mirror of
https://git.FreeBSD.org/src.git
synced 2025-01-12 14:29:28 +00:00
Diskless and templating configuration examples
This commit is contained in:
parent
8a78a4d285
commit
3606882c22
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=43240
20
share/examples/diskless/209.157.86.12/README
Normal file
20
share/examples/diskless/209.157.86.12/README
Normal file
@ -0,0 +1,20 @@
|
||||
|
||||
kernel, rc.local, and xdm-config are typically softlinks. Plus other
|
||||
files, of course, depending on how you setup your system.
|
||||
|
||||
rc.local and xdm-config might be softlinks into HT.DISKLESS, allowing
|
||||
you to ease system administration when managing many diskless
|
||||
workstations. You can also play other tricks, such as I play in
|
||||
rc.conf.local by having it source ../HT.DISKLESS/rc.conf.local to get
|
||||
class-based defaults.
|
||||
|
||||
total 6
|
||||
drwxr-xr-x 3 root wheel 512 Jan 26 10:56 .
|
||||
drwxr-xr-x 7 root wheel 512 Jan 26 10:58 ..
|
||||
drwxr-xr-x 2 root wheel 512 Jan 26 10:56 CVS
|
||||
lrwxr-xr-x 1 root wheel 17 Jan 25 10:26 kernel -> /kernel.diskless2
|
||||
-rw-r--r-- 1 root wheel 146 Jan 25 01:21 rc.conf.local
|
||||
lrwxr-xr-x 1 root wheel 23 Jan 25 10:26 rc.local -> ../HT.DISKLESS/rc.local
|
||||
-rw------- 1 root wheel 539 Jan 17 15:29 ssh_host_key
|
||||
-rw-r--r-- 1 root wheel 343 Jan 17 15:29 ssh_host_key.pub
|
||||
lrwxr-xr-x 1 root wheel 25 Jan 25 10:26 xdm-config -> ../HT.DISKLESS/xdm-config
|
9
share/examples/diskless/209.157.86.12/rc.conf.local
Normal file
9
share/examples/diskless/209.157.86.12/rc.conf.local
Normal file
@ -0,0 +1,9 @@
|
||||
# DISKLESS RC.CONF.LOCAL
|
||||
#
|
||||
# Override system standard /etc/rc.conf
|
||||
|
||||
. /conf/HT.DISKLESS/rc.conf.local
|
||||
|
||||
hostname=test2.backplane.com
|
||||
start_xdm=NO
|
||||
|
BIN
share/examples/diskless/209.157.86.12/ssh_host_key
Normal file
BIN
share/examples/diskless/209.157.86.12/ssh_host_key
Normal file
Binary file not shown.
1
share/examples/diskless/209.157.86.12/ssh_host_key.pub
Normal file
1
share/examples/diskless/209.157.86.12/ssh_host_key.pub
Normal file
@ -0,0 +1 @@
|
||||
1024 33 131532587310298436102876167134780549224884868848048954510241288010381123823834489593599651234236801895942903979896941799980786675282403650831462626987993609590967535749256449810953893747928248417183421903403076895749793372279190481189373438759742396152779236777836204647146078686957945395785442097357022574693 root@apollo.backplane.com
|
85
share/examples/diskless/HT.DISKLESS/rc.conf.local
Normal file
85
share/examples/diskless/HT.DISKLESS/rc.conf.local
Normal file
@ -0,0 +1,85 @@
|
||||
# DISKLESS RC.CONF.LOCAL
|
||||
#
|
||||
# Override system standard /etc/rc.conf
|
||||
|
||||
ldconfig_paths="$ldconfig_paths /usr/krb5/lib"
|
||||
ldconfig_paths_aout="$ldconfig_paths_aout /usr/krb5/lib/aout"
|
||||
|
||||
syslogd_flags="-f /etc/syslog.diskless.conf"
|
||||
inetd_enable="NO"
|
||||
portmap_enable="NO"
|
||||
router_enable="NO"
|
||||
cron_enable="NO"
|
||||
sendmail_enable="NO"
|
||||
|
||||
# Enable additional services
|
||||
#
|
||||
|
||||
lpd_enable="YES"
|
||||
nfs_client_enable="YES"
|
||||
ntpdate_enable="YES"
|
||||
ntpdate_flags="apollo.backplane.com"
|
||||
xntpd_enable="YES"
|
||||
|
||||
if [ -f /etc/ipfw.conf ]; then
|
||||
firewall_enable="YES"
|
||||
firewall_type="/etc/ipfw.conf"
|
||||
firewall_quiet="NO"
|
||||
fi
|
||||
|
||||
|
||||
# Add customizations to the diskless mount function
|
||||
#
|
||||
|
||||
old_func=$diskless_mount_func
|
||||
diskless_mount_func=diskless_mount_user
|
||||
|
||||
diskless_mount_user() {
|
||||
$old_func
|
||||
|
||||
# Copy of ssh_host_key* files to where sshd
|
||||
# expects them, assuming you add to /usr/local/etc/sshd_config:
|
||||
#
|
||||
# HostKey /var/db/ssh_host_key
|
||||
#
|
||||
|
||||
if [ -f $conf_dir/ssh_host_key ]; then
|
||||
cp $conf_dir/ssh_host_key* /var/db
|
||||
else
|
||||
(cd /var/db; ssh-keygen -f ssh_host_key -P "")
|
||||
fi
|
||||
chmod 400 /var/db/ssh_host_key
|
||||
chmod 644 /var/db/ssh_host_key.pub
|
||||
|
||||
# Copy home directory so you can login
|
||||
#
|
||||
#
|
||||
|
||||
mount_mfs -s 65536 -T qp120at dummy /home
|
||||
|
||||
if [ -d /home.diskless ]; then
|
||||
cd /home.diskless
|
||||
for i in *; do
|
||||
if [ -f $i/home.tgz ]; then
|
||||
mkdir /home/$i
|
||||
chown $i /home/$i
|
||||
chmod 700 /home/$i
|
||||
(cd /home/$i; tar xvzpf /home.diskless/$i/home.tgz)
|
||||
homeok=1
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
if [ "$homeok" = "0" ]; then
|
||||
echo "ERROR, NO /home.diskless DIRECTORY TO COPY TO /HOME"
