NOTE
For Func 0.17 and before, see OldFuncInstallAndSetupGuide
The following covers current versions of Func (0.18) and beyond.
Shortcut! If you are using Cobbler 1.3 or later for provisioning, this is even more efficient. Read this document first, understand it, and then read this page to learn more about using Cobbler to automatically set up your node enslavements, we mean, err, registrations.
Establish The Master
- Install the "func" package on your master control machine. This is included in Fedora and EPEL for your favorite platform (see GetReleases). For other distros, you may want to rebuild from the source RPM; see GetReleases for those instructions as well. This will automatically pull in the required package certmaster, which handles certificate distribution. Certmaster is also packaged in Fedora and EPEL, just like Func. Certmaster has its own setup instructions, but you really should only need this document. For completeness, they are here.
yum install func
If you want, edit /etc/certmaster/certmaster.conf to enable auto-signing. It is off by default. You should not have to change any other settings here.
- Engage the certmaster service, which hands out certificates to the machines you will manage:
/sbin/chkconfig --level 345 certmaster on
/sbin/service certmaster start
Ready The Minions
- Install the "func" package on all the machines you want to manage. This would be a good thing to add to all of your kickstart files.
yum install func
- Edit /etc/certmaster/minion.conf to specify which certmaster they will get certificates from.
[main]
certmaster = yourcertmaster.example.org
log_level = DEBUG
cert_dir = /etc/pki/certmaster
- Enable and run the funcd service:
/sbin/chkconfig --level 345 funcd on
/sbin/service funcd start
- On your certmaster system run:
certmaster-ca --list
then sign keys for the systems you want
certmaster-ca --sign hostname
If you have turned on autosigning, this will be done automatically.
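Manual signing is the step where the master decides which machines it trusts, so the pending list is worth checking against an inventory of hosts you expect before anything is signed. The following shell script is an added example, not part of Func or certmaster; the allowlist path is hypothetical, and it assumes certmaster-ca --list prints one pending hostname per line.

```shell
#!/bin/sh
# Added example: sign only pending requests whose hostname is on an allowlist.
# Assumptions: ALLOWLIST is a hypothetical file with one expected hostname per
# line, and "certmaster-ca --list" prints one pending hostname per line.

ALLOWLIST="${ALLOWLIST:-/etc/certmaster/expected-minions.txt}"

# Accept only letters, digits, dots and hyphens; refuse empty names and names
# starting with "-" or "." so a request can never be read as an option.
valid_hostname() {
    case "$1" in
        ''|-*|.*|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read pending hostnames on stdin. Print the ones found in allowlist file $1
# (exact whole-line match) on stdout; report everything else on stderr.
filter_pending() {
    allow="$1"
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        if ! valid_hostname "$host"; then
            echo "REJECT (malformed): $host" >&2
        elif grep -Fxq -- "$host" "$allow"; then
            echo "$host"
        else
            echo "REJECT (not expected): $host" >&2
        fi
    done
}

# Only touch the CA when explicitly asked to, e.g.: sh sign-expected.sh --run
if [ "${1:-}" = "--run" ]; then
    certmaster-ca --list | filter_pending "$ALLOWLIST" |
    while IFS= read -r host; do
        certmaster-ca --sign "$host"
    done
fi
```

Rejected names stay in the pending list, so they can be reviewed by hand afterwards.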
Running func client as non-root
Generally it's recommended to do as much of your work as possible as non-root. To allow user access to the certificates necessary to run func, run these commands as root, replacing MYUSER with the name of your normal login.
setfacl -d -R -m 'u:MYUSER:rX' /etc/pki/certmaster/
setfacl -R -m 'u:MYUSER:rX' /etc/pki/certmaster/
setfacl -d -R -m 'u:MYUSER:rX' /var/lib/certmaster
setfacl -R -m 'u:MYUSER:rX' /var/lib/certmaster
setfacl -d -R -m 'u:MYUSER:rX' /var/lib/certmaster/certmaster
setfacl -R -m 'u:MYUSER:rX' /var/lib/certmaster/certmaster
setfacl -d -R -m 'u:MYUSER:rX' /var/lib/certmaster/certmaster/certs
setfacl -R -m 'u:MYUSER:rX' /var/lib/certmaster/certmaster/certs
setfacl -d -R -m 'u:MYUSER:rX' /var/lib/certmaster/peers
setfacl -R -m 'u:MYUSER:rX' /var/lib/certmaster/peers
setfacl -d -R -m 'u:MYUSER:rwX' /var/lib/func
setfacl -R -m 'u:MYUSER:rwX' /var/lib/func
setfacl -d -R -m 'u:MYUSER:rwX' /var/log/func/
setfacl -R -m 'u:MYUSER:rwX' /var/log/func/
From now on you can run /usr/bin/func as an ordinary user, and also execute Python scripts which import func.
Debian Notes
Most of the instructions above are all fine and well for Debian based distributions as well, save for a few steps. Obviously yum install func won't work, and unfortunately neither will apt-get install since it's not in any repositories yet -- but do not fret -- we can do it manually.
Go on and GetTheSource, then come back here. From in the main directory do this:
make install
From above, replace Establishing the Master Step 2 with this:
update-rc.d certmaster defaults
invoke-rc.d certmaster start
Apply that same transformation to Ready the Minions in Step 3 above and you get...
update-rc.d funcd defaults
invoke-rc.d funcd start
Non-Linux Platforms?
See also AIX
Firewalls? Network Issues?
See PortInfo
See also FAQ for some notes about hostnames and DNS.
El Fin
You're done.
When funcd starts on the managed systems, they will check in with the certmaster and automatically acquire certificates.
You can then begin ordering them about.
See the manpage on "func" and "certmaster" for more details.
