diff options
Diffstat (limited to 'doc')
23 files changed, 428 insertions, 329 deletions
diff --git a/doc/_templates/indexsidebar.html b/doc/_templates/indexsidebar.html new file mode 100644 index 000000000..39916315d --- /dev/null +++ b/doc/_templates/indexsidebar.html @@ -0,0 +1,11 @@ +<!-- FIXME: Add download page with pdf/html/txt archives of these documents + <h3>Download</h3> + <p><a href="{{ pathto('download') }}">Download these documents</a></p> +--> + + <h3>Docs for other versions</h3> + <ul> + <li><a href="http://docs.bcfg2.org/1.1/">Bcfg2 1.1 (stable)</a></li> + <li><a href="http://docs.bcfg2.org/1.2/">Bcfg2 1.2 (stable)</a></li> + <li><a href="http://docs.bcfg2.org/dev/">Bcfg2 development documentation</a></li> + </ul> diff --git a/doc/appendix/guides/centos.txt b/doc/appendix/guides/centos.txt index a4be1a6d9..50334ccbc 100644 --- a/doc/appendix/guides/centos.txt +++ b/doc/appendix/guides/centos.txt @@ -4,43 +4,31 @@ .. _appendix-guides-centos: -=========================================== -CentOS, Scientific Linux, other RHEL clones -=========================================== +===================== +Quickstart for CentOS +===================== -This is a complete getting started guide for CentOS, Scientific Linux, other -Red Hat Enterprise Linux clones. With this document you should be able to -install and configure a Bcfg2 server and a Bcfg2 client. +This is a complete getting started guide for CentOS. With this document +you should be able to install a Bcfg2 server and a Bcfg2 client. Install Bcfg2 ============= -The fastest way to get Bcfg2 onto your system is to use Yum or your preferred -package management tool. In this quide the packages that are distributed -through EPEL_, but depending on your aversion to risk you could download an -RPM from other places as well. See -:ref:`getting_started-using_bcfg2-with-centos` for information about building -Bcfg2 from source and making your own packages. +The fastest way to get Bcfg2 onto your system is to use Yum or +your preferred package management tool. We'll be using the ones +that are distributed through EPEL_, but depending on your aversion +to risk you could download an RPM from other places as well. See +:ref:`getting_started-using_bcfg2-with-centos` for information about +building Bcfg2 from source and making your own packages. Using EPEL ---------- -.. warning:: - - EPEL has outdated versions of the server package for CentOS 5 and - earlier. This guide is intended to be used with versions 1.0.0 and - higher. Please consider building a newer RPM if you are following - this guide. - Make sure EPEL_ is a valid repository on your server. The `instructions <http://fedoraproject.org/wiki/EPEL/FAQ#howtouse>`_ on how to do this basically say:: -EPEL_ for 5.x :: - [root@config ~]# rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm - -EPEL_ for 6.x :: - [root@config ~]# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-5.noarch.rpm + [root@centos ~]# rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm .. note:: @@ -49,7 +37,7 @@ EPEL_ for 6.x :: Install the bcfg2-server and bcfg2 RPMs:: - [root@config ~]# yum install bcfg2-server bcfg2 + [root@centos ~]# yum install bcfg2-server bcfg2 Your system should now have the necessary software to use Bcfg2. The next step is to set up your Bcfg2 :term:`repository`. @@ -65,8 +53,8 @@ is a tool which allows you to automate this:: Store bcfg2 configuration in [/etc/bcfg2.conf]: Location of bcfg2 repository [/var/lib/bcfg2]: Input password used for communication verification (without echoing; leave blank for a random): - What is the server's hostname: [config.your.network] - Input the server location [https://config.your.network:6789]: + What is the server's hostname: [centos] + Input the server location [https://centos:6789]: Input base Operating System for clients: 1: Redhat/Fedora/RHEL/RHAS/Centos 2: SUSE/SLES @@ -82,7 +70,7 @@ is a tool which allows you to automate this:: writing new private key to '/etc/bcfg2.key' ----- Signature ok - subject=/C=US=ST=Illinois/L=Argonne/CN=config.your.network + subject=/C=US=ST=Illinois/L=Argonne/CN=centos Getting Private key Repository created successfuly in /var/lib/bcfg2 @@ -114,20 +102,20 @@ Run bcfg2 to be sure you are able to communicate with the server:: Excluding Packages in global exclude list Finished Loaded tool drivers: - Action Chkconfig POSIX YUMng + Action Chkconfig POSIX YUMng Phase: initial - Correct entries: 0 - Incorrect entries: 0 - Total managed entries: 0 - Unmanaged entries: 208 + Correct entries: 0 + Incorrect entries: 0 + Total managed entries: 0 + Unmanaged entries: 208 Phase: final - Correct entries: 0 - Incorrect entries: 0 - Total managed entries: 0 - Unmanaged entries: 208 + Correct entries: 0 + Incorrect entries: 0 + Total managed entries: 0 + Unmanaged entries: 208 No ca is specified. Cannot authenticate the server with SSL. @@ -159,20 +147,20 @@ Now if you run the client, no more warning:: Excluding Packages in global exclude list Finished Loaded tool drivers: - Action Chkconfig POSIX YUMng + Action Chkconfig POSIX YUMng Phase: initial - Correct entries: 0 - Incorrect entries: 0 - Total managed entries: 0 - Unmanaged entries: 208 + Correct entries: 0 + Incorrect entries: 0 + Total managed entries: 0 + Unmanaged entries: 208 Phase: final - Correct entries: 0 - Incorrect entries: 0 - Total managed entries: 0 - Unmanaged entries: 208 + Correct entries: 0 + Incorrect entries: 0 + Total managed entries: 0 + Unmanaged entries: 208 Bring your first machine under Bcfg2 control ============================================ @@ -185,7 +173,7 @@ Setup the :ref:`server-plugins-generators-packages` plugin ---------------------------------------------------------- First, replace **Pkgmgr** with **Packages** in the plugins -line of ``bcfg2.conf``. Then create Packages layout (as per +line of ``bcfg2.conf``. Then create Packages layout (as per :ref:`packages-exampleusage`) in ``/var/lib/bcfg2`` .. note:: I am using the RawURL syntax here since we are using `mrepo`_ @@ -303,30 +291,30 @@ Now if we run the client, we can see what this has done for us.:: Excluding Packages in global exclude list Finished Loaded tool drivers: - Action Chkconfig POSIX YUMng + Action Chkconfig POSIX YUMng Package pam failed verification. Phase: initial - Correct entries: 94 - Incorrect entries: 1 - Total managed entries: 95 - Unmanaged entries: 113 + Correct entries: 94 + Incorrect entries: 1 + Total managed entries: 95 + Unmanaged entries: 113 In dryrun mode: suppressing entry installation for: Package:pam Phase: final - Correct entries: 94 - Incorrect entries: 1 + Correct entries: 94 + Incorrect entries: 1 Package:pam - Total managed entries: 95 - Unmanaged entries: 113 + Total managed entries: 95 + Unmanaged entries: 113 Interesting, our **pam** package failed verification. What does this mean? Let's have a look:: [root@centos ~]# rpm --verify pam - ....L... c /etc/pam.d/system-auth + ....L... c /etc/pam.d/system-auth Sigh, it looks like the default RPM install for pam fails to verify using its own verification process (trust me, it's not the only one). At @@ -348,23 +336,23 @@ entries?:: Excluding Packages in global exclude list Finished Loaded tool drivers: - Action Chkconfig POSIX YUMng + Action Chkconfig POSIX YUMng Extra Package openssh-clients 4.3p2-36.el5_4.4.x86_64. Extra Package libuser 0.54.7-2.1el5_4.1.x86_64. ... Phase: initial - Correct entries: 95 - Incorrect entries: 0 - Total managed entries: 95 - Unmanaged entries: 113 + Correct entries: 95 + Incorrect entries: 0 + Total managed entries: 95 + Unmanaged entries: 113 Phase: final - Correct entries: 95 - Incorrect entries: 0 - Total managed entries: 95 - Unmanaged entries: 113 + Correct entries: 95 + Incorrect entries: 0 + Total managed entries: 95 + Unmanaged entries: 113 Package:at Package:avahi Package:avahi-compat-libdns_sd @@ -406,22 +394,22 @@ package:: Excluding Packages in global exclude list Finished Loaded tool drivers: - Action Chkconfig POSIX YUMng + Action Chkconfig POSIX YUMng Extra Package gpg-pubkey e8562897-459f07a4.None. Extra Package gpg-pubkey 217521f6-45e8a532.None. Phase: initial - Correct entries: 187 - Incorrect entries: 0 - Total managed entries: 187 - Unmanaged entries: 16 + Correct entries: 187 + Incorrect entries: 0 + Total managed entries: 187 + Unmanaged entries: 16 Phase: final - Correct entries: 187 - Incorrect entries: 0 - Total managed entries: 187 - Unmanaged entries: 16 + Correct entries: 187 + Incorrect entries: 0 + Total managed entries: 187 + Unmanaged entries: 16 Package:gpg-pubkey Service:atd Service:avahi-daemon @@ -574,20 +562,20 @@ Now we run the client and see there are no more unmanaged entries!:: Excluding Packages in global exclude list Finished Loaded tool drivers: - Action Chkconfig POSIX YUMng + Action Chkconfig POSIX YUMng Phase: initial - Correct entries: 205 - Incorrect entries: 0 - Total managed entries: 205 - Unmanaged entries: 0 + Correct entries: 205 + Incorrect entries: 0 + Total managed entries: 205 + Unmanaged entries: 0 Phase: final - Correct entries: 205 - Incorrect entries: 0 - Total managed entries: 205 - Unmanaged entries: 0 + Correct entries: 205 + Incorrect entries: 0 + Total managed entries: 205 + Unmanaged entries: 0 .. warning:: diff --git a/doc/appendix/guides/fedora.txt b/doc/appendix/guides/fedora.txt index 9d11414ef..f8dea2192 100644 --- a/doc/appendix/guides/fedora.txt +++ b/doc/appendix/guides/fedora.txt @@ -155,8 +155,6 @@ The ``bcfg2.conf`` file contains only standard plugins so far. database_host = # Not used with sqlite3. database_port = - # Set to empty string for default. Not used with sqlite3. - web_debug = True [communication] protocol = xmlrpc/ssl diff --git a/doc/appendix/guides/gentoo.txt b/doc/appendix/guides/gentoo.txt index d635e310b..da4acef19 100644 --- a/doc/appendix/guides/gentoo.txt +++ b/doc/appendix/guides/gentoo.txt @@ -16,28 +16,38 @@ let the list know if you find errors or omissions. Installing Bcfg2 ================ -Early in July 2008, Bcfg2 was added to the Gentoo portage tree. So far -it's only keyworded for ~x86, but we hope to see it soon in the amd64 and -x64-solaris ports. If you're using Gentoo on some other architecture, it -should still work provided that you have a reasonably up to date Python; -try adding `app-admin/bcfg2 ~*` to your `/etc/portage/package.keywords` -file. +Early in July 2008, Bcfg2 was added to the Gentoo portage tree. If you don't use portage to install Bcfg2, you'll want to make sure you have all the prerequisites installed first. For a server, you'll need: -* ``app-admin/gamin`` or ``app-admin/fam`` +* ``dev-libs/libgamin[python]`` * ``dev-python/lxml`` Clients will need at least: * ``app-portage/gentoolkit`` +Portage installs from source +============================ + +.. versionadded:: 1.3.0 + +By default the client will run with the ``--gitbinpkgonly`` option. If +you want your client to install packages from source (rather than +having a binary build host as seen below), you can set the following in +``/etc/bcfg2.conf``.:: + + [Portage] + binpkgonly = false + Package Repository ================== +.. note: This is only necessary for using binary packages. + You’ll need (to make) at least one archive of binary packages. The -Portage driver calls ``emerge`` with the ``-getbinpkgonly`` option. See +Portage driver calls ``emerge`` with the ``--getbinpkgonly`` option. See :manpage:`make.conf(5)` and :manpage:`emerge(1)` manpages, specifically the :envvar:`PORTAGE_BINHOST` environment variable. @@ -109,60 +119,17 @@ Configuring Client Machines Set up ``/etc/bcfg2.conf`` the way you would for any other Bcfg2 client. In ``make.conf``, set *PORTAGE_BINHOST* to point to the URI of -your package repository. You may want to create versions of +your package repository. You may want to create versions of ``make.conf`` for each package repository you maintain, with appropriate *PORTAGE_BINHOST* URI's in each, and associated with that package archive's group under ``Cfg`` -- for example, we have -``Cfg/etc/make.conf/make.conf.G99_gentoo-200701-vmware``. If a client +``Cfg/etc/make.conf/make.conf.G99_gentoo-200701-vmware``. If a client host switches groups, and the new group needs a different set of packages, everything should just fall into place. Pitfalls ======== -Package Verification Issues ---------------------------- - -As of this writing (2007/01/31), we're aware of a number of packages -marked stable in the Gentoo x86 tree which, for one reason or another, -consistently fail to verify cleanly under ``equery check``. In some cases -(pam, openldap), files which don't (ever) exist on the system are -nonetheless recorded in the package database; in some (python, Bcfg2, -ahem), whole classes of files (.pyc and .pyo files) consistently fail -their md5sum checks; and in others, the problem appears to be a -discrepancy in the way that symlinks are created vs. the way they're -recorded in the database. For example, in the OpenSSH package, -/usr/bin/slogin is a symlink to ./ssh, but equery expects it to point to -an unadorned ssh. An analogous situation exists with their manpages, -leading to noise like this:: - - # equery check openssh - [ Checking net-misc/openssh-4.5_p1 ] - !!! /etc/ssh/sshd_config has incorrect md5sum - !!! /usr/bin/slogin does not point to ssh - !!! /usr/share/man/man1/slogin.1.gz does not point to ssh.1.gz - !!! /etc/ssh/ssh_config has incorrect md5sum - * 62 out of 66 files good - -We can ignore the lines for ``ssh_config`` and ``sshd_config``; those will -be caught by Bcfg2 as registered config files and handled appropriately. - -Because Bcfg2 relies on the client system's native package reporting -tool to judge the state of installed packages, complaints like these -about trivial or intractable verification failures can trigger unnecessary -bundle reinstalls when the Bcfg2 client runs. Bcfg2 will catch on after