 |
» |
|
|
|
The following sections
provide detailed instructions for setting up a configuration synchronization
master server and its clients. The quickest way to get started is
to use the Configuration Synchronization Wizard (csync_wizard), described in the next section. Completely manual configurations
are also described. Configuring Synchronization Master
(csync master) Server in Cross-Subnet Cluster Environments In a cluster environment, if all the nodes are
within the same subnet, then you can configure a server within that
cluster environment as the csync master server. However, in a cross-subnet cluster environment,
the csync master server must be an external system, preferably a quorum
server, outside the cross-subnet cluster. A cross-subnet cluster can
be configured only as client, with an external system acting as the
cfengine master. After you configure an external system as the csync
master, you can configure the cross-subnet cluster nodes as cfengine managed clients. Using the Configuration Synchronization Wizard | |
The csync_wizard (see csync_wizard(1)) automates the task of setting a configuration synchronization
master server and its managed clients. It supports setting up a standalone
system or a Serviceguard cluster as the master server. The wizard
configures all managed clients to run a cfservd so that cfrun (see cfrun(8)) can
be used on the master server. When you run the csync_wizard on a cross-subnet cluster, the system displays a message indicating
that the csync master must be an external system outside the cross-subnet
cluster. Depending on whether the csync master is already configured,
one of the following is possible: If the csync master is
already configured outside the cross-subnet cluster, the system displays
the hostname or the IP address of the csync master. If the csync master is
not configured outside the cross-subnet cluster, then you must configure
an external system, preferably a quorum server, as the csync master
server and later proceed to run the csync_wizard on the cross-subnet cluster.
With the csync_wizard, you
perform the following tasks:
Manage keys for cfengine clients Display the current configuration
See the appropriate sections below for details. Table 2-1 lists the information you
will need to gather before running the csync_wizard to set up the master server. When running the wizard on a Serviceguard cluster,
the default is to set up cfengine as a highly available service (Serviceguard
package). The administrator must provision the storage environment
for the package and the required package IP address and DNS name registration.
The wizard supports LVM storage configurations. Non-LVM configurations
must be completed manually. The package information that the wizard
requires is given in Table 2-1. Table 2-1 Configuration Data for csync_wizard | Configuration Data | Example | Your Value |
|---|
LVM volume group | /dev/vgcsync | | Logical volume | /dev/vcgsync/lvol1 | | Filesystem mount point | /csync | | Mount options | -o rw, largefiles | | Filesystem type | vxfs | | Package IP Address (a registered
DNS name) | 192.10.25.12 | | Package subnet | 192.10.25.0 | |
Configuring a single node in a Serviceguard cluster
as a master server is not a highly available configuration and is
not recommended. The default configuration to create for a cluster
is to create a package for cfengine’s cfservd. (To rerun the wizard in a Serviceguard cluster and change your
configuration from one that is highly available to one that is not,
halt the existing csync package (use cmhaltpkg) and delete it before running the wizard.) Using the Wizard to Configure a Standalone Synchronization
ServerTo configure a synchronization server for a standalone system, run the csync_wizard(1) on the standalone
system you wish to configure as the master synchronization server: # /opt/dsau/sbin/csync_wizard The wizard displays the following introductory
screen: |
Querying the system local_hostname for current status, one moment...
This Configuration Synchronization Wizard (csync_wizard) helps you set
up the Configuration Engine (cfengine) environment. Cfengine is a powerful
tool for performing policy-based management for groups of systems and
cluster environments.
csync_wizard is a client/server based utility. With csync_wizard, the
user can configure a standalone system or Serviceguard cluster as the
cfengine “master”. The master contains the configuration description and
configuration files that will be used by all the clients. Clients copy the
configuration description from the master and apply it to themselves.
The configuration description supports a rich set of management actions
such as copying configuration files from the master to the client,
performing edits to files, checking file ownerships, permissions, and
checksums, executing shell commands, checking for processes, etc.
For a detailed description of the cfengine management actions,
please refer to the cfengine man page.
The csync wizard helps you set up this system as a cfengine master,
add or remove cfengine-managed clients, and perform the required
security setup.
Press “Enter” to continue... |
|
Press Enter to continue; choose item 1 from the
menu below to configure a master server: Configuration Synchronization Wizard Menu
=========================================
(1) Set up a cfengine master server
(2) Add a client
(3) Remove a client
(4) Manage keys for cfengine clients
(5) Display current configuration
(9) Exit
|
Enter choice: 1
The cfengine master server is being configured on:
local_hostname |
The wizard then asks if you would like to additionally
configure managed clients immediately after configuring the server.
For this example, answer no. Managed clients will be added later.
You can optionally specify additional remote clients to manage at this
time. If you are running in an HA environment, you do not need to specify the
cluster members.
Would you like to manage clients? [N]: n |
The wizard proceeds to configure the system as
a master server:
******* WARNING!!!! ********
To protect against possible corruption of sensitive configuration files,
control-c has been disabled for the remainder of this configuration.
Configuration of the cfengine master server is starting.
Configuration files have been saved at
/var/opt/dsau/cfengine/backups |
cfengine keys are being created...
cfengine keys have been created, now distributing....
Verifying that the master has an entry in the /etc/hosts file
on each client...
Starting cfengine on the master server and any managed clients. This may
take a few minutes.... |
When the configuration is completed, the wizard
displays the following summary screens which direct the administrator
to the main policy file, /var/opt/dsau/cfengine_master/inputs/cf.main, and the recorded answer file for this run of the wizard.
