Distribution and Configuration System
Release 2.0

John P. Rouillard

January 2009

Contents

List of Tables

List of Figures

Chapter 1
DACS Introduction

• a host database
• a version control system
• an optional file generation system
• a file distribution and remote command execution mechanism

• a database of information about systems that can be queried
  • to generate configuration files. E.G. get the addresses of the local NTP servers from the database and automatically insert them in generated ntp.conf files to eliminate the manual maintenance of those files when the servers change.
  • to generate lists of computer wiring
  • to generate lists of assets
  • to select hosts running a particular OS version
• ability to track changes to the configuration system
  • Who did what change
  • When was the change made
  • What files were changed and how
  • Why was the change made
• the ability to generate files in response to configuration changes to keep them in sync with changes to the network
• the ability to quickly determine what services were lost if a host failed

1.1  Should you deploy DACS?

• Perl
• Bourne shell
• text file database tools
• svn or cvs
• gnu make
• filepp
• rdist

• the version control system can implement safety checks and refuse to allow the check-in of bad configurations or syntactically incorrect files or scripts.
• the build system can run verification checks as part of the distribution and will not push any changes if the verification fails.

• set up the top level NTP servers that all the rest will receive their time from
• generate the ntp.conf files for the top level servers
• generate the ntp.conf files for the hosts that will use the top level servers
• open firewall ports on the servers to allow NTP to pass

• the learning curve to use the system
• in CCM systems changes are generalized to allow them to apply to multiple systems rather than just one system. This makes deploying making large scale changes so much easier than logging into 200 individual systems and editing the same (well hopefully it's the same) config file on each system.
• wasted time while files are generated and pushed. While this may appear to be unproductive time, the time can be used to document the changes in the ticket or do something else while waiting. Compare this to editing 200 files which looks like work, but is really just busy work.

• fixes are implemented once and applied to a class of machines. Hence you aren't continually fixing the same problem wasting your time and the time of the people who need the fix to do their work. The effort is expended once per DACS installation and not once per machine.
• reduced impact due to changes. Standard configurations allow changes to be tested more thoroughly and the DACS database can be used to look for host configurations which may cause a problem allowing test prior to deployment on the edge cases.
• faster deployment of new/replacement systems. Because all the unique host info is in DACS, it can be pushed out to a new system to replace a broken one.
• reduced archeology - when making a change on manually managed systems, you often have to do a fair amount of digging and interpretation to understand how the system is set up and how it is supposed to operate before you make a change. If you have 100 systems it is possible you may have to do this 100 times prior to making a change. CCM systems by their nature have a tendency to reduce this variability (by using one file for multiple hosts). Also by gathering all the files together it is easier to compare them when there are multiple files. Also with a VCS system, the log messages supplied when the changes were done provides the context needed to understand the changes.

1.2  Why you should deploy DACS

• Accountability - the person responsible for each change to the system is recorded by the version control system.
• Automatic documentation - documentation in the form of a check-in log message is requested at the time the files are checked into the version control system. The version control system can require a trouble ticket identifier linking this check-in to the requirement.
  As a second form of documentation, using DACS as the ultimate authority of what should be running where, the documentation (in the form of database settings, files in the CCM system) and the systems are always in sync. DACS will warn you when the docs don't match reality.
• Quick repair - if a system is misbehaving, DACS can be used to verify that the system is running the proper configuration. If it is not DACS can be used to impose the proper configuration. This cuts down on the time to repair by fixing the problem, or eliminating possible causes.
  In addition the VCS underlying DACS can be used to search for operation impacting changes. So rather than looking through dozens of files on the misbehaving host, DACS can quickly narrow down the search to files that have changed recently. Even better, it can narrow down the field to specific changes within those files that caused the problem.
• Reduce complexity/variation - you can get reports on the number of files pushed to a machine and the number of tokens that defines configuration settings is directly proportional to the complexity of your environment. In the database you can see how complex your configurations are getting and how many variations of configurations you have. You can use these as metrics to try to reduce the amount of variation. E.G. you have six different copies of /etc/httpd/conf/httpd.conf being pushed. Why not see what the differences are and reduce it to three or even to one copy of the file. The goal is not to run 100 systems but to run 1 system 100 times as this leads to less documentation, training and confusion.
• Faster modifications - because all the files are identical or similar across all machines, it helps re-enforce best practices for setting up software. As a result there is:
  • one instruction manual/training set on how to do it
  • less time spent trying to understand some novel configuration before it is modified. The configuration is standard and hopefully documented, so changes can be accomplished quickly.
  • better testing as the database can identify different host configurations which should be used for testing. This should reduce deployment problems caused by the change allowing them to be discovered during testing.
  • less manual work by using templates and generating files rather than editing 200 files. Instead edit one template file and have the system build the 200 files. This frees you to have coffee, answer email or write documentation while the system is building the files. Plus it reduces variability as the files all follow the same template.
• Increase predictability - rolling out changes shouldn't result in surprises. By having a standard platform, unintended interactions are minimized and can be found during testing rather than after deployment.
• Oops recovery - since all changes to the configuration tree go through the version control system, you can always roll back a bad change and push the older (i.e. working) configuration. Then you can use the difference tool in the version control system to see what you changed and understand what actually went wrong.
• Why is it configured that way - have you ever looked at a configuration file and thought, "well that's wrong" and "fixed" it? Then three months later discovered it was right and you now have a week of repair/recovery. With a version control system enforcing the requirement to have ticket information in the check-in message, you can relate changes in the configuration to tickets and discover the cause for the change before you undo it.
• Delegation - finding a system administrator for every configuration change isn't always the way to go. Wouldn't it be nice to be able to allow a user to make changes in a controlled way? Using the version control and build systems you can delegate changes to others. If things break, you can see what changes were made. No more cries of "but I didn't change anything".
  Using the version control system you can delegate an entire file to one or more users to change, or you can have them edit a control file whose changes are validated and merged into other configuration files by the build system. Further details can be found in Delegation of access to a non-admin user section 4.4.4.

• what is the IP address for a host?
• what services does a host run? (Used to determine what files should be pushed, what firewall configuration settings should be enabled, what services should run on boot etc).
• what are the attributes of a host? (What patches does it receive, does it have a 3ware raid card so the control program for it should be loaded on the system etc.)

• how many unique configurations of systems do I have
• how many different configurations of this service do I have deployed
• how many hosts are running a particular OS
• what hosts are running services exposed to the Internet

1.3  The Components

• Database - defines properties and capabilities of the hosts. It is sort of a prototype configuration management database (CMDB) from ITIL.
• Source code control system (currently subversion with some support for the older CVS) tracks all changes to the database, build system and distributed files.
• File build mechanism based on gnu make(1). It can use database info via the dbreport command to extract IP addresses, host names and other host attributes to build custom files (perhaps using filepp(1)) for hosts. Using this is optional but recommended, as it reduces variation between files and allows for reuse of configurations between machines.
• File distribution/remote command execution mechanism based on rdist(8). A control file is provided to define labels: a set of files and remote commands to run as a unit.

• Rdist - main Perl script wrapper
  • updates, generates and pushes files to the managed systems
  • supports host verification before files are distributed. This makes sure the machine matches the database values (this is done by the HOSTVERIFY script). If the verification fails, the host not updated.
  • determines the default distribution targets by searching for labels in it's control file (Distfile) rather than from the list of top level directories (as in Config).
  • supports verification which doesn't change any operational files and is used for generating a report on what would be pushed if a normal distribution run was done.
  • allows specialized -verify targets to run which verify configurations that are not file based or can be dynamically reconfigured. For example firewalls or a windows registry.
  • optionally enforces distribution to a limited set of hosts (i.e. a test network) to prevent accidental installs of files on production hosts.
  • provides a mechanism for determining and distributing the Rdist command line to other systems. This is used to set up a hierarchy of Rdist servers to provide load balancing, redundancy etc.
  • permits supplemental targets to be defined via .targets files (target override).
• dbreport - a Perl script for querying and validating the database. (For those familiar with the Config system, this replaces class_gen.) It:
  • provides regular expression based host selection
  • allows host selection using any host property in the database
  • provides simple query/report formatting capabilities
  • is used to generate reports such as asset lists and wiring tables
  • provides data validation via regular expressions to detect typos in any field.
• cleangrep, cleanfind - allows searching of files under subversion control to identify files affected by config changes. They ignore files in the working tree not checked into subversion, including generated files.

• subversion or CVS - version control system
  • provides accountability for changes
  • provides authorization for users to change files. This allows the right to change a file to be delegated to particular users.
  • allows rollback of changes to a known good state.
  • implements safety checks on files to prevent broken files from being checked in.
  • records documentation on each change entered
  • optionally verifies each change message to make sure required elements are present (e.g. ticket numbers)
  • optionally distributes change messages via email or other mechanism to notify other and implement change review process.
• gnu make - acts as the build system for DACS
  • provides the ability to generate files from templates or other mechanism
  • sets ownership/permissions/group for files which need to be different from the default settings.
  • implements validation and verification checks which halt distribution if they fail.
• filepp - a macro pre-processor written in Perl. Similar to cpp but better and simpler to use than m4.
  • used with an extensive set of macros for rdist to make specifying common operations easier
    • saving of N copies of a file on the remote host
    • force execution of commands on remote hosts
    • rule to report the target (remote) file name
    • diff a remote file with the config copy
    • others (see the automatically generated macro documentation)
  • Can be obtained from http://www.cabaret.demon.co.uk/filepp.
• rdist - distribution program which is supplied by most Unix vendors. Version 6 of rdist (which is the current release at the time this was written) is preferred.
  • provides file distribution and remote command execution functionality
  • an intro to rdist and its syntax can be found at http://www.benedikt-stockebrand.de/rdist-intro\_e.html
• sed - a program used for file processing. The one installed on your operating system should work fine.
• sudo - used to provide elevated privileges while being able to track the actual user performing the execution via the SUDO_USER variable. This is technically optional and can be bypassed by using su and setting the SUDO_USER variable manually, but the use of sudo is strongly encouraged.
• robodoc (optional) - extracts specially formatted comments from source files into mtml, text and other forms of output. It is used to extract the documentation of filepp macros, makefiles, firewall rules etc.

1.4  DACS Documentation

• Basic introduction and concepts
• Training Docs
• Reference

1.4.1  Basic introduction and concepts

1.4.2  Training docs

1.4.3  Reference section

• DACS database section 3 - all you want to know about the database and generating reports from it.
• DACS version control section 4 - using a version control systems (primarily subversion) with DACS.
• DACS build section 5 - using the build system with DACS
• DACS distribution section 6 - distribution of files and commands with DACS

• Dacs Advanced section 8 - advanced topics

• DACS appendix section 9 - appendix

• DACS Glossary section 10 - glossary of terms

1.5  Getting Started

• Read this chapter
• Read Using Dacs section 2 to get a feel for how things fit together and the types of operations you will be doing.
• Install the required tools on your system (if you run Linux most of these will be prepackaged) listed in the third list of section 1.3.
• Then visit the Appendix section 9 for instructions on importing the repository for testing and creating a working copy.
• Add some hosts to Config/database/db as you read the "database" system section 3.
• Create a Config/distfile/distfile.base while reviewing Dacs distribution section 6 and use make files-report to see what files would be installed. Maybe even set it up to install a file in /tmp so you don't make any operational changes.
• Check in your changes and create a master repository at /config following the directions in Creating DACS CCM master trees section 9.4 (Use the file:/// access method is you haven't set up an ssh based repository.)
• Set up your client host(s) following one of the methods in Setting up ssh access from the master to clients section 9.2.
• Try distributing to a client.

1.6  Acknowledgments

• Rick Martin - Sysadmin Computer Science department at the University of Massachusetts who provided the basic idea and my editor for the original Config paper.
• Tom Bechard - System administrator where most of the initial development for Config occurred.
• Nerayan Desai - for some in-depth discussions of CM and how to improve performance.

• Darlene Choontanom
• Devdas Bhagat <devdas at dvb.homelinux.org>
• Nate McKervey

Chapter 2
Using DACS

2.1  Use case troubleshooting a problem

cd DACS/httpd
svn up
svn log -v |less

------------------------------------------------------------------------
r1034 | rouilj | 2008-12-13 18:54:31 -0500 (Sat, 13 Dec 2008) | 22 lines
Changed paths:
   M /repository/Config/work/httpd/conf.d/authenticate.conf

ticket:10233 Modifying to authenticate against the L3DAR ldap server
used for external authentication rather then the L1DFS ldap server.

1. change it back to what you think it should be (possibly breaking things in a different way).
2. start asking around to try to find out why authenticate.conf changed.
3. look at a backup of the file from last Thursday (the last day it was known to work). Maybe the change in the authenticate.conf file is correct and occurred before last Thursday.
4. look at the sudoers and su logs to see who may have changed the file between last Thursday and today.
5. shuffle the ticket off to somebody else.

yeah of course that was easy he documented in the log message all the info he needed. Most people never do that.

 ticket:10233

2.2  Use case recovering from a dead host

machine = box01.example.com
cluster = site_mia1 operations production
disk = WD5000YS(500B) WD5000YS(500GB) WD5000YS(500B) WD5000YS(500GB)
os = Centos 5.1
services = NTP1
services = APACHEINT SUGARCRM TWIKI_DEVELOPMENT
uses = RAID3WARE_8006

• Running one of the top level NTP servers (the name (NTP1) indicates that it has redundant backups at NTP2, NTP3. We can verify this by searching the database.)
• Run apache whch supplies
  • the Sugar CRM application used by sales
  • the TWiki instance used by development

sudo /config/Rdist -m box21.example.com

• install the Sugar CRM package
• push the apache configuration file needed to access Sugar
• install the configuration file for the Sugar software (that connects to the database ...)
• do the other fiddly bits needed to make it work: change dns for crm.example.com to point to box21.example.com etc.

2.3  Use case modifying a managed resolv.conf

svn checkout svn+ssh://dacsuser@dacsmaster/repo/Config/work DACS

   ticket:2345 brought up a new dns server for redundancy at the lax1
   site. Adding it to the site-wide resolv.conf so systems can use it.

 sudo /config/Rdist label

2.4  Use case setting up to manage sudoers file

• the file lives at /etc/sudoers, so somewhere under the etc directory makes sense.
• there is also a users directory with configuration files for particular users, and since sudoers configures users to do certain tasks with elevated privileges this may be a good spot.

svn add etc/sudoers
svn propset svn:unix-mode 400 etc/sudoers/sudoers
svn commit etc/sudoers

etc:
$C/etc/sudoers/sudoers -> ${ALL_HOSTS}
        SAVEINSTALL(/etc/sudoers, 3);

etc.sudoers:
etc:
$C/etc/sudoers/sudoers -> ${ALL_HOSTS}
        SAVEINSTALL(/etc/sudoers, 3);

• it pushes the file located at $C/etc/sudoers/sudoers, (i.e. the file you just created under the CCM that Rdist is running from. $C stands for the current configuration root).
• to (->) some hosts. In this case is pushes it to the predefined class ALL_HOSTS which includes all the DACS managed hosts.
• SAVEINSTALL installs the file at /etc/sudoers on each host saving the 3 prior copies of the file.

2.5  Use case set up to manage ntp.conf on all hosts from database

2.5.1  Planning the network time protocol setup

• the services a host supplies section 3.2.2

• services the host uses section 3.2.2

1. create a new directory ntp
2. in the ntp directory create a subdirectory dist that will hold the generated files that are to be distributed
3. create a Makefile that will query the database (using dbreport) and extract the IP addresses of the three NTPx servers to include in an ntp.conf file that is sent to the NTPCLIENT machines. This file will be located in dist/clients.conf.
4. manually create the files ntp_root.conf that will be used to generate the files: dist/ntp_root1.conf, dist/ntp_root2.conf, dist/ntp_root3.conf to be pushed to the three top level servers.
5. modify Config/distfile/distfile.base to push the three dist/ntp_rootX.conf files to the hosts in the NTP1_HOSTS, NTP2_HOSTS and NTP3_HOSTS classes. (Note: all services values generate classes ending in _HOSTS.)
6. modify Config/distfile/distfile.base to push the dist/clients.conf file generated by the Makefile to the hosts in the NTPCLIENT_SLAVES class. (Note: all uses values generate classes ending in _SLAVES.)

