Saving fai-logs via rsyncd

From FAIWiki

Here is a quick hack to transfer the fai-logs to the install server via rsyncd.

What you need

  • rsyncd service on the install server
  • some password (this is only used for the rsync module, no system user required)
  • hook in your config space which saves the logs via rsync

Benefits

  • no need for additional (insecure) user account (aka $LOGUSER)
  • logs can be saved to a write-only module, so clients can not read other clients' logs
  • easy setup

In this howto the faiserver has the hostname zs13 and the client is named vm5, both running Ubuntu 6.06 Dapper.

Setup and test rsyncd

On the install server we need to set up rsyncd. This can be run standalone or by (x)inetd. You could use any machine that the clients can see during install, but I'll use the install server for now.

faiserver:/etc/rsyncd.conf:

log file = /var/log/rsyncd.log
[failogs]
  auth users = fai
  secrets file = /etc/rsyncd.secrets
  hosts allow = *.physik.fu-berlin.de
  path=/var/log/failogs
#  write only = yes
  read only = no
  use chroot = yes
  uid = 0
  gid = 0

The user given in the auth users line is internal to rsyncd. You need a line in /etc/rsyncd.secrets which contains the username and a password (cleartext):

zs13:/etc/rsyncd.secrets:

fai:StupidPasswordPleaseChangeMe

Now you need to configure (x)inetd to start rsyncd upon connections to the rsync port (873/tcp):

zs13:/etc/xinetd.d/rsync:

service rsync
{
       disable         = no
       socket_type     = stream
       wait            = no
       user            = root
       server          = /usr/bin/rsync
       server_args     = --daemon
       log_on_failure  += USERID
}

Tell xinetd to reload its config:

root@zs13:~> /etc/init.d/xinetd reload
Reloading internet superserver configuration: xinetd.

If you are using inetd, you'll need a line like the following in /etc/inetd.conf:

rsync   stream  tcp     nowait  root    /usr/bin/rsync    rsync --daemon

test rsyncd

You can check if xinetd listens on the rsync port:

root@zs13:~> lsof -c xinetd -a -i
COMMAND   PID USER   FD   TYPE  DEVICE SIZE NODE NAME
xinetd  24768 root    5u  IPv4 1278934       TCP *:rsync (LISTEN)
xinetd  24768 root    6u  IPv4  553296       UDP *:tftp

You can now check for the module from the client machine even without the password (note the two :'s!):

root@vm5:~> rsync zs13::
failogs

To list the contents of the rsync module (you need to comment out the write only = yes line in rsyncd.conf) you need a password:

root@zs13:~> touch /var/log/failogs/this_is_zs13-var-log-failogs
root@vm5:~> RSYNC_PASSWORD=StupidPasswordPleaseChangeMe rsync fai@zs13::failogs
drwxr-xr-x          96 2006/08/31 16:59:59 .
-rw-r--r--           0 2006/08/29 19:11:20 this_is_zs13-var-log-failogs

With write only = yes you get:

root@vm5:~> RSYNC_PASSWORD=StupidPasswordPleaseChangeMe rsync fai@zs13::failogs
ERROR: module is write only

The password can be stored in a file and then referenced with the --password-file=... option of rsync.

tcp wrappers

If you get an error message like:

root@vm5:~> rsync zs13::
rsync: read error: Connection reset by peer (104)
rsync error: error in rsync protocol data stream (code 12) at io.c(584)

you might need to configure tcp-wrappers to allow the connection. In this case the server should log this to /var/log/daemon.log:

Aug 31 16:43:53 zs13 xinetd[26979]: libwrap refused connection to rsync (libwrap=rsync) from 130.133.32.45

To enable access for the rsync client, add a line to /etc/hosts.allow on the server. The following example allows access for all machines in the 160.45.32.0/22 and 130.133.32.0/22 subnets and for localhost:

root@zs13:~> grep ^rsync /etc/hosts.allow
rsync: 160.45.32.0/22 130.133.32.0/22 127.0.0.1

hook for saving logs via rsync

I'm currently using a hook savelog.DEFAULT to transfer the logs. Ideally this would be part of fai-savelog accompanied by some variables in fai.conf.

$FAI/hooks/savelog.DEFAULT

#!/bin/bash
#JMD(29.08.06): hook version of rsync support for logfiles

[ "$debug" ] && set -x

# this should go into /etc/fai/fai.conf
FAI_RSYNC_USER=fai
FAI_RSYNC_HOST=zs13
FAI_RSYNC_MODULE=failogs

# this should go into $NFSROOT:/usr/lib/fai/fai-savelog
save_log_remote_rsync() {
    if ! which rsync >/dev/null; then
        # rsync is missing in the nfsroot; only complain during install
        [ "$FAI_ACTION" = "install" ] && cat <<EOF
ERROR: You selected FAI_LOGPROTO=rsync but rsync is not available in nfsroot.
You need to add rsync to the packages-variable in make-fai-nfsroot.conf and
run make-fai-nfsroot.
EOF
        exit
    fi
    echo "Saving log files via rsync to $FAI_RSYNC_HOST::$FAI_RSYNC_MODULE"
    local _tmpdir
    _tmpdir=$(mktemp -d -p /tmp savelog.XXXXXX)

    # construct the logdir structure: <action>-<rundate>/ plus "last" symlinks
    mkdir -p "$_tmpdir/$FAI_ACTION-$FAI_RUNDATE"
    cp -a "$LOGDIR/." "$_tmpdir/$FAI_ACTION-$FAI_RUNDATE/."
    ln -snf "$FAI_ACTION-$FAI_RUNDATE" "$_tmpdir/last-$FAI_ACTION"
    ln -snf "$FAI_ACTION-$FAI_RUNDATE" "$_tmpdir/last"

    # upload into a per-host subdirectory of the (write-only) module
    RSYNC_PASSWORD=StupidPasswordPleaseChangeMe rsync -a ${debug:+-v} \
        "$_tmpdir/" "$FAI_RSYNC_USER@$FAI_RSYNC_HOST::$FAI_RSYNC_MODULE/$HOSTNAME"

    rm -fr "$_tmpdir"
}

save_log_remote_rsync

Oh, yeah, right. You might want to change that password from StupidPasswordPleaseChangeMe to something else...
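An added audit script, written for this page and not part of the FAIWiki howto or of FAI itself, that checks an rsyncd setup against the points made here: the secrets file and log directory permissions suggested by allee in the comments below, the example password replaced, and the failogs module authenticated, host-restricted, chrooted and write-only. It assumes GNU stat (Ubuntu/Debian) and takes the file paths as arguments so it can also be run against copies of the configuration.

```shell
#!/bin/sh
# Added audit helper (not part of the FAIWiki howto): checks an rsyncd
# setup for the failogs module against the points made on this page.
# Paths are parameters so it can be run against copies of the files.
# Assumes GNU stat (Ubuntu/Debian).

# Print the value of option $3 inside module [$2] of rsyncd.conf $1
# (empty if the option is absent or commented out).
module_option() {
    awk -v mod="$2" -v key="$3" '
        /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == mod && $0 !~ /^[[:space:]]*#/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

fail() { echo "FAIL: $*"; rc=1; }

# check_failogs_rsyncd CONF SECRETS LOGDIR [MODULE]; returns 0 when every check passes
check_failogs_rsyncd() {
    conf=$1 secrets=$2 logdir=$3 mod=${4:-failogs} rc=0
    # cleartext passwords: only root may read the secrets file (allee's chmod 600)
    [ "$(stat -c %a "$secrets")" = 600 ] || fail "$secrets must be mode 600"
    # one client must not read another client's logs (allee's chmod 700)
    [ "$(stat -c %a "$logdir")" = 700 ] || fail "$logdir must be mode 700"
    # the howto's example password must have been replaced
    ! grep -q StupidPasswordPleaseChangeMe "$secrets" || fail "example password still in $secrets"
    # module hardening: authenticated, host-restricted, chrooted, write-only upload target
    users=$(module_option "$conf" "$mod" "auth users")
    [ -n "$users" ] || fail "[$mod] has no 'auth users'"
    [ -n "$(module_option "$conf" "$mod" "hosts allow")" ] || fail "[$mod] has no 'hosts allow'"
    [ "$(module_option "$conf" "$mod" "use chroot")" = yes ] || fail "[$mod] needs 'use chroot = yes'"
    [ "$(module_option "$conf" "$mod" "read only")" = no ] || fail "[$mod] needs 'read only = no' for uploads"
    [ "$(module_option "$conf" "$mod" "write only")" = yes ] || fail "[$mod] should be 'write only = yes'"
    # every auth user needs a user:password line in the secrets file
    for u in $(printf '%s' "$users" | tr ',' ' '); do
        grep -q "^$u:" "$secrets" || fail "no secret for user $u in $secrets"
    done
    return $rc
}

if [ "$#" -ge 3 ]; then check_failogs_rsyncd "$@"; fi
```

Run as root on the install server with `sh audit.sh /etc/rsyncd.conf /etc/rsyncd.secrets /var/log/failogs`; the unmodified config from this page fails the audit until write only is enabled and the password is changed.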


Comments

by allee:

  • /var/log/failogs/ and /etc/rsyncd.secrets contain security-sensitive information
 chmod 700 /var/log/failogs/
 chmod 600 /etc/rsyncd.secrets
  • at least kubuntu and debian pkgs come with an init.d script that can be used as an alternative to the *inetd methods:
 vi /etc/default/rsync     # set: RSYNC_ENABLE=true
 invoke-rc.d rsync start
  • with the init.d method and for FAISERVERs with several network interfaces one can also use the IP# of the SERVERINTERFACE with the --address IP# command-line option or the address config-file option to restrict the interfaces rsync listens on
  • eventually one should use rsync --password-file instead of env var (more secure for softupdate). Mode 600 of course ;)

Wishes

by allee:

  • having such a helpful error msg for softupdate as for install would be nice
  • would be nice to combine this rsyncd with the error collecting method of the default savelog.LAST method.