--- canonical: https://safekit.evidian.com/wp-content/uploads/downloads_safekit/version-82/safekituserguidehtml/documentation/safekituserguideen.htm --- # 8. SafeKit support If you haven’t found a solution to an issue encountered with SafeKit, either in section 7 or in the Troubleshooting part of the SafeKit training, you can request assistance from SafeKit support. To do so, follow these steps: 1.    Log in to the Support portal 2.    Create an incident, selecting the SafeKit product 3.    Provide a detailed description of the issue, including: ·         The scenario leading to the problem ·         The date and time of the incident ·         The SafeKit version and operating system version (retrievable using the safekit level command) 4.    Attach module snapshots taken from both SafeKit servers (see section 3.5)     # 9. Command line interface ![*](safekituserguideen_fichiers/image001.png)       Section 9.1 “Commands to control and setup SafeKit” ![*](safekituserguideen_fichiers/image001.png)       Section 9.2 “Command lines to configure and monitor the cluster” ![*](safekituserguideen_fichiers/image001.png)       Section 9.3 “Command lines to control application modules” ![*](safekituserguideen_fichiers/image001.png)       Section 9.4 “Command lines to monitor application modules” ![*](safekituserguideen_fichiers/image001.png)       Section 9.5 “Command lines to configure application modules” ![*](safekituserguideen_fichiers/image001.png)       Section 9.6 “Command lines for support” ![*](safekituserguideen_fichiers/image001.png)       Section 9.7 “Command lines during the maintenance of the module application” ![*](safekituserguideen_fichiers/image001.png)       Section 9.8 “Command lines distributed across multiple SafeKit servers” ![*](safekituserguideen_fichiers/image001.png)       Section 9.9 “Examples”   The SafeKit command-line interface is provided by the safekit command. To use it: | | | | --- | --- | | Windows | 1.    Open a PowerShell console as administrator 2.    Go to the root of the SafeKit installation directory SAFE (by default SAFE=C:\safekit if %SYSTEMDRIVE%=C:) cd c:\safekit 3.    Run .\safekit.exe for the local command 4.    Run .\safekit.exe -H "" for the command distributed across multiple nodes | | Linux | 1.    Open a Shell console as root 2.    Go to the root of the SafeKit installation directory SAFE (by default SAFE=/opt/safekit) cd /opt/safekit 3.    Run ./safekit for the local command 4.    Run ./safekit -H "" for the command distributed across multiple nodes |   | | | | --- | --- | | Commentaire important contour | This section presents other commands that also must be run as administrator/root. | ## 9.1             Commands to control and setup SafeKit Use the following commands for starting/stopping SafeKit services and their automatic boot start. ### 9.1.1         safeadmin service SafeKit main service mandatory and started automatically at boot.   | | | | --- | --- | | **Windows** net start safeadmin net stop safeadmin | safeadmin can also be controlled using the Windows Services Control Panel applet. To check the service status, run: ·         In command prompt sc query safeadmin ·         In PowerShell: Get-Service -name safeadmin | | **Linux** systemctl start safeadmin systemctl stop safeadmin | To check the service status, run: systemctl status safeadmin | ### 9.1.2         safewebserver service This service is used by the web console, module checkers and distributed command line interface. By default, it is started automatically at boot. For details, refer to section 10.9. The following commands are used to control this service: | | | | --- | --- | | safekit webserver start safekit webserver restart safekit webserver stop | Control the service via the safekit command. | | **Windows** net start safewebserver net stop safewebserver | Control the service via the net command. To check the service status, run: ·         In command prompt sc query safewebserver ·         In PowerShell: Get-Service -name safewebserver | | **Linux** systemctl start safewebserver systemctl restart safewebserver systemctl stop safewebserver | Control the service via the systemctl command. To check the service status, run: systemctl status safewebserver | | safekit boot [webon | weboff | webstatus] | Controls the automatic start at boot of the safewebserver service ("on" or "off") By default: "on" |   The default configuration of the SafeKit web service is HTTP with file-based authentication. During the setup initialization, described in section 11.2.1, two users are created by default: ·         the admin user to