Server-less Configuration Management
Introduction
Configuration Management Systems (CMS) are most often setup using a central server to distribution the management policies. Installing a central server is a non-trival task and adds to the server management load of the technical staff.
This document describes an alternate configuration without a central CMS server. Policies are distributed to the hosts by some method other method than the services provided by a central server. The policies are applied using the locally installed CMS software. The method described here assumes that the policies are publically accessible which means they cannot contain any secrets, e.g. passwords, secure tokens, or keytabs.
The example here is Linux based and uses the Puppet CMS. The general method should work for Chef Solo as well. In theory, Windows and Macintosh systems can be supported using this method, but that is completely untested.
The basic requirement for a serverless CMS deployment is that the CMS policies be available locally on every host under management. The delivery method is not critical to the operation of the CMS. The policies can be copied to the managed hosts or accessed using a networked file system. The method described here uses AFS to publish CMS policies.
Puppet Policy Structure
There are many ways to structure policies in Puppet. A simple structure is:
BASE_DIR
bin
puppet-apply
puppet-setbasepath
code
modules
<module 1>
<module 2>
...
<manifest id 1>
<manifest id 2>
...
BASE_DIR is the base for Puppet policies and supporting scripts. An example BASE_DIR is:
/afs/mycell.org/public/software/puppet-apply
bin is a directory that holds the shell scripts to setup the Puppet and to execute
puppet apply
.manifest id is used to form the file path to the manifest which is passed to
puppet apply
. While Manifest IDs can take any form, the examples here use the format:${BASE_DIR}/${MANIFEST_ID}.pp
code is the directory that holds the Pupppet manifests.
CMS Policy Access Methods
The access methods described here rely on using either kafs or an Auristor client.
Simple Authenticated Access
Simple authenticated access can use either kafs or an Auristor client. The basic requirements are:
- Create a Kerberos keytab to be used on the managed system that will be used to obtain AFS credentials.
- Create an AFS ID for the Kerberos principal.
- Grant the AFS ID access to the CMS policies.
It makes sense to create a PTS group, add the managed hosts to the group, and use the group to grant access to the CMS policies. Once the PTS group and ACLs are set then adding a host is a matter of creating a user for the new host and adding the host ID to the pts group.
The simplest way to apply the Puppet policy is to create a shell
script that obtains AFS credentials and executes puppet apply
.
Auristor Combined Authenticated Access
On managed systems where the Auristor client is installed then combined authentication ACLs and cache manger maintained AFS credentials can be used to simplify access to the CMS policies. The requirements are:
- Create a Kerberos keytab and make it available to the cache manager.
- Create an AFS ID for the Kerberos principal.
- Configure the cache manager to maintain the AFS credentials.
- Set a combined identity access control entry on the directories in the CMS policy directory tree.
Then to apply the Puppet policy someservice
the command is simply:
puppet apply /afs/@cell/service/puppet/someservice.pp
Anonymous Access
For closed environments where who has access to the CMS policies is not a concern then anonymous to the policies simplifies the application of the policies. For these environments only the AFS ACL be set to allow anonymous access. For example:
fs sa /afs/mycell.org/service/puppet anonymous read
Then applying the CMS policy is simply:
puppet apply /afs/@cell/service/puppet/someservice.pp
Examples
Setup Common to kafs and Auristor
Install puppet on the managed host and configure the base module path.
Install puppet.
Set the Puppet base path. Using bash directly the base path can be set with the following commands:
BASE_DIR='/afs/mycell.org/public/software/puppet-apply' ppath="${BASE_DIR}/code/modules" ppath+=':/etc/puppet/code/modules' ppath+=':/usr/share/puppet/modules' echo "basemodulepath = $ppath" > /etc/puppet/puppet.conf
On a host with pts installed, create the PTS group whose members will have access to the CMS policies.
pts creategroup -name puppet-hosts
Create a puppet manifest. For example:
# file: /afs/mycell.org/service/puppet/someservice.pp include util_base, sys_someservice
kafs Setup and Execution
All steps that use pts and fs commands need to be performed on a host that has Auristor or AFS installed. The fs command that set ACLs will likely need to be perform recursively. Recursive fs is available as the fsr script found in the afs-admin-tools package.
On a host with pts installed, create the PTS user for the host somehost and add the user to the PTS Group.
pts createuser -name rcmd.somehost -type machine pts adduser -group puppet-hosts -user rcmd.somehost
On a host with fs installed, set the ACL on the Puppet base directory. (Note: this ACL needs to be set on all directories in the base directory tree.)
fs sa /afs/mycell.org/service/puppet puppet-hosts read
Execute
puppet-apply
. The following script is sufficient:#!/bin/bash export AKLOG=/usr/bin/aklog-kafs /usr/bin/k5start -k /tmp/puppet.tgt -f /etc/krb5.keytab -U -t puppet apply /afs/mycell.org/service/puppet/host_service.pp
Auristor Setup and Execution
This example uses the cache manager maintained AFS credentials to access the Puppet policies. The fs command that set ACLs will likely need to be perform recursively. Recursive fs is available as the fsr script found in the afs-admin-tools package.
Configure the cache manager to maintain AFS credentials. Assuming the use of the host keytab, then in the
[afsd]
block of the /etc/yfs/yfs-client.conf file include the following line.keytab = /etc/krb5.keytab
Restart the cache manager.
Create the PTS user for the host somehost and add the user to the PTS Group.
pts createuser -name host.somehost.mycell.org -type machine pts adduser -group puppet-hosts -user host.somehost.mycell.org
Set a combined identity ACL on the Puppet policies directories. (Note: this ACL needs to be set on all directories in the base directory tree.)
fs sa /afs/mycell.org/service/puppet anonymous,puppet-hosts read
Execute
puppet-apply
. The following script is sufficient:puppet apply /afs/mycell.org/service/puppet/host_service.pp