|
||||
homeok=0
|
||||
sleep 10
|
||||
fi
|
||||
|
||||
# Firewall helper - if we configure the firewall to let through
|
||||
# ports > 4000, we need to configure the machines as such.
|
||||
#
|
||||
|
||||
sysctl -w net.inet.ip.portrange.first=4000
|
||||
}
|
||||
|
19
share/examples/diskless/HT.DISKLESS/rc.local
Executable file
19
share/examples/diskless/HT.DISKLESS/rc.local
Executable file
@ -0,0 +1,19 @@
|
||||
#!/bin/sh
|
||||
|
||||
. /etc/rc.conf
|
||||
|
||||
cat >> /var/spool/lpd/ljet4.ps << EOF
|
||||
#!/bin/sh
|
||||
#
|
||||
|
||||
gs -q -dSAFER -dNOPAUSE -sDEVICE=ljet4 -r600x600 -dBitsPerPixel=1 \
|
||||
-sOutputFile=- -
|
||||
EOF
|
||||
chmod 755 /var/spool/lpd/ljet4.ps
|
||||
mkdir /var/spool/ljet4
|
||||
chown daemon /var/spool/ljet4
|
||||
|
||||
if [ "X$start_xdm" = "XYES" ]; then
|
||||
( sleep 10; xdm -config $conf_dir/xdm-config ) > /dev/null 2>&1 &
|
||||
fi
|
||||
|
15
share/examples/diskless/HT.DISKLESS/xdm-config
Normal file
15
share/examples/diskless/HT.DISKLESS/xdm-config
Normal file
@ -0,0 +1,15 @@
|
||||
! $XConsortium: xdm-conf.cpp,v 1.2 93/09/28 14:30:32 gildea Exp $
|
||||
DisplayManager.errorLogFile: /var/run/xdm-errors
|
||||
DisplayManager.pidFile: /var/run/xdm-pid
|
||||
DisplayManager.servers: /usr/X11R6/lib/X11/xdm/Xservers-1
|
||||
DisplayManager.keyFile: /usr/X11R6/lib/X11/xdm/xdm-keys
|
||||
DisplayManager.servers: /usr/X11R6/lib/X11/xdm/Xservers
|
||||
DisplayManager.accessFile: /usr/X11R6/lib/X11/xdm/Xaccess
|
||||
DisplayManager._0.authorize: true
|
||||
DisplayManager._0.setup: /usr/X11R6/lib/X11/xdm/Xsetup_0
|
||||
DisplayManager._0.startup: /usr/X11R6/lib/X11/xdm/GiveConsole
|
||||
DisplayManager._0.reset: /usr/X11R6/lib/X11/xdm/TakeConsole
|
||||
DisplayManager*resources: /usr/X11R6/lib/X11/xdm/Xresources
|
||||
DisplayManager*session: /usr/X11R6/lib/X11/xdm/Xsession
|
||||
DisplayManager*authComplain: false
|
||||
|
30
share/examples/diskless/HT.STD/aliases
Normal file
30
share/examples/diskless/HT.STD/aliases
Normal file
@ -0,0 +1,30 @@
|
||||
#
|
||||
# @(#)aliases 5.3 (Berkeley) 5/24/90
|
||||
#
|
||||
# Aliases in this file will NOT be expanded in the header from
|
||||
# Mail, but WILL be visible over networks or from /bin/mail.
|
||||
#
|
||||
# >>>>>>>>>> The program "newaliases" must be run after
|
||||
# >> NOTE >> this file is updated for any changes to
|
||||
# >>>>>>>>>> show through to sendmail.
|
||||
#
|
||||
|
||||
# Basic system aliases -- these MUST be present
|
||||
MAILER-DAEMON: postmaster
|
||||
postmaster: root
|
||||
|
||||
# General redirections for pseudo accounts
|
||||
bin: root
|
||||
daemon: root
|
||||
games: root
|
||||
ingres: root
|
||||
nobody: root
|
||||
system: root
|
||||
toor: root
|
||||
uucp: root
|
||||
usenet: root
|
||||
root: root@backplane.com
|
||||
|
||||
diablo: dillon
|
||||
diablo-bugs: dillon
|
||||
|
6
share/examples/diskless/HT.STD/forward.map
Normal file
6
share/examples/diskless/HT.STD/forward.map
Normal file
@ -0,0 +1,6 @@
|
||||
# @(#)forward.map 1.1 1/17/95
|
||||
#
|
||||
# Put addresses to be forwarded here. Example:
|
||||
#
|
||||
# garyw@mojosoft.com charliex@best.com
|
||||
#
|
11
share/examples/diskless/HT.STD/ndomain.map
Normal file
11
share/examples/diskless/HT.STD/ndomain.map
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# example:
