Saving fai-logs via rsyncd: Difference between revisions
Latest revision as of 10:33, 17 November 2009
Saving fai-logs via rsyncd
Here is a quick hack to transfer the fai-logs to the install server via rsyncd.
What you need
- rsyncd service on the install server
- some password (this is only used for the rsync module, no system user required)
- hook in your config space which saves the logs via rsync
Benefits
- no need for an additional (insecure) system user account (aka $LOGUSER)
- logs can be saved to a write-only module, so clients cannot read other clients' logs
- easy setup
In this howto the faiserver has the hostname zs13 and the client is named vm5, both running Ubuntu 6.06 Dapper.
Setup and test rsyncd
On the install server we need to set up rsyncd. It can run standalone or be started from (x)inetd. You could use any machine that the clients can reach during the install, but I'll use the install server for now.
faiserver:/etc/rsyncd.conf:
log file = /var/log/rsyncd.log

[failogs]
auth users = fai
secrets file = /etc/rsyncd.secrets
hosts allow = *.physik.fu-berlin.de
path=/var/log/failogs
# write only = yes
read only = no
use chroot = yes
uid = 0
gid = 0
The user given in the auth users line is internal to rsyncd. You need a line in /etc/rsyncd.secrets which contains the username and a password (cleartext):
zs13:/etc/rsyncd.secrets:
fai:StupidPasswordPleaseChangeMe
Now you need to configure (x)inetd to start rsyncd upon connections to the rsync port (873/tcp):
zs13:/etc/xinetd.d/rsync:
service rsync
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/bin/rsync
    server_args     = --daemon
    log_on_failure  += USERID
}
Tell xinetd to reload its config:
root@zs13:~> /etc/init.d/xinetd reload
Reloading internet superserver configuration: xinetd.
If you are using inetd, you'll need a line like the following in /etc/inetd.conf:
rsync stream tcp nowait root /usr/bin/rsync rsync --daemon
test rsyncd
You can check if xinetd listens on the rsync port:
root@zs13:~> lsof -c xinetd -a -i
COMMAND   PID USER   FD   TYPE  DEVICE SIZE NODE NAME
xinetd  24768 root    5u  IPv4 1278934      TCP *:rsync (LISTEN)
xinetd  24768 root    6u  IPv4  553296      UDP *:tftp
You can now check for the module from the client machine even without the password (note the two :'s!):
root@vm5:~> rsync zs13::
failogs
To list the contents of the rsync module you need the password (and write only = yes must be commented out in rsyncd.conf, as in the listing above):
root@zs13:~> touch /var/log/failogs/this_is_zs13-var-log-failogs
root@vm5:~> RSYNC_PASSWORD=StupidPasswordPleaseChangeMe rsync fai@zs13::failogs
drwxr-xr-x          96 2006/08/31 16:59:59 .
-rw-r--r--           0 2006/08/29 19:11:20 this_is_zs13-var-log-failogs
with write only = yes you get:
root@vm5:~> RSYNC_PASSWORD=StupidPasswordPleaseChangeMe rsync fai@zs13::failogs
ERROR: module is write only
The password can be stored in a file and then referenced with the --password-file=... option of rsync.
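As an added example (not part of the original howto, and not rsync's own tooling), here is a small POSIX sh audit script that reads an rsyncd.conf the way the listing above is written (sections in brackets, key = value lines, commented-out lines ignored) and checks the [failogs] module against the properties this page relies on: write only = yes, read only = no, auth users and hosts allow set, chroot left on, the secrets file at mode 600 and the module path at mode 700 (the permissions the comments at the bottom of the page recommend). The configuration and secrets files it writes are constructed for the demo; the function names rsyncd_get, has_mode, check_failogs_module and make_sample_configs are mine.

```shell
#!/bin/sh
# Added example: audit an rsyncd.conf module for the write-only log drop-box
# setup described in the FAI howto. Not part of the page or of rsync.

# rsyncd_get MODULE KEY FILE
# Print the value of KEY inside section [MODULE] of FILE ("" = global
# section). Comment lines are skipped, so a "# write only = yes" line counts
# as unset, exactly as rsyncd would treat it.
rsyncd_get() {
    awk -v mod="$1" -v key="$2" '
        BEGIN { insec = (mod == "") }
        /^[ \t]*\[/ {
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec)
            insec = (sec == mod); next
        }
        !insec || /^[ \t]*#/ || index($0, "=") == 0 { next }
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$3"
}

# has_mode PATH MODE: exact permission test, works with GNU and BSD find.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# check_failogs_module CONF SECRETS MODULE
# Returns 0 when every expectation from the howto holds, 1 otherwise,
# printing one "FAIL: ..." line per broken expectation.
check_failogs_module() {
    conf=$1; secrets=$2; mod=$3; rc=0
    fail() { echo "FAIL: $1"; rc=1; }

    [ "$(rsyncd_get "$mod" 'write only' "$conf")" = yes ] \
        || fail "module $mod is not 'write only = yes': clients could read other clients' logs"
    [ "$(rsyncd_get "$mod" 'read only' "$conf")" = no ] \
        || fail "module $mod keeps rsyncd's default 'read only = yes': uploads would be refused"
    [ -n "$(rsyncd_get "$mod" 'auth users' "$conf")" ] \
        || fail "module $mod has no 'auth users': anyone reaching port 873 could upload"
    [ -n "$(rsyncd_get "$mod" 'hosts allow' "$conf")" ] \
        || fail "module $mod has no 'hosts allow' restriction"
    [ "$(rsyncd_get "$mod" 'use chroot' "$conf")" != no ] \
        || fail "module $mod disables chroot"
    [ "$(rsyncd_get "$mod" 'secrets file' "$conf")" = "$secrets" ] \
        || fail "module $mod does not use secrets file $secrets"
    has_mode "$secrets" 600 || fail "$secrets is not mode 600"
    path=$(rsyncd_get "$mod" path "$conf")
    [ -d "$path" ] && has_mode "$path" 700 \
        || fail "module path '$path' is not a mode 700 directory"
    return $rc
}

# make_sample_configs DIR: constructed sample files for the demo and tests.
# weak.conf mirrors the page's listing (write only still commented out) with
# loose permissions; good.conf is the hardened version.
make_sample_configs() {
    dir=$1
    mkdir -p "$dir/weaklogs" "$dir/goodlogs"
    chmod 755 "$dir/weaklogs"; chmod 700 "$dir/goodlogs"
    printf 'fai:StupidPasswordPleaseChangeMe\n' > "$dir/weak.secrets"
    printf 'fai:StupidPasswordPleaseChangeMe\n' > "$dir/good.secrets"
    chmod 644 "$dir/weak.secrets"; chmod 600 "$dir/good.secrets"
    for variant in weak good; do
        if [ "$variant" = good ]; then wo="write only = yes"; else wo="# write only = yes"; fi
        cat > "$dir/$variant.conf" <<EOF
log file = $dir/rsyncd.log

[failogs]
auth users = fai
secrets file = $dir/$variant.secrets
hosts allow = *.physik.fu-berlin.de
path=$dir/${variant}logs
$wo
read only = no
use chroot = yes
uid = 0
gid = 0
EOF
    done
}

# Demo: run both constructed samples through the checker.
demo_dir=$(mktemp -d)
make_sample_configs "$demo_dir"
echo "== weak.conf (as listed on the page, before uncommenting write only) =="
if check_failogs_module "$demo_dir/weak.conf" "$demo_dir/weak.secrets" failogs; then
    echo "OK"; else echo "-> not yet a safe drop box"; fi
echo "== good.conf =="
if check_failogs_module "$demo_dir/good.conf" "$demo_dir/good.secrets" failogs; then
    echo "OK: module is a write-only drop box"; fi
rm -rf "$demo_dir"
```

Run it as is to see the three findings for the page's listing (write only unset, secrets file mode 644, log directory mode 755), or call check_failogs_module /etc/rsyncd.conf /etc/rsyncd.secrets failogs on a real server once the listing test above has been done and write only = yes has been uncommented.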
tcp wrappers
If you get an error message like:
root@vm5:~> rsync zs13::
rsync: read error: Connection reset by peer (104)
rsync error: error in rsync protocol data stream (code 12) at io.c(584)
you might need to configure tcp-wrappers to allow the connection. In this case the server logs the refused connection to /var/log/daemon.log:
Aug 31 16:43:53 zs13 xinetd[26979]: libwrap refused connection to rsync (libwrap=rsync) from 130.133.32.45
To enable access for the rsync client, add a line to /etc/hosts.allow on the server. The following example allows access for all machines in the 160.45.32.0/22 and 130.133.32.0/22 subnets and for localhost:
root@zs13:~> grep ^rsync /etc/hosts.allow
rsync: 160.45.32.0/22 130.133.32.0/22 127.0.0.1
hook for saving logs via rsync
I'm currently using a hook savelog.DEFAULT to transfer the logs. Ideally this would be part of fai-savelog accompanied by some variables in fai.conf.
$FAI/hooks/savelog.DEFAULT
#!/bin/bash
# JMD(29.08.06): hook version of rsync support for logfiles

[ "$debug" ] && set -x

# this should go into /etc/fai/fai.conf
FAI_RSYNC_USER=fai
FAI_RSYNC_HOST=zs13
FAI_RSYNC_MODULE=failogs

# this should go into $NFSROOT:/usr/lib/fai/fai-savelog
save_log_remote_rsync() {
    if ! which rsync >/dev/null; then
        # rsync is missing in the nfsroot: complain (on install) and give up
        [ "$FAI_ACTION" = "install" ] && cat <<EOF
ERROR: You selected FAI_LOGPROTO=rsync but rsync is not available in nfsroot.
You need to add rsync to the packages-variable in make-fai-nfsroot.conf and
run make-fai-nfsroot.
EOF
        exit
    fi
    echo "Saving log files via rsync to $FAI_RSYNC_HOST::$FAI_RSYNC_MODULE"
    local _tmpdir=$(mktemp -d -p /tmp savelog.XXXXXX)
    # constructing logdir structure: <action>-<date> plus the last-<action> and last symlinks
    mkdir -p "$_tmpdir/$FAI_ACTION-$FAI_RUNDATE"
    cp -a "$LOGDIR/." "$_tmpdir/$FAI_ACTION-$FAI_RUNDATE/."
    ln -snf "$FAI_ACTION-$FAI_RUNDATE" "$_tmpdir/last-$FAI_ACTION"
    ln -snf "$FAI_ACTION-$FAI_RUNDATE" "$_tmpdir/last"
    # push the tree into the write-only module, one subdirectory per client
    RSYNC_PASSWORD=StupidPasswordPleaseChangeMe rsync -a ${debug:+-v} \
        "$_tmpdir/" "$FAI_RSYNC_USER@$FAI_RSYNC_HOST::$FAI_RSYNC_MODULE/$HOSTNAME"
    rm -fr "$_tmpdir"
}

save_log_remote_rsync
Oh, yeah, right. You might want to change that password from StupidPasswordPleaseChangeMe to something else...
Comments
by allee:
- /var/log/failogs/ and /etc/rsyncd.secrets contain security sensitive information
chmod 700 /var/log/failogs/
chmod 600 /etc/rsyncd.secrets
- at least kubuntu and debian pkgs come with an init.d script that can be used as an alternative to the *inetd methods:
vi /etc/default/rsync   # set: RSYNC_ENABLE=true
invoke-rc.d rsync start
- with the init.d method and for FAISERVERs with several network interfaces one can also use the IP# of the SERVERINTERFACE with the --address IP# command-line option or the address config-file option to restrict the interfaces rsync listens on
- eventually one should use rsync --password-file instead of the env var (more secure for softupdate). Mode 600 of course ;)
Wishes
by allee:
- having such a helpful error msg for softupdate as for install would be nice
- would be nice to combine this rsyncd with the error collecting method of the default savelog.LAST method.