Saving fai-logs via rsyncd

From FAIWiki
Jump to: navigation, search


Saving fai-logs via rsyncd

Here is a quick hack to transfer the fai-logs to the install server via rsyncd.

What you need

  • rsyncd service on the install server
  • some password (this is only used for the rsync module, no system user required)
  • hook in your config space which saves the logs via rsync


  • no need for additional (insecure) user account (aka $LOGUSER)
  • logs can be saved to a write-only module, so clients can not read other clients logs
  • easy setup

In this howto the faiserver has the hostname zs13 and the client is named vm5, both running Ubuntu 6.06 Dapper.

Setup and test rsyncd

On the install server we need to setup rsyncd. This can be run standalone or by (x)inetd. You could use any machine that the clients can see during install, but I'll use the install server for now.


log file = /var/log/rsyncd.log
  auth users = fai
  secrets file = /etc/rsyncd.secrets
  hosts allow = *
#  write only = yes
  read only = no
  use chroot = yes
  uid = 0
  gid = 0

The user given in the auth users line is internal to rsyncd. You need a line in /etc/rsyncd.secrets which contains the username and a password (cleartext):



Now you need to configure (x)inetd to start rsyncd upon connections to the rsync port (873/tcp):


service rsync
       disable         = no
       socket_type     = stream
       wait            = no
       user            = root
       server          = /usr/bin/rsync
       server_args     = --daemon
       log_on_failure  += USERID

Tell xinetd to reload its config:

root@zs13:~> /etc/init.d/xinetd reload
Reloading internet superserver configuration: xinetd.

If you are using inetd, you'll need a line like the following in /etc/inetd.conf:

rsync   stream  tcp     nowait  root    /usr/bin/rsync    rsync --daemon

test rsyncd

You can check if xinetd listens on the rsync port:

root@zs13:~> lsof -c xinetd -a -i
xinetd  24768 root    5u  IPv4 1278934       TCP *:rsync (LISTEN)
xinetd  24768 root    6u  IPv4  553296       UDP *:tftp

You can now check for the module from the client machine even without the password (note the two :'s!):

root@vm5:~> rsync zs13::

To list the contents of the rsync module (you need to comment the write only = yes in rsyncd.conf) you need a password:

root@zs13:~> touch /var/log/failogs/this_is_zs13-var-log-failogs
root@vm5:~> RSYNC_PASSWORD=StupidPasswordPleaseChangeMe rsync fai@zs13::failogs
drwxr-xr-x          96 2006/08/31 16:59:59 .
-rw-r--r--           0 2006/08/29 19:11:20 this_is_zs13-var-log-failogs

with write only = yes you get:

root@vm5:~> RSYNC_PASSWORD=StupidPasswordPleaseChangeMe rsync fai@zs13::failogs
ERROR: module is write only

The password can be stored in a file and then referenced with the --password-file=... option of rsync.

tcp wrappers

If you get an error message like:

root@vm5:~> rsync zs13::
rsync: read error: Connection reset by peer (104)
rsync error: error in rsync protocol data stream (code 12) at io.c(584)

you might need to configure tcp-wrappers to allow the connection. In this case the server should log this to /var/log/daemon.log:

Aug 31 16:43:53 zs13 xinetd[26979]: libwrap refused connection to rsync (libwrap=rsync) from

To enable access for the rsync client, add a line to /etc/hosts.allow on the server. The following example allows access for all machines in the and subnets and for localhost:

root@zs13:~> grep ^rsync /etc/hosts.allow

hook for saving logs via rsync

I'm currently using a hook savelog.DEFAULT to transfer the logs. Ideally this would be part of fai-savelog accompanied by some variables in fai.conf.


#JMD(29.08.06): hook version of rsync support for logfiles

[ "$debug" ] && set -x

# this should go into /etc/fai/fai.conf

# this should go into $NFSROOT:/usr/lib/fai/fai-savelog
save_log_remote_rsync() {
    if ! which rsync >/dev/null; then
        # rsync is missing
        [ $FAI_ACTION = "install" ] && cat <<EOF
ERROR: You selected FAI_LOGPROTO=rsync but rsync is not available in nfsroot.
You need to add rsync to the packages-variable in make-fai-nfsroot.conf and
run make-fai-nfsroot.
    echo "Saving log files via rsync to $FAI_RSYNC_HOST::$FAI_RSYNC_MODULE"
    local _tmpdir=$(mktemp -d -p /tmp savelog.XXXXXX)

    # constructing logdir structure
    mkdir -p $_tmpdir/$FAI_ACTION-$FAI_RUNDATE
    cp -a $LOGDIR/. $_tmpdir/$FAI_ACTION-$FAI_RUNDATE/.
    ln -snf $FAI_ACTION-$FAI_RUNDATE $_tmpdir/last-$FAI_ACTION
    ln -snf $FAI_ACTION-$FAI_RUNDATE $_tmpdir/last

    RSYNC_PASSWORD=StupidPasswordPleaseChangeMe rsync -a ${debug:+-v} \

    rm -fr $_tmpdir


Oh, yeah, right. You might want to change that password from StupidPasswordPleaseChangeMe to something else...


by allee:

  • /var/log/failogs/ and /etc/rsyncd.secrets contains security sensitive information
 chmod 700 /var/log/failogs/
 chmod 600 /etc/rsyncd.secrets
  • at least kubuntu and debian pkgs come with an init.d script that can be used as an alternative to the *inetd methods:
 vi /etc/default/rsync     # set: RSYNC_ENABLE=true
 invoke-rc.d rsync start
  • with the init.d method and for FAISERVERs with several network interfaces one can also use the IP# of the SERVERINTERFACE with the --address IP# command-line option or the address config-file option to restrict the interfaces rsync listens
  • eventually one should use use rsync --password-file instead of env var (more secure for softupdate). Mode 600 of course ;)


by allee:

  • having such a helpful error msg for softupdate as for install would be nice
  • would be nice to combine this rsyncd with the error collecting method of the default savelog.LAST method.
Personal tools