Purpose (top - introduction - files - procedure - example - tools)

This document is intended to supplement the General Configuration and Change Management Plan for ARSC systems by providing details on how configuration files and local modifications are maintained across all ARSC platforms.

Document Index / Related Documentation

Introduction (top - introduction - files - procedure - example - tools)

The general principle is files are not arbitrarily modified and are monitored for correctness including type, content, ownership, and mode (access permission). In addition, change history and backout copies are retained for all configuration changes and for recovery and security these are maintained on a administrative host not exposed to general users. These principles apply to all aspects of systems management, but software installed and managed by vendor tools (rpm, pkginst, lslpp, ...), or under /usr/local using 'Installing Third Party Software' are managed by those procedures. Likewise account creation is also handled by separate procedures even though the related files are monitored under ConfigFiles.

The ConfigFiles are typically under /etc or /usr, but may fall under other directories. Typically /usr/local files do not fall under ConfigFiles, but there are a few exceptions for critical files. Any file in system space which must be added, changed, or replaced (e.g., a binary) outside of a vendor provided tool is a candidate for ConfigFiles to ensure it is not regressed or arbitrarily lost or changed. Any files which have significant security ramifications, whether locally modified or not, are also monitored by ConfigFiles. The suid|sgid files which must be monitored for security are handled via the permchk process, a few exceptions are in ConfigFiles for local modification or version tracking.

ARSC uses similar procedures across all platforms:

Platform Type	host(s)	admin from	/var/local/ directories	List and machines	Uses push?	Other platform tools	Email
Linux	puppychow, ag*, cms, workstations (48+), ...	dispatch	LinuxFiles	LinuxFiles/List.txt LinuxFiles/Long.txt etc/machines.linux	yes		linuxman
Sun Solaris	40+ systems	dispatch	SunFiles	SunFiles/List.txt SunFiles/Long.txt etc/machines.sun	yes	mush	sunman
Sun Linux	midnight (420+ nodes)	mn1sm	LinuxFiles	LinuxFiles/List.txt LinuxFiles/Long.txt etc/machines.linux	yes	pdsh	midman
Cray CLE	pingo (25) ognip (7)	piboot ogboot	CrayFiles	CrayFiles/List.txt CrayFiles/Long.txt etc/machines.cray	yes	xtopview xtspec pdsh	crayman

Management Files (top - introduction - files - procedure - example - tools)

• /usr/local/adm/etc/machines.* (.cray, .linux, .sun, ...)

  This file contains the list of managed systems and is manually maintained. The white space delimited columns include:

     1  machine               # hostname
     2  type                  # e.g.: 'x4200', 'V120', 'w1100z', ...
     3  status                # 'offline' or 'ok' (or 'Linux', 'SunOS', ...)
     4  usage/class           # e.g.: 'admin', 'compute', 'login', ...
     5  version_major         # e.g.: '5.2', 'rh4', '2.6', ...
     6  version_minor         # e.g.: '4', '8', ...
     7  serial_number/alias   # e.g.: '0521AM0162', 'a=csmflyer', ...
     8  location/rack/other   # e.g.: 'Butro007', 'W105-G', ...
     9  management_server     # Where used, indicates controlling server (e.g.: 'nis', 'mn1sm', ...)
    10  reserved1             # - not currently used -
    11  reserved2             # - not currently used -
    12  comments              # Any content permitted, including white space.
  

  Columns 1 - 9 are used by various scripts. The 'comments' column is always the last column. As the need arises, additional columns (such as 'reserved1' and 'reserved2) may from time to time be inserted just before the comments column. No column entry may contain white space, with the exception of the final field ('comments'). The 'status' field is used to indicate whether a system is online and must be updated when a machine is down for a significant period of time to prevent delays (ssh timeouts) in push and monitoring processes.

  Contact platform ISSO for other specific column meanings.

