CBAIS User Guide

• Introduction
• Supported Platforms
• Installing
• Running the Examples
• Configuration
  • Directory Layout
  • Classes
  • Host Specifier Engine
  • Grouing Classes
• Where to next?
• License
• Future Enhancements
• Feedback
• Support
• About CBAIS

The Class Based Auto Install System or CBAIS is a tool for installing and managing the ongoing configuration of unix hosts across a network. Amongst other features it provides

hands free reproducable installation and configuration of unix workstations and servers.

This results in a substantial reduction in the time and effort to manage multiple hosts. For example, imagine you want to define a standard host installation. Once that configuration has been defined and checked into the CBAIS config tree, each host can be built automatically (with little or no) administrator effort. Ongoing management of local hosts, alterations or changes can be pushed to all machines at the same time.

If the operating system release is changed, once the new OS release been tested on a single host, all hosts with that configuration can be upgraded. Networks of hundreds or thousands of machines can be upgraded/installed in hours (if your network is up to it!).

removal of human error factor from machine installs.

Machines are built without human intervention - in fact the CBAIS paradigm prevents it. An administrator can be sure that machines built using a common configuration will be "identical!".

ability to reuse configuration componenents

This can be especially useful (and time saving) when reusing complex machine configurations. For example, once a firewall configuration has been produced in CBAIS, any number of firewall machines may be built, with the only work required being the customisation of the services on each host.

In the case of a firewall this ability to reuse configuration logic is a huge win. If the initial firewall host was certified by independent auditors, all subsequent firewalls can be built in the knowledge that the base configuration is sound, with the administrators effort focused on the services that are different across the hosts.

This also reduces the amount of time an administrator is required to spend performing repetitious installs and configuration changes.

ability to operate in untrusted environments

The ongoing configuration management of firewalls and DMZ hosts has always been tedious, especially when data and configs are under version control. CBAIS allows administrators to push configuration actions to hosts over ssh, and for untrusted clients to spool these actions to disk, for checking before execution. Support for public key signing of these actions is an upcoming feature - further enhancing the ability of CBAIS to operate in untrusted environmnets.

complete audit trails of machine installation and ongoing configuration changes

All CBAIS configuration and data is stored under version control. this enables versions of files and configs to be tagged at install time, and the details of any ongoing changes to be logged. Hosts can be checked against the CBAIS configuration repository for changes.

disaster recovery services

Disaster recovery is simply a matter of duplicating the CBAIS install tree to your disaster recovery site. All configs and data are available. In the case of a host failure, it is simply a matter of connecting a replacement machine and installing it.

CBAIS-V1_0a is an alpha release. It has been tested on RedHat Linux 7 and 7.1, and Solaris 5.7 and 5.8. It should run on any unix system (with perl installed). See the support section below for more information or help in using CBAIS on other unix platforms.

1. Obtain the CBAIS distribution and example configs. The current release of CBAIS is cbais-1.0b. You can get it here.
2. Obtain the required perl libraries (which are not part of the standard perl toolkit). Currently this is the MIME-Base64 and Perl-RPM, both are available on CPAN. You can get solaris and RedHat versions here, otherwise dowload them form CPAN and compile them yourself. Other cbais versions and downloads are located on the CBAIS downloads page.
   