The Configuration Synchronization Wizard has completed the
configuration of cfengine:
- The master configuration description template is here:
</csync/dsau/cfengine_master/inputs/cf.main>
This default template has examples of typical configuration
synchronization actions performed in a cluster. For example,
synchronizing critical files such as /etc/hosts, package
scripts, etc.
All the actions in the template are disabled by default
(commented out). Uncomment the lines corresponding to the desired
synchronization actions for the cluster. See the cfengine
reference documentation for a description of additional cfengine
features: /opt/dsau/doc/cfengine/
Press “Enter” to continue...
The cfengine environment consists of: |
Master server (policy host): |
Note that when configuring a master server but
not adding any managed clients during the server configuration, the
members entry (list of managed clients), is empty, as shown in the
above example.
A file containing the answers for this run of the Configuration
Synchronization Wizard is stored here...
/var/opt/dsau/cfengine/tmpdir/csync_wizard_input.txt
This configuration can be reestablished by issuing the following command:
/opt/dsau/sbin/csync_wizard \
-f /var/opt/dsau/cfengine/tmpdir/csync_wizard_input.txt |
Using the Wizard to Configure a Serviceguard Cluster Synchronization
ServerTo configure a synchronization server for a Serviceguard cluster,
there are two configuration choices: Create a Serviceguard
package for the configuration service to ensure high availability. Configure a single member
of the cluster as if it is a standalone system. The configuration
synchronization service will not be highly available, and this configuration
will also not work properly with the Serviceguard automation features
discussed in “Serviceguard Automation Features” and is not recommended.
This section focuses on using the wizard to configure
a highly available configuration synchronization service. | | | |  | NOTE: Before starting the wizard, all the current cluster
members should be up and running in the cluster. Make sure that this
cluster’s MAX_CONFIGURED_PACKAGES value can accommodate the
additional package. For more information on this setting, refer to
the Managing Serviceguard manual that is part
of the Serviceguard documentation set. | | | | |
Start by running the Configuration Synchronization
Wizard, csync_wizard(1) by issuing the following command: |
# /opt/dsau/sbin/csync_wizard
Querying the system local_hostname for current status, one moment...
This Configuration Synchronization Wizard (csync_wizard) helps you set
up the Configuration Engine (cfengine) environment. Cfengine is a powerful
tool used to perform policy-based management for groups of systems and
cluster environments.
csync_wizard is a client/server based utility. With csync_wizard, the
user can configure a standalone system or Serviceguard cluster as the
cfengine “master”. The master contains the configuration description and
configuration files that will be used by all the clients. Clients copy the
configuration description from the master and apply it to themselves.
The configuration description supports a rich set of management actions
such as copying configuration files from the master to the client,
performing edits to files, checking file ownerships, permissions, and
checksums, executing shell commands, checking for processes, etc.
For a detailed description of the cfengine management actions,
please refer to the cfengine man page.
The csync_wizard helps you set up this system as a cfengine master,
add or remove cfengine-managed clients, and perform the required
security setup. |
|
|
Press “Enter” to continue... |
Press Enter to continue and choose item 1 from
the menu below to configure a master server:
Configuration Synchronization Wizard Menu
=========================================
(1) Set up a cfengine master server
(2) Add a client
(3) Remove a client
(4) Manage keys for cfengine clients
(5) Display current configuration
(9) Exit
Enter choice: 1 |
After you choose 1 and press Enter, the wizard
displays the following text:
This system is a member of a Serviceguard cluster. The cfengine
configuration will be defined as a package for high availability
unless you answer no to the question below. If you answer no, for the
purposes of cfengine control, this machine will be treated as a single
machine without failover capability for cfengine.
If you accept the default answer of ‘HA’ to the question below,
cfengine will be configured as a highly available Serviceguard package.
This ensures that your cfengine master server is available as long
as one of the cluster members that can run the package is also available.
You will need a free IP address for this package and you must
configure storage for the package before proceeding. For details
on creating highly available file systems, please refer to the
Managing Serviceguard manual.
Will this master server be Highly Available (HA) [Y]: |
|
The wizard names the package name “csync”
for configuration synchronization. This specific package name is required.
The LVM storage configuration and
network configuration for the package must be set up before continuing
or before running the wizard. All the cluster members should also
be up and available. For details, refer to the Managing
Serviceguard manual, under “Building an HA Cluster
Configuration”, “Creating a Storage Infrastructure with
LVM.” The wizard prompts for the following, all of which
should have already been configured: LVM volume group name
(for example, /dev/vgcsync) Logical volume in the
volume group; must be the full path name of the logical volume (for
example, /dev/vgcsync/lvol1) The filesystem mount point
(for example, /csync) The filesystem mount options
(for example, -o rw,largefiles). The mount options are used verbatim in the Service package control
script’s FS_MOUNT_OPT[0] field. Note that the mount options
must agree with the filesystem you created on the logical volume. For example, if the filesystem was created with largefiles
support, the largefiles mount option should be specified. The filesystem type (for
example, vxfs) The package IP address. This should
also be a registered DNS name so the configuration synchronization
is easy to configure on client systems. The package subnet. (Use
netstat -i to determine the correct subnet.)
Once the storage infrastructure is configured
and the IP address obtained, press return to access the default answer
of ‘yes’ and proceed with creating the package. The
wizard now prompts for the package information:
Configuring the csync Serviceguard package for a
highly available cfengine master.
The cfengine master server is being configured as a
HA Serviceguard Package on this cluster.