  Note, capability for a virtual host alias column prior to "other" exists and is recognized for push commands, for example:

  #machine type  status usage   Maj Min alias      other   comments
  #------- ----  ------ -----   --- --- -----      ----    --------
  flyman   flyer AIX    admin   5.2  9  a=csmflyer MS      management server
  iceflyer flyer AIX    login   5.2  9  a=f2n1     Login   p650 node
  icef1n1  flyer AIX    compute 5.2  9  a=f1n1     Compute p690 lpar
  icef3n1  flyer AIX    test    5.2  9  a=f3n1     Test    p610 node
  icef4n1  flyer AIX    compute 5.3  5  a=f4n1     Compute p575 node
  ...
  

  In the above, 'a=' allows a node to be recognized by a common alias, such as:

  dispatch: push -ibm -m csmflyer cmd -eq uname -a
           flyman:AIX csmflyer 2 5 00095C1A4C00
  

  Note that any machine *Files entries must represent the actual host name not the alias, e.g. krb5.keytab.flyman. The 'push -o' option can still be used:

  dispatch: push -ibm -o MS cmd -eq uname -a
           flyman:AIX csmflyer 2 5 00095C1A4C00
          bergman:AIX csmberg 2 5 0007BB3A4C00
  

• /var/local/*Files/... (Config*, Linux*, Sun*, ...)

  These directories represent the monitored ConfigFiles for each platform. The directories and contents are manually maintained on the administrative management host for the platform. The structure maps the file monitored, for example, the directory
    /var/local/ConfigFiles/etc/hosts/
  maps /etc/hosts for platform nodes.

  Note:

  • Any sub-directory containing a backout identifies a monitored file.
  • For new ConfigFiles in progress defer the 'mkdir backout'.
  • For ConfigFiles being retired 'mv backout retired'.
  • Ownership of ConfigFiles directories is root:*man and mode 0750.

• /var/local/*Files/.../filename.extension

  These files map the actual files on the managed machines, for example:
    /var/local/ConfigFiles/etc/hosts/hosts.mcgrew
  represents the /etc/hosts file on mcgrew including contents, mode, and ownership. The extension (in order of precedence) can be .hostname, .type, .usage, .Maj, .Maj.Min, .other, or .template. For example, if machines.list contained:

  #machine  type    status   usage    Maj  Min   Other
  #-------  ----    ------   -----    ---  ---   -----
  csmflyer  csm     AIX      admin    5.2  9.03  MS
  f2n1      p4      AIX      network  5.2  8csp  Frame2      
  f3n1      p4      AIX      test     5.2  9.03  Frame3
  f4n1      p5      AIX      compute  5.3  4csp  Frame4
  

  The file for node f2n1 under /var/local/ConfigFiles/etc/hosts/ might be (first match):

  hosts.f2n1	(machine)	specific to the node
  hosts.p4	(type)	for power4 systems
  hosts.network	(usage)	for network nodes
  hosts.5.2	(MajorOS)	for AIX 5.2 nodes
  hosts.5.2.8csp	(Maj.Min)	for AIX 5200-08-CSP nodes
  hosts.Frame2	(Other)	for nodes in Frame2
  hosts.template	(general)	for any node not matched above

  When the above are files, the mode and ownership match what is on the node and the file contents should be identical. For platforms where the management host is a different architecture, pay attention to the numeric UID|GID for ownership as there may be variance in the alpha representation when <100. Note, ACLs are not supported by ARSC and are not specifically monitored. However, presence of an ACL will be detected and reported. ACLs are represented with a '+' after the 4-character octal mode.

  In addition, the following special representations or files can exist within a ConfigFiles directory:

  1. A symlink containing a '/' identifies the target system is a symlink not a file, for example:
       hosts.f2n1 -> /usr/software/etc/hosts
     indicates:
       f2n1:/etc/hosts -> /usr/software/etc/hosts
     These links represent the symlink on the managed node and cannot be maintained via 'push config'.

  2. A symlink to a file in the ConfigFiles directory, for example:
       hosts.f3n1 -> hosts.special
     indicates the f3n1 file is represented by hosts.special.