• login to each machine and a manually edit the file
• run some remote command from a master machine that loops over all the hosts. Have the command edit the configuration on each machine. You hope the command script is robust enough to not get confused on some variant of the config file that leaves the system broken.

Chapter 3
The "database" system

• the database file
• the db_report command that verifies and quieries the database

3.1  What does the database provide

3.2  The database file

machine = host1.example.com   (*)
alias =  host1
arch =  i686
cluster = site_lax1 host_dev host_qa (*)
comment = this is an old machine and should go away
contact = steve@example.com
cpu = intel
disk = WD2500AB(250GB) WD5000YS(500GB)
enet = 00:00:34:02:00:ab
enet_card = forcedeth
enet_if = eth0
hostid = 667154
hub = switch1
hub_port = 10
ip = 192.168.4.3/24 (*)
location = LAX rack 105.4 U 23-26
maint_info = support contract A40560 till 12/01/2007
model = AS1445
os = CENTOS 5.2 (*)
patches = forecedeth
pmemory = 16G
purpose = generic dev/qa box
rdist = yes (*)
services = APACHE TOMCAT (*)
services = SSHD (*)
sn = 667154
tag = A0112
uses = 3WARE NTP (*)
wall_plug = cable  5

machine = host1.example.com
cluster = site_lax1 host_dev host_qa
ip = 192.168.4.3/24
os = CENTOS 5.2
rdist = yes
services = APACHE TOMCAT
services = SSHD
uses = 3WARE NTP

services = APACHE SSHD TOMCAT

• DACS should operate with minimal resources. It is possible to override most of the safety checks and distribute files even if things are very broken.
• For redundancy you can have multiple DACS master hosts. Each must be able to work independently. Using a real database would require multiple synchronized db setups and further raises the requirements.
• How do you version control a database? If somebody makes and commits a mistake in the database, how do you get back the prior configuration? The mysql database files aren't under version control, so what mechanism would allow a rollback to a known good configuration?
• Some file based mechanism like SQLite may work, but there is still the problem of defining a normalized schema.

3.2.1  Keyword definitions

• the keyword name
• whether the keyword can be used multiple times. If so then the values are concatenated.
• the format of the value
• a description of when it's used

subnetmask

specified with the ip keyword by using a CIDR or netmask format. For example 1.2.3.4/24. Be consistent and choose only one way of specifying the mask. Otherwise searching on the netmask will be a pain. No conversion between forms (CIDR/netmask) is done.

isbase

set to yes if the machine definition does not include the base keyword. Set to no otherwise. Note that the base keyword is always set section 3.2.3 even if base is not specified.

3.2.2  Further comments on the service, users, cluster and os keywords

services section 3.3.1.2

the list of services provided by this host. Usually involved running a daemon of some sort.

uses section 3.3.1.3

the list of services that a host uses or local configuration information about the system.

cluster section 3.3.1.1

Other info about a host such as site info, system role (production vs. development vs. test). Basically anything you want to classify that doesn't fit into the uses/service or os keywords.

os section 3.3.1.4

The os and version of the OS running on this machine.

1. If the system with this configuration value dies, will you need to replicate the configuration bound to the token on another host?
2. Is this something that describes the system hardware or software?
3. Is this an administrative or other external to system configuration item (e.g. location)?

• The configuration of an LDAP or NIS server is a service. You will need to bring up a replacement server/service if the host running it dies.
• If a host needs a particular script run to set up autoverify on its 3ware card, then the token identifying the system as running a 3ware controller belongs to the uses keyword.
• If the machine is located in Los Angeles and is used by development, these tokens are part of the cluster keyword.

3.2.3  Inheriting information from another host (creating child host)

Machine = tiger-if2.example.com
base = tiger.example.com
enet = 00:07:e9:e6:e4:85
hub = sc02_mht1
hub_port = 15
ip = 138.84.130.136/26
rdist = no
wall_plug = (cable unlabeled)

  machine = a.example.com
  ...
  [no base keyword is used]

  machine = a-if1.example.com
  ...
  base = a.example.com
 ...

  machine = a-if1-1.example.com
  ...
  base = a.if1.example.com

• use the dbreport option -s 'isbase:/no/'

• use the dbreport option -n 'isbase:/yes/'

dbreport -f base -s 'machine:/ftp.example.com/'

dbreport -f machine -s 'machine:/server.example.com/|isbase:/no/'

3.2.4  Representing multiple IP addresses for a host

Machine = tiger-if1.example.com
base = tiger.example.com
enet = 00:07:e9:e6:e3:85
hub = sc02
hub_port = 15
ip = 227.136.10.23/26
rdist = no
wall_plug = (cable unlabeled)

3.2.5  Using a unique IP address for a service (e.g. DNS)

1. Define the service DNS in dbreport
2. Add the service (e.g. services=SSHD ... DNS ...) to 'server.example.com', which will be the base host for 'dns'. 'server.example.com' will have 'rdist=yes' set in its database entry.
3. Define a new machine with a new name (e.g. 'dns.example.com') and set its ip parameter to the IP address for the service (e.g. 192.168.1.23). Set its base parameter to the base host (e.g. base=server.example.com) and set the single service it provides (e.g. services=DNS).

dbreport -l -s 'services:/DNS/|rdist:/yes/'

for host in `dbreport -l -s 'services:/DNS/|rdist:/yes/'`
do
  dbreport -f ip -s "base:/$host/|services:/DNS/' -n 'isbase:/yes/'
done

3.3  Database output (class definitions)

• intersection
• difference
• union

3.3.1  Class Types

1. clusters section 3.3.1.1 - groupings by location, device purpose (e.g. network, external)
2. services section 3.3.1.2 - configuration of the box that is meant to be used by other software/systems or users.
3. uses section 3.3.1.3 - a local configuration option for the system, or a service that is used by the host.
4. operating system section 3.3.1.4 - classes per operating system and version and optionally arch and kernel arch.

3.3.1.1  Clusters

3.3.1.2  Services

3.3.1.3  Uses

3.3.1.4  OS/Arch/Karch

  CENTOS_4.3
  CENTOS_4.X
  CENTOS_HOSTS

  CENTOS_Ax86_64_5.1 - 64 bit hosts running centos 5.1

  CENTOS_Ax86_64_5.2 - 64 bit hosts running centos 5.2

  CENTOS_Ax86_64_5.X - 64 bit hosts running any version of centos 5

  CENTOS_Ax86_64_HOSTS - 64 bit hosts running any version of centos

  FEDORA_Ai686_2.0 - 32 bit host running fedora 2.0

  SOLARIS_Ai86pc_5.10 - Solaris box running Solaris 5.10 (I assume 64 bit)

  CENTOS_5.1 - all hosts running Centos 5.1
  CENTOS_5.X - all hosts running any version of Centos 5
  CENTOS_HOSTS - all hosts running any version of Centos

  CENTOS_Ax86_64_5.1 - 64 bit hosts running Centos 5.1
  CENTOS_Ax86_64_5.X - 64 bit hosts running any version of Centos 5
  CENTOS_Ax86_64_HOSTS - 64 bit hosts running any version of Centos

  CENTOS_Kx86_64.opteron_5.1 - 64 bit hosts with karch of x86_64.opteron
                              (i.e. opteron processor) running centos 5.1
  CENTOS_Ki386.xeon_5.X - 32 bit hosts running xeon processor

3.4  dbreport

3.4.1  The command line

/config/Config/bin/dbreport: [-l | h | r | f field[:field]]
         [-d "string"] [-D "string"] [-GH]
         [-F "format"] [-[sn] <field>:/pattern/[|field:/pattern/]* ]
         [database_file(s)]

 Output type selectors
  r - rdist group style output (default)
  l - list of host names
  h - /etc/hosts style output.
  f - output the values for a list of colon separated fields.


 Output format selectors with -f flag.
  d - delimiter between fields in f style output
  D - delimiter at end of line for f style output
  F - format string with %f replaced by field name and %v replaced by value.
                E.G. '<tr><th>%f</th><td>%k</td></tr>' will create a single row in
                a HTML table.
  H - make first line a header line

 Misc
  G - enable debugging output

 Machine selectors
  n - select machines with field(s) not matching pattern(s).
  s - select machines with field(s) matching pattern(s).

 Patterns are Perl regular expressions. A | (alternation) can be used
 in a regexp provided it is not preceded with a /. If you need to
 match /| in a pattern use [/]| instead.  Multiple field:/pattern/
 pairs are and'ed together so the machine MUST have all patterns pass.

 Use -? to get this help.

3.4.2  Examples of dbreport usage

3.4.2.1  Query selection tips

  -s 'os:/(?i)centos\s+5/|cluster:/site_lax1/'

  -s 'cluster:/site_lax1/|cluster:/site_mia1/'

  -s 'cluster:/site_lax1|site_mia1/'

  -s 'os:/(?i)centos|solaris/'

  -s 'os:/(?i)centos|solaris/' -n 'os:/(?i)solaris\s+10/'

  -s 'os:/(?i)centos|solaris\s+9\./'

  ip:/2.21/|2.220/

  ip:/2.21[/]|2.220/

3.4.2.2  Get a list of all machines in database

• /config/Config/bin/dbreport -l

a.example.com androscoggin.example.com b.lax1.example.com ...

3.4.2.3  Get a list of all our machines in database

• /config/Config/bin/dbreport -l -s 'machine:/\.example\.com$/'

• /config/Config/bin/dbreport -l -n 'cluster:/external/'

3.4.2.4  List hosts with a particular OS

• /config/Config/bin/dbreport -l -s 'os:/(?i)centos\s+4\.5/'

dns.lax1.example.com s2-e1.lax1.example.com s2.lax1.example.com

3.4.2.5  Find all entries/interfaces/IP addresses for a given host

• /config/Config/bin/dbreport -f ip -s 'base:/s1.lax1.example.com/'

  192.168.2.1
  192.168.2.23
  192.0.2.72

 /config/Config/bin/dbreport -f ip:machine -d" " -s 'base:/s1.lax1.example.com/'</verbatim
to produce:
{\small \begin{verbatim}
  192.168.2.1 s1.lax1.example.com
  192.168.2.23 ldap.lax1.example.com
  192.0.2.72 ftp.example.com

• /config/Config/bin/dbreport -h -s 'base:/s1.lax1.example.com/'

  192.0.2.72    ftp.example.com         s1
  192.168.2.23     ldap.lax1.example.com   ldap.lax1
  192.168.2.1      s1.lax1.example.com     s1

3.4.2.6  Finding a host with a given Ethernet or ip address

• /config/Config/bin/dbreport -l -s 'ip:/192.0.2.72/'

• /config/Config/bin/dbreport -l -s 'enet:/^00:30:84/'

3.4.2.7  Getting only the primary machine name

% /config/Config/bin/dbreport -f machine -s 'os:/(?i)centos\s+5\.3/'
s2.lax1.example.com
dns.lax1.example.com
s2-e1.lax1.example.com

  rdist:/yes/

%/config/Config/bin/dbreport -l -s 'os:/(?i)centos\s+5\.3/|rdist:/yes/'
s2.lax1.example.com

% /config/Config/bin/dbreport -l -s 'os:/(?i)centos\s+5\.3/' -n "rdist:/no/"
s2.lax1.example.com

% /config/Config/bin/dbreport -l -s 'os:/(?i)centos\s+5\.3/|isbase:/yes/'
s2.lax1.example.com
% /config/Config/bin/dbreport -l -s 'os:/(?i)centos\s+5\.3/' -n "isbase:/no/"
s2.lax1.example.com

3.4.3  Changing dbreport

1. changes to the clusters, services, uses, patches or os value lists
2. changes to the keywords defined in the database

3.4.3.1  Adding/changing cluster, services etc

#****d* service_list/SSHDEXT
#* NAME
#* SSHDEXT - Runs ssh server with external interface
#* DESCRIPTION
#* Runs the ssh server and allows access from the Internet. Modifies
#* services list, firewall rules and ssh configurations.
#******
    'SSHDEXT' =>  '',

3.4.3.2  Adding a new keyword to the schema or change its verifier pattern

    'alias' => '0',

    'ip' => '1|[0-9.X]+(/[0-9]{1,2})?',

[0-9.X]+

Allow any sequence with one or more digits 0-9, periods and the letter X. So an ip could be 192.168.X.X, or 173.34.56.78. The regular expression could be better written as it also allows 123456789 and 999.999.999.999 which are obviously invalid but it catches most typos.

(/[0-9]1,2)?

Allow 0 or 1 copies (i.e. it's optional) of a '/' followed by 1 or 2 digits. Again this allows /44 which is invalid, but it catches most cases.

'rdist' =>  '1|yes|other|request|no'

    'enet_if' => '1|eth[0-9](?:[:.][0-9])?|nge[0-9]|lo:[0-9]+',
    # the name for the ethernet interface. eth0, eth1:1, lo:0 nge0 for Solaris.

    'enet_if' => '1|eth[0-9](?:[:.][0-9])?|nge[0-9]|lo:[0-9]+|eri[0-9]+',
    # the name for the ethernet interface. eth0, eth1:1, lo:0 nge0 for Solaris.

3.5  Special circumstances and configurations

3.5.1  Deploying multiple redundant servers

• NTP1_HOSTS intersected with site_lax1_C_HOSTS and
• NTP2_HOSTS intersected with site_lax1_C_HOSTS

3.6  Standard database reports: wiring, asset, labels

3.6.1  Obtain a report of all your assets in the database

assets - series of targets for generating asset reports
SYNOPSIS
  cd Config/database; make assets.csv assets.html assets.print
PURPOSE
This target generates asset listings in different
formats. For print, it generates latex that is converted
into postscript output suitable for sending to a
postscript printer. HTML output is in a tabular
format. CSV format can be imported into excel or other
spreadsheet program for analysis.

• Tag (inventory) number
• Name (sort field)
• Description
• Location

3.6.2  Print labels to apply to hosts

NAME
   label - a target for generating host labels.
SYNOPSIS
  cd Config/database; make labels.print
PURPOSE
This target generates labels for placing on equipment.
It generates latex that is converted into postscript
output suitable for sending to a postscript printer.

3.6.3  Obtain a report of the wiring layout for your systems

NAME
   wiring - series of targets for generating wiring reports
SYNOPSIS
  cd Config/database; make wiring.csv wiring.html wiring.print
PURPOSE
This target generates a wiring report in different
formats. For print, it generates latex that is converted
into postscript output suitable for sending to a
postscript printer. HTML output is in a tabular
format. CSV format can be imported into excel or other
spreadsheet program for analysis.

• machine name
• contact person
• location
• wall_plug
• hub
• hub_port

Chapter 4
The Version Control System (VCS)

4.1  What does the VCS provide

• recovery from bad configuration changes. Since it records every known state of the configuration tree, it is possible to roll back to a prior working state.
  While it is possible in an emergency to distribute a configuration tree that is not stored in the VCS, a number of features in the Rdist script have to be explicitly bypassed.
• validation of files before check-in. This helps prevent incorrect files, which would break working systems, from being checked into the VCS.
• collection and review of documentation on configuration changes. In addition the documentation (change log notes) can be validated. For example you can require a trouble ticket identifier to be included in the log to link the change back to the requirements that made the change necessary. It can forward the log message from a check-in messages into the associated ticket(s) to reduce the documentation burden. Also it can notify other admins by forwarding the log and and difference report to a mailing list. This allows post check-in peer review of changes.
• delegation of access to files in the VCS. Specific users can do their jobs more efficiently by having change access to specific files.

• separate production and work trees to enforce a process for deploying changes. This prevents un-reviewed changes from being pushed to production.
• tracking changes to vendor supplied files. This makes upgrading to new OS releases or newer versions of software easier and less prone to error.

