What is rekonf application?
Rekonf is simple application based on dinemic framework that allows you to manage configuration files across whole cluster of machines. It uses dinemic as database to store copy of configuration files on each node. Config files are secured by dinemic’s cryptographic keys. There are three data kinds in rekonf application cluster:
- ConfigFile – single file, in path (for example /etc/issue). Each file contains its contents, encrypted with keys owned by nodes that are obligated to monitor such file. Also each file could have defined pre and post update script to be executed before and after change of file. For example after updating server’s config file you can define script to restart this server.
- ConfigNode – represents single computer in your cluster that is monitoring files. Each node has list of files assigned to it, so you can select which files on which node should be updated
- ConfigAdmin – administrators, they are able to change particular ConfigFiles and add them to ConfigNodes. ID strings of admins are added to nodes and ConfigFiles as authorized keys, to enable them making updates. Non authorized admins are not able to change files or update nodes.
Note: we will use sudo for each command to get access to /etc/dinemic/keys. If you don’t wish to launch it as root, then change ownership of /etc/dinemic/keys to proper user)
For begining you will need at least two machines. For test you can do everything on one too. Rekonf could be also launched on any virtual machine to manage its configs. So we will get your admin’s computer and at least one node. On each of them install rekonf package and libdinemic on Ubuntu 18.04:
wget https://packages.dinemic.io/projects/rekonf/ubuntu-18.04/19.06.78215897/rekonf_19.06.78215897_amd64.deb wget https://packages.dinemic.io/stable/ubuntu-18.04/19.08.76639786/libdinemic_19.08.76639786_amd64.deb
For other distributions and architectures browse packages.dinemic.io, and select proper distribution and the same version of packets as above. Alternatively get sources from gitlab.ccom/dinemic/ and compile at your own.
Finally, let’s install above files:
aptitude install libdinemic_19.08.76639786_amd64.deb rekonf_19.06.78215897_amd64.deb
This will install redis-server dependency and create new service in your operating system. Adjust configuration file in /etc/dinemic/config.dinemic and restart rekonf:
service rekonf restart
Then on admin’s machine create ConfigAdmin object. Save its ID:
sudo rekonf --create --admin-create --admin-name "My name" --admin-email "firstname.lastname@example.org"
It should print string like ConfigAdmin:a978feal…. Whole this string is your admin ID related to its public key. Its private keys is stored in /etc/dinemic/keys. You can create more admins on other computers for other persons.
Next, on each node launch:
sudo rekonf --create --node-create --admin-id ConfigAdmin:a978feal...
Make sure to put whole string of your admin in above command. Mind that admin keys are known only on your admin’s machine. Each node will validate changes made on yours admin machine only by its digital signature and public cryptographic key, shared internally by libdinemic. Nodes could know only its public key, or even at all. IDs are cryptographically corelated to public keys, so nobody else can’t create key pair for admin with such ID.
By passing –admin-id option you authorize particular admin to make modifications of this node. Especially this admin with this ID will be able to assign ConfigFiles to this node.
Above command should print ID of you new node, like <em<confignode:oq843foja…< em=””>. Save it too. Each config file should get this ID too to encrypt its contents with node’s key to allow node to decrypt its contents.</em<confignode:oq843foja…<>
Create new file
Now let’s create new ConfigFile. At beginning ti will have no contents, we will add it later:
sudo rekonf --create --file-create /etc/nginx/nginx.conf --admin-id ConfigAdmin:a978feal... --node-id ConfigNode:oq843foja...
Again, this will print string with ID of config file: ConfigFile:oerap…. Save it for later. We had to pass here ConfigAdmin id by the same reason as with ConfigNode – this admin should be able to modify this file contents. ConfigNode ID is passed to encrypt all ConfigFile sensitive data (contents, pre and post script) by node’s public key too. Then ConfigNode with assigned to ConfigFile key will be able to read its contents. Nobody else in cluster, who hasn’t been authorized won’t be able to read its contents.
Then let’s assign this file to node:
sudo rekonf --oneshot --admin-id ConfigAdmin:a978feal... --file-id ConfigFile:oerap... --node-id ConfigNode:oq843foja... --node-add-file
and set its contents and post command:
sudo rekonf --oneshot --admin-id ConfigAdmin:a978feal... --file-id ConfigFile:oerap... --file-edit "Some contents of file" sudo rekonf --oneshot --admin-id ConfigAdmin:a978feal... --file-id ConfigFile:oerap... --file-post-update "service nginx restart"
To list admins, nodes or files use following commands with oneshot mode:
sudo rekonf --oneshot --file-list sudo rekonf --oneshot --node-list sudo rekonf --oneshot --admin-list
Mind, that admin’s details are encrypted and if you are not authorized, you will not see this data.
In case of problems check first for permissions and presence of keys in /etc/dinemic/keys directory. First, most probable issue is that you have no permissions to write. Then check if rekonf application is running in background or separate terminal in –launch node. This mode should be present on each node in cluster. Finally check for firewalls if are not blocking multicast communications. You can adjust it also in /etc/dinemic/config.dinemic file.
To launch dinemic web console and list updates or objects present in your cluster just type:
sudo rekonf -W -P 8080
and open in your webbrowser: http://localhost:8080