Integrated Server Solution Built on Puppet and RHEL-Derivatives

Well I have a little bit of time today, so I am going to make a post. I know I have again disappointed by not updating, ever! This is the typical distracted person right? Hey, I’m going to make a blog, and never post on it. However beyond the point let’s get this going.

Today, we are faced with many issues when deploying stable Linux platforms, and it seems that there is a niche that could be filled and I suspect work has been done here before but I feel like taking my spin on it. The plan is to implement RHEL ( or it’s derivatives ) with Enterprise IPA, Puppet, Application Management (light at first), and an easy PXE boot setup using a basic Kickstart. These are the basic goals, eventually a network file system such as OpenAFS or NFS to handle roaming profiles as well as pushing applications to the machines. I am planning to break down these things into roles, that could potentially be rolled out as one machine, ( don’t do it ) or rolled out as multiple machines. The deployment of the first server and puppet repositories are going to be handled in a distributed manor with git, instead of the traditional puppet configuration of client/server with load balanced server. None of these components must be used however, as they are simply various options that will be available in the puppet modules called

The first issue at hand was obtaining a platform with working FreeIPA, which currently was unavailable and into the 6.1 release it wasn’t stable or usable by any means due to the inconsistent behavior it exhibited. Fortunately RHEL 6.2 has shipped and this has resolved this situation, and now on to the next issue.

The second problem is coming up with a structure for puppet, beyond just the normal structures everyone is used to, to make the roles clearly defined, and finding out what things are truly different between these machines for the configuration process. I also need to be concerned with error log handling from workstations, since this is something that should have easily identifiable headers to the administration email account. I may have to develop some basic graphical tools to quickly setup such a server for the non-tech savvy or just quick testing of it.

Application management, fortunately has been sorted out using a combination of puppet and wrapper scripts. So hopefully I can establish a standardize way of install Linux applications that are commercial across the network. (that’s sensible) I do believe I have covered almost every circumstance possible, including a few crazy ones as I have garnered experience from an environment that could be just as troublesome.

The boot process has been a tricky one I have thought about, and haven’t quite solved. Using the method from the shop I was at previous would involve usb/disk booting with a Kickstart already there. The best option would be something like Cobbler with PXE booting setup and the setup pointed to various Kickstart files. I will hash this out as soon as I get there…

Now to the important part, why do all this work? Well this is more me seeing if I can clean room build an effective environment with descent documentation for anyone to use. I would like to see what is possible with puppet using git, as well as test use OpenAFS in a setting other than a university that is effective. This work could potentially pan out to be an entirely unpaid effort, but it’s still an interesting investigation none the less. I am eating my own poison here, so don’t assume this is just some academic not familiar with the territory.

I will continue on once I get the images for the distribution…

« Apparently I am not allowed to do that…

Apparently I am not allowed to do that…

Well, I forgot I don’t have free reign to host a distribution off my web host, but that was more of a mistake since I am used to the university resources allowing hosting of things like a Linux Distribution. So I will go a different route, and find a more flexible host that is more equipped to handle a distribution. I would like to think they wont have an issue with hosting pages and links to the various files. Although they are a “Web Host,” so that was pretty much expected…

Integrated Server Solution Built on Puppet and RHEL-Derivatives »« Ubuntu repository mirroring

Ubuntu repository mirroring

Hello everyone, I decided to create a mirror of Ubuntu as I am working on a solution built on top of it, and I became quite tired of constantly building from repositories only or using the local cache of packages which often led to more downloading due to missing packages. So an easy option was to take advantage of a tool built for Ubuntu and Debian called apt-mirror.

Prior to installing apt-mirror is planning out how you will store your repositories and what repositories you are going to need. I am planning on storing everything in /var since I have placed /var on a raid array. since the default location is /var/spool/apt-mirror I will not have to change the “base_path” in the apt-mirror mirror.list configuration file.

