Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
 HP Servers and Workstations: Managing Systems and Workgroups > Chapter 3 Configuring a System

Using Distributed Systems Administration Utilities
» 

Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Index

spacerspacerspacer
spacer
spacer
  		 
 

You can use Distributed Systems Administration Utilities (DSAU) tools to send files and commands to designated systems in your cluster or network. The DSAU tools provide the following:

  • Configuration synchronization

  • Consolidated logging

  • Command fanout

With configuration synchronization, you can have confidence that systems in your cluster or network are maintained to a standard you adopt. As you make changes on your configuration master, those changes are propagated to all your client systems.

With consolidated logging, you can examine a single log that contains entries from all systems in your configuration, in order of their time stamps, so you can find a specific entry easily.

With command fanout, you can send the same command from one designated system to all the systems in your defined configuration. This eliminates visiting all systems in the configuration and many manual operations.

Introduction to Configuration Synchronization

Managing the configuration and configuration drift of a set of distributed systems is a constant challenge for system administrators. There are a variety of tools available to help manage various aspects of multi-system configuration management. For example, for account management, standard solutions include the Network Information System (NIS) and Lightweight Directory Access Protocol (LDAP). For file level synchronization, tools like rdist ( see the rdist(1) manpage) and rsync are available. HP’s System Insight Manager helps to discover, monitor and manage groups of systems.

A new tool in this toolkit is Configuration Engine (cfengine). cfengine is a popular open source tool for configuration synchronization. It allows policy-based or goal-based configuration management that allows the administrator to define the management actions to be applied to groups of systems so those systems reach a desired state.

cfengine is a client/server based tool. A central configuration master system or policy server hosts a configuration policy file which defines the management actions to be performed on each managed client. The configuration master also hosts the “golden image” files, or reference copies of files that should be distributed to the clients. The administrator can use cfengine to perform tasks such as:

  • Ensure that client systems are using a correct set of configuration files by copying over reference files or directories.

  • Disable inappropriately configured files on the client.

  • Check file permissions, ownership, and track checksum changes.

  • Edit files.

  • Execute specified shell commands on each client.

  • Check for processes or signal processes.

  • Check for specific filesystem mounts.

A Configuration Synchronization Wizard (csync_wizard) is available to help the administrator quickly configure cfengine for managing a set of distributed systems or configuring it as a highly available service in a Serviceguard cluster.

cfengine Overview

The administrator starts by defining a central system or Serviceguard cluster to act as the master configuration server or policy server. The Configuration Synchronization Wizard (csync_wizard) is a user-friendly front-end to the initial configuration process. This central system will house the master policy files (for example, cfagent.conf) which define the desired configuration policies, and also reference copies or master copies of files that should be distributed to the managed clients.

Each managed client copies down the master copies of the policy files from the central configuration server and evaluates its current state versus the desired state defined by the policy file. Any differences cause configurations rules to run in order to resynchronize the client. The administrator can initiate synchronization operations on the managed clients in two ways, using either a push or a pull operation.

  • Using the cfrun command (see the cfrun(1) manpage for more information) from the master configuration server, the administrator can push changes. cfrun reads the file cfrun.hosts to determine the list of managed clients. It then invokes the cfagent command on each managed client to perform a synchronization run. Thus, push operations are really requests to the managed clients to perform an immediate pull.

  • Pull operations are performed using cron or cfengine’s own cron-like cfexecd daemon. Either technique invokes the cfagent command at fixed intervals in order to perform client-initiated configuration synchronization. The administrator defines what interval is appropriate for each group of managed clients. For example, every five minutes, once an hour, or once a day. The administrator can also invoke cfagent directly for on-demand synchronization runs.

cfengine Daemons and Commands

cfengine employs several daemons and commands to perform configuration synchronization operations. The following list describes the primary cfengine components.

  • cfagent -- the cfagent command is cfengine’s workhorse. It runs on each managed client, and bootstraps itself using the file update.conf, which describes the set of files to transfer from the master server to the local managed client. The files transferred include the main policy file, cfagent.conf, and any related policy files. In the DSAU implementation, cfagent.conf imports the file cf.main which has examples of many cfengine features.

    After the configuration files are transferred, cfagent evaluates the configuration instructions in these files. If the client system’s current configuration deviates from the desired configuration, cfagent executes the defined actions to return the client to the proper state.

  • cfservd -- cfservd daemon has two roles:

    • cfservd runs on the master configuration server and is the clearinghouse for file transfer requests from the managed clients. cfagent on the managed clients contacts the master server’s cfservd and requests copies of the master policy files, and copies of any reference files that are needed as part of the defined configuration synchronization operations. The master cfservd is responsible for authenticating remote clients using a public/private key exchange mechanism and optionally encrypting the files that are transferred to the managed clients.

    • cfservd can optionally run on each managed client in order to process cfrun requests. cfrun allows the administrator to push changes to the managed clients instead of waiting for the clients to synchronize using some client-defined time interval. The cfrun command must be initiated from the master configuration server. It contacts each managed client listed in the cfrun.hosts files and connects to the managed client’s cfservd asking it to invoke cfagent to perform the synchronization work.

      cfservd is configured using cfservd.conf and started using /sbin/init.d/cfservd.

  • cfexecd -- cfexecd is a scheduling and reporting tool. If the administrator uses cron to perform synchronization runs at fixed intervals, cfexecd is the command placed in to the crontab file in order to wrap the invocation of cfagent. It stores the output of the cfagent run in the outputs directory (see cfagent.conf for details) and optionally sends email.

    cfexecd has it’s own cron-like features based on cfengine’s time classes. The administrator can choose to run cfexed in daemon mode and use it to invoke cfagent at defined intervals instead of cron. The default is to invoke cfagent every hour. When getting started with cfengine, it is simplest to start out using cron.

  • cfrun -- the cfrun command contacts the managed clients asking each to perform an immediate synchronization run. Specifically, it connects to the optional cfservd on each managed client which in turn launches cfagent.

Figure 3-1 “cfengine Overview” illustrates the relationship of the cfengine commands and daemons, and shows an example of the administrator using cfrun. The dashed lines in the diagram indicate calling sequences (for example, A calls B). Solid lines indicate that data is being read from configuration files.

Figure 3-1 cfengine Overview

cfengine Overview

  1. The administrator is logged into the master configuration synchronization server and makes a change to be propagated out to the managed clients, using the cfrun command.

  2. cfrun checks the file cfrun.hosts for the list of managed clients. Note that the master server can be a client of itself. In this diagram, there are two clients, the master server and a remote client.

  3. cfrun contacts cfservd on each managed client, which in turn invokes cfagent.

  4. cfagent first checks the master server for an updated copy of update.conf file and transfers it to the client if needed.

    If a standalone system is the master server, by default the master copy of update.conf is located in /var/opt/dsau/cfengine_master/inputs/. The master copies of other configuration files such as cfagent.conf, cfservd.conf, and cfrun.hosts are also located here. If the master server is a Serviceguard cluster, the master configuration files are located in the mount point associated with the package. For example, if this mount point is named csync, the path would be /csync/dsau/cfengine_master/inputs.

  5. When copying the configuration files to the local system, cfagent places them in /var/opt/dsau/cfengine/inputs for both standalone systems and clusters. cfagent first evaluates the contents of update.conf in order to update any changed cfengine binaries (if any) and gets the latest version of the policy files (cfagent.conf and related files.

    cfagent then evaluates cfagent.conf to determine the client is in the desired state. If there are deltas, cfagent performs the defined actions to correct the clients configuration.

cfengine Master Server Deployment Models

The cfengine master server can be a standalone HP-UX system servicing groups of distributed clients. The clients can themselves be standalone systems or members of a Serviceguard cluster. If you are already using a Systems Insight Manager central management server, this can be an ideal system to use as a cfengine master server. Master servers can also act as clients and the configuration synchronization tasks can be performed on these systems as well as the remote clients.

If you are managing Serviceguard clusters, cfengine can be deployed strictly for intra-cluster use to synchronize the members of a single cluster. In this configuration, cfservd is configured as a package for high availability but the only cfengine clients are the cluster members themselves. The package’s DNS name/IP address is the name for the cfengine master server.

In addition to providing configuration synchronization as an intra-cluster service, another Serviceguard configuration has the cluster providing the highly available configuration synchronization service to groups of remote client systems. Those clients can be standalone systems or Serviceguard clusters. The cluster providing the cfengine service can be a client of itself and also take advantage of cfengine’s configuration synchronization features. A possible but somewhat unusual configuration is to have a fixed member of Serviceguard cluster act as the master server but no package is configured so cfservd will not be highly available. This configuration is valid but not recommended.

Configuring cfengine

The following sections provide detailed instructions for setting up a configuration synchronization master server and its clients. The quickest way to get started is to use the Configuration Synchronization Wizard (csync_wizard), described below. Completely manual configurations are also described.

Using the Configuration Synchronization Wizard

The csync_wizard (see csync_wizard(1)) automates the task of setting a configuration synchronization master server and its managed clients. It supports setting up a standalone system or a Serviceguard cluster as the master server. The wizard configures all managed clients to run a cfservd so that cfrun (see cfrun(8)) can be used on the master server.

See the appropriate sections below for details.

Using the Wizard to Configure a Standalone Synchronization Server

To configure a synchronization server for a standalone system, run the csync_wizard(1) on the standalone system you wish to configure as the master synchronization server:

# /opt/dsau/sbin/csync_wizard

The wizard displays the following introductory screen:

Querying the system <local hostname> for current status, one moment...
 
This Configuration Synchronization Wizard helps you set up the Configuration
Engine (cfengine) environment. Cfengine is a powerful tool for performing
policy-based management for groups of systems and cluster environments.
 
It is a client/server based utility. A standalone system or Serviceguard 
cluster can be configured as the cfengine ‘master’. The master contains 
the configuration description and configuration files that will be used by 
all the clients. Clients copy the configuration description from the master 
and apply it to themselves. The configuration description supports a rich set 
of management actions such as copying configuration files from the master to
the client, performing edits to files, checking file ownerships, permissions, 
and checksums, executing shell commands, checking for processes, etc. 
 
For a detailed description of the cfengine management actions, please refer to
cfengine man page.
 
This wizard will help you set up this system as a cfengine master or to add or
remove a cfengine client, and to perform the required security setup.
 
Press ‘Return’ to continue...

Press return to continue and choose item 1 from the menu below to configure a master server: 

 Configuration Synchronization Wizard Menu
 =========================================
 
 (1) Set up a cfengine master server
 
 (2) Add a client
 
 (3) Remove a client
 
 (4) Key management for cfengine users
 
 (9) Exit
 
Enter choice: 1
 
The cfengine master server is being configured on:
 
<local hostname>

The wizard then asks if you would like to additionally configure managed clients immediately after configuring the server. For this example, answer no. Managed clients will be added later.

You can optionally specify additional remote clients to manage at this time. 
If you are running in an HA environment, you do not need to specify the 
cluster members.
 
Would you like to manage clients? [N]: n


The wizard proceeds to configure the system as a master server:

******* WARNING!!!! ******** 
 
To protect against possible corruption of sensitive configuration files, 
control-c has been disabled for the remainder of this configuration.
 
Configuration of the cfengine master server is starting.
 
Verifying the master has an entry in the /etc/hosts file on each client...
 
Keys are being created...
 
Keys have been created, now distributing....
 
Starting cfengine on the master and any pertinent client machines. This may 
take a few minutes....

When the configuration is completed, the wizard displays the following summary screens which direct the administrator to the main policy file, /var/opt/dsau/cfengine_master/inputs/cf.main, and the recorded answer file for this run of the wizard.

The Configuration Synchronization Wizard has completed the configuration of cfengine:
 
- The master configuration description template is here:
 
</var/opt/dsau/cfengine_master/inputs/cf.main>
 
This default template has examples of typical configuration synchronization 
actions performed in cfengine. For example, synchronizing critical files such
as /etc/hosts, package scripts, etc.
 
All the actions in the template are disabled by default (commented out).
Uncomment the lines corresponding to the desired synchronization actions for 
this configuration. See the cfengine reference documentation for a description 
of additional cfengine features: /opt/dsau/doc/cfengine/
 
Press ‘Return’ to continue...
 
The cfengine environment has been created with Master Host: <local hostname> 
and members:

Note that when configuring a master server but not adding any managed clients during the server configuration, the members (list of managed clients), will be empty as shown in the above example.

A file recording the answers for this run of the Configuration Synchronization
Wizard is stored here...
 
/var/opt/dsau/cfengine/tmpdir/csync_wizard_input.txt
 
This configuration can be reestablished by issuing the command:
 
/opt/dsau/sbin/csync_wizard \ 
-f /var/opt/dsau/cfengine/tmpdir/csync_wizard_input.txt


Using the Wizard to Configure a Serviceguard Cluster Synchronization Server

To configure a synchronization server for a Serviceguard cluster, there are two configuration choices:

  • Create a Serviceguard package for the configuration service to ensure high availability.

  • Configure a single member of the cluster as if it is a standalone system. The configuration synchronization service will not be highly available, and this configuration will also not work properly with the Serviceguard automation features discussed in the section on Serviceguard Automation features and is not recommended.

This section will focus on using the wizard to configure a highly available configuration synchronization service.

NOTE: Make sure that this cluster’s MAX_CONFIGURED_PACKAGES value can accommodate the additional package. For more information on this setting, please refer to the Managing Serviceguard manual that is part of the Serviceguard documentation set. Also, before starting the wizard, all the current cluster members should up and running in the cluster.

Start by running the Configuration Synchronization Wizard, csync_wizard(1):

# /opt/dsau/sbin/csync_wizard
 
Querying the system <local hostname> for current status, one moment...
 
This Configuration Synchronization Wizard helps you set up the Configuration
Engine (cfengine) environment. Cfengine is a powerful tool for performing
policy-based management for groups of systems and cluster environments.
 
It is a client/server based utility. A standalone system or Serviceguard cluster
can be configured as the cfengine ‘master’. The master contains the configuration
description and configuration files that will be used by all the clients. Clients
copy the configuration description from the master and apply it to themselves.
The configuration description supports a rich set of management actions such as
copying configuration files from the master to the client, performing edits to
files, checking file ownerships, permissions, and checksums, executing shell
commands, checking for processes, etc.
 
For a detailed description of the cfengine management actions, please refer to
cfengine man page.
 
This wizard will help you set up this system as a cfengine master or to add or
remove a cfengine client, and to perform the required security setup.
Press ‘Return’ to continue...

Press return to continue and choose item 1 from the menu below to configure a master server:

 Configuration Synchronization Wizard Menu
=========================================
 
(1) Set up a cfengine master server
 
(2) Add a client
 
(3) Remove a client
 
(4) Key management for cfengine users
 
(9) Exit
 
Enter choice: 1

After choosing 1 and pressing return, the wizard displays the following text:

This system is a member of a Serviceguard cluster. The cfengine configuration
will be defined as a package for high availability unless you answer no to the
below question. If you answer no, for the purposes of cfengine control, this
machine will be treated as a single machine without failover capability for
cfengine.
 
If you accept the default answer of ‘HA’ to the below question, cfengine will be
configured as a highly available Serviceguard package. This will ensure that your
cfengine master server is available as long as one of the cluster members that
can run the package is also available.
 
You will need a free IP address for this package and you need to configure
storage for the package before proceeding. For details on creating highly
available file systems, please refer to ‘Creating a Storage Infrastructure’
chapters of the Managing Serviceguard documentation.
 
Will this master server be Highly Available (HA) [Y]:

The wizard names the package name “csync” for configuration synchronization. This specific package name is required. The LVM storage configuration and network configuration for the package must be set up before continuing or before running the wizard. All the cluster members should also be up and available. For details, refer to the Managing Serviceguard book, under “Building an HA Cluster Configuration”, “Creating a Storage Infrastructure with LVM.”

NOTE: The wizard only supports creating packages based on LVM volume groups. When using CFS or VxVM, manual configuration is required. See the section on manually configuring a Serviceguard cluster for details on manually configuring the csync package.

The wizard prompts for the following, all of which should have already been configured:

  • LVM volume group name (for example, vgcsync)

  • Logical volume in the volume group (for example, /dev/vgcsync/lvol1)

  • The mount point of the filesystem (for example, /csync)

  • The mount options of the filesystem (for example, -o rw,largefiles). The mount options are used verbatim in the Service package control script’s FS_MOUNT_OPT[0] field. Note that the mount options must agree with the filesystem you created on the logical volume. For example, if the filesystem was created with largefiles support, the largefiles mount option should be specified.

  • The filesystem type (for example, VxFS)

  • The package IP address. This should also be a registered DNS name so the configuration synchronization is easy to configure on client systems.

  • The package subnet. Use netstat -i to determine the proper subnet.

Once the storage infrastructure is configured and the IP address obtained, press return to access the default answer of ‘yes’ and proceed with creating the package. The wizard now prompts for the package information: 

Configuring the csync Serviceguard package for a highly available cfengine
master.
 
The cfengine master server is being configured as a HA Serviceguard Package on
this cluster.
 
Please provide the following information for the package:
 
Enter the Volume group? []: vgcsync
 
You need to enter a fully qualified Logical Volume, for example:
/dev/vgname/lvol1 
 
Enter the fully qualified Logical Volume? []:
/dev/vgcsync/lvol1
 
Enter the Filesystem (Mount Point)? []: /csync
 
Enter the Mount Options? [-o rw,largefiles]:<return>
 
Enter the Filesystem Type? [vxfs]: <return>
 
Enter the IP address? []: 12.345.6.78
 
Enter the Subnet? []: 12.345.7.8


The wizard now asks if you would like to manage additional remote clients, that is, systems outside the cluster. The wizard automatically configures the current members of the cluster. This is why all members must be up and accessible when running the wizard. In the example shown below, the administrator chose ‘no’ so only cluster members are configured as clients initially.

Note that additional remote clients can easily be added later using the wizard. It is not necessary to use the wizard to add new clients when additional members are added to the cluster. Refer to the section on Serviceguard Automation features for details.

You can optionally specify additional remote clients to manage at this time. If
you are running in an HA environment, you do not need to specify the cluster
members.
 
Would you like to manage clients? [N]: <return>

The wizard now has all the data it needs to configure the cluster and proceeds to do so:

******* WARNING!!!! ******** 
 
To protect against possible corruption of sensitive configuration files,
control-c has been disabled for the remainder of this configuration.
 