Please provide the following information for the package:
Enter the Volume group [/dev/vgcsync]:
Enter the Logical Volume [/dev/vgcsync/lvol1]:
Enter the Filesystem (Mount Point) [/csync]:
Enter the Mount Options [-o rw, largefiles]:
Enter the Filesystem Type [vxfs]:
Enter the IP address [192.10.25.12]:
Enter the Subnet [192.10.25.0]: |
The wizard now asks if you would like to manage
additional remote clients, that is, systems outside the cluster.
The wizard automatically configures the current members of the cluster. This is
why all members must be up and accessible when running the wizard.
In the example shown below, the administrator chose ‘no’
so only cluster members are configured as clients initially. Additional remote clients can easily be added
later using the wizard. When adding members to the cluster, it is
not necessary to run the wizard to specify the new members as new
client systems. They are automatically configured to participate in
the current cfengine configuration. Refer to “Serviceguard Automation Features” for details. You can optionally specify additional remote clients to manage at this
time. If you are running in an HA environment, you do not need to
specify the cluster members.
Would you like to manage clients? [N]: |
The wizard now has all the data it needs to configure
the cluster and proceeds to do so: ******* WARNING!!!! ********
To protect against possible corruption of sensitive configuration files,
control-c has been disabled for the remainder of this configuration.
Configuring the “csync” Serviceguard package.
Applying the “csync” Serviceguard package configuration file.
This will take a moment.
Starting the “csync” Serviceguard package. This will take a few moments...
The “csync” Serviceguard package has been started on local_hostname.
Configuration of the cfengine master server is starting.
Configuration files have been saved at:
/var/opt/dsau/cfengine/backups
cfengine keys are being created...
cfengine keys have been created, now distributing....
Verifying that the master has an entry in the /etc/hosts file
on each client...
Starting cfengine on the master server and any managed clients.
This may take a few minutes.... |
|
When the configuration is done, the wizard displays
the following summary screens which direct the administrator to the
main policy file, /mount_point/cfengine_master/inputs/cf.main, and the recorded answer
file for this run of the wizard. The policy file is located on the
newly configured filesystem associated with the package. In our example,
the administrator chose to mount the filesystem for the package as /csync. If the administrator had previously
configured cfengine, before overwriting any existing configuration files,
the wizard creates backups in the directory: /var/opt/dsau/cfengine/backups |
The top level files in this directory are the
most recent backup files. Any configurations before that are saved
in timestamped subdirectories
named v_timestamp. |
The Configuration Synchronization Wizard has completed the
configuration of cfengine:
- The master configuration description template is here:
</csync/dsau/cfengine_master/inputs/cf.main>
This default template has examples of typical configuration
synchronization actions performed in a cluster. For example,
synchronizing critical files such as /etc/hosts, package
scripts, etc.
All the actions in the template are disabled by default
(commented out).
Uncomment the lines corresponding to the desired
synchronization actions for this cluster. See the cfengine
reference documentation for a description of additional cfengine
features: /opt/dsau/doc/cfengine/
Press “Enter” to continue...
The cfengine environment consists of:
Master server (policy host): package_hostname
Master clients:
cluster_member_1, cluster_member_2, ...
A file containing the answers for this run of the Configuration
Synchronization Wizard is stored here:
/var/opt/dsau/cfengine/tmpdir/csync_wizard_input.txt
This configuration can be reestablished by issuing the following command:
/opt/dsau/sbin/csync_wizard \
-f /var/opt/dsau/cfengine/tmpdir/csync_wizard_input.txt |
|
Cluster Configuration Notes for cfengineThis section describes the details of a high availability
configuration of cfengine in a Serviceguard cluster. For more information
on the role of the various cfengine daemons and commands, refer to “cfengine Daemons and Commands”. The Serviceguard package
ensures that cfengine's cfservd daemon remains
highly available. The cfengine configuration files update.conf and cfagent.conf define the master configuration
synchronization server to be the registered DNS name
for the relocatable IP address of the package. When managed clients
run cfagent (see cfagent(8)), cfagent connects to cfservd on the package’s adoptive
node. Thus the cluster members themselves are all managed clients.
The member hosting the package additionally acts as the master server
for the policy files. When booting the cluster, each member will start
a client cfservd. This is the cfservd that responds to cfrun requests. When the package
starts on a member, that cfservd now has access
to the filesystem of the package and becomes the master cfservd that serves the policy files to all managed clients. This cfservd is monitored by the package. If cfservd fails, the package will attempt to restart on another member. That
member’s cfservd will then become the master cfservd. Halting the package does not stop the cfservd daemon on the adoptive member since the expectation
is that the daemon is present to respond to future cfrun requests. Also, unlike some other high availability services,
if the csync package is down or unavailable, remote
clients are not adversely impacted. The clients continue to run with
their currently defined configurations. The administrator would need
to make sure the package is up and running in order to distribute
any new configuration instructions to the managed clients. The wizard automates cfengine key distribution
to all cluster members. For a detailed description of key distribution
steps performed, refer to “Security Notes”. Serviceguard Automation FeaturesThe Distributed Systems Administration Utilities
require Serviceguard 11.17 or later. With Serviceguard 11.17 or later,
when members are added to or deleted from the cluster, the configuration
synchronization tools automatically take the appropriate configuration
actions. Specifically:
When adding a member to the cluster, the new member
is automatically configured to participate in configuration synchronization.
