Device management using Bcfg2

m
m
Line 104: Line 104:
Download and install version 1.0.1 following instructions found at [http://trac.mcs.anl.gov/projects/bcfg2/wiki/Download Bcfg2 web site]
Download and install version 1.0.1 following instructions found at [http://trac.mcs.anl.gov/projects/bcfg2/wiki/Download Bcfg2 web site]
 +
 +
Note that the server should reside in a network the Device is able to access.
=== Client installation ===
=== Client installation ===
Line 109: Line 111:
==== Option 1: Install old version ====
==== Option 1: Install old version ====
-
Download [http://ftp.mcs.anl.gov/pub/bcfg/archive/bcfg2-0.9.6.tar.gz bcfg2-0.9.6] in to the Device. Open terminal window and enter following commands
+
Download [http://ftp.mcs.anl.gov/pub/bcfg/archive/bcfg2-0.9.6.tar.gz bcfg2-0.9.6] in to the Device. Open terminal window and install Bcfg2 by entering following commands
  apt-get install python
  apt-get install python
Line 135: Line 137:
  def ComponentProxy (url, user=None, password=None, fingerprint=None,
  def ComponentProxy (url, user=None, password=None, fingerprint=None,
                     key=None, ca=None, allowedServerCNs=None, cert=None):
                     key=None, ca=None, allowedServerCNs=None, cert=None):
-
 
-
 
Edit <code>bcfg2-1.0.1/setup.py</code>
Edit <code>bcfg2-1.0.1/setup.py</code>
Add the packages <code>Bcfg2.tlslite</code>, <code>Bcfg2.tlslite.integration</code>, and <code>Bcfg2.tlslite.utils</code> back into the packages list in setup.py, as seen in [https://trac.mcs.anl.gov/projects/bcfg2/browser/trunk/bcfg2/setup.py?rev=5182 here]
Add the packages <code>Bcfg2.tlslite</code>, <code>Bcfg2.tlslite.integration</code>, and <code>Bcfg2.tlslite.utils</code> back into the packages list in setup.py, as seen in [https://trac.mcs.anl.gov/projects/bcfg2/browser/trunk/bcfg2/setup.py?rev=5182 here]
 +
 +
Repackage the source directory
 +
 +
tar zcvf bcfg2-1.0.1-mod.tar.gz bcfg2-1.0.1
 +
 +
Transfer <code>bcfg2-1.0.1-mod.tar.gz</code>. To the Device. Open (at Device) terminal window and install Bcfg2 by entering following commands
 +
 +
apt-get install python
 +
tar zxvf bcfg2-1.0.1-mod.tar.gz
 +
cd bcfg2-1.0.1
 +
python setup.py install --install-layout deb --record /root/bcfg2files
 +
 +
=== Installation notes ===
 +
 +
Reinstalling Bcfg2: Remove <code>bcfg2-1.0.1/build</code> directory before re-run of <code>setup.py</code>
 +
 +
Removing Bcfg2: remove files listed at <code>/root/bcfg2files</code>
 +
 +
=== Hooking the Device and Bcfg2 together ===
 +
 +
In the following we assume that a group <code>maemo</code> is already defined at <code>/var/lib/bcfg2/Metadata/groups.xml</code> (We also assume the configuration repository is at default location)
 +
 +
Add following line into <code>/var/lib/bcfg2/Metadata/clients.xml</code>
 +
 +
<Client uuid="foo" name="bar" profile="maemo" password="xyzzy" pingable="N" location="floating" auth="cert+password"/>
 +
 +
No need to restart the Bcfg2 server, it picks the changes on the fly. Next, at the Device, edit the file  <code>/etc/bcfg2.conf</code> to look like following:
 +
 +
[communication]
 +
protocol = xmlrpc/ssl
 +
user = foo
 +
password = xyzzy
 +
 +
[components]
 +
bcfg2 = https://bcfg2server.example.com:6789
 +
 +
Now you should be able to invoke Bcfg2 client and make first connection to the server using command
 +
 +
bcfg2 -I
 +
 +
 +
 +
 +
root@linox02:/var/lib/bcfg2/code# cat

Revision as of 13:51, 24 March 2010

Contents

Under Construction

This article contains information about using Bcfg2, an open source configuration management system in management of Maemo based devices.

