(NOTE: Some of the techniques shown or described on this page--marked in purple--require new features in the latest official PIKT 1.19.0 release (pikt-current.tar.gz) that are unavailable in any previous version.)
PIKT is managed through the combined action of the interactive master control program, piktc (on the central piktmaster machine only), and the piktc_svc service daemon (on all client machines). piktc also serves as the PIKT configuration file preprocessor.
Here are the piktc command options:
Usage: piktc <-bBcCdefGhiIkKlLm#Mp#QrRstTUvVwWxXzZ> [+|-D <define(s)>] [+|-E <envar(s)>] [+C <command(s)>] [+M <macro(s)>] [+|-A|S[f] all|<alert(s)/script(s)>] [+|-P[f] all|<program(s)>] [+|-F[f] all|<file(s)>] [+|-O[f] all|<object(s)>] +|-H all|<host(s)> [ALL] -b backup alert/script/program/file/object file(s) -B restore alert/script/ program/file/object file(s) from backup -c syntax check all config files -C syntax doublecheck all config files -d disable alert(s) -e enable alert(s) -f diff alert/script/program/file/object file(s) -G run in debug mode -h show program help -i install alert/script/ program/file/object file(s) -I update #include/#verbatim files -k kill alert daemon (piktd) -K kill service daemon (piktc_svc) -l list alert/script/program/file/object file(s) -L list alert/script/ program/file/object or host/os/group/alias command-line item(s) -m# checksum alert/script/ program/file/object file(s), where # is checksum level 1-5 -M expand macros -p# pause # seconds -Q install PIKT.conf -r (re)start alert daemon (piktd) -R (re)start service daemon (piktc_svc) -s show alert(s) status -t delete alert/script/program/file/object /history/log file(s) -T run in test mode -U run in urgent mode -v run in verbose mode -V show version info -w view alert/script/program/file/object actual file(s) -W view alert/script/program/file/object authorized file(s) -x execute alert(s)/script(s) -X execute alert(s)/script(s) with no wait -z run in 'make check' mode -Z list all config elements +|-D <define(s)> define/undefine define(s) +|-E <envar(s)> set/unset environment variable(s) +C <command(s)> include command string(s) +M <macro(s)> include macro string(s) +|-A|S[f] all|<alert(s)> include/exclude (fix) alert(s) +|-P[f] all|<program(s)> include/exclude (fix) program file(s) +|-F[f] all|<file(s)> include/exclude (fix) other file(s) +|-O[f] all|<object(s)> include/exclude (fix) object file(s) +|-H all|<host(s)> include/exclude host(s)/os(es)/group(s)/alias(es) ALL +A all +S all +P all +F all +O all +H allBy specifying -b, whenever you install or delete files (or refresh PIKT.conf), piktc_svc will make a backup of the files first (with a file extension you specify using backup_extension in PIKT.conf, else the default is ".piktbak"). The backup option is especially useful when overwriting system configuration files during an initial PIKT setup (for example, when installing a PIKT-managed inetd.conf). If you goof up, you can revert to the backup copy.
With the -B option, you restore files from backup. On the piktc command line, specify alerts, scripts, programs, files, and/or objects (using the A, S, P, F, and/or O options) in the usual way but without giving any backup extension (e.g., use '+F inetd.conf' instead of '+F inetd.conf.piktbak'). A restore will replace the most recent file with its .piktbak backup (or whatever backup_extension you specify in PIKT.conf). (Note that, although the -b option works with the -Q option, install PIKT.conf, you cannot use -B to restore an earlier PIKT.conf. You would still have to do this manually.)
With the -c option, piktc syntax checks all config files for one or more hosts.
The -C option has piktc do its usual syntax check, then invoke pikt to do a second, more thorough syntax check. A -C check takes significantly longer than a -c check. You will will probably want to select -C after making major changes to your config files, and -c after spot changes.
The -e option enables alerts, and the -d option disables them. Enablement registers an alert (or alerts) in the file =piktdir/etc/piktd.conf. (Refer to the sample piktd.conf file.) Disablement removes an alert (or alerts) from that file. piktd.conf is the file that piktd reads on startup. It tells piktd what alerts to run and when (among other information).
After enablement/disablement, an alert doesn't become active/inactive until, using the -r option (else a manual daemon restart or a system reboot, if you have so configured the system startup scripts), piktc (re)starts the client piktd daemon.