The following configuration actions occur automatically on the added
member: /etc/rc.config.d/cfservd is changed
to set CSYNC_CONFIGURED to 1. The appropriate cfengine public/private keys are created for the new
member and placed in the member's /var/opt/dsau/cfengine/ppkeys directory. The new keys for this member are also distributed to
the /var/opt/dsau/cfengine/ppkeys directories
on the other cluster members. The new member’s /var/opt/dsau/cfengine/inputs directory is populated. cfservd is started on the new member. The package files are copied to /etc/cmcluster/csync/ on
the new member. A cfagent synchronization run is
performed on the master to populate the master’s /var/opt/dsau/cfengine/inputs directory. A cfagent synchronization run is
performed on the newly added member.
If there are any errors when performing these automated actions,
messages are posted to syslog on the master
server. Use cmviewcl -p csync to determine which
member is currently the master server. Alternatively, if the cluster
is using consolidated logging, check for messages in the consolidated syslog. When deleting a member from a cluster, the public
key of the deleted member is deleted from the /var/opt/dsau/cfengine/ppkeys directory cluster-wide. The administrator can define cfengine groups or classes
that enumerate all the members of a particular Serviceguard cluster.
These class definitions are not updated automatically and the administrator must manually
update the cfagent.conf and related files for
cluster membership changes.
| | | | | NOTE: When adding members to a cluster, consider the
following:When adding a member to
a cluster that is configured as a highly available master server,
the csync package must be running when the member
is added. The add member processing task copies the configuration
data from the package’s mounted filesystem to the new member’s
/var/opt/dsau/cfengine directories. If the package
is not running, the filesystem will not be accessible and the new
member will not be properly configured. In that case, the administrator
can manually configure the new member as follows: Make sure that the csync package is running. If not, start it. Log in to the member running
the package. Execute the following
command exactly as shown: /opt/dsau/bin/csync_dispatcher
MEMBER_ADDED: member_hostname For example, if the new member’s
unqualified hostname is newhost, use the following
command: /opt/dsau/bin/csync_dispatcher MEMBER_ADDED: newhost
When adding a member to
the cluster that is configured as a highly available master server,
the cfengine security key of the new member is distributed cluster-wide.
This enables the new member to operate as an adoptive node. If the csync package fails over to the new member, the new member
will correctly handle cfagent requests from all
managed clients. However, a cfrun executed from the new member will fail when contacting the managed
clients. For cfrun to work properly, each managed
client must have a copy of each cluster member’s key. (This
is unlike cfagent on the managed client which needs
only the key that corresponds to the IP address of the csync package.) For the new member to issue cfrun requests, its key must be manually created on each managed client.
There are two ways to distribute the key: Use the csync_wizard “Manage
keys for cfengine clients” function, which regenerates keys
for all systems. All managed clients must be reachable for the regeneration
to complete. Copy existing member keys to the new member. This
approach takes advantage of the fact that the new member’s
key is identical to the keys for the other cluster members. On the
managed client, any of the existing cluster member’s keys can
be copied to the proper name for the newly added member. For example,
# cd /var/opt/dsau/cfengine/ppkeys
# cp root-existing_member_IP_address.pub \
root-new_member_IP_address.pub |
| | | | |
Using the Wizard to Configure a Synchronization ClientYou
can use the Configuration Synchronization Wizard to add managed clients to an existing
cfengine configuration. Run the wizard on the master server, not the client system. When a Serviceguard cluster is
the master server, run the wizard on the adoptive node for the csync package. When a Serviceguard cluster is configured
as a highly available master server, adding new members to the cluster
does not require using the wizard to configure those new members.
They will be configured automatically. For more information, see “Serviceguard Automation Features”. If the client is not a cluster member, to distribute cfengine
keys securely, the client must be configured for non-interactive ssh access by the root account of the master server.
The csshsetup tool (see csshsetup(1)) makes it easy to configure ssh access to a remote system. The csshsetup tool is used in the examples below. A remote Serviceguard cluster can be configured
as a managed client. However, each member must be configured individually.
Repeat the configuration tasks described below for each member of
the cluster. Start by logging in as root on the master server
and configure ssh access to the remote system: # csshsetup hostname_of_managed_client csshsetup first tests ssh access to the remote system. If it is not configured, ssh prompts for the managed client’s password. Run the Configuration Synchronization Wizard and
choose option 2 to add a new client: Configuration Synchronization Wizard Menu
=========================================
(1) Set up a cfengine master server
(2) Add a client
(3) Remove a client
(4) Manage keys for cfengine clients
(5) Display current configuration
(9) Exit
Enter choice: 2 |
When prompted, enter the name of the client to
add:
This option will configure additional clients to the cfengine domain.
Enter the name of the client to add: new_client |
The wizard then proceeds to configure the client
and report on its progress:
Verifying that the master has an entry in the /etc/hosts file on each client...
cfengine keys are being created...
cfengine keys have been created, now distributing....
The client new_client has been added to the cfengine domain |
The wizard configures each new client to run cfservd
so it can respond to cfrun requests and adds the
client to the master’s cfrun.hosts file. Manual Configuration | |
The following sections describe the steps required
to configure cfengine master configuration synchronization servers
or managed clients manually. Note that it is typically easier to start
by using the csync_wizard (see csync_wizard(1m)) and then modifying the resulting configuration
instead of starting from scratch. This is especially true in a Serviceguard
cluster where the wizard helps
set up the package and takes care of propagating the correct configuration
files to all members of the cluster. When performing manual configurations, it is possible
to create configurations that cannot subsequently be managed by the csync_wizard. Here are two examples: The wizard requires that all managed clients have ssh configured so that cfengine’s security keys can be initially distributed
or subsequently changed. The wizard places all managed clients in the cfrun.hosts file. This list of managed clients is used
to identify systems for operations such as regenerating cfengine’s
keys on all machines. cfrun.hosts is an optional
cfengine configuration file used by the cfrun command.
