Administration groups

1. Introduction

An admin group is a set of machines that share some config files, or parts of some config files. In Linuxconf parlance, they share some subsystems. The concept of a subsystem is the same as that used for the "system profile versioning" feature.

1.1. Definition of a subsystem

A subsystem represents a set of logically tied configuration files. In some cases, a subsystem is made of only parts of a configuration file. Seen differently, every configuration file known to Linuxconf belongs to at least one subsystem. In some cases, a configuration file is split logically into more than one subsystem. This is the case for /etc/fstab, which belongs to the hardware and the netclient subsystems.

This ability to logically distribute one configuration file into various subsystems is the key to sharing. For example, many machines on a net may share the NFS client part of /etc/fstab but can't share the rest as it is hardware dependent (partition layout, swap partitions, etc).

2. Defining a group

Here are the steps to create an administration group:

2.1. Give it a name

Each group must have a unique name. The name must not have any space. Each group corresponds to a subdirectory in

    /etc/linuxconf/admgroups

The name of the subdirectory is simply the group name.

2.2. Give it a description

This is used to enhance various screens. It has no functional usage.

2.3. Link it with an administration tree

An administration tree is like a virtual workstation in your computer. It either has (or could have) all the configuration files a fully configured Linux station would normally have. By linking to a specific administration tree, you are saying that this administration group is picking all or parts of its configuration files from the configuration files of this administration tree.

The idea behind separating the administration tree from the administration group is that in many environments you will have one administration tree, and the machines that are part of this environment will split it this way:

  o  Most machines: share a large part of the administration tree.

  o  Some machines: share the same information except for specific services only.

  o  Some other machines: are completely independent. As such, they are not members of any administration group.

Often, all machines on the same physical network will share some aspect of a single administration tree.

A help list shows available administration trees. You can enter a name which is not in the list; just don't forget to create it later.

2.3.1. The / administration tree

It is possible to share the configuration of the workstation itself. The administration tree is simply called / and is shown in the help list.

2.4. Members of the group

Simply enumerate the various members (the machine names and domains) who must be synchronized. This is currently limited as you have to specify them one by one, but is expected to expand in various areas:

  o  Allowing the definition of pseudo members which will themselves repeat the configuration file to other machines. A repeater may act this way for several administration groups.

  o  Allowing for usage of wild cards: *.domain.com.

  o  Allowing for usage of network/netmask pairs.

  o  Allowing for on demand supply of configuration files, since such administration groups may very well have no official members!

2.5. Subsystem to share

A list of all subsystems available is presented. On the left, the subsystem ID is presented. On the right, the description of the subsystem is presented. For each subsystem, there is a checkbox. You can select which subsystems are shared.

3. Dialog's buttons

Here are the functions associated with the various dialog buttons:

3.1. Add

This will enlarge the dialog to allow more members (not completed yet).

3.2. Del

This allows you to delete the administration group. This deletes the information in Linuxconf, but the files in

    /etc/linuxconf/admgroups/group-id

are not deleted.

3.3. Publish

This takes a snapshot of the selected subsystems in the administration tree. The snapshot is installed in

    /etc/linuxconf/admgroups/group-id

Once published, an administration group is ready to be shared with members of the group, using either the export functionality or any other means you can imagine. The directory tree of an administration group may be installed on any Linuxconf station with the netadm module and imported, making it operational.

3.4. Export

Export uses a custom protocol to reach another Linuxconf host. It sends the contents of the administration group repository and then triggers an import procedure and an activation procedure (netconf --update).

Currently, this procedure is manual. For each member of the administration group, Linuxconf prompts you for its root password. Using this password, it gets access and completes the operation.

This is only one way an administration group repository may be shared. One may choose to export it using NFS (depending on the level of privacy required) or any other well known network protocol. We believe that much will be needed to make this sharing appropriate for the various network environments out there. Comments are welcome.

3.4.1. Special accounts for remote administration and cluster management

Linuxconf uses special protocols to perform remote administration and cluster management. Those protocols may be encapsulated easily to enhance connectivity and security. One nice encapsulating tool is ssh (secure shell). ssh is a great replacement for commands like rlogin, rsh, rcp and telnet.
It does basically the same thing (and more), but with added encryption and compression. ssh is also very useful to interconnect two processes remotely, by providing a secure (encrypted) link. This is how Linuxconf uses it. By setting a special account on workstations and servers, you will be able to use it with Linuxconf without even knowing it. This is experimental and comments are welcome.

3.4.2. How to set up a host for cluster management

Linuxconf uses ssh to establish the link. It expects that a special user account "netadm" exists on the remote host. This user account must have the shell

    /usr/lib/linuxconf/lib/netadmshell

The account must NOT have a password. The idea is to trigger Linuxconf immediately, which will request the root password using its remote management protocol. You can use ssh access control to limit who may access your box this way. They need the root password, no matter what, to access it.
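
An added example, not part of Linuxconf or of the original text: a shell check of the netadm setup described in 3.4.2, verifying that the passwordless account runs only netadmshell and that ssh access control pins it to named hosts. It assumes passwd(5)-format input and OpenSSH's AllowUsers directive as the access control; the sample files, host name and finding labels are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Linuxconf code. Assumes passwd(5) format and an
# OpenSSH-style sshd_config; finding labels are illustrative.
NETADM_SHELL=/usr/lib/linuxconf/lib/netadmshell   # path given in the text
# audit_netadm PASSWD_FILE SSHD_CONFIG
# Prints one finding per line, or "OK"; returns 0 only when clean.
audit_netadm() {
    if ! grep -q '^netadm:' "$1"; then
        echo "MISSING: no netadm account"; return 1
    fi
    rc=0
    shell=$(awk -F: '$1 == "netadm" { print $7; exit }' "$1")
    # A passwordless account is only tolerable when its shell is the
    # Linuxconf wrapper, which asks for the root password itself.
    if [ "$shell" != "$NETADM_SHELL" ]; then
        echo "BAD_SHELL: netadm runs ${shell:-the default shell}"; rc=1
    fi
    # Only literal netadm entries on AllowUsers lines are evaluated;
    # Match blocks and wildcard user patterns are not.
    scope=$(awk '
        tolower($1) == "allowusers" {
            listed = 1
            for (i = 2; i <= NF; i++) {
                if ($i == "netadm") anyhost = 1
                else if ($i ~ /^netadm@/) pinned = 1
            }
        }
        END {
            if (!listed || anyhost) print "anyhost"
            else if (pinned) print "pinned"
            else print "denied"
        }' "$2")
    case $scope in
        anyhost) echo "UNRESTRICTED: netadm accepted from any host"; rc=1 ;;
        denied)  echo "DENIED: AllowUsers does not list netadm"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK"
    return "$rc"
}

# Constructed sample inputs (not from a real host).
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
netadm::499:499:Linuxconf link:/home/netadm:/usr/lib/linuxconf/lib/netadmshell
EOF
cat > "$demo/sshd_config" <<'EOF'
AllowUsers alice netadm@admin.example.com
EOF
audit_netadm "$demo/passwd" "$demo/sshd_config"
```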