Gestione di Configurazioni Centralizzate con cfengine
Configurazione parte Server
Installazione pacchetti
sudo apt-get install cfengine2   # cfengine 2.x package from the Debian/Ubuntu repositories (provides cfagent, cfservd, cfrun)
Verifica della configurazione DNS
Cfengine presuppone una configurazione della risoluzione DNS perfettamente funzionante.
Occorre quindi verificare la corretta risoluzione dei nomi dei client da gestire sul server.
Configurazione del Demone Locale
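# Write the server-side cfservd configuration. tee reads the here-document
# directly, so the leading "cat |" was dropped (it only left a cat blocked on
# the terminal); the quoted 'EOFile' keeps the body literal.
sudo tee /etc/cfengine/cfservd.conf > /dev/null <<'EOFile'
#
# /etc/cfengine/cfservd.conf - for the server
#
control:
   domain = ( galimberti.priv )              # base DNS domain
   # To keep key handling simple, any key first seen from this network is
   # accepted as-is (trust on first use). Keep the range as narrow as the
   # VPN LANs allow. Presumably only previously unknown hosts are affected
   # and already-learned keys keep being verified -- confirm in the cfservd docs.
   TrustKeysFrom = ( 192.168.0.0/16 )
   AllowConnectionsFrom = ( 192.168.0.0/16 ) # connections only from the VPN LANs
   AllowUsers = ( root )                     # only root on a client may request files
   any::
      IfElapsed = ( 0 )                      # allow immediate reconnects
      ExpireAfter = ( 15 )
      MaxConnections = ( 50 )
      MultipleConnections = ( true )
grant:
   # Grant access to all hosts in galimberti.priv. The match is on the
   # connecting host's name, which is why forward and reverse DNS must be
   # correct before any client can fetch the masterfiles.
   /var/lib/cfengine2/masterfiles/inputs *.galimberti.priv
EOFile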
Configurazione degli hosts
Ora definiamo gli host client che intendiamo gestire:
sudoedit /etc/cfengine/cfrun.hosts
# contents of /etc/cfengine/cfrun.hosts -- the clients that cfrun may push to:
domain = galimberti.priv
#
# Clients
#
cnserver.galimberti.priv
Preparazione file di configurazione base
La configurazione da distribuire sui client è contenuta nel file
/var/lib/cfengine2/masterfiles/inputs/cfagent.conf
Questo file contiene:
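#
# /var/lib/cfengine2/masterfiles/inputs/cfagent.conf
#
# This is the master file of rules, and will be applied to all
# hosts we manage.
#
# Structure: "classes:" names the host groups, "control:" holds the
# per-class variables and action sequences, and every action section
# below (copy, disable, links, editfiles, files, tidy, directories,
# processes) is guarded by a class label (any::, proxies::, <host>::).
# $(var) references are expanded per host from the control section.
#
classes:
   # point-of-sale machines running a standard squid proxy
   proxies = (
      cnserver
      coserver
      cpserver
      lmserver
      mbserver
      mpserver
      msserver
      saserver
      srserver
      ssserver
      stserver
      pvserver
      vaserver
   )

control:
   IfElapsed = ( 0 )
   # Should go in cfservd.conf.
   # This will override the once-per-minute default time between repeating
   # an action, which you don't need while testing.

   any::
      access = ( root )
      cfrunCommand = ( "/usr/sbin/cfagent" )
      maxage = ( 7 )                                        # days, used by tidy: below
      masterfiles = ( "/var/lib/cfengine2/masterfiles/inputs" )
      actionsequence = (
         # fix permissions on support files
         files
         # delete old files in /tmp
         tidy
      )

   galmail::
      #test
      wan0_if = ( 'eth1' )
      actionsequence = (
         editfiles
      )

   proxies::
      # NOTE(review): this list has no "tidy"; if cfengine keeps the last
      # matching actionsequence, proxy hosts never run the /tmp cleanup
      # below -- confirm which list wins on a proxies host.
      actionsequence = (
         # copy files
         copy
         # rename files
         disable
         # create links
         links
         # build configurations
         editfiles
         # fix permissions
         files
         # restart daemons
         processes
      )

   # Per-host network data: the first three octets of the site /24, the
   # same octets reversed for the in-addr.arpa zone, the DNS subdomain,
   # and the names derived from it. Every site server sits on .254.
   cnserver::
      networkAddress = ( '192.168.16' )
      revnetwAddress = ( '16.168.192' )
      subdomain = ( 'cn' )
      domain = ( $(subdomain).galimberti.priv )
      servername = ( $(subdomain)server )
   coserver::
      networkAddress = ( '192.168.17' )
      revnetwAddress = ( '17.168.192' )
      subdomain = ( 'co' )
      domain = ( $(subdomain).galimberti.priv )
      servername = ( $(subdomain)server )
   cpserver::
      networkAddress = ( '192.168.21' )
      revnetwAddress = ( '21.168.192' )
      subdomain = ( 'cp' )
      domain = ( $(subdomain).galimberti.priv )
      servername = ( $(subdomain)server )
   lmserver::
      networkAddress = ( '192.168.10' )
      revnetwAddress = ( '10.168.192' )
      subdomain = ( 'lm' )
      domain = ( $(subdomain).galimberti.priv )
      servername = ( $(subdomain)server )
   mbserver::
      networkAddress = ( '192.168.18' )
      revnetwAddress = ( '18.168.192' )
      subdomain = ( 'mb' )
      domain = ( $(subdomain).galimberti.priv )
      servername = ( $(subdomain)server )
   mpserver::
      networkAddress = ( '192.168.13' )
      revnetwAddress = ( '13.168.192' )
      subdomain = ( 'mp' )
      domain = ( $(subdomain).galimberti.priv )
      servername = ( $(subdomain)server )
   msserver::
      networkAddress = ( '192.168.20' )
      revnetwAddress = ( '20.168.192' )
      subdomain = ( 'ms' )
      domain = ( $(subdomain).galimberti.priv )
      servername = ( $(subdomain)server )
   pvserver::
      networkAddress = ( '192.168.24' )
      revnetwAddress = ( '24.168.192' )
      subdomain = ( 'pv' )
      domain = ( $(subdomain).galimberti.priv )
      servername = ( $(subdomain)server )
   saserver::
      networkAddress = ( '192.168.22' )
      revnetwAddress = ( '22.168.192' )
      subdomain = ( 'sa' )
      domain = ( $(subdomain).galimberti.priv )
      servername = ( $(subdomain)server )
   srserver::
      networkAddress = ( '192.168.12' )
      revnetwAddress = ( '12.168.192' )
      subdomain = ( 'sr' )
      domain = ( $(subdomain).galimberti.priv )
      servername = ( $(subdomain)server )
   ssserver::
      networkAddress = ( '192.168.19' )
      revnetwAddress = ( '19.168.192' )
      subdomain = ( 'ss' )
      domain = ( $(subdomain).galimberti.priv )
      servername = ( $(subdomain)server )
   stserver::
      networkAddress = ( '192.168.23' )
      revnetwAddress = ( '23.168.192' )
      subdomain = ( 'st' )
      domain = ( $(subdomain).galimberti.priv )
      servername = ( $(subdomain)server )
   vaserver::
      networkAddress = ( '192.168.11' )
      revnetwAddress = ( '11.168.192' )
      subdomain = ( 'va' )
      domain = ( $(subdomain).galimberti.priv )
      servername = ( $(subdomain)server )

copy:
   proxies::
      # Squid ACL data and the cron-apt config are pulled from galserver;
      # force=true overwrites whatever is already on the client.
      $(masterfiles)/etc/squid/ERR_ACCESS_DENIED.html server=galserver dest=/etc/squid/ERR_ACCESS_DENIED.html m=644 o=root g=mnt force=true
      $(masterfiles)/etc/squid/siti_permessi server=galserver dest=/etc/squid/siti_permessi m=644 o=root g=mnt force=true
      $(masterfiles)/etc/squid/dstip_permessi server=galserver dest=/etc/squid/dstip_permessi m=644 o=root g=mnt force=true
      $(masterfiles)/etc/cron-apt/config server=galserver dest=/etc/cron-apt/config m=644 o=root g=root force=true

disable:
   proxies::
      # Move the packaged originals aside; editfiles/links rebuild them below.
      /etc/squid/squid.conf dest=/etc/squid/squid.dpkg-old
      /usr/share/squid/errors/Italian/ERR_ACCESS_DENIED dest=/usr/share/squid/errors/Italian/ERR_ACCESS_DENIED.dpkg-old

links:
   proxies::
      # Squid's Italian "access denied" page points at the copied HTML file.
      /usr/share/squid/errors/Italian/ERR_ACCESS_DENIED -> /etc/squid/ERR_ACCESS_DENIED.html type=symbolic

editfiles:
   any::
      # create support files
      #{ /tmp/detectNetwork
      # AutoCreate
      # EmptyEntireFilePlease
      # BeginGroupIfNoLineMatching "# TEST v1.00"
      # Append "#!/bin/bash"
      # Append "/sbin/ifconfig | /bin/grep -A1 eth0 | /usr/bin/tail -1 | /usr/bin/cut -d : -f 2 | /usr/bin/cut -f 1 -d \" \" | /usr/bin/cut -f 1-3 -d \".\""
      # EndGroup
      #}
   proxies::
      # Bind9 named.conf.local, staged in /tmp. Nothing in this file moves
      # it to /etc/bind/named.conf.local, so that step happens elsewhere.
      { /tmp/named.conf.local
         AutoCreate
         EmptyEntireFilePlease
         BeginGroupIfNoLineMatching "# TEST v1.00"
            Append '// MANAGED BY CFENGINE'
            Append '// Do any local configuration here'
            Append '//'
            Append ''
            Append '// Consider adding the 1918 zones here, if they are not used in your'
            Append '// organization'
            Append '//include "/etc/bind/zones.rfc1918";'
            Append 'controls {'
            Append ' inet 127.0.0.1 allow {localhost; } keys { "rndc-key"; };'
            Append ' };'
            Append ''
            # Master zone for this site. Transfers and notifies go only to the
            # central server 192.168.0.9.
            # NOTE(review): the same "rndc-key" authorises both rndc control
            # and dynamic updates; a dedicated update key would limit what a
            # leaked rndc.key can do.
            Append 'zone "$(domain)" {'
            Append ' type master;'
            Append ' file "/etc/bind/$(domain).hosts";'
            Append ' allow-update { key "rndc-key"; };'
            Append ' allow-transfer { 192.168.0.9; };'
            Append ' notify yes;'
            Append ' also-notify { 192.168.0.9; };'
            Append ' };'
            Append ''
            # Reverse zone for the site /24 (no allow-transfer clause here).
            Append 'zone "$(revnetwAddress).in-addr.arpa" {'
            Append ' type master;'
            Append ' file "/etc/bind/$(networkAddress).rev";'
            Append ' allow-update { key "rndc-key"; };'
            Append ' notify yes;'
            Append ' };'
            Append ''
            # The base domain is slaved from the central server.
            Append 'zone "galimberti.priv" {'
            Append ' type slave;'
            Append ' file "/etc/bind/galimberti.priv.hosts";'
            Append ' masters {'
            Append ' 192.168.0.9;'
            Append ' };'
            Append ' };'
         EndGroup
      }
      # Bind9 options: listen only on the site address and loopback.
      { /etc/bind/named.conf.options
         AutoCreate
         EmptyEntireFilePlease
         BeginGroupIfNoLineMatching "# TEST v1.00"
            Append '// MANAGED BY CFENGINE'
            Append 'options {'
            Append ' directory "/var/cache/bind";'
            Append ''
            Append ' // If there is a firewall between you and nameservers you want'
            Append ' // to talk to, you might need to uncomment the query-source'
            Append ' // directive below. Previous versions of BIND always asked'
            Append ' // questions using port 53, but BIND 8.1 and later use an unprivileged'
            Append ' // port by default.'
            Append ''
            Append ' // query-source address * port 53;'
            Append ''
            Append ' // If your ISP provided one or more IP addresses for stable '
            Append ' // nameservers, you probably want to use them as forwarders. '
            Append ' // Uncomment the following block, and insert the addresses replacing '
            Append ' // the all-0\'s placeholder.'
            Append ''
            Append ' // forwarders {'
            Append ' // 62.94.0.1;'
            Append ' // 62.94.0.2;'
            Append ' // };'
            Append ''
            Append ' auth-nxdomain no; # conform to RFC1035'
            Append ' listen-on {'
            Append ' $(networkAddress).254;'
            Append ' 127.0.0.1;'
            Append ' };'
            Append ' // query-source address $(networkAddress).254;'
            Append ' transfer-source $(networkAddress).254;'
            Append '};'
            Append ''
         EndGroup
      }
      # Forward zone file, staged in /tmp. Everything above the
      # "; Record Personalizzati" marker is regenerated; lines after it
      # (site-specific records) are kept.
      { /tmp/$(domain).hosts
         AutoCreate
         BeginGroupIfNoLineMatching "dummy"
            DeleteToLineMatching "; Record Personalizzati"
            PrependIfNoSuchLine '; MANAGED BY CFENGINE'
            DeleteNLines "1"
            IncrementPointer "-1"
            InsertLine '$ttl 38400'
            InsertLine '$(domain). IN SOA $(servername).$(domain). gal-alert.rvmgroup.it. ('
            InsertLine ' 1123857292'
            InsertLine ' 10800'
            InsertLine ' 3600'
            InsertLine ' 604800'
            InsertLine ' 38400 )'
            InsertLine '$(domain). IN NS $(servername).$(domain).'
            InsertLine '$(servername).$(domain). IN A $(networkAddress).254'
            InsertLine 'fire$(subdomain).$(domain). IN A $(networkAddress).254'
            # The next four records were wrapped across two lines in the
            # original listing, leaving the quotes unbalanced; rejoined here.
            InsertLine 'fire.$(domain). IN A $(networkAddress).254'
            InsertLine 'proxy.$(domain). IN A $(networkAddress).254'
            InsertLine 'wpad.$(domain). IN A $(networkAddress).254'
            InsertLine 'as400.$(domain). IN A 192.168.0.100'
            InsertLine "; Record Personalizzati"
         EndGroup
      }
      # Reverse zone file, staged in /tmp, same marker convention as above.
      { /tmp/$(networkAddress).rev
         AutoCreate
         BeginGroupIfNoLineMatching "dummy"
            DeleteToLineMatching "; Record Personalizzati"
            PrependIfNoSuchLine '; MANAGED BY CFENGINE'
            DeleteNLines "1"
            IncrementPointer "-1"
            InsertLine '$(revnetwAddress).in-addr.arpa. IN SOA $(servername).$(domain). gal-alert.rvmgroup.it. ('
            InsertLine ' 1123857320'
            InsertLine ' 10800'
            InsertLine ' 3600'
            InsertLine ' 604800'
            InsertLine ' 38400 )'
            InsertLine '$(revnetwAddress).in-addr.arpa. IN NS $(servername).$(domain).'
            InsertLine '254.$(revnetwAddress).in-addr.arpa. IN PTR $(servername).$(domain).'
            InsertLine '; Record Personalizzati'
         EndGroup
      }
      # build squid.conf
      # needs detectNetwork
      # Default-deny proxy: only the site LAN may reach the whitelisted
      # domains/IPs, plus the Windows Update, McAfee and Java update agents.
      # Safe_ports/SSL_ports mirror the stock squid defaults with a few
      # site additions (9443, 873, 8088).
      { /etc/squid/squid.conf
         AutoCreate
         EmptyEntireFilePlease
         BeginGroupIfNoLineMatching "# TEST v1.00"
            Append 'http_port 3128'
            Append 'hierarchy_stoplist cgi-bin ?'
            Append 'acl QUERY urlpath_regex cgi-bin \\?'
            Append 'no_cache deny QUERY'
            Append 'cache_dir ufs /var/spool/squid 3000 16 256'
            Append 'cache_access_log /var/log/squid/access.log'
            Append 'hosts_file /etc/hosts'
            Append 'refresh_pattern ^ftp: 1440 20% 10080'
            Append 'refresh_pattern ^gopher: 1440 0% 1440'
            Append 'refresh_pattern . 0 20% 4320'
            Append 'refresh_pattern windowsupdate.com/.*\\.(cab|exe) 4320 100% 43200 reload-into-ims'
            Append 'refresh_pattern download.microsoft.com/.*\\.(cab|exe) 4320 100% 43200 reload-into-ims'
            Append 'refresh_pattern download.windowsupdate.com/.*\\.(cab|exe|psf) 4320 100% 43200 reload-into-ims'
            Append 'refresh_pattern nai.com/.*\\.(tar|zip|cab|exe) 4320 100% 43200 reload-into-ims'
            Append 'acl all src 0.0.0.0/0.0.0.0'
            Append 'acl manager proto cache_object'
            Append 'acl localhost src 127.0.0.1/255.255.255.255'
            Append 'acl to_localhost dst 127.0.0.0/8'
            Append 'acl SSL_ports port 443 563 # https, snews'
            Append 'acl SSL_ports port 9443 # Sky'
            Append 'acl SSL_ports port 873 # rsync'
            Append 'acl Safe_ports port 80 # http'
            Append 'acl Safe_ports port 8088 # http x Samnsung'
            Append 'acl Safe_ports port 21 # ftp'
            Append 'acl Safe_ports port 443 563 # https, snews'
            Append 'acl Safe_ports port 9443 # Sky'
            Append 'acl Safe_ports port 70 # gopher'
            Append 'acl Safe_ports port 210 # wais'
            Append 'acl Safe_ports port 1025-65535 # unregistered ports'
            Append 'acl Safe_ports port 280 # http-mgmt'
            Append 'acl Safe_ports port 488 # gss-http'
            Append 'acl Safe_ports port 591 # filemaker'
            Append 'acl Safe_ports port 777 # multiling http'
            Append 'acl Safe_ports port 631 # cups'
            Append 'acl Safe_ports port 873 # rsync'
            Append 'acl Safe_ports port 901 # SWAT'
            Append 'acl purge method PURGE'
            Append 'acl CONNECT method CONNECT'
            # Update agents are matched on their User-Agent string; these
            # are easy to imitate, so they are paired with destination
            # domain ACLs (wu, nai) below where possible.
            Append 'acl wuagent browser Windows Update Control'
            Append 'acl wuagent browser Microsoft WU Client/2.0'
            Append 'acl wuagent browser Microsoft BITS/6.6'
            Append 'acl wuagent browser Industry Update Control'
            Append 'acl wu dstdomain .microsoft.com .windowsupdate.com .windows.com .public-trust.com'
            Append 'acl naiagent browser McAfee AutoUpdate'
            Append 'acl nai dstdomain .nai.com'
            Append 'acl java_jvm browser Java/1.4'
            Append 'acl java_jvm browser Java/1.5'
            Append 'acl Lan src $(networkAddress).0/255.255.255.0'
            Append '#acl PC_Sbloccati src 192.168.10.239 192.168.10.36 192.168.10.38'
            Append 'acl Siti_Permessi dstdomain "/etc/squid/siti_permessi"'
            Append 'acl Ip_Permessi dst "/etc/squid/dstip_permessi"'
            Append 'http_access allow manager localhost'
            Append 'http_access deny manager'
            Append 'http_access allow purge localhost'
            Append 'http_access deny purge'
            Append 'http_access deny !Safe_ports'
            Append 'http_access deny CONNECT !SSL_ports'
            Append 'http_access allow localhost'
            Append 'http_access allow wuagent wu'
            Append 'http_access allow naiagent nai'
            # NOTE(review): java_jvm is allowed with no destination
            # restriction, unlike wuagent/nai -- confirm this is intended.
            Append 'http_access allow java_jvm'
            Append 'http_access allow Lan Siti_Permessi'
            Append 'http_access allow Lan Ip_Permessi'
            Append '#http_access allow PC_Sbloccati'
            Append 'http_access deny all'
            Append 'http_reply_access allow all'
            Append 'icp_access allow all'
            Append 'visible_hostname proxy.$(domain)'
            Append 'error_directory /usr/share/squid/errors/Italian'
            Append 'coredump_dir /var/spool/squid'
         EndGroup
      }

#
# Fix some basic file permissions.
#
files:
   any::
      # enforce sudoers permissions
      /etc/sudoers mode=440 owner=root group=root action=fixall
   proxies::
      /tmp/named.conf.local mode=644 owner=root group=bind action=fixall
      /etc/bind/named.conf.options mode=644 owner=root group=bind action=fixall
      # Was mode=666: /tmp is shared with every local user, so world write
      # was dropped. Group bind keeps write (presumably needed for dynamic
      # updates once the file is in /etc/bind -- verify).
      /tmp/$(domain).hosts mode=664 owner=root group=bind action=fixall
      # editfiles above writes /etc/squid/squid.conf; the former
      # /tmp/squid.conf entry pointed at a file nothing creates.
      /etc/squid/squid.conf mode=644 owner=root group=mnt action=fixall
      # make support files executable
      #/tmp/detectNetwork mode=755 owner=root group=root action=fixall
      # /etc/passwd mode=644 owner=root group=root action=fixall
      # /etc/shadow mode=640 owner=root group=shadow action=fixall
      # /etc/gshadow mode=640 owner=root group=shadow action=fixall

#
# Clean out *ALL* files older than $(maxage) days from /tmp.
#
# Clean out files older than $(maxage) which match the pattern *~
# inside user home directories.
#
tidy:
   any::
      # empty /tmp (this also covers the staged bind files above; they are
      # rewritten by editfiles on each run)
      /tmp pattern=* age=$(maxage) recurse=inf
      # /home pattern=*~ age=$(maxage) recurse=inf

directories:
   any::
      # fix permissions on /tmp (sticky, world-writable)
      /tmp mode=1777 owner=root group=root

processes:
   proxies::
      # restart the daemons whose configuration this file rewrites
      "/usr/sbin/squid" restart "/etc/init.d/squid restart" signal=15
      "/usr/sbin/named" restart "/etc/init.d/bind9 restart" signal=15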
Riavviare cfengine
sudo /etc/init.d/cfengine2 restart   # so cfservd picks up the cfservd.conf and cfrun.hosts written above
Configurazione dei Client
Verifica della configurazione DNS
- Impostare l'hostname correttamente
sudoedit /etc/hosts
# /etc/hosts on client cnserver, one entry per line: the site server is
# the .254 address and must resolve to its fully qualified name.
127.0.0.1 localhost.localdomain localhost
127.0.1.1 firecn.cn.galimberti.priv firecn
192.168.16.254 cnserver cnserver.cn.galimberti.priv
# ... (further entries)
- Verificare l'impostazione corretta del search per il domain name:
sudoedit /etc/resolv.conf
# site subdomain first, then the base domain, so short names such as
# "galserver" resolve:
search cn.galimberti.priv galimberti.priv
- Verificare la corretta risoluzione del nome del server dal client:
ping galserver   # must resolve via the search list to galserver.galimberti.priv, the policyhost in update.conf
Installazione del Pacchetto
sudo apt-get install cfengine2   # same package as on the server; the client also runs cfservd so cfrun can reach it
Configurazione del client
- Configurare l'avvio dei demoni:
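# Enable the cfengine daemons on the client. tee reads the here-document
# itself, so the leading "cat |" was dropped (it only left a cat blocked
# on the terminal).
sudo tee /etc/default/cfengine2 > /dev/null <<'EOFile'
# Cfengine2 defaults configuration -*- sh -*-

# Set variable to 1 to start the daemon; 0 otherwise.
# Note that cfservd will only run if you have put a file into
# /etc/cfengine/cfservd.conf, even if you set RUN_CFSERVD.
# cfservd is kept on for clients too: the client-side cfservd.conf grants
# /usr/sbin/cfagent, which is what lets the server trigger runs with cfrun.
RUN_CFSERVD=1
RUN_CFEXECD=1
RUN_CFENVD=1

CFSERVD_ARGS=""
#CFSERVD_ARGS="--multithread"
EOFile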
- Configurare il demone locale:
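# Client-side cfservd configuration. tee reads the here-document itself,
# so the leading "cat |" was dropped; the delimiter is now quoted
# ('EOFile') as in the other snippets, so the body is never subject to
# shell expansion even if $(...) references are added later.
sudo tee /etc/cfengine/cfservd.conf > /dev/null <<'EOFile'
#
# /etc/cfengine/cfservd.conf for the CLIENTS
#
control:
   domain = ( galimberti.priv )
   AllowConnectionsFrom = ( 192.168.0.0/16 )
   TrustKeysFrom = ( 192.168.0.0/16 )        # trust on first use from the VPN LANs
   cfrunCommand = ( "/usr/sbin/cfagent" )    # what a cfrun request executes
   AllowUsers = ( root )
   LogAllConnections = ( true )              # every inbound connection is logged; keep for auditing
   IfElapsed = ( 0 )
   ExpireAfter = ( 15 )
   MaxConnections = ( 50 )
   MultipleConnections = ( true )
grant:
   # Any host whose name is in galimberti.priv may trigger a cfagent run
   # here via cfrun, so the client's DNS (forward and reverse) must be right.
   /usr/sbin/cfagent *.galimberti.priv
EOFile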
- Creare il file di configurazione per il prelievo degli aggiornamenti:
ATTENZIONE: CAMBIARE L'INDIRIZZO IP DI BindToInterface INSERENDO QUELLO CORRETTO DEL CLIENT
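# Client update policy. tee reads the here-document itself, so the leading
# "cat |" was dropped (it only left a cat blocked on the terminal); 'EOFile'
# is quoted so the $(...) references below reach the file unexpanded.
sudo tee /etc/cfengine/update.conf > /dev/null <<'EOFile'
#
# /etc/cfengine/update.conf - for the clients
#
control:
   actionsequence = ( copy )
   domain = ( galimberti.priv )
   policyhost = ( galserver.galimberti.priv )
   # Local address the client connects from: replace with this host's own
   # LAN address (the .254 of its site /24 in this setup).
   BindToInterface = ( 192.168.19.254 )
   # smtpserver = ( smtp.domain.com )
   # sysadm = ( address@bogus.example.com )
   master_cfinput = ( /var/lib/cfengine2/masterfiles/inputs )
   repository = ( /var/lib/cfengine2/outputs )
#
# Download the most recent 'cfagent.conf' file from the
# server, and install it to /etc/cfengine
#
copy:
   # mode=600: the policy file is root-only. trustkey=true accepts the
   # policyhost's key on first contact, so the first run must happen on a
   # network where that name really is galserver.
   $(master_cfinput)/cfagent.conf dest=/etc/cfengine/cfagent.conf
      mode=600
      server=$(policyhost)
      force=true
      trustkey=true
EOFile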
ATTENZIONE: CAMBIARE L'INDIRIZZO IP INSERENDO QUELLO CORRETTO
sudoedit /etc/cfengine/update.conf   # set BindToInterface to this client's own address
- Riavviare cfengine
sudo /etc/init.d/cfengine2 restart   # start cfservd/cfexecd/cfenvd with the files written above
Test di collegamento
Dal client, impostare le chiavi e fare il primo collegamento:
sudo cfagent -q   # first run: with trustkey=true the server key is accepted on first contact and cfagent.conf is fetched (presumably; verify the key in /var/lib/cfengine2 afterwards)
Aggiornamento forzato da Server
Per forzare l'aggiornamento di un client particolare:
sudo cfrun cnserver.galimberti.priv   # the host must be listed in cfrun.hosts and its cfservd.conf must grant /usr/sbin/cfagent