siteXYtools

Current release: siteXYtools 0.3, 5 November 2006 | Changelog · · · GitHub: Source | Issues

Description

siteXYtools aid in generating siteXY.tgz and siteXY-hostname.tgz fileset tarballs as used by the OpenBSD installer. It offers a generic install.site, removing the need to write code when automatically adding users, packages, etc during install. It has support for defining common files shared by all hosts, defining arbitrary roles shared by any number of hosts, as well as host-specific files that are only available to a single host.

An example session, complete from start to finish follows. We want sshd_config to the be the same on every host. We want DNS data copied to DNS servers and the pf ruleset must be placed on the firewalls.

$ mkdir siteXY-work && cd siteXY-work
$ mkdir -p common/etc/ssh roles/dns/var/named roles/fw/etc
$ cp /etc/ssh/sshd_config common/etc
$ cp -r /var/named roles/dns/var/named
$ cp /etc/pf.conf roles/fw/etc
$ mkdir -p host1/etc host2/etc host3/etc host4/etc host5/etc host6/var/www/conf
$ touch host1/.role-dns host2/.role-dns
$ touch host3/.role-fw host4/.role-fw
$ $EDITOR host5/etc/sysctl.conf
$ $EDITOR .siteXYrc - set ballDir=/tmp
tweak etc/hostname.if on each host as needed
$ generate
/tmp/site40-host1.tgz: common role dns .. done
/tmp/site40-host2.tgz: common role dns .. done
/tmp/site40-host3.tgz: common role dns .. done
/tmp/site40-host4.tgz: common role fw .. done
/tmp/site40-host5.tgz: common .. done
/tmp/site40-host6.tgz: common .. done
/tmp/site40.tgz: Including common directory
Whoops, we forgot a file for host6
$ $EDITOR host6/var/www/conf/httpd.conf
$ generate host6
/tmp/site40-host6.tgz: common .. done

Now copy the tarballs to a webserver and create index.txt with their names so the OpenBSD installer may find them.

$ cd /var/www/htdocs/siteXY
$ sudo cp /tmp/site*.tgz .
$ ls *.tgz > index.txt

Files

• .siteXYrc - the variable ballDir defines where to place generated fileset tarballs.
• common/ - entire contents here will be included in siteXY.tgz.
• common/patches/* - common patches to be applied to system configuration files.
• roles/*/ - arbitrary roles defined here (e.g. dns, mx, sausage, web) by creating a directory with the desired role name. Content ends up in siteXY-hostname.tgz
• roles/*/patches/ - role-specific patches that either overwrite or do additional patching of system configuration files.
• hostname/pkg_add_list - list of packages to be installed on this particular host, seperated by newlines
• hostname/pkg_add_path - list of URLs and paths to use for PKG_PATH
• hostname/adduser_list
• hostname/rm_list
• hostname/.role-*
• hostname/patches/* - host-specific patches that either overwrite or do additional patching of system configuration files.

Note that common/*, roles/*/* and hostname/* all end up in the root of the tarball, so it's possible to overwrite common or role settings on individual hosts by simply including a file of the same name. This method may also be used to confuse the hell out of administrators, so make sure hosts which override the global settings are properly documented.

Known problems

• Can't fake-install packages into tarballs. Packages must currently be installed by each individual system. This currently prevents one from distributing single siteXY-hostname.tgz to customer sites that do not have internet access.
• File permissions are handled poorly. When files are extracted during install, permissions and ownership are preserved from the tarball. This poses a problem if the tarballs were generated by a non-root user, like it would be on a build host of some sort. This problem is solved by running mtree at the end of install.site, but no mtree specs exist for files that belong to ports.
• How to do safe mass-build and distribution of sshd keys, krb5.srvtabs, etc?

Related work

• Unattended install of OpenBSD