4.2  Which VCS

• subversion
  • makes moving directories and other restructuring of the CCM tree easier as it also preserves history.
  • is currently tested and deployed in a working DACS installation
  • is more secure access model using ssh
  • allows easy replication of ssh repository for redundancy (using svnsync with svn 1.4 and newer)
  • is a newer VCS and is still under active development
  • makes a split test/production tree a little more difficult to implement. This is still an area where work is being done in DACS.
  • makes tracking vendor copies of files different (some say more difficult) than in CVS.
• CVS (concurrent versions system)
  • makes implementing a split work/production tree is easier and allows easy access to a full history of changes.
  • provides better support for tracking releases of vendor files
  • is a mature VCS that has been heavily used
  • makes it difficult to move directories and preserve history.
  • is currently untested in DACS
  • has a less secure access model
  • has no direct support for maintaining redundant repositories

4.3  VCS anatomy

repository

the directory where the VCS stores it's files. These files have a special format that allows the VCS to locate prior revisions of a file and track changes to the file structure.

working copy

when you modify a file, you create a copy of the files in the repository as they exist at some point in time. Usually this time is the present. This copy of the files is called a working copy and is where you will perform your changes and testing before checking the changes into the repository. The CCM working copy is subdirectory of the repository tree. The working copy is a copy of the /Config/work tree hierarchy in the repository.

revision

the recorded copy of a file or files at a given time

check-in

the act of telling the VCS to store a copy of changed file(s) in your working copy as a new revision of the file(s) in the repository.

hook scripts

these are scripts that are run by the VCS in response to user actions such as file check-in. They can validate changes to files (e.g. verify syntax), make sure that the log message has the proper information in it (e.g. a reference to a ticket) and other tasks.

4.4  VCS setup

4.4.1  Repository file structure

svn_root/Config/work -+- Distfile 
                      +- Rdist (link to Config/bin/Rdist)
                      +- Config +- bin - Rdist, dbreport, filepp
                                +- database (replaces Database in Config)
                                +- distfile (replaces Dist in Config)
                                +- lib/config/* - support files

svn_root/Config/production - same structure as work. This is actually
                             a branch of the work tree that is used to
                             push tested and reviewed files to
                             production.

svn_root/Config/vendor/vendor_dir - each vendor_dir has a similar
                         format to the work tree. This tree is used to
                         enter new vendor copies of files into config
                         with a history. E.G. we need to change
                         =/etc/rc.d/init.d/sendmail=. We define a path
                         in work to hold this file
                         (=work/rc/sendmail=). Then we define the same
                         path under the vendor branch for that release
                         (=vendor/centos_4.2/rc/sendmail=) for example
                         and check-in the unmodified vendor file. Then
                         when a 4.3 release of the file is installed,
                         we check the 4.3 version into
                         =vendor/centos_4.3/rc/sendmail= and then
                         merger the changes between 4.2 and 4.3 into
                         the work copy. (See subversion docs for
                         more information on vendor branches.)

svn_root/SVN  - a directory containing hook and conf files for the
                DACS repository. Once the hook scripts are deployed,
                they will be automatically updated upon subsequent
                check-ins to this directory.

• rollback of changes to a prior working state
• testing changes in a working copy before check-in
• multiple independent copies of the DACS system for redundancy and load balancing

config_bin

scripts used by the DACS system

cron

sample cron scripts for various purposes

etc

build system for individual host files, other assorted files

firewalls

system to build an iptables based firewall system

ntp

system to build ntp configurations for all hosts

pkgs

system for software installation in a yum environment

services

system for building a services auditing and enabling under Linux

ssh

system for recording ssh keys and generating known_hosts file for distribution

users

files for managing files associated with users

4.4.2  Sample SVN configuration and hook files

• a pre-commit script that
  • allows access if the check is a replication request
  • checks to see if the repository is locked from commits
  • checks to verify a non-blank commit comment that includes a reference to an RT ticket number (specified as RT:3452)
  • checks to verify the syntax of the users/sudoers/sudoers config file
  • checks to verify the syntax of executable scripts
• post-commit script to perform actions on the newly checked in files that:
  • updates the subversion control files for the repository (which are maintained under svn) and installs a new authorized_keys file for the repository owner/account from the subversion update
  • saves a commit log entry in the commit-log
  • exits the script if this check-in was due to a replication request
  • sends email about the commit to users
  • synchronizes the repository to its replicas if it is run on a master repository
• pre-revprop files that controls values of meta information (e.g. author, date) assigned to a check-in that
  • allows the change if it was called as a result of replication
  • allows addition of new values, but prevents changing of old values
• post-revprop file that handles completed value changes that
  • records property changes in the commit-log
  • synchronizes the repository to its replicas if it is run on a master repository

• conf/authzfile that defines default access rights compatible with DACS and includes authorization for the dacsuser repository owner.

• slave_urls - contains the urls (svn+ssh://...) to one or more subversion repositories that should be kept in sync with the master repository
• authorized_keys - this is a copy of the authorized_keys file for the owner of the repository. The hook scripts will install this file in ~/.ssh/authorized_keys so you can track changes to this file. The distributed copy of this file has invalid sanitized public keys, but it demonstrates the basic format and settings for the file.

4.4.3  SVN Access controls

[groups]
admins = you
others = somebodyelse

[/]
@others = 
@admins = rw

[/Config]
root = r
@admins = rw

[/Config/work/mail/address]
others = rw

 admins = you

 admins = you, me

4.4.4  Delegation of access to a non-admin user

# allow fred access to modify the hosts file
# note that this is a directory with a single file (hosts) in it
# that is validated by the build system and merged into hosts files.
[/Config/work/etc/hosts/fredchanges]
fred = rw

4.4.5  Setting owners, groups and permissions

• svn:owner
• svn:group
• svn:unix-mode

4.5  Workflow under the two VCS

• perform a checkout of the portion (or whole) CCM work tree.
• update the files using the editor
• verify your update
• check the files into the VCS with a log message
• run Rdist to pull the changes from the work tree and distribute

work

this tree is where all the changes occur. When it is checked out to make a master tree, the Rdist command recognizes the location and will restrict the hosts that can be updated from the tree. This is also called the test tree as it is used for testing changes to the configuration.

production

this tree gets copies of files taken from the work tree that have passed some validation mechanism/process to be promoted to production status. The Rdist command recognizes this tree and permits it to update all the hosts that are defined.

4.5.1  Workflow in a split work/production implementation

• update the test distribution tree
• generate new copies of any files needed by the target hosts
• push the changes to the test hosts

• the person who checked the changes into the work/test tree can not promote the changes to the production tree
• only a subset of people can promote files to the production tree

4.5.2  Promoting from work to production

• a CCM working tree (/config) that is stuck (a ßticky tag") to the PRODUCTION tag (cvs co -r PRODUCTION configtree)

• tag the files in the work tree that are to go into production with two tags (using cvs rtag):
  PRODUCTION and PRODUCTION_uniqueid
  where uniqueid may be a datestamp or some other unique identifier.
• note that this tagging occurs in the repository with no working copy. So there is no way of getting a file that wasn't checked into the work tree. Hence you should always be able to revert production to a known prior tested state.
• then a cvs update (done by Rdist) of the production tree will install the newly tagged PRODUCTION files and distribute them.

• a history of all the files/changes moved into production identified by the PRODUCTION_uniqueid tag on the files.
• the ability to see the entire history of the current files in production by using cvs log on the file in the checked out production tree.
• the ability to rollback a change by finding the prior PRODUCTION_uniqueid tag and re-tagging that revision with the PRODUCTION tag.

4.5.2.1  Promoting from work to production (svn method 1)

• a CCM tree checked out that is stuck to the most recent (HEAD) of the PRODUCTION copy of the files (svn co svn+ssh://dacsuser@dacsmaster/repo/Config/production rather than the work tree located at: svn co svn+ssh://dacsuser@dacsmaster/repo/Config/work)

• deleting the current copy of the file in the production tree and coping in a replacement file from the development tree that you want to promote to production. Note that all these operations are strictly in the repository
  • svn rm svn+ssh://dacsuser@dacsmaster/repo/Config/production/example/file
  • svn cp \ svn+ssh://dacsuser@dacsmaster/repo/Config/work/example/file@version \ svn+ssh://dacsuser@dacsmaster/repo/Config/production/example/file
  • this creates two separate revisions in the repository (one remove and one copy) unless you use a tool such as mucc to make it into a single atomic revision/transaction.
  • since these operations are all in the repository, there is no way to promote a file that wasn't recorded in the repository, which is a good thing.

svn list -v svn+ssh://dacsuser@dacsmaster:/repo/Config/work/users/sudoers/sudoers
         628 rouilj               28299 Jun 01 18:35 sudoers

svn rm svn+ssh://dacsuser@dacsmaster:/repo/Config/production/users/sudoers/sudoers

svn copy svn+ssh://dacsuser@dacsmaster:/repo/Config/work/users/sudoers/sudoers@628 \
 svn+ssh://dacsuser@dacsmaster:/repo/Config/production/users/sudoers/sudoers

• svnlook changed --copy info to find the source path and version of the files in the work tree
• svnlook history source_file to find the revision the source file was changed in prior to the copy operation
• svnlook author revision to find the author of the last change

[groups]
admins = you, somebody
promoters = boss, you

[/]
@others = 
@admins = rw

[/Config]
root = r
@admins =

[/Config/work]
@admins = rw

[/Config/production]
@promoters = rw

4.5.2.2  Promoting from work to production (svn method 2)

• check out a local working copy of the production tree
• perform an svn merge from the revisions on the work tree to get the changes between the version in the production tree and the version you want to promote to production.
• check-in the new file version to the production tree.

4.5.3  Tracking vendor releases

• the vendor branch/tag would live in vendor/centos_4.3/etc/file
• the distribution copy would live in work/etc/file

• changes from the vendor/centos_4/etc/file
• changes from the vendor/centos_5/etc/file
• changes from the vendor/solaris_10/etc/file

Chapter 5
The Build System

5.1  What does the Build System provide

• Once in the DACS database where it drives the distribution system
• In one or more configuration files

• generate new copies of these files with the new DNS server assignments or
• verify that these files still have valid DNS information

• generates configuration files for hosts using information from the database or information from other configuration files contained in the DACS CCM tree to generate correct and consistent operation.
• validates configuration files against other files in the DACS CCM tree to verify that the information is correct.
• provides a mechanism for generating individual configuration files for every host based on the attributes of that host. E.G. iptables files can be generated that allow access to port 80 only if the host is running the Apache web server.
• provides a mechanism to generate output files from input files that have change rights delegated to non-admin users. This allows non-admin users to modify portions of a larger configuration file.
• sets owner, group and mode of files in the DACS CCM tree so that they are installed on remote machines with proper settings.

5.2  Build system setup

5.3  Makefile template

all: [default_files_to_generate]
verify: all

.PHONY: all verify

5.4  Setting modes, owner and groups

all: security

security:
	chmod 755 file1
	chgrp 123 file1
	chown 456 file1
	chown bin file2
        ...

.PHONY: security

• svn:owner
• svn:group
• svn:unix-mode

   svn propset svn:unix-mode 600 <file/directory>

# define location of root of the config tree.
RELATIVE_TOPDIR=..

# include this makefile to define:
# security target that will set owner/group/perms from svn properties.
# also individual modes, user and group targets
include $(RELATIVE_TOPDIR)/Config/lib/config/Makefile.permissions.include

all: security

verify: all

• make .set_modes - to set just the modes of the files
• make .set_group - to set just the groups of the files
• make .set_owner - to set just the owners of the files

5.4.1  Implementation notes

5.5  Reducing dbreport invocations (using a per host cache)

dist/%: ../Config/database/db Makefile
	some commands

# define location of root of the config tree.
RELATIVE_TOPDIR=..

# define this makefile for dependencies below.
# this can be modified by included makefiles to
# be a list of all makefiles 
ALL_MAKEFILES:=$(word $(words $(MAKEFILE_LIST)),$(MAKEFILE_LIST))

# override the default selector given to dbreport.
# VALID_HOSTS for this makefile are hosts that do not have the NOFIREWALL
#	uses clause and do not have rdist set to no.
DBREPORT_SELECTOR:=-n 'rdist:/no/|uses:/\bNOFIREWALL\b/'

# include this makefile to define:
# VALID_HOSTS, default value of SPEC_HOSTS and rules needed to create
# .sum files and cached info files.
include $(RELATIVE_TOPDIR)/Config/lib/config/Makefile.md5cache.include

# Create the list of files to be created. Select elements of the
# (optionally) defined SPEC_HOSTS macro which defaults to all VALID_HOSTS.
per_host_files:=$(addprefix dist/,$(filter $(SPEC_HOSTS), $(VALID_HOSTS)))

# Define the default targets
all: $(per_host_files)

verify: all

dist/%: $(ALL_MAKEFILES) .sum/% <other files, templates ...>
	build commands using the per host database cache files
	located at $(HOST_CACHE)/$* for each host

RELATIVE_TOPDIR

the location of the root of the DACS CCM tree relative to the Makefile

ALL_MAKEFILES

this setting should be copied verbatim and includes the paths to all the makefiles involved in generating the files.

DBREPORT_SELECTOR

the setting of DBREPORT_SELECTOR is optional and by default includes all the hosts in the DACS database that do not have their rdist value set to no). It is passed to the dbreport command (see DacsDatabase) to refine the list of hosts that are generated. In the example above it removes hosts not under DACS control and that do have the uses  ... NOFIREWALL ...= value set indicating that they do not use a unique firewall from DACS.

5.5.1  VCS Interaction

5.5.2  Adding new data to the host caches

# if the host provides FTP service, capture that external IP address
# and record it.
FTPEXTSVCIP="`${DBREPORT} -f ip -s "base:/^${HOST}\$/|services:/\bFTPEXT\b/" \
     -n 'isbase:/no/' ${DB}`"
if [ -n "$FTPEXTSVCIP" ]; then
echo "#define FTPEXTSVCIP $FTPEXTSVCIP" >> ${CACHEFILE}.$$.tmp
fi

#ifdef FTPEXTSVCIP
  #if FTPEXTSERVICE ne ""
-A IN -d FTPEXTSVCIP -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT 
  #else
  #undef FTPEXTSVCIP
  #error HOSTNAME has a null value for FTPEXTSVCIP
  #endif
#endif

-A IN -d 192.0.2.72 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT 

If a system provides the FTPEXT service, it must have a unique IP address for that service, and only ftp requests to that IP address will be accepted.

5.5.3  The internals

        dist/A.file -------+
                           +--- database
        dist/B.file -------+

        dist/A.file --- A.report ---+
                                    +--- database
        dist/B.file --- B.report ---+

report.%: database

        dist/A.file --- .sum/A.md5 --- A.report ---+
                                                   +--- database
        dist/B.file --- .sum/B.md5 --- B.report ---+

5.5.4  Performance of caching

• the firewall configuration template is processed for every host (approx 90) to produce the output file.
• The database cache files are used by filepp to process the template

• In 'update database host A' a change was made to the IP address of one of the 90 hosts. Then make was run.
• In 'update template' the firewall configuration template was changed. Then make was run.
• In 'update with no change' make was run and it has to run no commands.

5.6  Using templates and other file processing tasks

• It reduces the number of files that require hand editing. For example, the hosts file for every host has it's own name and IP address in it. At one site I worked at we also included the DNS server and LDAP server information. The dns servers and ldap servers were defined in a separate file (the database) and the per host files were generated using this info. So to change a DNS server, required editing one file and the build system generated the 100 individual hosts files.
• It also reduces the change of errors from fatigue while editing all the files.
• The files generated from templates show less variation than manually maintained files. This makes developing programs to do changes to them, or audit them easier since there are fewer error conditions to consider.
• It reuses information in the database rather than embedding it into a configuration file. When the database is changed, the configuration file automatically gets the update.

• It takes time to generate the files. If you only need three files, it may be faster to manually maintain them. Although you increase the risk of having out of date information in those files.
• The time spent implementing the file generation could be better used elsewhere.