Configuring the ‘csync’ Serviceguard package.
 
Applying the ‘csync’ Serviceguard package configuration file, this will take a
moment.
 
Starting the ‘csync’ Serviceguard package, this will take a few moments...
 
The ‘csync’ Serviceguard package has been started on <local hostname>.
 
Configuration of the cfengine master server is starting.
 
Verifying the master has an entry in the /etc/hosts file on each client...
 
Keys are being created...
 
Keys have been created, now distributing....
 
Starting cfengine on the master and any pertinent client machines.
This may take a few minutes....

When the configuration is done, the wizard displays the following summary screens which direct the administrator to the main policy file, mount_point/cfengine_master/inputs/cf.main, and the recorded answer file for this run of the wizard. Note that the policy file is located on the newly configured filesystem associated with the package. In our example, the administrator chose to mount the filesystem for the package as /csync.If the administrator had previously configured cfengine, before overwriting any existing configuration files, the wizard creates backups in the directory: 

/var/opt/dsau/cfengine/backups

The top level files in this directory are the most recent backup files. Any configurations before that are saved in timestamped subdirectories named v_timestamp. 

The Configuration Synchronization Wizard has completed the configuration of
cfengine:
 
- The master configuration description template is here:
 
</csync/dsau/cfengine_master/inputs/cf.main>
 
This default template has examples of typical configuration synchronization
actions performed in a cluster. For example, synchronizing critical files such as
/etc/hosts, package scripts, etc.
 
All the actions in the template are disabled by default (commented out).
Uncomment the lines corresponding to the desired synchronization actions for this
cluster. See the cfengine reference documentation for a description of additional
cfengine features: /opt/dsau/doc/cfengine/
 
Press ‘Return’ to continue...
 
The cfengine environment has been created with Master Host: <package hostname>
 
and members: <cluster member1>, <cluster member2>, ...
 
A file recording the answers for this run of the Configuration Synchronization
Wizard is stored here...
 
/var/opt/dsau/cfengine/tmpdir/csync_wizard_input.txt
 
This configuration can be reestablished by issuing the command:
 
/opt/dsau/sbin/csync_wizard \ 
-f /var/opt/dsau/cfengine/tmpdir/csync_wizard_input.txt
Cluster Configuration Notes

This section describes the details of a high availability configuration of cfengine in a Serviceguard cluster. For more information on the role of the various cfengine daemons and commands, refer to“cfengine Daemons and Commands”. The Serviceguard package ensures that cfengine’s cfservd daemon remains highly available. The cfengine configuration files update.conf and cfagent.conf define the master configuration synchronization server to be the registered DNS name for the relocatable IP address of the package. When managed clients run cfagent (see cfagent(8)), cfagent connects to cfservd on the package’s adoptive node. Thus the cluster members themselves are all managed clients. The member hosting the package additionally acts as the master server for the policy files.

When booting the cluster, each member will start a client cfservd. This is the cfservd that responds to cfrun requests. When the package starts on a member, that cfservd now has access to the filesystem of the package and becomes the master cfservd that serves the policy files to all managed clients. This cfservd is monitored by the package. If cfservd fails, the package will attempt to restart on another member. That member’s cfservd will then become the master cfservd.

Note that halting the package does not stop the cfservd daemon on the adoptive member since the expectation is that the daemon is present to respond to future cfrun requests. Also, unlike some other HA services, if the csync package is down or unavailable, remote clients are not adversely impacted. The clients continue to run with their currently defined configurations. The administrator would need to make sure the package is up and running in order to distribute any new configuration instructions to the managed clients.

The wizard automates cfengine key distribution to all cluster members. For a detailed description of key distribution steps performed, refer to “Security Notes”.

Serviceguard Automation Features

The Distributed Systems Administration Utilities require Serviceguard 11.17 or later. With Serviceguard 11.17 or later, when members are added to or deleted from the cluster the configuration synchronization tools will automatically take the appropriate configuration actions. Specifically:

  • When adding a member to the cluster, the new member will be automatically configured to participate in configuration synchronization. The following configuration actions occur automatically on the added member:

    1. etc/rc.config.d/cfservd is changed to set CSYNC_CONFIGURED to 1

    2. The appropriate cfengine public/private keys are created for the new member and placed in the members /var/opt/dsau/cfengine/ppkeys directory. The new keys for this member are also distributed to the /var/opt/dsau/cfengine/ppkeys directories on the other cluster members.

    3. The new member’s /var/opt/dsau/cfengine/inputs directory is populated.

    4. cfservd is started on the new member.

    5. The package files are copied to /etc/cmcluster/csync/ on the new member.

    6. A cfagent synchronization run is performed on the master to populate the master’s /var/opt/dsau/cfengine/inputs directory.

    7. A cfagent synchronization run is performed on the remote client.

  • When deleting a member from a cluster, the public key of the deleted member is deleted from the /var/opt/dsau/cfengine/ppkeys directory clusterwide.

Note that the administrator can define cfengine groups or classes that enumerate all the members of a particular Serviceguard cluster. These class definitions will not be updated automatically and the administrator must manually update the cfagent.conf and related files for cluster membership changes.

Configuring a Synchronization Client

You can use the Configuration Synchronization Wizard to add managed clients to an existing cfengine configuration. Run the wizard on the master server, not the client system. When a Serviceguard cluster is the master server, run the wizard on the adoptive node for the csync package. Note that adding a new cluster member in a High Availability setup as a client is done automatically. For more information, see the “Serviceguard Automation Features”.

Also, in order to securely distribute cfengine keys, the client must be configured for non-interactive ssh access by the root account of the master server. The csshsetup tool (see csshsetup(1)) makes it easy to configure ssh access to a remote system. That tool is used in the examples below.

The wizard can currently only manage clients when the clients are in the same DNS domain as the master server. For multi-domain configurations, refer to “Manual Configuration ” for instructions on adding clients manually.

Note that if adding a Serviceguard cluster as a managed client, each cluster member must be added individually.

Start by logging in as root on the master server and configure ssh access to the remote system:

# csshsetup <hostname of managed client>

csshsetup first tests ssh access to the remote system. If it is not configured, ssh prompts for the managed client’s password.

Run the Configuration Synchronization Wizard and choose option 2 to add a new client: 

 Configuration Synchronization Wizard Menu
 =========================================
 
 (1) Set up a cfengine master server
 
 (2) Add a client
 
 (3) Remove a client
 
 (4) Key management for cfengine users
 
 (9) Exit
 
Enter choice: 2

When prompted, enter the name of the client to add:

This option will configure additional clients to the cfengine domain.
 
Enter the name of the client to add: <new client>

The wizard then proceeds to configure the client and report on its progress:

Verifying the master has an entry in the /etc/hosts file on each client...
 
Keys are being created...
 
Keys have been created, now distributing....
 
The client <new client> has been added to the cfengine domain

The wizard configures each new client to run cfservd so it can respond to cfrun requests and adds the client to master’s cfrun.hosts file.

Manual Configuration

The following sections describe the steps required to manually configure cfengine master configuration synchronization servers or managed clients. Note that it typically easier to start by using the csync_wizard (see csync_wizard(1m)) and then modifying the resulting configuration instead of starting from scratch. This is especially true in a Serviceguard cluster where the wizard helps set up the package and takes care of propagating the correct configuration files to all members of the cluster.

When performing manual configurations, it is possible to create configurations that cannot subsequently be managed by the csync_wizard. For example, the wizard supports only single DNS domain configurations. When manually configuring multi-domain configurations, you cannot use the wizard to add and remove clients.

NOTE: You can use csshsetup to configure a trust relationship between the master server and the managed clients. This will allow you to use command fanout commands such as cexec and ccp (see cexec(1) and
ccp(1)). Using these commands can simplify the configuration steps described below when files need to be distributed to managed clients.
Manually Configuring a Standalone Synchronization Server

Perform the following one-time steps to configure a standalone system as a cfengine master server:

  1. Start by creating the master copies of the cfengine configuration files. These files are placed in a well known directory and are distributed to each managed client. The default directory is /var/opt/dsau/cfengine_master/inputs, referenced in the default templates. Start by creating the directory:

    # mkdir -p /var/opt/dsau/cfengine_master/inputs

  2. Copy the default templates files to the following directories:

    # cd /var/opt/dsau/cfengine_master/inputs 
    # cp /opt/dsau/share/cfengine/templates/cf.main.template cf.main 
    # cp /opt/dsau/share/cfengine/templates/update.conf.template update.conf 
    # cp /opt/dsau/share/cfengine/templates/cfagent.conf.template cfagent.conf
    # cp /opt/dsau/share/cfengine/templates/cfrun.hosts.template cfrun.hosts 
    # cp /opt/dsau/share/cfengine/templates/cfservd.conf.template cfservd.conf

  3. Next, edit update.conf. This file has a format similar to cfengine’s main configuration file cfagent.conf. It is used to transfer and update cfengine binaries and any updated configuration definitions files (for example, cfagent.conf) to the managed clients. It is critical to keep this file very simple and avoid errors. Errors in this file will require manually copying a new version to each managed client.

    The file contains tokens in the form <%token nam%> that are replaced by the csync_wizard with the administrator’s answers to questions. Replace the tokens as follows:

    1. Replace <%HOST_NAMER%> with the unqualified hostname of the master server.

    2. Replace <%DOMAIN_NAMER%> with the master server’s domain name. For example: 

      host_name = ( “master-server-name” ) 
      domain_name = ( “abc.xyz.com” )

      Note that this update.conf template assumes that the master server and its clients are all in a single DNS domain. If your master server will have managed clients in multiple DNS domains, change update.conf as follows:

    3. Replace <%HOST_NAMER%> with the fully qualified hostname of the master server..

    4. Delete the <domain_name> variable.

    5. Replace the line “domain = ( “${domain_name}” )” with the following: 

      domain = ( ExecResult(/sbin/awk ‘/domain/ {print $2}’ /etc/resolv.conf) )

      This sets the domain variable appropriately on the client side. Note that this technique assumes /etc/resolv.conf is properly configured on each managed client.

      These same domain edits must also be performed in cf.main and cfservd.conf as well. See the next steps. Use cfagent -p (or --parse-only) flag to verify the syntax of update.conf.

  4. Distribute the master update.conf to each managed client. This step is described in “Configuring a Synchronization Managed Client”.

  5. Create the master server’s security keys. cfengine uses a public/private key exchange to authenticate remote clients. A public/private key pair is generated on the master server and all managed clients. The public key for each managed client is copied to the master server and from the master server to the managed clients. It is important to exchange keys securely using a tool like secure copy, (see scp(1)) or using tape or CD-ROM. Start by generating the keys for the master server:

    # /opt/dsau/sbin/cfkey
    # cd /var/opt/cfengine/ppkeys

    This creates the files localhost.pub and localhost.priv.

    Copy the public key to root-master server IP address.pub. For example, assuming this system’s IP address is 10.0.0.5, use this command:

    # cp localhost.pub root-10.0.0.5.pub

    See “Configuring a Synchronization Managed Client” for details on copying the client keys to this master server.

  6. On the master server, configure the cfservd daemon to start at system startup. Edit /etc/rc.config.d/cfservd and change the line CSYNC_CONFIGURED=0 to CSYNC_CONFIGURED=1. Optionally, if you want to be able to push changes out to the managed clients using cfrun, replicate this change to all the managed clients.

  7. cfrun requires that the managed clients be listed in the file cfrun.hosts. In the default configuration, this file is located in /var/opt/dsau/cfengine_master/inputs. Edit it and add the hostnames of each managed client, one per line. It is simplest to make sure that all the host names are fully qualified. When using fully qualified hostnames, the “domain =” line is not required and can be deleted. If using unqualified hostnames find the line
    domain = <%DOMAIN_NAMER%>” and replace the token with the DNS domain of the client systems. This restricts all the clients to be members of that single domain.

  8. The file /var/opt/dsau/cfengine_master/inputs/cfagent.conf is the master policy file. The default cfagent.conf includes the default template cf.main which is a commented template file with examples of common synchronization actions for both standalone systems and Serviceguard clusters. cf.main contains the same <%HOST_NAMER%> and <%DOMAIN_NAMER%> tokens as those in update.conf. Perform the same edits described in Step 3 above.

    Note that this default cf.main file performs no management actions. All the action lines are commented out. This is a starting point for creating a custom set of cfengine policies and actions for your managed clients. The cfengine reference manual that documents the syntax and all the management actions defined in this file is located in /opt/dsau/doc/cfengine. Other example cfengine configuration files which are included with the open source cfengine distribution are located in /opt/dsau/share/cfengine/examples.

  9. The file /var/opt/dsau/cfengine_master/inputs/cfservd.conf controls which managed clients have access to the files served by cfservd on the master. Perform the following edits to cfservd.conf.

    • Delete the following line entirely:

      domain_name        = ( “<%DOMAIN_NAMER%>” )

    • Change the line reading

      domain             = ( “${domain_name}” )

      to the following:

      domain = ( ExecResult(/sbin/awk ‘/domain/ {print $2}’ /etc/resolv.conf)  )

    • The “admit:” stanza controls which remote clients have access to files on the server. Change each “*.${domain_name}” to a space separated list of managed client DNS domains. For example:

      /var/opt/dsau/cfengine_master/master_files *.abc.xyz.com *.cde.xyz.com

      This example allows all the hosts in the listed domains to access files on the master server. You also can specify lists of specific hosts, IP address ranges, etc. Please see the cfengine reference manual for additional information

  10. On the master server, start cfservd:

    # /sbin/init.d/cfservd start

    This is repeated for each managed client.

  11. Test the configuration by performing the following steps:

    1. On a managed client, use the command:

      # cfagent --no-lock --verbose --no-splay

      The verbose output will display the client checking for updated copies of the master policy files, copying them down to /var/opt/cfengine/inputs if needed, and then executing the contents of cfagent.conf/cf.main.

    2. On the master server, test the cfrun command:

      # cfrun -- --inform

      The --inform syntax instructs the remote cfagent to use the --inform flag which will produce messages for all changes cfengine performs on the system. For additional information, the --verbose can also be helpful:

      # cfrun -v -- --verbose

      The -v instructs cfrun itself to be more verbose and the --verbose is passed on to the remote cfagent.

    For additional troubleshooting information, refer to “cfengine Troubleshooting”.

Manually Configuring a Serviceguard Cluster Synchronization Server

Configuring cfengine for high availability in a Serviceguard cluster is similar to configuring it for a standalone machine, which is described in section “Using the Wizard to Configure a Standalone Synchronization Server”. The primary differences are the creation of the Serviceguard package and the mechanism used to distribute cfengine’s security keys. Follow all the steps described below.

  • Initial Serviceguard Package Preparation

    1. Start by obtaining an IP address for the package. This address is typically registered in DNS to simplify management of remote clients. If you are using cfengine for intra-cluster use only, it is sufficient to make sure the address is added to each member’s /etc/hosts file.

    2. Next, create the storage infrastructure required for a new package. The instructions for doing this are documented in the Managing Serviceguard book, under “Building an HA Cluster Configuration”, “Creating a Storage Infrastructure.” For example. if using an LVM storage infrastructure, that would include the following steps:

      1. Create the LVM volume group (VG) and logical volumes (LV) (for example, /dev/vgcsync/lvol1).

      2. Exporting/importing the VG cluster-wide.

      3. Setting up a filesystem on the LV.

      4. Creating the the filesystem’s mount point (for example, /csync) cluster-wide.

      The default templates assume you are using LVM-based storage. To use VxVM or other cluster-wide storage and filesystems, make the appropriate changes to the package templates described below.

    3. Make sure the filesystem for the package is mounted on the current member. For example, if using LVM do the following:

      # vgchange -a e /dev/vgcsync
      # mount -o rw,largefiles /dev/vgcsync/lvol1 /csync

  • Initial Policy File Customization

    1. Create a subdirectory for the master policy files and reference files. For example:

      # mkdir -p /csync/dsau/cfengine_master/master_files

      These example directories are those used by the csync_wizard.

    2. Copy the default templates into the master inputs directory:

      # cd /csync/dsau/cfengine_master/inputs
      # cp /opt/dsau/share/cfengine/templates/cf.main.template cf.main 
      # cp /opt/dsau/share/cfengine/templates/update.conf.template update.conf
      # cp /opt/dsau/share/cfengine/templates/cfagent.conf.template cfagent.conf 
      # cp /opt/dsau/share/cfengine/templates/cfrun.hosts.template cfrun.hosts 
      # cp /opt/dsau/share/cfengine/templates/cfservd.conf.template cfservd.conf

    3. Edit update.conf. This file has a format similar to cfengine’s main configuration file cfagent.conf. It is used to transfer and update cfengine binaries and any updated configuration definitions files (for example, cfagent.conf) to the managed clients. It is critical to keep this file very simple and avoid errors. Errors in this file will require manually copying a new version to each managed client.

      The file contains tokens in the form <%token name%> which are replaced by the csync_wizard with the administrator’s answers to questions. Replace the tokens as follows:

      • Replace <%HOST_NAMER%> with the unqualified hostname of the Serviceguard package.

      • Replace <%DOMAIN_NAMER%> with the package’s DNS domain name. For example: 

        host_name = ( “package-hostname”) 
        domain_name = ( “abc.xyz.com”)

      Note that this update.conf template assumes that the master server and its clients are all in a single DNS domain. If your master server will have managed clients in multiple DNS domains, change update.conf as follows:

      • Replace <%HOST_NAMER%> with the fully qualified hostname of the Serviceguard package.

      • Delete the “domain_name” variable.

      • Replace the line domain = ( “${domain_name}” ) with the following: 

        domain = ( ExecResult(/sbin/awk ‘/domain/ {print $2}’ /etc/resolv.conf) )

        This sets the domain variable appropriately on the client-side.

      These same domain edits must also be performed in cf.main and cfservd.conf as well. See below. Use cfagent’s -p (--parse-only) flag to verify the syntax of update.conf.

  • List Managed Clients in cfrun.hosts

    cfrun requires that all managed clients be listed in the file cfrun.hosts. Since each cluster member is considered a client, make sure each member is listed in /csync/dsau/cfengine_master/inputs/cfrun.hosts.

    Edit it and add the hostnames of each member, one per line. It is simplest to make sure that all the host names are fully qualified. When using fully qualified hostnames, the “domain = line” is not required and can be deleted. If using unqualified hostnames, find the line “domain = <%DOMAIN_NAMER%>” and replace the token with the DNS domain of the cluster members. This restricts all the clients to be members of that single domain.

