HP-UX CMGR A.02.
© Copyright 2008 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
About This Document

This document describes how to create new and modify existing security templates for HP-UX 11i v3.

Intended Audience

This guide is written for the following audience:
• HP-UX developers and integrators who create or modify CMGR templates. These users must be knowledgeable in configuring the subsystems used by their templates and should be familiar with XML.
• System administrators who apply CMGR templates to HP-UX systems.
ENVIRONMENT VARIABLE   The name of an environment variable, for example, PATH.
[ERROR NAME]           The name of an error, usually returned in the errno variable.
Key                    The name of a keyboard key. Return and Enter both refer to the same key.
Term                   The defined use of an important word or phrase.
User input             Commands and other text that you type.
Variable               The name of a placeholder in a command, function, or other syntax display that you replace with an actual value.
[]                     The contents are optional in syntax.
In particular, the following documents are available:
• HP-UX Security Containment and Role-Based Access Control (RBAC), documented in the HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3, available at http://docs.hp.com/en//oshpux11iv3.html#System%20Administration
• HP Process Resource Manager (PRM) documentation is available at http://docs.hp.com/en/ha.html#Process%20Resource%20Manager
• HP-UX IPFilter documentation is available at http://docs.hp.com/en/internet.
1 Introduction

The HP-UX Configuration Synchronization Manager (CMGR) includes the cmgr tool and libraries. CMGR tracks specific changes made to configuration files. It can track multiple changes applied to one configuration file (service), or it can track individual changes to multiple files (services). CMGR associates changes made to a file with labels and uses the labels to trace and display the changes that it made to the configuration files.
Figure 1-1 HP-UX CMGR Architecture

1.2 Features and Benefits

CMGR has the following features and benefits:
• Manages and tracks specific configuration changes for a subsystem or application.
• Associates configuration changes across multiple subsystems and applications.
• Provides a configuration life-cycle interface (add, delete, replace, list).
• User-defined, XML-based templates for defining and associating configuration actions.
2 Installing CMGR

The HP-UX Configuration Synchronization Manager (cmgr) is part of the HP-UX-SRP bundle. The HP-UX-SRP bundle consists of two products: CMGR and SRP. The CMGR product includes the CMGR runtime commands and libraries. The SRP product includes the SRP application templates and setup scripts. You can install the HP-UX-SRP bundle with both products, or you can install the CMGR product only. This section describes the steps required to install and configure the cmgr toolkit.
   # swlist -d @ /tmp/srp_depot_name.depot

7. To install the CMGR product only, enter the following command:

   # swinstall -s /tmp/srp_depot_name.depot CMGR

   To install the CMGR and SRP products, enter the following command:

   # swinstall -s /tmp/srp_depot_name.depot HP-UX-SRP

2.3 Verifying the HP-UX CMGR Installation

Verify the installation of the HP-UX Configuration Synchronization Manager using the following steps:
1.
3 Building a Template

You can use the CMGR templates with the cmgr command to coordinate the configuration of subsystems and services. A CMGR template is an XML document used to describe a set of configuration actions to perform for the add, delete, replace, list, and help operations of the cmgr command. The CMGR template syntax is enforced via the Document Type Definition (DTD) schema file.
NOTE: You cannot include any attributes in the structure elements.

3.1.1 The template Element

The template element is required. It is the highest level element in the CMGR template. The template element can have the following child elements:

Child Element   Description
head            Required
prologue        Optional
body            Required

3.1.2 The head Element

The head element is required. We recommend that you use the head element to group elements that must be processed when cmgr is first invoked.
The prologue element can have the following child elements:

Child Element                                  Description
All configuration elements (See Section 3.2)   Optional
All processing elements (See Section 3.3)      Optional

3.1.4 The body Element

The body element is required. We recommend that you use the body element to group elements that perform the actual configuration changes for the template. The body element can have the following child elements:

Child Element                                  Description
All configuration elements (See Section 3.
Child Element   Description
success         Optional
failure         Optional

See Section 3.3 for more information on these child elements.

3.2.1 The commands Element

The commands element executes the specified HP-UX commands. Upon invocation, the commands element handler checks the operation option from the cmgr command line and performs one of the following tasks:

Operation                        Description
add, delete, replace, and list   The contents of the concatenated data child elements are supplied as input to /usr/bin/sh.
option from the cmgr command and performs one of the following tasks for the compartment identified by the compartment attribute:

Operation   Description
add         Searches the /etc/cmpt directory for a file containing a definition for the compartment. If the file is not found, a new /etc/cmpt/compartment.rules is created and a compartment definition for the compartment is added. The contents of the concatenated data child elements are then added to the top of the compartment definition.
Attribute      Description
compartment    The name of the compartment. Required with the add, delete, and replace operations. Optional with the list and help operations.
cmptdelete     If FALSE, do not remove empty compartment definitions on a delete operation. Default is TRUE.
cmptactivate   If FALSE, do not execute the compartments activation command. Default is TRUE.
cmptvalidate   If FALSE, do not execute the compartments validation command. Default is TRUE.

See Section 3.
Operation   Description
replace     Performs the equivalent of a delete followed by an add operation.
list        Searches the /etc/rc.config.d/netconf and /etc/rc.config.d/netconf-ipv6 files for IP address entries containing matching meta-tags. If a match is found, cmgr displays the entire meta-tag string. If used with the -verbose option, cmgr lists the IP address configuration information.

The ipaddress element can have the following attributes:

Attribute   Description
id          Optional. Common attribute.
ipfilter handler checks the operation option from the cmgr command and performs one of the following tasks:

Operation   Description
add         Adds the concatenated data child elements to the beginning of the IPFilter configuration file.

NOTE: You must include meta-tags around the configuration data to be added. See Section 3.2.8 for more information on meta-tags.
Attribute     Description
ipfactivate   Optional. If FALSE, do not execute the IPFilter activation command. Default is TRUE.
ipfvalidate   Optional. If FALSE, do not execute the IPFilter validation command. Default is TRUE.

3.2.5 The ipsec Element

The ipsec element manages interaction with the HP-UX IPsec configuration.
3.2.6 The prm Element

The prm element manages interaction with the Process Resource Management (PRM) configuration file specified by the prmfile attribute. Upon invocation, the prm handler checks the operation option from the cmgr command and performs one of the following tasks:

Operation   Description
add         Adds the concatenated data child elements to the end of the prm configuration file.

NOTE: You must include meta-tags around the configuration data to be added. See Section 3.2.
Attribute     Description
prmfile       Required. Specifies the PRM configuration file to use.
prmactivate   Optional. If FALSE, do not execute the prm activation command. Default is TRUE.
prmvalidate   Optional. If FALSE, do not execute the prm validation command. Default is TRUE.

3.2.7 The provision Element

The provision element manages user-defined provision scripts specified by the prog attribute. It stores the data passed to the provision script on the add and replace operations in the file specified by the tag_file attribute.
The provision handler can have the following attributes:

Attribute   Description
id          Optional.
if          Optional.
if_op       Optional.
tag_file    Required. Absolute path of the file containing provision tags.
prog        Required. Name of the provision script to execute.

3.2.8 Using meta-tags

The configuration elements commands, compartment, ipfilter, prm, ipsec, and provision use meta-tags to mark the configuration changes that their respective handler has made.
3.3.1 The data Element

The data element is used to encapsulate template data. The handler of the parent element processes the data in the data element. The data element has the following child element:

Child Element   Description
repeat          Optional. Expands a subset of the data to support insertion of multi-valued variables.

The data element has the following attributes:

Attribute   Description
if          Optional. Common attribute.
if_op       Optional. Common attribute.

3.3.
Attribute      Description
name           Variable name string. The cmgr command logically replaces instances of $name in the template with the current contents of the value attribute as they are encountered during template processing.
prompt_level   The minimum value for the prompt argument to allow cmgr to prompt for this variable. The cmgr command always prompts if the value attribute is null when it encounters a variable replacement. Default level is 1.
Value                                   Description
"fileTest('test','error msg')"          Tests file, where test is a filetest operator as defined by Perl. For instance, test can be -d for directory test, -e for exists, -x for executable.
"csvList('function', arg1, ... argN)"   Calls function (arg1, ..., argN) for each element in a comma separated list.

Templates can contain variables anywhere within a template.
NOTE: The failure element has no child element and no attributes.

3.3.6 The group Element

The group element is a generic grouping element. It can be used to group elements to be executed under a common condition. The group element can have the following child elements:

Child Element                                  Description
All configuration elements (See Section 3.2)   Optional
All processing elements (See Section 3.3)      Optional

NOTE: The group element has no attributes.

3.3.
The color 1 is red
The color 2 is yellow
The color 3 is green

NOTE: The repeat element has no child element. The repeat element can have the following attributes:

Attribute   Description
if          Optional. Common attribute.
if_op       Optional. Common attribute.
vary        Required. Comma separated list of variable names to vary.

3.3.9 The success Element

The success element is used to encapsulate element success messages that can be displayed when the processing of the parent element returns without an error.
3.4 Common Attributes

The CMGR template includes common attributes and handler-specific attributes. You can also create your own attributes. The cmgr command supports the following attributes:

Attribute   Description
id          Element identity; does not have to be unique.
if          Specifies a condition that must be true for cmgr to process the element. Can be any valid Perl condition statement.
if_op       Limits the cmgr processing of this element to cases with a matching cmgr operation argument.
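The structural rules stated in Sections 3.1 through 3.4 (required head and body children, required attributes such as prmfile, tag_file, prog and vary, attribute-free group and failure elements) together with the $name substitution and the repeat expansion behind the "The color 1 is red" output can be checked mechanically. The following Python checker is an added example written for this page, not part of CMGR or of HP's own tooling; the reading of if_op used to exempt list/help-only compartment elements, and the variable names num and color used in the repeat test, are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Structural rules taken from the element descriptions in this document.
REQUIRED_ATTRS = {"prm": {"prmfile"}, "provision": {"tag_file", "prog"}, "repeat": {"vary"}}
NO_ATTRS = {"group", "failure"}        # elements the document says carry no attributes
VARIABLE_REF = re.compile(r"\$(\w+)")  # $name references in template text


def check_template(xml_text):
    """Return the list of structural violations; an empty list means the template passes."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "template":
        problems.append("root element must be template")
    for tag in ("head", "body"):       # both are required children of template
        if root.find(tag) is None:
            problems.append("template is missing required child " + tag)
    for el in root.iter():
        for attr in sorted(REQUIRED_ATTRS.get(el.tag, ())):
            if attr not in el.attrib:
                problems.append(el.tag + " is missing required attribute " + attr)
        if el.tag in NO_ATTRS and el.attrib:
            problems.append(el.tag + " must not carry attributes")
        if el.tag == "compartment" and "compartment" not in el.attrib:
            # Required for add/delete/replace; an if_op limited to list/help exempts it (assumed reading of if_op).
            ops = set(el.get("if_op", "add,delete,replace").split(","))
            if ops - {"list", "help"}:
                problems.append("compartment element is missing the compartment attribute")
    return problems


def substitute(text, variables):
    """Replace each $name with the variable's current value; undefined names are left as written."""
    return VARIABLE_REF.sub(lambda m: variables.get(m.group(1), m.group(0)), text)


def expand_repeat(text, variables, vary):
    """Expand a repeat body once per position of the comma-separated values of the variables named in vary."""
    names = [n.strip() for n in vary.split(",")]
    columns = [variables[n].split(",") for n in names]
    if len({len(col) for col in columns}) != 1:
        raise ValueError("varied variables must have the same number of values")
    lines = []
    for values in zip(*columns):
        lines.append(substitute(text, {**variables, **dict(zip(names, values))}))
    return lines
```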
Figure 3-1 Using HP-UX CMGR 3.
Example 3-1 IPFilter Template
Variable        Usage
--------------- -----------------------------------------------------------
ip_address      Source IP Address for IPFilter Rule. Required for: -a, -r
tcp
logger "cmgr-IPFilter Example $op - Rule: $rule_id, IP Address: $ip_address, Port: $tcp_port"
logger "cmgr-IPFilter Example $op - Rule: $rule_id"