With the -f option, piktc fetches files from the client machine(s) and diff's them against the master configuration. This is useful during initial setup, for catching client-side changes made bypassing the usual PIKT operation, also for detecting file changes perhaps done by a hacker.
The -G option turns on debugging. Debug messages are sent to stderr.
Besides providing information useful for debugging communications and authentication issues with piktc_svc, 'piktc -G' also will help you debug preprocessing problems, reporting, for example, each config file and #include file as it opens. If piktc hangs on an #include'd command, 'piktc -G' will tell you that. It's possible, too, that you use excessive modularization of your config files, with many #include file opens and closes, so your piktc preprocessing runs very slowly. 'piktc -G' will also help you diagnose that.
The -h option shows program help (shown above).
The -i option installs alert/object/programs files on clients. Installation places alerts in =piktdir/lib/alerts, object files in =piktdir/lib/objects, and program files in =piktdir/lib/programs. However, you can override the default program installation directory by using a full file path as the program stanza identifier.
The -I option has piktc update the on-disk #include or #verbatim files with associated process output.
In other words, suppose your systems.cfg contained
#verbatim <systems/down_systems.cfg> [/pikt/lib/programs/downsys.pl 10]If you specify the '-I' (for "update include files") piktc option, as in
# piktc -cI +H piktmasterthis will read from [/pikt/lib/programs/downsys.pl 10] and write that process output to the file <systems/down_systems.cfg>. If you omit the '-I' option, piktc will just reference the <systems/down_systems.cfg> file.
Although you could use the '-I' routinely in all of your piktc commands, of course you shouldn't, for that would slow your piktc operations down dramatically. Better to do this just occasionally, say once a day (overnight) only.
To auto-update your configuration and refresh your scripts and data sets with the very latest and most accurate information on all systems, you could regularly schedule (e.g., nightly) the sequence
piktc -cI +H piktmaster piktc -iv ALLeither by cron'ing it or by having PIKT itself run it on the piktmaster machine.
Here is a short Pikt script to auto-update your #include and #verbatim files (as it would appear in alarms.cfg):
#if piktmaster UpdateIncludeFilesAdmin // auto-update the PIKT // #include|#verbatim files exec wait "=piktc -cI +H piktmaster" #endif // piktmasterYou might run this together with your other Admin scripts (from alerts.cfg):
#if piktmaster Admin // for scripts aiding in the administration of // the PIKT system timing 30 3 * * * 5 mailcmd "=mailx -s 'PIKT Alert on =pikthostname: Admin' =piktadmin" scripts UpdateIncludeFilesAdmin ... #endif // piktmasterHere is one way you might auto-configure your Solaris 2.8 systems in systems.cfg:
solaris28 members #verbatim <systems/solaris28_systems.cfg> [for sys in `/pikt/bin/piktc -L -H down`; do /pikt/lib/programs/maxtime.exp 10 /usr/bin/ssh $sys "uname -a | egrep 'SunOS.+ 5.8' >/dev/null && hostname"; done 2>/dev/null]The preceding will work, but here is a more convenient way:
solaris28 members #verbatim <systems/solaris28_systems.cfg> [/pikt/bin/piktc -xI +C "=uname -a | =egrep 'SunOS .+ 5.8' >/dev/null && =hostname" -H down 2>/dev/null](piktc deals with timeouts automatically, making explicit use of maxtime.exp unnecessary.)
If you are running piktc and referencing an #include (or #verbatim) process [/pikt/bin/piktc ...], you will be running two concurrent piktc's. Under ordinary circumstances, there are mechanisms in place to prevent multiple, concurrent piktc program runs. However, using the -I option, as in [/pikt/bin/piktc -xI ...], makes concurrent runs possible. If you fail to use the -I option in your [/pikt/bin/piktc -x ...] process, the embedded piktc run will simply abort.
You kill remote piktd daemons using the -k option. The -r option both kills and restarts.
You kill the remote piktc_svc daemon with the -K option. The -R option both kills and restarts. (See the restart_piktc_svc_wait parameter in the PIKT.conf section below.)
The -l option lists config files on remote clients.
The -L option is used for generating command-line item lists.
To login to just your HP-UX machines, for example, you could
# for sys in `piktc -L +H hpux` > do > slogin $sys > donesince 'piktc -L +H hpux' simply outputs a list of hpux systems as specified in systems.cfg.
Or, you might put `piktc -L +H ... -H ...` statements in your shell (and other) scripts when you need to refer to custom system lists.