   
3. Create a cbais root directory and unpack unpack the distribution.

   [mos@avalon mos]$ mkdir cbais
   [mos@avalon mos]$ cd cbais
   [mos@avalon cbais]$ tar -zxf ../latest.tar.gz 
   [mos@avalon cbais]$ tar -zxf ../perl-libs.tar.gz 
   [mos@avalon cbais]$ ll
   total 36
   drwxrwxr-x    7 mos      mos          4096 Jun 21 13:08 .
   drwxr-xr-x   20 mos      mos          4096 Jun 21 13:08 ..
   -rw-rw-r--    1 mos      mos           795 Jul 21 14:51 .example_env
   -rw-r--r--    1 mos      mos          1455 Jun 20 16:01 LICENSE
   drwxrwxr-x    5 mos      mos          4096 Jun 14 14:55 RedHat
   drwxrwxr-x    5 mos      mos          4096 Jun 14 14:55 Solaris
   drwxr-xr-x    5 mos      mos          4096 Jun 15 11:14 cbais-1.0b
   drwxrwxr-x    2 mos      mos          4096 Jun 20 14:41 conf
   lrwxrwxrwx    1 mos      mos            12 Jun 21 13:08 current -> cbais-1.0a
   drwxr-xr-x    8 mos      mos          4096 Jun 20 12:05 example
   -rw-rw-r--    1 mos      mos           188 Jun 20 14:54 .example_env
   
     

   
   
4. If you don't want to run the examples as root, edit the file conf/UIDCache.conf, and add a dummy user id for root as indicated. This should be your user id.
   
   
5. source the environment file .example_env. You can now run the cbais engine and take a look at the example configurations.

   [mos@avalon cbais]$ . .example_env 
   [mos@avalon cbais]$ cbais show example_host
   Loaded example_class config (4) actions)
   Loaded local_accounts config (5) actions)
   Loaded auto_mounter config (5) actions)
   Class example_class ===================================================
   append /home/mos/cbais/example/append/example_class/etc/system -> /tmp/etc/system
   cd /tmp/etc; tar -zxf /home/mos/cbais/example/pkgs/example_class/tarball.tar.gz 
   cchmod /tmp/etc/tarball/file* you.you 0644
   Class local_accounts ===================================================
   mkdir /tmp/etc root.root 0755
   copy /home/mos/cbais/example/copy/local_accounts/etc/passwd /tmp/etc/passwd root.root 0644
   copy /home/mos/cbais/example/copy/local_accounts/etc/group /tmp/etc/group root.root 0644
   copy /home/mos/cbais/example/copy/local_accounts/etc/shadow /tmp/etc/shadow root.root 0600
   Class auto_mounter ===================================================
   copy /home/mos/cbais/example/copy/auto_mounter/etc/auto.master /tmp/etc/auto.master root.root 0644
   copy /home/mos/cbais/example/copy/auto_mounter/etc/auto.misc /tmp/etc/auto.misc root.root 0644
   copy /home/mos/cbais/example/copy/auto_mounter/etc/auto.home /tmp/etc/auto.home root.root 0600
   automount -v
   
     

   Now you can execute the cbais configuration for host example_host. Note that because we have the environment variable CBAIS_INSTALL_ROOT (look in the .example_env file) set to /tmp, all operations will effectively be chrooted i.e. not be performed on your host in place.

   [mos@avalon cbais]$ cbais execute example_host
   Loaded local_accounts config (5) actions)
   Loaded example_class config (4) actions)
   Loaded auto_mounter config (5) actions)
   Processing Class local_accounts ===================================================
   mkdir /tmp/etc root.root 0755 succeeded
   copy /home/mos/cbais/example/copy/local_accounts/etc/passwd /tmp/etc/passwd root.root 0644 succeeded
   copy //home/mos/cbais/example/copy/local_accounts/etc/group /tmp/etc/group root.root 0644 succeeded
   copy /home/mos/cbais/example/copy/local_accounts/etc/shadow /tmp/etc/shadow root.root 0600 succeeded
   Processing Class example_class ===================================================
   append /home/mos/cbais/example/append/example_class/etc/system -> /tmp/etc/system succeeded
   cd /tmp/etc; tar -zxf /home/mos/cbais/example/pkgs/example_class/tarball.tar.gz  succeeded
   cchmod /tmp/etc/tarball/file1,/tmp/etc/tarball/file2 you.you 0644 succeeded
   Processing Class auto_mounter ===================================================
   copy /home/mos/cbais/example/copy/auto_mounter/etc/auto.master /tmp/etc/auto.master root.root 0644 succeeded
   copy /home/mos/cbais/example/copy/auto_mounter/etc/auto.misc /tmp/etc/auto.misc root.root 0644 succeeded
   copy /home/mos/cbais/example/copy/auto_mounter/etc/auto.home /tmp/etc/auto.home root.root 0600 succeeded
   Linux automount version 3.1.7
   automount -v succeeded
   

6. verify the actions. The verify example below demonstrates the how to control the actions and classes for which an operation is performed with the -c and -a options.