  • Edit the Master Policy File

    The file /var/opt/dsau/cfengine_master/inputs/cfagent.conf is the master policy file. The default cfagent.conf includes the default template cf.main which is a commented template file with examples of common synchronization actions for both standalone systems and Serviceguard clusters. Edit cf.main to replace the following tokens: cf.main contains the same <%HOST_NAMER%> and <%DOMAIN_NAMER%> tokens as update.conf. Perform the same edits described in item 3 in the previous bulleted item, “Initial Policy File Customization.”

    Note that this default template performs no management actions. All the action lines are commented out. It does contain many examples specific to synchronizing files in a Serviceguard cluster. This is a starting point for creating a custom set of cfengine policies and actions for your cluster and other managed clients.

    The cfengine reference manual which documents the syntax and all the possible management actions defined in this file is located in /opt/dsau/doc/cfengine/.

    Other example cfengine configuration files which are included with the open source cfengine distribution are located in /opt/dsau/share/cfengine/examples.

  • Edit the cfservd.conf File

    The file /var/opt/dsau/cfengine_master/inputs/cfservd.conf controls which managed clients have access to the files served by cfservd on the master. Perform the following edits to cfservd.conf.

    • Delete the following line entirely:

      domain_name        = ( “<%DOMAIN_NAMER%>” )

    • Change the line reading

      domain             = ( “${domain_name}” )

      to the following:

      domain = ( ExecResult(/sbin/awk ‘/domain/ {print $2}’ /etc/resolv.conf)  )

    • The “admit:” stanza controls which remote clients have access to files on the server. Change each “*.${domain_name}” to a space separated list of managed client DNS domains. For example:

      /var/opt/dsau/cfengine_master/master_files *.abc.xyz.com *.cde.xyz.com

      This example allows all the hosts in the listed domains to access files on the master server. You also can specify lists of specific hosts, IP address ranges, etc. Please see the cfengine reference manual for additional information.

  • Distribute the Master update.conf to Each Cluster Member

    Use the following commands:

    # cd /var/opt/dsau/cfengine/master_files/inputs

    # ccp update.conf /var/opt/dsau/cfengine/inputs/

    cfengine itself will take care of distributing the remaining files cluster-wide and to all managed clients.

  • Distribute the cfengine Security Keys

    Since cfengine uses a public/private key exchange model to validate the authenticity of managed clients, a key must be configured that is associated with the relocatable IP address of the package. That address is the one that remote clients see as the master server. Since any cluster member can become the adoptive node, this key must be identical across all cluster members. cfengine’s cfkey generates a public/private key pair for the current system. cfkey creates the files localhost.priv and localhost.pub.

    cfengine expects keys to be named using the following convention:

    username-IP address.pub

    For example:

    root-10.0.0.3.pub

    The administrator copies the localhost.pub key to the correct name based on the system’s IP address. For the case of a cluster, the keys for the current member are used to generate the keys cluster-wide using the following steps:

    1. Use cfkey to create the public and private key pair for this cluster member: 

      # mkdir -p /var/opt/dsau/cfengine/ppkeys 
      # cd /var/opt/dsau/cfengine/ppkeys 
      # /opt/dsau/sbin/cfkey

      This will create keys named localhost.priv and localhost.pub.

    2. The public key, localhost.pub is then copied to root-package IP address.pub. For example,

      # cp localhost.pub root-10.116.9.74.pub

      where 10.116.9.74 is the relocatable IP address of the csync package.

    3. This member’s localhost.pub is then used to create the member-specific keys for each member:

      # cp localhost.pub root-<member1 IP address>.pub 
      # cp localhost.pub root-<member2 IP address>.pub 
      # cp localhost.pub root-<member3 IP address>.pub 
      ...
      # cp localhost.pub root-<memberN IP address>.pub

    4. Finally, all the keys are copied to each member.

      # ccp * /var/opt/dsau/cfengine/ppkeys

      Note: ccp, a command-fanout command, performs a cluster copy, copying a command to all cluster members.

  • Configure and start cfservd

    1. Configure the cfservd daemon to start at system startup. Edit /etc/rc.config.d/cfservd and change the line CSYNC_CONFIGURED=0 to CSYNC_CONFIGURED=1.

    2. Propagate this change cluster-wide:

      # ccp /etc/rc.config.d/cfservd /etc/rc.config.d/cfservd

    3. On the master server, start cfservd:

      # /sbin/init.d/cfservd start

    4. Repeat for the remaining cluster members. If you have configured for cluster for use with the DSAU command fanout tools, use the following command to start the daemons cluster-wide:

      # cexec /sbin/init.d/cfservd start

  • Create the csync Package

    To create the configuration synchronization package, modify the default package template files as appropriate for your Serviceguard environment. Note that it is required that the package be called csync. Failure to do so will cause the Serviceguard automated operations to fail. For more information, refer to the section “Serviceguard Automation Features” .

    Start by making the changes described below.

    1. Create the package directory cluster-wide: 

      # cexec mkdir /etc/cmcluster/csync

    2. Copy the template package ASCII file and package control script to the /etc/cmcluster/cysnc directory on the current member: 

      # cd /etc/cmcluster/csync 
      # cp /opt/dsau/share/serviceguard/templates/csync.conf.template csync.conf
      # cp /dsau/share/serviceguard/templates/csync.script.template csync 
      # chmod +x csync

    3. Edit the csync.conf package ASCII configuration file to replace the placeholder tokens with the appropriate values. The tokens are in the form <%token name%>. Find the line “SUBNET <%SG_PKG_SUBNET%>” and replace the token with the subnet for the csync package. Use netstat -i to help identify the subnet.

    4. Edit the package control script, and substitute appropriate values for the placeholder tokens.

      Note: The default script template assumes you are using an LVM-based storage configuration. If you are using VxVM and/or CFS, refer to the Managing Serviceguard documentation for more information on configuring packages using those technologies. You will have to comment out the LVM parts of the template described below and substitute the appropriate VxVM or CFS stanzas.

      1. Find the the line “VG[0]=“<%SG_PKG_VOL_GRP%>”” and replace the token with the name of the LVM volume group for the package. For example, VG[0]“vgcsync”.

      2. Find the line “LV[0]=“<%SG_PKG_LOG_VOL%>”” and replace the token with the full name of the logical volume. For example, LV[0]=“/dev/vgcsync/lvol1”.

      3. Find the line “FS[0]=“<%SG_PKG_FS%>”” and replace the token with the name of the filesystem mount point created for this package. For example, FS[0]=“/csync”.

        Note that this mount point should have been created on each cluster member as part of the storage configuration described above.

      4. Find the line “FS_MOUNT_OPT[0]=“<%SG_PKG_MNT_OPT%>””and replace the token with the filesystem’s mount options. For example, FS_MOUNT_OPT[0]=“-o rw,largefiles”.

      5. Find the line “FS_TYPE[0]=“<%SG_PKG_FS_TYPE%>””and replace the token with the filesystem type. For example, FS_TYPE[0]=“vxfs”.

      6. Find the line “FS_UMOUNT_OPT[0]=“<%SG_PKG_FS_UMOUNT_OPT%>”” and replace the token with any filesystem umount options. The token can be removed and this option left blank if there are no special umount options. For example, FS_UMOUNT_OPT[0]=“”.

      7. Find the line “FS_FSCK_OPT[0]=“<%SG_PKG_FS_FSCK_OPT%>”” and replace the token with any filesystem specific fsck options. As above, the token can be deleted and this option left blank. For example, FS_FSCK_OPT[0]=“”.

      8. Find the line “IP[0]=“<%SG_PKG_IP%>””and replace the token with the IP address of the csync package. For example, IP[0]= 123.456.789.3.

      9. Find the line “SUBNET[0]=“<%SG_PKG_SUBNET%>””and replace the token with the subnet for the package’s IP address. Use netstat -i to help determine the subnet. Fore example, SUBNET[0]= 123.456.789.0.

    5. Distribute the package control script and package ASCII configuration files cluster-wide:

      # ccp csync csync.conf /etc/cmcluster/csync/

    6. Apply the package and start it: 

      # cmapplyconf -P csync.conf 
      # cmmodpkg -e csync

  • Test the csync Package Configuration

    Test the configuration by performing a the following steps:

    1. On a managed client, use the command:

      # cfagent --no-lock --verbose --no-splay

      The verbose output will display the client, checking for updated copies of the master policy files, copying them down to /var/opt/cfengine/inputs if needed, and then executing the contents of cfagent.conf/cf.main.

    2. On the master server, test the cfrun command:

      # cfrun -- --inform

      --inform instructs the remote cfagent to use the --inform flag which will produce messages for all changes cfengine performs on the system. For additional information, the --verbose command can also be helpful:

      # cfrun -v -- --verbose

      The -v instructs cfrun itself to be more verbose and the --verbose is passed on to the remote cfagent.

      For additional troubleshooting information, please refer to “cfengine Troubleshooting”.

Configuring a Synchronization Managed Client

When manually configuring managed clients, the basic steps are:

  • Exchanging security keys. This establishes the trust relationship between the managed client and master server.

  • Copying update.conf from the master server to the managed client.

  • Setting a schedule for which cfagent will perform synchronization operations.

To configure a Serviceguard cluster as a client of an existing cfengine master server, then each cluster member is treated as if it were a standalone system and configured individually. If you add new members to the cluster, each must be configured appropriately.If you are adding a new member to a Serviceguard cluster and that cluster is running the csync package, then the members of the cluster are automatically configured as cfengine-managed clients. In this scenario, the csync package acts as the master server. New members will be automatically configured as a managed clients and also able to handle failover for the package. The package’s storage infrastructure and filesystem should be configured before adding the member to the cluster. To add a new managed client, start by configuring the trust relationship between the client and the master server. The two systems exchange security keys to authenticate each other. The master server’s public key needs to be copied to the client and the client’s public key is copied to the master server:

  1. As root, create the client’s security key using cfkey:

    # mkdir -p /var/opt/cfengine/ppkeys
    # cd /var/opt/cfengine/ppkeys
    # /opt/dsau/sbin/cfkey

    This creates the files localhost.pub and localhost.priv for this client.

  2. Copy this client’s key to the master server. The master server uses the following naming convention for the client keys, <username>-<client_IP_address>.pub.

  3. Push the client’s public key to the master server’s ppkeys directory using the following naming convention:

    # scp localhost.pub master_server:\ 
      /var/opt/cfengine/ppkeys/root-client_IP_address.pub

    Note that its important to use a utility like secure copy (see scp(1)) when transferring the key in order to protect its integrity.

  4. Finally, copy the master server’s key to this managed client:

    # scp master_server:/var/opt/cfengine_master/ppkeys/localhost.pub \
      root-master_IP_address.pub

  5. Next, copy the master server update.conf to the managed client:

    # mkdir -p /var/opt/dsau/cfengine/inputs
    # cd /var/opt/dsau/cfengine/master_files/inputs
    # cd /var/opt/dsau/cfengine/inputs
    # scp master_server:/var/opt/dsau/cfengine/inputs/update.conf ./update.conf


To allow this client to accept cfrun requests, do the following:

  1. Edit /etc/rc.config.d/cfservd and set the CSYNC_CONFIGURED variable to “1” -- this will start cfservd at system boot time.

  2. Start cfservd:

    # /sbin/init.d/cfservd start

  3. Test the configuration with cfagent (see cfagent(8)):

    # cfagent --no-lock --verbose --no-splay

    The verbose output will display the client checking for updated copies of the master policy files, copying them down to /var/opt/cfengine/inputs if needed, and then executing the contents of cfagent.conf/cf.main.

For additional troubleshooting information, refer to the section “cfengine Troubleshooting”.

Choosing a Synchronization Invocation Method

As the administrator, you can push changes out to managed clients by using the cfrun command (see cfrun(8)). cfrun contacts the cfservd daemon on each managed client and cfservd invokes cfagent does the actual synchronization work. You can also choose to have cfagent run at intervals on the client. There are two approaches:

  • Run cfagent from a cron job.

    When running cfagent from cron, invoke it using cfexecd -F. An example crontab entry is shown below:

    0 * * * * /var/opt/dsau/cfengine/bin/cfexecd -F

    This crontab entry will cause cfagent to be run every hour.

    In this example, cfexecd (see cfexecd(8)) acts a wrapper for cfagent and collects any output and places it in /var/opt/dsau/cfengine/outputs. cfexecd can also cause mail to be sent to the administrator if specified in the cfagent.conf file. For details, refer to the cfengine reference manual in /opt/dsau/doc/cfengine.

    Note that the default cf.main has an example for automatically adding the above line to the crontab file of each managed client.

  • Run cfexecd in daemon mode.

    cfexecd has cron-like features based on cfengine’s time classes and can be used instead of cron to run cfagent. cfexecd defaults to running cfengine every hour. When first getting started with cfengine, it probably easiest to use cron for scheduling client side synchronization. For details on using cfexecd in daemon-mode, refer to the cfengine tutorial located in /opt/dsau/doc/cfengine/.

Security Notes

cfengine has many security features that range from parameters to control denial-of-service attacks to access control lists that prevent managed clients from accessing reference file directories on the server. For details on the cfengine security features, refer to the reference manual located in /opt/dsau/doc/cfengine/. The security topics discussed below include:

  • Key exchange

  • Network port usage

  • Encryption

  • Checksum alerts

Key Exchange

All the key exchange examples shown thus far have used scp to securely transfer master server public key to the managed client and the managed client’s public key to the master server. A scheme like this provides the highest level of security but can be inconvenient in certain situations. Other key distribution alternatives include the following:

  • When connecting to a new client, cfrun has an interactive mode akin to ssh, where the administrator is prompted to accept the remote system’s key. For example:

    cfrun(0): .......... [ Hailing remote-host.abc.xyz.com ] .......... 
    WARNING - You do not have a public key from host remote-host.abc.xyz.com =
    12.345.678.90 
    Do you want to accept one on trust? (yes/no)
    -> yes
    cfrun:<master server name>: Trusting server identity and willing to accept key
    from remote-host.abc.xyz.com=12.345.678.90

  • For large numbers of new clients, this interactive mode can be inefficient. cfrun supports a -T option which tells cfengine to trust all new keys from the hosts listed in cfrun.hosts.

  • cfservd.conf supports a TrustKeysFrom control clause. For example:

    control:
    TrustKeysFrom = ( 128.39.89.76 ) # A trust host
    TrustKeysFrom = ( 128.39.89.76/24 ) # A trusted subnet

    The enumerated host or subnet addresses will be implicitly trusted and their keys automatically accepted.

All of these key exchange alternatives should be used with extreme caution and only in a secure environment where the LAN is trusted and the remote hosts are trusted. Once a public key is accepted it will not be updated unless it is deleted by hand from the master server’s /var/opt/dsau/cfengine/ppkeys directory or manually replaced with a new key.

Network Port Usage

cfservd uses TCP port 5308 by default. You can instruct cfagent to connect to cfservd using a different port by specifying a port in the cfrun.hosts file. For example: 

host1.abc.xyz.com # Use standard port
host2.abc.xyz.com		# Use standard port
host3.abc.xyz.com:4444	# Use port 4444

Also, cfengine will honor a cfengine tcp port defined in /etc/services.

Encryption

In general, file transfer traffic between the master server and a managed client is not encrypted. For many system management related configuration files this is acceptable. For certain files, an encrypted file transfer is desirable. The copy action in cfagent.conf has an “encrypt = true”option to encrypt the specified file. For additional encryption options, please refer to the cfengine reference manual located in /opt/dsau/doc/cfengine.

Checksum Alerts

cfengine has a checksum alert feature similar to Tripwire. To monitor changes to a file’s checksum, do the following:

  • Add the following stanza to /var/opt/dsau/cfengine_master/inputs/cfagent.conf:

    ChecksumUpdates = ( “on” )

  • In cfagent.conf’s “files”actionsequence, add checksum = md5 or checksum = sha options for the files to monitor. For example: 

    files:
    class::
    /etc/example
    mode = 644
    checksum = md5

    Note that that this checksum option is different from the checksum = true option used in the copy actionsequence. That option tells cfengine to use checksum instead of timestamps when deciding if files need to be copied.

cfagent creates the checksum database on the client if it does not already exist. When ChecksumUpdates is set to “on”or “true,” then the current checksum for the monitored files is added to or updated in the checksum database. After this initial run to populate the checksum database, change ChecksumUpdates to “off.” At this point, any changes to a checksum of a monitored file causes a security warning. For example:

host1: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
host1: SECURITY ALERT: Checksum for /etc/example changed!
host1: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Disabling Use of cfengine

The csync_wizard does not have an unconfigure option to stop a system from being a master server. To disable a master server, simply stop cfservd:

# /sbin/init.d/cfservd stop

To prevent cfservd from starting at system startup, edit /etc/rc.config.d/cfservd and change CSCYN_CONFIGURED to “0”.

If the csync_wizard was used to create the cfengine configuration and add managed clients, it can be used to remove managed clients. Run the wizard on the master server and select the “Remove a client”option. The wizard requires that non-interactive ssh access to the managed client has been configured as described in the section “Configuring a Synchronization Client”. The specified client will be deleted from cfrun.hosts, and its public key deleted from the master ppkeys directory, and the master’s key deleted from the client’s ppkeys directory.

Logging Options

cfengine is intentionally silent about most configuration changes but there are several configuration options to increase the verbosity of cfengine output, as follows:

  • Most cfagent.conf actions such as “copy”, “editfiles”, and “processes”, support a syslog = true option to cause the specific action to be logged to syslog.

  • Similarly, most actions support an “inform = true”option to cause cfagent to report any changes.

  • cfagent.conf’s control section supports global “inform = (true)” and “syslog = true”options.

  • cfagent (see cfagent(8)) supports the --inform switch on the command line. For more information, refer to the cfengine reference manual in /opt/dsau/doc/cfengine.

cfengine Troubleshooting

The following are some troubleshooting hints for working with cfengine.

  1. Run cfservd on the master server using the --no-fork (-F) and the --verbose (-v) options. This will provide useful information for any troubleshooting efforts

  2. You may see authentication errors. When performing a “cfagent -K” operation, the following messages are displayed:

    cfengine:: BAD: key could not be accepted on trust
    cfengine:: Authentication dialogue with <master server>.abc.xyz.com failed
    cfengine:client:/var/opt/dsau/cfengine/inputs/update.conf:194: Warning:
    actionsequence is empty 
    cfengine:client:/var/opt/dsau/cfengine/inputs/update.conf:194: Warning: perhaps
    cfagent.conf/update.conf have not yet been set up?

