Distributing file changes to IDP cluster nodes



In a typical Access Manager deployment, customizations are made to the Java Server Pages (JSPs) that generate the user interface used for login, logout, and other activities. These customizations need to be copied to every node in the cluster. This can be a burdensome and error-prone activity, especially if you have a large cluster. One way to lessen this burden and improve configuration management is to use the Linux utility rdist.



The rdist utility is expressly designed for distributing files to multiple hosts. It has options to avoid overwriting newer files and to make backup copies of files that are being updated. A good introduction can be found at: http://www.benedikt-stockebrand.de/rdist-intro_en.html

As an example of how to use rdist, I will use a customer environment consisting of a nonproduction IDP cluster of two nodes and a production IDP cluster of six nodes. Node 1 of the nonproduction cluster will be used as the master copy of all files. The steps I followed to set up rdist are:

  1. (Optional) Set up SSH authentication using a key file. If you don’t do this you will be prompted to enter the password for each connection.
    1. Create an SSH key pair for root on nonproduction IDP 1. Note that you could use the novlwww user if you prefer and if you enable the account to log in.
    2. Distribute the public key and install it as a trusted key on all the other IDP nodes. (The ssh-copy-id utility is a great way to do this)
    3. Install the private key for use by the root user on production IDP 1.
  2. Install rdist on both nonproduction IDP 1 and production IDP 1. (rdist is an optional package in the SLES 12 repository)
  3. Create the directory /opt/novell/nam/rdist on both nonproduction IDP 1 and production IDP 1.
  4. On nonproduction IDP 1, use a text editor to create the distribution file /opt/novell/nam/rdist/Distfile with content shown below:

/opt/novell/nam/idp/webapps/nidp/images/custom ->

        install -oyounger,savetargets /opt/novell/nam/idp/webapps/nidp/images ;

/opt/novell/nam/idp/webapps/nidp/css ->

        install -oyounger,savetargets /opt/novell/nam/idp/webapps/nidp/css ;

/opt/novell/nam/idp/webapps/nidp/jsp ->

        install -oyounger,savetargets /opt/novell/nam/idp/webapps/nidp/jsp ;

Replace the IP address shown with the IP address or host name of your nonproduction IDP node 2. Now change to the /opt/novell/nam/rdist directory and execute the command:

           rdist -v -P /usr/bin/ssh

The utility will look for the default distribution file (Distfile) in the current directory and will execute the commands in it to compare the contents of the images, css, and jsp directories of node 1 to those on node 2. Since we used the -v option, no updates will be made, but it will notify you if any files need to be updated. The output is shown below:

          msdavieds1301:/opt/novell/nam/rdist # rdist -v -P /usr/bin/ssh

 updating host

 /opt/novell/nam/idp/webapps/nidp/jsp/nyclogin2.jsp: need to update

 updating of finished

In this case the file nyclogin2.jsp is newer on node 1 than it is on node 2. The output shows that it needs to be updated. Since this output matches what I was expecting, I’ll now run the command without the -v option:

          msdavieds1301:/opt/novell/nam/rdist # rdist -P /usr/bin/ssh

 updating host

 /opt/novell/nam/idp/webapps/nidp/jsp/nyclogin2.jsp: updating

 updating of finished

This output indicates that the file was updated. We had two options set on each action in the distribution file. The “younger” option instructs rdist to update the file only if the file on the source is newer than the one on the destination. If the file on node 2 had been newer, then a warning would be output and the file would not be overwritten. The “savetargets” option results in a backup being created for each file that is updated. The backup in this case will be named nyclogin2.jsp.OLD. Note that only one backup file is kept, so if you update the file a second time you will lose the original content when a new .OLD file is created.

In the scenario described, I do all the editing and updates on nonproduction node 1 and then distribute the updates to nonproduction node 2. Once the changes are tested and ready to go to production, I use a similar process to move the files from nonproduction node 1 to production node 1. To do this, I created a distribution file called DistToProdMaster. The contents of this file are very similar to the first distribution file:

/opt/novell/nam/idp/webapps/nidp/images/custom -> prodidp1.company.com

        install -oyounger,savetargets /opt/novell/nam/idp/webapps/nidp/images ;

/opt/novell/nam/idp/webapps/nidp/css -> prodidp1.company.com

        install -oyounger,savetargets /opt/novell/nam/idp/webapps/nidp/css ;

/opt/novell/nam/idp/webapps/nidp/jsp -> prodidp1.company.com

        install -oyounger,savetargets /opt/novell/nam/idp/webapps/nidp/jsp ;


To test the distribution to the production master, I execute the command:

          msdavieds1301:/opt/novell/nam/rdist # rdist -v -P /usr/bin/ssh -f DistToProdMaster

This will tell me what actions would be taken. Once I’m satisfied with what I see, I execute the command:

          msdavieds1301:/opt/novell/nam/rdist # rdist  -P /usr/bin/ssh -f DistToProdMaster

Notice that I’m not distributing from the nonproduction server to each production IDP directly. This is very intentional. First, because I like having the opportunity to verify the results on the first node before it is applied across production. Second, because I want to ensure that all the production nodes are perfectly consistent and I want to be able to verify that they are without involving the nonproduction system.

On production node 1 I'll now create a distribution file. Since this will be the default distribution action we will name it “Distfile”. The contents of the file will be:

/opt/novell/nam/idp/webapps/nidp/images/custom -> (prodidp2 prodidp3 prodidp4 prodidp5 prodidp6)

        install /opt/novell/nam/idp/webapps/nidp/images/custom ;

/opt/novell/nam/idp/webapps/nidp/css -> (prodidp2 prodidp3 prodidp4 prodidp5 prodidp6)

        install /opt/novell/nam/idp/webapps/nidp/css ;

/opt/novell/nam/idp/webapps/nidp/jsp -> (prodidp2 prodidp3 prodidp4 prodidp5 prodidp6)

        install /opt/novell/nam/idp/webapps/nidp/jsp ;

Notice that I did not include the “younger” and “savetargets” options. This is because I want to ensure that the nodes are identical. There is already a backup on node 1 so creating backups recursively is something to avoid.

Now I execute the following command to distribute all the updated files to every production node.

          prodmaster:/opt/novell/nam/rdist # rdist -P /usr/bin/ssh                                          

This example can be extended to any additional files you need to manage across nodes.
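
The consistency check mentioned above (confirming that the production nodes match without involving the nonproduction system) can be scripted. The following is an added example, not part of the original post or of rdist: run on production node 1, it hashes the three distributed directories locally and on each node over SSH and reports any file that differs. The function names are hypothetical, and it assumes sha256sum is installed on every node and that the root SSH key from step 1 is in place.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not part of rdist or Access Manager.
# Directories taken from the Distfile above, relative to / so that the
# local and remote manifests list identical paths.
NIDP=opt/novell/nam/idp/webapps/nidp
# .OLD files are the backups written by savetargets; they are excluded.
MANIFEST_CMD="find $NIDP/images/custom $NIDP/css $NIDP/jsp -type f ! -name '*.OLD' -exec sha256sum {} + | LC_ALL=C sort -k 2"

# nidp_manifest [ROOT]: print "sha256  path" for each distributed file.
nidp_manifest() {
    ( cd "${1:-/}" && sh -c "$MANIFEST_CMD" )
}

# nidp_compare REF NODE: print paths that are missing, extra or changed
# between two manifest files; return 1 if there are any.
nidp_compare() {
    changed=$(diff "$1" "$2" | sed -n 's/^[<>] [0-9a-f]*  //p' | sort -u)
    if [ -n "$changed" ]; then
        printf '%s\n' "$changed"
        return 1
    fi
    return 0
}

# nidp_verify_nodes HOST...: compare this node against each listed host.
nidp_verify_nodes() {
    ref=$(mktemp) node_m=$(mktemp) status=0
    nidp_manifest / > "$ref"
    for node in "$@"; do
        # Same transport the page passes to rdist with -P /usr/bin/ssh.
        if ! ssh "$node" "cd / && $MANIFEST_CMD" > "$node_m"; then
            echo "$node: could not collect manifest"; status=1; continue
        fi
        if drift=$(nidp_compare "$ref" "$node_m"); then
            echo "$node: consistent"
        else
            echo "$node: DRIFT"
            printf '%s\n' "$drift" | sed 's/^/  /'
            status=1
        fi
    done
    rm -f "$ref" "$node_m"
    return $status
}

# Example: sh verify.sh prodidp2 prodidp3 prodidp4 prodidp5 prodidp6
if [ "$#" -gt 0 ]; then nidp_verify_nodes "$@"; fi
```

A nonzero exit status means at least one node differs from node 1, which is worth investigating before rerunning rdist, since a changed login JSP that did not come from the master copy may not be a benign edit.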


