a space-delimited list of partners, where each partner is a comma-separated pair of HTTP and recon addresses. Like this:

juju set hockeypuck recon_partners="peer1:http,peer1:recon peer2:http,peer2:recon"

Note that you can specify a different host for the HTTP and recon addresses. This supports connecting to peers that expose these ports on different host addresses.

4. Example

juju-gui screenshot from a Hockeypuck deployment: two synchronizing Hockeypuck peers, using MongoDB for storage, reverse-proxied by haproxy.

Deploy it with this bundle:

envExport: 
  services: 
    "hkp1-hockeypuck": 
      charm: "cs:~hockeypuck/trusty/hockeypuck-8"
      num_units: 1
      annotations: 
        "gui-x": "523"
        "gui-y": "274.5"
    "hkp1-mongodb": 
      charm: "cs:trusty/mongodb-18"
      num_units: 1
      options: 
        dbpath: /mnt
      annotations: 
        "gui-x": "753.7806788511749"
        "gui-y": "274.5"
    "hkp1-haproxy": 
      charm: "cs:trusty/haproxy-6"
      num_units: 1
      expose: true
      annotations: 
        "gui-x": "638.3903394255875"
        "gui-y": "74.63806941226437"
    "hkp2-hockeypuck": 
      charm: "cs:~hockeypuck/trusty/hockeypuck-8"
      num_units: 1
      annotations: 
        "gui-x": "407.60966057441254"
        "gui-y": "74.63806941226437"
    "hkp2-mongodb": 
      charm: "cs:trusty/mongodb-18"
      num_units: 1
      options: 
        dbpath: /mnt
      annotations: 
        "gui-x": "292.2193211488251"
        "gui-y": "274.5"
    "hkp2-haproxy": 
      charm: "cs:trusty/haproxy-6"
      num_units: 1
      expose: true
      annotations: 
        "gui-x": "407.60966057441254"
        "gui-y": "474.3619305877356"
  relations: 
    - - "hkp1-mongodb:database"
      - "hkp1-hockeypuck:mongodb"
    - - "hkp1-haproxy:reverseproxy"
      - "hkp1-hockeypuck:website"
    - - "hkp2-mongodb:database"
      - "hkp2-hockeypuck:mongodb"
    - - "hkp2-haproxy:reverseproxy"
      - "hkp2-hockeypuck:website"
    - - "hkp1-hockeypuck:keymaster"
      - "hkp2-hockeypuck:gatekeeper"
  series: trusty

Authors

Casey Marshall