  3. A symlink to NOFILE, for example:
       hosts.compute -> NOFILE
     indicates compute nodes, such as f4n1 should not have an /etc/hosts file at all. The NOFILE link is used primarily when a *.template must exist but one or more nodes do not have a file. An empty ConfigFiles directory (with backout sub-directory) indicates no nodes on the platform should have that file, this technique is used to ensure files like /.rhosts do not appear unnoticed.

  4. A symlink to NFS, for example:
       sguid.list.template -> NFS
     indicates the template (majority of nodes) is on an NFS mounted filesystem and should be ignored for push and and sanity checks. The NFS link is used primarily where there are multiple /usr/local directories being managed (e.g., LinuxFiles from dispatch or mnism).

  5. A symlink to DIRECTORY, for example:
       network.neladm -> DIRECTORY
     indicates the target on neladm is a directory. For example, RHEL Linux has /etc/sysconfig/network as a file while on SUSE Linux this is a directory. These links represent the managed node has a directory, the mode and ownership is not monitored and these and cannot be maintained via 'push config'.

  6. NOPUSH
     Presence of a NOPUSH file in a ConfigFiles directory indicates the file is not usually pushed, but merely monitored. An example of this is /etc/passwd which is maintained by the Ids tools. The NOPUSH can be overriden with 'push config' by using the '-C' option.

  7. README.ARSC
     Generally specific information files do not exist in ConfigFiles directories. However, if non-standard procedures are required to distribute the file or other special considerations are required, such as referencing a RT ticket for using ConfigFiles to distribute a vendor emergency fix or identifying special considerations why the file exists in ConfigFiles, this file should be created. It is good practice to create a README.ARSC in directories which have a NOPUSH file.

     The README.ARSC files are typically short indicating when, who, any pertinent history, why, and linking to more detailed information in a particular RT ticket or ARSC web document.

  8. backout/
     This directory must exist. It is used for identifying ConfigFiles directories by the automated scripts. ARSC procedure is to always have a backout copy of individual files in the backout/ directories, this is facilitated byt the edconfig and mkbko tools. The backout files are named *.yymmdd[.hhmm]. In addition original files as distributed by the vendors (recommend using an OS version extension) or files for retired systems may be stored in the backout directories. Many files permit inline history comments, but backout copies are retained for actual files used and may date back several years.

• /var/local/*Files/List.txt (Config*, Linux*, Sun*, ...)

  This file contains the list of managed files and is updated by the upd_*Files.ksh script manually or nightly cron via chk_sanity.ksh. The ConfigFiles are under the corresponding /var/local/*Files directory for each platform and are identified by the presence of a 'backout' directory in any sub-directory.

• /var/local/*Files/Long.txt (Config*, Linux*, Sun*, ...)

  This file contains the long listing (mode, ownership, size, sum) of all files under the /var/local/*Files and is used by the chk_sanity.ksh script. This file is updated by the upd_*Files.ksh script manually or nightly cron via chk_sanity.ksh.

Procedure (top - introduction - files - procedure - example - tools)

Any time ConfigFiles are updated the following will generally be followed:

1. Pre-planning as appropriate:
   1. Review within S&U project or related projects
   2. Open RT entry
   3. Define change test and validation procedures
   4. Define backout plan
   5. Establish implementation schedule
   Minor changes under common procedures may be done with minimal planning and no associated RT entry.

2. admin: cd /var/local/*Files/directory
   1. Check if any file specified README.ARSC exists and follow those instructions.
   2. Ensure the current version has been copied into ./backout/file.yyyymmdd.hhmm
      This provides a central tracking and a recovery method.
      The ckbko and mkbko commands can be used for verifying or generating backout copies.

3. admin: /usr/local/adm/bin/edconfig filename.ext
   
   1. Make necessary changes.
   2. If permitted by the file, update the file history at the top or bottom with the date (YYYY-mm-dd), your initials, and a brief summary of what was changed and why, reference RT number if appropriate.
   Note, the edconfig command will automatically make the backout/*.yyyymmdd.hhmm copy.

