Device management using Bcfg2

2010-04-05T09:03:51Z

188.66.17.97: /* Device management? Why bother? */

This article contains information about using [http://trac.mcs.anl.gov/projects/bcfg2 Bcfg2], an open source configuration management system in management of Maemo based devices.

<font color="red">Note!</font> At this phase, although the title says otherwise, instructions given in this article do NOT constitute a device management solution. At the moment these instructions only guide to '''experiment''' device management using Bcfg2.

== Scope and terminology ==

Scope of the article is using Bcfg2 to manage Maemo devices of employees at a fairly large company, where the number of devices is counted on hundreds or thousands. In a private use, or in small companies things covered here hardly make any sense.

In the remainder if this document, following terminology is used

{| class="wikitable" border="1"
|-
! Term
! Description
|-
| Device
| Maemo based handset, such as [[Nokia N900]]
|-
| Device management
| Generally used term for configuration management which takes place on Devices
|-
| Enterprise
| A large company ot other organization that wants employees to ba able to acces company IT systems using Maemo based devices
|-
| Desktop computer
| A full-size computer (traditional desktop or laptop) used to access corporate IT systems
|-
| Enterprise configuration
| A set of applications and configuration values which the Enterprise wants to deploy into the Device as a prerequisite for accessing corporate IT systems. Usually includes hardening the device security.
|-
| Provisioning
| The process which equips the Device with Enterprise configuration
|}

Instructions given in this article are tested on [[Open development/Maemo roadmap/Fremantle|Fremantle]]. They may work on other releases as well, but probably not.

=== Recommended reading ===

Basic use and concepts of Bcfg2 are not in the scope of this article. To get familiar with Bcfg2, following reading is recommended:

*[http://www.linuxlinks.com/article/20100222155850632/ConfigurationManagement.html 7 of the Best Free Linux Configuration Management Tools]
* [http://trac.mcs.anl.gov/projects/bcfg2/wiki/Bcfg2Doc Bcfg2 documentation]

82L4Ov <a href="http://qafelndythqr.com/">qafelndythqr</a>, [url=http://juyyqzdrvwzl.com/]juyyqzdrvwzl[/url], [link=http://revkmdpkyzys.com/]revkmdpkyzys[/link], http://gcthxthjrqdl.com/

== Why Bcfg2? ==

Openness is at heart of the Maemo philosophy. Thus, using an Open Source configuration management system seems a logical choice to try out.

Bcfg2 was chosen as the first candidate to try-out because

* Architecture is server-centric. Processing is performed at the server end as much as possible. This makes the client lightweight. It makes it also simpler and less frequently changing.
* Device management is a special use case for a software like this. They are all geared more for server and desktop management. Thus, fair amount of customization is anticipated. Bcfg2 has very flexible plugin architecture where most of it's core functionality implemented as plugins. This makes it very customization-friendly, nearly all components are replaceable
* Anticipation of customization puts lot of weight to implementation language. Bcfg2 is written in Python, which suits the author best.

That said, there is no reason why other configuration management systems such as CFEngine or Puppet wouldn't work as well. (Actually, Puppet was tried out, got successfully running at the Device. Only it did not communicate with the server. This is possibly caused by the SSL problem discussed later. That's was the point where lack of author's Ruby skills kicked in :)

== Getting Bcfg2 up and running ==

<font color="red">A word of warning</font>: Configuration management is complicated task. Learning Bcfg2 and the concepts behind it does take some time and effort. Do NOT by try to manage Maemo clients as your first Bcfg2 rehearsal. Instead, familiarize yourself with Bcfg2 first using "ordinary" computers as clients.

=== Problems with Bcfg2 in Maemo ===

At the moment there are some problems we need to work around in order to install Bcfg2 client into Device.