    This problem is most likely due to the cfengine security setup. To resolve the problem, you will need to exchange cfengine public keys between the managed client and master server. The csync_wizard (see csync_wizard(8)) automates this process when adding clients. See the section “Configuring a Synchronization Managed Client” for instructions on manually distributing keys to managed clients.

  3. Warning: actionsequence is empty” errors

    Use the cfagent -v option to get more information. One possible cause of this message is that update.conf has not been added to the client’s /var/opt/dsau/cfengine/inputs directory.

  4. Syntax error due to missing white space

    # cfagent -K cfengine::/var/opt/dsau/cfengine/inputs/update.conf:39: syntax error cfengine::/var/opt/dsau/cfengine/inputs/update.conf:Execution terminated after
    parsing due to errors in program

    Check for white space within the configuration files. As a general rule, using white space can improve readability. One common issue is omitted whitespace within parentheses. For example, functions should have no space between the function name and leading parenthesis but the function itself requires leading and trailing whitespace within the enclosing parentheses. For example, the following shows the use of required leading and trailing whitespace.

    control:
    my_variable = ( ExecResult(/bin/ls -l) )

    In the example above, cfengine is reporting a syntax error on line 39 of the update.conf. It is possible that the error is a whitespace error from line 38 in the file.

  5. Unable to connect to a cfengine client or master.

    # cfrun
    cfrun(0): .......... [ Hailing host1 ] ..........
    cfrun(0): .......... [ Hailing host2 ] ..........
    cfrun:host2: Couldn’t open a socket
    cfrun:host2: socket: Connection refused

    Check that the cfservd daemon on host2 is configured and running. Use /sbin/init.d/cfservd start to start cfservd if it is not running.

  6. Can’t stat” messages

    When running using either cfrun or cfagent you might get “can’t stat”errors. For example:

    host1: Can’t stat
    /var/opt/dsau/cfengine_master/master_files/etc/test in copy

    Check your master file repository, and ensure that the file in question is available and has the right permissions.

  7. Couldn’t open a socket ”or “unable to establish connection:”errors

    cfagent and cfrun can display errors such as:

    cfengine:: Couldn’t open a socket
    cfengine:: Unable to establish connection with host1 (failover)
    host2: Couldn’t open a socket

    If the master server cfservd is running, this error could indicate that a there is a firewall or port issue such that the client cannot reach port TCP 5308 on the master server. When using cfrun, the master server must also be able to reach TCP port 5308 on the remote client. Ensure that any firewall rules allow access to these ports.

  8. cfengine command line arguments are case-sensitive. For example, cfagent supports both the -k and -K options which have different meanings:

    • -k instructs cfagent to ignore the copy action sequence

    • -K instructs cfagent to ignore locks when running

  9. How do I make cfengine more verbose?

    Most cfengine tools and daemons accept a verbose option and several debugging options. For example:

    cfagent -d, -d1, -d2, -d3, or -d4 # for debug output
    cfservd -v
    cfrun -v

Introduction to syslog

syslogd (see syslogd(1M)) is a ubiquitous component of UNIX systems that performs system logging activities. syslogd reads from a set of log sources such as /dev/log and /dev/klog and processes the log messages as instructed in /etc/syslog.conf. Applications log messages to syslog using the syslog() call (see syslog(3C)).

syslog Message Format

A syslog message has a standard format which includes an optional priority level and facility. The priority level indicates the urgency of the message. The facility indicates the subsystem that posted the message. Table 3-1 “syslog Priority Levels” lists the priority level and facilities defined in /usr/include/syslog.h.

Table 3-1 syslog Priority Levels

MessageDescription
LOG_EMERGA panic condition, normally broadcast to all users.

LOG_ALERT

A condition that should be corrected immediately, such as a corrupted system database.

LOG_CRIT

A critical condition such as a hard device error.

LOG_ERR

General errors.

LOG_WARNING

Warning messages.
LOG_NOTICE

Conditions that are not error conditions, but may require special attention.

LOG_INFO

Informational messages.

LOG_DEBUG

Messages that contain information normally of use only when debugging a program.

 

Table 3-2 “syslog Facilities Messages” describes syslog Facilities Messages.

Table 3-2 syslog Facilities Messages

MessageDescription

LOG_KERN

Messages generated by the kernel. These cannot be generated by any user processes.

LOG_USER

Messages generated by random user processes. This is the default facility identifier if none is specified.

LOG_MAIL

Messages from the mail system.

LOG_DAEMON

Messages from the system daemons such as inetd, ftpd (see inetd(1M), ftpd(1M)).

LOG_AUTH

Messages from the authorization system, including login, su, getty (see login(1), su(1),
getty(1M)).

LOG_SYSLOG

Messages generated internally by the syslogd daemon.

LOG_LPR

Messages from the printer spooling system, such as lp, lpsched (see lp(1), lpsched(1M)).

LOG_NEWS

Messages from the news system.

LOG_UUCP

Messages from the UUCP system.

LOG_CRON

Messages from the CRON daemon.

LOG_LOCAL0 - LOC_LOCAL7

Reserved for local use.

 

Message Filtering

Using /etc/syslog.conf, messages can be filtered based on their priority level and facility. Messages can be directed to:

  • Specific log files

  • The console

  • A specified user. The message will be sent to his terminal if the user is logged in.

  • All logged-in users

  • Forwarded to remote systems. For more information, see the “Log Consolidation Overview”.

See the syslogd(1M) manpage for additional information on configuring message filters.

Log Consolidation Overview

Log forwarding is a feature of the standard UNIX syslogd. In addition to logging messages to the local host's log files, syslogd can forward log messages to one or more remote systems. These systems are referred to as log sinks or log consolidation servers.

Log consolidation offers benefits such as the following:

  • Easier log file analysis - The centralized log provides a single location for the administrator to perform log file analysis. It offers single view of events that impact multiple systems

  • Increased security - A security breach might compromise the local logs but not the centralized copy. The log consolidation system can be hardened in ways that are likely to be inappropriate for log forwarding clients.

  • Simplified archiving of logs - It is sometimes simpler to archive a set of centralized logs versus per-system logs.

There are several disadvantages of using the standard syslogd on a log consolidation server:

  • syslogd supports forwarding using UDP only. The Universal Datagram Protocol (UDP) is a "connectionless" protocol and does not offer flow control or guaranteed delivery of messages. As such, it is possible for forwarded log messages to be lost.

  • The filtering features of syslogd are quite simple: you can filter only on a message’s facility and priority.

  • A log consolidation system represents a single point of failure. If the system is unavailable, the messages forwarded from clients are lost. Note that the messages still exist on the individual client systems. The are lost only from the consolidated log.

Improved Log Consolidation

The Distributed Systems Administration Utilities (DSAU) uses syslog-ng, or syslog “Next Generation,” to address the weaknesses of the traditional syslogd mentioned above.

syslog-ng is an open source syslogd replacement. It performs all the functions of the standard syslogd in addition to providing features such as the following:

  • Improved filtering functionality. In addition to syslog's facility/priority level filtering, syslog-ng can perform regular expression filtering against the program name, hostname, text of the message itself, the sender's IP address, and so on.

  • TCP transport - In addition to syslogd’s UDP transport, syslog-ng supports a TCP transport which offers better delivery guarantees.

    NOTE: It is important to note that syslog-ng's support for a TCP transport does not imply that it safeguards against all message loss. For example, if the log consolidation server is down, the remote forwarding clients will indeed experience packet loss once their buffers are exceeded (the client-side buffer size is configurable with syslog-ng). TCP can offer better reliability in general, however, and can offer increased security. For example, TCP-based log traffic can be encrypted using ssh.

  • Log rotation based on output filenames - Log output filenames can be based on templates names which support macro expansion. For example, if the output filename template contains the month macro, a new filename will created each month.

  • Launching programs - A message can trigger a program to be launched, sending the message to its standard input

  • Log forwarding for arbitrary text-based logs - In conjunction with DSAU's clog_tail tool, syslog-ng can be used to forward and consolidate arbitrary text-based application log files such as Serviceguards package log files.

syslog Co-existence

The Distributed Systems Administration Utilities configures syslog-ng to co-exist and work alongside the standard syslogd. syslogd continues to handle all the local logging for the system. syslog-ng is used when forwarding messages to a log consolidation system and is used on the log consolidator to receive and filter messages. The following diagrams illustrate the relationship between syslogd and syslog-ng. Figure 1 depicts the configuration on a syslog-ng client system that is forwarding logs to a remote log consolidation server.

Figure 3-2 syslog-ng Log-Forwarding Configuration

syslog-ng Log-Forwarding Configuration

  1. The grey area represents standard syslogd operation. Applications such as Serviceguard’s cmcld daemon call syslog (see syslog(3C)) to send messages to syslogd. syslog writes messages to the local system’s /var/adm/syslog/syslog.log and related files. Applications also frequently have application-specific log files. In this example, Serviceguard maintains a log of package operations in /etc/cmcluster/<package name>/<package name>.log.

  2. The clog_tail daemon of DSAU, labeled “Log reader” in the diagram, monitors text-based logs and sends new log lines to syslog-ng for processing. In a Serviceguard cluster, clog_tail defaults to monitoring all the package logs.

  3. The log_reader sends all new log messages to a named pipe (log_consolidation_fifo), which is one of the log sources for syslog-ng.

  4. The syslog-ng reads any new data from the named pipe and forwards it to the log consolidation server.

  5. The local syslogd, in addition to writing log messages to the local /var/adm/syslog/syslog.log, is configured to additionally forward all messages to the local instance of syslog-ng. syslog-ng in turn, forwards these messages to the log consolidator. The administrator can choose to use UDP, TCP, or TCP with ssh when forwarding messages.

Figure 3-3 “syslog-ng Log Consolidator Configuration” illustrates the configuration on the log consolidation server.

Figure 3-3 syslog-ng Log Consolidator Configuration

syslog-ng Log Consolidator Configuration

  1. The syslog-ng server reads the incoming log data from the UDP or TCP connected clients. Note: gray arrows indicate a read operation; black arrows, a write.

  2. The grey area is identical to the client configuration in Figure 3-2 “syslog-ng Log-Forwarding Configuration” In terms of the local system, syslog-ng acts as client and is processing locally forwarded syslog messages and clog_tail messages.

  3. The syslog-ng server processes all messages and filters them into the appropriate consolidated log files. In this specific example, the administrator has created a filesystem named “/clog” to house the consolidated logs. /clog/syslog/ would contain the consolidated syslog-related file. /clog/packages would contain consolidated package logs for a Serviceguard cluster.

Log Consolidation Configuration

The following sections describe how to configure log consolidation servers and log forwarding clients. Configuring a consolidation server is a multi-step process. The clog_wizard tool vastly simplifies the configuration process. If you choose not to use the wizard, the manual configuration steps are also described below.

Using the Log Consolidation Wizard

The Log Consolidation Wizard is installed as /opt/dsau/sbin/clog_wizard. The wizard supports creating the following configurations:

  • a standalone log consolidation server

  • a highly-available log consolidation server for use within a single Serviceguard cluster (intra-cluster use only)

  • a highly-available log consolidation server for use by the local Serviceguard cluster and remote systems, including Serviceguard cluster clients

  • a standalone system forwarding logs to a remote log consolidation server

  • a Serviceguard cluster forwarding logs to a remote log consolidation server

Choose the appropriate configuration option.

The wizard detects whether you are running on standalone system or a Serviceguard cluster, as described in the next sections.

Configuring a Log Consolidation Standalone Server with clog_wizard


For a standalone system, the wizard first displays introductory paragraphs explaining log consolidation and then asks:

Do you want to configure log consolidation? (y/n) [y]:

Answer yes or simply press Enter. The next question is:

You can configure this system hostname as either:
- Consolidation server
- Client that forwards logs to a remote consolidation server

Do you want to configure hostname as a Consolidation Server?
(y/n) [y]:

Answer yes. The wizard then prompts:

Enter the fully qualified directory where the consolidated
logs should be stored? []:

It is typically best to select a dedicated filesystem for the consolidated logs. Since consolidated logs like syslog can grow rapidly, HP also recommends that the filesystem be configured for “largefiles.” For this example, assume that a filesystem named “/clog” is used.

Next, the wizard prompts for the client’s transport:

You can choose to have the clients forward logs to this
consolidation server via the UDP protocol or the TCP
protocol (recommended).

Do you want to use the TCP protocol? (y/n) [y]:

Note that selecting TCP does not necessarily preclude the use of UDP forwarded log messages by clients. Whether the log consolidator allows TCP log messages exclusively, depends on whether the system is consolidating its own local syslog file. See below for details.

You need to choose a free port on this system for log
receiving.

Note: When configuring log consolidation on the clients,
this port will need to be specified.

Enter the TCP port to be used for log receiving? []:

There is no reserved port for the TCP transport of syslog-ng. Any port that is not in use can be chosen. HP recommends that the administrator choose a port from the reserved range, that is, ports below 1024. Only privileged processes on a remote system can connect to privileged ports. Note that this provides only a weak security guarantee because it implies that the administrator trusts the remote system. See the ssh section in the log forwarding client section for establishing stronger security guarantees.

The /etc/services file documents the well-known reserved ports. When choosing a reserved port, the wizard will check both /etc/services and use “netstat -an” to check that the port is not in use.

Note that syslogd uses UDP port 514. TCP port 514 is reserved for use by remsh. remsh is not a secure protocol and is disabled at many sites. If remsh has been disabled on the consolidator, you could use TCP port 514. This has the advantage that it is a privileged port and it is the same as the UDP port number so it is easy to remember and manage. However, if the administrator changes the system to re-enable the use of remsh, syslog-ng would have to be reconfigured to use a new port and all the client systems that forward to this system would have to be updated.

Unlike UDP, TCP is a connection-oriented protocol. Each log forwarding client using TCP will have a connection to the log consolidation server. In order to avoid denial of service attacks, the default number of TCP connections accepted by syslog-ng is limited to 10 connections. For larger numbers of clients, edit the consolidation server’s /etc/syslog-ng.conf.server file. Find the TCP source line in the file:

source s_syslog_tcp { tcp(port(<TCP port>)
keep-alive(yes));};

and add a max-connections() attribute as follows:

source s_syslog_tcp { tcp(port(<TCP port>) keep-alive(yes)
max-connections(N)); };

where N is the expected number of clients.

Next, the wizard prompts for which local logs should be consolidated:

Log files that reside on this system can be consolidated.

Would you like to consolidate this system's syslogs? (y/n) [y]:

Answering yes places this log consolidation system’s own local syslog data in the consolidated log along with the client system syslog data. To preserve the priority and facility of syslog entries, UDP local loopback is used, and syslog is configured to also forward entries to its local UDP port 514. syslog-ng is configured to read from this port. Thus, consolidating this system’s syslogs allows clients to also connect to this log consolidation server via UDP port 514, even if TCP transport is specified earlier. If you choose not to consolidate this system’s syslogs, then choosing a TCP transport earlier will require that all log forwarding clients be configured to use the TCP transport.The wizard displays a summary of all the configuration choices made by the administrator:

Summary of Log Consolidation Configuration:

       You have chosen to configure hostname as a Log
       Consolidation Server.
       Logs will be forwarded from the remote consolidation
       clients to local port 1776 using the TCP protocol.

       The consolidated logs will be stored under directory:
               /clog

       The following logs from the local system will be
       consolidated:
              Syslog

If these choices are correct, continue:

Do you want to continue? (y/n) [y]: y

The wizard displays its progress by describing which files are being modified. For a complete description of the modified files, please refer to “Manually Configuring Log Consolidation”.

Copying files that will be modified by the wizard to
/var/opt/dsau/root_tmp/clog. These files will be used to
restore the system to its current log consolidation
configuration, in the event of a failure.
 
Configuring hostname as a log consolidation server.
 
Creating the /etc/syslog-ng.conf.server configuration
file.
 
Creating a symbolic link from /etc/syslog-ng.conf to the 
/etc/syslog-ng.conf.server configuration file.
Creating /etc/rc.config.d/syslog-ng, the log
consolidation configuration file.
 
Updating the syslog configuration:
       Updating the /etc/rc.config.d/syslogd file to add
       -N SYSLOGD_OPTS. This stops syslogd from
       listening to UDP port 514.
 
       Updating the /etc/syslog.conf file for UDP local
       loopback.
 
       Starting syslogd for the configuration changes to
       take effect.
 
Registering the log consolidation ports in the
/etc/services file.
 
Starting syslog-ng.
 
Successfully configured hostname as a log consolidation
server.
Configuring a Serviceguard Cluster as a Log Consolidation Server with clog_wizard


When running the clog_wizard (see clog_wizard(1M)) in a cluster, first make sure that all the cluster members are up and available. The wizard needs to perform configuration operations on each member. It only needs to be run once, from any member of the cluster.

The wizard will set up and create a Serviceguard package for the consolidated logging service. Make sure that this cluster’s MAX_CONFIGURED_PACKAGES value can accommodate the additional package. For more information on this setting, please refer to the Managing Serviceguard manual which is part of the Serviceguard documentation set.

The wizard first displays introductory paragraphs explaining log consolidation:

Log file consolidation allows you combine the log entries from
multiple remote systems into a single file. The standard use of
this feature is to consolidate syslog data from several
systems. Each remote system continues to write entries to its
local syslog.log and additionally forwards the entries to the
consolidating host. The system's forwarding log entries are
consolidation clients. The system they are sending the entries
to is the consolidation server. In addition to syslog data,
arbitrary textual log files can also be consolidated.
 
In a Serviceguard cluster, this tool can help you automate package
log file consolidation. Log consolidation is especially useful in a
Serviceguard cluster, since it allows you to look at a single
consolidated file instead of the per-member logs. This tool needs
to be run only once in the cluster and not on each cluster member.
All cluster members should be up when running this wizard.
 
clog_wizard will prompt you for information to configure log
file consolidation. Some of these questions have a default
answer contained within square brackets. If you press Return,
the default answer is assumed.
 
Do you want to configure log consolidation? (y/n) [y]:

Answer yes or simply press Enter. The next question is

You can configure this cluster clustername as either:
- Consolidation server
- Client that forwards logs to a remote consolidation server
 
Do you want to configure clustername as a Consolidation Server?  (y/n) [y]:

Answer yes.

