HP UX System Administration manual: Cfengine Master Server Deployment Models, Cfengine Overview

Figure 2-1 cfengine Overview

[Figure: a master server and a client. Components shown: cfrun, cfservd, cron, cfagent and cfexecd. The master server holds the master policy files in /dir/cfengine_master/inputs/ (update.conf, cfagent.conf, cfservd.conf, cfrun.hosts) and the reference files in /dir/cfengine_master/master_files/. The master server and the client each have a local /var/opt/dsau/cfengine/inputs containing update.conf, cfagent.conf, cfservd.conf and cfrun.hosts. The numbers 1 through 5 in the figure correspond to the steps below.]

1. The administrator is logged into the master configuration synchronization server and makes a change to be propagated out to the managed clients, using the cfrun command. cfrun checks the file cfrun.hosts for the list of managed clients. Note that the master server can be a client of itself. In this diagram, there are two clients, the master server and a remote client.

2. cfrun contacts cfservd on each managed client, which in turn invokes cfagent.

3. cfagent first checks the master server for an updated copy of the update.conf file and transfers it to the client if needed.

4. If a standalone system is the master server, by default the master copy of update.conf is located in /var/opt/dsau/cfengine_master/inputs/. The master copies of other configuration files such as cfagent.conf, cfservd.conf, cf.main, and cfrun.hosts are also located here. If the master server is a Serviceguard cluster, the master configuration files are located in the mount point associated with the package. For example, if this mount point is named csync, the path would be /csync/dsau/cfengine_master/inputs.

5. When copying the configuration files to the local system, cfagent places them in /var/opt/dsau/cfengine/inputs for both standalone systems and clusters. cfagent first evaluates the contents of update.conf in order to update any changed cfengine binaries (if any) and gets the latest version of the policy files (cfagent.conf and related files).

cfagent then evaluates cfagent.conf to determine if the client is in the desired state. If there are deltas, cfagent performs the defined actions to correct the client’s configuration.
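On a master server that is also a client of itself, both directories from steps 4 and 5 exist on the same system, so the result of the copy can be checked directly. The following is an added example, not part of the HP manual: it compares the master copies of the policy files with the local copies and reports any file that differs or is missing, which flags both an update that has not yet been pulled and a local copy edited outside the master. The function names `policy_state` and `policy_report` and the three environment variables are hypothetical; the default paths are the standalone-master paths given above.

```shell
#!/bin/sh
# Added example: compare master policy files with the copies in the local
# cfengine inputs directory. Defaults are the standalone paths from steps 4-5;
# for a Serviceguard master, set MASTER_INPUTS to the package mount point path.
MASTER_INPUTS=${MASTER_INPUTS:-/var/opt/dsau/cfengine_master/inputs}
LOCAL_INPUTS=${LOCAL_INPUTS:-/var/opt/dsau/cfengine/inputs}
POLICY_FILES=${POLICY_FILES:-"update.conf cfagent.conf cfservd.conf cfrun.hosts"}

# policy_state FILE
# Prints one of: in-sync, differs, missing-master, missing-local
policy_state() {
    if [ ! -f "$MASTER_INPUTS/$1" ]; then
        echo missing-master
    elif [ ! -f "$LOCAL_INPUTS/$1" ]; then
        echo missing-local
    elif cmp -s "$MASTER_INPUTS/$1" "$LOCAL_INPUTS/$1"; then
        echo in-sync
    else
        echo differs
    fi
}

# policy_report
# Prints "file state" for every policy file; the return status is the
# number of files that are not in sync (0 means local matches master).
policy_report() {
    bad=0
    for f in $POLICY_FILES; do
        s=$(policy_state "$f")
        echo "$f $s"
        [ "$s" = in-sync ] || bad=$((bad + 1))
    done
    return "$bad"
}

# Run the report only when asked, so the file can also be sourced.
if [ "${1:-}" = report ]; then
    policy_report
fi
```

A file reported as `differs` immediately after a cfagent run is the case worth investigating, since cfagent should have just replaced the local copy with the master version.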

2.2 cfengine Master Server Deployment Models

The cfengine master server can be a standalone HP-UX system servicing groups of distributed clients. The clients can themselves be standalone systems or members of a Serviceguard cluster. If you are already using a Systems Insight Manager central management server, this can be an ideal system to use as a cfengine master server. Master servers can also act as clients and the configuration synchronization tasks can be performed on these systems as well as the remote clients.

If you are managing Serviceguard clusters, cfengine can be deployed strictly for intra-cluster use to synchronize the members of a single cluster. In this configuration, cfservd is configured as a package for high availability but the only cfengine clients are the cluster members themselves. The package’s DNS name/IP address is the name for the cfengine master server.

In addition to providing configuration synchronization as an intra-cluster service, another Serviceguard configuration has the cluster providing the highly available configuration