|
||||
# fofs.com markl@shellx.best.com
|
||||
#
|
||||
# NOTE: FORWARD.MAP can be used to override NDOMAIN.MAP for specific
|
||||
# users. NDOMAIN.MAP would then act as a catch-all
|
||||
#
|
||||
# NOTE: NDOMAIN.MAP only works to two levels. I.E. if you have an
|
||||
# entry for fubar.com, then user@fubar.com will work and
|
||||
# user@host.fubar.com will work, but NOT user@host.dom.fubar.com
|
||||
#
|
4
share/examples/diskless/ME
Normal file
4
share/examples/diskless/ME
Normal file
@ -0,0 +1,4 @@
|
||||
|
||||
( When templating, ME is typically a softlink to the appropriate host
|
||||
subdirectory )
|
||||
|
151
share/examples/diskless/README.BOOTP
Normal file
151
share/examples/diskless/README.BOOTP
Normal file
@ -0,0 +1,151 @@
|
||||
|
||||
BOOTP configuration mechanism
|
||||
|
||||
Matthew Dillon
|
||||
dillon@backplane.com
|
||||
|
||||
BOOTP kernels automatically configure the machine's IP address, netmask,
|
||||
optional NFS based swap, and NFS based root mount. The NFS server will
|
||||
typically export a shared read-only /, /usr, and /var to any number of
|
||||
workstations. The shared read-only root is typically either the server's
|
||||
own root or, if you are more security concious, a contrived root.
|
||||
|
||||
The key issue with starting up a BOOTP kernel is that you typically want
|
||||
to export read-only NFS partitions from the server, yet still be able to
|
||||
customize each workstation ( or not ).
|
||||
|
||||
The current /etc/rc.diskless file takes over the function of mounting
|
||||
'disks' and retargets rc.conf.local and rc.local from /etc
|
||||
to /conf/$IP_OF_WORKSTATION. The typical automatic configuration and
|
||||
mounting of disks in /etc/rc is bypassed, but most if not all rc.conf
|
||||
style options are left intact.
|
||||
|
||||
In the BOOTP workstation /conf/$IP/rc.conf.local, you must typically
|
||||
turn *OFF* most of the system option defaults in /etc/rc.conf as well
|
||||
as do additional custom configuration of your environment
|
||||
|
||||
The /usr/src/share/examples/diskless directory contains a typical
|
||||
X session / sshd based workstation configuration. The directories
|
||||
involved are HT.DISKLESS/ and 192.157.86.12/.
|
||||
|
||||
Essentially, the $IP/ directory ( which rc.diskless looks for in
|
||||
/conf/$IP/ ) contains all the junk. The HT.DISKLESS directory exists
|
||||
to hold common elements of your custom configuration so you do not have
|
||||
to repeat those elements for each workstation. The example /conf
|
||||
structure included here shows how to create a working sshd setup ( so
|
||||
you can sshd into the diskless workstation ), retarget xdm's pid and error
|
||||
files to R+W directories if /usr is mounted read-only, and retarget
|
||||
syslogd and other programs. This example is not designed to run out of
|
||||
the box and some modifications are required.
|
||||
|
||||
Typically you should start with a clean slate by tar-copying this example
|
||||
directory to /conf and then hack on it in /conf rather then in
|
||||
/usr/share/examples/diskless.
|
||||
|
||||
BOOTP CLIENT SETUP
|
||||
|
||||
Here is a typical kernel configuration. If you have only one ethernet
|
||||
interface you do not need to wire BOOTP to a specific interface name.