Note! At this phase, although the title says otherwise, instructions given in this article do NOT constitute a device management solution. At the moment these instructions only guide to experiment device management using Bcfg2.

Scope and terminology

Scope of the article is using Bcfg2 to manage Maemo devices of employees at a fairly large company, where the number of devices is counted on hundreds or thousands. In a private use, or in small companies things covered here hardly make any sense.

In the remainder if this document, following terminology is used

Term Description
Device Maemo based handset, such as Nokia N900
Device management Generally used term for configuration management which takes place on Devices
Enterprise A large company ot other organization that wants employees to ba able to acces company IT systems using Maemo based devices
Desktop computer A full-size computer (traditional desktop or laptop) used to access corporate IT systems
Enterprise configuration A set of applications and configuration values which the Enterprise wants to deploy into the Device as a prerequisite for accessing corporate IT systems. Usually includes hardening the device security.
Provisioning The process which equips the Device with Enterprise configuration

Instructions given in this article are tested on Fremantle. They may work on other releases as well, but probably not.

Recommended reading

Basic use and concepts of Bcfg2 are not in the scope of this article. However, find below some links which may help you to get started

Device management? Why bother?

Provisioning Devices without management is like standing on the waterfront, throwing rocks in to a lake trying to get them land into a bucket at a bottom. The throwing movement can be very controlled and calculated, but once the rock is released from hand, all control and traceability is lost. As a result, we do not really know if it ever hit the bucket. And if it did not, there is no way to get it there. Not to mention ability to move it into another bucket if so desired. Over time, we also inevitably lose track of how many rocks have we have thrown.

Hence, Provisioning-only approach leads at least following shortcomings

  • No statistics about Devices Provisioned
  • No information about success of the Provisioning
  • No method to fix failed Provisioning
  • No method for managing changes at Enterprise configuration (other than publish a new release hoping users will pick it up)

Using the rock analogy, in Device management approach we never completely release the rock. We tie a thin nylon line into each rock before throwing it. Now we can follow the line and track whether the rock did hit the bucket or not. We can use the line to lift misses to the bucket. We can also use the line to move them to another bucket if so desired. We can also easily have statistics about the rocks thrown; just count the lines.

It should be also noted that there are legislations such as Sarbanes-Oxley which mandate keeping track of computers able to access and store corporate data.

Why Bcfg2?

Openness is at heart of the Maemo philosophy. Thus, using an Open Source configuration management system seems a logical choice to try out.

Bcfg2 was chosen as the first candidate to try-out because

  • Architecture is server-centric. Processing is performed at the server end as much as possible. This makes the client lightweight. It makes it also simpler and less frequently changing.
  • Device management is a special use case for a software like this. They are all geared more for server and desktop management. Thus, fair amount of customization is anticipated. Bcfg2 has very flexible plugin architecture where most of it's core functionality implemented as plugins. This makes it very customization-friendly, nearly all components are replaceable
  • Anticipation of customization puts lot of weight to implementation language. Bcfg2 is written in Python, which suits the author best.

That said, there is no reason why other configuration management systems such as CFEngine or Puppet wouldn't work as well. (Actually, Puppet was tried out, got successfully running at the Device. Only it did not communicate with the server. This is possibly caused by the SSL problem discussed later. That's was the point where lack of author's Ruby skills kicked in :)


Getting Bcfg2 up and running

A word of warning: Configuration management is complicated area. Learning Bcfg2 and the concepts behind it do take some time and effort. Do NOT by try to manage Maemo clients as your first Bcfg2 rehearsal. Instead, familiarize yourself with Bcfg2 first using "ordinary" computers as clients.

Problems with Bcfg2 in Maemo

At the moment there are some problems we need to work around in order to install Bcfg2 client into Device.

