Sunday, April 20, 2008

A sheep in wolf's clothing

My recent post regarding configuring OpenSSH on Windows using Cygwin was written from the perspective of users wanting to exploit ControlTier in a broadly Windows based environment.

In this post, I'm going to document a Unix-centric OpenSSH/Cygwin installation designed to make a Windows server look as much like a Unix system as possible when accessed from the network in order to simplify managing a few Windows based systems in largely Unix based environment.

Cygwin software installation
  • Create a local or domain Windows administrator account that has a POSIX user name (I use the "build" account for these notes).
  • Download and run the Cygwin installer.
  • The cleanest way to install Cygwin in the root of its own dedicated partition since it is absolutely necessary that the Cygwin root directory is synonymous with the Windows file system root for that drive so that Java's platform agnostic path management will work equally well with the Unix or Windows versions of key paths. Using a separate partition is desirable in order to separate the application installation (under ControlTier and Cygwin) from the Windows OS installation (typically on drive C:):
    $ df -k
    Filesystem           1K-blocks      Used Available Use% Mounted on
    E:\bin                20964348    213848  20750500   2% /usr/bin
    E:\lib                20964348    213848  20750500   2% /usr/lib
    E:                    20964348    213848  20750500   2% /
    c:                     8377864   7003552   1374312  84% /cygdrive/c
    $ cd /
    $ ls
    Cygwin.bat  RECYCLER                   bin       dev  home  proc  usr
    Cygwin.ico  System Volume Information  cygdrive  etc  lib   tmp   var
  • If this is not feasible then ignore the warnings and select "C:\" as the installation root directory to create a "hybrid" directory structure:
    $ pwd
    /
    $ ls
    AUTOEXEC.BAT            MSDOS.SYS                  WINDOWS   home          tmp
    CONFIG.SYS              MSOCache                   bin       lib           usr
    Cygwin.bat              NTDETECT.COM               boot.ini  ntldr         var
    Cygwin.ico              Program Files              cygdrive  pagefile.sys
    Documents and Settings  RECYCLER                   cygwin    proc
    IO.SYS                  System Volume Information  etc
  • Beyond the base package set make sure you include "openssh" (and hence its dependencies). Of course, there are many many other useful packages that you'll probably like to include for a practical installation of Cygwin (e.g. "rsync", "unzip", "zip", "vim", etc).
SSH server configuration
  • Cygwin includes a script to configure the SSH service, run from a "Cygwin Bash Shell" (Note the value given to the CYGWIN environment variable. Note also my comment to the original posting regarding W2k3 Server complications) :
    $ ssh-host-config
    Generating /etc/ssh_config file
    Privilege separation is set to yes by default since OpenSSH 3.3.
    However, this requires a non-privileged account called 'sshd'.
    For more info on privilege separation read /usr/share/doc/openssh/README.privsep
    .

    Should privilege separation be used? (yes/no) yes
    Generating /etc/sshd_config file


    Warning: The following functions require administrator privileges!

    Do you want to install sshd as service?
    (Say "no" if it's already installed as service) (yes/no) yes

    Which value should the environment variable CYGWIN have when
    sshd starts? It's recommended to set at least "ntsec" to be
    able to change user context without password.
    Default is "ntsec".  CYGWIN=binmode ntsec tty

    The service has been installed under LocalSystem account.
    To start the service, call `net start sshd' or `cygrunsrv -S sshd'.