5.6.1  Using filepp

• macro expansion
• foreach loops
• conditionals
• and other processing (including set manipulation)

5.6.1.1  Macros

#define MACRO REPLACEMENT
MACRO

5.6.1.2  Conditionals

#ifdef MACRO
macro is set
#else
macro is not set
#endif

#if MACRO !~ /REPLACEMENT/
...
#endif

#if "MACRO" eq "REPLACEMENT"
...
#endif

5.6.1.3  Foreach loops

#foreachdelim /\s+/
#define arguments a b, c d

#foreach THING arguments
the current element is THING
#endforeach

the current element is a
the current element is b,
the current element is c
the current element is d

5.6.1.4  Include statements

#include "test.fpp"

5.6.2  Basic directive/command examples

#pragma filepp UseModule foreach.pm
#foreachdelim /\s+/

#include "filepp.classes"

• FILEPP_SSHD_HOSTS - hosts running (the service) sshd
• FILEPP_CENTOS_4.X_HOSTS - hosts running some variant of the Centos 4 operating system

#if "LOCALNET" !~ /^[0-9.]+\/[0-9.]+$/
  #error LOCALNET not properly defined should be ip/netmask is 'LOCALNET'
#endif

## ssh firewall rules
#if "SERVICES" =~ /\bSSHDEXT\b/
# allow all ssh traffic
-A IN -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT 
#else
  #if "SERVICES" =~ /\bSSHD\b/
# allow internal ssh traffic only
    #if "OS" =~ /FEDORA_2/
-A IN -s 192.168.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
    #else
-A IN -s 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT 
    #endif
  #endif
#endif

-A IN -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT 

#foreach SNMP_IP SNMP_COLLECTOR_IPS
-A IN -s SNMP_IP -p udp -m udp --dport 161 -j ACCEPT 
#endforeach

#define SNMP_COLLECTOR_IPS 192.168.1.1 192.168.3.1 192.168.5.1

-A IN -s 192.168.1.1 -p udp -m udp --dport 161 -j ACCEPT 
-A IN -s 192.168.3.1 -p udp -m udp --dport 161 -j ACCEPT 
-A IN -s 192.168.5.1 -p udp -m udp --dport 161 -j ACCEPT 

5.6.3  Performing set operations with host classes

• difference
• intersection
• union (straight addition)

#pragma filepp UseModule foreach.pm
#pragma filepp UseModule predefine.pm
#pragma filepp UseModule predefplus.pm
#foreachdelim /\s+/

5.6.3.1  Difference (FILEPP_SET_A - FILEPP_SET_B)

#define FILEPP_SET_A bar baz bax bam
#define FILEPP_SET_B baz bam

#foreach HOST FILEPP_SET_A
  #if " FILEPP_SET_B " !~ / HOST /
put stuff here that should occur for hosts/items in FILEPP_SET_A but
not in FILEPP_SET_B.
  #endif
#endforeach

#define FILEPP_SET_A bar baz bax bam
#define FILEPP_SET_B baz bam foo

#foreach HOST FILEPP_SET_A
  #if " FILEPP_SET_B " !~ / HOST /
#predefplus DIFF_SETS_A_B HOST
  #endif
#endforeach

DIFF_SETS_A_B

5.6.3.2  Intersection (FILEPP_SET_A & FILEPP_SET_B)

#define FILEPP_SET_A bar baz bax bam
#define FILEPP_SET_B baz bam

#foreach HOST FILEPP_SET_A
  #if " FILEPP_SET_B " =~ / HOST /
put stuff here that should occur for hosts/items in FILEPP_SET_A that
are also in FILEPP_SET_B.
  #endif
#endforeach

5.6.3.3  Union (FILEPP_SET_A + FILEPP_SET_B)

#define FILEPP_SET_A bar baz bax bam
#define FILEPP_SET_B baz bam

#foreach HOST FILEPP_SET_A FILEPP_SET_B
  put stuff here that should occur for hosts/items in FILEPP_SET_A and
  FILEPP_SET_B. Note that some things may be processed multiple times
  for the same host if the host is in both sets.
#endforeach

5.6.3.4  Unique Union (FILEPP_SET_A + FILEPP_SET_B) with duplicates removed

I've written a couple of new modules that replace macros when defined, so you can do what you wanted. The modules are included with this e-mail, just copy them to your modules directory.

To do what you wanted, use #predefplus and a Perl regular expression if statement:

#pragma filepp UseModule foreach.pm
#pragma filepp UseModule predefplus.pm
#foreachdelim /\s+/

#define FOO bar baz bax bam
#define BAR baz bam blah

#foreach HOST FOO BAR
  #if "DEF" !~ /\bHOST\b/
HOST
#predefplus DEF HOST
  #endif
#endforeach

The two new modules provide the following keywords:

	#predefine macro defn
	  The  #predefine  macro  works  the  same  as the #define keyword
	  except any macros in defn are replaced at the time of the
	  definition, rather than waiting until the macro is used.

	#predefplus macro defn
	  The  #predefplus  macro  works  the same as the #defplus keyword
	  except any macros in defn are replaced at the time of the
	  definition, rather than waiting until the macro is used.

Chapter 6
Distribution of files

• owner
• group
• mode
• and contents

6.1  What does the distribution system provide

• updating files on remote systems based on file contents or modification times.
• running commands remotely when a file changes
• backing up a user definable number of prior copies of a updated file. This makes it possible to undo changes or compare prior and current files on a system without having to go through DACS. This speeds problem diagnosis and resolution when investigating a problem after an update.
  • the files can be backed up to a different directory from the installation directory. This is used when pushing files to a config directory (e.g. /etc/cron.d), where any file in the directory is considered a command file. By moving the backup to a different directory you prevent the prior copy of the file from being used.
• three types of distribution commands:
  • pre commands - runs before a file is distributed. It can be used to set up the environment to receive the distributed file, determines the state of dynamically changeable services etc.
  • installation commands - installs a file and runs commands (if needed).
  • post commands - runs after an installation command is run to verify state changes, perform cleanup, notify of pending manual actions etc.
• grouped post commands - if you have 5 files to distribute and changing any one of them requires a restart a program. This allows you to only do one restart even if all 5 files are updated (which normally would result in 5 restarts of the program).
• forcing a command to run every time it is invoked. By default commands are only run when a file is updated.
• report the file destination (on the remote machine) in addition to the source file name.
• verification targets that run when Rdist is in verify mode and allows programs to run that can verify state. Normal verification only reports file differences, this can perform arbitrary commands to determine if things are in a sane state.
• reporting differences between two files (useful for verification targets that report what will change before you distribute files)
• logging of file updates to systems

• rdist can distribute to multiple systems in parallel
• rdist can do set operations on space delimited lists of hosts
• rdist can run over ssh rather than rsh

6.2  Running Rdist

• Locks the CCM tree from simultaneous updates.
• Updates the DACS mechanisms under the Config subdirectory (including itself) from the VCS.
• Generates a Distfile from Config/distfile/distfile.base and the DACS database in Config/database/db. This adds variables to the Distfile that contain hostnames meeting some criteria. It also expands any DACS macros/syntax in distfile.base into standard rdist(1) command stanzas.
• Runs a host verify step that verifies information in the database (host name, os type and version, architecture ...) against the host. This makes sure that dns mappings are correct and that the host that Rdist thinks it's talking to is the host defined in the database.
• Determines the list of labels that are to be distributed. The label list is either given on the command line or is determined by scanning for the the automatic labels (defined below) in the Distfile.
• Determines the list of machines to be updated. These are either given on the command line with the -m machine.name flag or excluded from the default list using --exclude machine.name. The default list is generated from the DACS database by looking for machines that have the rdist keyword set to 'yes'.
• Does an VCS update of the directory corresponding to the labels it's processing to get new files and modifications.
• Invokes the build mechanism for each directory corresponding to a label it is processing if the directory has a Makefile in it.
• Invokes rdist(1) using the machine list and labels determined above to distribute the files.

• the VCS server is unavailable
• the update finds files that aren't supposed to be present and aren't marked as ignorable
• the update discovers any changed files in the tree (don't forget the DACS distribution tree should consist only of exact copies of files in the repository and files derived from them. Otherwise you can't roll back the configuration.)

6.2.1  Other Rdist options

s5.example.com s7.example.com
    /config/etc/hosts: need to update
    /config/sshd/known_hosts: need to update

s5.example.com: /config/etc/hosts: need to update
s5.example.com: /config/sshd/known_hosts: need to update

s7.example.com: /config/etc/hosts: need to update
s7.example.com: /config/sshd/known_hosts: need to update

6.2.2  Host selection and verification

• the host's name (returned by hostname) matches the one in the database
• the host is running the same os release as is specified in the database
• the host has the same architecture as specified in the database. (If no architecture is specified in the database, this check is skipped.)

6.3  Target Overrides and Rdist fragments

1. The directory is locked against other Rdist updates by creating a .locked directory with a file locker containing the username@host and process id (pid) info. The lock directory is recorded to allow deletion after Rdist exits.
2. The directory is updated from SVN.
3. If a Makefile exists in the directory, "make .targets" is executed if run in distribution mode, or "make .targets-verify" in verify mode. Note that .targets-verify is a phony target and the file should not be made. The verify target should be updated.
4. If a .targets file exists, the specified target is replaced by the contents of the .target file with a $$ in the .target file replaced by the original target. This can be used with pre/post targets to explicitly order a sequence of steps. Path targets can be used to map the target into a deep directory structure. Also the file can be empty if you use a .push file to specify an alternate distribution mechanism.
5. for each element of the target list (if a .target was found), it is updated from SVN if the target exists in the file system.
6. if a Makefile exists in the directory, make is run with no arguments in distribution mode, or a verify target in verify mode. Before running the verify target, the Makefile is scanned for the verify target to prevent it from running is there is nothing to do. If make exits with an error, the Rdist is stopped in distribute mode, but is ignored in verify mode.
7. if the .targets file was empty and a .push file exists, it is queued up for future execution.
8. if a file .rdist exists, it is appended to the master distfile. Note that targets defined in the .rdist file will not be automatically found, so a .targets file must exists if a new target is defined in that .rdist file.

6.4  Controlling Rdist: the Distfile

6.4.1  The anatomy of a Distfile entry

label:
source/file(s)/or/directories -> ( host(s) )
            install -ooptions target/file_or_directory_location/on/host;
            cmdspecial "shell command run on remote system if something changes";

NTPCLIENT_SLAVES

a list of hosts in the DACS database that have the line uses=NTPCLIENT ....  in their definition.

SSHD_HOSTS

a list of hosts running the ssh (secure shell) daemon that have service=SSHD ...  in their definition.

• perform a binary file compare rather then just checking the modification time of the file
• create a backup of the original file before it's overwritten
• ignore owner, mode or group differences
• for all the options see the rdist(1) man page.

6.4.2  Distfile Label Types and Special Purpose Labels

automatic

Specification

Automatic labels start with a lower case letter and consist of letters (upper/lower case), numbers and underscores.

Purpose

these targets are used by default when Rdist is invoked without any explicit labels. So they are automatically run if no labels are specified. They are also sometimes referred to as normal labels.

Associated Directory

the name of the automatic label is expected to be a top level directory in the DACS tree. This directory will be updated from the VCS automatically and it will be searched for a Makefile to trigger a build process.

Notes

none

verify

Specification

Verify labels are automatic labels that end in -verify.

Purpose

Verify labels are used in addition to automatic labels when Rdist -v (verify mode) is run with no labels. The rdist(1) verify mode just compares the files in the repository against the files on the host. It does not execute any commands and does not change any files. In some cases this is insufficient to actually verify that things are up to date.
For example a managed file may need local post processing to be activated/installed, so you have to undo the post-processing to see if the proper rules are in place. Rdist running in verify mode runs the '-verify' labels in distribution (not verify) mode using rdist(1). This allows file updates and commands to execute. Hence it can push files and call scripts. It can verify that an installed firewall rule set matches the spec file for the firewall rules. It can also run monitoring programs although a tool like nagios would be better suited for active monitoring.

Associated Directory

The directory update operations use the name of the label without the '-verify' suffix. So a "firewall-verify" label would update/build the firewalls top level directory. When the build occurs in verify mode, the makefile command "make ... verify" is used so you can build different things in a verify compared to a distribution run.

Notes

Verify labels should not make operational changes to the remote system. This is not enforced but unexpected and bad things can happen if this rule is violated.

partial

Specification

Partial labels have a period '.' in their names.

Purpose

Partial labels are meant to allow pushing a subset of the files under a directory. E.G. you may have an ntp target, but you can also define a target (ntp.toplevel) that pushes configuration files for only the top level ntp hosts. Or you can have a target etc.sudoers that pushes only the sudoers file among all the files under the etc directory.
It is expected that stanza's labeled with a partial label are also duplicated with an automatic label so that the files are automatically maintained.

Associated Directory

The directory update operations use the name of the label preceding the first period '.'. So a ëtc.sudoers" label would update/build in the etc top level directory.

Notes

A partial target is an automatic target with a period and trailing text. So you can not create a partial path label.

manual

Specification

Manual targets have -manual appended to them.

Purpose

Manual targets are never automatically run and must be specified manually (hence the name) on the Rdist command line in order to be pushed. These are useful for one time changes (e.g. commands to run only on initial system setup) or other temporary changes (e.g. pushing an alternate configuration that blocks Internet access) that need to be imposed.
The files managed by a manual label may be but are not expected to be managed by any other label

Associated Directory

The directory update operations use the directory preceding the -manual suffix. So "postgres_upgrade-manual" would update the postgres_upgrade directory.

Notes

none

path

Notes

This is kind of useless in it's current state unless you are using target overrides or distfile fragments. Best you forget about it.

Specification

Uses forward slashes '/' between components

Purpose

path targets are used to bridge the gap between a deep directory structure and a shallow target name space. By default target names are expected to map to directories that will have various operations performed on them. Path targets are just regular targets with '/' characters separating to components. Note they do not start with a /. Verify and other types also apply to path targets, but they are not automatically selected and must be explicitly specified.

Associated Directory: None. No build or VCS updates are done for these items.

distribute

Notes

Consider this deprecated. However if you are using it from Config let me know and I will add support for it.

Specification

Distribution targets have -dist appended to them.

Purpose

Distribute targets are invoked only in distribution mode and not in verify mode. Note that this mode is not yet implemented in DACS Rdist although it did work in Config's Rdist. I don't think I ever got any reports of people using these, but a possible use case would be with a firewalls update where the stanzas associated with the '-verify' label are the only useful operation and the verification provided by running the automatic label in rdist's verify mode is useless. So you could create a firewalls-dist rule that runs only when distributing files and never when verifying to save time.

Associated Directory

The directory update operations use the directory preceding the -dist suffix.

pre

a pre label is any one of the 4 standard label types that is run before another stanza. It can set up conditions for the other stanza to work (e.g. by updating/pushing commands used by a cmdspecial, or by creating a file needed by another stanza). Basically it is a helper to a stanza that actually does something useful. It has no special markup and shares the same label as it's associated command. However it must occur before the associated command in the distfile so that it runs prior to the associated command. See "Configuring dynamically reconfigurable services" section 7.10 in DacsExamples for an example of pre label use.
There is a second variant of this that is useful in very complex environment where the Distfile is built in pieces and allows explicit execution order independent of the order of the stanzas in the distfile. If you need this read on otherwise stop now (unless your health plan has very good psychiatric services). If you use the target override methods and rdist fragments it is possible to explicitly specify the execution order. You can't use the implicit order of the stanzas in the distfile as the rdist fragments are appended to the resulting Distfile. In this case, the pre label is an automatic label followed with '-pre'. Numbers may be appended to the -pre suffix to permit multiple ordering levels independent of the order in the distfile (e.g. -pre1, -pre2 etc.). No automatic directory update or builds occur with a pre target. (Slight lie, the suffix isn't stripped so a directory of mumble-pre would have to exist to be updated, but this is probably not a useful function.)

post

a post label is exactly like the pre label except that it occurs after it's associated target. It can verify correct update, send notification emails etc. They aren't used much since most of this can be done with special and cmdspecial directives in the associated stanza, but it may be useful in some cases (e.g. such as managing network devices via proxy, or always running a command even if no files were updated (which prevents the cmdspecial and special command in an automatic label from running)).
Again this is a place you probably don't want to be reading. But if you are among the sites using rdist fragments or target/label overrides a post label is identified by the suffix -post on the label name. As with pre targets, numbers may be appended to the -post suffix to permit multiple ordering levels. No automatic directory update occurs with a post target. (Slight lie, the suffix isn't stripped so a directory of mumble-post would have to exist to be updated.)

