tpkg

Application packaging and deployment
This page documents how one site uses the tpkg externals feature in conjunction with etch.

Overview

The tpkg for an application should encapsulate all files and configuration needed for the application to run on top of a generic base system in our environment. As such there is a mechanism for a tpkg to request custom OS configuration from our OS configuration management system Etch. This is done through the "externals" section in tpkg.yml. Entries in "externals" trigger tpkg to call pre-defined external scripts that we provide, which in our case register requests with etch for the desired configuration and then run etch to activate that configuration. When a package is removed the external script is run to remove the request and run etch to deactivate the configuration.

The general format of the externals section is:

externals:
  - name: user
    data: myuser
  - name: nfs
    datafile: nfsmountsfile
  - name: sysctl
    datascript: ./calculate_kernel_memory_settings

The name field specifies the name of the external to call (see below for valid options). The data to pass to the external can be specified inline via the "data" field, in an external file referenced via the "datafile" field, or by an external script referenced via the "datascript" field. The datascript target can be any form of valid executable; it must be contained in your package directory structure and referenced with a path relative to the top of the package directory structure (i.e. the directory where tpkg.yml lives). Whatever your datascript outputs will be fed to the tpkg external script. We envision this being particularly useful in calculating kernel parameters based on things like the amount of physical memory in a system.
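As an added illustration of the data-resolution step described above (this is not tpkg's own code), the function below takes one externals entry as it would appear after loading tpkg.yml, enforces that exactly one of data/datafile/datascript is given, reads the datafile or runs the datascript relative to the package directory, and refuses paths that point outside that directory. The sample package directory, its file contents and the script output are constructed for the example.

```python
import os
import subprocess
import tempfile

# Externals documented on this page; anything else is rejected.
KNOWN_EXTERNALS = {"user", "group", "sudo", "nfs", "sysctl", "iptables", "limits"}
DATA_KEYS = ("data", "datafile", "datascript")


def _inside_package(relpath, pkgdir):
    """Resolve relpath against pkgdir and insist it stays inside the package."""
    root = os.path.realpath(pkgdir)
    full = os.path.realpath(os.path.join(root, relpath))
    if os.path.commonpath([root, full]) != root:
        raise ValueError("%r escapes the package directory" % relpath)
    return full


def resolve_external(entry, pkgdir):
    """Return (name, payload) for one entry of the externals list.

    pkgdir is the directory where tpkg.yml lives. The payload is what
    would be fed to the external script named by 'name'.
    """
    name = entry.get("name")
    if name not in KNOWN_EXTERNALS:
        raise ValueError("unknown external %r" % name)
    present = [k for k in DATA_KEYS if k in entry]
    if len(present) != 1:
        raise ValueError("%s: need exactly one of %s" % (name, ", ".join(DATA_KEYS)))
    key = present[0]
    if key == "data":
        return name, str(entry["data"])
    path = _inside_package(entry[key], pkgdir)
    if key == "datafile":
        with open(path) as f:
            return name, f.read()
    # datascript: whatever the script prints becomes the external's input
    out = subprocess.run([path], cwd=pkgdir, capture_output=True, text=True, check=True)
    return name, out.stdout


def build_sample_package():
    """Constructed sample package (not from the page): one datafile, one datascript."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "nfsmountsfile"), "w") as f:
        f.write("mymount nfsserver:/path/to/mount\n")
    script = os.path.join(d, "calculate_kernel_memory_settings")
    with open(script, "w") as f:
        f.write("#!/bin/sh\necho 'kernel.bogus = 0'\n")  # stand-in for a real calculation
    os.chmod(script, 0o755)
    return d
```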

Supported Externals

User

  externals:
  - name: user
    data: myuser
  - name: user
    data: group:mygroup

Requests that etch add the specified user to /etc/passwd and /etc/shadow. The user must already exist in our database, either as a human or as an application account defined through the SingleSignOn system. If the request is for group:mygroup then all members of the mygroup group will be added. Requests for groups and human users will only be honored on non-production systems.

Group

  externals:
  - name: group
    data: mygroup

Requests that etch add the specified group to /etc/group. This is currently a no-op in our environment as etch always adds all groups to all systems. However, feel free to include this in your package as documentation that your package requires a particular group, and on the off chance that the etch behavior changes at some point in the future (highly unlikely).

Sudo

  externals:
  - name: sudo
    data: myuser
  - name: sudo
    data: group:mygroup

Requests that etch give the specified user sudo privileges. You should probably also have a user external to add the user's account. If the request is for group:mygroup then all members of the mygroup group will be given privileges. Requests for sudo privileges will only be honored on non-production systems.

NFS

  externals:
  - name: nfs
    data: mymount nfsserver:/path/to/mount

Adds the specified entry to /etc/auto.auto, thus creating an automount point under /auto. This is our standard location for NFS mounts. The entry is added to /etc/auto.auto as is, so any valid automount options and syntax can be specified.

Sysctl

  externals:
  - name: sysctl
    data: kernel.bogus = 0

Adds the specified entry to /etc/sysctl.conf, used for setting kernel parameters.

IPtables

  externals:
  - name: iptables
    data: |
      <filter>
      -A INPUT -m tcp -p tcp --dport ssh --syn -j ACCEPT
      </filter>
      <nat>
      -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 4000
      -A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 4000
      </nat>

Adds the specified entries to /etc/sysconfig/iptables, used for packet filtering. Entries within <filter> are added to the *filter section in the config file. This is the most common usage; these rules are used to filter packets. Entries within <nat> are added to the *nat section of the config file. This is not as frequently used, but can be used to redirect packets from one port to another port and for various forms of NAT and PAT.

Limits

  externals:
  - name: limits
    data: myuser hard nofile 4096

Adds the specified entries to /etc/security/limits.conf, used for controlling various per-user limits like number of open filehandles and number of processes.