    Host configuration finished. Have fun!
  • Start the SSH service:
    $ net start sshd
    The CYGWIN sshd service is starting.
    The CYGWIN sshd service was started successfully.
Java installation
  • Naturally, you can use the Windows system default Java installation so long as its either Java 1.4 or 1.5. However, it may be preferable to install a version of Java specifically for the use of ControlTier. By convention this is installed into "$CTIER_ROOT/pkgs" (usually "$HOME/ctier/pkgs" of the account used to run ControlTier).
  • Note that although Sun distributes its JDK in Windows (graphical) installer format, there's nothing stopping you creating a Zip file of a "reference" installation and using that to setup Java across the network.
  • Wherever Java is installed, set up the JAVA_HOME environment variable ahead of the ControlTier installation.
ControlTier installation
  • As of ControlTier 3.1.5 the Unix install script ("install.sh") is not compatible with Cygwin (possibly due to assumptions built into Sun's JDK on Windows).
  • For this reason, installing the ControlTier software over the network still follows the Windows pattern.
  • Setup the key environment variables with Windows style values:
    $ export CTIER_ROOT=~/ctier
    $ export JAVA_HOME=~/ctier/pkgs/jdk1.5.0_14
  • The key thing is to run the "install.bat" command shell from the Cygwin Bash shell:
    $ cmd.exe /C install.bat -client

    -check-prereqs:
         [echo] Using compatible Java version: 1.5

    -load-props:
         [echo] Using CTIER_ROOT: /home/build/ctier
    .
    .
    .
         [echo]     if [ -f ~/.ctierrc ]; then
         [echo]     . ~/.ctierrc
         [echo]     else
         [echo]     echo ~/.ctierrc not found 1>&2
         [echo]     fi

    install-client:
         [echo] Install Complete
  • Next, manually setup the ".ctierrc" file in the Cygwin user's home directory to ensure the correct shell environment is available:
    $ pwd
    /home/build
    $ cat .ctierrc
    # this file was generated by ControlTier installer.
         
    export CTIER_ROOT=~/ctier

    export ANTDEPO_HOME=~/ctier/pkgs/antdepo-1.3.1
    export ANTDEPO_BASE=~/ctier/antdepo

    # Server settings
    export JOBCENTER_HOME=~/ctier/pkgs/jobcenter-0.7
    export CATALINA_HOME=~/ctier/workbench
    export CATALINA_BASE=~/ctier/workbench

    export JAVA_HOME=~/ctier/pkgs/jdk1.5.0_14

    export PATH=$JOBCENTER_HOME/bin:$ANTDEPO_HOME/bin:$CATALINA_HOME/bin:$PATH

    if [ -n "$BASH" ] ; then
    . $ANTDEPO_HOME/etc/bash_completion.sh ;
    if [ -t 0 -a -z "$ANTDEPO_CLI_TERSE" ]
    then
    ANTDEPO_CLI_TERSE=true
    export ANTDEPO_CLI_TERSE
    fi
    fi
  • Finally, override the "depot-setup" and "ad" scripts to invoke their Windows counterparts:
    $ cat $ANTDEPO_HOME/bin/depot-setup
    #!/bin/sh

    exec cmd.exe /C depot-setup.bat "$@"
    $ cat $ANTDEPO_HOME/bin/ad
    #!/bin/sh

    exec cmd.exe /C ad.bat "$@"
With this "sleight of hand" in place, it is possible to manage Windows systems on the network in the same way as their Unix/Linux counterparts taking full advantage of the Cygwin and Java/Ant abstractions of the underlying OS facilities.

(By the way, a future version of ControlTier will resolve the script and JDK compatibility issues that result in the customizations in this posting).

Anthony Shortland,
anthony@controltier.com
Posted by at
Labels: , , ,

2 comments:

Chuck said...

other issues you may have to deal with after installing cygwin....

* permissions
** chmod 644 /etc/passwd
** chmod 644 /etc/group
** chmod 1775 /var

* group membership
** change local account's primary group from "None" to "Administrators"

11/14/08, 8:37 AM
Anonymous said...

Can anyone recommend the robust MSP software for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: [url=http://www.n-able.com] N-able N-central event management
[/url] ? What is your best take in cost vs performance among those three? I need a good advice please... Thanks in advance!

12/15/09, 3:59 AM

Post a Comment

Subscribe to: Post Comments (Atom)