You can also list PIKT alerts/scripts, programs, files, and objects, for example
# piktc -Lv +S all +H vienna processing vienna... listing item(s)... EMERGENCY Urgent Critical ...Note that in the above example, those are Pikt scripts in the central configuration (the .cfg files), not scripts actually installed on the slave system (the .alt files).
The option -m[1-5] is used for doing checksum compares of slave alert/object/program/other files against the master's central configuration (the .cfg files). So you may do things like this:
vienna# piktc -m5v +A all +H kiev0 [uses the MD5 checksum] processing kiev0... checksumming file(s)... Admin.alt checksummed Critical.alt checksums differ Critical.alt checksummed Debug.alt checksummed EMERGENCY.alt checksums differ EMERGENCY.alt checksummed Info.alt not found Info.alt not checksummed Notice.alt checksummed Urgent.alt checksummed Warning.alt checksummedOmitting the '-v' verbose option:
vienna# piktc -m5 +A all +H kiev0 Critical.alt checksums differ EMERGENCY.alt checksums differ Info.alt not foundThe above examples show that both the Critical and EMERGENCY alert scripts differ from the central configuration, possibly because legitimately changed versions have yet to be installed, or possibly because a cracker has tampered with those script files. Info.alt is missing, even though it is present in the central configuration.
You may use -m1 through -m5 for any of the five supported checksums (BSD, SysV, POSIX, MD4, MD5).
You can use the -M and +M options to macro-expand any given string, for example
# piktc -M +M "=uptime; =dfk" +H kiev murmansk /usr/bin/uptime; /usr/bin/df -k /usr/ucb/uptime; /bin/df(where kiev is a Solaris machine and murmansk is a Debian system).
When used with the -M option, +M and +C are interchangeable, so the above piktc command is equivalent with
# piktc -M +C "=uptime; =dfk" +H kiev munichWith the '-p#' command-line option, you may insert an arbitrary pause of # seconds between any successive piktc operation (from system to system). So, for example, you might do this:
# piktc -xp15 +C "=rsyncd restart" +H serversWith that command, piktc would send the '=rsyncd restart' command to the first server, then pause for 15 seconds, then send the restart command to the second server, then pause 15 seconds, and so on.
You may add a '-p#' pause to any piktc operation, not just command execs ('-x' & '-X').
(Note that the before, '-p' was used for PIKT.conf installs. You would now use 'piktc -Q' for that operation.)
The -Q option installs PIKT.conf. See the keys.conf section of this Reference for further details.
The -r option both kills and restarts the piktd daemon.
The -s option reports whether an alert (or alerts) is (are) running on the remote client(s).
The -t option deletes files, as well as any history/log files associated with the deleted alert(s).
The -T option runs piktc in test mode. 'piktc -T' sets the global, built-in pikttest define (invariably) to TRUE; sets the =pikttest built-in macro to "test" (or some other string you set in PIKT.conf using the pikttest_substitution parameter; otherwise, the macro defaults to the null string); and appends '-T' to any pikt command string that piktc writes to piktd.conf.
The -U option runs piktc in so-called "urgent" (or "unblocked") mode.
In many of your alarm scripts, you might be running instances of piktc, either in the script 'input' statement, else in an 'exec' or 'exec wait' statement (or possibly other ways), each of which would apply a lock file to block other piktc runs. So your current command-line piktc operation might fail with the complaint
Jan 18 15:23:20 vienna piktc: [ID 2900 ERROR] (../../../src/piktc/piktc.c, line 408, main()) /pikt/etc/piktc.lock found! Another piktc session may be in progress.=nbsp Try again later (else rm the /pikt/etc/piktc.lock lockfile).But what if you have an urgent piktc operation that you needed to run, no matter what? Or what if you are confident that in no way should your current command-line piktc operation, say
# piktc -ivT +A Critical +H ankarainterfere with another piktc operation (including one launched by a fellow sysadmin elsewhere on the network)?
You may overcome these lock file blocks using the '-U' option. So, for example, you might do
# piktc -ivTU +A Critical +H ankaraand piktc would run, regardless of any other PIKT activity elsewhere on the network.
Note that you should not get in the habit of using '-U' in a knee-jerk fashion or unthinkingly. Often there are good reasons to block concurrent piktc operations. Try to use '-U' only in situations of special urgency or where you are fully confident that forging full speed ahead will not get you into trouble.
There is another PIKT utility, piktx, akin to piktc, for remote command execution. Unlike piktc, which should only be run on the piktmaster system, piktx can run anywhere, and should never be blocked by another concurrent piktc or piktx operation.
