Bcfg2 Demo Commands
$ lines describe commands to be run -> describes user input Rest of this is commentary on the actions taken.
1. Initialize the bcfg2 repo
$ sudo bcfg2-admin init -> answer the questions appropriately for your server
After this step is completed, you will have a repository in /var/lib/bcfg2. This repository is a skeleton, containing empty directories for most plugins, and small configuration files for the Metadata plugin, which is required.
2. Start the bcfg2 server $ sudo /etc/init.d/bcfg2-server start
This step starts up the bcfg2 server. You will see a series of messages in syslog like: Dec 26 08:51:19 ubik bcfg2-server[6057]: Bound to port 6789 Dec 26 08:51:36 ubik bcfg2-server[6057]: Processed 121 gamin events in 0.309 seconds. 0 collapsed ...
3. Set the basic group to be public; this allows clients to freely associate themselves with it.
$ sudo vi /var/lib/bcfg2/Metadata/groups.xml -> Change basic group to public='true'
4. Run a client in dry run mode On a client $ sudo /usr/sbin/bcfg2 -q -v -d -n -p basic -x foobat -S https://server:6789
In order, these options will not perform checksum tests, run the client in both verbose and debug modes. -n specifies that Bcfg2 should not make any changes to the client. -p specifies that the client wants to associate itself with the profile group "basic". -x specifies the client password. Finally, -S provides a URL where the server can be contacted.
Notice that the client performs no changes. Also, notice the statistics printed at the end of the run, noting 0 correct entries (none are managed) and a number of unmanaged entries. These entries are probed by the Bcfg2 client and sent to the server. This information can be used later to incrementally manage more of the client's configuration.
-p only needs to be specified once; the server will store the profile group for the client. -x and -S are only needed because there is no bcfg2.conf file on the client (yet). Next, we will create one.
5. Begin to manage /etc/bcfg2.conf
In order to manage a configuration file, two steps must be performed. First, the entry must be included in the list of entries that need to be installed on the client. Then we need to add information about that entry so that it is properly configured on the client system.
5.1 Adding /etc/bcfg2.conf to the list of managed entries for the client.
First, create a new bundle that includes the entry <ConfigFile? name='/etc/bcfg2.conf'/>.
$ cat > /tmp/bcfg2.xml << EOF <Bundle revision='$Revision$' name='bcfg2' version='2.0' >
<ConfigFile? name='/etc/bcfg2.conf'/>
</Bundle> EOF $ sudo mv /tmp/bcfg2.xml /var/lib/bcfg2/Bundler
After this step, we have created a bundle that includes /etc/bcfg2.conf, but no clients will get that bundle.
5.2 Add the bundle bcfg2 to the basic group. $ vi /var/lib/bcfg2/Metadata/groups.xml -> add a client element: <Bundle name='bcfg2'/> to group basic
5.3 Create the literal configuration file to be installed on the client.
$ sudo mkdir -p /var/lib/bcfg2/Cfg/etc/bcfg2.conf
This creates a directory that the Cfg plugin uses to serve data for the config file /etc/bcfg2.conf. Now, we create a file that is the default version of bcfg2.conf that clients should get.
$ cat > /tmp/bcfg2.conf << EOF [communication] protocol = xmlrpc/ssl password = foobat
[components] bcfg2 = https://server:6789 EOF
$ sudo mv /tmp/bcfg2.conf /var/lib/bcfg2/Cfg/etc/bcfg2.conf
6. Run the client again to get the updates to /etc/bcfg2.conf
6.1 Verify the results before installing
$ sudo /usr/sbin/bcfg2 -q -v -d -n -x foobat -S https://server:6789 -> See that it now complains about 1 incorrect entry:
ConfigFile /etc/bcfg2.conf does not exist Failed to read /etc/bcfg2.conf: No such file or directory Phase: initial Correct entries: 0 Incorrect entries: 1 Total managed entries: 1 Unmanaged entries: 649 In dryrun mode: suppressing entry installation for: ConfigFile:/etc/bcfg2.conf Phase: final Correct entries: 0 Incorrect entries: 1 ConfigFile:/etc/bcfg2.conf Total managed entries: 1 Unmanaged entries: 649