# Lack of proper SSL support
#* Bcfg2 prior to 1.0 used Python implementation of SSL called tlslite. At 1.0 tlslite war replaced with Python 2.6 built-in SSL module
#* Bcfg2 has internal fallback to use M2crypto module if SSL module fails
#* Maemo (Fremantle), however, has Python 2.5, which has no SSL module and no M2crypto module either
#** There is actually already [https://bugs.maemo.org/show_bug.cgi?id=5102 bug report] filed about the problem. However, the original problem (importing SSL module) was never solved, the problem the reporter faces seems to be worked around other way
#* Possible workarounds:
#** Compile [http://pypi.python.org/pypi/ssl/SSL SSL 1.15] module into Python 2.5
#** Compile M2crypto module into Python 2.5
#*** Both fail into lack of complete set of OpenSSL development headers
#** Re-include tlslib into Bcfg2
#*** Possible, however there will be no server identity validation
#** Use Bcfg2 prior to 1.0 in Device
#*** Possible, however there will be no server identity validation
#* Contributions welcome
# Bcfg2 is not packaged for Maemo
#* Must be installed from source
# There is no good way for bootstrapping right now
#* Installation must be performed from Device command line

=== Server installation ===

Download and install version 1.0.1 following instructions found at [http://trac.mcs.anl.gov/projects/bcfg2/wiki/Download Bcfg2 web site]

Note that the server should reside in a network the Device is able to access.

=== Client installation ===

==== Option 1: Install old version ====

Download [http://ftp.mcs.anl.gov/pub/bcfg/archive/bcfg2-0.9.6.tar.gz bcfg2-0.9.6] in to the Device. Open terminal window and install Bcfg2 by entering following commands

apt-get install python
tar zxvf bcfg2-0.9.6.tar.gz
cd bcfg2-0.9.6
python setup.py install --install-layout deb --record /root/bcfg2files

==== Option 2: Install current version ====

This option is somewhat more complicated since we need to re-include tlslib into Bcfg2

Download [http://ftp.mcs.anl.gov/pub/bcfg/archive/bcfg2-0.9.6.tar.gz bcfg2-0.9.6] and [http://ftp.mcs.anl.gov/pub/bcfg/archive/bcfg2-1.0.1.tar.gz bcfg2-1.0.1] both. Extract them:

tar zxvf bcfg2-0.9.6.tar.gz
tar zxvf bcfg2-1.0.1.tar.gz

Get tlslib and from older version

cp -r bcfg2-0.9.6/src/lib/tlslite bcfg2-1.0.1/src/lib

Download [http://trac.mcs.anl.gov/projects/bcfg2/browser/trunk/bcfg2/src/lib/Proxy.py?rev=5168&format=txt this version] of Proxy.py from Bcfg2 site and save it as <code>bcfg2-1.0.1/src/lib/Proxy.py</code>

Edit <code>bcfg2-1.0.1/src/lib/Proxy.py</code>. Add dummy placeholders <code>ca</code> and <code>allowedServerCNs</code> into ComponentProxy definition so it looks like below:

def ComponentProxy (url, user=None, password=None, fingerprint=None,
key=None, ca=None, allowedServerCNs=None, cert=None):

Edit <code>bcfg2-1.0.1/setup.py</code>
Add the packages <code>Bcfg2.tlslite</code>, <code>Bcfg2.tlslite.integration</code>, and <code>Bcfg2.tlslite.utils</code> back into the packages list in setup.py, as seen in [https://trac.mcs.anl.gov/projects/bcfg2/browser/trunk/bcfg2/setup.py?rev=5182 here]

Repackage the source directory

tar zcvf bcfg2-1.0.1-mod.tar.gz bcfg2-1.0.1

Transfer <code>bcfg2-1.0.1-mod.tar.gz</code> to the Device. Open (at Device) terminal window and install Bcfg2 by entering following commands

apt-get install python
tar zxvf bcfg2-1.0.1-mod.tar.gz
cd bcfg2-1.0.1
python setup.py install --install-layout deb --record /root/bcfg2files

=== Installation notes ===

Reinstalling Bcfg2: Remove <code>bcfg2-1.0.1/build</code> directory before re-run of <code>setup.py</code>

Removing Bcfg2: remove files listed at <code>/root/bcfg2files</code>

=== Simple sample configuration ===

In the following we create a simple configuration at the Bcfg2 server, just to make you get on board quicker (empty configurations are not very illustrative). In the sample configuration we do three things:
* Manage the content of a simple file <code>/etc/simple</code>
* Manage the content of a file <code>/etc/bcfg2.info</code> using template
* Run a simple action, a shell command <code>ls / > /tmp/foobar</code>

Throughout this article we assume the configuration repository is at default location <code>/var/lib/bcfg2</code>.