I used the default mirror.list configuration file for apt-mirror only adding what was needed to support 64-bit and network installation. This file is located at /etc/apt/mirror.list and below is my mirror.list file:


############# config ##################
#
set base_path /var/spool/apt-mirror
set cleanscript $var_path/clean.sh
set nthreads 4
set _tilde 0
#set limit_rate 10k - Trickle updates down at 100Kbps to prevent network hogging
#
############# end config ##############

#Ubuntu Lucid 10.04 (32-bit)
deb-i386 http://archive.ubuntu.com/ubuntu lucid main restricted universe multiverse
deb-i386 http://archive.ubuntu.com/ubuntu lucid-security main restricted universe multiverse
deb-i386 http://archive.ubuntu.com/ubuntu lucid-updates main restricted universe multiverse

#Ubuntu Lucid 10.04 (64-bit)
deb-amd64 http://archive.ubuntu.com/ubuntu lucid main restricted universe multiverse
deb-amd64 http://archive.ubuntu.com/ubuntu lucid-security main restricted universe multiverse
deb-amd64 http://archive.ubuntu.com/ubuntu lucid-updates main restricted universe multiverse
#deb http://archive.ubuntu.com/ubuntu lucid-proposed main restricted universe multiverse
#deb http://archive.ubuntu.com/ubuntu lucid-backports main restricted universe multiverse

#Ubuntu Lucid 10.04 (Source)
deb-src http://archive.ubuntu.com/ubuntu lucid main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu lucid-security main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu lucid-updates main restricted universe multiverse
#deb-src http://archive.ubuntu.com/ubuntu lucid-proposed main restricted universe multiverse
#deb-src http://archive.ubuntu.com/ubuntu lucid-backports main restricted universe multiverse

#Security Updates (32-bit)
deb-i386 http://security.ubuntu.com/ubuntu lucid-security main restricted
deb-i386 http://security.ubuntu.com/ubuntu lucid-security universe
deb-i386 http://security.ubuntu.com/ubuntu lucid-security multiverse
#Security Updates (64-bit)
deb-amd64 http://security.ubuntu.com/ubuntu lucid-security main restricted
deb-amd64 http://security.ubuntu.com/ubuntu lucid-security universe
deb-amd64 http://security.ubuntu.com/ubuntu lucid-security multiverse

#Security Updates (Source)
deb-src http://security.ubuntu.com/ubuntu lucid-security main restricted
deb-src http://security.ubuntu.com/ubuntu lucid-security universe
deb-src http://security.ubuntu.com/ubuntu lucid-security multiverse

#Netboot Requuirement (32-bit/64-bit)
deb-i386 http://archive.ubuntu.com/ubuntu lucid main/debian-installer restricted/debian-installer universe/debian-installer multiverse/debian-installer
deb-amd64 http://archive.ubuntu.com/ubuntu lucid main/debian-installer restricted/debian-installer universe/debian-installer multiverse/debian-installer

#cleanup routine
clean http://archive.ubuntu.com/ubuntu
clean http://security.ubuntu.com/ubuntu

After modifying the mirror.list you can at this point add a cron job to run apt-mirror at a designated time or manually run it to control when updates happen on your network. I also have a separate mirror.list I pass to apt-mirror on a hourly cronjob for security updates separate since I actually pull normal package updates when I want to update. So running apt-mirror will update the packages on the system and cron will automatically pull the security updates on a constant basis. Then the auto-update daemon will grab those updates on the clients. So far everything is working, hopefully when someone needs to make netboot working this will help since the information was quite vague in regard into what package needed to be added since I assume when you add restricted it will add debian-installer. This simply isn't the case with Ubuntu's repositories at least when I tried it with apt-mirror.

