NAME
dphys-config - daily auto-install/update and/or remove config files
SYNOPSIS
dphys-config [-f filter] [-cqvD]
dphys-config -h
DESCRIPTION
dphys-config installs/updates and/or removes config files. It also
triggers commands after an new/updated config file is available or
before an existing config file will disappear. It can be run by hand,
from cron and/or from init.d.
Get an list of config files from an configuration server. For each file
in the list retrieve that file from the same server, and only install
it if it is new or changed relative to what is already here. If a file
is newly installed (or changed) then run an postinstall script, which
may trigger actions which are wanted to process the new config (such as
inserting data from an config file into an database). Also remove
unwanted files. If doing so first run an preremove script to tidy up
stuff.
This is part of the D-PHYS (ETH Zuerich, Departement of Physics)
automatic system operation and maintenance setup.
OPTIONS
-c configname: Use this set of config files instead of hostname
set. Useful for chroot or vhost installs, or for tests.
-f filter
filter: Only process lines which match the filter spec.
-q quiet: Don’t produce an running report of activities.
-v verbose: Give large volume output, where sensible.
-D Debug: Activate an debug option. See source for how to use this.
-h help: Output help text, and then abort operation.
CONFIG
The config files /etc/dphys-config (sitewide) and ~/.dphys-config
(personal) allow the admin and users to set up the working environment
for dphys-config.
These config files are sh script fragments full of assignments, which
are sourced, in above row, later config files assignments overriding
earlier ones. Standard sh syntax rules apply. Assignments are:
CONF_TMP_DIR
Sets the base directory in which all temporary files are stored.
It defaults to /var/tmp (for enough size and safe operation).
Some users may like to use /tmp for higher speed (tmpfs) or
automatic deletion at boot time. Standard sh syntax rules
apply. Assignments are:
CONF_BASEURL
Sets the base URL to which all */<hostname>/<filename>
combinations are added when wget-ing config files. This can be
an http: or ftp: or whatever other type of URL which wget
understands and can fetch an file from. Additionally it can be
an file: (this may be from an NFS server) URL, in which case
wget is bypassed and the files fetched directly using cp. It
defaults to the error message generating and aborting invalid
setting of
http://not-configured-server.example.net/not/configured/directory,
as there is no sensible default possible. You must set this to
where ever your config files should be taken from.
CONF_CONFNAME
Selects the name for which set of configuration files shall be
used for this host. Defaults to hostname.
CONF_LINEFILTER
Sets an regexp which selects which lines from the config file
list are processed. Defaults to .* (all).
CONF_LOG_DONE
Log to syslog that dphys-config has run. Good to see if cron
and/or init.d have done their job. Defaults to yes.
The config file list dphys-config.list, which is found via above
settings, and is downloaded to /etc/dphys-config.list or
~/.dphys-config.list, then allows the admin to list what config files
are to be fetched and installed/updated or removed, and what scripts to
run for them. These can be each given for the entire site (= all hosts)
and/or group and/or each host, or even merged from site+group+host
subsections.
FILES
/etc/dphys-config
site admin config
~/.dphys-config
users personal config
/etc/dphys-config.list
roots config file list gets stored here
~/.dphys-config.list
users config file list gets stored here
$CONF_BASEURL/‘hostname‘/dphys-config.list
site-global (all hosts) common (usually, or group-global or host
specific) config file list
$CONF_BASEURL/‘hostname‘/dphys-config.list.*
facultative host-specific (usually) or group-specific
include-able subsection(s) to be added to above config file list
dphys-config.list. We often use *.group (one per group of users)
and *.host (per host), sometimes also *.base (all host types)
and *.workstation (only workstation hosts) subsections
$CONF_BASEURL/‘hostname‘/<file-name> actual config files
referred to in config file list, common section (usually the
only section) $CONF_BASEURL/‘hostname‘/<file-name>.*
facultative host-specific (usually) or group-specific
include-able subsection(s) to be added to above config file
<file-name>
CONFIG FILE LIST
The config file list to be used for checking what files need to be
installed/updated or removed and its subsections included by #@include
lines are merged to one list file, analog to cpp #include.
