path: root/doc/install.xml
blob: 13cf2847f0040a47c7dba1242a55b852e21a4d04 (plain)
<chapter>
  <title>Installing Bcfg2</title>
  
  <sect1>
    <title>Pre-requisites</title>
    <para>
      Bcfg2 is written in Python and uses several modules that are not
      included with most distributions. ElementTree, available from
      http://www.effbot.org, provides convenient XML handling.
    </para>
    
    <para>
      The Bcfg2 server requires a few more packages. It uses either
      FAM or Gamin to coherently cache repository files
      and update them when they change. It also requires M2Crypto to
      use SSL functions.
    </para>

    <para>ElementTree can be downloaded from
    http://www.effbot.org/downloads. It can be installed by running
    the setup script against the Python installation.
    </para>

    <programlisting>$ python setup.py build
running build
running build_py
creating build
creating build/lib
creating build/lib/elementtree
copying elementtree/ElementInclude.py -> build/lib/elementtree
copying elementtree/ElementPath.py -> build/lib/elementtree
copying elementtree/ElementTree.py -> build/lib/elementtree
copying elementtree/HTMLTreeBuilder.py -> build/lib/elementtree
copying elementtree/SgmlopXMLTreeBuilder.py -> build/lib/elementtree
copying elementtree/SimpleXMLTreeBuilder.py -> build/lib/elementtree
copying elementtree/SimpleXMLWriter.py -> build/lib/elementtree
copying elementtree/TidyHTMLTreeBuilder.py -> build/lib/elementtree
copying elementtree/TidyTools.py -> build/lib/elementtree
copying elementtree/XMLTreeBuilder.py -> build/lib/elementtree
copying elementtree/__init__.py -> build/lib/elementtree
$ python setup.py install
...
    </programlisting>

    <para>
      The Python FAM binding can be downloaded from
      python-fam.sourceforge.net. On several Linux distributions, FAM
      has been deprecated in favor of Gamin. The Bcfg2 server will
      autodetect which modules are available and use the appropriate
      file caching logic.
    </para>
  </sect1>
  <sect1>
    <title>Bcfg2 Installation</title>
    <para>
    </para>
  </sect1>
  <sect1>
    <title>Bcfg2 Initial Setup and Testing</title>
    <para>Once the Bcfg2 software is installed, the configuration file
    and repository must be created. The example configuration file in
    <filename>bcfg2/examples/bcfg2.conf</filename> can be used, with
    minor modifications. 
    </para>
    <example>
      <title>bcfg2.conf</title>
      <programlisting>[server]
	repository = /disks/bcfg2
	structures = Bundler,Base
	generators = SSHbase,Cfg,Pkgmgr,Svcmgr
	metadata = /disks/bcfg2/etc
      </programlisting>
    </example>
    <para>This configuration file sets the location of the
      configuration repository. It also activates two structures and
      four generators. Structures are components that generate
      abstract configuration fragments; these define the form of the
      configuration. Generators provide client-specific values for
      each configuration setting contained in the abstract
      configuration fragments. Both of these are described in Section
      ???.</para>
  </sect1>
  <sect1>
    <title>Daemon Configuration</title> 
    <para>Bcfg2 uses SSSlib, the
      communication library from the Scalable Systems Software project,
      for communication abstraction. This library provides a unified
      messaging interface on top of several wire protocols with
      different authentication and encryption mechanisms. The default
      protocol is "challenge", which is a challenge-response protocol
      with no data encryption. (SSL protection will be configured
      later.) SSSlib also includes service location functionality;
      this allows software to locate components by name, regardless of
      their respective network locations. This function is provided
      with both static and dynamic implementations. Static component
      location setup will be sufficient for most Bcfg2 deployments.
    </para>

    <para>
      Static component lookups depend on the file
      <filename>/etc/sss.conf</filename>. This file contains
      information about static service locations. This file must be
      the same on the server and all clients for communication to work
      properly. A location definition for the bcfg2 component will
      allow all clients to find and connect to it. 
    </para>
    <example>
      <title>/etc/sss.conf</title>
      <programlisting>
	<![CDATA[	<locations>
	  <location component="bcfg2" host="bcfgserver"
	  port="8052" protocol="challenge" schema_version="1.0" tier="1"/>
	</locations>]]>
      </programlisting>
    </example>
    <para>This allows SSSlib to locate the bcfg2 component on the
    machine bcfgserver, port 8052, with the wire protocol "challenge".
    </para>
  </sect1>
  <sect1>
    <title>New-Style XML-RPC Deployments</title>

    <para>
      A new version of the Bcfg2 software is in testing that will
      provide simplified and standards-compliant communications
      facilities. Instead of using SSSlib for communication, the
      server and clients can use XML-RPC over HTTPS. This has
      required reimplementing the server and providing XML-RPC support
      for the client, but provides drastically simplified setup for
      new installs.
    </para>

    <para>
      The prerequisite list now includes ElementTree, M2Crypto (for
      SSL functions) and Python 2.2 or newer. ElementTree and M2Crypto
      are both Python modules that can be easily installed and are
      already packaged for many Linux distributions.
    </para>

    <sect2>
      <title>SSL Certificate Generation</title>

      <para>SSL is used for channel-level data encryption. The
      requisite SSL certificates must be generated on the server
      side. The following command will generate a server key:
      </para>
      
      <programlisting>
openssl req -x509 -nodes -days 1000 -newkey rsa:1024 -out server.pem -keyout server.pem
      </programlisting>

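      <para>This command writes both an RSA private key and a
      self-signed certificate to <filename>server.pem</filename>,
      which is suitable for use with the Bcfg2 XML-RPC server. The
      -nodes option leaves the private key unencrypted in that file,
      so restrict it to the account that runs the server. The key
      size and certificate lifetime are set by the -newkey rsa:1024
      and -days 1000 arguments.</para>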

    </sect2>

    <sect2>
      <title>Communication Bootstrapping</title>

      <para>
	The Bcfg2 client must be able to find the server's
	location. This is accomplished through the communication
	settings in <filename>/etc/bcfg2.conf</filename>.
	Two settings are required in this section: protocol and
	server url.
      </para>

      <example>
	<title>Bcfg2 XML-RPC Communication Settings</title>
	<programlisting>
	  [communication]
	  protocol = xmlrpc/ssl
	  url = https://localhost:9443
	</programlisting>
      </example>
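      <para>An added example, not part of the Bcfg2 sources: a small
      Python 3 audit of the two transport configurations described in
      this chapter, flagging the unencrypted "challenge" protocol in
      <filename>/etc/sss.conf</filename> and checking the
      [communication] settings in <filename>/etc/bcfg2.conf</filename>.
      The function names, finding texts and embedded sample files are
      assumptions constructed for illustration.</para>
      <programlisting><![CDATA[
```python
import configparser
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed samples that mirror the two listings in this chapter.
SSS_CONF = """<locations>
  <location component="bcfg2" host="bcfgserver" port="8052"
            protocol="challenge" schema_version="1.0" tier="1"/>
</locations>"""
BCFG2_CONF = "[communication]\nprotocol = xmlrpc/ssl\nurl = https://localhost:9443\n"


def audit_sss_locations(xml_text):
    """Flag static locations whose wire protocol carries data unencrypted."""
    findings = []
    for loc in ET.fromstring(xml_text).iter("location"):
        if loc.get("protocol") == "challenge":
            findings.append("%s at %s:%s uses 'challenge': no data encryption"
                            % (loc.get("component"), loc.get("host"), loc.get("port")))
    return findings


def audit_communication(ini_text):
    """Check the [communication] section a client uses to reach the server."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("communication"):
        return ["no [communication] section"]
    findings = []
    protocol = cp.get("communication", "protocol", fallback=None)
    url = cp.get("communication", "url", fallback=None)
    if protocol is None:
        findings.append("missing required setting: protocol")
    elif protocol != "xmlrpc/ssl":
        findings.append("protocol %r is not the xmlrpc/ssl value shown here" % protocol)
    if url is None:
        findings.append("missing required setting: url")
    else:
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append("url scheme %r is not https" % parts.scheme)
        if parts.hostname in ("localhost", "127.0.0.1", "::1"):
            findings.append("url points at loopback; remote clients cannot reach it")
    return findings


if __name__ == "__main__":
    for finding in audit_sss_locations(SSS_CONF) + audit_communication(BCFG2_CONF):
        print("FINDING:", finding)
```
]]></programlisting>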
    </sect2>
  </sect1>
</chapter>