Edit file <code>/var/lib/bcfg2/Metadata/groups.xml</code> to contain following:

<Groups>
<Group name='armel'/>
<Group name='linux'/>
<Group name='deb'>
<Group name='linux'/>
</Group>
<Group name='maemo'>
<Group name='deb'/>
<Bundle name='sample'/>
</Group>
<Group name='fremantle'>
<Group name='maemo'/>
</Group>
</Groups>

Edit file <code>/var/lib/bcfg2/Bundler/sample.xml</code> to contain following:

<Bundle name='sample'>
<ConfigFile name='/etc/simple'/>
<ConfigFile name='/etc/bcfg2.info'/>
<BoundAction name="simple" timing='post' when='always' status='check' command="ls / > /tmp/foobar"/>
</Bundle>

Edit file <code>/var/lib/bcfg2/Cfg/etc/simple/simple</code> to contain following (Create directories as needed):

This is a simple file

Edit file <code>/var/lib/bcfg2/Cfg/etc/simple/simple</code> to contain following:

<FileInfo>
<Info owner='root' group='root' perms='0644' encoding='ascii'/>
</FileInfo>

Edit file <code>/var/lib/bcfg2/TCheetah/etc/bcfg2.info/template</code> to contain following (Create directories as needed):

Hostname: $self.metadata.hostname
Uuid: $self.metadata.uuid
Password: $self.metadata.password
Profile: $self.metadata.profile
Groups: #echo ','.join($self.metadata.groups)#
Bundles: #echo ','.join($self.metadata.bundles)#

Edit file <code>/var/lib/bcfg2/TCheetah/etc/bcfg2.info/info.xml</code> to contain following:

<FileInfo>
<Info owner='root' group='root' perms='0644' encoding='ascii'/>
</FileInfo>

==== Some explanation: ====

Bcfg2 builds the configuration using layered approach:

* Metadata (roughly: "which kind of configuration should be where")
* Abstract (roughly: what should be configured)
* Literal (roughly: how exactly that "what" should be achieved)

In this example, we have two instances of the same abstract configuration item (ConfigFile). They are however handled by two different literal configuration generators, Cfg, which handles simple files and TCheetah which handles more complicated files using built-in Cheetah templating engine.

One thing to like in Bcfg2 is that it does not mandate things too much. Third item is an example of that. Bcfg2 allows short-circuiting the Literal layer processing altogether by adding "Bound" in front of the keyword. In a simple cases where what we want exactly is already known already at abstract level this can simplify things.

=== Hooking the Device and Bcfg2 server together ===

At server, add following line into <code>/var/lib/bcfg2/Metadata/clients.xml</code>

<Client uuid="foo" name="bar" profile="maemo" password="xyzzy" pingable="N" location="floating" auth="cert+password"/>

No need to restart the Bcfg2 server, it picks the changes on the fly. Next, at the Device, edit the file <code>/etc/bcfg2.conf</code> to look like following:

[communication]
protocol = xmlrpc/ssl
user = foo
password = xyzzy

[components]
bcfg2 = https://bcfg2server.example.com:6789

Now you should be able to invoke Bcfg2 client and make first connection to the server using command

bcfg2 -I

You should now be prompted a confirmation for three configuration item defined in the sample configuration, due to use of <code>-I</code> option.

<hr/>

== Appendix: Hints on Bcfg2 usage ==

=== Autogroup probe ===

Bcfg2 is able to automatically determine group memberships using probes. [http://wiki.maemo.org/Image:Autogroup.sh Here] is a sample probe code which recognizes Maemo devices among many other computers. Just put the code into a file at Probes directory, for example, <code>/var/lib/bcfg2/Probes/autogroup</code>

At Bcfg2 web site is another [http://trac.mcs.anl.gov/projects/bcfg2/wiki/Plugins/Probes/examples/group example] of autogroup probe code. This code does not recognize Maemo but might do better work with some other platforms.

<hr/>

== TODO ==

This is the "dont look here" part, stuff under construction

MaemoAPT package driver
# Maemo does not have debsums utility
#* Causes APT package driver not to load

[[Category:Power users]]

Maemo Wiki Mirror - User contributions [en]

Device management using Bcfg2