a -pass or two that the situation isn't getting any better with repeated -package installs, stop trying, and list those packages as "bad" in -the client system's statistics. - -Aside from filing bugs with the Gentoo package maintainers, your narrator -has been unable to come up with a good approach to this. Maybe write a -series of ``Rules`` definitions according to what the package database -thinks it should find, and/or stage copies of affected files under -``Cfg``, and associate those rules and files with the affected package in -a bundle? Annoying but possibly necessary if you want your stats file -to look good. - /boot ----- diff --git a/doc/appendix/guides/ubuntu.txt b/doc/appendix/guides/ubuntu.txt index fe5564d19..f72247220 100644 --- a/doc/appendix/guides/ubuntu.txt +++ b/doc/appendix/guides/ubuntu.txt @@ -133,8 +133,6 @@ Replace Pkgmgr with Packages in the plugins line of ``bcfg2.conf``:: database_host = # Not used with sqlite3. database_port = - # Set to empty string for default. Not used with sqlite3. - web_debug = True [communication] protocol = xmlrpc/ssl @@ -156,7 +154,7 @@ Create Packages layout (as per :ref:`packages-exampleusage`) in [global] root@lucid:~# cat /var/lib/bcfg2/Packages/sources.xml <Sources> - <Group name="lucid"> + <Group name="ubuntu-lucid"> <Source type="apt" url="http://archive.ubuntu.com/ubuntu" version="lucid"> <Component>main</Component> <Component>multiverse</Component> diff --git a/doc/appendix/guides/web-reports-install.txt b/doc/appendix/guides/web-reports-install.txt index 7ec7efb4e..f6a588692 100644 --- a/doc/appendix/guides/web-reports-install.txt +++ b/doc/appendix/guides/web-reports-install.txt @@ -176,8 +176,6 @@ then have something like this:: database_host = # Not used with sqlite3. database_port = - # Set to empty string for default. Not used with sqlite3. - web_debug = True Restart apache and point a browser to your Bcfg2 server. diff --git a/doc/client/tools/yumng.txt b/doc/client/tools/yumng.txt index c2e9161a1..54003aea1 100644 --- a/doc/client/tools/yumng.txt +++ b/doc/client/tools/yumng.txt @@ -142,7 +142,8 @@ To compile and install prelink, execute:: in the rpmtools directory. The elfutils-libelf-devel package is required for the compilation. -There are Centos x86_64 RPMs here ftp://ftp.mcs.anl.gov/pub/bcfg/redhat/ +There are Centos x86_64 RPMs here +ftp://ftp.mcs.anl.gov/pub/bcfg/archive/redhat/ Configuration and Usage ======================= diff --git a/doc/conf.py b/doc/conf.py index 96d2d715d..5903b009a 100644 --- a/doc/conf.py +++ b/doc/conf.py @@ -55,7 +55,7 @@ else: # The short X.Y version. version = '1.2' # The full version, including alpha/beta/rc tags. -release = '1.2.0' +release = '1.2.2' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. @@ -104,7 +104,9 @@ html_theme = 'default' # Theme options are theme-specific and customize the look and feel of a theme # further. For a list of options available for each theme, see the # documentation. -#html_theme_options = {} +html_theme_options = { + "collapsiblesidebar": "true" +} # Add any paths that contain custom themes here, relative to this directory. #html_theme_path = [] @@ -139,7 +141,9 @@ html_last_updated_fmt = '%b %d, %Y' #html_use_smartypants = True # Custom sidebar templates, maps document names to template names. -#html_sidebars = {} +html_sidebars = { + 'index': 'indexsidebar.html' +} # Additional templates that should be rendered to pages, maps page names to # template names. diff --git a/doc/development/index.txt b/doc/development/index.txt index 352000dc8..2a54bfad8 100644 --- a/doc/development/index.txt +++ b/doc/development/index.txt @@ -39,3 +39,4 @@ git access. Mail the :ref:`help-mailinglist` for details. testing documentation docstyleguide + unit-testing diff --git a/doc/development/plugins.txt b/doc/development/plugins.txt index 15b512365..b2b70f553 100644 --- a/doc/development/plugins.txt +++ b/doc/development/plugins.txt @@ -164,7 +164,6 @@ Example Connector Bcfg2.Server.Plugin.Connector): '''The Foo plugin is here to illustrate a barebones connector''' name = 'Foo' - version = '$Revision: $' experimental = True def __init__(self, core, datastore): @@ -195,13 +194,10 @@ do so. We will call our new plugin `MyMetadata`. .. code-block:: python - __revision__ = '$Revision$' - import Bcfg2.Server.Plugins.Metadata class MyMetadata(Bcfg2.Server.Plugins.Metadata.Metadata): '''This class contains data for bcfg2 server metadata''' - __version__ = '$Id$' __author__ = 'bcfg-dev@mcs.anl.gov' def __init__(self, core, datastore, watch_clients=True): diff --git a/doc/development/setup.txt b/doc/development/setup.txt index e9fc6e1e5..b04bce3fe 100644 --- a/doc/development/setup.txt +++ b/doc/development/setup.txt @@ -12,13 +12,8 @@ Checking Out a Copy of the Code git clone git://git.mcs.anl.gov/bcfg2.git -* Create link to :file:`src/lib`:: - - cd bcfg2 - ln -s src/lib Bcfg2 - * Add :file:`bcfg2/src/sbin` to your :envvar:`PATH` environment variable -* Add :file:`bcfg2` to your :envvar:`PYTHONPATH` environment variable +* Add :file:`bcfg2/src/lib` to your :envvar:`PYTHONPATH` environment variable Using a Virtual Environment for Development diff --git a/doc/development/unit-testing.txt b/doc/development/unit-testing.txt new file mode 100644 index 000000000..30217dcc5 --- /dev/null +++ b/doc/development/unit-testing.txt @@ -0,0 +1,25 @@ +.. -*- mode: rst -*- + +.. _development-unit-testing: + +================== +Bcfg2 unit testing +================== + +.. _Python Mock Module: http://python-mock.sourceforge.net/ +.. _Python Nose: http://readthedocs.org/docs/nose/en/latest/ + +You will first need to install the `Python Mock Module`_ and `Python +Nose`_ modules. You can then run the existing tests with the +following.:: + + cd testsuite + nosetests + +You should see output something like the following:: + + .................................................. + ---------------------------------------------------------------------- + Ran 50 tests in 0.121s + + OK diff --git a/doc/glossary.txt b/doc/glossary.txt index 5455e9ced..06f67dab9 100644 --- a/doc/glossary.txt +++ b/doc/glossary.txt @@ -33,8 +33,6 @@ Glossary profile A special type of group that a client is explicitly assigned to. - structure - repository A collection of folders and files that together define the configurations that Bcfg2 applies to clients. The repository diff --git a/doc/installation/source.txt b/doc/installation/source.txt index 3ea0404ad..1406a5ceb 100644 --- a/doc/installation/source.txt +++ b/doc/installation/source.txt @@ -2,6 +2,7 @@ .. _GPG1: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x75BF2C177F7D197E .. _GPG2: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x80B8492FA88FFF4B +.. _Download: http://trac.mcs.anl.gov/projects/bcfg2/wiki/Download .. _source: @@ -14,7 +15,7 @@ Download Tarball ^^^^^^^ -The Bcfg2 source tarball can be grabbed from the Download_ page. +The Bcfg2 source tarball can be grabbed from the `Download`_ page. All tarballs are signed with GPG keys `7F7D197E <GPG1>`_ or `A88FFF4B <GPG2>`_. You can verify your download by importing the keys and running :: diff --git a/doc/reports/dynamic.txt b/doc/reports/dynamic.txt index 4c75cce32..07763922c 100644 --- a/doc/reports/dynamic.txt +++ b/doc/reports/dynamic.txt @@ -71,6 +71,15 @@ Apache configuration for web-based reports by adding a **web_prefix** setting in the [statistics] section of your ``bcfg2.conf``. +.. warning:: + + When running with SELINUX enabled, you can have potential problems + with the WSGISocketPrefix. One solution that works without too much + trouble is modifying your prefix so that it is located in a standard + location:: + + WSGISocketPrefix /var/run/httpd/wsgi + An example site config is included below:: <IfModule mod_wsgi.c> diff --git a/doc/server/plugins/connectors/templatehelper.txt b/doc/server/plugins/connectors/templatehelper.txt new file mode 100644 index 000000000..24d7f18b5 --- /dev/null +++ b/doc/server/plugins/connectors/templatehelper.txt @@ -0,0 +1,74 @@ +.. -*- mode: rst -*- + +.. _server-plugins-connectors-templatehelper: + +============== +TemplateHelper +============== + +The TemplateHelper plugin is a connector plugin that adds Python +classes and methods to client metadata instances for use in +templates. This allows you to easily reuse code that is common +amongst multiple templates and add convenience methods. + +Using TemplateHelper +==================== + +First, ``mkdir /var/lib/bcfg2/TemplateHelper`` and add +**TemplateHelper** to your ``plugins`` line in ``/etc/bcfg2.conf``. +Restart ``bcfg2-server``. + +Now, any ``.py`` file placed in ``/var/lib/bcfg2/TemplateHelper/`` +will be read and added to matching client metadata objects. See +:ref:`writing-templatehelpers` below for more information on how to +write TemplateHelper scripts. + +TemplateHelper supports group- and host-specific helpers, so you could +create, e.g., ``foo.py.G80_test`` to create a helper that only applied +to machines in the group ``test``. + +.. _writing-templatehelpers: + +Writing Helpers +=============== + +A helper module is just a Python module with three special conditions: + +* The filename must end with ``.py`` (before any specificity + strings, e.g., ``.G80_foo`` or ``.H_blah.example.com`` +* The module must have an attribute, ``__export__``, that lists all of + the classes, functions, variables, or other symbols you wish to + export from the module. +* ``data``, ``handle_event``, ``name``, and ``specific`` are reserved + names. You should not include symbols with a reserved name in + ``__export__``. Additionally, including symbols that start with an + underscore or double underscore is bad form, and may also produce + errors. + +See ``examples/TemplateHelper`` for examples of helper modules. + +Usage +===== + +Specific helpers can be referred to in +templates as ``metadata.TemplateHelper[<modulename>]``. That accesses +a HelperModule object will has, as attributes, all symbols listed in +``__export__``. For example, consider this helper module:: + + __export__ = ["hello"] + + def hello(metadata): + return "Hello, %s!" % metadata.hostname + +To use this in a TGenshi template, we could do:: + + ${metadata.TemplateHelper['hello'].hello(metadata)} + +The template would produce:: + + Hello, foo.example.com! + +Note that the client metadata object is not passed to a helper module +in any magical way; if you want to access the client metadata object +in a helper function or class, you must pass the object to the +function manually. diff --git a/doc/server/plugins/generators/packages.txt b/doc/server/plugins/generators/packages.txt index 555f7ac97..42efd35a1 100644 --- a/doc/server/plugins/generators/packages.txt +++ b/doc/server/plugins/generators/packages.txt @@ -8,11 +8,12 @@ Packages .. versionadded:: 1.0.0 -Packages is an alternative to :ref:`Pkgmgr <server-plugins-generators-pkgmgr>` - for specifying package entries for clients. Where Pkgmgr explicitly -specifies package entry information, Packages delegates control of package -version information to the underlying package manager, installing the latest -version available through those channels. +This page documents the Packages plugin. Packages is an alternative to +:ref:`Pkgmgr <server-plugins-generators-pkgmgr>` for specifying package +entries for clients. Where Pkgmgr explicitly specifies package entry +information, Packages delegates control of package version information to +the underlying package manager, installing the latest version available +through those channels. .. _server-plugins-generators-packages-magic-groups: @@ -33,29 +34,29 @@ member clients. +--------+----------+--------------+ | Source | OS Group | Architecture | +========+==========+==============+ -| Apt | debian | i386 | +| Apt | debian | i386 | +--------+----------+--------------+ -| Apt | ubuntu | amd64 | +| Apt | ubuntu | amd64 | +--------+----------+--------------+ -| Apt | nexenta | | +| Apt | nexenta | | +--------+----------+--------------+ -| Apt | apt | | +| Apt | apt | | +--------+----------+--------------+ -| Yum | redhat | i386 | +| Yum | redhat | i386 | +--------+----------+--------------+ -| Yum | centos | x86_64 | +| Yum | centos | x86_64 | +--------+----------+--------------+ -| Yum | fedora | | +| Yum | fedora | | +--------+----------+--------------+ -| Yum | yum | | +| Yum | yum | | +--------+----------+--------------+ -.. note:: +.. note:: .. versionadded:: 1.2.0 Magic OS groups can be disabled in Bcfg2 1.2 and greater by setting - ``magic_groups`` to ``0`` in ``Packages/packages.conf``. This may + ``magic_groups`` to ``0`` in ``Packages/packages.conf``. This may give you greater flexibility in determining which source types to use for which OSes. Magic architecture groups cannot be disabled. @@ -64,10 +65,10 @@ Limiting sources to groups ========================== ``Packages/sources.xml`` processes ``<Group>`` and ``<Client>`` tags -just like Bundles. In addition to any groups or clients specified +just like Bundles. In addition to any groups or clients specified that way, clients must be a member of the appropriate architecture group as specified in a -Source stanza. In total, in order for a source to be associated with +Source stanza. In total, in order for a source to be associated with a client, the client must be in one of the magic groups (debian, ubuntu, or nexenta), any explicit groups or clients specified in ``sources.xml``, and any specified architecture groups. @@ -129,12 +130,12 @@ Dependency resolution can be disabled by adding this to ``Packages/packages.conf`` in the ``global`` section:: [global] - resolver=disabled + resolver=0 All metadata processing can be disabled as well:: [global] - metadata=disabled + metadata=0 Blacklisting faulty dependencies -------------------------------- @@ -145,7 +146,7 @@ future releases. In the meantime, you can work around this issue by blacklisting the offending