authenticate access to the SafeKit web console ·         the private rcmdadmin user to authenticate access to the safekit distributed command The following commands are used to change the usernames and passwords for these users when necessary: | | | | --- | --- | | safekit webservercfg -passwd *pwd* [-user *username*] | Setup the password *pwd* for the user who accesses the web console. Optionally, setup its *username* that is *admin* by default. | | safekit webservercfg -rcmdpasswd *pwd* [-rcmduser *username*] | Setup the password *pwd* for the private user who accesses the distributed command. Optionally, setup its *username* that is rcmdadmin by default. |   | | | | --- | --- | | Commentaire, ajouter contour | ·         The script SAFE/private/bin/webservercfg can also be called directly ·         Options -user and -rcmduser are available since SafeKit 8.2.4 | ### 9.1.3         Email notification agent Since SafeKit 8.2.4, SafeKit offers a notification agent to send emails for major modules events. The notification agent is not enabled by default. To configure and enable it, refer to the section 10.10. The following commands are used to control this agent: | | | | --- | --- | | safekit notification enable safekit notification disable | Enable/disable the notification agent. | | safekit notification status | Display the status of the notification agent. |   | | | | --- | --- | | **Windows** | Control the safenotif task via the Windows Task scheduler. To check the task status, run: ·         In command prompt schtasks /query /tn "safenotif" ·         In PowerShell Get-ScheduledTask -TaskName "safenotif" | Select-Object TaskName, State | | **Linux** systemctl start safenotif systemctl restart safenotif systemctl stop safenotif | Control the service via the systemctl command. To check the service status, run: systemctl status safenotif |     ### 9.1.4         SNMP service Net-SNMP Agent service in Windows SNMP monitoring for SafeKit is not enabled by default. To enable and configure it, refer to the section 10.11. In Windows, SNMP monitoring is provided by Net-SNMP Agent service. | | | | --- | --- | | safekit safeagent [start | stop | restart | check] | Control the service via the safekit command. | | net start "Net-SNMP Agent" net stop "Net-SNMP Agent" | Control the service via the net command. To check the service status, run: ·         In command prompt sc query "Net-SNMP Agent" ·         In PowerShell: Get-Service -name "Net-SNMP Agent" | | safekit boot [snmpon | snmpoff | snmpstatus] | Controls the automatic start at boot of the Net-SNMP Agent service ("on" or "off") By default: "off" | Standard snmpd service in Linux SNMP monitoring for SafeKit is not enabled by default. To enable and configure it, refer to the section 10.11. In Linux, SNMP monitoring is provided by the standard snmpd Linux agent. | | | | --- | --- | | systemctl start snmpd systemctl stop snmpd | To check the service status, run: systemctl status snmpd | ## 9.2             Command lines to configure and monitor the cluster | | | | | | | --- | --- | --- | --- | --- | | safekit cluster config [*filepath .xml or .zip*] [lock | unlock] | Apply the new SafeKit cluster configuration with the content of the file passed as argument, cluster.xml or cluster.zip: ·     cluster.xml Configure with new cluster.xml and generate new cryptographic keys ·     cluster.zip Configure with the new cluster.xml and cryptographic keys stored into the zip file When called with no argument, this command keeps the current configuration but generates new cryptographic keys. Ex: safekit cluster config /tmp/newcluster.xml | | | | --- | --- | | Commentaire, ajouter contour | Use with great care:  the new cluster configuration and cryptographic key must then be copied to all cluster nodes to have the same cluster configuration on all nodes. | If the command is called with the parameter lock, future safekit cluster config commands will not be granted until they are called with the unlock parameter. | | | safekit cluster confcheck *filepath* | Check the cluster configuration, with the content of the xml file passed as argument, without applying it | | | safekit cluster confinfo | Return, for each active cluster node: ·         the date of last cluster configuration, ·         the digital signature of last cluster configuration ·         the state: locked (1) or unlocked (0) status for the cluster configuration This command allows checking if all node of a cluster have the same configuration. Ex: safekit cluster conf info Node        Signature              Date                Lock rh6server7  