|
||||
BOOTP requires NFS and NFS_ROOT, and our boot scripts require MFS. If
|
||||
your /tmp is *not* a softlink to /var/tmp, the scripts also require NULLFS
|
||||
|
||||
# BootP
|
||||
#
|
||||
options BOOTP # Use BOOTP to obtain IP address/hostname
|
||||
options BOOTP_NFSROOT # NFS mount root filesystem using BOOTP info
|
||||
options "BOOTP_NFSV3" # Use NFS v3 to NFS mount rootoptions
|
||||
options BOOTP_COMPAT # Workaround for broken bootp daemons.
|
||||
#options "BOOTP_WIRED_TO=de0"
|
||||
|
||||
options MFS # Memory File System
|
||||
options NFS # Network Filesystem
|
||||
options NFS_ROOT # Nfs can be root
|
||||
options NULLFS # nullfs to map /var/tmp to /tmp
|
||||
|
||||
BOOTP SERVER SETUP
|
||||
|
||||
The BOOTP server must be running on the same logical LAN as the the
|
||||
BOOTP client(s). You need to setup two things:
|
||||
|
||||
(1) You need to NFS-export /, /usr, and /var.
|
||||
|
||||
(2) You need to run a BOOTP server. DHCPD can do this.
|
||||
|
||||
|
||||
NFS Export:
|
||||
|
||||
Here is an example "/etc/exports" file.
|
||||
|
||||
/ -ro -maproot=root: -network 192.157.86.0 -mask 255.255.255.192
|
||||
/usr -ro -maproot=root: -network 192.157.86.0 -mask 255.255.255.192
|
||||
/var -ro -maproot=root: -network 192.157.86.0 -mask 255.255.255.192
|
||||
|
||||
In order to be an NFS server, the server must run portmap, mountd,
|
||||
nfsd, and rpc.statd. The standard NFS server options in /etc/rc.conf
|
||||
will work ( you should put your overrides in /etc/rc.conf.local on the
|
||||
server and not edit the distribution /etc/rc.conf, though ).
|
||||
|
||||
BOOTP Server:
|
||||
|
||||
This configuration file "/etc/dhcpd.conf" example is for
|
||||
the '/usr/ports/net/isc-dhcp' dhcpd port.
|
||||
|
||||
subnet 192.157.86.0 netmask 255.255.255.192 {
|
||||
# range if you want to run the core dhcpd service of
|
||||
# dynamic IP assignment, but it is not used with BOOTP
|
||||
# workstations
|
||||
range 192.157.86.32 192.157.86.62;
|
||||
|
||||
# misc configuration.
|
||||
#
|
||||
option routers 192.157.86.2;
|
||||
option domain-name-servers 192.157.86.2;
|
||||
|
||||
server-name "apollo.fubar.com";
|
||||
option subnet-mask 255.255.255.192;
|
||||
option domain-name-servers 192.157.86.2;
|
||||
option domain-name "fubar.com";
|
||||
option broadcast-address 192.157.86.63;
|
||||
option routers 192.157.86.2;
|
||||
}
|
||||
|
||||
host test1 {
|
||||
hardware ethernet 00:a0:c9:d3:38:25;
|
||||
fixed-address 192.157.86.11;
|
||||
option root-path "192.157.86.2:/";
|
||||
option option-128 "192.157.86.2:/images/swap";
|
||||
}
|
||||
|
||||
host test2 {
|
||||
# hardware ethernet 00:e0:29:1d:16:09;
|
||||
hardware ethernet 00:10:5a:a8:94:0e;
|
||||
fixed-address 192.157.86.12;
|
||||
option root-path "192.157.86.2:/";
|
||||
option option-128 "192.157.86.2:/images/swap";
|
||||
}
|
||||
|
||||
SWAP. This example includes options to automatically BOOTP configure
|
||||
NFS swap on each workstation. In order to use this capabilities you
|
||||
need to NFS-export a swap directory READ+WRITE to the workstations.
|
||||
|
||||
You must then create a swap directory for each workstation you wish to
|
||||
assign swap to. In this example I created a dummy user 'lander' and
|
||||
did an NFS export of /images/swap enforcing a UID of 'lander' for
|
||||
all accesses.
|
||||
|
||||
apollo:/usr/ports/net# ls -la /images/swap
|
||||
total 491786
|
||||
drwxr-xr-x 2 root wheel 512 Dec 28 07:00 .
|
||||
drwxr-xr-x 8 root wheel 512 Jan 20 10:54 ..
