bcfg2-doc-1.3.0-1.fc17.noarch.rpm



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    
    <title>Server Configuration &mdash; Bcfg2 1.3.0 documentation</title>
    
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../',
        VERSION:     '1.3.0',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true
      };
    </script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <script type="text/javascript" src="../_static/sidebar.js"></script>
    <link rel="shortcut icon" href="../_static/favicon.ico"/>
    <link rel="top" title="Bcfg2 1.3.0 documentation" href="../index.html" />
    <link rel="up" title="The Bcfg2 Server" href="index.html" />
    <link rel="next" title="Global Database Settings" href="database.html" />
    <link rel="prev" title="SELinux" href="selinux.html" />
 
<link rel="stylesheet" href="../_static/bcfg2.css" type=""/>

  </head>
  <body>

<div style="text-align: left; padding: 10px 10px 15px 15px">
<a href="../index.html"><img src="../_static/bcfg2_logo.png" border="0" alt="sampledoc"/></a>
</div>

    <div class="related">
      <h3>Navigation</h3>
      <ul>
        <li class="right" style="margin-right: 10px">
          <a href="../genindex.html" title="General Index"
             accesskey="I">index</a></li>
        <li class="right" >
          <a href="../py-modindex.html" title="Python Module Index"
             >modules</a> |</li>
        <li class="right" >
          <a href="database.html" title="Global Database Settings"
             accesskey="N">next</a> |</li>
        <li class="right" >
          <a href="selinux.html" title="SELinux"
             accesskey="P">previous</a> |</li>
	<li><a href="../index.html">home</a> |&nbsp;</li>
	<!--<li><a href="../search.html">search</a> |&nbsp;</li>-->
	<li><a href="../help/index.html">help</a> |&nbsp;</li>
	<li><a href="../contents.html">documentation </a> &raquo;</li>

          <li><a href="../contents.html" >Bcfg2 documentation 1.3.0</a> &raquo;</li>
          <li><a href="index.html" accesskey="U">The Bcfg2 Server</a> &raquo;</li> 
      </ul>
    </div>
  

    <div class="document">
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body">
            
  <div class="section" id="server-configuration">
<span id="id1"></span><h1>Server Configuration<a class="headerlink" href="#server-configuration" title="Permalink to this headline">¶</a></h1>
<p>This page documents various aspects of server configuration.</p>
<div class="section" id="running-as-a-non-root-user">
<span id="server-dropping-privs"></span><h2>Running as a non-root user<a class="headerlink" href="#running-as-a-non-root-user" title="Permalink to this headline">¶</a></h2>
<p>Although the Bcfg2 server runs as root by default, it is possible (and
probably encouraged) to run it as an unprivileged user.  This may
become the default in the future.  This can be done in all versions of
Bcfg2, although it has become easier in 1.3.0.  The steps to do so are
described in three sections below:  Common steps for all versions;
steps for older versions only; and steps for 1.3.0.</p>
<div class="section" id="common-steps">
<h3>Common Steps<a class="headerlink" href="#common-steps" title="Permalink to this headline">¶</a></h3>
<p>We will assume for the sake of these steps that we are running the
Bcfg2 server as the <tt class="docutils literal"><span class="pre">bcfg2</span></tt> user, who is a member of the <tt class="docutils literal"><span class="pre">bcfg2</span></tt>
group.  To create that user and group, you can run:</p>
<div class="highlight-bash"><div class="highlight"><pre>groupadd bcfg2
useradd -g bcfg2 -M -r -s /sbin/nologin -d /var/lib/bcfg2 <span class="se">\</span>
    -c <span class="s2">&quot;Bcfg2 server user&quot;</span> bcfg2
</pre></div>
</div>
<p><tt class="docutils literal"><span class="pre">useradd</span></tt> arguments can vary wildly on different OSes, so please
read <tt class="docutils literal"><span class="pre">useradd</span></tt> and run a command appropriate for your platform.</p>
<p>The Bcfg2 server has to be able to read and write its data, so we need
to set ownership on several things.  The config file and specification
data, of course:</p>
<div class="highlight-bash"><div class="highlight"><pre>chown bcfg2:bcfg2 /etc/bcfg2.conf
chmod 0600 /etc/bcfg2.conf
chown -R bcfg2:bcfg2 /var/lib/bcfg2/*
chmod -R 0700 /var/lib/bcfg2/*
</pre></div>
</div>
<p>Note that this does not change the permissions of <tt class="docutils literal"><span class="pre">/var/lib/bcfg2</span></tt>
itself, which would prevent the <tt class="docutils literal"><span class="pre">bcfg2</span></tt> user from enabling a new
plugin.  If you depend on this capability (e.g., if your specification
is stored in a VCS and checked out onto the Bcfg2 server by a script
running as the <tt class="docutils literal"><span class="pre">bcfg2</span></tt> user), then you would want to <tt class="docutils literal"><span class="pre">chown</span></tt> and
<tt class="docutils literal"><span class="pre">chmod</span></tt> <tt class="docutils literal"><span class="pre">/var/lib/bcfg2</span></tt> rather than <tt class="docutils literal"><span class="pre">/var/lib/bcfg2/*</span></tt>.  Note
also that the recursive <tt class="docutils literal"><span class="pre">chmod</span></tt> will change permissions on any files
that are using <tt class="docutils literal"><span class="pre">mode=&quot;inherit&quot;</span></tt> in <a class="reference internal" href="info.html#server-info"><em>info.xml</em></a>.</p>
<p>The Bcfg2 server also needs to be able to read its SSL certificate,
key and the SSL CA certificate:</p>
<div class="highlight-bash"><div class="highlight"><pre>chown bcfg2:bcfg2 /etc/pki/tls/private/bcfg2.key <span class="se">\</span>
    /etc/pki/tls/certs/bcfg2.crt
chmod 0600 /etc/pki/tls/private/bcfg2.key
chmod 0644 /etc/pki/tls/certs/bcfg2.crt
</pre></div>
</div>
<p>The paths to your SSL key and cert may be quite different,
particularly on older versions of Bcfg2.</p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">This step can be skipped if you are using the CherryPy
<a class="reference internal" href="#server-backends"><em>backend</em></a>.  CherryPy reads in the
certificate data before dropping privileges, so you can (and
should) keep the keypair owned by root to prevent a compromised
Bcfg2 server process from modifying that data.</p>
</div>
<p>Most of these steps can (and should) be done via Bcfg2 itself.</p>
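<p>The ownership and mode changes above are easy to get wrong on one path and hard to notice until the unprivileged server fails to read its key or write its repository. The script below is an added example, not part of the Bcfg2 documentation or the project's code: it re-checks every path the Common Steps touch and reports drift (a world-readable key, a specification file left owned by root) with a non-zero exit status. The optional <tt class="docutils literal"><span class="pre">ROOT</span></tt> prefix argument and the <tt class="docutils literal"><span class="pre">AUDIT_LIVE</span></tt>, <tt class="docutils literal"><span class="pre">BCFG2_USER</span></tt> and <tt class="docutils literal"><span class="pre">BCFG2_GROUP</span></tt> variables are this example's own conventions; <tt class="docutils literal"><span class="pre">stat -c</span></tt> and <tt class="docutils literal"><span class="pre">find -mindepth</span></tt> are GNU options.</p>

```bash
#!/bin/sh
# Added example (not from the Bcfg2 docs): audit the ownership and modes that
# the Common Steps set, so drift is reported instead of silently breaking the
# unprivileged server.  ROOT is an assumed optional prefix that lets the same
# checks run against a scratch tree instead of the real filesystem.

# check_perm PATH MODE OWNER GROUP
# Returns 0 when PATH exists with exactly that octal mode, owner and group;
# otherwise prints what was found and returns 1.
check_perm() {
    path=$1 want_mode=$2 want_owner=$3 want_group=$4
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    got=$(stat -c '%a %U %G' "$path") || return 1
    if [ "$got" != "$want_mode $want_owner $want_group" ]; then
        echo "MISMATCH $path: want '$want_mode $want_owner $want_group', got '$got'"
        return 1
    fi
    return 0
}

# audit_bcfg2_perms USER GROUP [ROOT]
# Checks every path the Common Steps touch.  Returns 0 only if all pass.
audit_bcfg2_perms() {
    user=$1 group=$2 root=${3:-}
    rc=0
    check_perm "$root/etc/bcfg2.conf"                600 "$user" "$group" || rc=1
    check_perm "$root/etc/pki/tls/private/bcfg2.key" 600 "$user" "$group" || rc=1
    check_perm "$root/etc/pki/tls/certs/bcfg2.crt"   644 "$user" "$group" || rc=1
    # The specification was chown -R / chmod -R 0700 below /var/lib/bcfg2,
    # so anything underneath it that deviates from that is reported.
    if [ -d "$root/var/lib/bcfg2" ]; then
        bad=$(find "$root/var/lib/bcfg2" -mindepth 1 \
                   \( ! -perm 0700 -o ! -user "$user" -o ! -group "$group" \) -print)
        if [ -n "$bad" ]; then
            printf 'DRIFT under /var/lib/bcfg2:\n%s\n' "$bad"
            rc=1
        fi
    else
        echo "MISSING  $root/var/lib/bcfg2"
        rc=1
    fi
    return $rc
}

# Live run against the real paths (as root, so everything is readable):
#   AUDIT_LIVE=1 sh audit-bcfg2-perms.sh
if [ "${AUDIT_LIVE:-0}" = 1 ]; then
    audit_bcfg2_perms "${BCFG2_USER:-bcfg2}" "${BCFG2_GROUP:-bcfg2}"
fi
```

<p>With the CherryPy backend, where the note above says to leave the keypair owned by root, change the two TLS checks to expect root ownership instead of the <tt class="docutils literal"><span class="pre">bcfg2</span></tt> user; the repository and <tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt> checks stay the same.</p>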
</div>
<div class="section" id="steps-on-older-versions">
<h3>Steps on older versions<a class="headerlink" href="#steps-on-older-versions" title="Permalink to this headline">¶</a></h3>
<p>On older versions of Bcfg2, the PID file must be written somewhere the
<tt class="docutils literal"><span class="pre">bcfg2</span></tt> user can write to; newer versions do this by default.
Depending on your system, one of two approaches applies:</p>
<ul class="simple">
<li>On systems where <tt class="docutils literal"><span class="pre">/var/run</span></tt> is world-writable with the sticky bit set,
no change needs to be made.</li>
<li>On systems where <tt class="docutils literal"><span class="pre">/var/run</span></tt> is only writable by root, create a
subdirectory for the PID file and configure the Bcfg2 server to
write its PID file there:</li>
</ul>
<div class="highlight-bash"><div class="highlight"><pre>mkdir /var/run/bcfg2-server
chown bcfg2:bcfg2 /var/run/bcfg2-server
<span class="c"># a directory needs the execute bit, or the bcfg2 user cannot create the PID file in it</span>
chmod 0755 /var/run/bcfg2-server
</pre></div>
</div>
<p>To change the PID file:</p>
<ul class="simple">
<li>On Debian and derivatives, add <tt class="docutils literal"><span class="pre">export</span>
<span class="pre">PIDFILE=/var/run/bcfg2-server/bcfg2-server.pid</span></tt> to
<tt class="docutils literal"><span class="pre">/etc/default/bcfg2-server</span></tt></li>
<li>On Red Hat Enterprise Linux and derivatives, add <tt class="docutils literal"><span class="pre">export</span>
<span class="pre">PIDFILE=/var/run/bcfg2-server/bcfg2-server.pid</span></tt> to
<tt class="docutils literal"><span class="pre">/etc/sysconfig/bcfg2-server</span></tt>.  This includes recent versions that
are using systemd.</li>
<li>On other platforms, take the appropriate steps to change the PID
file, which is given to the <tt class="docutils literal"><span class="pre">bcfg2-server</span></tt> process with the <tt class="docutils literal"><span class="pre">-D</span></tt>
option, in your init system.</li>
</ul>
<p>On older versions of Bcfg2, you must also manually change the init script
or process to drop privileges to the <tt class="docutils literal"><span class="pre">bcfg2</span></tt> user before the daemon
is even invoked.</p>
<ul class="simple">
<li>On RHEL and derivatives that are not using systemd, modify the
<tt class="docutils literal"><span class="pre">bcfg2-server</span></tt> init script to run <tt class="docutils literal"><span class="pre">daemon</span> <span class="pre">--user=bcfg2</span> <span class="pre">$DAEMON</span>
<span class="pre">...</span></tt> in the <tt class="docutils literal"><span class="pre">start()</span></tt> function.</li>
<li>On Debian and derivatives, modify the <tt class="docutils literal"><span class="pre">bcfg2-server</span></tt> init script
to run <tt class="docutils literal"><span class="pre">start_daemon</span> <span class="pre">--user=bcfg2</span> <span class="pre">${DAEMON}</span> <span class="pre">...</span></tt> in the
<tt class="docutils literal"><span class="pre">start()</span></tt> function.</li>
<li>On systems that use systemd as their init system, add <tt class="docutils literal"><span class="pre">User=bcfg2</span></tt>
to the <tt class="docutils literal"><span class="pre">[Service]</span></tt> section of
<tt class="docutils literal"><span class="pre">/etc/systemd/system/bcfg2-server.service</span></tt></li>
<li>On other platforms, take the appropriate steps to change to the
<tt class="docutils literal"><span class="pre">bcfg2</span></tt> user when spawning the <tt class="docutils literal"><span class="pre">bcfg2-server</span></tt> daemon.</li>
</ul>
<p>Restart <tt class="docutils literal"><span class="pre">bcfg2-server</span></tt> and you should see it running as non-root in
<tt class="docutils literal"><span class="pre">ps</span></tt> output:</p>
<div class="highlight-python"><pre>% ps -ef | grep '[b]cfg2-server'
1000     11581     1  0 07:55 ?        00:00:15 python usr/sbin/bcfg2-server -C /etc/bcfg2.conf -D /var/run/bcfg2-server/bcfg2-server.pid</pre>
</div>
</div>
<div class="section" id="steps-on-bcfg2-1-3-0">
<h3>Steps on Bcfg2 1.3.0<a class="headerlink" href="#steps-on-bcfg2-1-3-0" title="Permalink to this headline">¶</a></h3>
<p class="versionadded">
<span class="versionmodified">New in version 1.3.0.</span></p>
<p>On Bcfg2 1.3, the default PID file location has been changed, but it
is still owned by root since no <tt class="docutils literal"><span class="pre">bcfg2</span></tt> user is created by default.
Consequently, you simply have to run:</p>
<div class="highlight-bash"><div class="highlight"><pre>chown bcfg2:bcfg2 /var/run/bcfg2-server
<span class="c"># a directory needs the execute bit, or the bcfg2 user cannot create the PID file in it</span>
chmod 0755 /var/run/bcfg2-server
</pre></div>
</div>
<p>Additionally, the server daemon itself supports dropping privileges
natively in 1.3.  Simply add the following lines to <tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt>:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="p">[</span><span class="n">server</span><span class="p">]</span>
<span class="o">...</span>
<span class="n">user</span> <span class="o">=</span> <span class="n">bcfg2</span>
<span class="n">group</span> <span class="o">=</span> <span class="n">bcfg2</span>
</pre></div>
</div>
<p>Restart <tt class="docutils literal"><span class="pre">bcfg2-server</span></tt> and you should see it running as non-root in
<tt class="docutils literal"><span class="pre">ps</span></tt> output:</p>
<div class="highlight-python"><pre>% ps -ef | grep '[b]cfg2-server'
1000     11581     1  0 07:55 ?        00:00:15 python usr/sbin/bcfg2-server -C /etc/bcfg2.conf -D /var/run/bcfg2-server/bcfg2-server.pid</pre>
</div>
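<p>Both the older-version procedure and the 1.3.0 procedure end with the same verification: look at <tt class="docutils literal"><span class="pre">ps</span></tt> and confirm that <tt class="docutils literal"><span class="pre">bcfg2-server</span></tt> is no longer running as root. The script below is an added example, not part of the Bcfg2 documentation or the project's code: it reads a key out of one section of <tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt> (plain INI syntax, so the same function also reads the <tt class="docutils literal"><span class="pre">backend</span></tt> option from the next section), then scans <tt class="docutils literal"><span class="pre">ps -ef</span></tt>-style output for any <tt class="docutils literal"><span class="pre">bcfg2-server</span></tt> process whose first column is <tt class="docutils literal"><span class="pre">root</span></tt> or <tt class="docutils literal"><span class="pre">0</span></tt>. The sample configuration and process listing embedded in it are constructed for the demonstration, and <tt class="docutils literal"><span class="pre">PRIVDROP_LIVE</span></tt> is this example's own switch for checking the real host.</p>

```bash
#!/bin/sh
# Added example (not from the Bcfg2 docs): verify both halves of the privilege
# drop.  conf_get reads one key from one section of bcfg2.conf on stdin;
# root_bcfg2_pids scans `ps -ef`-style text for bcfg2-server running as root.

# conf_get SECTION KEY  (config text on stdin)
# Prints the value and returns 0; returns 1 if the key is not set in SECTION.
conf_get() {
    awk -v want_sec="$1" -v want_key="$2" '
        /^[ \t]*[#;]/ { next }                        # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                      # [section] header
            sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next
        }
        sec == want_sec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want_key) { print val; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# root_bcfg2_pids PS_TEXT
# First column is UID for `ps -ef` or USER for `ps -eo user,pid,args`; the
# second is the PID.  Prints the PID of every bcfg2-server owned by root/0
# and returns 1 if any were found, 0 otherwise.
root_bcfg2_pids() {
    printf '%s\n' "$1" | awk '
        /bcfg2-server/ && ($1 == "root" || $1 == "0") { print $2; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# check_privdrop CONF_TEXT PS_TEXT
# Returns 0 when [server] names a non-root user and no bcfg2-server process is
# running as root; prints each problem found otherwise.
check_privdrop() {
    conf=$1 ps_text=$2 rc=0
    user=$(printf '%s\n' "$conf" | conf_get server user) \
        || { echo "no user= in the [server] section; the daemon will stay root"; rc=1; }
    if [ -n "$user" ] && [ "$user" = root ]; then
        echo "[server] user=root leaves the daemon privileged"; rc=1
    fi
    pids=$(root_bcfg2_pids "$ps_text") \
        || { echo "bcfg2-server still running as root, PID(s): $pids"; rc=1; }
    return $rc
}

# Constructed sample data (not captured from a real host).
SAMPLE_CONF='[server]
repository = /var/lib/bcfg2
backend = builtin
# native privilege drop, Bcfg2 1.3.0 and later
user = bcfg2
group = bcfg2

[communication]
protocol = xmlrpc/ssl'

SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 07:50 ?        00:00:02 /sbin/init
1000     11581     1  0 07:55 ?        00:00:15 python /usr/sbin/bcfg2-server -C /etc/bcfg2.conf -D /var/run/bcfg2-server/bcfg2-server.pid'

# Stand-alone: check the samples.  PRIVDROP_LIVE=1: check this host instead.
if [ "${PRIVDROP_LIVE:-0}" = 1 ]; then
    check_privdrop "$(cat /etc/bcfg2.conf)" "$(ps -ef)"
else
    check_privdrop "$SAMPLE_CONF" "$SAMPLE_PS" && echo "OK: bcfg2-server is not running as root"
fi
```

<p>On a host using the older init-script approach the <tt class="docutils literal"><span class="pre">user</span></tt> option is absent from <tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt>, so the first check reports it; the process scan is the one that matters there, and it is the same check a monitoring job can run periodically to catch a unit file or init script that was reverted.</p>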
</div>
</div>
<div class="section" id="server-backends">
<span id="id2"></span><h2>Server Backends<a class="headerlink" href="#server-backends" title="Permalink to this headline">¶</a></h2>
<p class="versionadded">
<span class="versionmodified">New in version 1.3.0.</span></p>
<p>Bcfg2 supports two different server backends: a builtin server
based on the Python SimpleXMLRPCServer class, and a server that uses
CherryPy (<a class="reference external" href="http://www.cherrypy.org">http://www.cherrypy.org</a>).  Each one has advantages and
disadvantages.</p>
<p>The builtin server:</p>
<ul class="simple">
<li>Is very stable and mature;</li>
<li>Supports certificate authentication;</li>
<li>Works on Python 2.4;</li>
<li>Is slow with larger numbers of clients.</li>
</ul>
<p>The CherryPy server:</p>
<ul class="simple">
<li>Is very new and potentially buggy;</li>
<li>Does not support certificate authentication yet, only password
authentication;</li>
<li>Requires CherryPy 3.2, which requires Python 2.5;</li>
<li>Is smarter about daemonization, particularly if you are
<a class="reference internal" href="#server-dropping-privs"><em>Running as a non-root user</em></a>;</li>
<li>Is faster with large numbers of clients.</li>
</ul>
<p>Basically, the builtin server should be used unless you have a
particular need for performance, and can sacrifice certificate
authentication.</p>
<p>To select which backend to use, set the <tt class="docutils literal"><span class="pre">backend</span></tt> option in the
<tt class="docutils literal"><span class="pre">[server]</span></tt> section of <tt class="docutils literal"><span class="pre">/etc/bcfg2.conf</span></tt>.  Options are:</p>
<ul class="simple">
<li><tt class="docutils literal"><span class="pre">cherrypy</span></tt></li>
<li><tt class="docutils literal"><span class="pre">builtin</span></tt></li>
<li><tt class="docutils literal"><span class="pre">best</span></tt> (the default; currently the same as <tt class="docutils literal"><span class="pre">builtin</span></tt>)</li>
</ul>
<p>If the certificate authentication issues (a limitation in CherryPy
itself) can be resolved and the CherryPy server proves to be stable,
it will likely become the default (and <tt class="docutils literal"><span class="pre">best</span></tt>) in a future release.</p>
</div>
</div>


          </div>
        </div>
      </div>
      <div class="sphinxsidebar">
        <div class="sphinxsidebarwrapper">
  <h3><a href="../index.html">Table Of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">Server Configuration</a><ul>
<li><a class="reference internal" href="#running-as-a-non-root-user">Running as a non-root user</a><ul>
<li><a class="reference internal" href="#common-steps">Common Steps</a></li>
<li><a class="reference internal" href="#steps-on-older-versions">Steps on older versions</a></li>
<li><a class="reference internal" href="#steps-on-bcfg2-1-3-0">Steps on Bcfg2 1.3.0</a></li>
</ul>
</li>
<li><a class="reference internal" href="#server-backends">Server Backends</a></li>
</ul>
</li>
</ul>

  <h4>Previous topic</h4>
  <p class="topless"><a href="selinux.html"
                        title="previous chapter">SELinux</a></p>
  <h4>Next topic</h4>
  <p class="topless"><a href="database.html"
                        title="next chapter">Global Database Settings</a></p>
        </div>
      </div>
      <div class="clearer"></div>
    </div>
    <div class="footer">
        &copy; Copyright 2009-2013, Narayan Desai.
      Last updated on Mar 20, 2013.
      Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.1.3.
    </div>
  </body>
</html>