6f1032b11a7b2 … 33e67c 2016-05-20T17:06:45  0 rh7server7  6f1032b11a4e0 … 33e67c 2016-05-20T17:06:45  0 | | | | --- | --- | | Commentaire, ajouter contour | The SafeKit cluster configuration must be the same on all nodes of a cluster. Asymmetric cluster configurations are not supported. | | | | safekit cluster deconfig | Remove the cluster configuration and the cryptographic key. | | | safekit cluster state | Return the global SafeKit modules configuration state For each installed module on each cluster node, this commands list: ·         the node name, ·         module name, ·         module mode (farm or mirror) ·         internal module id number, ·         date of last module configuration, ·         digital signature of last configuration This command list which modules are installed on which nodes of the cluster. Signature and date of last configuration on each node allow checking that a module has the same configuration on all nodes, and if not, which node has the most recent configuration. | | | safekit cluster genkey | Create cryptographic key for global SafeKit communication (implemented in the safeadmin process). The cluster configuration must be deployed again (with safekit -G) for this command to take effect. | | | safekit cluster delkey | Suppress cryptographic keys for global SafeKit communication. The cluster configuration must be applied again (with safekit -G) for this command to take effect. | | | safekit -H "\*" -G | Distributes the local cluster configuration and associated cryptographic key if it exists, on all cluster nodes. Redo a name resolution for all names specified in cluster.xml and userconfig.xml of modules, without stopping modules (when possible). See section 9.8 for details on this distributed command. | | ## 9.3             Command lines to control application modules The commands apply to the module named *AM*, passed as an argument with the -m option. | | | | --- | --- | | Commentaire, ajouter contour | When the SAFEMODULE environment variable is set with the module name, -m argument not required. It is set during the execution of the module scripts (see section 14.2). | | | | | --- | --- | | safekit start -m *AM* | Starts the module | | safekit waitstart -m *AM* | Waits for the end of the module start | | safekit stop -m *AM* | Stops the module | | safekit shutdown | Stops all running modules | | safekit waitstop -m *AM* | Waits for the end of the module stop | | safekit waitstate -m *AM* STOP | ALONE | UP | PRIM | SECOND | Wait for the required stable state (NotReady or Ready). | | safekit restart -m *AM* | Executes only application stop and start scripts | | | | --- | --- | | Commentaire, ajouter contour | ·         For a mirror module equivalent to stop\_prim ; start\_prim ·         For a farm module equivalent to stop\_both ; start\_both | | | safekit stopstart -m *AM* | Unlike the restart, the stopstart causes a complete stop of the module followed by an automatic start. If the module was PRIM, there is a failover of the PRIM module on the other server. | | | | --- | --- | | Commentaire, ajouter contour | Equivalent to safekit stop -m *AM*; safekit start -m *AM*. | | | safekit forcestop -m *AM* | Forces the module stop to use when the stop has no effect | | safekit swap [nosync] -m *AM* | **Mirror modules only** Swaps the roles of primary and secondary nodes. Use nosync to swap without synchronizing the replicated directories. | | safekit prim [fullsync] -m *AM* | **Mirror modules only** Forces the module to start as primary. It fails if the other server is already primary. Use fullsync to force the full synchronization of the replicated directories on the secondary node at startup. | | | | --- | --- | | Commentaire, ajouter contour | fullsync option supported since SafeKit version 8.2.5. | The main use case of this command is described in section 5.3. | | safekit second [fullsync] -m *AM* | **Mirror modules only** Forces the module to start as secondary. It fails if the other server is not primary. Use fullsync to force the full synchronization of the replicated directories. | | safekit primforce -m *AM* | **Mirror modules only** Forces the module to start as primary when the usual prim command fails due to potential data inconsistency during file reintegration. primforce should be used with caution as it can lead to replicated data inconsistency, but it enables recovery from situations where normal failover/startup commands fail due to partial synchronization. The main use case of this command is described in section 5.9. |   | | | | --- | --- | | Commentaire important contour | The commands