Rollout Manual

26th Jun

I can’t stand it when people release open source software, expect people to use it, and don’t provide any sort of documentation. I’m not the sort of person who enjoys writing doco, but I do think it’s required.

So here, in it’s entirety: the Rollout Manual

Rollout

Introduction

Rollout is a system developed to manage UNIX servers. It is primarily
focused towards Linux, but could be adapted to Solaris, HP-UX, AIX, etc.

It is written purely in Perl, and the configuration is also a Perl source
file. Some Perl knowledge is required to edit the configuration, but
copy-and-paste will probably suffice.

Overview

System Administration can generally be reduced to a set of steps, which must
be completed in order. Some example steps include:

Copy files, create symlinks
Edit configuration files
Start / stop services
Add / modify users & groups
Install applications

The idea behind Rollout is to automate all these steps in a configurable
way. Rollout is by design indempotent - it can be run many times on a single
server and produce the same results.

Running Rollout

Rollout is self-installing on servers. The following command line will
install rollout for the first time:

URL=http://rollout.localdomain; wget -O- $URL/rollout | perl - -s -u $URL

After it’s installed, it can be run just by calling rollout.
You must however give a comment on the rollout command line. This should be a
short reason for running Rollout.

The first run uses the -s flag, which runs rollout in safe
mode. In this mode, all the steps are run but no changes are
actually made. This is used to check that nothing bad will happen when it’s run
for real.

After the safe mode run has been checked, it can be run again without the
-s flag, and all steps will be applied.

NOTE: The first run requires the Net::HTTP perl module
to already be installed. This is part of the libwww-perl package
in Debian based distributions.

Command-line Arguments

The following command line arguments are available:

Full	Short	Description
verbose	v	Increase verbosity
quiet	q	Don’t print anything except fatal errors
safe_mode	s	Show what will be changed, but don’t actually do anything
url	u	Set the base Rollout HTTP url. This defaults to `http://rollout.domain`. This option is saved in the rollout script, so only needs to be specified once.
skip_step	k	Specify a step to be skipped, may be specified multiple times. e.g. `-k network -k sysctl`
hostname	h	Rollout configuration for a different host. If `-f network` is provided, the hostname will be changed to match the host supplied
force	f	Force a dangerous step to be run. e.g. `-f network`

Logging

Every Rollout run that is run without the -s flag will be
logged by the 99-complete step. The default is to make a HTTP request to the
rollout server and pass it the log. The sample complete.php script
will receive the log and do nothing with it.

Configuration

The entire configuration for Rollout is stored in rollout.cfg.
This file is a Perl source file, so it can be checked for correctness by
running perl -c rollout.cfg.

A major design concept in the rollout configuration is inheritance.
Since many devices will have similar configurations, they should inherit as
much as possible using the ISA configuration item. Each class in
the ISA section is also specified in the same config, and they can
inherit from other classes. It’s even possible to have a device directly
inherit another device’s configuration, but this would include everything, even
network interfaces.

The only thing that needs to be changed in the file is the %m
hash, which contains configuration for everything. A sample device
configuration looks like this:

kickstart => {
  ISA => { RHEL4_i386 => 1, Web_Server => 1 }, # Inherit the RHEL4_i386 and Web_Server classes
  interfaces => {
    eth0 => {
      dhcp => 'kickstart',                     # eth0 gets its IP by DHCP
      mac => '00:50:8B:E8:A0:6D',
      primary => 1,
    },
    eth1 => {
      ip => '10.0.0.1',                        # eth1 is statically defined on its own network
      netmask => '255.255.255.0',
      mac => '00:D0:B7:E3:5A:F4',
    },
  },
  nfs_share => {
    "/kickstart" => {                          # Share the /kickstart directory by NFS
      "10.0.0.0/24" => "ro,no_root_squash",    # Allow the private LAN to access the nfs share
    },
  },
  firewall_allow => [;
    '# Rollout HTTP', # This comment is inserted directly into the rules list
    any => '8140',    # Allow any host to connect to tcp port 8140
    admin => '80',    # Allow the admin network to connect to tcp port 80
  ],
  packages => [;
    'dhcp',           # Make sure the dhcp and rpm-devel packages are installed
    'rpm-devel',
  ],
},