4. Copy file to production, using one of:
   1. If the file is not to be immediately pushed, create a NOPUSH file to prevent others from accidentally pushing out the change:
      admin: sudo touch ./NOPUSH
      Be sure to email appropriate folks (*man email alias) to notify them of the work-in-progess and that chk_sanity will likely report this file.

   2. If the platform supports push, push the file out to the target systems:

      admin: /usr/local/adm/bin/push config filename
      or
      admin: /usr/local/adm/bin/push one system1[,system2,...] filename
      or
      admin: /usr/local/adm/bin/push -m system1[,system2,...] config filename
      

   3. If the file or platform does not support push, copy the file to production location.
      Note, for binaries be sure to first mv (same filesystem) the target to preserve the inode if the binary is likely in active use.

5. Validate or test the change as appropriate.

6. Appropriately log and notify that file(s) have been pushed:
   1. For platforms which use logit, make an entry.
      Note, both edconfig and push invoke sudo which logs what was done (but not why).
   2. Update any RT entries.
      Not all ConfigFiles changes require RT entries, significant changes or changes with potential user impact will. Note, the RT email facilities can be used in conjunction with the following notifications.
   3. For significant changes email the appropriate *man alias describing the change.
   4. Copy consult and/or the S&U project alias if the change may have user impact.
   5. If the change includes or is implemented with a system restart, the downtime procedure must be followed to log the outage. The downtime email is a substitute for *man|consult email.

7. Next businesss day review the sysmon chk_sanity message to ensure the modifications were properly logged and installed.

Example (top - introduction - files - procedure - example - tools)

The following fabricated ConfigFile demonstrates symlink translations, including:

• Nodes f3n1,f4n1,f4n2 each do not have the file, explicitely for f4n[12] but by lack of template for f3n1.
• For in-directory alias can NOT link to './*', however, the ./directory or ./nofile will work.
• Case does not matter for ./directory or ./nofile.
• Remote mode, ownership, group are not managed on symlinks or directories.
• Nodes f4n[34] both represent symlinks on the remote node, f4n3 would be an alias to yyy in the ConfigFiles/var/local/test directory if that files existed (like xxx for f4n1).

csmflyer: uals -y Mog; pwd
d 0750 root     ibmman backout
l 0777 kcarlson ibmman test.csmflyer -> Directory  
l 0777 kcarlson ibmman test.f1n1 -> xxx
l 0777 kcarlson ibmman test.f1n3 -> ./xxx
- 0640 kcarlson ibmman test.f2n1
l 0777 kcarlson ibmman test.f4n1 -> nofile
l 0777 kcarlson ibmman test.f4n2 -> ./NOFILE
l 0777 kcarlson ibmman test.f4n3 -> yyy
l 0777 kcarlson ibmman test.f4n4 -> ./yyy
- 0640 kcarlson ibmman xxx
/var/local/ConfigFiles/var/local/test

csmflyer: dsh -av -n csmflyer \
 uals -dMog /var/local/test 2>&1 | sort
csmflyer: d 0700  root     root   /var/local/test
f1n1: - 0640 kcarlson ibmman /var/local/test
f1n3: l 0777 root     root   /var/local/test -> ./xxx
f2n1: - 0640 kcarlson ibmman /var/local/test
f3n1: uals: /var/local/test: No such file or directory
f4n1: uals: /var/local/test: No such file or directory
f4n2: uals: /var/local/test: No such file or directory
f4n3: l 0777 root     root   /var/local/test -> yyy
f4n4: l 0777 root     root   /var/local/test -> ./yyy

