Configuration and change management with Bcfg2
Bundles can be broken down still further: Bcfg2 groups the configuration files and software packages belonging to a specific system service in a file below the Bundler directory. For example, the Bundler/motd.xml file defines the configuration bundle for the /etc/motd welcome message:
<Bundle name='motd' version='2.0'> <Package name='login' /> <ConfigFile name='/etc/motd' /> </Bundle>
Some nicely commented examples of bundles are available from the project's wiki . Bundles contain a number of configuration items, which Bcfg2 aptly refers to as entries.
The system defines six different entry types (see Table 1): The ConfigFile type manages a file and its content; the Directory, Permission, and SymLink types let administrators manage or monitor objects. The Package and Service types of entries have more in the way of artificial intelligence.
Bcfg2 abstracts the distribution-specific methods used to, for example, install a package on a client; that is, it will call aptitude on a Debian system and rpm or yum on an openSUSE system. The same principle applies to system services that are typically listed in /etc/init.d.
Installing the Server
The abstract structure that describes the client is managed entirely on the server side. Typing bcfg2-admin init initializes a new configuration.
First, you are prompted for the details of the repository path, an SSL certificate for secure communications with the clients, and an access password. The Bcfg2 admin script then goes on to create several files and directories and populate the /etc/bcfg2.conf configuration file with meaningful defaults. You might need to modify the entry in the [components] section to match the hostname, which your clients can resolve with DNS.
This name is also the perfect choice for the Common Name when you generate a certificate. bcfg2-admin might create the file with world-readable permissions, but you will want to change this because it contains the client access password.
Additionally, the tool sets up an empty configuration repository below /var/lib/bcfg2. Calling /etc/init.d/bcfg2-server start launches the server.
The only component you need to install on the client is the bcfg2 client package. Additionally, you need to store the configuration file in /etc/bcfg2.conf.
The next step is to add each Bcfg2 client to the Metadata/clients.xml file on the server (Listing 2). All specifications use the XML format. The administrator can later assign profiles to hosts by using this file.
01 01 <Clients> 02 02 <Client profile="desktop" 03 name="alpha.example.com" pingable="N"/> 04 03 <Client profile="desktop" 05 name="beta.example.com" pingable="Y"/> 06 04 <Client profile="webserver" 07 name="gamma.example.com" pingable="N"/> 08 05 <!-- .. --!> 09 06 </Clients>
Bcfg2 identifies clients by their DNS names, which makes it important to have a working DNS system. The example assigns the desktop profile to the hosts alpha and beta.example.com and webserver to gamma.example.com. Bcfg2 is now ready for action.
Buy this article as PDF
HP's annual Cyber Risk report offers a bleak look at the state of IT.
But what do the big numbers really mean?
.NET Core execution engine is the basis for cross-platform .NET implementations.
The Xnote trojan hides itself on the target system and will launch a variety of attacks on command.
Spammers go low-volume, and 90% of IE browsers are unpatched.
Adobe scrambles to release patches for vulnerable Flash Player.
Four-inch-long computer on a stick lets you boot a full Linux system from any HDMI display device.
New statute would require companies to report break-ins to consumers.
Weird data transfer technique avoids all standard security measures.
FIDO alliance declares the beginning of the end for old-style login authentication.