|
||||
-rw-r--r-- 1 lander wheel 33554432 Dec 23 14:35 swap.192.157.86.11
|
||||
-rw-r--r-- 1 lander wheel 335544320 Jan 24 16:55 swap.192.157.86.12
|
||||
-rw-r--r-- 1 lander wheel 134217728 Jan 21 17:19 swap.192.157.86.6
|
||||
|
||||
A swap file is best created with dd:
|
||||
|
||||
# create a 32MB swap file for a BOOTP workstation
|
||||
dd if=/dev/zero of=swap.IPADDRESS bs=1m count=32
|
||||
|
||||
It is generally a good idea to give your workstations some swap space,
|
||||
but not a requirement if they have a lot of memory.
|
||||
|
281
share/examples/diskless/README.TEMPLATING
Normal file
281
share/examples/diskless/README.TEMPLATING
Normal file
@ -0,0 +1,281 @@
|
||||
|
||||
TEMPLATING machine configurations
|
||||
|
||||
Matthew Dillon
|
||||
dillon@backplane.com
|
||||
|
||||
This document describes a general mechanism by which you can template
|
||||
/ and /usr. That is, to keep a 'master template' of / and /usr on a
|
||||
separate machine which is then used to update the rest of your machines.
|
||||
|
||||
Generally speaking, you can't simply mirror /. You might be able to
|
||||
get away with mirroring /usr. There are two main problems involved with
|
||||
templating:
|
||||
|
||||
(1) Avoiding overwriting run-time generated files
|
||||
|
||||
By default, the system maintains a number of files in the root
|
||||
partition. For example, sendmail will dbm /etc/aliases into
|
||||
/etc/aliases.db. vipw or chpass or other password related routines
|
||||
will regenerate the password dbm's /etc/spwd.db, /etc/pwd.db, and
|
||||
passwd. /etc/namedb/s might contain generated secondaries. And
|
||||
so forth.
|
||||
|
||||
The templating mechanism must avoid copying over such files.
|
||||
|
||||
(2) Customizing machines.
|
||||
|
||||
Customizing machines is actually considerably simpler. You create
|
||||
a configuration hierarchy and convert the configuration files that
|
||||
have to be customized into softlinks that run through a special
|
||||
softlink in the configuration directory. This will work for every
|
||||
configuration file except possibly /etc/master.passwd
|
||||
|
||||
For example, /etc/resolv.conf would be turned into a softlink to
|
||||
/conf/ME/resolv.conf, and /conf/ME itself would be a softlink to
|
||||
/conf/<HOSTNAME>. The actual resolv.conf configuration file
|
||||
would reside in /conf/<HOSTNAME>.
|
||||
|
||||
If you have a lot of hosts, some configuration files may be commonly
|
||||
classified. For example, all your shell machines might have the
|
||||
same /etc/resolv.conf. The solution is to make
|
||||
/conf/<HOSTNAME>/resolv.conf a softlink to a common directory, say
|
||||
/conf/HT.SHELL/resolv.conf. It may sound a little messy, but this
|
||||
sort of categorization actually makes the sysadmins job much, much
|
||||
easier.
|
||||
|
||||
The /conf/ directory hierarchy is stored on the template and
|
||||
distributed to all the machines along with the rest of the root
|
||||
partition.
|
||||
|
||||
This type of customization is taken from my direct experience
|
||||
instituting such a system at BEST. At the time, BEST had over 45
|
||||
machines managed from a single template.
|
||||
|
||||
RUN-TIME GENERATED OR MODIFIED FILES IN / or /USR
|
||||
|
||||
/etc/aliases.db
|
||||
/etc/master.passwd
|
||||
/etc/spwd.db
|
||||
/etc/pwd.db
|
||||
/etc/passwd
|
||||
/etc/namedb/s
|
||||
/root/.history
|
||||
/root/.ssh/identity
|
||||
/root/.ssh/identity.pub
|
||||
/root/.ssh/random_seed
|
||||
/root/.ssh/known_hosts
|
||||
/conf/ME
|
||||
/kernel* ( note 2 )
|
||||
/dev ( note 3 )
|
||||
/var ( note 4 )
|
||||
/home ( note 4 )
|
||||
/lost+found
|
||||
|
||||
/usr/lost+found
|
||||
/usr/home ( note 4 )
|
||||
/usr/crash ( note 5 )
|
||||
/usr/obj ( note 5 )
|
||||
/usr/ports ( note 5 )
|
||||
/usr/src ( note 5 )
|
||||
/usr/local/crack ( note 5 )
|
||||
/usr/X11R6/lib/X11/xdm/xdm-errors ( note 6 )
|
||||
/usr/X11R6/lib/X11/xdm/xdm-pid ( note 6 )
|
||||
/usr/local/etc/ssh_host_key ( note 6 )
|
||||
/usr/local/etc/ssh_host_key.pub ( note 6 )
|
||||
/usr/local/etc/ssh_random_seed ( note 6 )
|
||||
|
||||
/conf/ME ( note 7 )
|
||||
|
||||
note 2: You typically want to update kernels manually and *NOT*
|
||||
template them as a safety measure. This also allows you to run
|
||||
different kernels on different machines or.