In a cluster, the wizard configures syslog-ng to be highly available using a Serviceguard package. The package name is “clog” for consolidated logging. The LVM storage configuration and network configuration for the package must be set up before continuing or before running the wizard. For additional details, refer to Managing Serviceguard, in Chapter 5, “Building an HA Cluster Configuration,” in the section “Creating a Storage Infrastructure with LVM.”

NOTE: The wizard only supports creating packages based on LVM volume groups. When using CFS or VxVM, manual configuration is required. See the section “Manually Configuring Log Consolidation” for details.

The wizard prompts for the following, all of which should have already been configured:

  1. LVM volume group name (for example, vgclog)

  2. Logical volume in the volume group (for example, /dev/vgclog/lvol1)

  3. The filesystem’s mount point (for example, /clog)

  4. The filesystem’s mount options (for example, -o rw,largefiles). The mount options are used verbatim in the Service package control script’s FS_MOUNT_OPT[0] field. Note that the mount options must agree with the filesystem you created on the logical volume. For example, if the filesystem was created with largefiles support, the largefiles mount option should be specified. Since consolidated logs tend to be large, it is recommended to configure VxFS filesystems with the largefiles option.

  5. The filesystem type (for example, VxFS)

  6. The package IP address. This should also be a registered DNS name so the log forwarding is easy to configure on client systems.

  7. The package subnet. Use netstat -i to determine the proper subnet.

Next, the wizard prompts for the client’s transport.

You can choose to have the clients forward logs to this
consolidation server via the UDP protocol or the TCP protocol
(recommended).
 
Do you want to use the TCP protocol? (y/n) [y]:

Note that selecting TCP does not necessarily preclude the use of UDP forwarded log messages by clients. Whether the log consolidator allows TCP log messages exclusively, depends on whether the system is consolidating its own local syslog file. See below for details.

When answering Yes to TCP, you must select a free TCP port. This port must be free on all cluster members. See the section “Configuring a Log Forwarding Client Using clog_wizard” using the clog_wizard for details on choosing a TCP port.

Next the wizard prompts for which local logs should be consolidated:

Log files that reside on this cluster can be consolidated.
 
Would you like to consolidate this cluster's syslogs? (y/n) [y]:
 
Would you like to consolidate this cluster's package logs? (y/n) [y]:

In a Serviceguard cluster, you can consolidate all the member-specific syslog files into a single consolidated syslog containing syslog.log, mail.log and syslog-ng.log. Each member-specific package log can also be consolidated.

Note that if you choose to consolidate the cluster’s syslogs, the remote clients can also forward UDP syslog messages to the cluster, regardless of the answer to the “Do you want to use the TCP protocol” question. If you choose not to consolidate this cluster’s syslogs, then choosing a TCP transport earlier will require that all log forwarding clients be configured to use the TCP transport.

The consolidated logs are placed in the filesystem associated with the package. Using the example above, the consolidated syslog.log would be located here:

/clog/syslog/syslog.log,mail.log,syslog-ng.log

The consolidated packages logs would be located here:

/clog/package/package1.log, package2.log, ..., packageN.log

The wizard now has all the data it needs to configure the consolidated logging package. It displays a summary confirmation screen and then performs the configuration:

Summary of Log Consolidation Configuration:
       You have chosen to configure clustername as a Log Consolidation
       Server.
       Logs will be forwarded from the remote consolidation clients to local 
       port port-number using the TCP protocol.
 
       For high availability the Serviceguard package "clog" will be 
       configured with the following attributes:
             Volume Group:     vgclog
             Logical Volume:   /dev/vgclog/lvol1
             Filesystem:       /clog
             Mount Options:    -o rw,largefiles
             Filesystem Type:  vxfs
             IP Address:       123.456.789.10
             Subnet:           123.456.788.0
 
       The following logs on this cluster will be consolidated:
             Syslog
             Serviceguard package logs Do you want to continue? (y/n) [y]:
 
Do you want to continue? (y/n) [y]:
 
Copying files that will be modified by the wizard to /var/opt/dsau/root_tmp/clog on each cluster node. These files will be used to restore the cluster to its current log consolidation configuration, in the event of a failure.
 
Configuring clustername as a log consolidation server.
 
The configuration will be done on all cluster nodes.
It will take a few minutes....
 
Creating the /etc/syslog-ng.conf.server configuration file.
 
Creating the /etc/syslog-ng.conf.client configuration file.
 
Creating a symbolic link from /etc/syslog-ng.conf to the
/etc/syslog-ng.conf.client configuration file.
 
Halting the "clog" Serviceguard package if it is up.
 
Creating /etc/rc.config.d/syslog-ng, the log consolidation configuration file.
Updating the syslog configuration:
       Updating the /etc/rc.config.d/syslogd file to add -N to SYSLOGD_OPTS.
       This stops syslogd from listening to UDP port 514.
 
       Updating the /etc/syslog.conf file for UDP local loopback.
 
       Starting syslogd for the configuration changes to take effect.
 
Registering the log consolidation ports in the /etc/services file.
 
Starting syslog-ng.
 
Setting up the log consolidation server to be highly available.
 
Configuring the "clog" Serviceguard package.
 
Applying the "clog" Serviceguard package configuration file, this will take a moment.
 
Starting the "clog" Serviceguard package, this will take a few moments...
 
The "clog" Serviceguard package has been started on cluster-member.
 
Successfully created the "clog" Serviceguard package.
 
Successfully configured clustername as a log consolidation server.
Cluster Configuration Notes


In a Serviceguard cluster, the adoptive node for the clog package performs the log consolidation functions. All the other cluster members participate as log forwarding clients and send log messages to the relocatable IP address of the clog package. DSAU maintains two configuration files that control whether the instance of syslog-ng on a particular cluster member operates as a consolidation server or a log forwarding client: /etc/syslog-ng.conf.server and /etc/syslog-ng.conf.client. The symbolic link /etc/syslog-ng.conf points to one of the configuration files. When the cluster is booted, all the members start as log forwarding clients with syslog-ng running on each member. The /sbin/init.d/syslog-ng startup script sets the symbolic link /etc/syslog-ng.conf to point to /etc/syslog-ng.conf.client. When the clog package starts, the adoptive node restarts that instance of syslog-ng as a log consolidation server instance. The package script resets the /etc/syslog-ng.conf symbolic link to point to /etc/syslog-ng.conf.server. If the clog package is halted, the symlink is changed to point to /etc/syslog-ng.conf.client and the syslog-ng instance on that member restarted. Note that when a cluster is a log consolidation server, and the package is down, no log consolidation occurs and forwarded log messages are lost.

Note that cluster members can forward log messages to the consolidator using either UDP or TCP. Within a Serviceguard cluster, ssh port forwarding is not used. ssh port forwarding can be used to secure the log traffic forwarded by remote clients outside the cluster. For additional information, refer to “ssh Port Forwarding”.

Serviceguard Automation Features


The Distributed Systems Administration Utilities require Serviceguard 11.17 or later. With Serviceguard 11.17 or later, when members are added to or deleted from cluster or packages are added and deleted, the DSAU consolidated logging tools will automatically take the appropriate configuration actions. Specifically:

  • When adding a member to the cluster, the new member will be automatically configured to participate in log consolidation according to the cluster’s configuration. The following files are automatically configured on the added member:

    • /etc/rc.config.d/syslog-ng

    • /etc/rc.config.d/syslogd

    • /etc/syslog.conf

    • /etc/syslog-ng.conf.client, /etc/syslog-ng.conf.server, and the /etc/syslog-ng.conf symbolic link

    • /etc/services

  • When deleting a member from a cluster:

    • The member is still configured as a log-forwarding client and will continue to forward syslog messages to the cluster if that option had been chosen during the initial run of the clog_wizard. If the system should no longer forward log messages to the cluster, rerun the wizard to configure the system to forward to a different consolidator, or disable log consolidation entirely. Refer to “Disabling Log Consolidation” for additional information.

    • The package logs on the deleted member are still monitored until a reboot. Since this member is no longer part of the cluster, the package logs will not be active.

  • When adding or deleting a package, the following automated actions occur:

    • The package is added to or deleted from /etc/syslog-ng.conf.server cluster-wide. There is a reserved section of these files dedicated for use by the DSAU tools. The configuration stanzas added in this section direct syslog-ng to filter package log messages into the appropriate consolidated package logs.

    • The clog_tail log monitor adds or deletes the package log file from its list of files to monitor.

Minimizing Message Loss During Failover


When there is a failure on the adoptive node, it takes a finite amount of time for the clog package to fail over to another cluster member. The longer this failover time, the more likely that messages could be lost from the consolidated log. Use the following guidelines to minimize message loss during failover.

  • Configure clients to use the TCP transport instead of the UDP transport. UDP messages will be lost unconditionally when the package is down. The TCP protocol contains retry mechanisms, congestion control, and so on, that help minimize message loss.

  • syslog-ng can buffer TCP messages on the client side. The number of messages buffered is controlled by the syslog-ng log_fifo_size() setting. This sets an upper limit on the number of messages that can be buffered. The default /etc/syslog-ng.conf() file sets log_fifo_size to 10000.

  • syslog-ng has a time_reopen() option to configure the time to wait before a dead connection is reestablished. The /etc/syslog-ng.conf file has time_reopen() set to 10 seconds.

  • Serviceguard offers various configuration options to improve failover times such as HEARTBEAT_INTERVAL and NODE_TIMEOUT. Serviceguard Extension for Faster Failover (SGeFF) is also available to optimize failover times for two-node clusters. Since syslog-ng itself starts quickly, SGeFF is an ideal candidate for improving failover times and minimizing message loss.

Configuring a Log Forwarding Client Using clog_wizard


There are two ways to configure a log forwarding client: as a standalone machine or as a Serviceguard cluster. When configuring a cluster as a log forwarding client, all the members of the cluster will be configured identically as clients. The wizard asks the same questions and performs the same configuration actions for single systems and for clusters. The examples below show use of the clog wizard on a Serviceguard cluster.After starting clog_wizard, answer “yes” to the following question:

Do you want to configure log consolidation? (y/n) [y]:

or simply press Enter. The next question is:

You can configure this cluster clustername as either:
- Consolidation server
- Client that forwards logs to a remote consolidation server
 
Do you want to configure clustername as a Consolidation Server?  (y/n) [y]: n

Answer “No” here. At this point you are configuring a log forwarding client. The wizard displays the following:

You now need to specify what system will be the
consolidator. If the consolidator is a Serviceguard
cluster, you should specify the IP address of the "clog"
Serviceguard package for this question. The "clog"
package is used to make log consolidation highly
available on the consolidator.
 
The consolidation server must already be configured.
 
Enter the hostname or IP address of the consolidator?
[]: clog.usa.xyz.com

After entering the hostname or IP address of the log consolidation server, the wizard asks if you want to use the TCP transport when forwarding log messages:

You can choose to forward logs to the consolidator via
the UDP protocol or the TCP protocol (recommended).
 
Do you want to use the TCP protocol? (y/n) [y]:

Standard syslogd forwards messages using the UDP protocol. UDP is a high-performance, broadcast-oriented protocol with no flow control or message delivery verification. syslog-ng supports syslogd’s UDP protocol and a TCP protocol. The TCP transport offers both flow control and message delivery checks. However, since TCP is a connection-oriented protocol, it requires additional resources on the log consolidation server. The consolidation server’s max-connections() attribute must be set according to the maximum number of expected clients. Refer to section “Configuring a Log Consolidation Standalone Server with clog_wizard” for a discussion of the max-connections() setting. If you answer “yes” to using TCP, the next question asks for the TCP port to forward messages to:

You need to find out from the administrator of the
consolidation server the TCP port that was configured
for log receiving.
 
Enter the TCP port configured on the CONSOLIDATOR for
log receiving? []: 1776

You must use the TCP port selected by the system administrator of the log consolidation server. If the clog_wizard was used to configure the server, the port number is saved in /etc/rc.config.d/syslog-ng as the variable CLOG_TCP_PORT. In this example, TCP port 1776 was used. If you answer “yes” to the TCP question, the following question is displayed:

The TCP protocol can be used in conjunction with Secure
Shell port forwarding to enhance security. Each member
of this cluster must already have non interactive Secure
Shell Authentication set up with the consolidator. You
can use the tool /opt/dsau/bin/csshsetup to configure
non interactive Secure Shell Authentication.
 
Do you want to configure Secure Shell port forwarding? (y/n) [y]:

Choose yes in order to use ssh port forwarding. This will encrypt all the traffic sent from this local log forwarding client to the log consolidator.

NOTE: A special ssh security configuration is required on the server when a Serviceguard cluster is the log consolidation server. For details, refer to “ssh Port Forwarding”.

ssh port forwarding requires an additional free TCP port on the local client system:

You need to choose a free port on this cluster for ssh port forwarding. The port chosen should be free on all cluster nodes.

Enter the ssh port to be used for port forwarding? []: 1175

The same guidelines for choosing a free syslog-ng TCP port apply to this port. For details, refer to “Configuring a Log Consolidation Standalone Server with clog_wizard”. In this example, the local port 1775 was used. For a Serviceguard cluster log forwarding client, the cluster’s syslogs and package logs can be forwarded to the log consolidation server. For a standalone system, the wizard asks only about forwarding syslog messages:

Log files that reside on this cluster can be forwarded to the consolidator.
 
Would you like to forward this cluster's syslogs? (y/n) [y]:
 
Would you like to forward this cluster's package logs? (y/n) [y]:

Note that when forwarding a cluster’s package logs, manual configuration is required on the consolidation server in order to add the syslog-ng filtering lines to cause these package logs to be consolidated into their own unique files. See “Manually Configuring Log Forwarding Clients” for details.

After all the questions have been answered, the clog_wizard displays the following summary screen:

Summary of Log Consolidation Configuration:
 
       You have chosen to configure clustername as a Log Consolidation Client.
       Logs will be forwarded to the remote consolidation server
       clog.usa.xyz.com on port 1776 using the TCP protocol.
 
       The TCP protocol will be used in conjunction with Secure Shell 
       Port Forwarding using port 1775, for added security.
 
       The following logs will be forwarded for consolidation:
            Syslog
            Serviceguard package logs
 
Do you want to continue? (y/n) [y]:

Confirm your answers with a “yes” response and the wizard summarizes the configuration steps that it performs:

Copying files that will be modified by the wizard to /var/opt/dsau/root_tmp/clog on each cluster node.
These files will be used to restore the cluster to itscurrent log consolidation configuration, in the eventof a failure.
 
Configuring clustername as a log consolidation client.
 
The configuration will be done on all cluster nodes.
It will take a few minutes....
 
Creating the /etc/syslog-ng.conf.client configuration file.
 
Creating a symbolic link from /etc/syslog-ng.conf to the /etc/syslog-ng.conf.client configuration file.
 
Creating /etc/rc.config.d/syslog-ng, the log consolidation configuration file.
Updating the syslog configuration:
       Updating the /etc/rc.config.d/syslogd file to add -N to SYSLOGD_OPTS.
       This stops syslogd from listening to UDP port 514.
 
       Updating the /etc/syslog.conf file for UDP local loopback.
 
       Starting syslogd for the configuration changes to take effect.
 
Registering the log consolidation ports in the /etc/services file.
 
Starting syslog-ng.
 
Successfully configured clustername as a log consolidation client.

For additional information on the configuration actions performed by the clog_wizard, refer to “Manually Configuring a Serviceguard Cluster as a Log Consolidation Server”.

Manually Configuring Log Consolidation

If you choose not to use the Consolidated Logging Wizard, use the following sections for the manual steps required to configure a log consolidation server and log forwarding clients. Because there are many steps required to set up clients and servers, HP recommends using the clog_wizard.

Manual configuration is required for the following cases:

  • When a cluster is a log forwarding client and forwarding package logs, manual configuration is required on the consolidation server (standalone or cluster) to filter the package logs appropriately.

  • When configuring a Serviceguard Cluster as a log consolidator and you require:

    • Special customization of the clog package

    • Use of VxVM instead of LVM

    • Use of the Cluster File System (CFS)

It is often simplest to run the wizard and let it complete the basic configuration and then customize, starting from that point.

Manually Configuring a Log Consolidation Server


The following sections describe the detailed steps required to configure a standalone system or a Serviceguard cluster as a log consolidation server manually.

Manually Configuring a Standalone Log Forwarding Client

Start by configuring the standard syslogd to co-exist with a syslog-ng consolidator. By default, syslogd listens for incoming log messages on UDP port 514. If you want to accept UDP syslog messages from remote clients or consolidate this server’s local syslogs, syslog-ng must listen on UDP port 514. Edit /etc/rc.config.d/syslogd and change SYSLOGD_OPTS to add the -N switch, which prevents syslogd from listening on port 514. For example:

SYSLOGD_OPTS=“-D -N”

If you want the local syslog messages from the log consolidation server itself to be part of the consolidated syslog, edit the consolidator’s /etc/syslog.conf file to forward log messages to port 514 on the local host where they will be read by syslog-ng. Using the HP-UX default /etc/syslog.conf as an example, add the following lines:

mail.debug                @<log consolidation server>
*.info;mail.none          @<log consolidation server>

where <log consolidation server> is the fully qualified domain name of the consolidation server. The name must be fully qualified or syslogd will not forward the messages properly. Note that there must be a <tab> before each @ sign.

If you have customized syslog.conf, make sure to add the forwarding lines for your customizations as well.

syslogd must be stopped and restarted for these changes to take effect, using the following commands:

# /sbin/init.d/syslogd stop

# /sbin/init.d/syslogd start

With syslogd appropriately configured, now configure syslog-ng. Start with the same syslog-ng.conf templates used by the clog_wizard. Copy /opt/dsau/share/clog/templates/syslog-ng.conf.server.template to /etc/syslog-ng.conf.server. This file has tokens named <%token-name%> that are replaced by the wizard based on the administrator’s answers to the wizard’s questions.

Replace the tokens as follows:

  • When using the TCP protocol and configuring the consolidation server to consolidate its own syslogs, replace the <%UDP_LOOPBACK_SOURCE%> token with:

    source s_syslog_udp { udp(port(514)); };

    Replace the <%UDP_LOOPBACK_LOG%> token with:

    log { source(s_syslog_udp); destination(d_syslog_tcp); };

    This causes the syslog-ng consolidator to read the local syslogd’s UDP messages and send them to syslog-ng on the local TCP port. Optionally, the destination could be set to be the local consolidation file directly, (destination(d_syslog) in this default template), but this configures the consolidation server client components in the same manner as a remote client. In other words, when the consolidator is a client of itself, it’s configured identically to remote clients.