Apparently I am not allowed to do that… »« Well I managed to neglect this page once again… I keep saying I’m going to fix that…

Well I managed to neglect this page once again… I keep saying I’m going to fix that…

This doesn’t matter I can resolve this by writing more post about the current investigations I have before me. Just to overview what I have been getting myself into lately in order of importance to me, FPGAs, cfengine, AFS, and MIT Kerberos. The reason for the slack is that other things have managed to keep my attention well focused. This is fine, but I would like to update this blog more since I managed to get myself sick and that’s what it took for me to remember about it. I hopefully wont keep this pattern up but I always say that! I wont be mentioning much about FPGAs because I am still in the process of learning and I am no expert in this area.

However onto cfengine, I want to write up a guide on implementing cfengine under a Windows environment at least with the newer edition of cfengine specifically version 3. Assuming I can get it working in a environment similar to what is operating in some businesses and colleges. Specifically, those that have configured AFS and MIT Kerberos in their environment and have had success in a mixed environment. I am curious if it is viable to use cfengine with Windows 7 in this environment without the need for a crossrealm relationship with a AD or taking advantage of this latest release of samba and using MIT Kerberos side by side. This is by no means for a production environment, this is more of an investigation of what might be possible down the road when samba 4 becomes more stable.

It seems people tend to look at using the AD for everything or using a system of mixed authentication to handle various services. It appears that using the AD can solve the problem but do you really want to depend on one vendor? However the other side adds extreme amounts of complexity to the system. It seems to me that group policy management is quite a battle to implement cross platform specifically when involving Windows. At least if you don’t plan on using Microsoft’s products to implement such a configuration.

OpenAFS, is a distributed file system that alleviates load from the traditional file servers and client hierarchy into a system where clients also provide data to each other. This functionality is limited to read-only content but is quite useful when used to deploy applications  on Linux and *nix workstations, as well as sharing large amounts of static data between clients. When integrated with cfengine it can be used in the deployment and storing of configuration of clients in addition to the features mentioned above. The OpenAFS clients and servers integrate well with Kerberos Authentication also since it will obtain a token via Kerberos Ticket.

MIT Kerberos, is quite important to this structure since this provides an authentication that does not send passwords over the wire and allows the ticket to gain access to additional services like AFS and intranet services via a Ticket Granting Ticket or TGT. This allows a client who is logged into a Kerberos system to seamlessly use machines within the network that take advantage of the Kerberos Authentication to allow the user access without demanding a password. Essentially this is your network identification, you can use to obtain services around the network.

I will try to do a write up whenever I start really grasping the aspects of this system and how to take advantage of it in a mixed environment. This is just a little overview of what I’ve been becoming more familiar with lately.

Related Links:
cfengine
OpenAFS
MIT Kerberos

Ubuntu repository mirroring »« The Future

The Future

I noticed the other day, that people pay little attention to the future none the less the next decision they should make. I sometimes think about what runs in the minds of these people. I mean do they wake up in the morning and decide I should quit school and flip burgers for the rest of their lives or is there more to it than that. I’ve seen it first hand what forces them into those sort of decisions. Whether it’s the unexpected kid, difficulty, or just simply loss of interest it bugs me that people don’t have the determination to keep going even if it seems like an uphill battle. That battle I am talking about is just simple life choices everyone has to make on a daily basis the good and bad ones. We’ve all made those decisions since we were born into this world. I can not grasp an understanding  of why folks immediately assume all is lost after their “bad decisions” and think it is truly a total loss. When in reality the only loss that has happened is your decision to give up.

Since, I am on the topic of the future and now specifically my future. I am quite content with the education at UNCC and feel that if I had went else where it would have been a disservice to myself. I also would like to note the semester has been going pretty well with some minor hiccups which I’m sure will be sorted out before the end of the semester but it’s to be expected since I am at a new school of course.

I found it a bit entertaining one of my friends has opened up a blog (probably with little choice on the matter) but still entertaining nonetheless, called “Tech in the Complex Plain.” Which you can visit here.