Package in your Sources. The blacklist element should immediately follow the Component section of your source and should look like the following:: - .. code-block:: xml + <Blacklist>unwanted-packagename</Blacklist> If you use the built-in :ref:`Yum config generator @@ -157,10 +158,12 @@ Handling GPG Keys .. versionadded:: 1.2.0 -Packages can automatically handle GPG signing keys for Yum and Pulp -repositories. Simply specify the URL to the GPG key(s) for a -repository in ``sources.xml``:: - .. code-block:: xml +If you have yum libraries installed, Packages can automatically handle +GPG signing keys for Yum and Pulp repositories. (You do not need to +use the native yum resolver; if yum libraries are available, GPG +signing keys can be handled automatically.) Simply specify the URL to +the GPG key(s) for a repository in ``sources.xml``:: + <Source type="yum" rawurl="http://mirror.example.com/centos6-x86_64/RPMS.os"> <Arch>x86_64</Arch> @@ -182,11 +185,9 @@ REST API. Example usage ============= -APT ---- Create a ``sources.xml`` file in the Packages directory that looks something like this:: - .. code-block:: xml + <Sources> <Group name="ubuntu-intrepid"> <Source type="apt" @@ -204,24 +205,31 @@ something like this:: .. versionadded:: 1.1.0 - The default behavior of the Packages plugin is to not make - any assumptions about which packages you want to have added - automatically. For that reason, neither **Recommended** nor - **Suggested** packages are added as dependencies by default. You - will notice that the default behavior for apt is to add Recommended - packages as dependencies. You can configure the Packages plugin to - add recommended packages by adding the ``recommended`` attribute, - e.g.: + The default behavior of the Packages plugin is to not make any + assumptions about which packages you want to have added automatically + [#f1]_. For that reason, neither **Recommended** nor **Suggested** + packages are added as dependencies by default. You will notice + that the default behavior for apt is to add Recommended packages as + dependencies. You can configure the Packages plugin to add recommended + packages by adding the ``recommended`` attribute, e.g.: .. code-block:: xml <Source type="apt" recommended="true" ...> -YUM ---- + .. warning:: You must regenerate the Packages cache when adding or + removing the recommended attribute. + + .. [#f1] Bcfg2 will by default add **Essential** packages to the + client specification. You can disable this behavior by + setting the ``essential`` attribute to *false*: -Yum sources can be similarly specified:: .. code-block:: xml + + <Source type="apt" essential="false" ...> + +Yum sources can be similarly specified:: + <Sources> <Group name="centos-5.2"> <Source type="yum" @@ -240,13 +248,9 @@ Yum sources can be similarly specified:: For sources with a **URL** attribute, the **Version** attribute is also necessary. -Pulp ----- - :ref:``Pulp sources <pulp-source-support>`` are very simple to specify due to the amount of data that can be queried from Pulp itself:: - .. code-block:: xml <Sources> <Group name="centos-6-x86_64"> <Source type="yum" pulp_id="centos-6-x86_64-os"/> @@ -255,19 +259,18 @@ due to the amount of data that can be queried from Pulp itself:: </Group> </Sources> -Raw URLs --------- -For specifying sources that don't follow the conventional layout, the rawurl -attribute is useful:: +.. note:: There is also a rawurl attribute for specifying sources that + don't follow the conventional layout. - .. code-block:: xml - <Sources> - <Group name="centos5.4"> - <Source type="yum" - rawurl="http://mrepo.ices.utexas.edu/centos5-x86_64/RPMS.os"> - <Arch>x86_64</Arch> - </Source> - <Source type="yum" + .. code-block:: xml + + <Sources> + <Group name="centos5.4"> + <Source type="yum" + rawurl="http://mrepo.ices.utexas.edu/centos5-x86_64/RPMS.os"> + <Arch>x86_64</Arch> + </Source> + <Source type="yum" rawurl="http://mrepo.ices.utexas.edu/centos5-x86_64/RPMS.updates"> <Arch>x86_64</Arch> </Source> @@ -278,19 +281,20 @@ attribute is useful:: </Group> </Sources> - .. code-block:: xml - <Sources> - <Group name="ubuntu-lucid"> - <Source type="apt" - rawurl="http://hudson-ci.org/debian/binary"> - <Arch>amd64</Arch> - </Source> - <Source type="apt" - rawurl=http://hudson-ci.org/debian/binary"> - <Arch>i386</Arch> - </Source> - </Group> - </Sources> + .. code-block:: xml + + <Sources> + <Group name="ubuntu-lucid"> + <Source type="apt" + rawurl="http://hudson-ci.org/debian/binary"> + <Arch>amd64</Arch> + </Source> + <Source type="apt" + rawurl=http://hudson-ci.org/debian/binary"> + <Arch>i386</Arch> + </Source> + </Group> + </Sources> Configuration Updates ===================== @@ -338,7 +342,7 @@ updated. Availability ============ -Support for clients using yum and apt is currently available. Support for +Support for clients using yum and apt is currently available. Support for other package managers (Portage, Zypper, IPS, etc) remain to be added. Validation @@ -354,7 +358,7 @@ Limitations Packages does not do traditional caching as other plugins do. Modifying sources in the Packages ``sources.xml`` file requires a -server restart for the time being. You do not have to restart the +server restart for the time being. You do not have to restart the server after changing ``packages.conf`` or after adding new sources to ``sources.xml``. @@ -364,7 +368,6 @@ Package Checking and Verification In order to do disable per-package verification Pkgmgr style, you will need to use :ref:`BoundEntries <boundentries>`, e.g.:: - .. code-block:: xml <BoundPackage name="mem-agent" priority="1" version="auto" type="yum" verify="false"/> @@ -388,9 +391,9 @@ Then add the corresponding Path entry to your Yum bundle. .. versionadded:: 1.1.0 APT repository information can be generated automatically from -software sources using :doc:`./tgenshi/index` or :doc:`./tcheetah`. A +software sources using :doc:`./tgenshi/index` or :doc:`./tcheetah`. A list of source urls are exposed in the client's metadata as -``metadata.Packages.sources``. E.g.:: +``metadata.Packages.sources``. E.g.:: # bcfg2 maintained apt @@ -408,7 +411,7 @@ Using Native Yum Libraries By default, Bcfg2 uses an internal implementation of Yum's dependency resolution and other routines so that the Bcfg2 server can be run on a -host that does not support Yum itself. If you run the Bcfg2 server on +host that does not support Yum itself. If you run the Bcfg2 server on a machine that does have Yum libraries, however, you can enable use of those native libraries in Bcfg2 by setting ``use_yum_libraries`` to ``1`` in the ``[yum]`` section of ``Packages/packages.conf``. @@ -422,7 +425,7 @@ Benefits to this include: Drawbacks include: -* More disk I/O. In some cases, you may have to raise the open file +* More disk I/O. In some cases, you may have to raise the open file limit for the user who runs your Bcfg2 server process, particularly if you have a lot of repositories. * Resolution