path: root/doc/install.xml
blob: 1113e6178989b479490fbee866eb0fb4e8cd8d80 (plain)
<chapter>
  <title>Installing Bcfg2</title>
  
  <sect1>
    <title>Pre-requisites</title>
    <para>
      Bcfg2 is written in Python using several modules not included
      with most distributions. lxml provides convenient XML
      handling.
    </para>
    
    <para>
      The Bcfg2 server requires a few more packages. It uses either
      FAM or Gamin to coherently cache repository files
      and update them when they change. It also requires pyOpenSSL to
      use SSL functions.
    </para>

    <para>lxml is required for XML parsing. It can be downloaded from
    http://www.codespeak.net/lxml. It, in turn, requires libxml2,
    libxslt, and pyrex.
    </para>
    
    <para>
      The Python FAM binding can be downloaded from
      python-fam.sourceforge.net and installed by running its
      setup.py script. On several Linux distributions, FAM has been
      deprecated in favor of Gamin. The Bcfg2 server will autodetect
      which modules are available and use the appropriate file
      caching logic.
    </para>

    <table>
      <title>Bcfg2 Software Prerequisites</title>
      <tgroup cols='3'>
	<colspec colnum='1' colwidth='2*'/>
	<colspec colnum='2' colwidth='5*'/>
	<colspec colnum='3' colwidth='8*'/>
	<thead>
	  <row><entry>Name</entry><entry>Description</entry><entry>URL</entry></row>
	</thead>
	<tbody>
	  <row><entry>lxml</entry><entry>XML
	  Processing</entry><entry><ulink
	  url="http://codespeak.net/lxml"/></entry></row>
	  <row><entry>pyrex</entry><entry>C to Python language
	  interoperability (needed for lxml)</entry><entry><ulink
	  url="http://www.cosc.canterbury.ac.nz/~greg/python/Pyrex"/></entry></row>
	  <row><entry>pyOpenSSL</entry>
	    <entry>OpenSSL bindings for Python</entry><entry><ulink
	    url="http://pyopenssl.sourceforge.net/"/></entry></row>
	  <row><entry>Fam</entry><entry>File Alteration
	  Monitor</entry><entry><ulink
	  url="http://oss.sgi.com"/></entry></row>
	  <row><entry>Gamin</entry><entry>Alternate File Alteration
	      Monitor</entry><entry><ulink
	      url="http://www.gnome.org/~veillard/gamin/"/></entry></row>
	  <row><entry>Python-fam</entry><entry>Python bindings for fam
	  (not needed with
	  gamin)</entry><entry><ulink url="http://python-fam.sourceforge.net"/></entry></row>
	</tbody>
      </tgroup>
    </table>

  </sect1>
  <sect1>
    <title>Bcfg2 Initial Setup and Testing</title>
    <para>Once the Bcfg2 software is installed, the configuration file
    and repository must be created. The example configuration file in
    <filename>bcfg2/examples/bcfg2.conf</filename> can be used, with
    minor modifications.  This should be placed in
    <filename>/etc/bcfg2.conf</filename>. If it is placed in another
    location, each program takes a command line argument to specify
    its alternate location. 
    </para>

    <example>
      <title>/etc/bcfg2.conf</title>
      <programlisting>[server]
repository = /disks/bcfg2
structures = Bundler,Base
generators = SSHbase,Cfg,Pkgmgr,Svcmgr</programlisting>
    </example>

    <para>
      This configuration file sets the top level location of the
      configuration repository. It also activates two structures, and
      four generators. Both structures and generators are instances of
      Bcfg2 server plugins. Structures generate abstract configuration
      fragments. These form the inventory of the
      configuration. Generators provide client-specific literal values
      for each configuration entity contained in the abstract
      configuration.
    </para>
  </sect1>

  <sect1>
    <title>Daemon Configuration</title>

    <para>
      Bcfg2 uses XML-RPC over HTTPS for all communications. HTTPS
      provides data security, while an embedded username and password
      provide authentication.
    </para>

    <sect2>
      <title>SSL Certificate Generation</title>

      <para>SSL is used for channel-level data encryption. The
      requisite SSL certificates must be generated on the server
      side. The following command will generate a server key:
      </para>
      
      <programlisting>
openssl req -x509 -nodes -days 1000 -newkey rsa:1024 \
	-out bcfg2.key -keyout bcfg2.key
      </programlisting>

      <para>
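	This command will generate a single file containing both an
	RSA private key and a self-signed certificate. This is suitable
	for use with the Bcfg2 server. The path to this file should be
	put in the key setting of the communication section of the
	Bcfg2 configuration file. Because -nodes leaves the private key
	unencrypted, the file should be readable only by the account
	that runs the server. The rsa:1024 key size is the one this
	document was written with; current practice is an RSA key of at
	least 2048 bits.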
      </para>

    </sect2>

    <sect2>
      <title>Client Communication Setup</title>

      <para>
	The Bcfg2 client must be able to find the server's
	location. This is accomplished through the use of the
	communication settings in <filename>/etc/bcfg2.conf</filename>.
	Several settings must be included in this file: the server
	URL, a username, and a password.
      </para>

      <example>
	<title>/etc/bcfg2.conf</title>
	<programlisting>[communication]
protocol = xmlrpc/ssl
password = pwd
user = root
	  
[components]
bcfg2 = https://bcfg2server:8765</programlisting>
      </example>
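      <para>
	The settings described in the two sections above can be checked
	mechanically. The following Python audit is an added example, not
	part of the original Bcfg2 documentation or code: it flags a
	configuration or key file that is group- or world-accessible, a
	short shared password, and a server URL that is not https. The
	sample configuration, the finding labels, the 12-character
	minimum and the helper names are assumptions made for this
	illustration.
      </para>
      <programlisting><![CDATA[
```python
import configparser
import os
import stat
import tempfile
from urllib.parse import urlsplit

# Constructed sample: the page's client settings plus the server-side key setting.
SAMPLE_CONF = """[communication]
protocol = xmlrpc/ssl
password = pwd
user = root
key = {key}

[components]
bcfg2 = https://bcfg2server:8765
"""
MIN_PASSWORD_LEN = 12  # assumed local policy, not a Bcfg2 requirement
def shared_bits(path):
    """Group/other permission bits of path; 0 means owner-only."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077

def audit_bcfg2_conf(path):
    """Return findings for a bcfg2.conf laid out like the page's examples."""
    findings = []
    if shared_bits(path):
        findings.append("conf-perms: file holds the password but is group/world accessible")
    cp = configparser.ConfigParser(interpolation=None)  # passwords may contain %
    cp.read(path)
    if len(cp.get("communication", "password", fallback="")) < MIN_PASSWORD_LEN:
        findings.append("weak-password: shared password is missing or short")
    if urlsplit(cp.get("components", "bcfg2", fallback="")).scheme != "https":
        findings.append("no-tls: server URL is not https")
    key = cp.get("communication", "key", fallback=None)  # set on the server only
    if key and os.path.isfile(key) and shared_bits(key):
        findings.append("key-perms: private key is group/world accessible")
    return findings

def demo(mode=0o644):
    """Write the sample config and a stand-in key file with `mode`, then audit."""
    d = tempfile.mkdtemp()
    key, conf = os.path.join(d, "bcfg2.key"), os.path.join(d, "bcfg2.conf")
    for path, text in ((key, "stand-in, not a real key\n"), (conf, SAMPLE_CONF.format(key=key))):
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return audit_bcfg2_conf(conf)

if __name__ == "__main__":
    print("\n".join(demo()))
```
]]></programlisting>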
    </sect2>
  </sect1>
</chapter>