  1. Lack of proper SSL support
    • Bcfg2 prior to 1.0 used Python implementation of SSL called tlslite. At 1.0 tlslite war replaced with Python 2.6 built-in SSL module
    • Bcfg2 has internal fallback to use M2crypto module if SSL module fails
    • Maemo (Fremantle), however, has Python 2.5, which has no SSL module and no M2crypto module either
      • There is actually already bug report filed about the problem. However, the original problem (importing SSL module) was never solved, the problem the reporter faces seems to be worked around other way
    • Possible workarounds:
      • Compile SSL 1.15 module into Python 2.5
      • Compile M2crypto module into Python 2.5
        • Both fail into lack of complete set of OpenSSL development headers
      • Re-include tlslib into Bcfg2
        • Possible, however there will be no server identity validation
      • Use Bcfg2 prior to 1.0 in Device
        • Possible, however there will be no server identity validation
    • Contributions welcome
  2. Bcfg2 is not packaged for Maemo
    • Must be installed from source
  3. There is no good way for bootstrapping right now
    • Installation must be performed from Device command line
  4. Maemo does not have debsums utility
    • Causes APT package driver not to load

Server installation

Download and install version 1.0.1 following instructions found at Bcfg2 web site

Note that the server should reside in a network the Device is able to access.

Client installation

Option 1: Install old version

Download bcfg2-0.9.6 in to the Device. Open terminal window and install Bcfg2 by entering following commands

apt-get install python
tar zxvf bcfg2-0.9.6.tar.gz
cd bcfg2-0.9.6
python setup.py install --install-layout deb --record /root/bcfg2files

Option 2: Install current version

This option is somewhat more complicated since we need to re-include tlslib into Bcfg2

Download bcfg2-0.9.6 and bcfg2-1.0.1 both. Extract them:

tar zxvf bcfg2-0.9.6.tar.gz 
tar zxvf bcfg2-1.0.1.tar.gz

Get tlslib and from older version

cp -r bcfg2-0.9.6/src/lib/tlslite bcfg2-1.0.1/src/lib

Download this version of Proxy.py from Bcfg2 site and save it as bcfg2-1.0.1/src/lib/Proxy.py

Edit bcfg2-1.0.1/src/lib/Proxy.py. Add dummy placeholders ca and allowedServerCNs into ComponentProxy definition so it looks like below:

def ComponentProxy (url, user=None, password=None, fingerprint=None,
                    key=None, ca=None, allowedServerCNs=None, cert=None):

Edit bcfg2-1.0.1/setup.py Add the packages Bcfg2.tlslite, Bcfg2.tlslite.integration, and Bcfg2.tlslite.utils back into the packages list in setup.py, as seen in here

Repackage the source directory

tar zcvf bcfg2-1.0.1-mod.tar.gz bcfg2-1.0.1

Transfer bcfg2-1.0.1-mod.tar.gz. To the Device. Open (at Device) terminal window and install Bcfg2 by entering following commands

apt-get install python
tar zxvf bcfg2-1.0.1-mod.tar.gz
cd bcfg2-1.0.1
python setup.py install --install-layout deb --record /root/bcfg2files

Installation notes

Reinstalling Bcfg2: Remove bcfg2-1.0.1/build directory before re-run of setup.py

Removing Bcfg2: remove files listed at /root/bcfg2files

Hooking the Device and Bcfg2 together

In the following we assume that a group maemo is already defined at /var/lib/bcfg2/Metadata/groups.xml (We also assume the configuration repository is at default location)

Add following line into /var/lib/bcfg2/Metadata/clients.xml

<Client uuid="foo" name="bar" profile="maemo" password="xyzzy" pingable="N" location="floating" auth="cert+password"/>

No need to restart the Bcfg2 server, it picks the changes on the fly. Next, at the Device, edit the file /etc/bcfg2.conf to look like following:

[communication]
protocol = xmlrpc/ssl
user = foo
password = xyzzy

[components]
bcfg2 = https://bcfg2server.example.com:6789

Now you should be able to invoke Bcfg2 client and make first connection to the server using command

bcfg2 -I




root@linox02:/var/lib/bcfg2/code# cat


Note, Category is intentionally broken, this is not in any shape for showing up yet [[ Category:Power users ]]