Manual configurations need not use this file but the wizard requires
it.
| | | | | NOTE: You can use csshsetup to configure
a trust relationship between the master server and the managed clients.
This will allow you to use command fanout commands such as cexec and ccp (see cexec(1) and ccp(1)). Using these commands can
simplify the configuration steps described below when files need to
be distributed to managed clients. | | | | |
Manually Configuring a Standalone Synchronization ServerPerform the following one-time steps to configure
a standalone system as a cfengine master server: Start by creating the
master copies of the cfengine configuration files. These files are
placed in a well known directory and are distributed to each managed
client. The default directory is /var/opt/dsau/cfengine_master/inputs, referenced in the default templates. Start by creating the directory: # mkdir -p /var/opt/dsau/cfengine_master/inputs Copy the default template
files to the following directories: # cd /var/opt/dsau/cfengine_master/inputs
# cp /opt/dsau/share/cfengine/templates/cf.main.template cf.main
# cp /opt/dsau/share/cfengine/templates/update.conf.template update.conf
# cp /opt/dsau/share/cfengine/templates/cfagent.conf.template cfagent.conf
# cp /opt/dsau/share/cfengine/templates/cfrun.hosts.template cfrun.hosts
# cp /opt/dsau/share/cfengine/templates/cfservd.conf.template cfservd.conf |
Next, edit update.conf. This file has a format similar to cfengine’s main configuration
file cfagent.conf. It is used to transfer
and update cfengine binaries and any updated configuration definitions
files (for example, cfagent.conf) to the managed
clients. It is critical to keep this file very simple and avoid errors.
Errors in this file will require manually copying a new version to
each managed client. The file contains tokens
in the form <%token-name%> that are
replaced by the csync_wizard with the administrator’s
answers to questions. Replace the tokens as follows: Replace the <%POLICYHOST_NAME%> token with the fully
qualified domain name of the master server. Note that it is critical
that this be a fully qualified domain name. This file is copied to
and evaluated on the managed clients. If a managed client is in a
different DNS domain from the master server, the client will be unable
to communicate with the master server if the hostname is not fully
qualified. Note that the cfengine
domain variable is set as follows: domain = ( ExecResult(/bin/sh -c ${dblquote}nslookup
‘hostname‘| awk ${quote}/Name:/ {print
$2}${quote} | cut -d . -f 2-${dblquote}) ) The domain variable is used by cfagent’s
“resolve” action. The ExecResult command above assumes
that the client’s /etc/resolve.conf and /etc/nsswitch.conf are already appropriately configured. The command expects to get
a fully qualified hostname when using nslookup of the client’s
own hostname. If this assumption is not appropriate for your environment,
other techniques for setting the domain are possible. For example,
the client’s domain could be determined based on the client’s
IP address or subnet, as follows: classes:
# host in these ip address ranges
xyz_domain = ( IPRange(10.0.0.1-15) )
abc_domain = ( IPRange(192.0.0.1-254) )
control:
xyz_domain::
domain = ( “xyz.example.com” )
abc_domain::
domain = ( “abc.example.com”) |
Use the cfagent -p (or --parse-only)
flag to verify the syntax of update.conf.
Distribute the master update.conf to
each managed client. This step is described in “Configuring a Synchronization Managed Client”. Create the master server’s security keys. cfengine uses a public/private
key exchange to authenticate remote clients. A public/private key
pair is generated on the master server and all managed clients. The
public key for each managed client is copied to the master server
and from the master server to the managed clients. It is important
to exchange keys securely using a tool like secure copy, (see scp(1)) or using tape or CD-ROM. Start by generating the
keys for the master server: # /opt/dsau/sbin/cfkey # /var/opt/dsau/cfengine/ppkeys This creates the files localhost.pub and localhost.priv. Copy the public key to root-master_server_IP_address.pub. For example,
assuming this system’s IP address is 10.0.0.5, use this command: # cp localhost.pub root-10.0.0.5.pub See “Configuring a Synchronization Managed Client” for details on copying the client
keys to this master server. On the master server,
configure the cfservd daemon to start at system
startup. Edit /etc/rc.config.d/cfservd and change
the line CSYNC_CONFIGURED=0 to CSYNC_CONFIGURED=1. Optionally, if you want to be
able to push changes out to the managed clients using cfrun, replicate this change on all of the managed clients. cfrun requires that the managed clients be listed in the file cfrun.hosts. In the default configuration, this file is
located in /var/opt/dsau/cfengine_master/inputs. Edit it and add the hostnames of each managed client, one per line.
It is simplest to make sure that all the host names are fully qualified.
When using fully qualified hostnames, the "domain = " line is not required and can be deleted. If using unqualified hostnames,
find the line "domain = " variables and replace the token with the DNS domain of the master system.