    If using the UDP protocol or not consolidating the local syslogs of this server, delete the <%UDP_LOOPBACK_SOURCE%> and <%UDP_LOOPBACK_LOG%> tokens.

  • Replace the <%TYPE%> tokens with either udp or tcp depending on the desired log transport to support. Note that even when using TCP clients, UDP clients are also supported if the consolidation of the server’s local syslogs is configured. There are multiple lines with the <%TYPE%> token and all must be edited appropriately.

  • For the “source s_syslog_<%TYPE%> ” line, replace the <%PORT%> and <%KEEP_ALIVE%> tokens with appropriate values, as follows: 

    source s_syslog_<%TYPE%> { <%TYPE%>(port(<%PORT%>) <%KEEP_ALIVE%>); };

    For TCP, the port needs to be an available TCP port. See section “Configuring a Log Consolidation Standalone Server with clog_wizard” for a discussion of selecting an available port. For UDP, use port 514.

    <%KEEP_ALIVE%> applies only when selecting TCP as the log transport. Replace this token with “keep-alive(yes)” which instructs syslog-ng to keep connections open when it is rereading its configuration file. If using UDP, delete this token.

  • For the “destination d_syslog_<%TYPE%>” line, replace the <%IP%> and <%PORT%> tokens: 

    destination d_syslog_<%TYPE%> { <%TYPE%>(“<%IP>” port(<%PORT%>)); };

    For example, for TCP: 

    destination d_syslog_tcp { tcp(“local hostname” port(1776)); };

    where the <%IP%> is replaced by the server’s IP address or local hostname and the <%PORT%> is replaced by the selected TCP port number.

    For UDP: 

    destination d_syslog_udp { udp(“local hostname” port(514)); }
    where <%IP%> is replaced by the server’s IP address or local hostname and the <%PORT%> token is replaced by 514, the standard syslog UDP port.

  • Replace the <%FS%> token with the filesystem or directory where the consolidated logs will be kept. For example, 

    destination d_syslog { file(“<%FS%>/syslog/syslog.log”); };

    becomes: 

    destination d_syslog { file(“/clog/syslog/syslog.log”); };

    Make sure that this directory exists or the appropriate filesystem is mounted. Since consolidated logs can grow quite large, HP recommends that this filesystem use the largefiles option and that there is sufficient room for growth.

  • When using TCP, record the port number you choose above in the /etc/services file. For example, add the line:

    clog_tcp  1776/tcp   # Consolidated logging with syslog-ng

  • Create the following symbolic link: 

    ln -sf /etc/syslog-ng.conf.server /etc/syslog-ng.conf

  • The syslog-ng startup procedure, /sbin/init.d/syslog-ng relies on several configuration variables. Edit /etc/rc.config.d/syslog-ng as follows:

    • Change the CLOG_CONFIGURED line to: 

      CLOG_CONFIGURED=1

    • Add the following lines: 

      CLOG_CONSOLIDATOR=1
      CLOG_FS=<directory where the consolidated logs will be stored>

      If using the TCP protocol, add:

      CLOG_TCP=1
      CLOG_TCP_PORT=<tcp port chosen for log consolidation>

      otherwise, if using the UDP protocol, add:

      CLOG_TCP=0

      If consolidating the local syslogs, add:

      CLOG_SYSLOG=1

      otherwise add: 

      CLOG_SYSLOG=0

      For a standalone consolidator, add the following:

      CLOG_SYSTEM_LOG_CONSOLIDATION_DIR=<consolidated log directory/syslog>
      CLOG_SERVICEGUARD_PACKAGE_LOG_CONSOLIDATION_DIR=<consolidated log directory/packages>

    • Add the following two values that are used by the System File Viewer: 

      CLOG_LAYOUTS_DIR=/var/opt/dsau/layouts 
      CLOG_ADDITIONAL_LOG_DIRS[0]=/var/adm/syslog

  • Test the configuration by performing the following steps:

    1. Run /opt/dsau/sbin/syslog-ng with the -s or --syntax-only option to verify the syntax of the /etc/syslog-ng.conf file. This should be a symbolic link to /etc/syslog-ng.conf.server as described above.

    2. Start syslog-ng using /sbin/init.d/syslog-ng start.

    3. If consolidating the local syslogs, use logger <test message> and make sure this message is in the consolidated syslog.log. If you are not consolidating the local logs, use the logger command from a log forwarding client. Note that the logger messages are first sent to the local syslog which forwards them to syslog-ng. syslogd by default suppresses duplicate messages. If you issue multiple logger test messages, make sure each is unique.

Manually Configuring a Serviceguard Cluster as a Log Consolidation Server

Configuring a Serviceguard cluster as a log consolidation server is similar to the steps for a single system. All cluster members must be up and accessible before proceeding.

Create the configuration files described below on every cluster member. The simplest approach is to configure one member completely and then copy each configuration file cluster-wide. The cexec and ccp tools can simplify replicating changes cluster-wide.

For a cluster configuration, syslog-ng is configured as a package so the log consolidation service is highly available. The package must be named clog and the package configuration files require the following information:

  • Registered IP address and DNS name for the clog package

  • The subnet associated with that IP address

  • Cluster-wide storage configuration using LVM or VxVM

  • A filesystem configured on the cluster-wide storage, that can be VxFS or CFS. Since consolidated logs grow rapidly, HP recommends that the filesystem be configured using the largefiles option and that there is room for growth.

Complete IP address registration and storage/filesystem configuration before continuing. For additional information on creating the Serviceguard storage/filesystem configuration for a package, refer to the Managing Serviceguard manual.

Refer to section “Cluster Configuration Notes” for an overview of how to configure consolidated logging in a cluster.

  1. If you want the local syslog messages for the cluster itself to be part of the consolidated syslog, complete the following tasks:

    1. Start by configuring the standard syslogd to co-exist with a syslog-ng consolidator. By default, syslogd is listens for incoming log messages on UDP port 514. To use the UDP protocol or consolidate this server’s local syslogs, syslog-ng must listen on UDP port 514. Edit etc/rc.config.d/syslogd and change SYSLOGD_OPTS to add the -N switch to prevent syslogd from listening on port 514. For example:

      SYSLOGD_OPTS=“-D -N”

    2. Edit the /etc/syslog.conf file to forward log messages to UDP port 514 on the local host where they will be read by syslog-ng. Using the HP-UX default /etc/syslog.conf as the example, add the following lines:

      mail.debug              @<log consolidation server>
      *.info;mail.none        @<log consolidation server>

      where <log consolidation server> is the fully qualified domain name of the local cluster member. The name must be fully qualified or syslogd will not forward messages properly.

      If you have customized syslog.conf, make sure to add the forwarding lines for your customizations as well.

    3. Since /etc/rc.config.d/syslogd is generic, it can be distributed cluster-wide using ccp, as follows:

      # cpp /etc/rc.config.d/syslogd /etc/rc.config.d/

    4. The /etc/syslog.conf is specific to each member and the edits described above must be performed on each cluster member.

    5. Making the above changes on each cluster member, syslogd must be restarted for these changes to take affect. Use cexec to do this on all members of the cluster:

      # cexec “/sbin/init.d/syslogd stop;/sbin/init.d/syslogd start”

  2. To configure syslog-ng, start with the same syslog-ng.conf templates used by the clog_wizard. On one cluster member, copy /opt/dsau/share/clog/templates/syslog-ng.conf.server.template to /etc/syslog-ng.conf.server. Then copy an /opt/dsau/share/clog/templates/syslog-ng.conf.client.template to /etc/syslog-ng.conf.client. Both files have tokens named <%token-name%> that are replaced by the wizard based on the administrator’s answers to the wizard’s questions.

    Manually replace the tokens in /etc/syslog-ng.conf.server as follows:

    1. When using the TCP protocol and configuring the consolidation server to consolidate its own syslogs, replace the <%UDP_LOOPBACK_SOURCE%> token with: 

      source s_syslog_udp { udp(port(514)); };

      Replace the <%UDP_LOOPBACK_LOG%> token with: 

      log { source(s_syslog_udp); destination(d_syslog_tcp); };

      This causes the syslog-ng consolidator to read the local syslogd’s UDP messages and send them to syslog-ng on the local TCP port. Optionally, the destination could be set to be the local consolidation file directly (destination(d_syslog) in this default template), but the above configuration sets the consolidation server client components in the same manner as a remote client. In other words, when the consolidator is a client of itself, it is configured identically to remote clients.

      If using the UDP protocol or not consolidating the local syslogs of this cluster, delete the <%UDP_LOOPBACK_SOURCE%> and <%UDP_LOOPBACK_LOG%> tokens.

    2. Replace the <%TYPE%> tokens with either udp or tcp depending on the desired log transport to support. Note that even when using TCP clients, UDP clients are also supported, if the consolidation of the cluster’s local syslogs is configured. There are multiple lines with the <%TYPE%> token and all must be edited appropriately.

    3. For the “source s_syslog_<%TYPE%>” line, replace the <%PORT%> and <%KEEP_ALIVE%> tokens with appropriate values: 

      source s_syslog_<%TYPE%> {<%TYPE%>(port(<%PORT%>)<%KEEP_ALIVE%>); };

      For TCP, the port needs to be an available TCP port on all cluster members. See section “Configuring a Log Consolidation Standalone Server with clog_wizard” for a discussion of selecting an available port. For UDP, use port 514.

      <%KEEP_ALIVE%> applies only when selecting TCP as the log transport. Replace this token with “keep-alive(yes)” which instructs syslog-ng to keep connections open when it is rereading its configuration file. If using UDP, delete this token.

    4. For the destination d_syslog_<%TYPE%> line, replace the <%IP%> and <%PORT%> tokens:

      destination d_syslog_<%TYPE%> { <%TYPE%>(“<%IP%>” port(<%PORT%>)); };

      For example, for TCP: 

      destination d_syslog_tcp { tcp(“package IP” port(1776)); };

      where the <%IP%> is replaced by the clog package IP address or hostname and the <%PORT%> is replaced by the selected TCP port number.

      For UDP: 

      destination d_syslog_udp { udp(“package IP” port(514)); };

      where <%IP%> is replaced by the clog package IP address or hostname and the <%PORT%> token is replaced by 514, the standard syslog UDP port.

    5. Replace the <%FS%> token with the filesystem or directory where the consolidated logs will be kept. This filesystem/directory is the one managed by the Serviceguard package. For example: 

      destination d_syslog { file(“<%FS%>/syslog/syslog.log”); };

      becomes:

      destination d_syslog { file(“/clog/syslog/syslog.log”); };

      Make sure that this filesystem mount point exists cluster-wide and that the storage fails over correctly cluster-wide. Since consolidated logs can grow quite large, HP recommends that this filesystem use the largefiles option and that there is sufficient room for growth.

      For additional information on creating the Serviceguard storage/filesystem configuration for a package, refer to the Managing Serviceguard manual.

  3. Manually replace the tokens in /etc/syslog-ng.conf.client as follows:

    1. If configuring the cluster to consolidate its own syslogs, replace the <%UDP_LOOPBACK_SOURCE%> token with: 

      source s_syslog_udp { udp(port(514)); };

      Replace the <%UDP_LOOPBACK_LOG%> token with:

      log { source(s_syslog_udp); destination(d_syslog_<type>); };

      where <type> is either tcp or udp depending on the desired log transport. This causes syslog-ng to read the local syslogd’s UDP messages and send them to the log consolidation server.

      If you do not want to consolidate the local syslogs of this cluster, delete the <%UDP_LOOPBACK_SOURCE%> and <%UDP_LOOPBACK_LOG%> tokens.

    2. Replace all the <%TYPE%> tokens with either tcp or udp depending on the desired log transport.

    3. Find the line: “destination d_syslog_<%TYPE%>{ <%TYPE%>(“<%IP%>”port(<%PORT>%>)); };.

      Replace <%IP%> with the IP address of the clog package. For TCP, replace <%PORT%> with TCP port used for log forwarding (selected above). For UDP, replace <%PORT%> with 514, the standard UDP port.

  4. The syslog-ng startup procedure, /sbin/init.d/syslog-ng, relies on several configuration variables. Edit /etc/rc.config.d/syslog-ng as follows:

    1. Change the CLOG_CONFIGURED line to: 

      CLOG_CONFIGURED=1

    2. Add the following lines: 

      CLOG_CONSOLIDATOR=1

      If using the TCP protocol, add:

      CLOG_TCP=1
      CLOG_TCP_PORT=<tcp port chosen for log consolidation>

      otherwise, if using the UDP protocol, add:

      CLOG_TCP=0

      If consolidating the local syslogs, add:

      CLOG_SYSLOG=1

      otherwise, add:

      CLOG_SYSLOG=0

      If consolidating package logs of this cluster, add:

      CLOG_PACKAGE=1

      otherwise

      CLOG_PACKAGE=0

    3. Add the following two values which are used by the System Log Viewer: 

      CLOG_LAYOUTS_DIR=/var/opt/dsau/layouts 
      CLOG_ADDITIONAL_LOG_DIRS[0]=/var/adm/syslog

  5. All the files edited thus far need to be distributed cluster-wide:

    # ccp /etc/syslog-ng.conf.server /etc/
    # ccp /etc/syslog-ng.conf.client /etc/
    # ccp /etc/rc.config.d/syslog-ng /etc/rc.config.d/


  6. When using TCP, record the port number you chose above in the /etc/services file. For example, add the line:

    clog_tcp  1776/tcp   # Consolidated logging with syslog-n

    Add this line to /etc/services for each member of the cluster.

Creating the clog Package

To create the consolidated logging or clog package, start by copying the package templates:

# mkdir /etc/cmcluster/clog
# cd /etc/cmcluster/clog
# cp /opt/dsau/share/serviceguard/templates/clog.conf.template clog.conf
# cp /opt/dsau/share/serviceguard/templates/clog.script.template clog
# chmod +x clog

Both the clog.conf package configuration file and the clog package control script need to be edited to replace marker tokens with the correct values.

For clog.conf, there is only one token to replace, <%SG_PKG_SUBNET%>. This identifies the package’s subnet. It is the same as the subnet value in the package control script. Use netstat -i to help identify the proper subnet for the package’s IP address.

For the package control script, clog, make the changes described below.

The default script template assumes you are using an LVM-based storage configuration. Replace the volume group/filesystem related tokens as appropriate for the package’s storage configuration as follows:

  1. Find the line “VG[0]=“<%SG_PKG_VOL_GRP%>”” and replace the token with the name of the VM volume group for the package. For example:

    VG[0]=“vgclog”

    If using VxVM, comment out the LVM Volume Group line VG[0]=”<%SG_PKG_VOL_GRP%>”. Uncomment the line “VXVM_DG[0]=” and put in the VxVM Disk Group.

  2. Find the line “LV[0]=“<%SG_PKG_LOG_VOL%>””and replace the token with the full name of the logical volume. For example: 

    LV[0]=“/dev/vgclog/lvol1”

  3. Find the line “FS[0]=“<%SG_PKG_FS%>”” and replace the token with the name of the filesytem created for this package. For example: 

    FS[0]=“/clog”

    All the consolidated logs will reside on this filesystem. The specific location for the consolidated package logs and the consolidated syslogs is specified in the /etc/syslog-ng.conf.server file. Using /clog as the example, the default locations based on the template /etc/syslog-ng.conf.server file are: 

    /clog/syslog/syslog.log 
    /clog/packages/<package name>.log

  4. Find the line “FS_MOUNT_OPT[0]=“<%SG_PKG_MNT_OPT%>”: ” and replace the token with the filesystem’s mount options. For example:

    FS_MOUNT_OPT[0]=-o rw,largefiles

  5. Find the line “FS_TYPE[0]=“<%SG_PKG_FS_TYPE%>”” and replace the token with the filesystem type. For example:

    FS_TYPE[0]=vxfs

  6. Find the line “FS_UMOUNT_OPT[0]=“<%SG_PKG_FS_UMOUNT_OPT%>”” and replace the token with any filesystem umount options. The token can be removed and this option left blank if there are no special umount options. For example:

    FS_UMOUNT_OPT[0]=“

  7. Find the line “FS_FSCK_OPT[0]=“<%SG_PKG_FS_FSCK_OPT%>”” and replace the token with any filesystem specific fsck options. The token can be deleted and this option left blank. For example:

    FS_FSCK_OPT[0]=

  8. Find the line “IP[0]=“<%SG_PKG_IP%>”” and replace the token with the IP address of the clog package. For example:

    IP[0]= 192.119.152.3

  9. Find the line “SUBNET[0]=“<%SG_PKG_SUBNET%>”” and replace the token with the subnet for the packages IP address. Use netstat -i to help determine the subnet. For example:

    SUBNET[0]= 192.119.152.0

Now, you need to distribute the package files clusterwide. To do this, do the following steps:

  1. Distribute the package files clusterwide. First, create the package directory on all the other members:

    # cexec mkdir /etc/cmcluster/clog

  2. Copy the package control script and package ASCII configuration file:

    # ccp clog clog.conf /etc/cmcluster/clog/

  3. Update the /etc/rc.config.d/syslog-ng file, by adding the following lines:

    CLOG_PKG_VOL_GRP=<LVM volume group>
    CLOG_PKG_LOG_VOL=<logical volume (full path)>
    CLOG_PKG_FS=<filesystem mount point where the consolidated logs are stored>
    CLOG_PKG_MNT_OPT=<file systems mount options such as -o rw,largefiles>
    CLOG_PKG_FS_TYPE=<file system type>
    CLOG_PKG_IP=<IP address of the clog package>
    CLOG_PKG_SUBNET=<subnet of the clog package’s IP address>
    CLOG_SYSTEM_LOG_CONSOLIDATION_DIR=<file system mount point/syslog>
    CLOG_SERVICEGUARD_PACKAGE_LOG_CONSOLIDATION_DIR=<file system mount point/packages>
    CLOG_PKG_RETRY_TIMES=1
    CLOG_PKG_MONITOR_INTERVAL=5

  4. . Distribute it cluster-wide:

    # ccp /etc/rc.config.d/syslog-ng /etc/rc.config.d/
Testing and Starting the clog Package

Before starting the package, test the configuration thus far:

  1. Run /opt/dsau/sbin/syslog-ng with the -s or --syntax-only option to verify the syntax of the /etc/syslog-ng.conf.server and /etc/syslog-ng.conf.client files. For the package’s adoptive node, a symbolic link will be created named /etc/syslog-ng.conf and this symbolic link will point to the .server file. For the remaining cluster members, the symbolic link will point to the .client file. Since the package is not yet running, use syslog-ng to check each file explicitly as follows:

    # /opt/dsau/sbin/syslog-ng --syntax-only --cfgfile /etc/syslog-ng.conf.server
    # /opt/dsau/sbin/syslog-ng --syntax-only --cfgfile /etc/syslog-ng.conf.client

    If all the edits have been applied correctly, no errors should be displayed.

