CDB Namespaces, “service templates” and profile structure Véronique Lefébure June the 13 th 2008 ELFms Brainstorming meeting

OUTLINE Namespaces –Organisation of templates ACLs Alignment to latest Quattor release Service templates Profile structure –Environment variables –Configuration tree MISC –Future PANC, SLC5, security timeline

Namespaces Top directories: –test –preprod –prod –usertest – –profiles –repository –retired (new, to be populated) stages Contain templates

Namespaces Under any stage: –pan/ –quattor/ –components/ –monitoring/lemon/ –hardware/ –services/ –os/ –site/cern_cc/ –cluster/ –vpd/ –netinfo/ –serialmap/ Quattor base templates Quattor base templates with cern configuration Make use of all above, service per service OS releases (defaults) Make use of all above, site-specific Make use of all above, cluster-specific Machine data (Serial numbers, mac addresses, …) “vital product data”

components/ components/[component_name]/ –config.tpl Pkg_add (“ncm-[component_name]”,version,arch) Default configuration –schema.tpl –[ functions.tpl ]

monitoring/lemon/ configuration/ infrastructure/ rpms/ metrics/ sensors/ ACLs: monitoring Service Managers only

hardware/ cards/ cpus/ disks/ memory/ rams/ contracts/ vendors/ monitoring/ machines/ ACLs: procurement team only Make use of all above: HW types, ex: “ex_07_3” Make use of /prod/monitoring/*

Services/ services/[service_name]/config.tpl Contains: –Packages (use default versions) –Component(s) –Monitoring –Chkconfig –Iptables config

Service template: ex: afs_client template services/afs_client/config; # # Packages # variable architecture = if (value("/system/architecture") == "i386") { "i686"; } else { value("/system/architecture") }; variable kernelversion = value("/system/kernel/version"); variable openafsversion = " SL5"; "/software/packages" = pkg_add("openafs", openafsversion, architecture); "/software/packages" = pkg_add("openafs-client", openafsversion, architecture); "/software/packages" = pkg_add("openafs-kpasswd", openafsversion, architecture); "/software/packages" = pkg_add("openafs-krb5", openafsversion, architecture); "/software/packages"=pkg_add("kernel-module-openafs-"+kernelversion,openafsversion, architecture); # # Start the service # "/software/components/chkconfig/service/afs/on" = "345"; "/software/components/chkconfig/service/afs/add" = true; "/software/components/chkconfig/service/afs/startstop" = true; # # Monitoring # include pro_monitoring_metrics_afs; include pro_monitoring_sensor_afscm; # # Component # include components/afsclt/config;

os/ –i386_slc5/ –x86_64_slc5/ rpms/ –defaults.tpl

site/ site/cern_cc/ –configuration/ no_network/config.tpl only_monitoring/config.tpl i386_slc5/ x86_64_slc5/ –core/config.tpl –minimal/config.tpl –components/ –infrastructure/ –rpms/ –services/ –people_acls/ One of them to be included in the cluster template Used by the above (internal) Smods, sysadmins, etc

“core” and “minimal” “core” installation: –Aims and PrepareInstall work Incl. sindes, sms-set-state –Quattor –Console and ssh “minimal” installation: –= Core configuration + Lemon monitoring of: hardware, Quattor and “minimal” services User access (krb5 client) Sendmail, ntp, nscd, chkconfig Operator, sysadmins, smods acls

ACL’s : ex: root access for sysadmins template site/cern_cc/people_acls/sysadmins; variable sysadmin_list = list("jjmarin","grossir","bclement","tfabio","obouffet","ebonfill","ccor reia","hroussea","rbernard","dhoang","anovais","lgoguey","cguiller","console"); variable number_of_people = length(sysadmin_list); "/software/components/useraccess/users/root/roles" = { i = 0; result = self; while (i < number_of_people) { name = sysadmin_list[i]; result = push(name); i = i + 1; }; result; }; "/software/components/useraccess/roles/" = { i = 0; result = self; while (i < number_of_people) { name = sysadmin_list[i]; result[name]= nlist ("kerberos5", list(nlist("principal",name,"realm","CERN.CH"))); i = i + 1; }; result; };

cluster/ cluster/[cluster_name]/config.tpl Contains –Base configuration include site/cern_cc/configuration/x86_64_slc5/minimal/config; –Additionnal services include services/afs_client/config; –Acls include site/cern_cc/people_acls/sysadmin; –Aob “/system/cluster/usercontact” =

Cluster example: lxdev template cluster/lxdev/config; include {'site/cern_cc/configuration/'+ELFMS_ARCH+'_'+ELFMS_OS+'/minimal/config'}; "/system/cluster/name" = ELFMS_SVCCLASS; "/system/ccdomain" = "FIO"; "/system/defaultstate" = "maintenance"; "/system/contract" = "E"; "/system/importance" = 5; "/system/cluster/description" = "The development cluster for FIO"; "/system/cluster/usercontact" = "/system/accounting/name" = ELFMS_RESOURCE ; "/system/rootmail" = include cluster/lxdev/filepartition; include services/afs_client/config; "/system/cluster/tplname" = "lxdev";

Profile structure Proposed by FIO/FS object template profile_lxdev30; include stages/prod; include quattor/profile_declarations; variable ELFMS_OS = "slc5"; variable ELFMS_ARCH = "x86_64"; variable ELFMS_SVCCLASS = "lxdev"; variable ELFMS_RESOURCE = "c3"; variable ELFMS_CUSTOMIZATION = undef; include hardware/machines/elonex_2800_64; include vpd/lxdev30; #include monitoring/lemon/hardware/machines/elonex_2800_64; #not ready for slc5 include netinfo_lxdev30; include serial_map_lxc2ri25; "/hardware/rack/name" = "rb46"; include { ‘cluster/’+ELFMS_SVCCLASS+’/config’}; include { if (exists('resources/'+ ELFMS_RESOURCE)) 'resources/'+ ELFMS_RESOURCE }; include quattor/repository_cleanup;

Misc Future PANC : See new coding rules and syntax on SLC5 progress on Security review for sensors and components: coming ELFms meeting

Timeline From now on: ALL SLC5 machine profiles have to comply to the new profile content Beginning of September 2008: update LEAF scripts (used by Remedy/HMS) to support the new profile structure, with backward compatibility By end of September 2008: ALL SLC5 machines should not include ANY pro_* template anymore As far as possible, replace the usage of pro_* templates by the new templates everywhere (i.e. not only slc5 but also slc4(3) )