|
||||
|
||||
note 3: /dev must be updated manually. Some devices, such as tty's and
|
||||
pty's, use the access and/or modify time and/or user/group
|
||||
operationally and regenerating the devices on the fly would be
|
||||
bad.
|
||||
|
||||
note 4: /var and /home are usually separately mounted partitions and
|
||||
thus would not fall under the template, but as a safety measure
|
||||
the template copier refuse to copy directories named 'home'.
|
||||
|
||||
note 5: These are directories that are as often created directly on
|
||||
/usr as they are separately-mounted partitions. You typically
|
||||
do not want to template such directories.
|
||||
|
||||
note 6: Note that you can solve the problem of xdm and sshd creating
|
||||
files in /usr. With xdm, edit /usr/X11R6/lib/xdm/xdm-config
|
||||
and change the errorLogFile and pidFile config lines.
|
||||
|
||||
With sshd, add 'HostKey' and 'RandomSeed' directives to specify
|
||||
/var/db for the location of the host key and run-time sshd
|
||||
random seed:
|
||||
|
||||
HostKey /var/db/ssh_host_key
|
||||
RandomSeed /var/db/ssh_random_seed
|
||||
|
||||
note 7: In this example, /conf/ME is the machine customizer and must
|
||||
be pointed to the /conf/<full-host-name>/ directory, which is
|
||||
different for each machine. Thus, the /conf/ME softlink
|
||||
should never be overwritten by the templating copy.
|
||||
|
||||
|
||||
TYPICAL CUSTOMIZED CONFIGRATION SOFTLINKS
|
||||
|
||||
The following files typically need to be turned into softlinks
|
||||
to /conf/ME/<filename>:
|
||||
|
||||
/etc/ccd.conf -> /conf/ME/ccd.conf
|
||||
/etc/ipfw.conf ...
|
||||
/etc/fstab
|
||||
/etc/motd
|
||||
/etc/resolv.conf
|
||||
/etc/aliases
|
||||
/etc/sendmail.cw
|
||||
/etc/organization
|
||||
/etc/named.conf
|
||||
/etc/rc.conf.local
|
||||
/etc/printcap
|
||||
/etc/inetd.conf
|
||||
/etc/login.conf
|
||||
/etc/gettytab
|
||||
/etc/ntp.conf
|
||||
/etc/exports
|
||||
/root/.k5login -> /conf/ME/root/.k5login
|
||||
|
||||
And, of course, /conf/ME is usually a softlink to the appropriate
|
||||
/conf/<full-host-name>/. Depending on your system configuration,
|
||||
there may be other files not listed above that you have to worry about.
|
||||
|
||||
DELETION OF FILES
|
||||
|
||||
Any file found on the template destination that does not exist in the
|
||||
source and is not listed as an exception by the source should be deleted.
|
||||
However, deletion can be dangerous and cpdup will ask for confirmation
|
||||
by default. Once you know you aren't going to blow things up, you can
|
||||
turn this feature off and update your systems automatically from cron.
|
||||
|
||||
By formalizing the delete operation, you can be 100% sure that it is
|
||||
possible to recreate / and /usr on any machine with only the original
|
||||
template and a backup of the ( relatively few ) explicitly-excepted
|
||||
files. The most common mistake a sysop makes is to make a change to a
|
||||
file in / or /usr on a target machine instead of the template machine.
|
||||
If the target machine is updated once a night from cron, the sysop
|
||||
quickly learns not to do this ( because his changes get overwritten
|
||||
overnight ). With a manual update, these sorts of mistakes can propogate
|
||||
for weeks or months before they are caught.
|
||||
|
||||
TEMPLATE COPYING AND SAFETY
|
||||
THE CPDUP PROGRAM
|
||||
|
||||
The 'cpdup' program is a program which efficiently duplicates a directory
|
||||
tree. The program copies source to destination, duplicating devices,
|
||||
softlinks, hardlinks, files, modification times, uid, gid, flags, perms,
|
||||
and so forth. The program incorporates several major features:
|
||||
|
||||
* The program refuses, absolutely, to cross partition boundries.
|
||||
i.e. if you were copying the template /usr from an NFS mount to
|
||||
your /usr, and you had a mount point called /usr/home, the
|
||||
template copying program would *NOT* descend into /usr/home on
|
||||
the destination.
|
||||
|
||||
This is a safety.
|
||||
|
||||
* The program accesses a file called .cpignore in each directory
|
||||
it descending into on the source to obtain a list of exceptions
|
||||
for that directory -- that is, files not to copy or mess with.
|
||||
|
||||
This is a templating function.
|
||||
|
||||
* The program refuses to delete a directory on the destination
|
||||
being replaced by a softlink or file on the source.