The -v option turns on verbose mode, telling the client-side piktc_svc to provide feedback as to the success or failure of an operation.
The -V option will output version information, e.g., "PIKT piktc version 1.19.0".
The -w option allows you to view files (alerts, programs, objects, etc.) as they actually appear on clients.
The -W option allows you to view files (alerts, programs, objects, etc.) as they are specified in the PIKT configuration (in the piktmaster's .cfg file). You may also redirect 'piktc -W' output to a different file name or pipe, say to scp or do something else with it.
The -x option tells piktc to direct the client-side piktc_svc to execute the indicated scripts or alerts. This is useful, for example, for restarting inetd after installing a new inetd.conf.
The -X option is like -x except that piktc doesn't wait for any feedback from a client before proceeding to the next. You would use -X when you are in a hurry, and -x when you need to know the result of a piktc command.
You may install and execute in a single piktc command as follows:
# piktc -ixv +F =aliases +C "=newaliases" +H vienna ... processing vienna... installing file(s)... /etc/aliases installed executing command(s)... "=newaliases" executed ...'-x' (also '-X') may be combined with many other piktc options, such as '-B' (for restoring from backup), '-e' (for enabling alerts), '-t' (deleting files), and so on. Note that, when combined with other piktc operations in this way, commands are always exec'ed after the other operation. (So, for example, 'newaliases' would always be exec'ed after the aliases file install.)
The -z option runs piktc in 'make check' mode. You ordinarily wouldn't do this outside the installation 'make check'.
Using the -Z option, you can have piktc list all config file elements (stanza identifiers).
You can use piktc for remote program execution as an alternative to rsh or ssh. The command
# piktc -xv +C "<command string(s)>" +H <systems>executes the <command string(s)> on the specified <systems>, with command feedback, while
# piktc -Xv +C "<command string(s)>" +H <systems>does the same thing but without on-screen feedback (and without any wait).
You can insert PIKT macros within +C command strings. Because this forces piktc to parse the macros.cfg file, using macros in this way is slower than doing without. So, this
# piktc -xv +C "ls -l /var/spool/mail" +H allwould be faster than this
# piktc -xv +C "=ll =maildir" +H allOf course, in the first example, if some of your systems have the mail spool directory as /var/mail, the command will fail--hence the advantage of the second example.
You can execute more than one command at a time, either by separating them by a semicolon within a single command string, else by separating them into more than one distinct command string. In other words, both
# piktc -xv +C "=rm -rf /tmp/SAS*; =du -sk /tmp" +H perfand
# piktc -xv +C "=rm -rf /tmp/SAS*" "=du -sk /tmp" +H perfachieve the same thing.
# piktc -xv +C "cd /var/tmp; =ll" +H perfis not the same as this
# piktc -xv +C "cd /var/tmp" "=ll" +H perfbecause in the second case the commands are executed in two separate subshells, and the directory change in the first command would not apply to the 'ls -l' command of the second (so the listing you would get in the second command string would be unpredictable).
You can combine, in a single 'piktc -x|X' command, +C and +|- A|S. For example, on the machine warsaw,
# piktc -xv +C "=rm =logdir/* =hstdir/*" +S TouchPiktVarFiles +H warsawwill empty the contents of the PIKT log and histories directories, then create empty (zero-length) files for all registered log and histories files (if you you wanted to start afresh after installing new PIKT binaries, say).
Note, however, that +C command strings are always executed before +A or +S (or -A or -S) Pikt scripts.
Here is a sample 'piktc -xv +C' command with feedback:
# piktc -xv +C "=ll /etc/nologin" +H fac processing kiev... executing command(s)... /etc/nologin: No such file or directory "/bin/ls -l /etc/nologin" executed processing kiev2... remote piktc_svc not running processing kiev0... executing command(s)... -rw-r--r-- 1 root staff 0 Jul 24 15:47 /etc/nologin "/bin/ls -l /etc/nologin" executedHere is an alternative form (without '-v' and adding =hostname and echo to the command line) resulting in reduced clutter (but note the absence of feedback about piktc_svc not running on kiev2, because we have turned off verbose mode):
# piktc -x +C "=hostname; =ll /etc/nologin; echo ''" +H fac kiev kiev0 -rw-r--r-- 1 root staff 0 Jul 24 15:47 /etc/nologinYou set (to TRUE) defines with the +D <defines> option, and unset them (to FALSE with -D <defines>. Command-line +D defines and -D undefines override any defines.cfg settings, but #def(ine) and #undef(ine) directives in the config files have the highest precedence overall.