  2. Start syslog-ng on each cluster member. Each syslog-ng will start as a log forwarding client:

    # cexec /sbin/init.d/syslog-ng start

    Use the cluster-wide ps command, cps, to validate that all the daemons started correctly:

    # cps -ef | grep syslog-ng

    You should see a syslog-ng daemon running on each cluster member.

  3. Create the clog package:

    # cd /etc/cmcluster/clog/
    # cmapplyconf -P clog.conf

    Serviceguard will validate the package configuration and report any errors. Correct any errors and try again.

  4. Start the clog package:

    # cmmodpkg -e clog

    Then use cmviewcl to make sure it is running: 

    # cmviewcl -p clog

    If there are problems running the package, check the /etc/cmcluster/clog/clog.log files on each member to help troubleshoot the problem.

  5. Validate that log forwarding is working properly. If consolidating the cluster’s local syslogs, use “logger <test message>” and make sure this message is in the consolidated syslog.log. If you are not consolidating local logs, use the logger command from a log forwarding client.

    Note that logger messages are first sent to the local syslogd, which forwards them to syslog-ng. By default, syslogd suppresses duplicate messages. If you issue multiple logger test messages, make sure each is unique. The logger message should appear in the consolidated syslog.log located in the directory specified in the /etc/syslog-ng.conf.server file. For the examples above, that directory would be /clog/syslog/syslog.log.

    If consolidating package logs for this cluster, any package actions that generate package log information, such as a package failover, should cause a consolidated package log to appear in /clog/packages.

Using VxVM Instead of LVM

The default clog package script template assumes that you are using LVM based storage. To use VxVM storage instead, you must edit the clog package script under /etc/cmcluster/clog/clog. Comment out the LVM Volume Group line “VG[0]=“xxx””, uncomment the line “VXVM_DG[0]=”, and enter the VxVM Disk Group.

Manually Configuring Log Forwarding Clients

In configuring a log forwarding client, you can configure it as a standalone system or as a Serviceguard cluster. For each case, you set up both syslogd and syslog-ng.

Manually Configuring a Standalone Log Forwarding Client

  1. Start by configuring the standard syslogd to co-exist with a syslog-ng forwarder.

    1. By default, syslogd listens for incoming log messages on UDP port 514. If you want to forward this systems syslogs, syslog-ng must listen on UDP port 514. Edit /etc/rc.config.d/syslogd and change SYSLOGD_OPTS to add the -N switch which prevents syslogd from listening on port 514. For example:

      SYSLOGD_OPTS=“-D -N”

    2. Edit the system’s /etc/syslog.conf file to forward log messages to port 514 on the local host where they will be read by syslog-ng. Using the HP-UX default /etc/syslog.conf as the example, add the following lines:

      mail.debug              @<fully qualified hostname>
      *.info;mail.none        @<fully qualified hostname>

      Where <fully qualified hostname> is the fully qualified hostname of this system. The name must be fully qualified or syslogd will not forward the messages properly.

      If you have customized syslog.conf, make sure to add the forwarding lines for your customizations as well.

    3. Stop and restart syslogd for these changes to take effect:

      # /sbin/init.d/syslogd stop
      # /sbin/init.d/syslogd start


  2. To configure syslog-ng, start with the same syslog-ng.conf templates used by the clog_wizard.

    Copy /opt/dsau/share/clog/templates/syslog-ng.conf.client
    .template     to /etc/syslog-ng.conf.client. This file has tokens named <%token-name%> which are replaced by the wizard based on the administrator’s answers to the wizard’s questions.

    Manually replace the tokens in /etc/syslog-ng.conf.client as follows:

    1. If configuring the system to forward its syslogs to the consolidation server, replace the <%UDP_LOOPBACK_SOURCE%> token with: 

      source s_syslog_udp { udp(port(514)); };

      Replace the <%UDP_LOOPBACK_LOG%> token with: 

      log { source(s_syslog_udp); destination(d_syslog_<type>); };

      where <type> is either tcp or udp depending on the desired log transport. This causes syslog-ng to read the local syslogd’s UDP messages and send them to the log consolidation server. If you do not want to consolidate the local syslogs of this system, delete the <%UDP_LOOPBACK_SOURCE%> and <%UDP_LOOPBACK_LOG%> tokens.

    2. Replace all the _<%TYPE%> tokens with either tcp or udp depending on the desired log transport.

    3. Find the line 

      “destination d_syslog_<%TYPE%>{<%TYPE%>(“<%IP%>” port(<%PORT%>)); };”

      If using the UDP protocol, replace <%IP%> with the IP address of the log consolidation server and <%PORT%> with 514, the standard UDP port.

      If using the TCP protocol with ssh port forwarding, replace <%IP%> with 127.0.0.1 and <%PORT%> with the port chosen for ssh port forwarding. The same guidelines for choosing a free syslog-ng TCP port apply to this port. For details, refer to section “Configuring a Log Consolidation Standalone Server with clog_wizard”.
      Non-interactive secure shell authentication must be set up between this system and the log consolidator (you can use /opt/dsau/bin/csshsetup tool for the configuration). For details, refer to “ssh Port Forwarding”.

      If using the TCP protocol without ssh port forwarding, replace <%IP%> with the IP address of the log consolidation server and <%PORT%> with TCP port chosen on the log consolidator used for log consolidation.

    4. Create the following symbolic link: 

      ln -sf /etc/syslog-ng.conf.client /etc/syslog-ng.conf

  3. The syslog-ng startup procedure, /sbin/init.d/syslog-ng, relies on several configuration variables. Edit /etc/rc.config.d/syslog-ng as follows:

    1. Change the CLOG_CONFIGURED line to: 

      CLOG_CONFIGURED=1

    2. Add the following lines:

      CLOG_CONSOLIDATOR=0
      CLOG_CONS_IP=<IP address of the log consolidator>

    3. If using the TCP protocol add the following lines:

      CLOG_TCP=1
      CLOG_TCP_PORT=<log consolidation server tcp port>

      If using ssh port forwarding add:

      CLOG_SSH=1
      CLOG_SSH_PORT=<ssh port chosen>

      otherwise , use:

      CLOG_SSH=0

      otherwise, if using the UDP protocol, use:

      CLOG_TCP=0

      If consolidating the local syslogs, use:

      CLOG_SYSLOG=1

      otherwise, use:

      CLOG_SYSLOG=0

  4. When using TCP with ssh port forwarding , record the ssh port number you chose above in the /etc/services file. For example, add the line:

    clog_ssh  1776/tcp    # Consolidated logging with ssh port forwarding

    Add this line to the /etc/services file of this system.

  5. Test the configuration by performing the following steps:

    1. Run /opt/dsau/sbin/syslog-ng with the -s or --syntax-only option to verify the syntax of the /etc/syslog-ng.conf file. This should be a symbolic link to /etc/syslog-ng.conf.client as described above.

    2. Start syslog-ng using the following command:

      # /sbin/init.d/syslog-ng start

    3. If consolidating the local syslogs, use “logger <test message>” and make sure this message is in the consolidated syslog.log on the log consolidation server. Note that the logger messages are first sent to the local syslog which forwards them to syslog-ng. syslogd by default suppresses duplicate messages. If you issue multiple logger test messages, make sure each is unique.

Manually Configuring a Serviceguard Cluster as a Log Forwarding Client

Configuring a Serviceguard cluster as a log forwarding client is similar to configuring a single system. All cluster members must be up and accessible before proceeding. You will first configure syslogd, then syslog-ng.

Create the configuration files described below on every cluster member. The simplest approach is to completely configure one member and then copy each configuration file cluster-wide. The cexec and ccp tools can simplify replicating changes cluster-wide.

  1. If you want the syslog messages for the cluster to be forwarded to the log consolidator, do the following:

    1. Start by configuring the standard syslogd to co-exist with a syslog-ng forwarder. By default, syslogd listens for incoming log messages on UDP port 514. To forward this cluster’s syslogs, syslog-ng must listen on UDP port 514. Edit /etc/rc.config.d/syslogd and change SYSLOGD_OPTS to add the -N switch; this prevents syslogd from listening on port 514. For example, 

      SYSLOGD_OPTS=“-D -N”

    2. Edit the system’s /etc/syslog.conf file to forward log messages to port 514 on the local host where they will be read by syslog-ng. Using the HP-UX default /etc/syslog.conf as the example, add the following lines:

      mail.debug              @<fully qualified hostname>
      *.info;mail.none        @<fully qualified hostname>

      where <fully qualified hostname> is the fully qualified hostname of this cluster member. This name must be fully qualified or syslogd will not forward the messages properly.

      If you have customized syslog.conf, make sure to add the forwarding lines for your customizations as well.

    3. syslogd must be stopped and restarted for these changes to take effect:

      # /sbin/init.d/syslogd stop
      # /sbin/init.d/syslogd start

    4. Since /etc/rc.config.d/syslogd is generic, it can be distributed cluster-wide using ccp:

      # cpp /etc/rc.config.d/syslogd /etc/rc.config.d/

    5. The /etc/syslog.conf is specific to each member and the edits described above must be performed on each cluster member.

    6. Making the above changes on each cluster member, syslogd must be restarted for these changes to take effect. Use cexec to do this on all members of the cluster:

      # cexec “/sbin/init.d/syslogd stop;/sbin/init.d/syslogd start”

  2. To configure syslog-ng, start with the same syslog-ng.conf templates used by the clog_wizard.

    On one cluster member, copy the /opt/dsau/share/clog/templates/syslog-ng.conf.client.template to /etc/syslog-ng.conf.client. This file contains tokens named <%token-name%> which are replaced by the wizard based on the administrator’s answers to the wizard’s questions.

    Manually replace the tokens in /etc/syslog-ng.conf.client as follows:

    1. If configuring the cluster to forward its syslogs to the consolidation server, replace the <%UDP_LOOPBACK_SOURCE%> token with: 

      source s_syslog_udp { udp(port(514)); };

      Replace the <%UDP_LOOPBACK_LOG%> token with: 

      log { source(s_syslog_udp); destination(d_syslog_<type>); };

      where <type> is either tcp or udp depending on the desired log transport. This causes syslog-ng to read the local syslogd’s UDP messages and send them to the log consolidation server. If you do not want to consolidate the local syslogs of this cluster, delete the <%UDP_LOOPBACK_SOURCE%> and <%UDP_LOOPBACK_LOG%> tokens.

    2. Replace all the <%TYPE%> tokens with either tcp or udp depending on the desired log transport.

    3. Find the line

      “destination d_syslog_<%TYPE%> {<%TYPE%>(“<%IP%>”port(<%PORT%>)); };”

      If using the UDP protocol, replace <%IP%> with the IP address of the log consolidation server and <%PORT%> with 514, the standard UDP port. If using TCP protocol with ssh port forwarding, replace <%IP%> with 127.0.0.1 and <%PORT%> with the port chosen for ssh port forwarding. The same guidelines for choosing a free syslog-ng TCP port apply to this port. For details, refer to “Configuring a Log Consolidation Standalone Server with clog_wizard”. (Note that the ssh port chosen should be a free port on all cluster members). Non-interactive secure shell authentication must be set up between each member of this cluster and the log consolidator (can use /opt/dsau/bin/csshetup tool for the configuration). For details, refer to “ssh Port Forwarding”.

      If using the TCP protocol without ssh port forwarding, replace <%IP%> with the IP address of the log consolidation server and <%PORT%> with TCP port chosen on the log consolidator used for log consolidation.

  3. The syslog-ng startup procedure, /sbin/init.d/syslog-ng, relies on several configuration variables. Edit /etc/rc.config.d/syslog-ng as follows:

    1. Change the CLOG_CONFIGURED line to: 

      CLOG_CONFIGURED=1

    2. Add the following lines:

      CLOG_CONSOLIDATOR=0
      CLOG_CONS_IP=<IP address of the log consolidator>

    3. If using the TCP protocol, add the following lines:

      CLOG_TCP=1
      CLOG_TCP_PORT=<log consolidation server tcp port>

      If using ssh port forwarding, add:

      CLOG_SSH=1
      	CLOG_SSH_PORT=<ssh port chosen>

      otherwise, add:

      CLOG_SSH=0

      otherwise, if using the UDP protocol, add:

      CLOG_TCP=0

      If consolidating the local syslogs, add:

      CLOG_SYSLOG=1

      otherwise add:

      CLOG_SYSLOG=0

      If consolidating this cluster’s package logs, add:

      CLOG_PACKAGE=1

      otherwise, add:

      CLOG_PACKAGE=0

  4. All the files edited thus far need to be distributed cluster-wide:

    # ccp /etc/syslog-ng.conf.client /etc/
    # ccp /etc/rc.config.d/syslog-ng /etc/rc.config.d/

    Create the following symbolic link on each cluster member: 

    # ln -sf /etc/syslog-ng.conf.client /etc/syslog-ng.conf

  5. When using TCP with ssh port forwarding, record the ssh port number you chose above in the /etc/services file. For example, add the line:

    clog_ssh  1776/tcp   # Consolidated logging with ssh port forwarding

    Add this line to the /etc/services file of each cluster member.

  6. To consolidate this cluster’s package logs, additional manual steps are needed on the log consolidation server. Each time a package is created or deleted on this cluster, these steps need to be done. Refer to “Consolidating Package Logs on the Log Consolidation Server”.

  7. Test the configuration by performing the following steps:

    1. Run /opt/dsau/sbin/syslog-ng with the -s or --syntax-only option to verify the syntax of the /etc/syslog-ng.conf file. This should be a symbolic link to /etc/syslog-ng.conf.client as described above.

    2. Start syslog-ng on all cluster members using 

      # cexec “/sbin/init.d/syslog-ng start”

    3. If consolidating the local syslogs, use “logger <test message>” and make sure this message is in the consolidated syslog.log on the log consolidation server. Note that the logger messages are first sent to the local syslog which forwards them to syslog-ng. By default, syslogd suppresses duplicate messages. If you issue multiple logger test messages, make sure each is unique.

Consolidating Package Logs on the Log Consolidation Server

To consolidate the package logs forwarded from cluster clients to a Log Consolidation Server, the following needs to be done on the Log Consolidation Server:

  1. For each package that will be forwarded from a cluster client, add the following destination, filter and log lines to the syslog-ng.conf.server file, after the HP_AUTOMATED_LOG_FILE_CONSOLIDATION section.

    destination d_<clu1>_<pkg1> { file(“<fs>/packages/<clu1>_<pkg1>.log”); };
    filter f_<clu1>_<pkg1> { program(<clu1>_<pkg1>.log); };
    log { source(s_syslog_<type>);
    filter(f_<clu1>_<pkg1>);destination(d_<clu1>_<pkg1>); flags(final);};

    where <pkg1> is the package name, <clu1> is the cluster alias that is forwarding this package log, and <fs> is the filesystem on the log consolidator where the consolidated logs will be stored.

  2. If the log consolidator is a Serviceguard cluster, make sure to copy the edited /etc/syslog-ng.conf.server file cluster-wide as follows:

    # ccp /etc/syslog-ng.conf.server /etc/

  3. sighup syslog-ng on the log consolidator, so that it re-reads its configuration file. (sighup is a UNIX method for restarting a process.) On a Serviceguard log consolidator, sighup syslog-ng only on the adoptive node of the clog package.

  4. For each package that is deleted from a cluster client that is forwarding its package logs, delete the corresponding destination, filter and log lines from the /etc/syslog-ng.conf.server file of the log consolidator. syslog-ng on the log consolidator will need to be sighup’d so that it re-reads this configuration file. On a Serviceguard log consolidator, the updated /etc/syslog-ng.conf.server file will need to be distributed cluster-wide. However, the sighup of syslog-ng only needs to be done on the adoptive node of the clog package.

Disabling Log Consolidation

The clog_wizard enables log consolidation configurations but does not have an unconfigure or deconfigure option. Thus you must disable a system from participating in log consolidation manually, using the following instructions.

Disabling a Standalone Log Consolidation System

Perform the following steps to deconfigure log consolidation:

  1. If the local syslogs were being consolidated, or the UDP protocol was used, edit /etc/rc.config.d/syslogd and change SYSLOGD_OPTS to remove the -N switch. For example, make the following edit:

    SYSLOGD_OPTS=“-D

  2. If the local syslogs were being consolidated, also edit the system’s /etc/syslog.conf file to remove the following lines:

    mail.debug             @<fully qualified hostname>
    *.info;mail.none       @<fully qualified hostname>

    where <fully qualified hostname> is the fully qualified hostname of this system.

  3. Restart syslogd, using the following commands:

    #/sbin/init.d/syslogd stop 
    #/sbin/init.d/syslogd start

  4. Stop syslog-ng:

    # /sbin/init.d/syslog-ng stop

  5. Edit the /etc/rc.config.d/syslog-ng file, as follows:

    1. Change the CLOG_CONFIGURED line to CLOG_CONFIGURED=0.

    2. Remove all other CLOG lines except for the following: 

      CLOG_LAYOUTS_DIR=/var/opt/dsau/layouts
      CLOG_ADDITIONAL_LOG_DIRS[0]=/var/adm/syslog

  6. If the TCP protocol was used, remove the following line from /etc/services:

    clog_tcp <port>/tcp # Consolidated logging with syslog-ng

Disabling a Serviceguard Cluster Log Consolidation System

Perform the following steps to disable log consolidation in a Serviceguard cluster. These steps should be done on each cluster member:

  1. If local syslogs were being consolidated or the UDP protocol was used, edit /etc/rc.config.d/syslogd and change SYSLOGD_OPTS to remove the -N switch For example:

    SYSLOG_OPTS="-D"

  2. Restart syslogd with the following commands:

    #/sbin/init.d/syslogd stop 
    #/sbin/init.d/syslogd start

  3. If the local syslogs were being consolidated, edit the systems /etc/syslog.conf file to remove the following lines:

    mail.debug             @<fully qualified hostname>
    *.info;mail.none       @<fully qualified hostname>

    Where <fully qualified hostname> is the fully qualified hostname of this system. Note that a <tab> precedes each @sign.