These are all fetched via wget (or cp for file:), adding their names to
the user-defined base URL in CONF_BASEURL, and then merged. So
CONF_BASEURL can be any URL that wget understands http: or ftp: or
whatever else, or file:.
The format of the resulting concatenated file must consist of lines,
one per config file, of following format:
file-name:place-on-target:command-to-trigger
Where the 3 fields have following meanings:
file-name
Name of the config file to be installed/updated. Must be
only the base part of the filename on the server, without
URL and hostname before it, and without any .* subsection
endings after it, as these are all auto-added whenever
they are needed. If this is set to - the line specifies
an config file to be removed
place-on-target
Full directory or full filename (directory+filename) of
where the file is to be placed on the target system. If
only an directory is given (any name that ends in /),
then the above file-name (inclusive any directories in
it) will be automatically added to it. For removing this
must be the full filename (or an directory name (without
an /) if an entire directory and its contents shall
disapper). An directory name ending with / is not
processed, to prevent incomplete edits (filename replaced
by -, but not added to directory) from killing entire
directories (such as say all of /etc/ :-))
command-to-trigger
Full command (directory+filename, with parameters) of an
command to be run, after this config file has been newly
installed or changed/updated, or before this config file
is removed. This can also be multiple commands separated
by ; separators. Useful for doing chown/chmod to files
that need it. If the marker {} appears in the command,
this will be substituted by the filename the config file
is going to be installed as. This is analog to find -exec
filename substitution
Lines which begin with an # are regarded as comments, and don’t have
any effect anything (Lines extended with one are chopped off at that
point). The same applies for empty lines.
PREPROCESSOR
If the first line of the config file list, or any config file fetched
on its behalf, has the special format #@dphys-config-preprocess
[action...] then this line will be stripped, and the rest of the file
will be preprocessed. Depending on the list of actions present and
their order (repeats are allowed) the file will be procesed. Valid
actions are:
backtick
Anything inside backticks (‘‘) will be executed as a
command, and its stdout will then be substituted for the
‘‘ expression. This is analog to sh backtick substitution
if For any line beginning with #@if the stuff between the
#@if and the first ; character will be executed as
command, and if it returns true, everything after the ;
will be left, else the entire line will be removed. This
is analog to shell if ... ; conditional execution
include
For any line beginning with #@include the rest of the
line is regarded as an subsection name, which will be
added to the base filename, and then the resulting
subsection file fetched (also by wget or cp) and
substituted for the line. This is analog to an C
preprocessor #include oder an shell . include
EXAMPLES
The following allows you to fetch all your config file lists from an
HTTP VirtualHost called www.admin.example.net under its subdirectory
dphys-config.
In file /etc/dphys-config, on every host, so it can find the config
file server:
# system will use ${CONF_BASEURL}/‘hostname‘/<file-name>*
CONF_BASEURL=http://www.admin.example.net/dphys-config
We advise using an subdirectory here, because other
/http://www.admin.example.net/* directories may already contain other
admin stuff you put on the same VirtualHost. Such as software packages,
site news, etc.
For dphys-config to be useful you then need to make config file lists
for it. And provide the actual config files that can be installed,
driven by the lists. This is the largest job, as it basically amounts
to extracting all your relevant config work from your site. Also known
as reengineering your site.
Assuming your VirtualHost on www.admin.example.net has as its
DocumentRoot /vhost/www.admin, you would then begin with an pseudo-host
Directory for site-global common stuff:
/vhost/www.admin/dphys-config/SITE/.
If your hosts are organised in groups with group-global common configs
(such as professors, students, staff), make an pseudo-host for each
group, such as: /vhost/www.admin/dphys-config/PROFS/ and */STUDENTS/
and */STAFF/.
Then for host specific stuff, assuming systems called prof1.example.com
to prof3.example.com, stud1 to stud20, staff1 to staff5, server1 and
server2, make for each its own directory:
/vhost/www.admin/dphys-config/prof1/ (and so on).