restart, stop, stopstart and swap also accept the argument -i identity. This argument is set when the action is called by checkers or the failover machine for logging purpose and to increment the maxloop counter. When not set, the maxloop counter is reset. |   The following commands are used to get and set module resource states. | | | | --- | --- | | safekit get -m *AM* -r *resource* | Gets the state of one resource: safekit get -r custom.myresource -m *AM* safekit get -r state.local -m *AM* | | safekit set -m *AM* -r *resource* -v *state*     [-n] [-l]   [-i identity] | Sets the state of one resource: safekit set -r custom.myresource -v up -m *AM* safekit set -r custom.myresource -v down -m *AM* Each assignment of the main resources is stored in a log to keep track of their status. Use -n to disable this logging or -l to force it. Use -i to specify the identity of the component, which affects the resource, in the logged message. The use case of this command in a custom checker is described in section 15.7.2. | ## 9.4             Command lines to monitor application modules The commands apply to the module named *AM*, passed as an argument with the -m option. | | | | --- | --- | | Commentaire, ajouter contour | When the SAFEMODULE environment variable is set with the module name, -m argument not required. It is set during the execution of the module scripts (see section 14.2). |   | | | | --- | --- | | safekit level [-m *AM*] | Indicates the version of SafeKit and the license With the *AM* parameter, the module script level is called if exists, and its results displayed | | safekit state | Displays the status of all modules | | safekit state -m *AM* [-v | -lq] | Displays the status of the *AM* module With the verbose option -v, status of all the module resources are listed: see the usefulness of resources in section 7.10. With the option -lq, the command returns status (and exit code): STOP (0), WAIT (1), ALONE (2), UP (2), PRIM (3), SECOND (4) | | safekit log -m *AM* [-s nb]   [ -A ] [-l en|fr] | Displays the last nb messages of the *AM* module log. Use -A for displaying the verbose log (all messages including debug ones). Use -l option for choosing the language, en(glish) or fr(ench).   Default: -s 300 | | safekit logview -m *AM* [-A] [-l en|fr] | View in real time the last main messages of the *AM* module log. Use -A for displaying all messages (including debug ones). Use -l option for choosing the language, en(glish) or fr(ench). | | safekit logview -m *AM* -s 300 [-A ] [-l en|fr] | View in real time the *AM* module log messages starting from the last 300 messages | | safekit logsave -m *AM* [-A] [-l en|fr|ja] */tmp/f.txt* | See section 9.6.1. | | safekit printi|printe -m *AM* "*message*" | Application start/stop scripts can write messages in the module log with I or E level. | ## 9.5             Command lines to configure application modules The commands apply to the module named *AM*, passed as an argument with the -m option. | | | | --- | --- | | Commentaire, ajouter contour | When the SAFEMODULE environment variable is set with the module name, -m argument not required. It is set during the execution of the module scripts (see section 14.2). |   | | | | --- | --- | | safekit config -m *AM* | Apply changes made in files under SAFE/modules/*AM*in such as userconfig.xml, start\_prim/both or stop\_prim/both (mirror/farm). It is recommended to run this command when the module is stopped. However, it is allowed in stable states ALONE (Ready)or WAIT (NotReady). But only some configuration parameters can be changed while the module is in these states. This feature is called *dynamic configuration*. Parameters that could be dynamically changed are reported into section 13 that describes all configuration parameters. | | safekit module genkey -m *AM* | Generates cryptographic keys for the module instances network exchanges encryption. Considered after the next configuration of the module. | | safekit module delkey -m *AM* | Erase cryptographic keys associated with the module. After the next configuration, module instances network exchanges will be performed without encryption. | | safekit -H "\*" -E *AM* | Distributes the local configuration for the module *AM* and associated cryptographic key if it exists, to all cluster nodes. See section 9.8 for details on this distributed command. | | safekit confinfo -m *AM* | Display information on the active and current configuration of the module *AM*. ·         the active configuration is the last configuration successfully applied. It is in SAFE/private/modules/*AM* ·         the current