This restricts all of the unqualified clients to be members of that
single domain. The file /var/opt/dsau/cfengine_master/inputs/cfagent.conf is the master policy file. The default cfagent.conf includes the default cf.main template file
with examples of common synchronization actions for both standalone
systems and Serviceguard clusters. cf.main contains
the POLICY HOST_NAME and “domain = “ variables. Perform the same edits described in Step 3 above. Note that this default cf.main file
performs no management actions. All the action lines are commented
out. This is a starting point for creating a custom set of cfengine
policies and actions for your managed clients. The cfengine reference
manual that documents the syntax and all the management actions defined
in this file is located in /opt/dsau/doc/cfengine. Other example cfengine configuration files that are included with
the open source cfengine distribution are located in /opt/dsau/share/cfengine/examples. The file /var/opt/dsau/cfengine_master/inputs/cfservd.conf controls which managed clients have access to the files served by cfservd on the master. Make the following edits to cfservd.conf: On the master server,
start cfservd: # /sbin/init.d/cfservd start Repeat this for each managed client. Test the configuration
by performing the following steps: On a managed client, use
the command: # cfagent
--no-lock --verbose --no-splay The verbose output will display the client checking
for updated copies of the master policy files, copying them down to /var/opt/cfengine/inputs if needed, and then executing
the contents of cfagent.conf/cf.main. On the master server,
test the cfrun command: # cfrun -- --inform The --inform syntax instructs
the remote cfagent to use the --inform flag which will produce messages for all changes cfengine performs
on the system. For additional information, the --verbose can also be helpful: # cfrun -v -- --verbose The -v instructs cfrun itself to be more verbose and the --verbose is
passed on to the remote cfagent.
For additional troubleshooting information, refer
to “cfengine Troubleshooting”.
Manually Configuring a Serviceguard Cluster Synchronization
ServerConfiguring cfengine for high availability in a Serviceguard cluster is similar to configuring it for a standalone machine,
which is described in the section “Using the Wizard to Configure a Standalone Synchronization
Server”. The primary differences are the
creation of the Serviceguard package and the mechanism used to distribute
cfengine’s security keys. Follow all the steps described below. Initial Serviceguard Package Preparation Start by obtaining an IP address for the package.
This address is typically registered in DNS to simplify management
of remote clients. If you are using cfengine for intra-cluster use
only, it is sufficient to make sure the address is added to each member’s /etc/hosts file. Next, create the storage infrastructure required for
a new package. The instructions for doing this are documented in the Managing Serviceguard manual, under “Building an
HA Cluster Configuration”, “Creating a Storage Infrastructure.” For example, if using an LVM storage infrastructure, that would
include the following steps: Create the LVM volume group (VG) and logical volumes
(LV) (for example, /dev/vgcsync/lvol1). Exporting/importing the volume group cluster-wide. Setting up a filesystem on the logical volumes. Creating the filesystem’s mount point (for
example, /csync) cluster-wide.
The default templates assume you are using
LVM-based storage. To use VxVM or other cluster-wide storage and filesystems,
make the appropriate changes to the package templates described below.
Also note that the Disks and Filesystems Tool (fsweb), available from the System Management Homepage, can help simplify
volume group and filesystem setup. Make sure the filesystem for the package is mounted
on the current member. For example, if using LVM do the following: # vgchange -a e /dev/vgcsync # mount -o rw,largefiles
/dev/vgcsync/lvol1 /csync
Initial Policy File Customization Create a subdirectory
for the master policy files and reference files. For example: # mkdir -p /csync/dsau/cfengine_master/master_files These example directories are those used by the
csync_wizard. Copy the default templates
into the master inputs directory: # cd /csync/dsau/cfengine_master/inputs
# cp /opt/dsau/share/cfengine/templates/cf.main.template cf.main
# cp /opt/dsau/share/cfengine/templates/update.conf.template update.conf
# cp /opt/dsau/share/cfengine/templates/cfagent.conf.template cfagent.conf
# cp /opt/dsau/share/cfengine/templates/cfrun.hosts.template cfrun.hosts
# cp /opt/dsau/share/cfengine/templates/cfservd.conf.template cfservd.conf |
Edit update.conf. This file has a format similar to cfengine’s main
configuration file cfagent.conf.
It is used to transfer and update cfengine binaries and any updated
configuration definitions files (for example, cfagent.conf) to the managed clients. It is critical to keep this file very simple
and avoid errors. Errors in this file will require manually copying
a new version to each managed client. The
file contains tokens in the form <%token-name%> which are replaced by the csync_wizard with
the administrator’s answers to questions. Replace the tokens
as follows: Replace the <%POLICYHOST_NAME%>
token with the fully qualified domain name of the Serviceguard csync
package. For example: policyhost
= ( “csync.abc.xyz.com” ) Refer to “Manually Configuring a Standalone Synchronization Server” for a discussion
on setting the cfagent domain variable, which
is used by cfagent’s resolve action.
List Managed Clients in cfrun.hosts cfrun requires that all managed clients be listed
in the file cfrun.hosts. Since each cluster member
is considered a client, make sure each member is listed in /csync/dsau/cfengine_master/inputs/cfrun.hosts. Edit it and add the hostnames of each member,
one per line. It is simplest to make sure that all the host names
are fully qualified. When using fully qualified hostnames, the “domain
=“ line is not required and can be deleted. This domain specification
is concatenated on any unqualified hostnames. If using unqualified
hostnames, replace the “<%DEFAULT_CLIENT_DNS_DOMAIN%>” token with the simple domain name. For example: domain = xyz.abc.com Note that the csync_wizard will always write fully
qualified hostnames when adding managed clients to this file. Edit the Master Policy File The file /var/opt/dsau/cfengine_master/inputs/cfagent.conf is the master policy file. The default cfagent.conf includes the default template cf.main which
is a commented template file with examples of common synchronization
actions for both standalone systems and Serviceguard clusters. Edit cf.main to replace the <%POLICYHOST_NAME%> token as described in a previous list bullet “Initial Policy File Customization.” The “domain
=” declaration used by the resolve action
is also discussed in the same section. Note that this default template performs no management
actions. All the action lines are commented out. It does contain many
examples specific to synchronizing files in a Serviceguard cluster.