Combining -|+ D switches with +C command strings is perfectly legal (e.g., to toggle the effect of a macro within the command string). (Combining +C with +O, +F or +P is illegal, since you exec +C commands, but you don't exec +O, +F, or +P files. You can't combine exec'ing with file installation or other file management in the same piktc command.)
Using the +E <envar> option, you set the environment variable <envar> (by default to 1). +E <envar>=<value> sets <envar> to <value>. +E <envar> = "<string>" sets <envar> to the character string <string>. (Note the mandatory quote marks, also the spaces around the '=' sign, when assigning a multi-word string.) -E <envar> unsets <envar>. You may unset and set environment variables in the same piktc command, for example:
# piktc ... -E fee fie +E fo fum foo=bar flim = "flam man" ...(Note that legal environment variable names begin with a letter, followed by any sequence of letters, digits, and/or _ (underscore).)
When specifying alerts/objects/programs, you include items using the "+" option, and exclude using the "-" option. "+A all" includes all alerts. "+A all -A EMERGENCY Info" includes all alerts except EMERGENCY and Info. Another way to achieve the same effect is with just "-A EMERGENCY Info" (leaving out the "+A all", which is implicit).
In piktc commands, 'A' (for alerts) and 'S' (for scripts) are effectively synonymous. You might prefer to use 'A' when processing alerts, and 'S' when processing non-alert scripts.
hosts may refer to operating systems, host aliases, and host groups defined in the systems.cfg file.
"ALL" on the piktc command-line translates to "+A all +S all +P all +F all +O all +H all". So,
# piktc -ierv ALLwill install, enable, and restart everything on all systems. You may combine ALL with the -<A|S|P|F|O> options to exclude certain items. This command, for example, does everything on all systems except the solaris systems:
# piktc -ierv ALL -H solarisThis command reports the status of all alerts except EMERGENCY on all machine except the linux machines:
# piktc -sv ALL -A EMERGENCY -H linuxYou may use item macros in your piktc commands, for example
# piktc -iv +F =apacheconf +H webserverSo, in your macros.cfg file (or some appropriate macro #include file), you might have
apacheconf access.conf httpd.conf magic mailman.conf [and so on...]The above piktc command would be equivalent to
# piktc -iv +F access.conf httpd.conf magic mailman.conf [...] +H webserverIn your macros.cfg files, you might define file subsets, including for example
somestuff somestuff1 somestuff2 [and so on...] otherstuff =somestuff otherstuff1 otherstuff2 [and so on...] morestuff morestuff1 morestuff2 [and so on...] [and so on...] allstuff =otherstuff // includes =somestuff =morestuff [and so on...] stillmorestuff1 stillmorestuff2 [and so on...]To update all of your "stuff", you might then use
# piktc -iv +F =allstuff +H [...]To diff all of your "stuff", except for the "morestuff", you might use
# piktc -fv +F =allstuff -F =morestuff +H [...]You may use similar macros in your piktc +/-A, +/-O, and +/-P specifications. (Macros are not permitted in +/-H specifications, since you already have the needed functionality by means of host aliases and groups in systems.cfg. Nor are macros allowed in +/-D or any other piktc item specifications.)
Note that by means of command-line item macros, you may effectively alias alert, program, file, and object names (much like you can alias hostnames in systems.cfg).
When piktc launches, it creates a lock file in the =piktdir/etc directory, and removes that file upon completion. The lock file mechanism is to prevent concurrent piktc program runs. In cases of abnormal piktc termination, it will be necessary to manually remove the lock file.
Before shipping a .alt, .obj, or program file to a client, piktc: strips out any // and /* */ comments from the central config file; preprocesses the #if and #ifdef directives in the config file; and performs macro substitutions. In addition, the resultant client-side file loses much of the line and space formatting in the original central config file, and may bear little resemblance to its parent file.
The "f" option suffix tells piktc to "fix" (or "freeze") a file, which leaves all // and /* */ comments in place. (The #fix-#unfix preprocessor directives have a similar effect.) This is especially relevant to programs.cfg, which might possibly include //, /*, and/or */ character sequences. If you choose not to fix a file, you can still include // and /* */ character sequences, but additional backslash escapes may be necessary. (See Regular Expressions.)
Note that the "f" option does not pertain to PIKT #if preprocessing, or to macro substitutions. piktc always honors #if preprocessing directives and macros where present.
|prev page||1st page||next page|