From 0347d1d79bc2275f54303c9f794a6348fa546916 Mon Sep 17 00:00:00 2001
From: Robert Frank
Date: Fri, 17 Jan 2014 10:56:53 +0000
Subject: [PATCH] added files
---
 manifests/apache.pp | 111 ++++++++++++++++++++++++
 manifests/config.pp | 85 ++++++++++++++++++
 manifests/install.pp | 5 ++
 manifests/params.pp | 65 ++++++++++++++
 manifests/service.pp | 114 +++++++++++++++++++++++++
 templates/administrative_info.erb | 8 ++
 templates/agent_configuration.conf.erb | 95 +++++++++++++++++++++
 templates/ssl_auth.conf.erb | 10 +++
 8 files changed, 493 insertions(+)
 create mode 100644 manifests/apache.pp
 create mode 100644 manifests/config.pp
 create mode 100644 manifests/install.pp
 create mode 100644 manifests/params.pp
 create mode 100644 manifests/service.pp
 create mode 100644 templates/administrative_info.erb
 create mode 100644 templates/agent_configuration.conf.erb
 create mode 100644 templates/ssl_auth.conf.erb
diff --git a/manifests/apache.pp b/manifests/apache.pp
new file mode 100644
index 0000000..1b7cf89
--- /dev/null
+++ b/manifests/apache.pp
@@ -0,0 +1,111 @@
+class perfsonar::apache(
+ $hostcert = $perfsonar::params::hostcert,
+ $hostkey = $perfsonar::params::hostkey,
+ $capath = $perfsonar::params::capath,
+ $clientauth = $perfsonar::params::clientauth,
+ $verifydepth = $perfsonar::params::verifydepth,
+ $authdn = [],
+) inherits perfsonar::params {
+ augeas { 'set mod_ssl params':
+ incl => "${perfsonar::params::mod_dir}/ssl.conf",
+ lens => 'Httpd.lns',
+ context => "/files/${perfsonar::params::mod_dir}/ssl.conf/VirtualHost",
+ changes => [
+ "set *[.='SSLCertificateFile']/arg ${hostcert}",
+ "set *[.='SSLCertificateKeyFile']/arg ${hostkey}",
+ "set directive[.='SSLCACertificatePath'] 'SSLCACertificatePath'", # create node if not exist
+ "set *[.='SSLCACertificatePath']/arg ${capath}", # set value for node
+ "set directive[.='SSLVerifyClient'] 'SSLVerifyClient'",
+ "set *[.='SSLVerifyClient']/arg ${clientauth}",
+ "set directive[.='SSLVerifyDepth'] 'SSLVerifyDepth'",
+ "set *[.='SSLVerifyDepth']/arg ${verifydepth}",
+ ],
+ }
+ $have_auth = $authdn ? {
+ undef => 0,
+ default => size($authdn),
+ }
+ if $have_auth > 0 {
+ augeas { 'set mod_ssl auth':
+ incl => "${perfsonar::params::conf_dir}/apache-toolkit_web_gui.conf",
+ lens => 'Httpd.lns',
+ context => "/files/${perfsonar::params::conf_dir}/apache-toolkit_web_gui.conf",
+ changes => [
+ "rm Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/directive[.='AuthShadow']",
+ "rm Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/directive[.='AuthType']",
+ "rm Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/directive[.='AuthName']",
+ "rm Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/directive[.='Require']",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/directive[.='Include'] 'Include'",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/*[.='Include']/arg '${perfsonar::params::httpd_dir}/ssl_auth.conf'",
+ "rm Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/directive[.='AuthShadow']",
+ "rm Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/directive[.='AuthType']",
+ "rm Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/directive[.='AuthName']",
+ "rm Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/directive[.='Require']",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/directive[.='Include'] 'Include'",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/*[.='Include']/arg '${perfsonar::params::httpd_dir}/ssl_auth.conf'",
+ # instead of the set commands above, the setm regex versions below should work as well (they do in augtool),
+ # but for some reason they produce an error when run by puppet ('Could not evaluate: missing string argument 2 for setm', no useful debug output either)
+ # the rm commands below work, but we shouldn't use them with the single set commands above because they can cause security problems
+ # e.g., if the original auth section is removed without from an unexpected directory entry without adding the include
+ #"rm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')]/directive[.='AuthShadow']",
+ #"rm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')]/directive[.='AuthType']",
+ #"rm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')]/directive[.='AuthName']",
+ #"rm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')]/directive[.='Require']",
+ #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] directive[.='Include'] 'Include'",
+ #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] *[.='Include']/arg '${perfsonar::params::httpd_dir}/ssl_auth.conf'",
+ ]
+ }
+ file { "${perfsonar::params::httpd_dir}/ssl_auth.conf":
+ ensure => 'present',
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => template("${module_name}/ssl_auth.conf.erb"),
+ }
+ } else {
+ augeas { 'restore mod_ssl auth':
+ incl => "${perfsonar::params::conf_dir}/apache-toolkit_web_gui.conf",
+ lens => 'Httpd.lns',
+ context => "/files/${perfsonar::params::conf_dir}/apache-toolkit_web_gui.conf",
+ changes => [
+ "rm Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/*[.='Include']",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/directive[.='AuthShadow'] 'AuthShadow'",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/*[.='AuthShadow']/arg 'on'",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/directive[.='AuthType'] 'AuthType'",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/*[.='AuthType']/arg 'Basic'",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/directive[.='AuthName'] 'AuthName'",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/*[.='AuthName']/arg '\"Password Required\"'",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/directive[.='Require'] 'Require'",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/*[.='Require']/arg[1] 'group'",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/*[.='Require']/arg[2] 'wheel'",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin\"']/*[.='Require']/arg[3] 'admin'",
+ "rm Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/*[.='Include']",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/directive[.='AuthShadow'] 'AuthShadow'",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/*[.='AuthShadow']/arg 'on'",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/directive[.='AuthType'] 'AuthType'",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/*[.='AuthType']/arg 'Basic'",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/directive[.='AuthName'] 'AuthName'",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/*[.='AuthName']/arg '\"Password Required\"'",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/directive[.='Require'] 'Require'",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/*[.='Require']/arg[1] 'group'",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/*[.='Require']/arg[2] 'wheel'",
+ "set Directory[arg='\"/opt/perfsonar_ps/toolkit/web/root/admin/logs\"']/*[.='Require']/arg[3] 'admin'",
+ # below should work, but the setm command suffers the same problem as the ones in the "if $have_auth > 0" block
+ #"rm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')]/*[.='Include']",
+ #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] directive[.='AuthShadow'] 'AuthShadow'",
+ #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] *[.='AuthShadow']/arg 'on'",
+ #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] directive[.='AuthType'] 'AuthType'",
+ #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] *[.='AuthType']/arg 'Basic'",
+ #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] directive[.='AuthName'] 'AuthName'",
+ #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] *[.='AuthName']/arg '\"Password Required\"'",
+ #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] directive[.='Require'] 'Require'",
+ #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] *[.='Require']/arg[1] 'group'",
+ #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] *[.='Require']/arg[2] 'wheel'",
+ #"setm Directory[arg=~regexp('.*/web/root/admin(/.*)?\"?')] *[.='Require']/arg[3] 'admin'",
+ ]
+ }
+ file { "${perfsonar::params::httpd_dir}/ssl_auth.conf":
+ ensure => 'absent',
+ }
+ }
+}
diff --git a/manifests/config.pp b/manifests/config.pp
new file mode 100644
index 0000000..26f70ad
--- /dev/null
+++ b/manifests/config.pp
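Review bot: None of the augeas or file resources in perfsonar::apache notify Service['httpd'], so switching the admin directories between Basic auth and the SSLRequire include (either branch of `if $have_auth > 0`) rewrites the config but leaves the running server on the old rules until something else restarts it; add `notify => Service['httpd'],` to 'set mod_ssl params', 'set mod_ssl auth', 'restore mod_ssl auth' and the ssl_auth.conf file resource (service.pp in this patch declares `service { 'httpd': }`, so the reference resolves). `$authdn` is interpolated into ssl_auth.conf.erb as `"<%= dn %>"` with no check that each entry is a quote-free string, and a DN containing `"` yields an unparsable SSLRequire line; a `validate_array($authdn)` plus a per-entry check (stdlib is already relied on for `size()`) or at least a documented constraint would catch that at compile time. The class also has no header comment; one stating that `$authdn` lists the client-certificate DNs allowed into the toolkit admin pages and that an empty list restores the toolkit's default Basic auth would help the next maintainer.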
@@ -0,0 +1,85 @@
+class perfsonar::config(
+ $admininfo = {},
+ $agentconfig = {},
+) inherits perfsonar::params {
+ exec { 'ps_initdb_cacti':
+ environment => [ "HOME=/root" ],
+ command => $perfsonar::params::ps_initdb_cmd_cacti,
+ logoutput => 'on_failure',
+ require => Service['mysqld'],
+ unless => '/bin/echo "show databases" | /usr/bin/mysql | /bin/grep -q "^cacti$"',
+ }
+ exec { 'ps_initdb_psb_bwctl':
+ environment => [ "HOME=/root" ],
+ command => $perfsonar::params::ps_initdb_cmd_psb_bwctl,
+ logoutput => 'on_failure',
+ require => Service['mysqld'],
+ unless => '/bin/echo "show databases" | /usr/bin/mysql | /bin/grep -q "^bwctl$"',
+ }
+ exec { 'ps_initdb_psb_owamp':
+ environment => [ "HOME=/root" ],
+ command => $perfsonar::params::ps_initdb_cmd_psb_owamp,
+ logoutput => 'on_failure',
+ require => Service['mysqld'],
+ unless => '/bin/echo "show databases" | /usr/bin/mysql | /bin/grep -q "^owamp$"',
+ }
+ exec { 'ps_initdb_tr_ma':
+ environment => [ "HOME=/root" ],
+ command => $perfsonar::params::ps_initdb_cmd_tr_ma,
+ logoutput => 'on_failure',
+ require => Service['mysqld'],
+ unless => '/bin/echo "show databases" | /usr/bin/mysql | /bin/grep -q "^traceroute_ma$"',
+ }
+ exec { 'ps_initdb_pinger':
+ environment => [ "HOME=/root" ],
+ command => $perfsonar::params::ps_initdb_cmd_pinger,
+ logoutput => 'on_failure',
+ require => Service['mysqld'],
+ unless => '/bin/echo "show databases" | /usr/bin/mysql | /bin/grep -q "^pingerMA$"',
+ }
+ # the perfsonar kickstart post script replaces all 'yes' values in /etc/sysconfig/readahead to 'no'
+ # we do the same here with augeas, it replaces all '"yes"' and 'yes' values to 'no'
+ # let's hope they don't start using single quotes in that file,
+ # my attempts to update single quoted values as well failed miserably
+ # (maybe I should have gone for a simple 'sed -i' exec)
+ augeas { 'disable readahead':
+ incl => '/etc/sysconfig/readahead',
+ lens => 'Shellvars.lns',
+ context => '/files/etc/sysconfig',
+ changes => 'setm readahead *[label()!=\'#comment\'][.=~regexp(\'"?yes"?\')] "no"',
+ # we need the onlyif because the above command produces an error if the regex can't find any values
+ onlyif => 'match readahead/*[label()!=\'#comment\'][.=~regexp(\'"?yes"?\')] size > 0',
+ }
+ # ensure ssh is enabled by default, otherwise saving the configuration in the webinterface (or boot can disable it)
+ augeas { 'enable ssh':
+ context => '/files/opt/perfsonar_ps/toolkit/etc/enabled_services',
+ incl => '/opt/perfsonar_ps/toolkit/etc/enabled_services',
+ lens => 'Shellvars.lns',
+ changes => 'set ssh_enabled "enabled"'
+ }
+ $site_project = 'pS-NPToolkit-3.3.1'
+ file { '/opt/perfsonar_ps/toolkit/etc/administrative_info':
+ ensure => 'present',
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => template("${module_name}/administrative_info.erb"),
+ }
+# file { '/opt/perfsonar_ps/toolkit/etc/external_addresses':
+# ensure => 'present',
+# owner => 'root',
+# group => 'root',
+# mode => '0644',
+# content => template("${module_name}/administrative_info.erb"),
+# }
+ $agent_options = merge($perfsonar::params::agentconfig, $agentconfig)
+ file { '/opt/perfsonar_ps/mesh_config/etc/agent_configuration.conf':
+ ensure => 'present',
+ owner => 'perfsonar',
+ group => 'perfsonar',
+ mode => '0644',
+ content => template("${module_name}/agent_configuration.conf.erb"),
+ }
+ # ??? run "sudo -u perfsonar /opt/perfsonar_ps/mesh_config/bin/generate_configuration" when agent_configuration.conf is changed
+ # it takes a long time to complete, so it's probably not a good idea, it's being run by a cron job every night any way
+}
diff --git a/manifests/install.pp b/manifests/install.pp
new file mode 100644
index 0000000..bc38d4a
--- /dev/null
+++ b/manifests/install.pp
@@ -0,0 +1,5 @@
+class perfsonar::install (
+ $packages = $perfsonar::params::install_packages,
+) inherits perfsonar::params {
+ package { $packages: }
+}
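Review bot: Every `exec` in perfsonar::config has `require => Service['mysqld']`, but no `service { 'mysqld': }` is declared anywhere in this patch, so unless another module on the node declares it the catalog fails to compile with an unresolved dependency; either declare it (service.pp is the natural place) or state the external requirement in a class header comment. The five execs differ only in title, command and the database name in `unless`, which suggests a defined type or a hash-driven declaration rather than five copies to keep in sync. `$site_project = 'pS-NPToolkit-3.3.1'` is hard-coded in the class body while every other tunable lives in params.pp; moving it there, or making it a class parameter with that default, keeps the toolkit version in one place.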
diff --git a/manifests/params.pp b/manifests/params.pp
new file mode 100644
index 0000000..a8caa27
--- /dev/null
+++ b/manifests/params.pp
@@ -0,0 +1,65 @@
+class perfsonar::params {
+ # package list taken from centos6-netinstall.cfg (from the perfsonar netinstall cd)
+ # system packages (already installed on standard installation) and
+ # packages that are dependencies of packages in this list have been removed from the original list
+ $install_packages = [
+ 'perl-perfSONAR_PS-Toolkit',
+ 'perl-perfSONAR_PS-Toolkit-SystemEnvironment',
+ 'perl-perfSONAR_PS-MeshConfig-Agent',
+ 'kmod-sk98lin',
+ 'iperf3',
+ 'gcc',
+ 'mysql-devel',
+ 'device-mapper-multipath',
+ 'nuttcp',
+ 'php-gd',
+ 'php-xml',
+ 'syslinux',
+ 'tcptrace',
+ 'xplot-tcptrace',
+ ]
+ # other packages in the original kickstart, but left out
+ # 'perl-DBD-mysql' doesn't exist, it's called perl-DBD-MySQL
+ # 'xkeyboard-config' do we need it, we don't run X ??
+ # 'comps-extras' contains images only, do we need it ??
+
+ # init database commands
+ # names of db init scripts to run can be found in /opt/perfsonar_ps/toolkit/scripts/initialize_databases
+ # we can just run two of them directly, the others call perl scripts which we have run directly
+ $ps_initdb_cmd_cacti = '/opt/perfsonar_ps/toolkit/scripts/initialize_cacti_database'
+ $ps_initdb_cmd_pinger = '/opt/perfsonar_ps/toolkit/scripts/initialize_pinger_database'
+ # the following perl commands ask for the mysql root password on stdin, so we extract it from /root/.my.cnf
+ # the original shell scripts (/opt/perfsonar_ps/toolkit/scripts/initialize_* scripts just pipe echo into the
+ # perl script and would require a mysql server without a root password
+ $ps_initdb_cmd_psb_bwctl = '/bin/sed -n "s/^password=//p" /root/.my.cnf | tr -d "\n\'" | /opt/perfsonar_ps/perfsonarbuoy_ma/bin/bwdb.pl -i root'
+ $ps_initdb_cmd_psb_owamp = '/bin/sed -n "s/^password=//p" /root/.my.cnf | tr -d "\n\'" | /opt/perfsonar_ps/perfsonarbuoy_ma/bin/owdb.pl -i root'
+ $ps_initdb_cmd_tr_ma = '/bin/sed -n "s/^password=//p" /root/.my.cnf | tr -d "\n\'" | /opt/perfsonar_ps/traceroute_ma/bin/tracedb.pl -i root -c /opt/perfsonar_ps/perfsonarbuoy_ma/etc'
+
+ # apache options
+ $hostcert = '/etc/grid-security/hostcert.pem'
+ $hostkey = '/etc/grid-security/hostkey.pem'
+ $capath = '/etc/grid-security/certificates'
+ $clientauth = 'optional'
+ $verifydepth = '5'
+
+ # default mesh config
+ $agentconfig = {
+ mesh => [],
+ traceroute_master_conf => '/opt/perfsonar_ps/traceroute_ma/etc/traceroute-master.conf',
+ owmesh_conf => '/opt/perfsonar_ps/perfsonarbuoy_ma/etc/owmesh.conf',
+ pinger_landmarks => '/opt/perfsonar_ps/PingER/etc/pinger-landmarks.xml',
+ restart_services => 0,
+ use_toolkit => 1,
+ send_error_emails => 1,
+ skip_redundant_tests => 1,
+ }
+ # paths
+ case $::osfamily {
+ 'RedHat': {
+ $httpd_dir = '/etc/httpd'
+ $mod_dir = "${httpd_dir}/conf.d"
+ $conf_dir = "${httpd_dir}/conf.d"
+ }
+ default: {}
+ }
+}
diff --git a/manifests/service.pp b/manifests/service.pp
new file mode 100644
index 0000000..78d390c
--- /dev/null
+++ b/manifests/service.pp
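Review bot: The `$ps_initdb_cmd_psb_bwctl`, `$ps_initdb_cmd_psb_owamp` and `$ps_initdb_cmd_tr_ma` pipelines extract the MySQL root password with `sed -n "s/^password=//p" /root/.my.cnf`, which prints every `password=` line in the file regardless of section; if .my.cnf carries a password in more than one section (e.g. [client] and [mysqldump]), `tr -d "\n"` glues them into one wrong string that is then fed to the init script, and the failure surfaces only as a generic exec error. Limiting the match to the [client] section, or reading it with the MySQL `my_print_defaults client` helper where available, would be more robust; in the same pipelines `tr` is the only unqualified command while `sed` is `/bin/sed`, so `/usr/bin/tr` would be consistent with the execs that run these without a `path`. `case $::osfamily` leaves `$httpd_dir`, `$mod_dir` and `$conf_dir` unset on the `default` branch, so on another osfamily apache.pp would manage paths such as `/ssl.conf`; `default: { fail("perfsonar: unsupported osfamily ${::osfamily}") }` fails early and explicitly instead.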
@@ -0,0 +1,114 @@
+class perfsonar::service(
+) {
+ # start stop restart
+ service { 'bwctld':
+ ensure => 'running',
+ enable => true,
+ hasstatus => false,
+ hasrestart => true,
+ }
+ # start stop restart
+ service { 'config_daemon':
+ }
+ # start
+ service { 'configure_nic_parameters':
+ }
+ # start stop(nil) restart(start)
+ service { 'dicover_external_address':
+ }
+ # start stop(nil) restart
+ service { 'generate_motd':
+ }
+ # start stop status restart condrestart|try-restart(stop start) force-reload|reload(nil)
+ service { 'htcacheclean':
+ }
+ service { 'httpd':
+ }
+ # start stop restart
+ service { 'ls_cache_daemon':
+ }
+ # start stop restart
+ service { 'ls_registration_daemon':
+ }
+ # start stop status restart condrestart|try-restart(restart) force-reload|reload
+ service { 'multipathd':
+ }
+ # start stop status restart|reload
+ service { 'ndt':
+ }
+ # start stop restart
+ service { 'npad':
+ }
+ # start stop status restart condrestart|try-restart(restart) force-reload|reload
+ service { 'nscd':
+ }
+ # start stop status restart condrestart|try-restart(restart) force-reload(restart) reload(restart)
+ service { 'openct':
+ }
+ # start stop restart
+ service { 'owamp':
+ }
+ # start stop restart status condrestart|try-restart
+ service { 'pcscd':
+ }
+ # start stop restart
+ service { 'perfsonarbuoy_bw_collector':
+ }
+ # start stop restart
+ service { 'perfsonarbuoy_bw_master':
+ }
+ # start stop restart
+ service { 'perfsonarbuoy_ma':
+ }
+ # start stop restart
+ service { 'perfsonarbuoy_owp_collector':
+ }
+ # start stop restart configure
+ service { 'perfsonarbuoy_owp_master':
+ }
+ # start stop restart
+ service { 'PingER':
+ }
+ # start stop restart condrestart|try-restart(restart) reload(nil) force-reload(restart) status
+ service { 'portreserve':
+ }
+ # start stop status restart|reload|force-reload condrestart|try-restart
+ service { 'rpcbind':
+ }
+ # start stop restart
+ service { 'services_init_script':
+ }
+ # start stop restart
+ service { 'simple_ls_bootstrap_client':
+ }
+ # start stop restart
+ service { 'snmp_ma':
+ }
+ # start stop restart
+ service { 'topology_service':
+ }
+ # start stop restart
+ service { 'traceroute_ma':
+ }
+ # start stop restart
+ service { 'traceroute_master':
+ }
+ # start stop restart
+ service { 'traceroute_ondemand_mp':
+ }
+ # start stop restart
+ service { 'tracerouet_scheduler':
+ }
+
+ # the following services are installed by perfsonar, but not enabled
+ # avahi daemon
+ # bluetooth
+ # cups
+ # nfs
+ # nfslock
+ # rpcgssd (nfs gss)
+ # rpcidmapd
+ # rpcsvcgssd
+ # snmpd
+ # snmptrapd
+}
diff --git a/templates/administrative_info.erb b/templates/administrative_info.erb
new file mode 100644
index 0000000..1cfc509
--- /dev/null
+++ b/templates/administrative_info.erb
@@ -0,0 +1,8 @@
+<% unless @admininfo && @admininfo.has_key?('site_project') -%>
+site_project=<%= @site_project %>
+<% end
+if @admininfo
+ @admininfo.keys.sort.each do |k| -%>
+<%= k %>=<%= @admininfo[k] %>
+<% end
+end -%>
diff --git a/templates/agent_configuration.conf.erb b/templates/agent_configuration.conf.erb
new file mode 100644
index 0000000..76e0ef7
--- /dev/null
+++ b/templates/agent_configuration.conf.erb
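Review bot: `service { 'dicover_external_address': }` and `service { 'tracerouet_scheduler': }` look like misspellings of discover_external_address and traceroute_scheduler; because neither resource sets `ensure` or `enable` they are silent no-ops today, but they will start failing as soon as state is managed, so fix the titles now. Apart from 'bwctld', every service in perfsonar::service is declared without `ensure` or `enable`, so the class manages no state and only provides refresh targets; in particular `service { 'httpd': }` neither keeps the web server running nor enabled even though the rest of the module rewrites its configuration. A class header comment saying which services are intended to be managed and which are declared only so other classes can notify them would make that intent explicit. In the administrative_info.erb hunk on this same line, `<%= k %>=<%= @admininfo[k] %>` writes values verbatim, so a value containing a newline becomes an extra key; a one-line template header noting that values are not escaped is worth adding.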
@@ -0,0 +1,95 @@
+# Managed by Puppet
+<% @agent_options['mesh'].each do |meshconfig| -%>
+
+<% meshconfig.keys.sort.each do |mcopt| -%>
+ <%= mcopt %> <%= meshconfig[mcopt] %>
+<% end -%>
+
+<% end -%>
+
+<% @agent_options.keys.sort.each do |acopt|
+ if acopt != 'mesh' then -%>
+<%# TODO allow array for admin_email -%>
+<%= acopt %> <%= @agent_options[acopt] %>
+<% end
+end -%>
+
+## Use 'mesh' blocks to to specify each mesh that the agent should
+## configure the host against
+
+## You can define more meshes to configure against by adding more 'mesh' blocks.
+#
+# ## Use 'configuration_url' to specify the URL where the agent should obtain
+# ## the mesh configuration from
+# configuration_url https://host.otherdomain.edu/mesh.json
+#
+# ## To ensure that the configuration is trusted, you can set the
+# ## 'validate_certificate' option to 1. This will validate that the certificate
+# ## is valid, and matches the hostname. If the 'validate_certificate' option is
+# ## set to 1, the 'ca_certificate_file' option must be set.
+# #validate_certificate 0
+#
+# ## The 'ca_certificate_file' specifies which CAs to use to validate the
+# ## certificates.
+# #ca_certificate_file /etc/pki/tls/bundle.crt
+#
+# ## The 'required' field specifies that if this mesh isn't available, or has
+# ## problems, to skip making any changes to the host configuration.
+# #required 1
+#
+
+# Use the traceroute_master_conf, owmesh_conf and pinger_landmarks options to
+# specify the location of the files to write. In a normal configuration, these
+# should be left as what's included below.
+#traceroute_master_conf /opt/perfsonar_ps/traceroute_ma/etc/traceroute-master.conf
+#owmesh_conf /opt/perfsonar_ps/perfsonarbuoy_ma/etc/owmesh.conf
+#pinger_landmarks /opt/perfsonar_ps/PingER/etc/pinger-landmarks.xml
+
+## You can include one or more 'address' options to specify which address
+## corresponds to this host. By default, the agent will attempt to guess the
+## address using the hostname of the host, as well as the hostname IPs.
+#address chic-pt1.es.net
+
+# The 'restart_services' option can be used to specify whether the services
+# should be restarted after their configuration is updated. If the
+# 'use_toolkit' variable below is set to 0, you will need to use the
+# 'cron-restart_services' cron script included in
+# /opt/perfsonar_ps/mesh_config/doc to restart the services.
+#restart_services 1
+
+# The 'use_toolkit' option can be used to specify whether the agent should use
+# the pS-Performance Toolkit's configuration daemon to save the configuration,
+# and restart the services. If the agent is not installed on a toolkit
+# instance, you will make sure that the configuration files listed above are
+# all writable by user 'perfsonar'. The 'perfsonar' user cannot restart the
+# services so you will need to disable 'restart_services' above, and use the
+# 'cron-restart_services' cron script included in
+# /opt/perfsonar_ps/mesh_config/doc to restart the services.
+#use_toolkit 1
+
+# The 'send_error_emails' option can be used to tell the agent to send an email
+# (via sendmail) when an error occurs. These emails will be sent to the
+# applicable administrators (e.g. the local administrator(s), the mesh
+# administrator(s), the site administrator(s), and/or the host
+# administrator(s).
+#send_error_emails 1
+
+## By default, the from address for the error emails will be
+## mesh_agent@[hostname]. However, if you'd like to specify a different email
+## address, you can do so here.
+#email_from_address admin@host.site.edu
+
+## One or more 'admin_email' options can be included to specify email addresses
+## to send errors to. These email addresses will receive all errors (including
+## parsing errors). This is in addition to the emails that will be sent to the
+## various affected administrators (e.g. the mesh administrator or the site
+## administrator).
+#admin_email admin1@site.edu
+#admin_email admin2@site.edu
+
+
+## The 'skip_redundant_tests' can be used so that if the meshes end up creating
+## multiple tests between hosts with the exact same test parameters, it will
+## only setup the hosts to only run one test. If you enable this, you won't see
+## the skipped tests in the Toolkit GUI
+#skip_redundant_tests 1
diff --git a/templates/ssl_auth.conf.erb b/templates/ssl_auth.conf.erb
new file mode 100644
index 0000000..600c848
--- /dev/null
+++ b/templates/ssl_auth.conf.erb
@@ -0,0 +1,10 @@
+SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ and \
+ ( %{SSL_CLIENT_S_DN} in { \
+<% lsep = ','
+ dnlist = @authdn.uniq
+dnlist.each do |dn|
+ lsep = '' if dn == dnlist.last -%>
+ "<%= dn %>"<%= lsep %> \
+<% end -%>
+ }) \
+)
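Review bot: The template's own commentary documents that `validate_certificate` defaults to 0, so a mesh pulled from an https `configuration_url` is accepted without certificate or hostname validation unless each mesh block explicitly sets `validate_certificate 1` and `ca_certificate_file`; because config.pp passes `mesh` entries through verbatim and params.pp defaults `mesh => []`, nothing in the module sets or mentions these keys, and a line in the header (or the class docs) recommending both for every mesh entry would keep operators from missing it. Option values are emitted via `<%= @agent_options[acopt] %>` and `<%= meshconfig[mcopt] %>` without escaping, so a value containing a newline turns into an extra directive; that is worth a comment next to `# Managed by Puppet`. The line `## Use 'mesh' blocks to to specify each mesh` has a doubled "to". In the ssl_auth.conf.erb hunk on this same line, each DN is written as `"<%= dn %>"` with no escaping, so a DN containing a double quote breaks the SSLRequire expression, and `%{SSL_CIPHER} !~ m/^(EXP|NULL)/` only rejects export and NULL ciphers rather than relying on the vhost's cipher policy; a header comment stating that `@authdn` entries must be exact, quote-free DN strings and that cipher restrictions belong in SSLCipherSuite would document both limits.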