"HOST-VERIFY"

is a special label that is run to verify basic facts about a host. If the remote host fails to verify, Rdist removes the host from the list of hosts to update.

"POSTINSTALL-ACTIONS"

is a special label that is at the end of the generated distfile so it executes after all other targets. It is used to execute any final commands that need to be done. It is primarily meant to trigger the restart of programs like httpd when any one of it's configuration files changes. The example "Triggering one service restart for multiple files" below describes it's use.

6.4.3  Distfile Macros

6.4.4  Distfile set operations

NON_CENTOS_HOSTS=${ALL_HOSTS} - ${CENTOS_HOSTS}

JUST_CENTOS_HOSTS=${ALL_HOSTS} & ${CENTOS_HOSTS}

JUST_SOLARIS_AND_CENTOS_HOSTS=${SOLARIS_HOSTS} + ${CENTOS_HOSTS}

ONLY_CENTOS_4_1237_HOSTS_1= ${CENTOS_4.1_HOSTS} + ${CENTOS_4.2_HOSTS}
ONLY_CENTOS_4_1237_HOSTS_2= ${CENTOS_4.3_HOSTS} + ${CENTOS_4.7_HOSTS}
ONLY_CENTOS_4_1237_HOSTS = ${ONLY_CENTOS_4_1237_HOSTS_1} + ${ONLY_CENTOS_4_1237_HOSTS_2}

ONLY_CENTOS_4_1237_HOSTS_1= ${CENTOS_4.1_HOSTS} + ${CENTOS_4.2_HOSTS}
ONLY_CENTOS_4_1237_HOSTS_2= ${ONLY_CENTOS_4_1237_HOSTS_1} + ${CENTOS_4.3_HOSTS}
ONLY_CENTOS_4_1237_HOSTS =  ${ONLY_CENTOS_4_1237_HOSTS_2} + ${CENTOS_4.7_HOSTS}

6.4.5  Distfile.base Examples

Note: the command lines in the examples below may be too long to display. So they are wrapped using a \ at the end of the prior line. In distfile.base these continued lines must all be on a single line and the \ indicating the configuration must be removed.

6.4.5.1  Establishing a standard time on all systems

# the localtime file can not be a link into /usr/share/zoneinfo because
# timezone is needed when system is booting before the /usr partition
# is mounted.
etc:
$C/etc/localtime/UTC.linux -> ${TZUTC_SLAVES} & ${LINUX_HOSTS}
        SAVEINSTALL(/etc/localtime,2);

LINUX_HOSTS=${FEDORA_HOSTS} + ${CENTOS_HOSTS}

LINUX_HOSTS1=${FEDORA_HOSTS} + ${CENTOS_HOSTS}
LINUX_HOSTS=${LINUX_HOSTS1} + ${DEBIAN_HOSTS}

LINUX_HOSTS=${FEDORA_HOSTS} + ${CENTOS_HOSTS} + ${DEBIAN_HOSTS}

1. the destination location for the file(s) on the host
2. the number of backups copies of prior versions of the file(s) to keep
3. any options to pass to the install command (e.g. compare). The third parameter is optional and is missing in this example.

6.4.5.2  Pushing unique /etc/hosts files for each host

#foreach HOST FILEPP_CENTOS_HOSTS FILEPP_FEDORA_HOSTS
etc:
$C/etc/hosts/dist/HOST -> ( HOST ) - ${OLD_HOSTS}
        install -osavetargets,compare /etc/hosts ;
        BACKUP(10);
#endforeach

etc:
$C/etc/hosts/dist/a.example.com -> ( a.example.com ) - ${OLD_HOSTS}
        install -osavetargets,compare /etc/hosts ;
        BACKUP(10);

#foreach HOST FILEPP_CENTOS_HOSTS FILEPP_FEDORA_HOSTS
etc:
$C/etc/hosts/dist/HOST -> ( HOST ) - ${OLD_HOSTS}
        SAVEINSTALL(/etc/hosts, 10 , compare );
#endforeach

etc:
$C/etc/hosts/combined_hosts_file -> ${LINUX_HOSTS} - ${OLD_HOSTS}
        install -osavetargets,compare /etc/hosts ;
        BACKUP(10);

6.4.5.3  Pushing a daily cron job to backup mysql

# Backup mysql databases on all hosts running mysql.
cron:
$C/cron/cron.d/mysql_dump -> ${MYSQL_HOSTS}
        SAVEINSTALL(/etc/cron.d/mysql_dump, 2, compare) ;
        cmdspecial "if ! test -e /var/bak/mysql.all_databases.dump; \
             then touch /var/bak/mysql.all_databases.dump; fi \
             RDIST_SPECIAL_FILTER";
        BACKUPTO(/etc/cron.d.backup, 5);

cron-verify:
$C/cron/cron.d/mysql_dump -> ${ALL_HOSTS} - ${MYSQL_HOSTS}
        FORCERUN;
        cmdspecial "if [ -r /etc/cron.d/mysql_dump ]; then echo \
        \"ERROR: /etc/cron.d/mysql_dump exists on a machine that is \
        not a MYSQL server. Please remove.\"; fi \
        RDIST_SPECIAL_FILTER";

• push the file cron/cron.d/mysql_dump to
• all hosts in the MYSQL_HOSTS class (a host with service  ... MYSQL ...= in it's definition)
• install the file (if the target is different) as /etc/cron.d/mysql_dump and create a backup
• it will compare the file and not just use the date of the file
• if the file is updated, it will make sure the directory used by the cron job exists and creates it if it does not exist. The command will not be displayed to the user by default.
• the backup file will be moved to the /etc/cron.d.backup and 5 copies of the file will be kept.

• for the set of hosts in ALL_HOSTS that are not in MYSQL_HOSTS (i.e. it does a difference of the two sets).
• push the file cron/cron.d/mysql_dump to some random location. This will always succeed in updating the file which will trigger:
• a command that verifies that there is no /etc/cron.d/mysql_dump file on the machine.
• It will complain if the /etc/cron.d/mysql_dump file is found since mysql isn't supposed to be running on that host.

• errors from those commands can be confusing if the command is not shown
• if the operator needs to perform the same operation by hand, it is easy to see what commands should be run to update/reload the service.

• don't filter "/etc/init.d/httpd graceful"
• do filter "cp /etc/http/conf.d/proxy1.cfg /etc/http/conf.d/proxy1.cfg.bak"

1. the directory the backup file should be moved to. If the directory doesn't exist it is created mode 700 owned by root.
2. the number of backups to keep.

6.4.5.4  Excluding files in a directory from being pushed

# install files needed to support DACS
config:
$C/config/dist -> ${ALL_HOSTS}
        install /etc/config/. ;
        except_pat ( \\.svn ) ;
        except_pat ( Makefile ) ;
        except_pat ( empty ) ;
        except_pat ( \\.locked ) ;
        REPORTTARGET;

6.4.5.5  Duplicating stanza's with automatic and partial labels

#foreach LABEL users users.sudo
LABEL:
$C/etc/sudoers/sudoers.site -> ${LINUX_HOSTS}
        SAVEINSTALL(/etc/sudoers, 3, nochkmode);
        special "chmod 440 /etc/sudoers";

LABEL:
$C/etc/sudoers/sudoers.site -> ${SOLARIS_HOSTS}
        SAVEINSTALL(/etc/sudoers, 3, nochkmode);
        special "chmod 440 /etc/sudoers";
#endforeach

6.4.5.6  Triggering one service restart for multiple files

httpd:
$C/httpd/httpd.conf -> ${APACHE_HOSTS}
    SAVEINSTALL(/etc/httpd/conf/httpd.conf, 3);
    cmdspecial "/etc/init.d/httpd restart";

httpd:
$C/httpd/conf.d/*.conf -> ${APACHE_HOSTS}
    SAVEINSTALL(/etc/httpd/conf.d/., 3);
    cmdspecial "/etc/init.d/httpd restart";

httpd:
$C/httpd/httpd.conf -> ${APACHE_HOSTS}
    SAVEINSTALL(/etc/httpd/conf/httpd.conf, 3);
    POSTACTION(httpd_restart);
httpd:
$C/httpd/conf.d/*.conf -> ${APACHE_HOSTS}
    SAVEINSTALL(/etc/httpd/conf.d/., 3);
    POSTACTION(httpd_restart);

# and at the end of distfile.base

POSTINSTALL-ACTIONS:
$C/.empty_file -> ${APACHE_HOSTS}
        FORCERUN ;
        cmdspecial "IFPOSTACTION(httpd_restart); /etc/init.d/httpd restart";

6.4.5.7  Diffing remote files without update

etc-manual:
$C/etc/services/services -> ${ALL_HOSTS}
   VERIFYFILE(/etc/services);

6.5  Supporting Legacy hosts that have part of their configuration unmanaged

LEGACY_FIREWALLS = (
fred.example.com
bar.example.com
baz.example.com
)
...
firewalls:
$C/firewalls/minimal -> ${LINUX_HOSTS} - ${LEGACY_FIREWALLS}
   SAVEINSTALL....;

LEGACY_FIREWALLS = (
fred.example.com
bar.example.com
baz.example.com
)
...
firewalls:
$C/firewalls/minimal -> ${LEGACY_FIREWALLS}
   SAVEINSTALL....;

6.5.1  Why you shouldn't do this

• all config info is defined in one place, the database.

firewalls:
$C/firewalls/minimal -> ${LINUX_HOSTS} - ${LEGACY_FIREWALL_SLAVES}
   SAVEINSTALL....;

6.6  Troubleshooting distribution errors

6.6.1  Rdist/distfile errors

localhost: LOCAL ERROR: Error in distfile: line 903:
  /config/httpd/conf.d/host1.example.com/: No such file or directory 
localhost: LOCAL ERROR: Error in distfile: line 905: Bad distfile
  options "savetargets".
localhost: LOCAL ERROR: Error in distfile: line 911: Bad distfile
  options "savetargets".
localhost: LOCAL ERROR: Error in distfile: line 915:
  /config/httpd/conf.d/host2.example.com/: No such file or directory
localhost: LOCAL ERROR: Error in distfile: line 917: Bad distfile
  options "savetargets".
localhost: LOCAL ERROR: Error in distfile: line 923: Bad distfile
  options "savetargets".

6.6.1.1  Errors with 'label not defined in the distfile'

1. the label you specify is in the distfile
   • grep for '^label:' in the distfile to make sure there aren't weird non-printable characters in the label.
2. a label is defined only if it's applied to a host, so make sure that at least one host in the stanza is valid. It is not an error for the list of hosts to evaluate to the null set, and that label will be removed from the parsed result.

6.6.1.2  Other 'unexplainable' errors

6.7  Distribution Reports

6.7.1  Host-target report

etc:
$C/etc/sysconfig/nfs -> ${LINUX_NFSSERV_HOSTS} - ( store.example.com )
        SAVEINSTALL(/etc/sysconfig/nfs, 2);
        cmdspecial "echo 'WARNING: some portions of the NFS subsystem
        must be stopped/restarted to get the effects of the changes to
        /etc/sysconfig/nfs. You must do this MANUALLY.' RDIST_SPECIAL_FILTER";

6.7.2  Files-report report

a.example.com: /etc/log.d/conf/logwatch.conf <- /config/etc/logwatch/logwatch.conf/logwatch.conf
a.example.com: /etc/log.d/conf/logfiles/. <- /config/etc/logwatch/conf/logfiles/yum.conf/yum.conf
a.example.com: /etc/man.config <- /config/etc/man.config/man.config.through_centos4
a.example.com: /etc/nscd.conf <- /config/etc/nscd/nscd.conf
a.example.com: /etc/hosts <- /config/etc/hosts/dist/a.example.com
...

• locate the source of a file if you know the location of the file on the target system
• identify files on the target system that are DACS managed (to exclude from a tripwire or AIDE scan for example)
• identify where the source files are distributed to (to verify distfile rules for example)

6.7.3  Files audit report

   s       nsswitch/
   b               nsswitch/nsswitch.conf.ldap
   b               nsswitch/nsswitch.conf.noldap
   s       ntp/
   b               ntp/clients.conf
   d ntp/dist/ntp_root1.conf
   d ntp/dist/ntp_root2.conf
   d ntp/dist/ntp_root3.conf
   s       ntp/hosts/
   b               ntp/hosts/a.example.com.ntp.conf
   b               ntp/hosts/b.example.com.ntp.conf
   s       ntp/ntp_root.conf

Chapter 7
Examples

1. Identify what files to manage
2. Decide where to locate them in DACS
3. Decide how to create/manage the content of the files
4. Decide were the files should be distributed
5. Find out if the new files work
6. Commit the changes
7. Test the distribution
8. Deploy to all hosts

1. Identify the files you want to maintain on the client hosts. The biggest bang for the buck are files that are changed on almost every host, especially if changes to those files are frequent, or if bad changes to those files has caused downtime, loss of revenue or unneeded expense.
   These may be ntp configurations, hosts files, resolv.conf, public key certificate files, ssh configurations that are common across a bunch of hosts. They may also be files that are unique (currently) but that need to be valid in order to properly supply services. E.G. Apache configuration files for the main web site.
2. Figure out where these files will live in the DACS CCM tree. Fortunately with subversion this is easier to change should the initial decision be incorrect, but it is worth a little time to consider: where would other people using DACS expect it to be located. What makes sense for a DACS user.
   1. Optionally you may want to check the vendor supplied original copy of the file into a vendor branch to have a reference when a newer copy of the file is released by the vendor.
3. How are the files to be maintained, and how many files will there be? Often you don't have just one configuration of a file, you may have two, three or more than one hundred. You can maintain these copies manually, or generate them from a master copy. Once you have more than 5 or 10 configurations, it usually makes more sense to maintain them automatically by generating them from a template, especially if the file changes often or is highly complex. The generation process can simply the file so that the manually maintained file is simpler and removes options from the admin to maintain standards.
   1. If you are going to manually maintain the files, create and the check in the master copy/copies of the file(s) It is a good idea at this point to try to reconcile the files so that they are as identical as possible in structure. This reduces the amount of documentation and training needed for people who will change the file and reduces the effort required to troubleshoot issues caused by changes.
   2. If you are going to generate the files, there are more options available. First set up the directory structure with a dist subdirectory for the generated (and distributed) files. Then create the manually maintained input files and the build machinery.
4. Decide where the files should be distributed (what hosts should receive the file and what file location e.g. /etc/hosts, /etc/inet/host) and set up the rules to distribute the files from the CCM tree to the hosts.
   1. Identify the hosts that need a particular file
      1. does a class with these hosts in it already exist?
      2. can you use a set operation among existing classes to identify the hosts?
      3. do you need to define a new service, cluster or uses attribute to define a new class of hosts that fulfills number 1 or 2?
   2. Set up an automatic labeled stanza that pushes the file(s) to the hosts using class variables.
   3. Does each host need a unique file?
      1. If so wrap the stanza in a filepp foreach clause to generate rules for each host to install that host specific file.
5. Test the new files
   1. If the files are generated or you need to change permissions, run a make to build files/set permissions and manually inspect them to see if they are correct.
   2. Use the Makefile target files-report in the distfile directory to generate the distribution list. This list shows the map from files in the DACS tree to files on the managed hosts. Verify that the files you added are properly listed.
   3. Manually copy (generated or manually maintained) files from the DACS tree to client systems and deploy them to verify proper operation.
6. Commit the changes to DACS
   1. Add all newly created files and directories to subversion svn add
   2. Assign permissions to files using svn propset with the svn:owner, svn:group and svn:unix-mode properties if the defaults of root, root and 755 (for executables) or 644 (for other files) are not suitable. Run make to verify that the proper permissions are set.
   3. Set up ignore lists for work directories like .sum and dist using svn propset on the svn:ignore property
   4. Audit files using svn status making sure no files that you need have an unknown status (?), are in a conflicted state (C) etc.
   5. Check-in the changes with comments using svn ci [list of files].
7. Test the distribution
   1. Run Rdist -v [label] and verify that you see the expected files being pushed.
   2. Run Rdist -m host label and verify that the file is installed, activated, and operates properly on a test host. You may want to run this a few times for different hosts or classes of hosts so you can test multiple configurations. This is an automatic version of the steps you performed in item 5.
8. Run Rdist label to push the files to all hosts.