This is a starting point for creating a custom set of cfengine policies
and actions for your cluster and other managed clients. The cfengine reference manual which documents
the syntax and all the possible management actions defined in this
file is located in /opt/dsau/doc/cfengine/. Other example cfengine configuration files which
are included with the open source cfengine distribution are located
in /opt/dsau/share/cfengine/examples. Edit the cfservd.conf File The
file /var/opt/dsau/cfengine_master/inputs/cfservd.conf controls which managed clients have access to the files served by cfservd on the master. Make the following edits to cfservd.conf: This example allows all hosts in the listed domains
to access files on the master server. You can also specify lists of specific host, IP
address ranges, and so on. Refer to the cfengine reference manual
for additional information. Distribute the Master update.conf to Each Cluster
Member Use the following commands: # cd /var/opt/dsau/cfengine_master/inputs # ccp update.conf /var/opt/dsau/cfengine/inputs/ cfengine itself will take care of distributing
the remaining files both cluster-wide and to all managed clients. Distribute the cfengine Security Keys Since cfengine uses a public/private key exchange model to validate
the authenticity of managed clients, a key must be configured that
is associated with the relocatable IP address of the package. That
address is the one that remote clients see as the master server. Since
any cluster member can become the adoptive node, this key must be
identical across all cluster members. cfengine’s cfkey generates
a public/private key pair for the current system. cfkey creates the files localhost.priv and localhost.pub. cfengine expects keys to be named using the following
convention: username-IP_address.pub For example, root-10.0.0.3.pub The administrator copies the localhost.pub key
to the correct name based on the system’s IP address. For the
case of a cluster, the keys for the current member are used to generate
the keys cluster-wide using the following steps: Use cfkey to create the public and private key pair for this cluster member: # /opt/dsau/sbin/cfkey This will create keys named localhost.priv and
localhost.pub in the directory /var/opt/dsau/cfengine/ppkeys. The public key, localhost.pub is then copied to root-package IP address.pub. For example, # cp localhost.pub root-192.10.25.12.pub where 192.10.25.12 is the relocatable IP address
of the csync package. This member’s localhost.pub is then used to create the member-specific
keys for each member: # cp localhost.pub root-member1 IP address.pub # cp localhost.pub root-member2 IP address.pub # cp localhost.pub root-member3 IP address.pub … # cp localhost.pub root-memberN IP address.pub Finally, all the keys
are copied to each member. # ccp * /var/opt/dsau/cfengine/ppkeys | | | | | NOTE: ccp, a command-fanout command,
performs a cluster copy, copying a command to all cluster members. | | | | |
Configure and start cfservd Configure the cfservd daemon to start at system startup. Edit /etc/rc.config.d/cfservd and change the line CSYNC_CONFIGURED=0 to CSYNC_CONFIGURED=1. Propagate this change
cluster-wide: # ccp
/etc/rc.config.d/cfservd /etc/rc.config.d/cfservd On the master server,
start cfservd: # /sbin/init.d/cfservd start Repeat for the remaining
cluster members. If you have configured the cluster for use with the
DSAU command fanout tools, use the following command to start the
daemons cluster-wide: # cexec /sbin/init.d/cfservd start
Create the csync Package To
create the configuration synchronization package, modify the default package template files
as appropriate for your Serviceguard environment. Note that the package
must be called csync. Failure to do so will
cause the Serviceguard automated operations to fail. For more information,
refer to the section “Serviceguard Automation Features”. Start by making the following changes: Create the package directory
cluster-wide: # cexec mkdir /etc/cmcluster/csync Copy the template package
ASCII file and package control script to the /etc/cmcluster/csync directory
on the current member: | # cd /etc/cmcluster/csync | | # cp /opt/dsau/share/serviceguard/templates/csync.conf.template
csync.conf | | # cp /dsau/share/serviceguard/templates/csync.script.template
csync | | # chmod +x csync |
Edit the csync.conf package ASCII configuration file to replace the placeholder tokens
with the appropriate values. The tokens are in the form <%token-name%>. Find the line "SUBNET <%SG_PKG_SUBNET%>" |
and replace the token with the subnet for the csync package. Use netstat -i to help identify the
subnet.Edit the package control
script, and substitute appropriate values for the placeholder tokens. | | | | | NOTE: The default script template
assumes you are using an LVM-based storage configuration. If you are
using VxVM or CFS, refer to the Managing
Serviceguard documentation for more information on configuring
packages using those technologies. You will have to comment out the
LVM parts of the template described below and substitute the appropriate
VxVM or CFS stanzas. | | | | |
Find the line "VG[0]="<%SG_PKG_VOL_GRP%>"" and replace the token with the name of the LVM volume group for
the package. For example, VG[0]=“/dev/vgcsync”. Find the line "LV[0]=“<%SG_PKG_LOG_VOL%>”" and replace the token with the full name of the logical volume.
For example, LV[0]=“/dev/vgcsync/lvol1”. Find the line "FS[0]=“<%SG_PKG_FS%>”" and replace the token with the name of the filesystem mount point
created for this package. For example, FS[0]=“/csync”. Note that this mount point should have been created
on each cluster member as part of the storage configuration described
above. Find the line "FS_MOUNT_OPT[0]=“<%SG_PKG_MNT_OPT%>”" and replace the token with the filesystem’s mount options.
