Example
Presume we have a server with an incoming user, "disco", who has a home directory like this:
disco@server:~$ cat rsyncd.conf
[parameters]
path = /home/disco/parameters
read only = true
comment = DISCO Parameters
list = yes
use chroot = false
[testmodule-1.0]
path = /home/disco/modules/testmodule-1.0
read only = true
comment = v1.0 of the Test module
list = yes
use chroot = false
[othermodule-3.2]
path = /home/disco/modules/othermodule-3.2
read only = true
comment = v3.2 of othermodule
list = yes
use chroot = false
disco@server:~$ find parameters
parameters
parameters/localhost.localdomain
parameters/localhost.localdomain/parameters
parameters/localhost.localdomain/parameters/something
parameters/localhost.localdomain/modules
parameters/localhost.localdomain/modules/othermodule-3.2
parameters/localhost.localdomain/modules/testmodule-1.0
disco@server:~$ cat parameters/localhost.localdomain/parameters/something
LOLTHISKEYMEANSNOTHING
disco@server:~$ find modules
modules
modules/othermodule-3.2
modules/othermodule-3.2/requires
modules/othermodule-3.2/parameters
modules/othermodule-3.2/parameters/othermodule-3.2
modules/othermodule-3.2/scripts
modules/othermodule-3.2/templates
modules/othermodule-3.2/templates/etc
modules/othermodule-3.2/templates/etc/othermodule
modules/othermodule-3.2/templates/etc/othermodule/stuff.cfg
modules/othermodule-3.2/files
modules/testmodule-1.0
modules/testmodule-1.0/requires
modules/testmodule-1.0/parameters
modules/testmodule-1.0/parameters/testmodule-1.0
modules/testmodule-1.0/scripts
modules/testmodule-1.0/scripts/00-hello.sh
modules/testmodule-1.0/scripts/10-service_stop.sh
modules/testmodule-1.0/templates
modules/testmodule-1.0/files
disco@server:~$ cat modules/othermodule-3.2/templates/etc/othermodule/stuff.cfg
echo HOST=$(hostname)
echo KEY_VALUE=$(cat /var/disco/parameters/$(hostname)/parameters/something)
disco@server:~$ cat modules/testmodule-1.0/scripts/00-hello.sh
#!/bin/bash
echo "Hello, disco"
disco@server:~$ cat modules/testmodule-1.0/scripts/10-service_stop.sh
#!/bin/bash
service postgresql stop
... and that we have, on our client, a disco parameters tree set up like this:
[disco@client disco]$ disco-param dump
disco = {}
disco/client = {}
disco/client/cmds = {}
disco/client/cmds/rsync = rsync -qaWHe "ssh -i /home/disco/.ssh/id_rsa_disco"
disco/server = {}
disco/server/uri = disco@aklabs.net
... Then we can use disco to configure our host.
First we need to mount and initialize disco's testing/noop filesystem as root on the client.
[root@localhost disco]$ NOOP=true disco-fs-mount
[root@localhost disco]$ NOOP=true disco-fs-init
This will take a minute or two; the init does a lot of work. (But you only have to run the init once at system start, no matter how many times you run disco.) Now we can do our noop run:
[disco@localhost disco]$ NOOP=true disco dance
info: Processing testmodule-1.0
info: File: .d..t...... : /. : mode='rwxr-xr-x', size='4096', mtime='2012/08/19-14:53:30', owner='root:root', selinux='?', md5=''
Hello, disco
warning: Would execute : service postgresql stop
info: Processing othermodule-3.2
info: File: .d..t...... : /. : mode='rwxr-xr-x', size='4096', mtime='2012/08/19-15:04:45', owner='root:root', selinux='?', md5=''
info: File: .d..t...... : /etc : mode='rwxr-xr-x', size='4096', mtime='2012/08/19-15:04:45', owner='root:root', selinux='?', md5=''
info: File: cd+++++++++ : /etc/othermodule : mode='rwxr-xr-x', size='4096', mtime='2012/08/19-15:04:45', owner='root:root', selinux='?', md5=''
info: File: >f+++++++++ : /etc/othermodule/stuff.cfg : mode='rw-r--r--', size='60', mtime='2012/08/19-15:04:45', owner='root:root', selinux='?', md5='77b20e4840b1be13a577e152edc6b443'
0a1,2
> HOST=localhost.localdomain
> KEY_VALUE=LOLTHISKEYMEANSNOTHING
Here we can see the noop at work: it prevents potentially destructive commands like 'service' from running, while allowing other harmless commands to operate in the noop context so that script logic is not affected. We can also see the highly detailed statistics and diffs returned for file modifications, an improved version of what 'rsync -ani' gives you (see 'man rsync' for a description of this format). But none of the files actually wind up present on the system, and no running processes were affected:
[root@client ~]$ ps ax | grep -i postgresql
15595 pts/1 S+ 0:00 grep -i postgresql
24457 ? S 0:12 /usr/lib/postgresql/8.4/bin/postgres -D /var/lib/postgresql/8.4/main -c config_file=/etc/postgresql/8.4/main/postgresql.conf
[root@client ~]$ ls -l /etc/othermodule/stuff.cfg
ls: cannot access /etc/othermodule/stuff.cfg: No such file or directory
If we were to turn the NOOP flag off, this would all happen for real:
[root@client disco]$ disco dance
info: Processing testmodule-1.0
info: File: .d..t...... : /. : mode='rwxr-xr-x', size='4096', mtime='2012/08/19-14:53:30', owner='root:root', selinux='?', md5=''
Hello, disco
warning: Would execute : service postgresql stop
info: Processing othermodule-3.2
info: File: .d..t...... : /. : mode='rwxr-xr-x', size='4096', mtime='2012/08/19-15:04:45', owner='root:root', selinux='?', md5=''
info: File: .d..t...... : /etc : mode='rwxr-xr-x', size='4096', mtime='2012/08/19-15:04:45', owner='root:root', selinux='?', md5=''
info: File: cd+++++++++ : /etc/othermodule : mode='rwxr-xr-x', size='4096', mtime='2012/08/19-15:04:45', owner='root:root', selinux='?', md5=''
info: File: >f+++++++++ : /etc/othermodule/stuff.cfg : mode='rw-r--r--', size='60', mtime='2012/08/19-15:04:45', owner='root:root', selinux='?', md5='77b20e4840b1be13a577e152edc6b443'
0a1,2
> HOST=localhost.localdomain
> KEY_VALUE=LOLTHISKEYMEANSNOTHING
... And we will see that the config file has been installed:
[root@client ~]$ cat /etc/othermodule/stuff.cfg
HOST=localhost.localdomain
KEY_VALUE=LOLTHISKEYMEANSNOTHING
... And that postgres has been stopped:
[root@client ~]# ps ax | grep -i postgresql
28394 pts/1 S+ 0:00 grep -i postgresql
Hooray!
Disco will report other types of file modifications as well. If you were to open an interactive shell in the disco chroot and perform some more interesting operations, representing what a more advanced sort of script might do:
[disco@client disco]$ NOOP=true disco-sh-shell
[root@client /]# rm -f /etc/passwd
[root@client /]# grep -v root /etc/shadow | tee tmpfile
bin:*:15240:0:99999:7:::
daemon:*:15240:0:99999:7:::
adm:*:15240:0:99999:7:::
lp:*:15240:0:99999:7:::
sync:*:15240:0:99999:7:::
shutdown:*:15240:0:99999:7:::
halt:*:15240:0:99999:7:::
mail:*:15240:0:99999:7:::
uucp:*:15240:0:99999:7:::
operator:*:15240:0:99999:7:::
games:*:15240:0:99999:7:::
gopher:*:15240:0:99999:7:::
ftp:*:15240:0:99999:7:::
nobody:*:15240:0:99999:7:::
dbus:!!:15324::::::
usbmuxd:!!:15324::::::
avahi-autoipd:!!:15324::::::
vcsa:!!:15324::::::
rtkit:!!:15324::::::
rpc:!!:15324:0:99999:7:::
pulse:!!:15324::::::
haldaemon:!!:15324::::::
avahi:!!:15324::::::
saslauth:!!:15324::::::
postfix:!!:15324::::::
apache:!!:15324::::::
ntp:!!:15324::::::
rpcuser:!!:15324::::::
nfsnobody:!!:15324::::::
gdm:!!:15324::::::
sshd:!!:15324::::::
tcpdump:!!:15324::::::
disco:$6$Hv67bVi.$d/EolMfURGTMbq1hBr1QL2HdYMYxAXvruq550Qqgu2HCOKWQ1YptMghLKvOAgr3h0NwzXZwHpXQ6fVLdpYe.9.:15533:0:99999:7:::
discostu:!!:15558:0:99999:7:::
[root@client /]# mv tmpfile /etc/shadow
mv: overwrite `/etc/shadow'? y
[root@client /]# echo LOL > /var/lib/p0wnt
bash: /var/lib/p0wnt: restricted: cannot redirect output
[root@client /]# echo LOL | tee /var/lib/p0wnt
LOL
[root@client /]# echo > /bin/myhotbash
bash: /bin/myhotbash: restricted: cannot redirect output
[root@client /]# touch /bin/myhotbash
[root@client /]# exit
... Since that was done inside the noop shell (where all the scripts and templates run during noop), we can easily report on these activities:
[disco@client disco]$ NOOP=true disco-fs-diff
info: File: >f+++++++++ : /tmpfile : mode='rw-r--r--', size='0', mtime='2012/08/19-15:08:11', owner='root:root', selinux='?', md5='d41d8cd98f00b204e9800998ecf8427e'
info: File: .d..t...... : /.unionfs : mode='rwxrwx---', size='4096', mtime='2012/08/19-15:07:57', owner='root:root', selinux='?', md5=''
info: File: .d..t...... : /etc : mode='rwxrwx---', size='4096', mtime='2012/08/19-15:07:57', owner='root:root', selinux='?', md5=''
info: File: *_deleted__ : /etc/passwd : mode='rw-------', size='0', mtime='2012/08/19-15:07:57',
1,35d0
< root:x:0:0:root:/root:/bin/bash
< bin:x:1:1:bin:/bin:/sbin/nologin
< daemon:x:2:2:daemon:/sbin:/sbin/nologin
< adm:x:3:4:adm:/var/adm:/sbin/nologin
< lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
< sync:x:5:0:sync:/sbin:/bin/sync
< shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
< halt:x:7:0:halt:/sbin:/sbin/halt
< mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
< uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
< operator:x:11:0:operator:/root:/sbin/nologin
< games:x:12:100:games:/usr/games:/sbin/nologin
< gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
< ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
< nobody:x:99:99:Nobody:/:/sbin/nologin
< dbus:x:81:81:System message bus:/:/sbin/nologin
< usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
< avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
< vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
< rtkit:x:499:496:RealtimeKit:/proc:/sbin/nologin
< rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
< pulse:x:498:495:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
< haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
< avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
< saslauth:x:497:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
< postfix:x:89:89::/var/spool/postfix:/sbin/nologin
< apache:x:48:48:Apache:/var/www:/sbin/nologin
< ntp:x:38:38::/etc/ntp:/sbin/nologin
< rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
< nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
< gdm:x:42:42::/var/lib/gdm:/sbin/nologin
< sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
< tcpdump:x:72:72::/:/sbin/nologin
< akesterson:x:500:10::/home/akesterson:/bin/bash
< discostu:x:501:501::/home/discostu:/bin/bash
info: File: .d..t...... : /bin : mode='rwxr-xr-x', size='4096', mtime='2012/08/19-15:09:42', owner='root:root', selinux='?', md5=''
info: File: .f..t...... : /bin/myhotbash : mode='rw-r--r--', size='0', mtime='2012/08/19-15:09:42', owner='root:root', selinux='?', md5='d41d8cd98f00b204e9800998ecf8427e'
info: File: .d..t...... : /etc : mode='rwxr-xr-x', size='4096', mtime='2012/08/19-15:09:23', owner='root:root', selinux='?', md5=''
info: File: .f..t...... : /etc/shadow : mode='rw-r--r--', size='938', mtime='2012/08/19-15:09:06', owner='root:root', selinux='?', md5='336d0b913c8f8cd029964afd00357952'
info: File: .d..t...... : /root : mode='r-xr-x---', size='4096', mtime='2012/08/19-15:08:30', owner='root:root', selinux='?', md5=''
info: File: >fcst...... : /root/.bash_history : mode='rw-------', size='7595', mtime='2012/08/19-15:09:49', owner='root:root', selinux='?', md5='87021098c47d63507515bc06229c81e5'
237a238,249
> exit
> rm -f /etc/passwd
> grep -v root /etc/shadow | tee tmpfile
> mv tmpfile /etc/shadow
> echo LOL > /var/lib/p0wnt
> echo LOL | tee /var/lib/p0wnt
> echo > /bin/myhotbash
> touch /bin/myhotbash
> exit
info: File: .d..t.og... : /tmp : mode='rwxr-xr-x', size='4096', mtime='2012/08/19-15:09:23', owner='root:root', selinux='?', md5=''
info: File: .d..t...... : /var : mode='rwxr-xr-x', size='4096', mtime='2012/08/19-15:09:34', owner='root:root', selinux='?', md5=''
info: File: .d..t...... : /var/lib : mode='rwxr-xr-x', size='4096', mtime='2012/08/19-15:09:34'
info: File: .f..t...... : /var/lib/p0wnt : mode='rw-r--r--', size='4', mtime='2012/08/19-15:09:34', owner='root:root', selinux='?', md5='5732edd7e4e1240b868e15bc95d36339'
0a1
> LOL
And here we see some more of Disco's rather extensive noop reporting capabilities.
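The itemize-style "info: File:" lines shown in the noop run and in the disco-fs-diff output above are regular enough to be reviewed automatically before a real run is allowed. The following is an added example, not part of disco, that parses those lines and flags the changes a reviewer would want to look at first (a sensitive file deleted, /etc/shadow left readable beyond its owner, a file appearing in a system binary directory). The sample input is a constructed subset of the disco-fs-diff output above, and the SENSITIVE and BIN_DIRS policy lists are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of the disco-fs-diff lines shown above; diff bodies omitted.
SAMPLE = """\
info: File: >f+++++++++ : /tmpfile : mode='rw-r--r--', size='0', mtime='2012/08/19-15:08:11', owner='root:root', selinux='?', md5='d41d8cd98f00b204e9800998ecf8427e'
info: File: *_deleted__ : /etc/passwd : mode='rw-------', size='0', mtime='2012/08/19-15:07:57',
info: File: .f..t...... : /bin/myhotbash : mode='rw-r--r--', size='0', mtime='2012/08/19-15:09:42', owner='root:root', selinux='?', md5='d41d8cd98f00b204e9800998ecf8427e'
info: File: .f..t...... : /etc/shadow : mode='rw-r--r--', size='938', mtime='2012/08/19-15:09:06', owner='root:root', selinux='?', md5='336d0b913c8f8cd029964afd00357952'
info: File: .d..t.og... : /tmp : mode='rwxr-xr-x', size='4096', mtime='2012/08/19-15:09:23', owner='root:root', selinux='?', md5=''
"""

# Each line: "info: File: <11-char rsync itemize flags> : <path> : key='value', ..."
LINE_RE = re.compile(r"^info: File: (?P<flags>\S{11}) : (?P<path>.+?) : (?P<attrs>.*)$")
ATTR_RE = re.compile(r"(\w+)='([^']*)'")
# Itemize positions 2..10 as described in 'man rsync': c s t p o g u a x
ATTR_NAMES = {"c": "checksum", "s": "size", "t": "mtime", "p": "perms",
              "o": "owner", "g": "group", "u": "atime", "a": "acl", "x": "xattr"}
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/sudoers")  # assumed policy; adjust per host
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")  # assumed policy
Change = namedtuple("Change", "flags path attrs")

def parse_fs_diff(text):
    """Collect the File: lines; the unified-diff bodies that follow them are skipped."""
    return [Change(m["flags"], m["path"], dict(ATTR_RE.findall(m["attrs"])))
            for m in map(LINE_RE.match, text.splitlines()) if m]

def describe(c):
    if c.flags[0] == "*":
        return "deleted"
    if c.flags[2:] == "+++++++++":
        return "created"
    return "changed " + ",".join(ATTR_NAMES[ch] for ch in c.flags[2:] if ch in ATTR_NAMES)

def review(changes):
    """Return (path, reason) pairs for changes that should not go through unreviewed."""
    findings = []
    for c in changes:
        kind, mode = describe(c), c.attrs.get("mode", "")
        if c.path in SENSITIVE and kind == "deleted":
            findings.append((c.path, "sensitive file deleted"))
        elif c.path in SENSITIVE and mode and not mode.endswith("---"):
            findings.append((c.path, f"sensitive file readable beyond owner (mode {mode})"))
        elif c.flags[1] == "f" and c.path.startswith(BIN_DIRS):
            findings.append((c.path, f"{kind} in a system binary directory"))
    return findings

if __name__ == "__main__":
    for path, reason in review(parse_fs_diff(SAMPLE)):
        print(f"REVIEW {path}: {reason}")
```

Feed it the real NOOP=true disco-fs-diff output instead of SAMPLE and gate the non-noop disco dance on an empty findings list.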
But let's say that this run took longer than we thought it should. What was taking so much time? Disco will tell us.
[root@disco ~]# disco report
report: _internal: fetch_params
report: time_real 0.54 : time_user 0.00 : time_sys 0.08
report: mem_avg 0 : mem_max 8864 : mem_faults_major 0 : mem_faults_minor 1512
report: io_fsin 0 : io_fsout 0 : io_sockin 0 : io_sockout 0 : io_signals 0
report: exit: 0
report: othermodule-3.2: diff
report: time_real 0.80 : time_user 0.12 : time_sys 0.61
report: mem_avg 0 : mem_max 4752 : mem_faults_major 0 : mem_faults_minor 14394
report: io_fsin 0 : io_fsout 8 : io_sockin 0 : io_sockout 0 : io_signals 0
report: exit: 0
report: othermodule-3.2: fetch
report: time_real 0.96 : time_user 0.01 : time_sys 0.12
report: mem_avg 0 : mem_max 8864 : mem_faults_major 0 : mem_faults_minor 2519
report: io_fsin 0 : io_fsout 24 : io_sockin 0 : io_sockout 0 : io_signals 0
report: exit: 0
report: othermodule-3.2: template
report: etc/othermodule/stuff.cfg :
report: time_real 0.63 : time_user 0.03 : time_sys 0.42
report: mem_avg 0 : mem_max 4576 : mem_faults_major 122 : mem_faults_minor 4886
report: io_fsin 25536 : io_fsout 16 : io_sockin 0 : io_sockout 0 : io_signals 0
report: exit: 0
report: testmodule-1.0: diff
report: time_real 0.32 : time_user 0.05 : time_sys 0.22
report: mem_avg 0 : mem_max 4752 : mem_faults_major 0 : mem_faults_minor 5988
report: io_fsin 0 : io_fsout 0 : io_sockin 0 : io_sockout 0 : io_signals 0
report: exit: 0
report: testmodule-1.0: exec
report: 00-hello.sh :
report: time_real 0.33 : time_user 0.03 : time_sys 0.23
report: mem_avg 0 : mem_max 4592 : mem_faults_major 54 : mem_faults_minor 3881
report: io_fsin 10992 : io_fsout 8 : io_sockin 0 : io_sockout 0 : io_signals 0
report: exit: 0
report: 10-service_stop.sh :
report: time_real 0.50 : time_user 0.03 : time_sys 0.34
report: mem_avg 0 : mem_max 4608 : mem_faults_major 110 : mem_faults_minor 4547
report: io_fsin 22328 : io_fsout 8 : io_sockin 0 : io_sockout 0 : io_signals 0
report: exit: 0
report: testmodule-1.0: fetch
report: time_real 0.95 : time_user 0.01 : time_sys 0.13
report: mem_avg 0 : mem_max 8864 : mem_faults_major 0 : mem_faults_minor 2513
report: io_fsin 0 : io_fsout 24 : io_sockin 0 : io_sockout 0 : io_signals 0
report: exit: 0