Note that we suggest using CAPITALS for pseudo-hosts and lowercase for
actual hosts. This avoids name space collisions. You can also use loops
like for host in [a-z]* ; do ... ; done to work (say generating
symlinks to an new config file in all hosts). Well at least you can do
this so long no one goes and sets LANGUAGE= or similar junk, then bash
(or libc?) will hapily screw up case sensitivity and produce random
lossage (yes, it was painfull).
After this add to /vhost/www.admin/dphys-config/SITE/, the actual
config files as far as they are not host specific, or at least have an
common section to all hosts. Example this would be /etc/hosts for all,
an common section for /etc/motd, common or all for sendmail.cf, common
for inetd.conf, nothing for the ssh hostkeys.
Then add, to an group, say /vhost/www.admin/dphys-config/STUDENTS/,
whatever is specific to that group. Example this may be an entire
special motd for the many changing users, or just an motd.group to
#@include into the common one.
Then for each host in its /vhost/www.admin/dphys-config/prof1/ (or so)
add all that is specific to it. Such as its ssh key files. And its own
motd.host, it it needs one. Same its inetd.conf.host if it is going to
offer special stuff. An configs for services only this host has such as
httpd.conf.
Then for each host add symlinks to the SITE or group versions that it
is to use for common stuff, like on
/vhost/www.admin/dphys-config/stud1/:
.../dphys-config/stud1/dphys-config.list -> ../SITE/dphys-config.list
.../dphys-config/stud1/hosts -> ../SITE/hosts
.../dphys-config/stud1/inetd.conf -> ../SITE/inetd.conf
.../dphys-config/stud1/motd -> ../SITE/motd
.../dphys-config/stud1/motd.group -> GROUP/motd
.../dphys-config/stud1/GROUP -> ../STUDENTS
.../dphys-config/stud1/sendmail.cf -> ../SITE/sendmail.cf
In the /vhost/www.admin/dphys-config/SITE/ directory place the
site-global common dphys-config.list for all your hosts, containing
stuff like this:
# SITE dphys-config.list - just example stuff, for our exemplaric site
# basics
hosts:/etc/ # simply works, no command
motd:/etc/ # this will be assembled group specific
inetd.conf:/etc/:/etc/init.d/inetd restart # needs an command to reload
sendmail.cf:/etc/mail/:/etc/init.d/sendmail restart # not in /etc
# ssh restart only after last file, and ensure file modes for each file
ssh_host_key:/etc/ssh/:chown root:root {}; chmod 600 {}
ssh_host_rsa_key:/etc/ssh/:chown root:root {}; chmod 600 {}
ssh_host_dsa_key:/etc/ssh/:chown root:root {}; chmod 600 {}; /etc/init.d/sshd restart
# load stuff into an existing database file
seed.debconf:/etc/:debconf-set-selections {}
# other stuff
daemon1-conf:/etc/daemon1/conf # rename so names can differ on server
daemon2-conf:/etc/daemon2/conf
daemon1/conf:/etc/ # same as above, but with directories on server
daemon2/conf:/etc/
testing:/etc/ # put something in there for an test
# delete some stuff
-:/etc/testing # change to above test to get rid of it again
-:/etc/ # you will get a warning if you leave this
#-:/etc # you would reinstall your system after the resulting rm -rf /etc :-)
# and some errors
#only-an-name # you would get an error: no place on target
#only-an-name: # you would get an error: no place on target
#:only-an-place # you would get an error: no file to install
For special services add an dphys-config.list.host on each host that
has special config files not present on others, such as on
/vhost/www.admin/dphys-config/server2/:
# server2 dphys-config.list.host - only used on our web server
httpd.conf:/etc/apache/httpd.conf:/etc/init.d/apache restart
You can also use dphys-config to run arbitrary commands, whenever
config files are installed/updated or removed, to modify existing
config files, or more likely modify complex config databases which can
not be provided as files, but where one can provide edit info as files.
dphys-config can even install scripts to use as above commands (or even
just to run scripts while installing), such as into /usr/local/sbin/.