   [mos@avalon cbais]$ cbais -c  auto_mounter -acopy verify  example_host
   Loaded auto_mounter config (4) actions)
   Class auto_mounter ===================================================
   copy /home/mos/cbais/example/copy/auto_mounter/etc/auto.master /tmp/etc/auto.master root.root 0644 OK
   copy /home/mos/cbais/example/copy/auto_mounter/etc/auto.misc /tmp/etc/auto.misc root.root 0644 OK
   copy /home/mos/cbais/example/copy/auto_mounter/etc/auto.home /tmp/etc/auto.home root.root 0600 OK
   [mos@avalon cbais]$ 
   
   

   If a file has been editted directly on a host the verify operation will report the differences.

   [mos@avalon cbais]$ cbais -c  auto_mounter -M auto.master verify  example_host
   Loaded auto_mounter config (2) actions)
   Class auto_mounter ===================================================
   Files /export/home/mos/cbais/example/copy/auto_mounter/etc/auto.master /tmp/etc/auto.master differ:
           1a2
           > some one editted this file directly!
   diff returned : 1
   [mos@avalon cbais]$ 
   

CBAIS is only as good as the configurations it is implementing. Understanding the configuration setup and the things you can do with it is fundamental to getting the most out of CBAIS.

The primary aim is to reuse units of configuration logic. These are encapsulated in a class. Classes are applied to a machine, or more usually machines. Classes may be grouped together, to form higher levels of configuration logic. The ability to specialise instances of classes (by host and architecture specific data files, and project search paths) allows CBAIS to provide automation, reuse, and audit capability for machines across networks, while reducing the workload on the administrator.

The directory layout of a CBAIS project config and data tree is as follows.

Individual hosts can be configured to search through multiple directory trees (i.e. projects).

A class is a collection of actions, grouped together (hopefully) in a unit of configuration logic (e.g. set up local automounter maps). Actions can be one of any listed on the CBAIS.conf file (L), and can be extended by local administrators if desired.

On its own, the ability to reuse Classes by applying them to multiple machines would not be of great use. CBAIS provides a mechanism which allows the logic of a class to be reused with instance specific data. The Host Specifier Engine allows specific versions of files (both config and data) to be loaded based on the operating system (type and version), architecture, hostname (and aliases), domainname (DNS, nis, ...) and network of a host.

The host specifier engine allows specifi versions of files to be loaded using a a directory tree and file suffix based search path. An example is probably the best way to start.

Whenever B is looking for a file, it can be configured to locate a host specific version of that file (See the cbais.conf man page). This allows an administrator to setup a class which performs some configuration task, and have individual instances of some (or all) data files for different hosts.

Say we have a class I, which configures the passwd, shadow and F files in /etc. We have 4 machines, lenny, larry, bobby and bart. We want the same versions of all files on all machines except bart. We would set up our class file as follows:

#
# local_accounts.cf
return [
        {
                action => 'copy',
                owner  => 'root',
                group  => 'root',
                mode   => '0644',
                file   => '/etc/passwd',
                dont_remove => 'yes',
        },
        {
                action => 'copy',
                owner  => 'root',
                group  => 'root',
                mode   => '0600',
                file   => '/etc/shadow',
                dont_remove => 'yes',
        },
        {
                action => 'copy',
                owner  => 'root',
                group  => 'root',
                mode   => '0644',
                file   => '/etc/group',
                dont_remove => 'yes',
        },
];