7.1  Changing a managed file

1. Identify what files to manage
2. Decide where to locate them in DACS
3. * Decide how to create/manage the content of the files
4. Decide were the files should be distributed
5. * Find out if the new files work
6. * Commit the changes
7. * Test the distribution
8. * Deploy to all hosts

• Perform an svn up in the directory to get any new changes that may have been committed by others.
• Change the file.

7.2  Adding a new file (simple case)

• you know what file you want to manage (basic step 1)
• already have a suitable directory under the DACS tree for the file (basic step 2)
• a class is already set up with the list of hosts that should receive the file (basic step 4)

7.2.1  File installation (basic step 3)

7.2.2  Distfile.base setup (basic step 4)

ssh:
$C/ssh/sshd_config/sshd_config.centos -> ${CENTOS_HOSTS}
   SAVEINSTALL(/etc/ssh/sshd_config, 3);
   cmdspecial "/etc/init.d/sshd restart";

7.2.3  The finish (basic step 5, 6, 7, 8)

a.example.com b.example.com c.example.com
d.example.com s3.example.com
    /config/sshd/sshd_config/sshd_config.centos: need to update
    cmdspecial "/etc/init.d/sshd restart"

a.example.com b.example.com c.example.com
d.example.com s3.example.com
    /config/sshd/sshd_config/sshd_config.centos: updating
    Starting sshd: [  OK  ]
    Stopping sshd: [  OK  ]
    cmdspecial "/etc/init.d/sshd restart"

• Investigate to find out why an unauthorized change occurred or
• Remember that a planned experimental change is still in effect and may result in different sshd operation on that host or
• Revert the change and re-establish standard operation

7.2.4  Some Variations

ssh:
$C/ssh/sshd_config/sshd_config.centos4 -> ${CENTOS_4.X_HOSTS}
   SAVEINSTALL(/etc/ssh/sshd_config, 3);
   cmdspecial "/etc/init.d/sshd restart";

ssh:
$C/ssh/sshd_config/sshd_config.centos5 -> ${CENTOS_HOSTS} - ${CENTOS_4.X_HOSTS}
   SAVEINSTALL(/etc/ssh/sshd_config, 3);
   cmdspecial "/etc/init.d/sshd restart";

7.3  Adding a new host

        Machine =
        cluster = 
        enet =
        enet_if =
        ip =
        os =
        rdist = yes
        services =
        uses =

machine = newhost-newip.example.com
aliases =
ip =
enet = 
enet_if =
rdist = no
base = newhost.example.com

7.3.1  Managing the ssh keys

• deploy the keys to the host and
• update all the hosts so they will recognize the new host.

7.3.2  Updating the host

7.4  Setting up location specific timezone files

A etc/timezone
A etc/timezone/timezone.EST5EDT
A etc/timezone/timezone.PST8PDT

etc:
$C/etc/timezone/timezone.EST5EDT -> ${site_mia1_C_HOSTS}
    SAVEINSTALL(/etc/timezone, 2);

etc:
$C/etc/timezone/timezone.PST5PDT -> ${site_lax1_C_HOSTS}
    SAVEINSTALL(/etc/timezone, 2);

     cmdspecial "/etc/shutdown -r";

     cmdspecial "echo 'WARNING: a reboot may be needed to fully \
          implement the timezone change.' RDIST_SPECIAL_FILTER";

   POSTACTION(reboot_needed, timezone);

etc:
$C/.empty_file -> ${site_mia1_C_HOSTS} +  ${site_lax1_C_HOSTS}
        FORCERUN ;
        cmdspecial "IFPOSTACTION(reboot_needed, timezone); echo
        'WARNING: pending reboot needed due to timezone change. \
              Run \"Rdist -m this.host reboot-manual\" for this host.'";

reboot-manual:
$C/.empty_file ->  ${site_mia1_C_HOSTS} +  ${site_lax1_C_HOSTS}
        FORCERUN ;
        cmdspecial "IFPOSTACTION(reboot_needed); /etc/shutdown -r \
                +1min \"going down for reboot\"";

7.5  Setting up a database driven ntp configuration (new top level directory)

• Edit the database and move the NTPx service from the old host to the new host.
• Run 'Rdist -m newhost ntp firewalls'
• Run 'Rdist ntp'

7.5.1  Files and services

• ntp_root.conf
• client.conf

mkdir ntp
mkdir ntp/dist
touch ntp/ntp_root.conf
touch ntp/client.conf
touch ntp/Makefile
svn add ntp
svn propset svn:ignore '*' ntp/dist

A      ntp/ntp_root.conf
A      ntp/client.conf
A      ntp/dist
A      ntp/Makefile

7.5.2  Database changes

• three top level NTP server hosts
• the single list of clients that use those servers

Machine = s2.example.com
ip = 192.168.9.33/24
os = Centos 5.2
rdist = yes
services = SSHD NTP2

NTP2_HOSTS=( s2.example.com )

Machine = a1.example.com
ip = 192.168.9.12/24
os = Centos 5.0
rdist = yes
services = SSHD
uses = NTPCLIENT

NTPCLIENT_SLAVES=( a1.example.com a2.example.com ...)

7.5.3  The build system and file generation

all verify: dist/ntp_root1.conf dist/ntp_root2.conf dist/ntp_root3.conf dist/clients.conf

7.5.3.1  Gathering data from the database

• the host names of each of the 3 NTP top level hosts
• the IP address of each of these 3 hosts (yes we could do without these and just use host names everywhere but that wouldn't be any fun)

HOST1:=$(shell $(DBREPORT) -l -s 'services:/NTP1/|isbase:/yes/' $(DB))
HOST2:=$(shell $(DBREPORT) -l -s 'services:/NTP2/|isbase:/yes/' $(DB))
HOST3:=$(shell $(DBREPORT) -l -s 'services:/NTP3/|isbase:/yes/' $(DB))

NTPIP1:=$(shell $(DBREPORT) -f ip -s 'machine:/$(HOST1)/|ip:/^192.168/' $(DB))
NTPIP2:=$(shell $(DBREPORT) -f ip -s 'machine:/$(HOST2)/|ip:/^192.168/' $(DB))
NTPIP3:=$(shell $(DBREPORT) -f ip -s 'machine:/$(HOST3)/|ip:/^192.168/' $(DB))

7.5.3.2  Generating the client config

dist/clients.conf: clients.conf Makefile $(DB)
        filepp  -D "Host1=$(HOST1)" -D "Host2=$(HOST2)" \
            -D "Host3=$(HOST3)" -D "NtpIp1=$(NTPIP1)" \
            -D "NtpIp2=$(NTPIP2)" -D "NtpIp3=$(NTPIP3)" \
            clients.conf -o $@.out
        mv $@.out $@

• the maintained clients.conf file changes
• the Makefile that builds clients.conf changes
• the database where the NTP server information is stored changes

  # Host1 NTP1
server NtpIp1 iburst
  # Host2 NTP2
server NtpIp2 iburst
  # Host3 NTP3
server NtpIp3 iburst

  # box1.example.com NTP1
server 192.168.1.1 iburst
  # s2.example.com NTP2
server 192.168.9.33 iburst
  # box10.example.com NTP3
server 192.168.5.1 iburst

7.5.3.3  Generating the three server configuration files

FPPDEFS=-D "Host1=$(HOST1)" -D "Host2=$(HOST2)" -D "Host3=$(HOST3)"

dist/ntp_root1.conf: 
        filepp -D NTP1 $(FPPDEFS) ntp_root.conf -o $@.out
        mv $@.out $@

#comment make sure host defines are not empty.
#if ! "Host1"
#error Host Host1 not defined or empty
#endif

#ifdef NTP1
#
# clock.redhat.org
#
restrict 66.187.233.4 mask 255.255.255.255 nomodify notrap noquery
server  66.187.233.4 iburst
#endif

#ifdef NTP2
# NL ntp0.nl.net (193.67.79.202)
# Location: NLnet, Amsterdam, The Netherlands
# Synchronization: NTP primary (GPS), Sun/Unix SunOS 4.1.3
# Service Area: The Netherlands/Europe
# Access Policy: open access
# Contact: beheer@nl.net 
restrict 193.67.79.202 mask 255.255.255.255 nomodify notrap noquery
server 193.67.79.202 iburst
#endif

#ifndef NTP1
#
# Host1
#
restrict Host1 mask 255.255.255.255 nomodify notrap noquery
peer  Host1 iburst
#endif

#ifndef NTP2
#
# Host2
#
restrict Host2 mask 255.255.255.255 nomodify notrap noquery
peer  Host2 iburst
#endif

#
# s2.example.com
#
restrict s2.example.com mask 255.255.255.255 nomodify notrap noquery
peer  s2.example.com iburst

7.5.4  Distributing the generated files

• NTPCLIENT_SLAVES - for the clients
• NTP1_HOSTS - for the 1 NTP1 server
• NTP2_HOSTS - for the 1 NTP2 server
• NTP3_HOSTS - for the 1 NTP3 server

ntp:
$C/ntp/dist/clients.conf -> ${NTPCLIENT_SLAVES} & ${LINUX_HOSTS}
        SAVEINSTALL(/etc/ntp.conf, 10, compare ) ;
        cmdspecial "/etc/rc.d/init.d/ntpd restart" ;

ntp:
$C/ntp/dist/clients.conf.solaris -> ${NTPCLIENT_SLAVES} & ${SOLARIS_HOSTS}
        SAVEINSTALL(/etc/inet/ntp.conf, 10, compare ) ;
        cmdspecial "svcadm restart ntp:default" ;

uses= ... NTPCLIENT ...

## top level NTP servers for our systems
ntp:
$C/ntp/dist/ntp_root1.conf -> ${NTP1_HOSTS} & ${LINUX_HOSTS}
        SAVEINSTALL(/etc/ntp.conf, 10, compare ) ;
        cmdspecial "/etc/rc.d/init.d/ntpd restart" ;

ntp:
$C/ntp/dist/ntp_root2.conf -> ${NTP2_HOSTS} & ${LINUX_HOSTS}
        SAVEINSTALL(/etc/ntp.conf, 10, compare ) ;
        cmdspecial "/etc/rc.d/init.d/ntpd restart" ;

ntp:
$C/ntp/dist/ntp_root3.conf -> ${NTP3_HOSTS} & ${LINUX_HOSTS}
        SAVEINSTALL(/etc/ntp.conf, 10, compare ) ;
        cmdspecial "/etc/rc.d/init.d/ntpd restart" ;

7.5.5  Testing

7.5.6  Check in the changes

A      ntp/ntp_root.conf
A      ntp/client.conf
A      ntp/dist
A      ntp/Makefile
M      Config/bin/dbreport
M      Config/distfile/distfile.base

?      ntp/dist/client.conf
?      ntp/dist/ntp_root1.conf
?      ntp/dist/ntp_root2.conf
?      ntp/dist/ntp_root3.conf

7.5.7  Update the master tree with a new top level directory

cd /config
sudo env -i /usr/bin/svn up ntp

7.5.8  Update the hosts

7.6  Integrating external tools into DACS

• openvpn - to permit only allowed individuals to access the network
• the corporate web server - where people external to the company can verify that s-mime certificates are still valid.
• web servers - when client certificates are used to authenticate users

[/Config/work/etc/crl]
CA = rw

mv CRL CRL.orig
export SVN_SSH="/usr/bin/ssh -i /usr/lib/CA/id_rsa"
svn co svn+ssh://dacsuser@dacsmaster:/repo/Config/work/etc/crl CRL
cp CRL.orig/crl.pem CRL
svn add CRL/crl.pem
svn ci -m "initial check-in of CRL" CRL

export SVN_SSH="/usr/bin/ssh -i /usr/lib/CA/id_rsa"
svn ci -m "CRL update" CRL

etc:
$C/etc/crl/crl.pem -> ${VPNOPEN_HOSTS}
   SAVEINSTALL(/etc/openvpn/crl.pem, 3 );

etc:
$C/etc/crl/crl.pem -> ${HTTP_HOSTS}
   SAVEINSTALL(/etc/httpd/crl.pem, 3 );

etc:
$C/etc/crl/crl.pem -> ${WWWMAIN_HOSTS}
   SAVEINSTALL(/var/www/htdocs/crl.pem, 3 );

etc.crl:
$C/etc/crl/crl.pem -> ${VPNOPEN_HOSTS}
   SAVEINSTALL(/etc/openvpn/crl.pem, 3 );

etc.crl:
$C/etc/crl/crl.pem -> ${HTTP_HOSTS}
   SAVEINSTALL(/etc/httpd/crl.pem, 3 );

etc.crl:
$C/etc/crl/crl.pem -> ${WWWMAIN_HOSTS}
   SAVEINSTALL(/var/www/htdocs/crl.pem, 3 );

• openvpn security
• httpd security
• publishing to the public

7.7  Adding new file or files (complex case)

1. Identify what files to manage section 7.7.1
2. Decide where to locate them in DACS section 7.7.2
3. Decide how to create/manage the content of the files section 7.7.3
4. Decide were the files should be distributed section 7.7.5
5. Find out if the new files work section 7.7.6
6. Commit the changes section 7.7.7
7. Test the distribution section 7.7.8
8. Deploy to all hosts section 7.7.8

7.7.1  Identifying the file(s)

7.7.1.1  How many files exist

• different versions of the software (e.g. the /etc/ssh/sshd_config files on Centos 2 systems are different from those on Centos 4 systems because the new ssh version added some keywords to activate new functionality.)
• different role of the host. E.G. the aliases file on a mail delivery host has more aliases and different aliases since it is the end delivery point for email. Alias files on hosts that just forward to the central mail host have a much more stripped down version of the aliases file.
• site specific changes. E.G. if you have multiple sites with local dns resolvers, you may have a site specific /etc/resolv.conf that lists the local site's dns resolvers first. So for each site the ordering (and therefore contents) of resolv.conf are different. But they are the same within a site.
• entropy - especially when hand editing files, spacing, line order, etc can change making auditing of these files difficult. You will often discover misconfigurations in files this way. However you need to try to figure out if the standard file you are putting in will be compatible with the one you are replacing.

for i in `Config/bin/dbreport -l -s 'rdist:/yes/|isbase:/yes/' Config/database/db`
do
scp $i:/path/to/file file.$i
done

      2 17474    338 services.solaris1.example.com
     10 34762    334 services.s1.example.com
      1 35185    422 services.s3.example.com

7.7.2  Where should the files live in the DACS CCM tree

1. when I configure or change this service in the future do I have one file or multiple files to change?
2. how likely is it that multiple people will be changing the same files (i.e. how static is the configuration).

• put all the files under the top level etc assuming they will be set up once and not changed
• put them in an top level ldap directory so the changes can be pushed independent of other files
• put them in separate top level directory trees:
  • openldap - for the client configuration needed for the software application
  • etc/pam.d - for the client configuration files that allow login and other authentication to occur
  • software/schemas - for changes to the openldap database schemas
  • servers/ldap - for the files that configure the ldap servers (as opposed to client configurations)

cd etc
mkdir services
svn add services
cd services

7.7.3  Automatic or manual file maintenance

mv services.merged services
svn add services
svn ci services

7.7.4  Add the unmodified file to the vendor tree

  svn switch svn+ssh://dacsuser@dacsmaster:/repo/Config/vendor/centos_4.3/etc/services

• install a new operating system
• check out a copy of the vendor tree
• for every file in the vendor tree copy the corresponding file from the new system on top of the orginal copy
• perform an svn diff to see what changes have occurred.
• see if any of the changes should be applied to the CCM working tree.