For this make an ../SITE/local/sbin/ directory, place the scripts in
there (such as ../SITE/local/sbin/dphys-config-<whatever>), and symlink
local to ../SITE/local on each host, and then add config lines for the
scripts, with the command to trigger them, giving something like this:
local/sbin/dphys-config-<whatever>:/usr/:chmod 755 {}; {} # chmod and run
It this script processes an config file your will want it to be run if
either the script or the config file is updated, so add the script to
the laters line as well:
dphys-config-<whatever>:/etc/:if [ -x /usr/local/sbin/dphys-config-<whatever> ] ; then /usr/local/sbin/dphys-config-<whatever> ; fi # run also here
Finally, new hosts can then later simply be added, by making the new
hosts directory and copying all files and symlinks from an existing
host of the same group. Such as by doing:
mkdir student21
tar -cf - -C student1 . | tar xpf - -C student21
To then run dphys-config by hand (say for tests), type on the host:
dphys-config
But usually you will want to run dphys-config automatically, every
night (or if a machine was/is switched off, at every boot), to keep
your configs up to date.
For nightly updates the best thing is to use an cron job on every host.
03:00 to 03:59 is most likely idle time. Use an line like this one,
with the cron option to avoid an load peak on the config file server,
by random delaying the run by 0..3599 seconds, and with stdout and
strerr thrown away to avoid getting an mail from every host, as error
messages are also allways sent to syslog:
0 3 * * * root dphys-config cron > /dev/null 2>&1
To catch machines switched off over night, with no cron run on them,
also run an init.d script. Use an script like this one, also with
stdout and stderr thrown away to avoid cluttering your boot console
output:
#!/bin/sh
# /etc/init.d/dphys-config - boot time automatic config updates, if no cron
case "$1" in
start)
dphys-config init > /dev/null 2>&1
;;
esac
exit 0
SECURITY
If dphys-config is to be used to distribute all config files, this will
also include files which are security relevant, such as ssh private
keys (host key or (root) user authentification), SSL certificates,
passwd and shadow, lilo.conf, software license keys, etc.
As all files are most likely fetched from an http: URL, measures must
be taken to secure the config website from other people downloading
them. We here use an restriction to only IP addresses registered as
hosts in our NIS server, and additionally run identd on all allowed
hosts, and require the wget process opening the HTTP connection to be
running by user root, and so also require dphys-config to run as root.
To avoid sniffing it is recommended to give wget an https: URL.
GOTCHAS
Config files are read by wget from an webserver, so they lose their
owners and modes. So the commands triggered on their lines must be used
to chown/chmod them to proper values.
When used together with dphys-admin, dphys-config should run as first
(earlier cron and init.d entries). This is needed to provide configs
before new packages are installed, so dphys-admin can pretend that the
packages were already once installed (and then non-purge removed), and
so prevent questions on install, which is required for unattended
installs. [Note that this pretending does not go as far as setting
debconf up. Broken packages that ignore config files and only look at
debconf will still ask questions.]
As result of this, when installing for the first time on an new system
(such as installing Debian by the dphys3 end2stage feature, which
installs first dphys-config and then dphys-admin), any scripts
installed by packages by dphys-admin, to be called on config file
install/update will still be missing, and so not runnable. Either
ignore the warnings, or better call the scripts by something like this:
file:place:if [ -x script ]; then script; fi
Note that in this case, trying to run dphys-config for a second time
after dphys-admin has installed packages and scripts, will not
automatically mend this, as the config files have not changed, and so
dphys-config will not (re-)run their scripts. Therefore packages
containing such scripts must also, as part of their postinst (or init.d
which is called by postinst), check for existing config files and then
run their scripts. This is the normal behaviour of quite a few packages
anyway. Of course this requires the scripts to be idempotent, which is
official Debian policy anyway.
AUTHOR
neil@franklin.ch, http://neil.franklin.ch/