Our data tree would look like this

local_accounts/etc/passwd
local_accounts/etc/passwd.bart
local_accounts/etc/shadow
local_accounts/etc/shadow.bart
local_accounts/etc/group
local_accounts/etc/group.bart

with the filename.bart files containing the versions for host bart. Now when a cbais show is done on bart we see

[root@bart /cbais]# cbais -M passwd show
copy /cbais/default/copy/local_accounts/etc/passwd.bart /etc/passwd root.root 0644

whereas on larry (or lenny or bobby) we see

[root@bart /cbais]# cbais -M passwd show
copy /cbais/default/copy/local_accounts/etc/passwd /etc/passwd root.root 0644

Managing multipe machine configurations can be further streamlined by grouping class configs together. The suggestion for this is to have a Classes.cf file which defines lists of classes which are reused. For example

#
# Classes.cf

@Local_Client = ("automounter", "local_accounts", "mail_client", "print_client"  );

@Firewall     = ("local_accounts", "fw", "mail_bastion", );

Now in our host config file we just require the Classes.conf file.

[mos@newtown conf]$ cat larry.conf 
# -*- perl -*-

require 'Classes.conf';

# return
{
    ethernet            => '00:00:21:FF:27:21',
    ip_address          => '192.168.0.100',
    kickstart_file      => '/cbais/RedHat/ks/larry,
    classes             => [ @Local_Client, ],
};

[mos@newtown conf]$ cat lenny.conf 
# -*- perl -*-

require 'Classes.conf';

# return
{
    ethernet            => '00:00:21:FF:27:25',
    ip_address          => '192.168.0.100',
    kickstart_file      => '/cbais/RedHat/ks/lenny,
    classes             => [ @Local_Client, ],
};

If you have run the demonstration configs and are thinking about using CBAIS in earnest, its time to look at some of the reference documentation. The manual pages can be viewed online here.

Copyright (c) 2001,  i3SP Pty Ltd (ABN 40 092 302 237) All rights reserved.

Redistribution and use, with or without modification, are permitted
provided that the following conditions are met:

1. Redistributions must retain the above copyright notice, this list
   of conditions and the following disclaimer.

2. All advertising materials mentioning features or use of this software
   must display the following acknowledgement:
   This product includes software developed by i3SP Pty Ltd 
   and its contributors.

3. Neither the name of the i3SP Pty Ltd nor the names
   of its contributors may be used to endorse or promote products 
   derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY i3SP  Pty Ltd AND
CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL i3SP Pty Ltd OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

cbais-1_0b is an beta release. It has been tested on RedHat Linux 7 and 7.1. Future releases will add a number of features including

• Solaris jumpstart and better RedHat Linux integration glue (next release).
• Configuration and data file dependency generation.
• host audit report generation services
• Enhanced logging services (including syslog integration).
• support for public/private key signing of actions before being pushed to hosts.
• Integrated Meta disk device configuration support (for solaris disksuite and linux raidtools packages).
• web based configuration viewer.
• utilities for further streamlining individual host file reuse.
• XML config file format and generation tools (with XML schema definitions).
• CVS wrappers to enable checking in data files directly from client hosts (rather than pushing out from cbais server).
• more doco :-).

If you woud like to provide feedback, submit bugs, feature requests or ideas for CBAIS, send email to cbais@i3sp.com.

If you would like to purchase support or obtain help in setting up a CBAIS deployment, please contact i3sp.

CBAIS is a result of

• consulting experiences at major financial institutions and telcos.
• Ideas from the AutoInstall paper given at AUUG in 1998.
• Casper Dik's "original" jumpstart package.
• Suggestions, ideas, and testing help from Pauline Van Winsen, Glenn Satchell, and John Warburton.

Finally, with ongoing management being as important a feature as hands free installation CBAIS should probably have another M for management in its name but if you do a search for CBAIMS you'll see why it doesn't.