

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    
    <title>NAT HOWTO &mdash; Bcfg2 1.3.0 documentation</title>
    
    <link rel="stylesheet" href="../../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
    
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../../',
        VERSION:     '1.3.0',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true
      };
    </script>
    <script type="text/javascript" src="../../_static/jquery.js"></script>
    <script type="text/javascript" src="../../_static/underscore.js"></script>
    <script type="text/javascript" src="../../_static/doctools.js"></script>
    <script type="text/javascript" src="../../_static/sidebar.js"></script>
    <link rel="shortcut icon" href="../../_static/favicon.ico"/>
    <link rel="top" title="Bcfg2 1.3.0 documentation" href="../../index.html" />
    <link rel="up" title="Guides" href="../guides.html" />
    <link rel="next" title="Ubuntu" href="ubuntu.html" />
    <link rel="prev" title="Import existing ssh keys" href="import-existing-ssh-keys.html" />
 
<link rel="stylesheet" href="../../_static/bcfg2.css" type=""/>

  </head>
  <body>

<div style="text-align: left; padding: 10px 10px 15px 15px">
<a href="../../index.html"><img src="../../_static/bcfg2_logo.png" border="0" alt="sampledoc"/></a>
</div>

  

    <div class="document">
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body">
            
  <div class="section" id="nat-howto">
<span id="appendix-guides-nat-howto"></span><h1>NAT HOWTO<a class="headerlink" href="#nat-howto" title="Permalink to this headline">¶</a></h1>
<p>This page describes how to set up Bcfg2 to function properly with a
collection of clients behind NAT. It describes the issues, how the
underlying portions of the Bcfg2 system function, and how to correctly
set up client metadata to cope with this environment.</p>
<div class="section" id="issues">
<h2>Issues<a class="headerlink" href="#issues" title="Permalink to this headline">¶</a></h2>
<p>Bcfg2, by default, uses IP address lookup to determine the identity of
a client that has connected. This process doesn&#8217;t work properly for
NAT&#8217;ed hosts, because all requests from these clients come from
the same external address when connecting to the server.</p>
<p>These client identification issues will manifest themselves in a number
of ways:</p>
<ul class="simple">
<li>Inability to set up discrete clients with different profiles</li>
<li>Incorrect sharing of probe results across clients in the same NAT pool</li>
<li>Inability to bootstrap clients properly when client data is not
predefined</li>
</ul>
</div>
<div class="section" id="architectural-issues">
<h2>Architectural Issues<a class="headerlink" href="#architectural-issues" title="Permalink to this headline">¶</a></h2>
<p>Client identification is performed at the beginning of each client/server
interaction. As of 0.9.3, client identification via IP address can be
completely short-circuited through the use of a client UUID. Setting up
client UUIDs requires action on both the client and the server. On the
server side, the client UUID must be added to the client record in
<tt class="docutils literal"><span class="pre">Metadata/clients.xml</span></tt>. This attribute allows the server to use the
user part of the authentication to resolve the client&#8217;s metadata. In addition,
either the location attribute should be set to floating, or the IP address
of the NAT must be reflected in the address attribute. Once added,
the Client entry in clients.xml will look something like this:</p>
<div class="highlight-xml"><div class="highlight"><pre><span class="nt">&lt;Client</span> <span class="na">profile=</span><span class="s">&quot;desktop&quot;</span> <span class="na">name=</span><span class="s">&quot;test1&quot;</span>
 <span class="na">uuid=</span><span class="s">&#39;9001ec29-1531-4b16-8198-a71bea093d0a&#39;</span> <span class="na">floating=</span><span class="s">&#39;true&#39;</span><span class="nt">/&gt;</span>
</pre></div>
</div>
<p>Alternatively, the Client entry can be set up like this:</p>
<div class="highlight-xml"><div class="highlight"><pre><span class="nt">&lt;Client</span> <span class="na">profile=</span><span class="s">&quot;desktop&quot;</span> <span class="na">name=</span><span class="s">&quot;test1&quot;</span>
 <span class="na">uuid=</span><span class="s">&#39;9001ec29-1531-4b16-8198-a71bea093d0a&#39;</span> <span class="na">address=</span><span class="s">&#39;ip-address-of-NAT&#39;</span><span class="nt">/&gt;</span>
</pre></div>
</div>
<p>The difference between these definitions is explained in detail in the
<a class="reference internal" href="authentication.html#appendix-guides-authentication"><em>Authentication</em></a> section, but in short, the second
form requires that the client access the server from the NAT address,
while the first form allows it to connect from any address provided it
uses the proper uuid. (Client identification is orthogonal to the use
of per-client passwords; this can be set in addition to the attributes
above.)</p>
<p>Once this setup is done, each client must be configured to use the proper
uuid upon any server interaction. This can be done using either the
command line argument -u, or the setting &#8220;user&#8221; in the &#8220;communication&#8221;
section of <tt class="docutils literal"><span class="pre">/etc/bcfg2.conf</span></tt>.</p>
</div>
<div class="section" id="uuid-choice">
<h2>UUID Choice<a class="headerlink" href="#uuid-choice" title="Permalink to this headline">¶</a></h2>
<p>When determining client UUIDs, one must take care to ensure that UUIDs
are unique to the client. Any hardware-specific attribute, such as a hash
of a MAC address, would be sufficient. Alternatively, if a local hostname
is unique, it may be used as well.</p>
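<p>The following is an added example, not part of the Bcfg2 documentation or code base: it derives a stable UUID from a MAC address, builds the two forms of Client entry shown under Architectural Issues, and audits a clients.xml for entries that cannot be told apart behind NAT. The names client_uuid, client_entry, audit and SITE_NAMESPACE, the use of a version 5 UUID as the hash, and the sample hosts and addresses are assumptions made for the example.</p>

```python
import uuid
import xml.etree.ElementTree as ET
from collections import Counter

# Assumption: a site-private namespace, constructed for this example.
SITE_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_DNS, "bcfg2.example.com")

def client_uuid(mac):
    """Derive a stable UUID from a MAC address, ignoring case and separators."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return str(uuid.uuid5(SITE_NAMESPACE, digits))

def client_entry(name, profile, mac, nat_address=None):
    """Build a Client element: pinned to the NAT address, or floating."""
    attrs = {"name": name, "profile": profile, "uuid": client_uuid(mac)}
    if nat_address:
        attrs["address"] = nat_address
    else:
        attrs["floating"] = "true"
    return ET.Element("Client", attrs)

def audit(clients_xml):
    """Return problems that break identification of clients behind NAT."""
    clients = ET.fromstring(clients_xml).findall("Client")
    uuids = Counter(c.get("uuid") for c in clients if c.get("uuid"))
    addrs = Counter(c.get("address") for c in clients if c.get("address"))
    problems = []
    for c in clients:
        name, uid, addr = c.get("name"), c.get("uuid"), c.get("address")
        if uid and uuids[uid] > 1:
            problems.append((name, "duplicate uuid"))
        if not uid and addr and addrs[addr] > 1:
            problems.append((name, "shares address %s without uuid" % addr))
    return problems

# Constructed sample: three hosts behind one NAT address (documentation range).
SAMPLE = """<Clients>
  <Client profile="desktop" name="test1" address="192.0.2.10"/>
  <Client profile="server" name="test2" address="192.0.2.10"/>
  <Client profile="desktop" name="test3" address="192.0.2.10"
          uuid="9001ec29-1531-4b16-8198-a71bea093d0a"/>
</Clients>"""

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(name, problem)
    print(ET.tostring(client_entry("test1", "desktop", "00:16:3E:AA:BB:01")).decode())
```

<p>A UUID derived this way is an identifier, not a secret: it is predictable from the MAC address, so the password is still what authenticates the client.</p>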
</div>
<div class="section" id="automated-client-bootstrapping">
<h2>Automated Client Bootstrapping<a class="headerlink" href="#automated-client-bootstrapping" title="Permalink to this headline">¶</a></h2>
<p>Automated setup of new clients from behind NAT works by using the common
password. For example:</p>
<div class="highlight-python"><pre>/usr/sbin/bcfg2 -u ubik3 -p desktop -x &lt;password&gt;</pre>
</div>
<p>It is not possible at this time to do automated setup without setting
up a pre-shared per-client key.</p>
</div>
</div>


          </div>
        </div>
      </div>
      <div class="clearer"></div>
    </div>
    <div class="footer">
        &copy; Copyright 2009-2013, Narayan Desai.
      Last updated on Mar 20, 2013.
      Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.1.3.
    </div>
  </body>
</html>