Question #3369

closed

One time triggers

Added by Dennis Cabooter about 11 years ago. Updated almost 9 years ago.

Status:
Resolved
Priority:
N/A
Assignee:
-
Category:
Techniques
Target version:
-
Regression:

Description

I've managed to implement almost everything we need on our nodes into Rudder. However, I still have a few questions:

- We use a package called etckeeper, which basically is a hook into apt/yum to store /etc into git. I need to perform an "etckeeper init && etckeeper commit \"Initial commit\"" to make it actually work. Is it possible, and if so, what would be the best practice to do this?

- We use an Ubuntu PPA (additional repository) to install the latest git. I need to download/import a GPG key to make this actually work - the package manager will complain otherwise and Rudder fails to install git. Is it possible, and if so, what would be the best practice to do this?

Actions #1

Updated by Dennis Cabooter about 11 years ago

Since the last question should be a separate one, I will create a new question for it.

Actions #2

Updated by Dennis Cabooter about 11 years ago

With winbind I've got the same problem. I need to perform a "net ads join createcomputer=INFRA/LINUX -U AD_ADMIN%ADMIN_PASS" to make winbind actually work. Otherwise I have to log in to about 40 desktops, just to perform that command.

Actions #3

Updated by Jonathan CLARKE about 11 years ago

  • Category set to Techniques
  • Status changed from New to Discussion

Dennis Cabooter wrote:

With winbind I've got the same problem. I need to perform a "net ads join createcomputer=INFRA/LINUX -U AD_ADMIN%ADMIN_PASS" to make winbind actually work. Otherwise I have to log in to about 40 desktops, just to perform that command.

Dennis Cabooter also wrote:

I've managed to implement almost everything we need on our nodes into Rudder. However, I still have a few questions:

- We use a package called etckeeper, which basically is a hook into apt/yum to store /etc into git. I need to perform an "etckeeper init && etckeeper commit \"Initial commit\"" to make it actually work. Is it possible, and if so, what would be the best practice to do this?

I understand your use case. It sounds very similar to the "post-hook commands" you can use in the file editing or file copying Techniques - ie run commands only if something changed. This feature is not available in all Techniques, but it's true it could be useful elsewhere also.

The good news is, we can certainly write a new Technique or extend an existing one quickly to help you. To do this, I want to make sure I understand your requirements first. How does that sound to you?

So, you've mentioned two cases:

1) You run a command, and depending on its output, run another command. This could either be achieved through the proposed design of http://www.rudder-project.org/redmine/issues/2428 (as you commented there), or just by using a plain shell script, I guess. Am I right?

2) For your etckeeper init example, how do you think this should work? Could you, if necessary, compress it into a similar pattern of test command + repair command if the test command didn't return zero/output anything/something else? If not, should we add a post-hook in the package install Techniques to run a command when a package is newly installed?

- We use an Ubuntu PPA (additional repository) to install the latest git. I need to download/import a GPG key to make this actually work - the package manager will complain otherwise and Rudder fails to install git. Is it possible, and if so, what would be the best practice to do this?

Right, I saw this is #3371. Will follow up there.

Actions #4

Updated by Dennis Cabooter over 10 years ago

Workflow for etckeeper (as discussed with ncharles on irc):

Install etckeeper on RHEL

yum -y install etckeeper

Install etckeeper on Ubuntu

apt-get install -y python-software-properties
add-apt-repository ppa:git-core/ppa
apt-get update
apt-get -y install git etckeeper

Configure etckeeper on Ubuntu (on RHEL it's already done)

perl -pi -e 's/^VCS="bzr"/# VCS="bzr"/' /etc/etckeeper/etckeeper.conf
perl -pi -e 's/^# VCS="git"/VCS="git"/' /etc/etckeeper/etckeeper.conf

"Post-install" etckeeper

git config --global user.name `hostname -s`
git config --global user.email info@example.com
etckeeper init && etckeeper commit "Initial commit"

Configure remote (should be optional)

- Copy /root/.ssh/id_rsa

cd /etc
git remote add git-central git-user@git-server:/data/etc
git push git-central master:etc-`hostname -s`

Create etckeeper hook (should be optional)

vim /etc/etckeeper/post-install.d/60vcs-commit-push

#!/bin/sh
set -e

git push git-central master:etc-`hostname -s`

chmod a+x /etc/etckeeper/post-install.d/60vcs-commit-push

Actions #5

Updated by Dennis Cabooter over 10 years ago

Workflow for winbind (as discussed with ncharles on irc):

Install additional software on Ubuntu

apt-get install krb5-user krb5-config libpam-krb5 samba winbind

Edit system-auth and authconfig on CentOS/RHEL

vim /etc/pam.d/system-auth

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

vim /etc/sysconfig/authconfig

USEWINBINDAUTH=yes
USEKERBEROS=no
USESYSNETAUTH=no
USEPAMACCESS=no
USEMKHOMEDIR=no
FORCESMARTCARD=no
USESMBAUTH=no
USESMARTCARD=no
USELDAPAUTH=no
USEDB=no
USEWINBIND=yes
USESHADOW=yes
PASSWDALGORITHM=md5
USELOCAUTHORIZE=yes
USEHESIOD=no
USELDAP=no
USEPASSWDQC=no
USECRACKLIB=yes
USENIS=no

Edit smb.conf & nsswitch.conf (the first one has some values that need to be changed)

vim /etc/samba/smb.conf

[global]
 workgroup = WORKGROUP
 realm = EXAMPLE.COM
 security = ADS
 idmap uid = 1000-65535
 idmap gid = 1000-65535
 template homedir = /adhome/%U
 template shell = /bin/bash
 winbind use default domain = true
 winbind offline logon = false
 preferred master = no
 hosts allow = 1.2. 127.
 encrypt passwords = yes
 log level = 3
 log file = /var/log/samba/%m
 max log size = 50
 printcap name = cups
 printing = cups
 winbind enum users = Yes
 winbind enum groups = Yes
 winbind nested groups = Yes
 idmap backend = idmap_rid:WORKGROUP=1000-65535
 winbind normalize names = Yes

vim /etc/nsswitch.conf

# /etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
automount:  files
aliases:    files

Edit krb5.conf on RHEL/CentOS (has some values that need to be changed)

vim /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 EXAMPLE.COM = {
   default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Last but not least: join AD

net ads join createcomputer=organizational_unit -U ad_admin%ad_admin_pass

Start Winbind and add services to system startup on CentOS/RHEL

service winbind start
chkconfig winbind on

Start Winbind on Ubuntu

/etc/init.d/winbind start

Actions #6

Updated by Nicolas CHARLES over 10 years ago

Thank you Dennis!
I have 2 questions:
  1. If the configuration files change for winbind, do we need to run net ads join createcomputer=organizational_unit -U ad_admin%ad_admin_pass again?
  2. Do you think that a posthook at creation of the file only would allow it to work? If the file is there, and edited, we don't run the posthook; if the file wasn't there, but is created, we run the posthook?

Actions #7

Updated by Dennis Cabooter over 10 years ago

1) I think it depends on what is changed. If you change example.com to rudder-project.org, you need to authenticate again.
2) This is difficult. Maybe it would be good if a successful join could be checked.

# net ads testjoin
Join is OK
# echo $?
0
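One way to implement the "test command + repair command" one-shot trigger discussed above (Jonathan's pattern in #3, Dennis's net ads testjoin check in #7) as a plain shell helper. This is an added example, not code from the ticket or from Rudder's Techniques; run_once is a hypothetical helper, and using the presence of /etc/.git as the etckeeper test is an assumption.

```shell
#!/bin/sh
# run_once NAME TEST_CMD REPAIR_CMD
#   Runs REPAIR_CMD only when TEST_CMD fails, then re-checks TEST_CMD so a
#   repair that "succeeded" without fixing the state is still reported.
#   Return codes: 0 = compliant (already or after repair), 1 = repair failed,
#   2 = repair ran but the state is still non-compliant.
run_once() {
  _name=$1; _test=$2; _repair=$3
  if sh -c "$_test" >/dev/null 2>&1; then
    echo "$_name: already compliant, nothing to do"
    return 0
  fi
  echo "$_name: non-compliant, running repair"
  if ! sh -c "$_repair"; then
    echo "$_name: repair command failed" >&2
    return 1
  fi
  if sh -c "$_test" >/dev/null 2>&1; then
    echo "$_name: repaired"
    return 0
  fi
  echo "$_name: still non-compliant after repair" >&2
  return 2
}

# The two cases from this ticket (commented out: they need etckeeper/samba
# and root). Keeping the join password out of the command line avoids it
# showing up in process listings; e.g. read it from a root-only file.
# run_once etckeeper '[ -d /etc/.git ]' \
#   'etckeeper init && etckeeper commit "Initial commit"'
# run_once winbind 'net ads testjoin' \
#   'net ads join createcomputer=organizational_unit -U "ad_admin%$(cat /root/.adjoin)"'

# Self-contained demonstration with a constructed marker file standing in
# for "the state has been set up": first call repairs, second is a no-op.
demo() {
  _marker=${TMPDIR:-/tmp}/run_once_demo.$$
  rm -f "$_marker"
  run_once demo "[ -f $_marker ]" "touch $_marker"; _first=$?
  run_once demo "[ -f $_marker ]" "touch $_marker"; _second=$?
  rm -f "$_marker"
  [ "$_first" -eq 0 ] && [ "$_second" -eq 0 ]
}
```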

Actions #8

Updated by Benoît PECCATTE almost 9 years ago

  • Status changed from Discussion to Resolved

Thank you Dennis, I think you answered your own question, so I'm closing it.
Feel free to reopen it if it's not the case.