  4. Halt the clog package with the command:

    #/usr/sbin/cmhaltpkg clog

  5. Stop syslog-ng with the following command:

    # /sbin/init.d/syslog-ng stop

    (Note that this stops the syslog-ng daemon and package log consolidation if configured.)

  6. Edit the /etc/rc.config.d/syslog-ng file and change the CLOG_CONFIGURED line to the following:

    CLOG_CONFIGURED=0

    Remove all other CLOG lines except for:

    CLOG_LAYOUTS_DIR=/var/opt/dsau/layouts 
    CLOG_ADDITIONAL_LOG_DIRS[0]=/var/adm/syslog

  7. Delete the clog package with the following command:

    # cmdeleteconf -p clog

Disabling a Standalone Log Forwarding Client

Perform the following steps to disable log forwarding on a standalone client:

  1. If syslog messages were being forwarded to the log consolidator, edit /etc/rc.config.d/syslogd and change SYSLOGD_OPTS to remove the -N switch. For example, 

    SYSLOGD_OPTS=“-D”

  2. Edit the systems /etc/syslog.conf file to remove the following lines: 

    mail.debug             @<fully qualified hostname> 
    *.info;mail.none       @<fully qualified hostname>

    where <fully qualified hostname> is the fully qualified hostname of this system. Note that there is a <tab> before the @ sign.

  3. Restart syslogd with the following commands:

    #/sbin/init.d/syslogd stop 
    #/sbin/init.d/syslogd start

  4. Stop syslog-ng with the following command:

    # /sbin/init.d/syslog-ng stop

    (Note that this will stop the syslog-ng daemon and also ssh port forwarding, if it was configured.)

  5. Edit the /etc/rc.config.d/syslog-ng file and change the CLOG_CONFIGURED line to the following:

    CLOG_CONFIGURED=0

    Remove all other CLOG lines except for the following: 

    CLOG_LAYOUTS_DIR=/var/opt/dsau/layouts 
    CLOG_ADDITIONAL_LOG_DIRS[0]=/var/adm/syslog

  6. If ssh port forwarding had been configured, remove the following line from /etc/services:

    clog_ssh <port>/tcp # Consolidated logging with ssh port forwarding

Disabling a Serviceguard Cluster Log Forwarding Client

Perform the following steps to deconfigure log forwarding. These steps need to be done on each cluster member:

  1. If syslog messages were being forwarded to the log consolidator, edit /etc/rc.config.d/syslogd and change SYSLOGD_OPTS to remove the -N switch. For example, SYSLOGD_OPTS=“-D”.

  2. Edit the systems /etc/syslog.conf file to remove the following lines:

     mail.debug             @<fully qualified hostname>
    *.info;mail.none        @<fully qualified hostname>

    where <fully qualified hostname> is the fully qualified hostname of this system.

  3. Stop and restart syslogd with the following commands:

    # /sbin/init.d/syslogd stop
    # /sbin/init.d/syslogd start

  4. Stop syslog-ng:

    # /sbin/init.d/syslog-ng stop

    (Note this will stop the syslog-ng daemon, stop ssh port forwarding if configured, and stop package log forwarding if configured.)

  5. Edit the /etc/rc.config.d/syslog-ng file and change the CLOG_CONFIGURED line to CLOG_CONFIGURED=0. Remove all other CLOG lines except for the following:

    CLOG_LAYOUTS_DIR=/var/opt/dsau/layouts CLOG_ADDITIONAL_LOG_DIRS[0]=/var/adm/syslog

  6. If ssh port forwarding had been configured, remove the following line from /etc/services:

    clog_ssh <port>/tcp # Consolidated logging with ssh port forwarding

Securing Consolidated Logs

On a standard HP-UX system, all users can view the system’s local /var/adm/syslog/syslog.log. Access to consolidated logs is typically restricted. The log consolidation server system itself is usually a restricted access system with strict security policies in place.

Log File Protections

One level of protection is the permissions on the consolidated log files themselves. This is controlled via the syslog-ng.conf.server file. Each syslog-ng “file” destination can have specific permissions specified. If the log directory for a consolidated file does not exist, syslog-ng can be instructed to create it (create_dirs(yes)) and set the directory’s ownership and permissions on the directory as well. For example,

destination d_file { file(“/clog/test/example.log” );
dir_owner(root);
dir_group(sys);
dir_perm(0600);
owner(root);
group(sys);
perm(0600);
};

ssh Port Forwarding

ssh port forwarding sets up an encrypted tunnel for the log traffic between the syslog-ng log forwarding client and the syslog-ng log consolidation server. This ssh-based tunnel is only available when using the TCP transport, not UDP. Also, ssh port forwarding is not used when forwarding log traffic within a Serviceguard cluster (member to member). Standard TCP or UDP is used for intra-cluster log traffic.

ssh port forwarding is transparent to syslog-ng. The /etc/syslog-ng.conf.client file is configured so that syslog-ng forwards log traffic to a local port managed by ssh. The local ssh connects to the remote sshd on the log consolidation server and sshd opens the standard syslog-ng TCP port. The remote log consolidation believes it has a standard log forwarding client and is unaware of the tunneling taking place.

One problem with ssh tunneling is failures of the log consolidation server. If the syslog-ng server stops or crashes, the remote ssh tunnels disconnect. The client ssh tunnels will try to reconnect at one minute intervals. The reconnect time is configurable.

Each failed reconnect attempt is logged to the client’s local syslog.log. During this time, syslog-ng’s client log (/var/adm/syslog/syslog-ng.log) will show it trying to reconnect to the tunnel. The default reconnect time is 10 seconds. This is configurable using syslog-ng’s global setting “time_reopen(<seconds>)”. See the syslog-ng open source reference manual (/opt/dsau/doc/syslog-ng) for details.

ssh Port Forwarding to a Serviceguard Cluster Log Consolidator

When using ssh port forwarding with a Serviceguard cluster as the log consolidation server, a special ssh configuration is required.

In general, using ssh port forwarding requires that the log consolidation server perform a key exchange with the log forwarding client. Specifically, the ssh public key for the remote log forwarding client must be added to the consolidation server’s authorized keys file. Also, the fingerprint for the log consolidation server is added to the log forwarding client’s /.ssh/known_hosts file. The client log forwarder is a trusted system after this key exchange, and the consolidation server does not need to prompt for any ssh passwords at this point.

Since the consolidation server is a package, it can potentially run on every member of the cluster. This key exchange between the remote log forwarding client and a cluster member must be replicated for each cluster member. Each cluster member has to establish the same trust relationship to the log forwarding clients.

A problem can arise with the log forwarding client’s known_host fingerprints. When using a package’s relocatable IP address for the initial ssh key exchange, the client will have the adoptive node’s fingerprint added to his local /.ssh/known_hosts file. When the package fails over and the ssh connection is re-established, the new adoptive node will have a different fingerprint and ssh will detect this as a man-in-the-middle attack and refuse to re-establish the ssh tunnel.

In order to prevent this, each cluster member must look like the same system from the perspective of the log forwarding clients. This can be achieved by having each cluster member use an identical host key. The ssh host keys are located in /opt/ssh/etc and contained in the following files:

  • ssh_host_key

  • ssh_host_key.pub

  • ssh_host_dsa_key

  • ssh_host_dsa_key.pub

  • ssh_host_rsa_key

  • ssh_host_rsa_key.pub

Pick one of the cluster members and copy these files to the same directory on the other cluster members. Using the “cluster copy” or cpp tool is a quick way to do this, using the following commands:

# cd /opt/ssh/etc/
# ccp ssh_host_* /opt/ssh/etc/

Then from each log consolidation client, perform a standard ssh key exchange with the relocatable IP address of the clog package. One way to do this is using the csshsetup tool (see csshsetup(1)), as follows:

# csshsetup <DNS name of the clog package>

csshsetup will prompt for the password of the cluster in order to do the initial key exchange.

Using Bastille to Harden the System

Bastille is a security-hardening lockdown tool that can be used to enhance the security of the HP-UX operating system. It provides customized lockdown on a system-by-system basis by allowing the administrator to choose which security features to enable or disable from hardening/lockdown checklists.

Bastille can be used to harden a log consolidation server. When enabling IP filtering, note that the following ports must be left open for syslog and syslog-ng:

  • UDP 514 - this port is used by syslogd clients for forwarding log messages

  • TCP port <selected port> - the administrator chooses which TCP port a syslog-ng log consolidator uses to receive messages.

  • TCP port 22 - When using ssh port forwarding to create encrypted tunnels, the remote clients communicate with the log consolidation server’s sshd daemon. In a default configuration, this daemon listens on TCP port 22.

Viewing Consolidated Logs

Use the System Management Homepage’s System Log Viewer to filter and view a system’s local syslog log files. For a system that is also a log consolidator, the System Log Viewer also filters and displays the consolidated logs.

Starting System Management Homepage

To log in to the System Management Homepage, navigate to:

http://hostname:2301

Enter a username and password. Root logins are enabled by default. For additional information on starting and logging into the System Management Homepage, refer to the HP Systems Management Homepage User Guide.

After logging in to System Management Homepage, choose the Logs tab and then “System Log Viewer.”

Using the System Log Viewer

The System Log Viewer will display the syslog-related logs for the system. By default, this includes the local logs for the system from /var/adm/syslog. If this system is also a log consolidator, the consolidated logs will also be listed.

NOTE: In a Serviceguard cluster configured as a log consolidation server, the consolidated logs are placed on the filesystem associated with the “clog” package. See “Cluster Configuration Notes” for additional details. When using LVM and VxVM storage failover configurations, this means that the consolidated logs are only accessible to a single cluster member at a time. Use cmvviewcl to determine which cluster member the clog package is currently running on, and start the System Management Homepage on that system to view the consolidated logs.

Choose a log to view from the main Select tab. Use the Filter tab to specify filter expressions to search for specific entries, and then choose the Display tab to display the contents of the log. For additional information on using the System Log Viewer, use the on-line help available from within the application.

Introduction to Command Fanout

Command fanout utilities allow the system administrator to replicate shell commands across multiple systems. Traditionally, administrators have created wrappers around tools such as remote shell (see remsh(1)) and secure shell (see ssh(1)) to provide command fanout functions.

Parallel Distributed Shell

The Distributed Systems Administration Utilities (DSAU) include the open souce tool Parallel Distributed Shell (pdsh). pdsh formalizes the use of remsh and ssh for distributing commands to groups of systems. Unlike remsh/ssh wrappers, pdsh offers the following benefits:

  • High performance
    Commands are issued in parallel to groups of target system. pdsh supports a sliding window or fanout setting to control the number of concurrent commands.

  • Command timeout settings
    pdsh supports a command execution timeout which controls how long a remote command can execute before being disconnected (to prevent problem commands from hanging). It also supports a connect timeout which prevents blocking when remote systems are unreachable.

  • Output processing and return status
    pdsh correctly handles stdout and stderr processing and supports returning a “worst of”return status so the caller can detect errors from remote systems.

  • Flexible target system specifications

    pdsh supports several mechanisms for specifying the target hosts on which to operate. They can be specified on the command line, on stdin, in a well known file (/etc/machines) or in a file pointed to by the WCOLL environment variable. Specific systems can be excluded from the command line as well.

  • Hostlist expressions

    For groups of systems using a prefixNNN naming convention (for example, h1, h2, ..., hN), pdsh allows target nodes specification using hostlist expressions such as “h[1-10]” which would fan out a command to hosts named h1 through h10.

  • Intelligent output filtering

    pdsh prefaces each line of output with the hostname of originating system. dshbak (see dshbak(8)) is a filter that can format the standard pdsh output in several different ways. The dshbak -c flag looks for output from different hosts that is identical and consolidates the output instead of duplicating it. The header will indicate the hosts to which the consolidated output applies.

  • Choice of command transports

    pdsh can use either remote shell rcmd (see rcmd(3)) or ssh as a command transport. Note that the ssh transport offers greatly improved security. See “Security Configuration” for details.

  • Parallel copy command

    The pdcp command provides a parallelized copy command to copy a local source file to multiple targets.

Figure 3-4 “pdsh Architecture ”shows the components of pdsh and its architecture.

Figure 3-4 pdsh Architecture

pdsh Architecture

For more information on pdsh and dshbak, refer to their reference manpages.

pdsh Utility Wrappers

Administrators can build wrapper commands around pdsh for commands that are frequently used across multiple systems and Serviceguard clusters. Several such wrapper commands are provided with DSAU. These wrappers are Serviceguard cluster-aware and default to fanning out cluster-wide when used in a Serviceguard environment. These wrappers support most standard pdsh command line options and also support long options (--option syntax) .

cexec

cexec is a general purpose pdsh wrapper. In addition to the standard pdsh features, cexec includes a reporting feature. Use the --report_loc option to have cexec display the report location for a command. The command report records the command issued in addition to the nodes where the command succeeded, failed, or the nodes that were unreachable. The report can be used with the --retry option to replay the command against nodes that failed, succeeded, were unreachable, or all nodes.

ccp

ccp is a wrapper for pdcp and copies files cluster-wide or to the specified set of systems.

cps

cps fans out a ps command across a set of systems or cluster.

ckill

ckill allows the administrator to signal a process by name since the pid of a specific process will vary across a set of systems or the members of a cluster.

cuptime

cuptime displays the uptime statistics for a set of systems or a cluster.

All the wrappers support the CFANOUT_HOSTS environment variable when not executing in a Serviceguard cluster. The environment variable specifies a file containing the list of hosts to target, one hostname per line. This will be used if no other host specifications are present on the command line. When no target nodelist command line options are used and CFANOUT_HOSTS is undefined, the command will be executed on the local host.

For more information on these commands please refer to their reference manpages.

Security Configuration

The command fanout tools support both remote shell (rsh or rcmd) and ssh transports. Each requires specific security setup steps in order to authorize the user initiating the command fanout operation to execute a command on the remote target systems. The command fanout tools require that the remote system not prompt for a password. Both rsh and ssh transports must be preconfigured on each remote system to allow non-interactive access. The following sections describe the required setup steps to enable command fanout operations for each transport.

Remote Shell Security Setup

When using the remote shell command transport, the local user must have a $HOME/.rhosts file configured on each remote target system. Refer to the rhosts(4) reference manpage for details on configuring the $HOME/.rhosts file.

ssh Security Setup

ssh uses public host keys to authenticate remote hosts and supports public key authentication to authenticate users. When users’ public keys are properly configured on a set of remote systems, they can access those systems without being prompted for a password. Manually configuring ssh for non-interactive access is a multistep process where ssh configuration files are edited on each system. The csshsetup tool greatly simplifies configuring ssh trust relationships. For example, when using the command fanout tools in a Serviceguard cluster, you typically want to be able to issue commands from any member and target any other member. This requires an n^2 distribution of ssh public keys. Start by creating a text file listing the members the cluster, one per line. Invoke csshsetup using this file. Note that this command needs to be issued only once since it configures each member of the cluster:

# csshsetup -r -f members_list.txt

The -r option instructs csshsetup to distribute the keys in a round-robin or n^2 fashion. The user will be prompted for his password on each remote host. csshsetup then automates the entire public key distribution process.

Note that csshsetup is not specific to Serviceguard clusters; it can be used for arbitrary groups of systems. Also, the trust relationship does not have to bidirectional. Omit the -r option when setting up a one-way trust relationship between the current host and a set of remote target hosts. For additional details, refer to the csshsetup(1) reference manpage.

Security Notes

The remote shell protocol is an inherently insecure protocol. It is the protocol used by the Berkeley “r commands,rlogin, rcp, remsh, and so on. Many system administrators disable the use of the “r” commands as a matter of policy. For example, the Bastille security hardening tool offers a default option to disable these insecure services. If disabled, the pdsh -R rsh option to use the remote shell transport will not work.

If the “r” services are not disabled, use of the pdsh -R rsh option by unprivileged users is still disabled by default because of the inherent security risk. By default, only users with root privileges can use the pdsh -R rsh option. This is because the remote shell rcmd library call requires the use of a privileged port. Even though privileged users can use -R rsh, the ssh transport is still preferred.

If the hosts and users are trusted in your environment, you can enable the use of the pdsh -R rsh option for unprivileged users with the following commands:

# cd /opt/dsau/bin/pdsh

# chown root:bin pdsh

# chmod u+s pdsh

Command Fanout Troubleshooting

This section contains troubleshooting tips for common error messages produced by pdsh and the wrapper commands.

You may see the following error messages when using the ssh command transport:

  • ssh command transport messages:

    • pdsh@<local hostname>: <target hostname>: ssh exited with exit code 1

      Reason: The target system is unreachable.

    • pdsh@<local hostname>: <target hostname>: ssh exited with exit code 255

      Reason: This message occurs when the target hostname is unknown or the target host’s IP address in /etc/hosts is incorrect. Note that 255 is exit code used by ssh when ssh itself encounters an error.

  • rsh command transport messages:

    • pdsh@<local hostname>: gethostbyname(“<target hostname>”) failed

      Reason: When the hostname is unknown.

    • pdsh@<local hostname>: <target hostname>: connect: Connection refused

      Reason: The target system is unreachable. The r services might be disabled for this system.

    • pdsh@<local hostname>: <target hostname>: connect: timed out

      Reason: The hostname exists (e.g. the ip address lookup succeeded) but the system is not up or not reachable.

    • rresvport: bind: Permission denied pdsh@<local hostname>: <local hostname>: rcmd: socket: Permission denied

      Reason: An unprivileged user is attempting to use the remote shell transport. See the Security Notes section for details on allowing unprivileged users to use pdsh with the remote shell transport.

    • <target hostname>: remshd: Login incorrect.
      remote

      Reason: The user’s $HOME/.rhosts on the remote system is not allowing access.

  • Target node error messages:

    • <target hostname>: sh: <command name>: not found

      Reason: The command does not exist on the target node. Note that the remote shell invoked by pdsh has only a minimal path. The user’s login scripts are not executed on the remote nodes. Make sure to specify commands using full paths.



Using System Administration Manager (SAM)
  		 


Controlling Access to a System  
Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 1997-2006 Hewlett-Packard Development Company, L.P.