|
||||
|
||||
This is a safety mechanism
|
||||
|
||||
* The program is capable of maintaing MD5 check cache files and
|
||||
doing an MD5 check between source and destination during the
|
||||
scan.
|
||||
|
||||
* The program is capable of deleting files/directories on the
|
||||
destination that do not exist on the source, but asks for
|
||||
confirmation by default.
|
||||
|
||||
This is a templating and a safety mechanism.
|
||||
|
||||
* The program uses a copy-to-tmp-and-rename methodology allowing
|
||||
it to be used to update live filesystems.
|
||||
|
||||
This is a templating mechanism.
|
||||
|
||||
* The program, by default, tries to determine if a copy is required
|
||||
by checking modify times, file size, perms, and other stat
|
||||
elements. If the elements match, it does not bother to copy
|
||||
( unless an MD5 check is being made, in which case it must read
|
||||
the destination file ).
|
||||
|
||||
You typically run cpdup on the target machine. The target machine
|
||||
temporarily mounts the template machine's / and /usr via NFS, read-only,
|
||||
and runs cpdup to update / and /usr. If you use this methodology note
|
||||
that THERE ARE SECURITY CONSIDERATIONS! See 'SECURITY CONSIDERATIONS WITH
|
||||
NFS' below.
|
||||
|
||||
Whatever script you use that does the NFS mounts should ensure that the
|
||||
mount succeeded before continuing with the cpdup.
|
||||
|
||||
You should create .cpignore files in the appropriate directories on the
|
||||
template machine's / and /usr partitions so as not to overwrite active
|
||||
files on the target. The most critical .cpignore files should be
|
||||
protected with 'chflags schg .cpignore'. Specifically, the ones in /
|
||||
and /etc, but possibly others as well. For example, the .cpignore
|
||||
hierarchy for protect /root is:
|
||||
|
||||
# /root/.cpignore contains
|
||||
.history
|
||||
|
||||
# /root/.ssh/.cpignore contains
|
||||
random_seed
|
||||
known_hosts
|
||||
authorized_keys
|
||||
identity
|
||||
identity.pub
|
||||
|
||||
WHEN INITIALLY CONVERTING A TARGET MACHINE TO USE TEMPLATING, ALWAYS
|
||||
MAKE A FULL BACKUP OF THE TARGET MACHINE FIRST! You may accidently delete
|
||||
files on the target during the conversion due to forgetting to enter
|
||||
items into appropriate .cpignore files on the source.
|
||||
|
||||
SECURITY CONSIDERATIONS WITH NFS ROOT EXPORT FROM TEMPLATE MACHINE
|
||||
SECURITY CONSIDERATIONS WITH NFS USR EXPORT FROM TEMPLATE MACHINE
|
||||
|
||||
There are some serious security considerations that must be taken into
|
||||
account when exporting / and /usr on the template machine.
|
||||
|
||||
* only export read-only
|
||||
|
||||
* the password file ( aka vipw ) may not contain any crypted passwords
|
||||
at all. You MUST use ssh or kerberos to access the template machine.
|
||||
|
||||
You can get away with giving only root a crypted password, but only
|
||||
if you disallow network root logins and only allow direct root
|
||||
logins on the console.
|
||||
|
||||
* The machine's private ssh_host_key usually resides in /usr/local/etc.
|
||||
You must move this key to /var/db. You can softlink link so no
|
||||
modification of sshd_config is required.
|
||||
|
||||
* The machine's private ~root/.ssh/identity file is also exposed by
|
||||
the NFS export, you should move this file to /var/db as well and
|
||||
put a softlink in ~root/.ssh.
|
||||
|
||||
* DON'T EXPORT /var ! Either that, or don't put the private keys
|
||||
in /var/db ... put them somewhere else.
|
||||
|
||||
* You may want to redirect the location of the random_seed file, which
|
||||
can be done by editing ~root/.ssh/sshd_config and
|
||||
/usr/local/etc/sshd_config so it is not exposed either.
|
||||
|
||||
-Matt
|
||||
Matthew Dillon
|
||||
dillon@backplane.com
|
||||
|
19
share/examples/diskless/archive.backplane.com/README
Normal file
19
share/examples/diskless/archive.backplane.com/README
Normal file
@ -0,0 +1,19 @@
|
||||
|
||||
aliases, forward.map, and ndomain.map are typically softlinks to some
|
||||
other common directory such as HT.STD.
|
||||
|
||||
You can create machine classifications, which I call 'HT.XXX' directories,
|
||||
to hold common files for a particular functional machine class.
|
||||
|
||||
total 8
|
||||
drwxr-xr-x 3 root wheel 512 Jan 26 10:56 .
|
||||
drwxr-xr-x 7 root wheel 512 Jan 26 10:58 ..