It’s a bit late, but this is rather important to mention, a good friend of mine passed away recently under some bizarre circumstances. Quite a few people in the community are upset and saddened, but it seems there is nothing anyone knew about the events that lead to her death. It’s quite a sad thought that my friend was motivated enough to climb out of a pile of bad decisions, and was almost in the clear, but this had to happen…

Well I managed to neglect this page once again… I keep saying I’m going to fix that… »« Somewhere between the Zombie B Movies and Programming lies…

Somewhere between the Zombie B Movies and Programming lies…

Well more importantly A real news update, I have been tracking the efforts of openpandora.org and the Pandora Handheld it looks like they didn’t make their July 20th date so the wait goes on there ( to be expected as there is a lot for them to do ). I’ve been investigating OpenSim Engine for doing something similar to WireMod and Garry’s Mod. Since the Source Engine carries quite a few limitations but that is to be expected since overriding it’s limits generates massive problems. Then again I’m not too sure if OpenSim can handle what I am looking for in a “game engine” at least for my idea.

On to other topics, I actually managed to hose my Netbook firmware and the recovery method is no longer functioning. I am going to gamble it is completely shot now since it does not even accept any flash images or even cycle properly. The laptop is a Acer Aspire One but all attempts to use the Fn + Esc while powering to flash have failed so far. Also for your information I have tried using both FAT and FAT32 formats on the flash drives, used multiple cases for naming, and thumb drives to restore it, all of which have failed. So I am forced to send the laptop back via RMA.

I have added some GFC Integration to my site for the moment to do some testing with it, but so far it’s not the integration I was looking for and I believe it needs more work. The individual who wrote the plug-in doesn’t seem to be available anymore or his site at least isn’t so that is kind of bothersome. However it doesn’t seem to take much to improve it but it is more of a question of time.

Interestingly enough I had fun watching some old zombie flicks, hence the title, it’s quite amazing how low budget those films were and manage to stand the test of time as far as being entertaining.

The Future »« Well seems I’m done at gaston, and now onto UNC-C

Well seems I’m done at gaston, and now onto UNC-C

So it seems I need to make an update, the Pandora is getting ever so close to release since they are pretty much done with all the hiccups barring the case design which they are finalizing. I think that’s good news since it’s about time we seen some activity from them. I’ve been keeping myself busy this summer with programming projects and helping around the house. Other than that maybe next week I’ll get caught up on the blog, until next time, bye!

Somewhere between the Zombie B Movies and Programming lies… »« It Is Official, School Is Out! At Least For The Moment

It Is Official, School Is Out! At Least For The Moment

Well first thing on the agenda is the Yubi Key it is rather important since it brings a RSA SecurID or Vasco style key into the consumer market. It is quite affordable compared to other solutions since other solutions require a certificate server and numerous other hurdles just to get the thing implemented. It is not completely secure but it’s better than not bothering to secure the system at all. I did see there were efforts to read the yubi key and some folks are making progress in that department which is slightly scary. I do not know if they have had any success but it is worth noting. I am grabbing the SDK or Software Development Kit, for the less savvy, for it and looking at possible options for portable devices and whether these options would be worth it. It would be nice if you could lock down the device you have completely to deter thieves from grabbing a device using a Yubi Key but currently that would require the device to have some functions to stop usage completely if it did not have a Yubi Key plugged in. I thought about implementing something at boot time, but that is limited by the bios technology we have. If we had Unified Extensible Firmware Interface we might be able to put a dent into those who think they can simply wipe or reset the bios via CMOS battery to make the device functional again. We’ve seen bios solutions like what IBM and Toshiba do with their hardware and how excessive they go to protect their devices from both data theft and just plain thievery. I know there are some modules you can add to BIOSes out there to fix that issue but I don’t think that is a complete solution. It is not exactly the best idea to completely lock out access to the bios or firmware, but it should stop the common crook. Overall the best defense is simply making the device as impossible to use and make functional also since your assumed to use encryption anyway your data would be quite safe. However, I do not know of many device manufacturers that ensure there is a way to make the device into a paper-weight beyond a laptop.

I am also investigating OpenCL as a option for future projects, particularly on Linux. Seems the open API and the fact there are state trackers being implemented for it in Gallium3D are making it quite attractive to develop on.