Configuration Items

The following items are available for use in rollout.cfg:

Item	Type	Description
apt_base	string	Specifies a URL that will be added to the APT sources.list for local packages
crontab	hash	A hash of cron.d files that will be created, with the entries for each file
cvs	cvs	Specifies which modules will be checked out of CVS, and where
deb_options	list	Allows preconfiguring deb packages before they are installed. Expert Option
dir_check	list	Creates directories and forces ownership & permissions
file_append	list	Appends lines to text files, replacing any lines that match. Can also run a command if the file is changed
file_attr	hash	Modifies owner, group and permissions on files
file_extract	hash	Downloads a tarball and extracts it to a directory
file_install	hash	Downloads a file and places it somewhere. Can also run a command if the file is changed
file_modify	list	Modifies existing files by applying regular expressions. Can also run a command if the file is changed
firewall_allow	list	Allows incoming ports in the firewall
firewall_append	list	Appends verbatim lines to the iptables configuration file
firewall_deny	list	Denies incoming ports in the firewall
group	hash	Ensures a system group exists
hosts_append	list	Appends a given line to the `/etc/hosts` file
immutable_file	list	Marks a certain file as immutable. This file will never be touched by any other steps
interfaces	hash	Defines configuration for the network interfaces
ISA	hash	Specifies a list of classes that this device or class inherits configuration from
nameservers	list	Specifies the default nameservers in `/etc/resolv.conf`
network	string	Marks the device or class as part of a network, for the purposes of firewalls and host files
nfs_mount	hash	Mounts a NFS share locally
nfs_share	hash	Shares a local directory by NFS
packages	list	Provides a list of packages to be installed. These can be debs or rpms
port_check	list	Adds elements to `/etc/services`
service	hash	Ensures that system services are running/stopped and should be started/stopped on boot
skip_steps	list	Mark a list of steps that will never be executed for this device
sudo	hash	Allow users to run commands with sudo
ssh_keys_add	list	Adds the list of keys to root’s `authorized_keys` file
symlink_check	hash	Ensures a symlink exists and its destination is correct
sysctl	hash	Adds the items to `/etc/sysctl.conf` and applies them. These are for kernel configuration
user	string	Ensures each user exists, has the correct password and is in the correct groups

Sample Run

The following is pasted directly from the terminal after running Rollout on freemantle:

01-setup
02-network
  Installing /etc/network/interfaces from text
  Modified /etc/resolv.conf by appending options timeout:5 attempts:2
  Network config is considered dangerous, changes won't be applied unless you specify the "-f network" argument.
03-hosts
  Modified /etc/hosts by appending 172.16.40.54 mulberry
  Modified /etc/hosts by appending 172.16.40.184 kickstart
05-users
06-ssh_keys
  Installing /root/.ssh/authorized_keys from text
  Changing mode of /root/.ssh/authorized_keys to 644
15-packages
  Installing packages lshw
16-gpg
20-sysctl
  Modified /etc/sysctl.conf by appending net.ipv4.conf.all.log_martians = 1
  Modified /etc/sysctl.conf by appending net.ipv4.conf.all.accept_redirects = 0
  Modified /etc/sysctl.conf by appending net.ipv4.conf.all.send_redirects = 0
  Modified /etc/sysctl.conf by appending net.ipv4.conf.all.rp_filter = 1
  Modified /etc/sysctl.conf by appending net.ipv4.icmp_echo_ignore_broadcasts = 0
  Modified /etc/sysctl.conf by appending net.ipv4.tcp_syncookies = 1
  Modified /etc/sysctl.conf by appending net.ipv4.conf.all.accept_source_route = 0
21-cvs
24-dir_check
24-file_extract
25-file_install
  Installing /etc/pam_ldap.conf from http://rollout.domain/conf/pam_ldap.conf
  Installing /etc/libnss-ldap.conf from http://rollout.domain/conf/libnss-ldap.conf
  Changing mode of /etc/libnss-ldap.conf to 600
  Installing /etc/ntp.conf from http://rollout.domain/conf/ntp.conf
  Installing /etc/resolv.conf from http://rollout.domain/conf/resolv.conf
  Changing target of symlink /usr/local/bin/vis to /usr/local/bin/viw
27-port_check
70-nfs
80-file_append
80-file_modify
  Modified /etc/nsswitch.conf with s/^passwd:.*/passwd:  compat ldap/, s/^group:.*/group:  compat ldap/
80-file_uncomment
85-cron
90-services
99-complete