7.7.4.1  Make the vendor directory

 svn mkdir -m "checkin of services file from centos 4.3 box" \
    svn+ssh://dacsuser@dacsmaster:/repo/Config/vendor/centos_4.3
 svn mkdir -m "checkin of services file from centos 4.3 box" \
    svn+ssh://dacsuser@dacsmaster:/repo/Config/vendor/centos_4.3/etc
 svn mkdir -m "checkin of services file from centos 4.3 box" \
    svn+ssh://dacsuser@dacsmaster:/repo/Config/vendor/centos_4.3/etc/services

 svn mkdir -m "checkin of services file from solaris 10.2 box" \
    svn+ssh://dacsuser@dacsmaster:/repo/Config/vendor/solaris_10.2
 svn mkdir -m "checkin of services file from solaris 10.2 box" \
    svn+ssh://dacsuser@dacsmaster:/repo/Config/vendor/solaris_10.2/etc
 svn mkdir -m "checkin of services file from solaris 10.2 box" \
    svn+ssh://dacsuser@dacsmaster:/repo/Config/vendor/solaris_10.2/etc/services
{\small \begin{verbatim}

(Note newer versions of =svn mkdir= have the =--parents= option that
will create all needed intermediate directories like =mkdir -p=
does. But for earlier versions you need to run all the commands to
create the tree hierarchy.)

---++++ Import the unmodified vendor file(s)

Now we switch our working directory to the newly created service
directories. Because none of the "services.*" files has been checked
in they will still be present after the switch. So run the commands:
{\small \begin{verbatim}
  svn switch svn+ssh://dacsuser@dacsmaster:\
       /repo/Config/vendor/centos_4.3/etc/services

  cp services.centos services

  svn add services

  svn ci -m "original /etc/services file for centos 4.3"

  >svn switch svn+ssh://dacsuser@dacsmaster:\
       /repo/Config/vendor/solaris_10.2/etc/services
  D    services
  Updated to revision 53.
  > cp services.solaris services
  > svn add services
  > svn ci -m "original /etc/inet/services file for solaris 10.2"

7.7.4.2  Create and edit new file in working directory

  > svn switch \
  svn+ssh://dacsuser@dacsmaster:/repo/Config/work/etc/services
  D    services
  Updated to revision 54.

  > svn cp svn+ssh://dacsuser@dacsmaster/repo/Config\
         /vendor/centos_4.3/etc/services/services .
  A         services
  > svn ci -m "RT:2345 adding base revision"
  Adding         services/services
  Committed revision 55.
  > cp services.merged services
  > svn ci -m "RT:2345 adding merged revision"
  Adding         services/services
  Committed revision 56.
  > svn log -v 
  r56 | rouilj | 2008-12-28 15:07:38 -0500 (Sun, 28 Dec 2008) | 1 line
  Changed paths:
     M /repository/Config/work/etc/services/services

  RT:2345 adding merged revision
  ------------------------------------------------------------------------
  r55 | rouilj | 2008-12-28 14:52:12 -0500 (Sun, 28 Dec 2008) | 1 line
  Changed paths:
     R /repo/Config/work/etc/services/services (from
          /repo/Config/vendor/centos_4.3/etc/services/services:56)
  
  RT:2345 adding base revision

7.7.4.3  Future maintenance using vendor trees

svn co svn+ssh://dacsuser@dacsmaster/repo/Config/vendor/centos_4.3

svn cp /path/to/working svn+ssh://dacsuser@dacsmaster/repo/Config/\
     vendor/centos_4.7

  > svn merge svn+ssh://dacsuser@dacsmaster:/repo/Config/\
         vendor/centos_4.3/etc/services/services \
         svn+ssh://dacsuser@dacsmaster:/repo/Config/\
         vendor/centos_4.7/etc/services/services
  --- Merging differences between repository URLs into 'services':
  U    services

svn diff svn+ssh://dacsuser@dacsmaster:/repo/Config/vendor/centos_4.3/\
      etc/services/services \
    svn+ssh://dacsuser@dacsmaster:/repo/Config/vendor/centos_4.7/\
      etc/services/services | \
 patch

  > svn merge svn+ssh://dacsuser@dacsmaster:/repo/Config/vendor/centos_4.3/\
          etc/services/services \
        svn+ssh://dacsuser@dacsmaster:/repo/Config/vendor/centos_4.7/\
          etc/services/services services.centos 
  --- Merging differences between repository URLs into 'services.centos':
  U    services.centos

7.7.5  Distribute from the CCM tree to the hosts

7.7.5.1  Identification of hosts

$C/cron/root/sshdexternal.root -> ( a.example.com c.example.com)
                  install -ocompare /var/spool/cron/root ;
                  special "EDITOR=/bin/touch crontab -u root -e" ;

etc:
$C/etc/services/services -> ${CENTOS_HOSTS}
  SAVEINSTALL(/etc/services, 3);

$C/etc/services/services -> ${SOLARIS_HOSTS}
  SAVEINSTALL(/etc/inet/services, 3);

7.7.6  Testing the files

7.7.7  Commiting the changes

7.7.7.1  Dealing with commit failures

Sending        Config/distfile/distfile.base
Transmitting file data .svn: Commit failed (details follow):
svn: Out of date: '/Config/work/Config/distfile/distfile.base' in transaction '10018-1'

G    Config/distfile/distfile.base
Updated to revision 10018.

7.7.8  Pushing the files

7.8  Configuring Solaris Zones or VMware guest OS

• a cluster value: global_zone_s1_example_com or vmware_s1_example_com for all the child zones or guest hosts that run on the host s1.example.com.
• or linked service/uses keys

7.9  Configuring MASTER/STANDBY services

7.9.1  Conditions

7.9.2  Implementation: single master, disabled standby

• COPYME_MASTER
• COPYME_STANDBY

#if "SERVICES" =~ /\bCOPYME_MASTER\b/
copyme                   service
#endif

7.9.3  Enabled, but idled standby

#if "SERVICES" =~ /\bCOPYME_/
copyme                   service
#endif

• push a different file based on whether the server is in MASTER or STANDBY mode.
• create/delete a file based on whether the server is in MASTER or STANDBY mode.

  $C/.../masterfile -> ${COPYME_MASTER_HOSTS}
         SAVEINSTALL(/file/location,...);

 $C/.../standbyfile -> ${COPYME_STANDBY_HOSTS}
        SAVEINSTALL(/file/location,...);

  masterfile -> ${COPYME_MASTER_HOSTS}
         SAVEINSTALL(/file/location,...);

 standbyfile -> ${COPYME_STANDBY_HOSTS}
        FORCERUN;
        cmdspecial "rm -f /file/location";

 standbyfile -> ${ALL_HOSTS}
        FORCERUN;
        cmdspecial "rm -f /file/location";

7.9.4  Multi-master variant

• COPYME_MASTER1 (for the Miami master)
• COPYME_MASTER2 (for the LA master)
• ... (if you had a third site)

• COPYME_STANDBY1 (for the Miami standbys)
• COPYME_STANDBY2 (for the LA standbys)
• ... (if you had a third site)

• miamifile -> ${COPYME_MASTER1_HOSTS} + ${COPYME_STANDBY1_HOSTS}
  pushes miamifile to both sets of hosts.

• miamifile -> ${COPYME_HOSTS} + ${miami_C_HOSTS}
  push to any COPYME host but just members of the Miami cluster.

7.9.4.1  Advantages

1. Move the COPYME_MASTER from box1 to box4 in the database
2. Manually disable the service on box1 if desired
3. Rdist to box4 to bring its service on line
4. Rdist to all other systems except box1 to set up any client side changes that need to be done for the MASTER changeover
5. Rdist to box1 to disable and unconfigure its COPY_MASTER service

7.10  Configuring dynamically reconfigurable services (firewalls, routing,...)

1. Create or use an existing file that has a standard format to record the running configuration and that can be used to load the configuration on reboot.
2. Generate in DACS a copy of the file(s) in 1 from your managed configuration files using the build system
3. Run a pre-command from DACS/Rdist that dumps the current state of the service to the file(s) in 1.
4. Set up a DACS rule to compare your generated file (in 2) to the file that was updated in 3. If the compare fails, the file will be overwritten and a command can be executed to implement the new configuration.

7.10.1  Implementing the file update rules

7.10.1.1  Identify Configuration File

7.10.1.2  Generate a copy of the configuration file in DACS

• Makefile - drives the build mechanism
• template.fpp - processed once for each host to generate the per host firewall rules.
• geniptables-save - a shell script that is used to generate the startup firewall rules file from the running configuration preserving local table modifications.
• local-firewall-restore - a shell script that restores the local modifications to a running firewall.

• dist - to store the generated firewall files
• .sum - a work directory for the caching mechanism. See the DacsBuild caching section for more information.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

#if "SERVICES" =~ /SSHDEXT/
:BLACKLIST - [0:0]
#endif

:IN - [0:0]

...
## ssh rules for ssh blacklist
#if "SERVICES" =~ /SSHDEXT/
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j BLACKLIST 
#endif

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

:BLACKLIST - [0:0]

:IN - [0:0]

-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j BLACKLIST 

• test the rule on a host
• run iptables-save to output the canonical form for the rule
• paste the canonical form for the rule in the proper place in template.fpp and
• optionally setting up a filepp conditional around the line that controls when the rule is imposed.

#####P* iptables/snmp, iptables/port/161
### POLICY
### Access list for snmp servers
### APPLIES TO
### all hosts
### SYNOPSIS
### Allow access to snmp servers from cacti and nagios servers.
### DESCRIPTION
### Allow access to port 161 from cacti and nagios servers.
#####
#foreach SNMP_IP SNMP_COLLECTOR_IPS
-A IN -s SNMP_IP -p udp -m udp --dport 161 -j ACCEPT 
#endforeach

#include "filepp.classes"

• a list of the IP's of all the DNS servers
• a list of the IP's of all the SNMP monitoring hosts

# create filepp.classes by concatenating the contents of each
# explicitly named cache file, using the cache file name as the macro
# name to be defined.
filepp.classes: $(per_cache_sum_files) $(ALL_MAKEFILES)
        @[ -n "$$MAKE_DEBUG" ] && set -xv; set -e; \
        for i in $(CACHE_FILES); do \
            echo -n "#define `basename $$i` " >> $@.tmp; \
            tr '\n' ' ' < $$i >> $@.tmp; \
            echo >> $@.tmp; \
          done
        mv $@.tmp $@

# make.sum/filepp.classes build filepp.classes
.sum/filepp.classes: filepp.classes
        @$(UPDATESUM) $@ $?

s1.example.com
s2.example.com
s4.example.com

#define SNMP_COLLECTOR_IPS s1.example.com s2.example.com s4.example.com

.sum/SNMP_COLLECTOR_IPS: .cache/SNMP_COLLECTOR_IPS
        @$(UPDATESUM) $@ $?

.cache/SNMP_COLLECTOR_IPS: $(DB) $(ALL_MAKEFILES)
        $(DBREPORT) -f ip \
           -s 'rdist:/yes/|services:/\bCACTI|NAGIOS[0-9]\b/|isbase:/yes/' \
           $(DB) > $@

dist/%: template.fpp $(ALL_MAKEFILES) .sum/% .sum/filepp.classes
        @echo Building iptables list for $*
        @umask 077; [ -n "$$MAKE_DEBUG" ] && set -xv ; set -e; \
          filepp -w -o $@.tmp -m foreach.pm $(HOST_CACHE)/$* template.fpp && \
          sed -f cleanup.sed  $@.tmp > $@.tmp2
        @mv $@.tmp2 $@
        @rm -f $@.tmp $@.tmp2

• the output file (dist/% for some hostname replaced with %) depends on .sum/filepp.classes.
• .sum/filepp.classes depends on filepp.classes (from the prior makefile snippet)
• filepp.classes depends on .cache/SNMP_COLLECTOR_IPS (indirectly via .sum/SNMP_COLLECTOR_IPS)
• the file .cache/SNMP_COLLECTOR_IPS depends on the database and makefiles.

• allow snmp data collection
• allow dns packets to pass through

7.10.1.3  Collect the Currently Running Config Using DACS/rdist

#foreach HOST FILEPP_FEDORA_HOSTS FILEPP_CENTOS_HOSTS
  # update the iptables file from current kernel config.
firewalls:
$C/.empty_file -> ( HOST ) - ${NOFIREWALL_SLAVES}
        FORCERUN;
        cmdspecial "/etc/config/bin/geniptables-save > \
           /etc/sysconfig/iptables RDIST_SPECIAL_FILTER";

firewalls:
$C/.empty_file -> ( a.example.com ) - ${NOFIREWALL_SLAVES}
        FORCERUN;
        cmdspecial "/etc/config/bin/geniptables-save > \
            /etc/sysconfig/iptables RDIST_SPECIAL_FILTER";

7.10.1.4  Push the DACS configuration file to the remote system/reload service

firewalls:
$C/firewalls/dist/HOST -> ( HOST ) - ${NOFIREWALL_SLAVES}
        SAVEINSTALL(/etc/sysconfig/iptables, 3, compare);
        BACKUP(3);
        cmdspecial "/etc/init.d/iptables restart";
        cmdspecial "/etc/config/bin/local-firewall-restore";
#endforeach

firewalls:
$C/firewalls/dist/a.example.com -> ( a.example.com ) - ${NOFIREWALL_SLAVES}
        SAVEINSTALL(/etc/sysconfig/iptables, 3, compare);
        cmdspecial "/etc/init.d/iptables restart";
        cmdspecial "/etc/config/bin/local-firewall-restore";

• DACS controlled (in /etc/sysconfig/iptables)
• locally controlled (in /etc/sysconfig/iptables.local_rules)

7.10.1.5  Test/Check in the changes

cd /config
sudo env -i /usr/bin/svn up firewalls

7.10.2  Implement file verification rules

• the DACS file is installed in: /tmp/iptables.config rather than /etc/sysconfig/iptables
• then currently running config is dumped to /tmp/iptables.current.

firewalls-verify:
$C/firewalls/dist/host.example.com -> ( host.example.com ) - ${MANUAL_FIREWALL}
                  FORCERUN;
                  install -ocompare /tmp/iptables.config;
                  cmdspecial "umask 077; /etc/config/bin/geniptables-save > \
                         /tmp/iptables.current RDIST_SPECIAL_FILTER";
                  cmdspecial "diff -u /tmp/iptables.current \
                       /tmp/iptables.config; \
                       if [ $? -eq 2 ]; then exit 2; \
                       fi RDIST_SPECIAL_FILTER";

1. push $C/firewalls/dist/host.example.com -> some random file. This is always pushed.
2. push $C/firewalls/dist/host.example.com to /tmp/iptables.config if the files are different. This will push the file only if the client file is different.
3. execute cmdspecial to dump the running config to /etc/sysconfig/iptables.current (and filter this command from the report due to the addition of RDIST_SPECIAL_FILTER). This will always occur due to 1.
4. execute diff. If there are differences, diff exits with exit code 1. Suppress the non-zero exit code unless it exits with exit code 2 (something went wrong, missing file, permissions error etc.)

a.example.com: --- /tmp/iptables.current 2008-12-04 19:46:59.941823400 -0500
a.example.com: +++ /tmp/iptables.config 2008-12-04 19:44:16.904700900 -0500
a.example.com: @@ -30,11 +28,11 @@
a.example.com: -A IN -m state --state RELATED,ESTABLISHED -j ACCEPT 
a.example.com: -A IN -i lo -j ACCEPT 
a.example.com: -A IN -p icmp -m icmp --icmp-type any -j ACCEPT 
a.example.com:--A IN -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT 
a.example.com:+-A IN -s 192.168.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT 
a.example.com: -A IN -s 192.168.12.13 -p udp -m udp --dport 161 -j ACCEPT 
a.example.com: -A IN -s 192.168.9.20 -p udp -m udp --dport 161 -j ACCEPT

7.11  DACS Invocation tips

• the values to the cluster keyword
• the values to the service keyword
• the values to the uses keyword

bysite () 
{   # select by site value in the cluster keyword
    SITE=$1;
    shift;
    HOSTS=`dbreport -l -s "rdist:/yes/|cluster:/${SITE}/" "$@"`;
    if [ -z "$HOSTS" ]; then
        echo "no hosts";
        return 1;
    else
        echo $HOSTS;
    fi
}
bysrv () 
{   # select by service value in the services keyword
    SERVICE=$1;
    shift;
    HOSTS=`dbreport -l -s "rdist:/yes/|services:/${SERVICE}/" "$@"`;
    if [ -z "$HOSTS" ]; then
        echo "no hosts";
        return 1;
    else
        echo $HOSTS;
    fi
}
byuse () 
{   # select by uses value in uses keyword
    USES=$1;
    shift;
    HOSTS=`dbreport -l -s "rdist:/yes/|uses:/${USES}/" "$@"`;
    if [ -z "$HOSTS" ]; then
        echo "no hosts";
        return 1;
    else
        echo $HOSTS;
    fi
}

/config/Rdist ... -m "`bysrv APACHE`" ....