configuration is the one located in SAFE/modules/*AM*. It may be different from the active one when it has been modified and not yet been applied   This command is useful for checking the configuration of the module. It displays: ·         the signature value and a last modification date (Unix timestamp) for the active configuration ·         the signature value and last modification date (Unix timestamp) for the current configuration   When the signature values are different, it means that the configurations are not identical and that you may have to apply the current configuration. You can run this command on all the cluster nodes that implement the module to check that the configuration of the module is identical on all nodes. | | safekit confcheck -m *AM* | Check the module configuration under SAFE/modules/*AM* without applying | | safekit module install -m *AM* [-M id] [-r] [*AM.safe*] | Installs the *AM.**safe* module file under the *AM* name [-r] force reinstallation of the module [-M id] forces the installation of the module with the id specified as module id ·         *AM.safe* default location is SAFE/Application\_Modules/ and its subdirectories ·         An absolute path could be used too ·         If no *AM.safe* is given, the command search for file *AM*.safe in /Application\_Modules/ and its subdirectories | | safekit module package -m *AM* */…/newAM.safe* | Packages the *AM* module in */…/newAM.safe* (absolute path mandatory) Used by the console to create a backup in SAFE/Application\_Modules/backup/ | | safekit module uninstall -m *AM* | Uninstalls the *AM* module. Deletes the module configuration directory SAFE/modules/*AM* | | safekit module list | Lists the names of the installed modules | | safekit module listid | Lists the names and ids of the installed modules | | safekit module getports -m *AM* (or -i id) | Lists the communication ports used by the module to communicate between servers | ## 9.6             Command lines for support The commands apply to the module named *AM*, passed as an argument with the -m option. | | | | --- | --- | | Commentaire, ajouter contour | When the SAFEMODULE environment variable is set with the module name, -m argument not required. It is set during the execution of the module scripts (see section 14.2). | ### 9.6.1         Application module log Use the following command to save the module log. | | | | --- | --- | | safekit logsave -m *AM* [-A] [-l en|fr|ja] */tmp/f.txt* | Save main messages of the *AM* module log in */tmp/f.txt* (absolute path mandatory). **Verbose log** Use -A for saving all messages (including debug ones). **Language** Use -l option for choosing the language, en(glish), fr(ench) or ja(ponise). By default, the operating system language is used. |   Anonymised log Starting with SafeKit version 8.2.6, SafeKit supports anonymization of module snapshots, including the module log. To build the anonymized snapshot and extract the anonymized module log, see section 9.9.4.2.   ### 9.6.2         Application module snapshot #### 9.6.2.1      Full snapshot | | | | | | --- | --- | --- | --- | | safekit snapshot -m *AM* */tmp/snapshot\_xx.zip* | Saves the snapshot of the *AM* module in */tmp/snapshot\_xx.zip* (absolute path mandatory) A snapshot creates a dump and gathers under SAFEVAR/snapshot/modules/*AM* the last 3 dumps and last 3 configurations to collect them in a .zip file To analyze snapshots, see section 7.18. To get support assistance, create an incident via the Support portal, making sure to attach the snapshots. | | | | --- | --- | | Commentaire important contour | Since SafeKit 8.2.4, the zips generated for snapshots are protected by the password safekit. This allows the snapshot to be received in its entirety when sent via email. | | | safekit dump -m *AM* | To solve a problem in real time on a server, make a dump of the *AM* module A dump creates a directory dump dump\_year\_month\_day\_hour\_mn\_sec on the server side under SAFEVAR/snapshot/modules/*AM*. The dump directory contains the module log and status, as well as information on the system state and SafeKit processes at the time of the dump |   The snapshot content is described in section 7.18. #### 9.6.2.2      Anonymised snapshot Since SafeKit 8.2.6, SafeKit provides the anontool utility, which allows generating a filtered and anonymized snapshot from a full snapshot. This snapshot can then be shared with third parties, such as SafeKit support, while limiting the disclosure of sensitive information about the cluster. | | | | --- | --- | | Sous-titres contour | See the example in section 9.9.4.2. | The