Rollout is a system developed to manage UNIX servers. It is primarily focused towards Linux, but could be adapted to Solaris, HP-UX, AIX, etc.
It is written purely in Perl, and the configuration is also a Perl source file. Some Perl knowledge is required to edit the configuration, but copy-and-paste will probably suffice.
System Administration can generally be reduced to a set of steps, which must be completed in order. Some example steps include:
The idea behind Rollout is to automate all these steps in a configurable way. Rollout is idempotent by design: it can be run many times on a single server and will produce the same result each time.
Rollout is self-installing on servers. The following command line will install rollout for the first time. Note that it fetches the rollout script over plain HTTP from the server named in $URL and pipes it straight into perl, normally as root, and the -u argument records that URL in the installed script for every later run, so the rollout server and the network path to it must be trusted:

# URL=http://rollout.domain:port; wget -q -O- $URL/rollout | perl - -u $URL -o setup
After it's installed, it can be run just by calling rollout. You must however give a comment on the rollout command line: a short reason for running Rollout.

The first run uses the -s flag, which runs rollout in safe mode. In this mode, all the steps are run but no changes are actually made. This is used to check that nothing bad will happen when it's run for real.

After the safe mode run has been checked, it can be run again without the -s flag, and all steps will be applied.

NOTE: The first run requires the Error perl module to already be installed.
The following command line arguments are available:

Full | Short | Description |
---|---|---|
verbose | v | Increase verbosity |
quiet | q | Don't print anything except fatal errors |
safe_mode | s | Show what will be changed, but don't actually do anything |
url | u | Set the base Rollout HTTP URL. This defaults to http://rollout.domain:port. This option is saved in the rollout script, so it only needs to be specified once. |
skip_step | k | Specify a step to be skipped; may be specified multiple times, e.g. -k network -k sysctl |
hostname | h | Apply the Rollout configuration for a different host. If -f network is also provided, the hostname will be changed to match the host supplied |
force | f | Force a dangerous step to be run, e.g. -f network |
step_help | H | Get help for a particular step |
Every Rollout run without the -s flag is logged by the 999-complete step. By default it makes an HTTP request to the rollout server and passes it the log. The sample complete.php script receives the log and does nothing with it.
The configuration for Rollout is stored in rollout.cfg as well as other files in the fragments directory. These files are Perl source, so they can be checked for correctness by running perl -c rollout.cfg.
A major design concept in the rollout configuration is inheritance. Since many devices will have similar configurations, they should inherit as much as possible using the inherits() configuration item. Each class in the inherits() section is also specified in the same config, and they can inherit from other classes. It's even possible to have a device directly inherit another device's configuration, but this would include everything, even network interfaces.
Because a single file can be very unwieldy for large configurations, most of the configuration should be done in fragment files. You can put all the configuration in rollout.cfg if you wish, but you'll end up with a very large file that's hard to maintain. Each of the files in the fragments directory is evaluated before Rollout starts making any changes. The source distribution includes a sample fragment file fragments/internal, which you can use as a template.
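As an added example of the inheritance and network mechanisms described above (this is not a fragment shipped with Rollout), the following fragment defines a base class, a Web_Server class that inherits it, an admin host class that is a member of the admin network, and two devices that inherit them. The class keyword, the class and device names, the addresses and the ssh key are assumptions made for this illustration; the item names and types come from the configuration item table below, and the sysctl hash is assumed to map setting name to value.

```perl
# Added example fragment (e.g. fragments/example), not part of the Rollout
# distribution. Assumes classes are declared with `class NAME => { ... };`
# next to `device NAME => { ... };`. All names and addresses are placeholders.

# Settings every managed host should get. Anything listed here reaches every
# class or device that names Base_Linux in inherits().
class Base_Linux => {
  nameservers  => ['10.0.0.53', '10.0.0.54'],
  hosts_append => ['10.0.0.10 rollout.domain'],
  # Only hosts whose class sets network => 'admin' may reach sshd.
  firewall_allow => [
    '# SSH from the admin network only',
    admin => '22',
  ],
  # One break-glass key for root, kept in a single place so that rotating it
  # is a one-line change that every host picks up on its next run.
  ssh_keys_add => [
    'ssh-rsa AAAAB3NzaC1yc2E...placeholder... ops@bastion',
  ],
  # Kernel hardening applied on every run (assumed name => value layout).
  sysctl => {
    'net.ipv4.conf.all.rp_filter' => 1,
    'net.ipv4.tcp_syncookies'     => 1,
  },
};

# Web servers inherit the base settings and add their own.
class Web_Server => {
  inherits(Base_Linux),
  packages => ['apache2'],
  firewall_allow => [
    '# Public web',
    any => '80',
    any => '443',
  ],
};

# Hosts in this class are what "admin" refers to in firewall_allow above.
class Admin_Host => {
  inherits(Base_Linux),
  network => 'admin',
};

device bastion => {
  inherits(Admin_Host),
  interfaces => {
    eth0 => { ip => '10.0.0.5', netmask => '255.255.255.0', primary => 1 },
  },
};

device www1 => {
  inherits(Web_Server),
  interfaces => {
    eth0 => { ip => '10.0.0.80', netmask => '255.255.255.0', primary => 1 },
  },
  # This host has no SNMP agent, so never run that step for it.
  skip_steps => ['snmp'],
};
```

Keeping the ssh key, resolver and sysctl hardening in Base_Linux rather than on each device means a safe-mode run of any host shows exactly what a change to the base class will do before it is applied for real; the fragment can be syntax-checked in the same way as rollout.cfg, with perl -c.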
A sample device configuration looks like this:

```perl
device kickstart => {
  inherits(RHEL4_i386, Web_Server),   # Inherit the RHEL4_i386 and Web_Server classes
  interfaces => {
    eth0 => {
      dhcp    => 'kickstart',          # eth0 gets its IP by DHCP
      mac     => '00:50:8B:E8:A0:6D',
      primary => 1,
    },
    eth1 => {
      ip      => '10.0.0.1',           # eth1 is statically defined on its own network
      netmask => '255.255.255.0',
      mac     => '00:D0:B7:E3:5A:F4',
    },
  },
  nfs_share => {
    "/kickstart" => {                  # Share the /kickstart directory by NFS
      "10.0.0.0/24" => "ro,no_root_squash",  # Allow the private LAN to access the nfs share
    },
  },
  firewall_allow => [
    '# Rollout HTTP',                  # This comment is inserted directly into the rules list
    any   => '8140',                   # Allow any host to connect to tcp port 8140
    admin => '80',                     # Allow the admin network to connect to tcp port 80
  ],
  packages => [
    'dhcp',                            # Make sure the dhcp and rpm-devel packages are installed
    'rpm-devel',
  ],
};
```
The following items are available for use in rollout.cfg and other configuration fragments in the fragments directory:

Item | Type | Description |
---|---|---|
apt_base | string | Specifies a URL that will be added to the APT sources.list for local packages |
crontab | hash | A hash of cron.d files that will be created, with the entries for each file |
cvs | cvs | Specifies which modules will be checked out of CVS, and where |
deb_options | list | Allows preconfiguring deb packages before they are installed. Expert option |
dir_check | list | Creates directories and forces ownership and permissions |
file_append | list | Appends lines to text files, replacing any lines that match. Can also run a command if the file is changed |
file_attr | hash | Modifies owner, group and permissions on files |
file_extract | hash | Downloads a tarball and extracts it to a directory |
file_install | hash | Downloads a file and places it somewhere. Can also run a command if the file is changed |
file_modify | list | Modifies existing files by applying regular expressions. Can also run a command if the file is changed |
firewall_allow | list | Allows incoming ports in the firewall |
firewall_append | list | Appends verbatim lines to the iptables configuration file |
firewall_deny | list | Denies incoming ports in the firewall |
group | hash | Ensures a system group exists |
hosts_append | list | Appends a given line to the /etc/hosts file |
immutable_file | list | Marks a file as immutable. It will never be touched by any other step |
interfaces | hash | Defines configuration for the network interfaces |
inherits | list | Specifies a list of classes that this device or class inherits configuration from |
nameservers | list | Specifies the default nameservers in /etc/resolv.conf |
network | string | Marks the device or class as part of a named network, for the purposes of firewall rules and hosts files |
nfs_mount | hash | Mounts an NFS share locally |
nfs_share | hash | Shares a local directory by NFS |
packages | list | Provides a list of packages to be installed. These can be debs or rpms |
port_check | list | Adds entries to /etc/services |
service | hash | Ensures that system services are running/stopped and are started/stopped on boot |
skip_steps | list | Marks a list of steps that will never be executed for this device |
sudo | hash | Allows users to run commands with sudo |
ssh_keys_add | list | Adds the listed keys to root's authorized_keys file |
symlink | hash | Ensures a symlink exists and its destination is correct |
sysctl | hash | Adds the items to /etc/sysctl.conf and applies them. These are kernel settings |
user | string | Ensures each user exists, has the correct password and is in the correct groups |
The following is pasted directly from the terminal after running Rollout:
```
# rollout
001-setup
020-network
Installing /etc/network/interfaces from text
Modified /etc/resolv.conf by appending options timeout:5 attempts:2
Network config is considered dangerous, changes won't be applied unless you specify the "-f network" argument.
030-hosts
Modified /etc/hosts by appending 172.16.40.54 mulberry
Modified /etc/hosts by appending 172.16.40.184 kickstart
050-users
060-ssh_keys
Installing /root/.ssh/authorized_keys from text
Changing mode of /root/.ssh/authorized_keys to 644
150-packages
Installing packages lshw
200-sysctl
Modified /etc/sysctl.conf by appending net.ipv4.conf.all.log_martians = 1
Modified /etc/sysctl.conf by appending net.ipv4.conf.all.accept_redirects = 0
Modified /etc/sysctl.conf by appending net.ipv4.conf.all.send_redirects = 0
Modified /etc/sysctl.conf by appending net.ipv4.conf.all.rp_filter = 1
Modified /etc/sysctl.conf by appending net.ipv4.icmp_echo_ignore_broadcasts = 0
Modified /etc/sysctl.conf by appending net.ipv4.tcp_syncookies = 1
Modified /etc/sysctl.conf by appending net.ipv4.conf.all.accept_source_route = 0
210-cvs
211-svn
240-dir_check
240-file_extract
250-file_install
Installing /etc/pam_ldap.conf from http://rollout.domain/conf/pam_ldap.conf
Installing /etc/libnss-ldap.conf from http://rollout.domain/conf/libnss-ldap.conf
Changing mode of /etc/libnss-ldap.conf to 600
Installing /etc/ntp.conf from http://rollout.domain/conf/ntp.conf
Installing /etc/resolv.conf from http://rollout.domain/conf/resolv.conf
Changing target of symlink /usr/local/bin/vis to /usr/local/bin/viw
270-port_check
300-logrotate
400-ulimit
450-python
600-sudo
700-nfs
800-file_append
801-file_comment
802-file_modify
Modified /etc/nsswitch.conf with s/^passwd:.*/passwd: compat ldap/, s/^group:.*/group: compat ldap/
810-file_attr
820-smart
830-snmp
850-cron
900-services
970-motd
980-queued
999-complete
```
Every step has built-in help, which you can get on a client with:
```
# rollout -H timezone
NAME
    070-timezone

DESCRIPTION
    Set the timezone of the machine.

EXAMPLE
    device sample => {
      timezone => "Australia/Sydney",
    };

OPTIONS
    timezone
        This should be a file or a directory that exists in
        "/usr/share/zoneinfo" or "/usr/share/lib/zoneinfo".

COPYRIGHT
    Copyright 2010 David Parrish
```
On the rollout server, the same help (the step's embedded POD, identical to the output above) can be read with:

# perldoc /usr/local/rollout/steps/070-timezone