|
||||
drwxr-xr-x 2 root wheel 512 Jan 26 10:56 CVS
|
||||
lrwxr-xr-x 1 root wheel 17 Jan 25 10:27 aliases -> ../HT.STD/aliases
|
||||
lrwxr-xr-x 1 root wheel 21 Jan 25 10:27 forward.map -> ../HT.STD/forward.map
|
||||
-rw-r--r-- 1 root wheel 263 Jan 24 18:27 fstab
|
||||
-rw-r--r-- 1 root wheel 750 Jan 24 18:29 ipfw.conf
|
||||
-rw-r--r-- 1 root wheel 100 Jan 24 18:35 motd
|
||||
lrwxr-xr-x 1 root wheel 21 Jan 25 10:27 ndomain.map -> ../HT.STD/ndomain.map
|
||||
-rw------- 1 root wheel 464 Jan 25 13:53 rc.conf.local
|
||||
-rw-r--r-- 1 root wheel 283 Jan 24 18:33 resolv.conf
|
8
share/examples/diskless/archive.backplane.com/fstab
Normal file
8
share/examples/diskless/archive.backplane.com/fstab
Normal file
@ -0,0 +1,8 @@
|
||||
# Device Mountpoint FStype Options Dump Pass#
|
||||
/dev/sd0a / ufs rw 1 1
|
||||
/dev/sd0b none swap sw 0 0
|
||||
/dev/sd0d /var ufs rw 1 1
|
||||
/dev/sd0e /usr ufs rw 1 1
|
||||
/dev/wd0d /cvs ufs rw 2 2
|
||||
209.157.86.2:/FreeBSD /FreeBSD nfs ro 0 3
|
||||
proc /proc procfs rw 0 0
|
31
share/examples/diskless/archive.backplane.com/ipfw.conf
Normal file
31
share/examples/diskless/archive.backplane.com/ipfw.conf
Normal file
@ -0,0 +1,31 @@
|
||||
# /etc/ipfw.conf
|
||||
#
|
||||
# allow local nets, dialup specials
|
||||
#
|
||||
add 00010 allow all from 127.0.0.1 to 127.0.0.1 via lo0
|
||||
add 00020 allow ip from 209.157.86.0/26 to 209.157.86.0/26
|
||||
#add 00030 allow ip from any to any via sl0
|
||||
|
||||
# Allow all outgoing
|
||||
#
|
||||
add 00040 allow all from 209.157.86.0/26 to any
|
||||
|
||||
# incoming TCP
|
||||
#
|
||||
add 01000 allow tcp from any to any established
|
||||
add 01010 allow tcp from any to any ssh,smtp,domain,finger,ntalk,http,auth,kerberos
|
||||
add 01020 reset log tcp from any to any
|
||||
|
||||
# incoming UDP
|
||||
#
|
||||
add 02000 allow udp from any to any 4000-65535,domain,ntp,kerberos,ntalk
|
||||
add 02010 unreach filter-prohib log udp from any to any
|
||||
|
||||
# incoming ICMP
|
||||
#
|
||||
add 03000 allow icmp from any to any
|
||||
|
||||
# Deny the rest and log
|
||||
#
|
||||
add 65534 deny log all from any to any
|
||||
|
4
share/examples/diskless/archive.backplane.com/motd
Normal file
4
share/examples/diskless/archive.backplane.com/motd
Normal file
@ -0,0 +1,4 @@
|
||||
FreeBSD 3.0-CURRENT (ARCHIVE) #54: Sat Jan 2 12:18:57 PST 1999
|
||||
|
||||
Welcome to archive.backplane.com!
|
||||
|
19
share/examples/diskless/archive.backplane.com/rc.conf.local
Normal file
19
share/examples/diskless/archive.backplane.com/rc.conf.local
Normal file
@ -0,0 +1,19 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
|
||||
network_interfaces="lo0 ed1"
|
||||
ifconfig_ed1="inet 192.157.86.7 netmask 255.255.255.192"
|
||||
|
||||
# use external resolver
|
||||
#
|
||||
named_enable="NO"
|
||||
portmap_enable="NO"
|
||||
|
||||
##############################################################
|
||||
### Miscellaneous administrative options ###################
|
||||
##############################################################
|
||||
|
||||
sendmail_enable="YES"
|
||||
sendmail_flags="-q5m"
|
||||
dumpdev="/dev/sd0b" # Device name to crashdump to (if enabled).
|
||||
|
@ -0,0 +1,9 @@
|
||||
search backplane.com best.com best.net
|
||||
#search best.com. best.net. backplane.com.
|
||||
# workstations use this file too, and do not run named themselves
|
||||
#
|
||||
# so lander can use this file too
|
||||
nameserver 209.157.86.2
|
||||
#nameserver 127.0.0.1
|
||||
#nameserver 204.156.128.1
|
||||
#nameserver 204.156.128.20
|
Loading…
Reference in New Issue
Block a user