Also, I may going to start adding pages but then again this site is a bit informal for that purpose even though I speak about topics I do not tend to acknowledge anyone on the site specifcally due to the methods at which spam and phishers work I cannot post too much on myself otherwise I become a target for that madness.

A small note on the Open Pandora seems they have started really moving on the progress meter at least with getting it out the door, maybe in a month or two we will see it for real.

Well seems I’m done at gaston, and now onto UNC-C »« This Month, What Interesting Things Are Going On!

This Month, What Interesting Things Are Going On!

I’m definitely taking the break off but I am looking for reading material for Linear Algebra, and I doubt anyone pays attention to my site. I found quite a few books that relate it to Computer Science and Engineering which might be good options, again I’m still searching. If anyone wants to help me there just forward me an email with the author and title.

Well it looks like we’re approaching the release of the Open Pandora. I hope everything works out and I get it in one peice should be interesting to actually get to test and use one of these devices, once and for all. I’d like to note that the device is steam rolling toward completion and if I do not see it, the first 500 probably will for the rest of us who preordered one. We’ll see the final kinks worked out either way.

I would to point out to the internet community and the politically blind, deaf-mutes, and just pure ignorant to the facts that there is a agenda being pushed whether it’s nice or not. If your not aware they are proposing that the Infrastructure is to be controlled, which I would recommend you read on here.

I should get more lively here over the summer but we’ll see…

It Is Official, School Is Out! At Least For The Moment »« Long overdue update… Let’s try this again!

Long overdue update… Let’s try this again!

The slow updates are due to school and the time it consumes and prevents me from maintaining the site in proper and consistent manor. This does not mean, I will not update the site at all. I have some important topics to bring up that are going on in different areas of technology.

It’s worth mentioning that the squabbles that Nvidia and Intel are having are apparently dealing with the use of the on-board memory controllers that Intel has built onto their processors versus an external one that most manufacturers of chipsets will have to deal with. Nvidia apparently is out of their arena making the chipset utilise this feature thus causing this lawsuit to occur. In an interesting turn of events the rumour mills have been pushing out that Nvidia may have a contract with Apple to be used as a chipset for newer Macs this presents another reason the whole issue cropped up. I don’t know if information was leaked to the Intel camp but it seems this wasn’t in Intel’s best interest to allow Nvidia to profit from Apple as they have been since the processor transition. I am curious to see if Nvidia is going to get hurt even though I am running their products it doesn’t mean I like or dislike the company. I was driven by a decision to cut cost on my computer and not fork out cash for a larger powersupply unless until power management is improved for ATI.

Debian 5.0 or Lenny has been out for quite a bit, and I’ve am running it as my primary OS at the moment with a tainted kernel as I am using Nvidia’s blob driver, so I have 3d functionality. I have been investigating the nouveau and possible future options for the card assuming I get my system completely working right. What has impressed me so far is the massive update it has made to the entire OS overall along with adding newer versions of stable software to the repository finally among other things. I moved away from Gentoo to Debian Lenny when emerging the world took more than 12 hours I decided recompiling everything might not have been the best plan.

This comes as a interesting surprise but it looks like heavy development is going on with wayland in the redhat camp. I think it could become a serious X server and possibly more when it becomes mature. But this remains to be seen. The push to implement this on Ubuntu and Fedora mainly, and others probably to come is important to regain speed loses due to the bloat in the current implementation of X. It’s to be seen how this will fair with the one graphics manufacturer that has failed to open up their drivers to support what is needed to get this working. But ATI and Intel have both made efforts and had success with implementation on the platform. I am curious to see if Nvidia will follow suit if it becomes more successful or will the nouveau folks beat nvidia to implementation who knows. It’s like Nvidia is stuck in some awkward position that opening specifications would be some violation of a agreement which it could be.

Until next update…

This Month, What Interesting Things Are Going On! »« And now for the current situation…