of package dependencies is slower in some cases, @@ -437,8 +440,8 @@ Configuring the Yum Helper Due to poor memory management by the Yum API, the long-lived bcfg2-server process uses an external short-lived helper, ``bcfg2-yum-helper``, to do the actual Yum API calls for native yum -library support. By default, Bcfg2 looks for this helper at -``/usr/sbin/bcfg2-yum-helper``. If you have installed the helper +library support. By default, Bcfg2 looks for this helper at +``/usr/sbin/bcfg2-yum-helper``. If you have installed the helper elsewhere, you will need to configure that location with the ``helper`` option in the ``[yum]`` section, e.g.:: @@ -452,11 +455,11 @@ Setting Yum Options In ``Packages/packages.conf``, any options you set in the ``[yum]`` section other than ``use_yum_libraries`` and ``helper`` will be passed along verbatim to the configuration of the Yum objects used in the -Bcfg2 server. The following options are set by default, and should +Bcfg2 server. The following options are set by default, and should not generally be overridden: * ``cachedir`` is set to a hashed value unique to each distinct Yum - configuration. Don't set this unless you know what you're doing. + configuration. Don't set this unless you know what you're doing. * ``keepcache`` is set to ``0``; there is no benefit to changing this. * ``sslverify`` is set to ``0``; change this if you know what you're doing. @@ -466,18 +469,18 @@ not generally be overridden: Package Groups -------------- -Yum package groups are supported by the native Yum libraries. To +Yum package groups are supported by the native Yum libraries. To include a package group, use the ``group`` attribute of the -``Package`` tag. You can use either the short group ID or the long +``Package`` tag. You can use either the short group ID or the long group name:: - .. code-block:: xml + <Package group="SNMP Support"/> <Package group="system-management-snmp"/> By default, only those packages considered the "default" packages in a -group will be installed. You can change this behavior using the +group will be installed. You can change this behavior using the "type" attribute:: - .. code-block:: xml + <Package group="development" type="optional"/> <Package group="Administration Tools" type="mandatory"/> @@ -489,7 +492,7 @@ Valid values of "type" are: including mandatory, default, and optional packages. You can view the packages in a group by category with the ``yum -groupinfo`` command. More information about the different levels can +groupinfo`` command. More information about the different levels can be found at http://fedoraproject.org/wiki/How_to_use_and_edit_comps.xml_for_package_groups#Installation @@ -501,10 +504,10 @@ Pulp Support .. versionadded:: 1.2.0 Bcfg2 contains explicit support for repositories managed by Pulp -(http://pulpproject.org/). Due to the amount of data about a +(http://pulpproject.org/). Due to the amount of data about a repository that can be retrieved directly from Pulp, the only thing necessary to configure a Pulp repo is the repo ID:: - .. code-block:: xml + <Sources> <Group name="centos-6-x86_64"> <Source type="yum" pulp_id="centos-6-x86_64-os"/> @@ -513,7 +516,7 @@ necessary to configure a Pulp repo is the repo ID:: </Group> </Sources> -Pulp sources require some additional configuration. First, the Bcfg2 +Pulp sources require some additional configuration. First, the Bcfg2 server must have a valid ``/etc/pulp/consumer/consumer.conf`` that is readable by the user your Bcfg2 server runs as; the Pulp server, URLs, and so on, are determined from this. @@ -523,7 +526,7 @@ options in the ``[pulp]`` section: * ``username`` and ``password``: The username and password of a Pulp user that will be used to register new clients and bind them to - repositories. Membership in the default ``consumer-users`` role is + repositories. Membership in the default ``consumer-users`` role is sufficient. Bcfg2 clients using Pulp sources will be registered to the Pulp server @@ -532,50 +535,50 @@ as consumers, and will be bound to the appropriate repositories. Debugging unexpected behavior ============================= +.. versionadded:: 1.2.1 + Using bcfg2-info ---------------- The dependency resolver used in Packages can be run in debug mode:: - - $ bcfg2-info + $ bcfg2-info packageresolve foo.example.com bcfg2-server zlib ... - Handled 20 events in 0.004s - > debug - dropping to python interpreter; press ^D to resume - ... - (debug_shell) - >>> m = self.build_metadata('ubik3') - >>> self.plugins['Packages'].complete(m, ['ssh'], debug=True) - Package ssh: adding new deps ['openssh-client', 'openssh-server'] - Package openssh-server: adding new deps ['libc6', 'libcomerr2', 'libkrb53', 'libpam0g', 'libselinux1', 'libssl0.9.8 - ', 'libwrap0', 'zlib1g', 'debconf', 'libpam-runtime', 'libpam-modules', 'adduser', 'dpkg', 'lsb-base'] - Package debconf: adding new deps ['debconf-i18n'] - Package libpam-modules: adding new deps ['libdb4.7'] - Package openssh-client: adding new deps ['libedit2', 'libncurses5', 'passwd'] - Package lsb-base: adding new deps ['sed', 'ncurses-bin'] - Package adduser: adding new deps ['perl-base'] - Package debconf-i18n: adding new deps ['liblocale-gettext-perl', 'libtext-iconv-perl', 'libtext-wrapi18n-perl', 'libtext-charwidth-perl'] - Package passwd: adding new deps ['debianutils'] - Package libtext-charwidth-perl: adding new deps ['perlapi-5.10.0'] - VPackage perlapi-5.10.0: got provides ['perl-base'] - Package libkrb53: adding new deps ['libkeyutils1'] - Package libtext-iconv-perl: adding new deps ['perlapi-5.10.0'] - Package libc6: adding new deps ['libgcc1', 'findutils'] - Package libgcc1: adding new deps ['gcc-4.3-base'] - (set(['debconf', 'libgcc1', 'lsb-base', 'libtext-wrapi18n-perl', 'libtext-iconv-perl', 'sed', 'passwd', 'findutils', 'libpam0g', 'openssh-client', 'debconf-i18n', 'libselinux1', 'zlib1g', 'adduser', 'libwrap0', 'ncurses-bin', 'libssl0.9.8', 'liblocale-gettext-perl', 'libkeyutils1', 'libpam-runtime', 'libpam-modules', 'openssh-server', 'libkrb53', 'ssh', 'libncurses5', 'libc6', 'libedit2', 'libcomerr2', 'dpkg', 'perl-base', 'libdb4.7', 'libtext-charwidth-perl', 'gcc-4.3-base', 'debianutils']), set([]), 'deb') + 2 initial packages + bcfg2-server + zlib + 54 new packages added + sqlite + less + libxml2 + expat + ... + 1 unknown packages + libglib-2.0.so.0()(64bit) This will show why the resolver is acting as it is. Replace -``"ubik3"`` and ``['ssh']`` with a client name and list of packages, -respectively. Also, a more polished interface to this functionality is -coming as well. +``foo.example.com`` and ``bcfg2-server`` with a client name and list +of packages, respectively. + +Note that resolving a partial package list (as above) may result in +more unknown entries than you'd have otherwise; some of the package +drivers (Yum in particular) consider the full package list when +resolving multiple providers, and will not be able to properly