6.2 Run the bcfg2 client in interactive mode
$ sudo /usr/sbin/bcfg2 -q -v -d -I -x foobat -S https://server:6789 -> answer 'y' when it asks if you want to install /etc/bcfg2.conf
Now, it reports one correct entry:
Phase: final Correct entries: 1 Incorrect entries: 0 Total managed entries: 1 Unmanaged entries: 649
Now, we can run bcfg2 without some of the command line cruft: $ sudo /usr/sbin/bcfg2 -q -v -d -n
and we see that everything is copacetic
7. Managing ssh host keys
7.1 Add bundle for ssh
$ cat > /tmp/ssh.xml << EOF <Bundle revision='$Revision$' name='ssh' version='2.0'
origin='https://svn.mcs.anl.gov/repos/bcfg/trunk/repository/Bundler/ssh.xml'>
<ConfigFile? name='/etc/ssh/ssh_host_dsa_key'/> <ConfigFile? name='/etc/ssh/ssh_host_rsa_key'/> <ConfigFile? name='/etc/ssh/ssh_host_dsa_key.pub'/> <ConfigFile? name='/etc/ssh/ssh_host_rsa_key.pub'/> <ConfigFile? name='/etc/ssh/ssh_host_key'/> <ConfigFile? name='/etc/ssh/ssh_host_key.pub'/> <ConfigFile? name='/etc/ssh/ssh_known_hosts'/>
</Bundle>
$ sudo mv /tmp/ssh.xml /var/lib/bcfg2/Bundler
Add ssh bundle into basic group $ sudo vi /var/lib/bcfg2/Metadata/groups.xml -> add <Bundle name='ssh'/> to the basic group
7.2 Validate the repository each time you change an XML file sudo /usr/sbin/bcfg2-repo-validate -v
7.3 Run bcfg2 on the client $ sudo /usr/sbin/bcfg2 -q -v -n
We see incorrect entries for ssh files
Phase: initial Correct entries: 1 Incorrect entries: 7 Total managed entries: 8 Unmanaged entries: 649 In dryrun mode: suppressing entry installation for: ConfigFile:/etc/ssh/ssh_host_dsa_key ConfigFile:/etc/ssh/ssh_host_rsa_key ConfigFile:/etc/ssh/ssh_host_dsa_key.pub ConfigFile:/etc/ssh/ssh_host_rsa_key.pub ConfigFile:/etc/ssh/ssh_host_key ConfigFile:/etc/ssh/ssh_known_hosts ConfigFile:/etc/ssh/ssh_host_key.pub Phase: final Correct entries: 1 Incorrect entries: 7 ConfigFile:/etc/ssh/ssh_host_dsa_key ConfigFile:/etc/ssh/ssh_host_rsa_key ConfigFile:/etc/ssh/ssh_host_dsa_key.pub ConfigFile:/etc/ssh/ssh_host_rsa_key.pub ConfigFile:/etc/ssh/ssh_host_key ConfigFile:/etc/ssh/ssh_known_hosts ConfigFile:/etc/ssh/ssh_host_key.pub Total managed entries: 8 Unmanaged entries: 649
7.4 Install client keys into the Bcfg2 repository Now, we pull the ssh host key data for the client out of the uploaded stats and insert it as host-specific copies of these files in /var/lib/bcfg2/SSHBase
$ for key in ssh_host_dsa_key ssh_host_key; do
sudo bcfg2-admin pull <clientname> ConfigFile? /etc/ssh/$key sudo bcfg2-admin pull <clientname> ConfigFile? /etc/ssh/${key}.pub
done
This for loop pulls data that was collected by the bcfg2 client out of the statistics file and installs it into the repository. This means that the client will keep the same ssh keys and the bcfg2 server can start generating a correct ssh_known_hosts file for the client.
7.5 Run bcfg2 on the client again $ sudo /usr/sbin/bcfg2 -q -v -n
This time, we will only see 1 incorrect entry.
Phase: initial Correct entries: 7 Incorrect entries: 1 Total managed entries: 8 Unmanaged entries: 649 In dryrun mode: suppressing entry installation for: ConfigFile:/etc/ssh/ssh_known_hosts Phase: final Correct entries: 7 Incorrect entries: 1 ConfigFile:/etc/ssh/ssh_known_hosts Total managed entries: 8 Unmanaged entries: 649
Now, the only wrong entries is the ssh_known_hosts file!, so let's get it $ sudo /usr/sbin/bcfg2 -q -v -I -> Answer 'y' to the "install /etc/ssh/ssh_known_hosts" question
Phase: final Correct entries: 8 Incorrect entries: 0 Total managed entries: 8 Unmanaged entries: 649
7.6 show /etc/ssh/ssh_known_hosts It includes
- all local system keys
- localhost keys (for the local system)
- all systems with keys in bcfg2.
Extra stuff.
- blow away file, or corrupt it, and it gets fixed.
- add a second version of bcfg2.conf for the server (with a host-specific file)