Steps

Step	Description
01-setup	Installs rollout locally Downloads and parses the `rollout.cfg` configuration file
02-network	Checks the `interfaces` configuration item This is a dangerous step and will always be run in safe mode unless `-f network` is specified On RedHat: Creates a file called /etc/sysconfig/network-interfaces/ifcfg-* for each interface. On Debian / Ubuntu: Creates the single file /etc/network/interfaces containing configuration for every interface. Sets the device’s hostname if `-h _hostname_` is specified Applies the `skip_steps` configuration item
03-hosts	Adds addresses to `/etc/hosts` for every device in this device’s network. Uses the `hosts_append` and `network` configuration items.
05-users	Creates and modifies users and groups. Uses the `user` and `group` configuration items. This will set a user’s password on creation, but will not reset it if changed locally.
06-ssh_keys	Creates and updates `~/.ssh/authorized_keys` for every user, including root. Adds ssh keys for each user based on the `user => { ssh_keys => [] }` configuration item. Adds ssh keys for root based on the `ssh_keys_add` configuration item. The ssh keys are taken from the `rollout:conf/authorized_keys` file based on comment.
15-packages	Installs and removes packages as specified in the `packages` config item. Applies deb configuration items as specified in the `deb_options` config item. Adds `apt_base` items to the apt sources.list
16-gpg	Adds required ssh public keys to root’s public keyring
20-sysctl	Adds all items in `sysctl` the config item to `/etc/sysctl.conf` and applies them.
21-cvs	Checks out any cvs modules as specified in the `cvs` config item. If the directory already exists, it is checked for CVS files. If they don’t exist already, it is a fatal error. If the directory is an existing checkout, the directory will be updated by cvs.
24-dir_check	Creates any directories as specified in the `dir_check` config item. Each directory is checked for owner and permissions.
24-file_extract	Extracts any tarballs given in the `file_extract` config item.
25-file_install	Installs individual files specified in the `file_install` config item. Optionally runs a command if the file has changed. Creates symlinks specified in the `symlink_check` config item and ensures the destination is correct.
27-port_check	Adds items in the `port_check` configuration item to `/etc/services`
60-sudo	Creates /etc/sudoers allowing users to run commands as root, with the configuration in the `sudo` item.
70-nfs	Configures both nfs client and server, as specified in the `nfs_mount` and `nfs_share` config items. Forces the required packages to be installed to support a nfs client and/or server. Creates directories for any nfs client mountpoints. Configures nfs, portmap, sunrpc, etc to run on predefined ports.
80-file_append	Appends lines to existing configuration files as specified in the `file_append` config item. Optionally runs a command if the file has been changed.
80-file_modify	Applies regular expression changes to files given in the `file_modify` config item. Optionally runs a command if the file has been changed.
80-file_uncomment	Uncomments out lines in a configuration files matching regular expressions in the `file_uncomment` config item. Lines are uncommented by removing a leading “#”
81-file_attr	Change the owner, group and permissions of files as controlled by the `file_attr` config item.
85-cron	Creates a cron.d file for each item specified in the `crontab` config item. The created file will contain only the items specified in the config.
90-services	Starts and stops services specified in the `services` config item.
95-iptables	Creates the iptables configuration file. The location of this file varies from system to system. The format of the file is what is required by `iptables-restore`. The file is made up of default rules, `firewall_deny` rules, `firewall_append` lines and `firewall_allow` rules, in that order. If the config file has changed, runs `iptables-restore` on it to load the new rules.
99-complete	Log the run in `/var/log/rollout.log` Send a copy of the log to the rollout web server.

This entry was posted on Tuesday, June 26th, 2007 at 5:06 pm and is filed under projects, rollout. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.

Comments are closed.

Social Web
E-mail

-->

dparrish.com