resolve +some dependencies without a full package list. -Each line starting with Package: <name> describes a set of new -prerequisites pulled in by a package. Lines starting with VPackage <vname> -describe provides entries and their mappings to required names. The last -line describes the overall results of the resolver, with three fields: -a list of packages that should be installed, a list of unresolved -requirements, and a type for these packages. +You can also view the sources applicable to a client:: + + $ bcfg2-info packagesources foo.example.com + ... + Name: centos-6-x86_64-updates + Type: yum + URL: http://mirror.example.com/centos-6-x86_64-updates + GPG Key(s): http://mirror.example.com/centos-6-x86_64-updates/RPM-GPG-KEY-CentOS-6 + + Name: centos-6-x86_64-os + Type: yum + URL: http://mirror.example.com/centos-6-x86_64-os + GPG Key(s): http://mirror.example.com/centos-6-x86_64-os/RPM-GPG-KEY-CentOS-6 Using bcfg2-server ------------------ @@ -584,6 +587,13 @@ Once the server is started, enable debugging via bcfg2-admin:: $ bcfg2-admin xcmd Packages.toggle_debug +TODO list +========= + +* Zypper support +* Portage support +* Explicit version pinning (a la Pkgmgr) + Developing for Packages ======================= @@ -637,37 +647,36 @@ packages.conf ============= ``packages.conf`` contains miscellaneous configuration options for the -Packages plugin. It understands the following directives: +Packages plugin. Any booleans in the config file accept the values +"1", "yes", "true", and "on" for True, and "0", "no", "false", and +"off" for False + +It understands the following directives: [global] section ---------------- -* ``resolver``: Disable dependency resolution. Default is "enabled". -* ``metadata``: Disable metadata processing. Default is "enabled". -* ``yum_config``: The path at which to generate Yum configs. No +* ``resolver``: Enable dependency resolution. Default is ``1`` + (true). For historical reasons, this also accepts "enabled" and + "disabled". +* ``metadata``: Enable metadata processing. Default is ``1`` + (true). For historical reasons, this also accepts "enabled" and + "disabled". +* ``yum_config``: The path at which to generate Yum configs. No default. -* ``apt_config``: The path at which to generate APT configs. No +* ``apt_config``: The path at which to generate APT configs. No default. * ``gpg_keypath``: The path on the client RPM GPG keys will be copied - to before they are imported on the client. Default is + to before they are imported on the client. Default is "/etc/pki/rpm-gpg". -* ``import_gpg_keys``: The RPM release of an RPM GPG key cannot be - reliably and automatically determined without importing the key into - the server's key chain. If ``import_gpg_keys`` is "false" (the - default), the release of automatically-generated RPM GPG key entries - in the specification will be set to "any", which disables - verification of the release. (Version will still be verified.) In - practice, this is unlikely to be an issue, as the RPM version of a - GPG key is the key's fingerprint, and collisions are rare. If you - do encounter a GPG key version collision, you will need to set this - to "true", whereupon Packages will import the keys into the server's - key chain. Python RPM libraries must be installed for this to work. +* ``version``: Set the version attribute used when binding + Packages. Default is ``auto``. [yum] section ------------- * ``use_yum_libraries``: Whether or not to use the :ref:`native yum - library support <native-yum-libraries>`. Default is ``0`` (false). + library support <native-yum-libraries>`. Default is ``0`` (false). All other options in the ``[yum]`` section will be passed along verbatim to the Yum configuration if you are using the native Yum @@ -678,5 +687,5 @@ library support. * ``username`` and ``password``: The username and password of a Pulp user that will be used to register new clients and bind them to - repositories. Membership in the default ``consumer-users`` role is + repositories. Membership in the default ``consumer-users`` role is sufficient. diff --git a/doc/server/plugins/generators/rules.txt b/doc/server/plugins/generators/rules.txt index 925ee6419..c084c5681 100644 --- a/doc/server/plugins/generators/rules.txt +++ b/doc/server/plugins/generators/rules.txt @@ -68,7 +68,7 @@ The Rules Group Tag may have the following attributes: +========+=========================+==============+ | name | Group Name | String | +--------+-------------------------+--------------+ -| negate | Negate group membership | (True|False) | +| negate | Negate group membership | (true|false) | | | (is not a member of) | | +--------+-------------------------+--------------+ @@ -195,7 +195,7 @@ The Client Tag may have the following attributes: +========+=========================+==============+ | name | Client Name | String | +--------+-------------------------+--------------+ -| negate | Negate client selection | (True|False) | +| negate | Negate client selection | (true|false) | | | (if not client name) | | +--------+-------------------------+--------------+ @@ -354,8 +354,18 @@ how to assign Rules to a host's literal configuration. Using Regular Expressions in Rules ================================== -The ``name`` attribute in Rules supports the use of regular -expressions to match multiple abstract configuration entries. +If you wish, you can configure the Rules plugin to support regular +expressions. This entails a small performance and memory usage +penalty. To do so, create a file, "Rules/rules.conf", and add the +following text:: + + [rules] + regex = yes + +You will have to restart the Bcfg2 server after making that change. + +With regular expressions enabled, you can use a regex in the ``name`` +attribute to match multiple abstract configuration entries. Regular expressions are anchored at both ends, so ``<Service name="bcfg2".../>`` will *not* match a Service named ``bcfg2-server``; diff --git a/doc/server/plugins/generators/tgenshi/index.txt b/doc/server/plugins/generators/tgenshi/index.txt index c5392dcc4..21ef8f17f 100644 --- a/doc/server/plugins/generators/tgenshi/index.txt +++ b/doc/server/plugins/generators/tgenshi/index.txt @@ -130,7 +130,7 @@ Then, run:: setup = Bcfg2.Options.OptionParser({'repo': Bcfg2.Options.SERVER_REPOSITORY}) setup.parse('--') - template = TemplateLoader().load(set['repo'] + path, cls=NewTextTemplate) + template = TemplateLoader().load(setup['repo'] + path, cls=NewTextTemplate) print template.generate(metadata=metadata, path=path, name=name).render() This gives you more fine-grained control over how your template is diff --git a/doc/server/plugins/generators/tgenshi/iptables.txt b/doc/server/plugins/generators/tgenshi/iptables.txt index 2655e7b2d..310f9ffab 100644 --- a/doc/server/plugins/generators/tgenshi/iptables.txt +++ b/doc/server/plugins/generators/tgenshi/iptables.txt @@ -83,13 +83,14 @@ iptables -A NO-SMTP -j DROP # Allow SSH Access - -A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 22 -j SSH - -A SSH -s 192.0.0.0/255.0.0.0 -j ACCEPT + :SSH - [0:0] + -A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 22 -j SSH + -A SSH -s 192.168.0.0/255.255.0.0 -j ACCEPT # Allow Ganglia Access -A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT # Gmetad access to gmond - -A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT + -A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT # Gmond UDP multicast -A INPUT -m state --state NEW -m udp -p udp --dport 8649 -j ACCEPT @@ -205,8 +206,8 @@ iptables :: :MYSQL - [0:0] - -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 --tcp-flags FIN,SYN,RST,ACK SYN -j MYSQL - -A MYSQL -s 192.168.0.0/255.0.0.0 -j ACCEPT + -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 --tcp-flags FIN,SYN,RST,ACK SYN -j MYSQL + -A MYSQL -s 192.168.0.0/255.255.0.0 -j ACCEPT For a host that is in the mysql-server group you get an iptables file that looks like the following:: @@ -244,20 +245,20 @@ that looks like the following:: # Allow SSH Access :SSH - [0:0] - -A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 22 -j SSH - -A SSH -s 192.168.0.0/255.0.0.0 -j ACCEPT + -A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 22 -j SSH + -A SSH -s 192.168.0.0/255.255.0.0 -j ACCEPT # Allow Ganglia Access -A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT #Gmetad access to gmond - -A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT + -A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT #Gmond UDP multicast -A INPUT -m state --state NEW -m udp -p udp --dport 8649 -j ACCEPT # group custom FILTER rules: :MYSQL - [0:0] - -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 --tcp-flags FIN,SYN,RST,ACK SYN -j MYSQL - -A MYSQL -s 192.168.0.0/255.0.0.0 -j ACCEPT + -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 --tcp-flags FIN,SYN,RST,ACK SYN -j MYSQL + -A MYSQL -s 192.168.0.0/255.255.0.0 -j ACCEPT # host-specific FILTER rules: diff --git a/doc/server/plugins/grouping/metadata.txt b/doc/server/plugins/grouping/metadata.txt index c52ac7612..305857578 100644 --- a/doc/server/plugins/grouping/metadata.txt +++ b/doc/server/plugins/grouping/metadata.txt @@ -276,22 +276,37 @@ A special client metadata class is available to the MetadataQuery ------------- -This class provides query routines for the servers Metadata. +This class provides query methods for the metadata of all clients +known to the Bcfg2 server. Note that ``*by_groups()`` and +``*by_profiles()`` behave differently; for a client to be included in +the return value of a ``by_groups()`` method, it must be a member of +*all* groups listed in the argument; for a client to be included in +the return value of a ``by_profiles()`` method, it must have any group +listed as its profile group. +------------------------------+------------------------------------------------+-------------------+ | Method | Description | Value | +==============================+================================================+===================+ | by_name(client) | Get ClientMetadata object for 'client' | ClientMetadata | +------------------------------+------------------------------------------------+-------------------+ -| names_by_groups(groups) | All client names in the list of 'groups' | List | +| by_groups(groups) | Get ClientMetadata object for clients in all | List of | +| | listed groups | ClientMetadata | +------------------------------+------------------------------------------------+-------------------+ -| names_by_profiles(profiles) | All client names in the list of 'profiles' | List | +| by_profiles(client) | Get ClientMetadata objects for clients whose | List of | +| | profile matches any listed profile group | ClientMetadata | +------------------------------+------------------------------------------------+-------------------+ -| all_clients() | All known client hostnames | List | +| names_by_groups(groups) | Get the names of all clients in all listed | List of strings | +| | groups | | +------------------------------+------------------------------------------------+-------------------+ -| all_groups() | All known group names | List | +| names_by_profiles(profiles) | Get the names of clients whose profile matches | List of strings | +| | any listed profile group | | +------------------------------+------------------------------------------------+-------------------+ -| all_groups_in_category(cat) | All groups in category 'cat' | List | +| all_clients() | All known client hostnames | List of strings | +------------------------------+------------------------------------------------+-------------------+ -| all() | Get ClientMetadata for all clients | List | +| all_groups() | All known group names | List of strings | ++------------------------------+------------------------------------------------+-------------------+ +| all_groups_in_category(cat) | The names of all groups in category 'cat' | List of strings | ++------------------------------+------------------------------------------------+-------------------+ +| all() | Get ClientMetadata for all clients | List of | +| | | ClientMetadata | +------------------------------+------------------------------------------------+-------------------+ diff --git a/doc/server/plugins/probes/group.txt b/doc/server/plugins/probes/group.txt index dfe64cc60..03c13db42 100644 --- a/doc/server/plugins/probes/group.txt +++ b/doc/server/plugins/probes/group.txt @@ -52,10 +52,10 @@ Probe used to dynamically set client groups based on OS/distro. # redhat based if [ -x /bin/rpm ]; then OUTPUT="${OUTPUT}\ngroup:rpm" - OS_GROUP=`/bin/rpm -q --qf "%{NAME}" --whatprovides redhat-release | sed 's/-release.*//' | tr '[A-Z]' '[a-z]'` + OS_GROUP=`/bin/rpm -q --qf "%{NAME}" --whatprovides redhat-release | grep -vi 'freeing read locks for locker' | sed 's/-release.*//' | tr '[A-Z]' '[a-z]'` REDHAT_VERSION=`/bin/rpm -q --qf "%{VERSION}" --whatprovides redhat-release` case "$OS_GROUP" in - "centos" | "fedora") + "centos" | "fedora" | "sl") OUTPUT="${OUTPUT}\ngroup:${OS_GROUP}" OUTPUT="${OUTPUT}\ngroup:${OS_GROUP}-${REDHAT_VERSION}" ;; @@ -88,7 +88,7 @@ Probe used to dynamically set client groups based on OS/distro. ARCH=`uname -m` case "$ARCH" in "x86_64") - if [ "$OS_GROUP" == 'centos' -o "$OS_GROUP" == 'redhat' ]; then + if [ "$OS_GROUP" == 'centos' -o "$OS_GROUP" == 'sl' -o "$OS_GROUP" == 'redhat' ]; then OUTPUT="$OUTPUT\ngroup:${ARCH}" else OUTPUT="$OUTPUT\ngroup:amd64" diff --git a/doc/server/plugins/probes/index.txt b/doc/server/plugins/probes/index.txt index f22f405c1..95aa2d0ce 100644 --- a/doc/server/plugins/probes/index.txt +++ b/doc/server/plugins/probes/index.txt @@ -208,7 +208,7 @@ look something like: <FileProbes> <FileProbe name="/etc/foo.conf"/> <Group name="blah-servers"> - <FileProbe name="/etc/blah.conf" update="true" + <FileProbe name="/etc/blah.conf" update="true"/> </Group> <Client name="bar.example.com"> <FileProbe name="/var/lib/bar.gz" base64="true"/> |