/config/Rdist ... -m "`bysite site_lax1`" ....

/config/Rdist ... -m "`byuse LDAP`" ....

for host in `bysrv SSHD`
do
  ssh $host some command
done

7.12  Renumbering a network and a caution about automation

  [Config Master]  -> [router] -> [client host]

• roll back the configuration in the VCS and put the router back to the way it was before the update to establish connectivity to the client host. Then roll forward the configuration so that the Config master now has the new client configuration to use to update the client host.
• manually reconfigure (which required a trip to a remote site) the client host to re-establish enough connectivity to allow DACS to push a full update.
• manually reconfigure the router (which should still be accessible from the DACS master host I hope) to re-establish connectivity.

• the ability to explicitly order configuration changes
• the ability to stage intermediate configurations
• the ability to verify invalid updates and not apply them

• preserves the high degree of automation without the planning burden associated with having to find an explicit ordering for the updates
• reduces the risk of having incorrect/incomplete configurations caused by lack of automation and storing duplicate information in multiple locations
• eliminates the effort required to write/test/execute validation mechanisms for each individual configuration file and file option before applying them

Chapter 8
Advanced Topics

8.1  Using multiple DACS master trees

• Split production/work
• Redundancy
• Load Distribution
• Test trees (per admin trees)

8.1.1  Split production/work CCM master trees

8.1.2  Redundancy

#if "THISHOST" eq "FILEPP_DACS1_HOSTS"
POSTINSTALL-ACTIONS:
$C/.empty_file -> ${DACS1_HOSTS}
        FORCERUN;
        cmdspecial "for host in FILEPP_DACS2_HOSTS; do \
             rsync -a --delete --delete-excluded --exclude .locked/ \
                -v /config/. $host:/config/. 2>&1; \
             ssh $host touch /config/Config/database/db; done";
#endif

#if "THISHOST" eq "FILEPP_DACS1_HOSTS"
POSTINSTALL-ACTIONS:
$C -> ${DACS2_HOSTS}
   install -o numchowner,numchkgroup,remove,quiet /config;
   except_pat ( .locked )
   cmdspecial "touch /config/Config/database/db";
#endif

• root's  /.ssh/authorized_hosts file
• hosts files

• password and group files
• installed software (filepp, make ...)

POSTINSTALL-ACTIONS:
$C -> ${DACS2_HOSTS}
   FORCERUN;
   cmdspecial "svn up /config";

#if "THISHOST" eq "FILEPP_DACS1_HOSTS"
POSTINSTALL-ACTIONS:
$C/.empty_file -> ( masterhost )
        FORCERUN;
        cmdspecial "for host in FILEPP_DACS2_HOSTS; do \
           rsync -a --delete --delete-excluded --exclude .locked/ \
                 -v /config/. $host:/config/. 2>&1; \
           ssh $host touch /config/Config/database/db; done";
#endif

8.1.3  Load distribution (work in progress)

Distribute:
/tmp/rdistargs -> ${DACSDIST_HOSTS}
   install /tmp/rdistargs;

Distribute:
$C -> ${DACSDIST_HOSTS} & ${site_lax1_C_HOSTS}
   install -o numchowner,numchkgroup,quiet /config.lax1/. ;
   cmdspecial "SUDO_USER=${SUDO_USER}; export SUDO_USER; \
         /config.lax1/Rdist `cat /tmp/rdistargs`";

Distribute:
$C -> ${DACSDIST_HOSTS} & ${site_mia1_C_HOSTS}
   install -o numchowner,numchkgroup,quiet /config.mia1/. ;
   cmdspecial "SUDO_USER=${SUDO_USER}; export SUDO_USER; \
         /config.mia1/Rdist `cat /tmp/rdistargs`";

Distribute:
$C -> ${DACSDIST_HOSTS} & ${DACSMASTER_HOSTS}
   FORCERUN;
   cmdspecial "SUDO_USER=${SUDO_USER}; export SUDO_USER; \
        /config/Rdist `cat /tmp/rdistargs`";

 '^/config.mia1$' => '|cluster:/site_mia1/',

 '^/config$' => '|cluster:/site_nyc1/|cluster:/site_bos1/',

8.1.4  Test trees

    '^/var/DACS/test\$'   => '|services:/TESTHOST/',

		     'the_default'   => '|machine:/NoSuchHost/',

8.2  Handling network devices

1. Have the device create a file with a standard format that records the running configuration and that can be used to load the configuration on reboot.
2. Generate in DACS a copy of the file(s) in 1 from your managed configuration files and build system
3. Run a pre-command from DACS/Rdist that dumps the current state of the service to the file(s) in 1.
4. Set up a DACS rule to compare your generated file (in 2) to the file that was updated in 3. If the compare fails, the file will be overwritten and a command can be executed to implement the new configuration.

127.0.0.1 ciscortr01.example.com.proxy

Machine = ciscortr01.example.com
ip = 192.168.9.1/24
os = IOS 12.3.6
rdist = yes
services = ROUTER
uses = PROXY

• ROUTER_HOSTS
• PROXY_SLAVES
• IOS_HOSTS
• IOS_12.X_HOSTS
• IOS_12.X_HOSTS
• IOS_12.3.X_HOSTS
• IOS_12.3.6_HOSTS

#foreach CISCO FILEPP_PROXY_SLAVES
  #if " FILEPP_IOS_HOSTS " =~ / CISCO / &&  \
      " FILEPP_ROUTER_HOSTS " =~ / CISCO /
  # only applied for PROXY_SLAVES that run IOS and are routers
  #  (i.e. are Cisco routers)
  # pre command to dump the running config
cisco:
$C/cisco/CISCO -> ( CISCO.proxy )
	FORCERUN;
	cmdspecial "/etc/config/bin/cisco-access getrunning \
             /dist/cisco/CISCO.config";
  # if the running config is different from the one in DACS push the
  # DACS version and update the cisco.
cisco:
$C/cisco/CISCO -> ( CISCO.proxy )
	SAVEINSTALL(/dist/cisco/CISCO.config, 10, compare);
        cmdspecial "/etc/config/bin/cisco-access setrunning \
               /dist/cisco/CISCO.config";
        cmdspecial "/etc/config/bin/cisco-access setstartup \
               /dist/cisco/CISCO.config";

  # pre command to dump the running config to some alternate location
cisco-verify:
$C/cisco/CISCO -> ( CISCO.proxy )
	FORCERUN;
	cmdspecial "/etc/config/bin/cisco-access getrunning \
               /dist/cisco/CISCO.config.verify";

  # diff the two Cisco configs if they are different. The version
  # dumped  from the router is in the SAVED file.
cisco-verify:
$C/cisco/CISCO -> ( CISCO.proxy )
	SAVEINSTALL(/dist/cisco/CISCO.config, 10, compare);
        cmdspecial "diff -u
	    /dist/cisco/CISCO.config.verify.SAVED \
            /dist/cisco/CISCO.config.verify";
  #endif
#endforeach

get

gets the configuration in standard form and saves to a file

set

takes the configuration in standard form and loads to the

activate

a command to activate what was installed by the set command if set doesn't activate it immediately.

verify

takes some external information about the device (IOS version, hostname etc) generated from the database and verifies that it is valid.

1. in the database add the keyword proxyhost which will hold the proxy hostname (and it can validate the proxy hostname againt a valid host).
2. change Rdist to substitue for the real hostname the proxyhost name, so it would change Rist -m ciscortr01.example.com to rdist -m ciscortr01.example.com.proxy when it calls rdist(1) internally.

Machine = ciscortr01.example.com.proxy
ip = 127.0.0.1/32
os = NS 4.2
rdist = no
services = PROXY

Chapter 9
Appendices

• inital setup and importation of the DACS distribution
• setting up ssh access between hosts
• creating working trees and CCM master trees
• setting up replication
• links to other documentation

9.1  Importing the DACS repository tree

• services under linux and solaris
• firewalls under linux
• ntp files
• root id_rsa and id_rsa.pub keys
• some additional files

svnadmin create /place/for/repository
cd repository
svn import -m "DACS 2.0 import" file:///place/for/repository

9.1.1  Subversion hook scripts

cd ~dacsuser/repo
rm -rf hooks
svn co file:///home/dacsuser/repo/SVN/hooks .

rm -rf conf
svn co file:///home/dacsuser/repo/SVN/conf .

9.1.2  Finish svn setup

no-agent-forwarding,no-X11-forwarding,no-port-forwarding,
command="/usr/bin/svnserve -t -r ~user --tunnel-user=fred"
ssh-rsa AAAA... ssh public key for fred ...== user_comment

no-agent-forwarding,no-X11-forwarding,no-port-forwarding,
command="/usr/bin/svnserve -t -r ~user --tunnel-user=admin"
ssh-rsa AAAA... ssh public key for admin ...== user_comment

ssh-rsa AAAA... ssh public key for fred ...== user_comment

9.2  Setting up ssh access from the master to clients

9.2.1  Somewhat less secure

• set up each sshd_config file to permit only public key authentication but allow any command to be run.
• set up  root/.ssh/authorized_keys to accept the public key from a limited set of hosts

PermitRootLogin = without-password

no-port-forwarding,no-agent-forwarding,no-X11-forwarding,
from="192.168.10.5,dacs.example.com,localhost,127.0.0.1"
ssh-rsa AAA... ssh public key ...==  root@dacsmaster

1. the connecting ssh client must have the access to the private key that corresponds to the ssh public key.
2. the connection must come from one of the addresses in the from section

9.2.2  Most secure setup

• set up the sshd_config file to permit root authentication via public key that runs a forced command (the rdist client program). This prevents the running of arbitrary commands as root.
• set up  root/.ssh/authorized_keys to accept the public key from a limited set of hosts and run the rdist client as a forced command.

   PermitRootLogin = forced-commands-only

no-port-forwarding,no-agent-forwarding,no-X11-forwarding,
from="192.168.10.5,dacs.example.com,localhost,127.0.0.1",
command="/usr/bin/rdistd -S"
ssh-rsa AAA... ssh public key ...==  root@dacsmaster

1. the connecting ssh client must have access to the private key that corresponds to the ssh public key.
2. the connection must come from one of the addresses in the from section
3. the client must speak the rdist protocol to perform an update or remote command.

9.3  Creating DACS working trees

9.4  Creating DACS CCM master trees

svn co svn+ssh://dacsuser@dacsmaster:/repo/Config/work DACS

sudo svn co svn+ssh://dacsuser@dacsmaster:/repo/Config/work /config

sudo svn co svn+ssh://dacsuser@dacsmaster:/repo/Config/production
/config

sudo svn co svn+ssh://dacsuser@dacsmaster:/repo/Config/work /config.test

 sudo svn co -n svn+ssh://dacsuser@dacsmaster:/repo/Config/work /partial.tree
 sudo svn up  /partial.tree/Config
 sudo svn up /partial.tree/other_dir

9.5  Replicating (synchronizing) DACS svn master repository

• add SVNDACS_STANDBY to the host(s) running the replicas and check-in the change

• manually or using DACS set up the dacsuser account
• copy the existing  dacsuser/.ssh/* files on the master to the replicas  dacsuser/.ssh/ directory
• chown -R dacsuser  dacsuser on the replicas

• svnadmin dump  dacsuser/repo -r 0 > uuid

• svnadmin create  dacsuser/repo
• svnadmin load  dacsuser/repo < uuid
  where uuid is the file generated above.
• chmod 700  dacsuser
  to protect the information in the repository
• ln -s /bin/true  dacsuser/repo/hooks/pre-revprop-change
  this permits the sync operations from the master to work. It will be replaced with the normal hook scripts when the inital synchronization is done. The normal hook scripts could be used but they make the initial synchronization take longer.

• sudo -u dacsuser env -i /usr/bin/svnsync init -non-interactive
  svn+ssh://dacsuser@replica1/repo
  file:///home/dacsuser/repo

• sudo -u dacsuser env -i /usr/bin/svnsync sync -non-interactive
  svn+ssh://dacsuser@replica1/repo

• rm -rf  dacsuser/repo/conf
• rm -rf  dacsuser/repo/hooks
• svn co file:///home/dacsuser/repo/SVN/conf
  /home/dacsuser/repo/conf
• svn co file:///home/dacsuser/repo/SVN/hooks
  /home/dacsuser/repo/hooks

echo "repository is replica" | sudo tee ~dacsuser/repo/conf/LOCKED

9.5.1  Configuring the replicas in SVN

9.5.2  Using replication

9.5.2.1  Switching masters (replica becomes a master)

 sudo env -i /usr/bin/svn switch --relocate \ 
     svn+ssh://dacsuser@dacsmaster svn+ssh://dacsuser@replica1

9.5.2.2  Moving masters

9.6  Other documentation

Chapter 10
Glossary

CCM

acronym for Computer Configuration Management cf. SCM

CNCM

acronym for Computer and Network Configuration Management. Another name for CCM cf. SCM

CCM (repository) tree

see master tree or repository tree.

class

see class variable (rdist) or class macro (filepp)

class variable (rdist)

This is just a normal rdist variable that has contents generated by the DACS class mechanism. It is a space separated list of hostnames that all match some specific criteria.

class macro (filepp)

A space separated list of hostnames all matching some criteria. The naming matches that for "class varibles (rdist)" but with FILEPP_ prepended to the rdist class name.

client

see client host

client host

a system that has files or services managed by DACS.

CMDB

configuration management database

DACS CCM tree

see master tree or repository tree.

DACS server

the system or systems that are allowed root access to a client host to update and manage files on the client.

dacsmaster

a hypothetical host that has the dacsuser account and provides access via ssh to the DACS subversion repository.

dacsuser

a hypothetical account that provides access via ssh to the subversion repository for DACS.

implementer

person responsible for defining new system configurations in DACS. This person defines new tokens in the database and maps files to those configurations.

label

a mechanism to allow selection of rdist stanzas in a Distfile. It is specified on the rdist or Rdist command line: Rdist label1 label2...

master repository

a VCS repository that allows commits from users and is used to update a master tree.

master tree

a copy of the VCS tree done as root that will not have any local modifications done to it. It will not be used for checkins to the VCS. It is used as the master tree from which files are distributed to client machines. Compare to 'working copy'.

replica repository

a VCS repository that receives updates from a master repository and can be used as a master repository if the master repository dies.

repository tree

a generic term for the set of files in a working copy or master tree.

slave repository

see replica repository

SCM

software configuration management cf. CCM

svn

the command used to invoke the subversion VCS. Also used as an abbreviation for subversion.

ticket

trouble ticket/work order/change request ...

target

see target (make) or labels if you are discussing rdist

target (make)

the item that is to be made by the make system. It is specified on the make command line: make target.

VCS

version control system. Either CVS (concurrent versioning system) or subversion.

user

a person who interacts with DACS by running dbreport, Rdist and changing the files that exist under DACS control.

working copy

a copy of the VCS repository checked out as a local user and created for the purpose of performing updates to files and checking those changes into the VCS.

Index

Index (showing section)