csmflyer: push config -q test

push_rcp: 1 file(s)
 csmflyer:#symbolic link: /var/local/ConfigFiles/var/local/test/test.csmflyer
     f2n1:/usr/bin/rcp -p /var/local/ConfigFiles/var/local/test/test.f2n1 f2n1:/var/local/test:new
     f1n1:/usr/bin/rcp -p /var/local/ConfigFiles/var/local/test/xxx f1n1:/var/local/test:new
     f1n3:#symbolic link: /var/local/ConfigFiles/var/local/test/test.f1n3
     f3n1:#no appropriate /var/local/ConfigFiles/var/local/test/test.*
     f4n1:#linked NOFILE: /var/local/ConfigFiles/var/local/test/test.f4n1
     f4n2:#linked NOFILE: /var/local/ConfigFiles/var/local/test/test.f4n2
     f4n3:#symbolic link: /var/local/ConfigFiles/var/local/test/test.f4n3
     f4n4:#symbolic link: /var/local/ConfigFiles/var/local/test/test.f4n4

Associated Tools: (top - introduction - files - procedure - example - tools)

The following tools reside in /usr/local/adm/bin and are used to validate or manage system configuration:

• Validation:
  • chk_sanity.ksh
    Perform ConfigFiles sanity check on one or more systems.

  • permchk
    Validate registered sguid.list files.

  • chk_local_dirs.ksh # Crays (and formerly IBM and Irix)
    xts_dirs.ksh # Cray chk_local_dirs.ksh wrapper
    Validate ARSC created directories are properly created.

  • get_state and chk_state # get and check node statefiles

• Management:
  • push
    Push ConfigFiles to system(s), etc.

  • cmp_sanity.ksh
    Back-copy and compare ConfigFiles from one or more systems.

  • edconfig
    Edit a file invoking sudo. Automatically creates ./backout copy after update is made.
    Does not create backout of existing file, use mkbko if necessary.

  • mkbko -? # Create backout of file(s)

      Usage:  mkbko -options file1 [file2...]
    
      Make backout copy of file in [../]backout|old/*.YYYYMMDD[.HHMM] 
    
      Options:
        -q*uiet   # very quiet, do not report anything
        -Q*uiet   # semi-quiet, report any copies made
        -i mask   # files to ignore via egrep, current: " _\.|~$"
        -s*udo    # re-invoke with sudo
    

  • ckbko -? # Validate backout of files(s)

      Usage:  ckbko -options file1 [file2...]
    
      Check backout copy of file in [../]backout|old  with *.YYYYMMDD[.HHMM] stamp.
    
      Options:
        -diff|-sdiff-s|-SDiff  # compare with diff, sdiff -s, or sdiff
        -q*uiet   # quieter (do not report Ok's)
        -[0-9]*   # compare against an older backup
        -i mask   # files to ignore via egrep, current: " _\.|~$"
        -s*udo    # re-invoke with sudo
        -D*ebug   # debug option enabling set -x
    

  • cksumnode -? # Comple files between two systems

    Usage: cksumnode [-options] 
    
    Check file sums (bsd) between two systems
    
    Options:
      -d     compare directories,    Default: $PWD
      -1|-f  1st host to compare,    Default: piman
      -2|-o  other hosts to compare, Default: 
      -e     exclude filter,         Default: backout|old
      -c     use [r|s|kr]sh command, Default: ssh -q
      -y     uals fields beyond sum, Default: 
      -r     do not use sum
      -s     use root (sudo)
      +s     not 'sdiff -s'
    

  • upd_ConfigFiles.ksh -u
    upd_LinuxFiles.ksh -u
    upd_SunFiles.ksh -u
    upd_CrayFiles.ksh -u

    These scripts are used to regenerate the *Files/List.txt and *Files/Long.txt files. They can be invoked manually and are invoked from chk_sanity.ksh in the nightly cron job or any time all nodes on a platform are being checked.

  • uals
    Enhanced ls used by other tools or manually. Includes:
    • '--sum' ('sum -r' equivalent, BSD 4.3 algorithm)
    • '--both' for numeric and alpha UID|GID
    • '--field' for field specification
    • '-RzZ' for recursion and full path listing
    • find-like options, such as '--newer'
    • formattable time, ACL detection, octal mode, and many other capabilities
    Reference:
         uals --help
    or:  man -M /usr/local/adm/man uals
    for additional information.