For example, FS_MOUNT_OPT[0]=“-o
rw,largefiles”. Find the line "FS_TYPE[0]=“<%SG_PKG_FS_TYPE%>”" and replace the token with the filesystem type. For example, FS_TYPE[0]=“vxfs”. Find the line "FS_UMOUNT_OPT[0]=“<%SG_PKG_FS_UMOUNT_OPT%>”" and replace the token with any filesystem umount options. The token can be removed and this option left blank if
there are no special umount options. For example, FS_UMOUNT_OPT[0]=“”. Find the line "FS_FSCK_OPT[0]=“<%SG_PKG_FS_FSCK_OPT%>”" and replace the token with any filesystem specific fsck options. As above, the token can be deleted and this option left
blank. For example, FS_FSCK_OPT[0]=“”. Find the line IP[0]=“<%SG_PKG_IP%>” and replace the token with the IP address of the csync package. For example, IP[0]= 123.456.789.3. Find the line "SUBNET[0]=“<%SG_PKG_SUBNET%>”" and replace the token with the subnet for the package’s IP
address. Use netstat -i to help determine the subnet.
For example, SUBNET[0]= 123.456.789.0.
Distribute the package control script and package ASCII configuration files cluster-wide: # ccp csync
csync.conf /etc/cmcluster/csync/ Apply the package and
start it: | # cmapplyconf -P csync.conf | | # cmmodpkg -e csync |
Test the csync Package Configuration Test the configuration by performing the following steps: On a managed client, use the command: # cfagent --no-lock --verbose --no-splay The verbose output will display the client, checking for updated
copies of the master policy files, copying them into /var/opt/dsau/cfengine/inputs if needed, and then executing
the contents of cfagent.conf/cf.main. On the master server, test the cfrun command: # cfrun -- --inform --inform instructs the remote cfagent to use the --inform flag which will produce messages
for all changes cfengine performs on the system. For additional information,
the --verbose command can also be helpful: # cfrun -v -- --verbose The -v instructs cfrun itself to be more
verbose and the --verbose is passed on to the remote cfagent. For additional troubleshooting information, refer to “cfengine Troubleshooting”.
Configuring a Synchronization Managed ClientWhen manually configuring managed clients, the
basic steps are: Exchanging security keys. This establishes
the trust relationship between the managed client and master server. Copying update.conf from the master server to the managed client. Setting a schedule for
which cfagent will perform synchronization operations.
For a Serviceguard cluster, each member must be
individually configured as a cfengine client. After configuring each
member, if you add new members to the cluster, you must manually configure
each new member as well. Repeat the configuration tasks described
below on each cluster member. For all other newly managed clients, start by configuring
the trust relationship between the client and the master server. The
master and client systems exchange security keys to authenticate each
other. The master server’s public key needs to be copied to
the client and the client’s public key is copied to the master
server:
As root, use cfkey to create the public and private
key pair for this cluster member: # /opt/dsau/sbin/cfkey This creates keys named localhost.priv and localhost.pub in
the directory /var/opt/dsau/cfengine/ppkeys. Copy this client’s key to the master server.
The master server uses the following naming convention for the client
keys: username-client_IP_address.pub. Using this naming convention, push the client’s public key
to the master server’s ppkeys directory
using the following naming convention: # scp localhost.pub master_server:\ /var/opt/cfengine/ppkeys/root-client_IP_address.pub It is important to use a utility such as secure copy (see scp(1)) when transferring the key
in order to protect its integrity. Finally, copy the master server’s key to this
managed client: # scp master_server:/var/opt/cfengine_master/ppkeys/localhost.pub ∖ root-master_IP_address.pub Next, copy the master server update.conf to the
managed client: | # mkdir -p /var/opt/dsau/cfengine/inputs | | # cd /var/opt/dsau/cfengine/inputs | | # scp master_server:/var/opt/dsau/cfengine/inputs/update.conf
./update.conf |
To allow this client to accept cfrun requests, do the following:
Edit /etc/rc.config.d/cfservd and
set the CSYNC_CONFIGURED variable to "1" -- this will start cfservd at system boot time. Start cfservd: # /sbin/init.d/cfservd start Test the configuration with cfagent (see cfagent(8)): # cfagent --no-lock --verbose --no-splay The verbose output will display the client, checking for updated
copies of the master policy files, copying them down to /var/opt/cfengine/inputs if needed, and then executing
the contents of cfagent.conf/cf.main.
For additional troubleshooting information, refer
to the section “cfengine Troubleshooting”. Choosing a Synchronization Invocation MethodAs the administrator, you can push changes out
to managed clients by using the cfrun command
(see cfrun(8)). cfrun contacts
the cfservd daemon on each managed client and cfservd invokes cfagent which does the
actual synchronization work. You can also choose to have cfagent run at intervals on the client. There are two approaches: Run cfagent from a cron job. When running cfagent from cron, invoke it using cfexecd -F. An example crontab entry is shown below: 0 * * * * /var/opt/dsau/cfengine/bin/cfexecd
-F This crontab entry will cause cfagent to be run every hour. In this example, cfexecd (see cfexecd(8)) acts a wrapper for cfagent and
collects any output and places it in /var/opt/dsau/cfengine/outputs. cfexecd can also cause mail to be sent to the
administrator if specified in the cfagent.conf file. For details, refer to the cfengine reference manual in /opt/dsau/doc/cfengine. Note that the default cf.main has an example
for automatically adding the above line to the crontab file of each managed client. Run cfexecd in daemon
mode. cfexecd has cron-like features based on cfengine’s time classes and can be
used instead of cron to run cfagent. cfexecd defaults to running cfengine every hour.
When first getting started with cfengine, it is probably easiest to
use cron for scheduling client side synchronization.
For details on using cfexecd in daemon-mode, refer
to the cfengine tutorial located in /opt/dsau/doc/cfengine/.
|
Printable version
