Presentation: Pakiti
Pakiti Client Setup
Install one small client rpm on the clients and a configuration file.
– pakiti-client-0.8-1.noarch.rpm
– edit /etc/pakiti/pakiti-client.conf to point to the web server, select yum/apt/up2date, and insert the sys admin's name
Extract from the README for more details:

tmp]# more /usr/share/doc/pakiti-server-1/README.SERVER

INTRODUCTION

The Pakiti Client is a small Perl script which checks what packages are available to install on the system and reports them to the central Pakiti Server.

WHAT DOES IT DO?

It simply gathers the packages provided by your vendor and sends the list to the server. Pakiti DOES NOT INSTALL ANY UPDATED PACKAGE.

HOW ARE AVAILABLE PACKAGES GATHERED?

Pakiti can currently use 3 tools to gather information about available packages:
- yum
- up2date
- apt-get

Of course, the tool you choose MUST first be properly configured to be able to install updated packages relevant to your distribution. For instance, if you decide to go for yum, it MUST point to a relevant yum repository.
HOW ARE THEY REPORTED TO THE SERVER?

The Pakiti client sends an HTTP message to the server containing the list of available packages. It is recommended to use HTTPS to authenticate the remote server and to send the information through a secure channel. To use HTTPS, your Pakiti configuration file MUST contain the full path of the certificate of the CA who issued the Pakiti server's certificate. In this way, the Pakiti client will be able to check the Pakiti server's certificate. Of course, to use HTTPS, your Pakiti server MUST be HTTPS enabled.

WHERE CAN I CONFIGURE THE Pakiti CLIENT?

There is only one configuration file to set up the Pakiti client. It is located here: /etc/pakiti/pakiti-client.conf

It contains the following information:

# Configuration file for Pakiti.

# URL of your local Pakiti server. HTTPS is strongly recommended!
server_url = https://pakiti.cern.ch/feed/

# CA Path for HTTPS connection to your local Pakiti server.
# This is mandatory for HTTPS.
ca_certificate = /etc/grid-security/certificates/

# Curl binary, with the options you like
curl_path = /usr/bin/curl -s

# Delay (minutes)
delay = 0

# Package handling tool: 'up2date' or 'yum' or 'apt-get'
method = apt-get

# section: the contact for the system.
# Put something small that can identify your site.
admin = My_Organization Production

# Log file location.
log = /var/log/pakiti/pakiti.log
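As an added example (not from the slides or the Pakiti project), a POSIX shell check that reads a pakiti-client.conf and flags the settings the README calls mandatory: an https:// server_url, a ca_certificate path whenever HTTPS is used, and a method that is one of yum, up2date or apt-get. The pakiti.example.org host and the two sample configs are constructed; the function names are assumptions.

```shell
#!/bin/sh
# conf_get FILE KEY: value of KEY in an ini-style file, skipping '#' comment lines.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_pakiti_client_conf FILE: returns 0 only if the file has what the README
# calls for: an https:// server_url, a ca_certificate path when HTTPS is used,
# and a method that is one of yum, up2date or apt-get. Findings go to stdout.
check_pakiti_client_conf() {
    conf="$1"; rc=0
    url=$(conf_get "$conf" server_url)
    ca=$(conf_get "$conf" ca_certificate)
    method=$(conf_get "$conf" method)
    case "$url" in
        https://*)
            # HTTPS without a CA path means curl cannot verify the server.
            if [ -z "$ca" ]; then
                echo "ERR: HTTPS in use but ca_certificate is not set"; rc=1
            elif [ ! -e "$ca" ]; then
                echo "WARN: ca_certificate path $ca does not exist on this host"
            fi ;;
        http://*) echo "ERR: server_url is plain HTTP; the server cannot be authenticated"; rc=1 ;;
        *) echo "ERR: server_url is missing or malformed: '$url'"; rc=1 ;;
    esac
    case "$method" in
        yum|up2date|apt-get) ;;
        *) echo "ERR: method must be yum, up2date or apt-get, got '$method'"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs (pakiti.example.org is not a real Pakiti server).
weak=$(mktemp); good=$(mktemp)
cat >"$weak" <<'EOF'
server_url = http://pakiti.example.org/feed/
method = rpm
EOF
cat >"$good" <<'EOF'
# Configuration file for Pakiti.
server_url = https://pakiti.example.org/feed/
ca_certificate = /etc/grid-security/certificates/
method = apt-get
EOF
check_pakiti_client_conf "$weak" || echo "$weak: rejected"
check_pakiti_client_conf "$good" && echo "$good: accepted"
rm -f "$weak" "$good"
```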
Pakiti Server Setup
Need to install it on a web server:
– Install the server rpm
– Configure MySQL
– Configure httpd
HOW CAN I CONFIGURE A PAKITI SERVER?

On a RHEL/SL system, the following steps should be sufficient:

1. Install Apache, PHP, mysql-server, mod_ssl, php-mysql and pakiti-client
# apt-get install httpd php mysql-server php-mysql mod_ssl pakiti-client
If other dependencies are needed, the packages should be available through your vendor. For more information about installing the client, please see the previous section.

2. Install Pakiti-server
Download the latest RPM and run:
# rpm -i pakiti-server-*.rpm

3. Configure the MySQL server
Configure MySQL to start at boot
# chkconfig --level 235 mysqld on
Start the mysqld service
# /etc/init.d/mysqld start
Change the MySQL root password
# /usr/bin/mysql mysql
~ update mysql.user set Password=PASSWORD('strong_root_password') where User='root' and Host='localhost';
~ flush privileges;
~ quit;
Create the pakiti database
# mysqladmin -u root -p create pakiti
Fill the tables
# /usr/bin/mysql -u root -p pakiti < /usr/share/doc/pakiti-server-*/pakiti.sql
Create a Pakiti user
# /usr/bin/mysql -u root -p mysql
~ GRANT SELECT,INSERT,UPDATE,DELETE ON pakiti.* TO IDENTIFIED BY 'mysql_password';
~ flush privileges;
~ quit;
Of course, 'mysql_user' and 'mysql_password' are up to you.
4. Configure Apache

It is *strongly* recommended to use HTTPS and client authentication. One way of doing this is to create a /etc/httpd/conf.d/pakiti.conf containing:

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateKeyFile
SSLCertificateFile
SSLCACertificatePath /etc/grid-security/certificates
DocumentRoot /var/lib/pakiti/www/
ErrorLog logs/pakiti-error
CustomLog logs/pakiti-access common
Alias /feed "/var/lib/pakiti/feed"
SSLRequireSSL
Options -All
AllowOverride None
DirectoryIndex index.php
SSLVerifyClient require
SSLVerifyDepth 5
SSLCACertificatePath /etc/grid-security/certificates/
SSLOptions +FakeBasicAuth
AuthName "Pakiti: YOUR CERTIFICATE MUST BE REGISTERED"
AuthType Basic
require valid-user
AuthUserFile /var/lib/pakiti/users
SSLRequireSSL
Options -All
AllowOverride None
DirectoryIndex index.php
Then people can be authenticated by putting their DN in /var/lib/pakiti/users, such as:
/C=CH/O=CERN/OU=GRID/CN=Romain Wartel 7120:xxj31ZMTZzkVA
Note that FakeBasicAuth requires ":xxj31ZMTZzkVA" as a suffix of every DN, i.e. each line is the DN followed by :xxj31ZMTZzkVA. For more details refer to Apache's FakeBasicAuth documentation.
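An added example, not part of the slides or of Pakiti, that maintains the AuthUserFile in the FakeBasicAuth format described above: it appends a DN with the required suffix without duplicating it, and flags lines that lack the suffix, since such a line never lets its certificate holder in. The /C=XX/O=Example DN is constructed and the function names are assumptions.

```shell
#!/bin/sh
# With SSLOptions +FakeBasicAuth, mod_ssl presents the client certificate's DN
# as the user name and the fixed password "password", whose crypt() hash is
# the literal xxj31ZMTZzkVA (see Apache's mod_ssl documentation). A line in
# AuthUserFile without that suffix can therefore never authenticate anyone.
FAKE_BASIC_AUTH_SUFFIX='xxj31ZMTZzkVA'

# pakiti_user_entry DN: print the AuthUserFile line for DN.
pakiti_user_entry() {
    printf '%s:%s\n' "$1" "$FAKE_BASIC_AUTH_SUFFIX"
}

# pakiti_user_add FILE DN: append the entry unless that exact line is present,
# so re-running a provisioning script never duplicates a DN.
pakiti_user_add() {
    if grep -q -x -F -e "$(pakiti_user_entry "$2")" "$1" 2>/dev/null; then
        echo "already registered: $2"
    else
        pakiti_user_entry "$2" >>"$1"
    fi
}

# pakiti_users_check FILE: list non-comment lines lacking the suffix (these
# silently lock out their certificate holders); return 1 if any were found.
pakiti_users_check() {
    bad=$(grep -v -e '^#' -e '^$' "$1" | grep -v ":${FAKE_BASIC_AUTH_SUFFIX}\$" || true)
    if [ -n "$bad" ]; then
        echo "entries that will never authenticate:"
        echo "$bad"
        return 1
    fi
    return 0
}

# Demo on a constructed users file: the DN from the slide plus a hypothetical
# second administrator added by hand without the suffix.
users=$(mktemp)
pakiti_user_add "$users" '/C=CH/O=CERN/OU=GRID/CN=Romain Wartel 7120'
pakiti_user_add "$users" '/C=CH/O=CERN/OU=GRID/CN=Romain Wartel 7120'   # no duplicate
echo '/C=XX/O=Example/CN=Constructed Admin' >>"$users"                  # broken line
pakiti_users_check "$users" || echo "fix the lines above before restarting httpd"
rm -f "$users"
```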
5. Configure the Pakiti Server

The configuration of the Pakiti server can be changed in /etc/pakiti/pakiti-server.conf

# Configuration file for the Pakiti webinterface.

# Set the parameters for connecting to
# the Pakiti database.
[mysql]
hostname = localhost
dbname = pakiti
username = mysql_user
password = mysql_password

[webinterface]
# URL of your local Pakiti server
url = https://pakiti.cern.ch
title = My_Organization

# Reference URL to download the list of security RPMs.
# This setting should normally *not* be changed.
[security_module]
security_rpms =

[reporting]
# This section contains details about statistics and full reports
# that can be exported from this local Pakiti server to central Pakiti servers.

# URLs of trusted *central* Pakiti servers, separated by ';'
# that would receive statistics from this local Pakiti server
#send_stats_to =

# URLs of trusted *central* Pakiti servers, separated by ';'
# that would receive detailed reports from this local Pakiti server
#send_detailed_report_to =

# CA Path for HTTPS reporting to the central servers. This is mandatory for HTTPS
ca_certificate = /etc/grid-security/certificates/

# Curl binary to connect to the central Pakiti servers, with the options you like
curl_path = /usr/bin/curl -s
Known Bugs

RHEL 2.1 is using curl 7.8.1, which does not support SSL. This version of curl also has limited buffers. As a result, if the system tries to report a large number of packages to be installed (>50), the reporting process might break. There are two workarounds:
1. Apply a few patches to reduce the number of outstanding updates. Your system should not have a large number of fixes to apply!
2. Update the curl package to a newer curl. The installation might not be nice: you might need to install it with "--no-deps" and you might need to create the following symlink:
ln -s /usr/lib/libcurl.so.2 /usr/lib/libcurl.so.1
Note that this newer curl handles SSL.

Contact
Please contact Romain Wartel for any information.
pakiti
Shows all nodes grouped by OS version

pakiti 2
Shows unpatched nodes

pakiti 3
Shows only vulnerable nodes
Shows nodes not responding