This page documents how one site uses the tpkg externals feature in conjunction with etch.
Overview
The tpkg for an application should encapsulate all files and configuration needed for the application to run on top of a generic base system in our environment. As such there is a mechanism for a tpkg to request custom OS configuration from our OS configuration management system Etch. This is done through the "externals" section in tpkg.yml. Entries in "externals" trigger tpkg to call pre-defined external scripts that we provide, which in our case register requests with etch for the desired configuration and then run etch to activate that configuration. When a package is removed the external script is run to remove the request and run etch to deactivate the configuration.
The general format of the externals section is:
externals:
- name: user
data: myuser
- name: nfs
datafile: nfsmountsfile
- name: sysctl
datascript: ./calculate_kernel_memory_settings
The name field specifies the name of the external to call (see below for valid options). The data to pass to the external can either be specified inline via the "data" field, in an external file referenced via the "datafile" field, or an external script referenced via the "datascript" field. The script for datascript can be any form of valid executable, it should be contained in your package directory structure, and referenced with a path relative to the top of the package directory structure (i.e. the directory where tpkg.yml lives). Whatever your datascript script outputs will be fed to the tpkg external script. We envision this being particularly useful in calculating kernel parameters based on things like the amount of physical memory in a system.
Supported Externals
User
externals:
- name: user
data: myuser
- name: user
group:mygroup
Requests that etch add the specified user to /etc/passwd and /etc/shadow. The user must already exist in our database, either as a human or as an application account defined though the SingleSignOn system. If the request is for group:mygroup then all members of the mygroup group will be added. Requests for groups and human users will only be honored on non-production systems.
Group
externals:
- name: group
data: mygroup
Requests that etch add the specified group to /etc/group. This is currently a no-op in our environment as etch always adds all groups to all systems. However, feel free to include this in your package as documentation that your package requires a particular group, and on the off chance that the etch behavior changes at some point in the future (highly unlikely).
Sudo
externals:
- name: sudo
data: myuser
- name: sudo
data: group:mygroup
Requests that etch give the specified user sudo privileges. You should probably also have a user external to add the user's account. If the request is for group:mygroup then all members of the mygroup group will be given privileges. Requests for sudo privileges will only be honored on non-production systems.
NFS
externals:
- name: nfs
data: mymount nfsserver:/path/to/mount
Adds the specified entry to /etc/auto.auto, thus creating an automount point under /auto. This is our standard location for NFS mounts. The entry is added to /etc/auto.auto as is, so any valid automount options and syntax can be specified.
Sysctl
externals:
- name: sysctl
data: kernel.bogus = 0
Adds the specified entry to /etc/sysctl.conf, used for setting kernel parameters.
IPtables
externals:
- name: iptables
data:
<filter>
-A INPUT -m tcp -p tcp --dport ssh --syn -j ACCEPT
</filter>
<nat>
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 4000
-A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 4000
</nat>
Adds the specified entries to /etc/sysconfig/iptables, used for packet filtering. Entries within <filter> are added to the *filter section in the config file. This is the most common usage, these rules are used to filter packets. Entries within <nat> are added to the *nat section of the config file. This is not as frequently used, but can be used to redirect packets from one port to another port and various forms of NAT and PAT.
Limits
externals:
- name: limits
data: myuser hard nofile 4096
Adds the specified entries to /etc/security/limits.conf, used for controlling various per-user limits like number of open filehandles and number of processes.