filtered snapshot contains the minimal subset necessary to analyse an issue: ·         the configuration of the cluster and module ·         the module log, the module script logs, and the SafeKit command log If necessary, the anontool utility provides the option to exclude additional files from the filtered snapshot (parameter -fileexclusionpattern). Each of these files is anonymized. The sensitive values they contain (IP addresses, hostnames, etc.) are replaced with a structured identifier, which masks the real data while still allowing analysis by support. The mappings between the original values detected in the snapshot and their anonymized identifiers are stored in the xx\_catalog.xml file. This catalog must be kept locally but is not included in the filtered snapshot. It allows the user to: ·         link anonymized values potentially referenced by support to their original values ·         verify which values have been anonymized If the user considers that other values should also be anonymized, the anontool utility accepts an additional catalog to supplement the default anonymization (parameter -additionalcatalogfile). The original snapshot must also be retained. Since the content of the snapshot sent to support is filtered, certain analyses cannot be performed solely based on it (notably regarding file replication or network configuration). Support may therefore ask the user to perform additional checks directly using the original snapshot. | | | | --- | --- | | safekit -r anontool anonymize-snapshot -insnapshotfile snapshot.zip   [-outsnapshotfile snapshot-anon.zip]   [-additionalcatalogfile extracatalog.xml] [-fileexclusionpattern 'pattern.\*'] | Build the filtered and anonymized snapshot from the full snapshot snapshot.zip. It also generates the associated XML anonymization catalog. Running the command requires entering the password that protects the snapshot (safekit). The generated snapshot is itself protected with the same password. ·         -insnapshotfile snapshot.zip Required parameter to specify the input snapshot file. ·         -outsnapshotfile snapshot-anon.zip Optional parameter to specify the name of the generated snapshot. It is also used as prefix for the XML catalog name. By default, the suffix -anon is added to the input snapshot name: snapshot-anon.zip and snapshot-anon-catalog.xml ·         -additionalcatalogfile extracatalog.xml Optional parameter to specify an additional catalog to supplement the default anonymization. For example, to anonymize the OS version:                This option can also be useful when the cluster node names have changed since the initial production deployment. To ensure that the former names, server1 and server2, do not appear in the logs, use an additional catalog such as the following:                     ·         -fileexclusionpattern 'pattern.\*' Optional parameter to specify a regular expression for file or directory names to exclude from the snapshot. For example, to exclude all module script logs: -fileexclusionpattern 'userlog.\*' To additionally exclude the module scripts: -fileexclusionpattern 'userlog.\*'  -fileexclusionpattern 'bin' Or -fileexclusionpattern 'userlog.\*|module/bin' The evaluation of regular expressions relies on the PCRE2 library (Perl Compatible Regular Expressions 2) and employs a DFA-based algorithm. | | safekit -r anontool -help | List all usages of anontool. |   ### 9.6.3         Other commands | | | | --- | --- | | safekit -r "*specialcommand*" | Calls the special command in SAFEBIN with SafeKit environment variables set. | | safekit clean [all | log | process | resource] [-m *AM*] | Clean the logs, the resource file, and the main processes of the module *AM*. | | | | --- | --- | | Commentaire important contour | This command must be used with caution since it deletes working files and kills processes. | ·         safekit clean log -m *AM* Clean the logs (verbose and not verbose logs) of the module. To be used when these logs are corrupted (e.g.: errors in log view). ·         safekit clean resource -m *AM* Reinitialize the resource file of the module. To be used when this file is corrupted (e.g.: errors in resources display) ·         safekit clean process -m *AM* Kill the main processes (heart) of the module. To be used when the stop and forcestop of the module did not achieve to kill these processes. ·         safekit clean all -m *AM* Default value. Clean log, resource, and process. |   ## 9.7             Command lines during the maintenance of the module application During maintenance or testing of the application, it may be necessary to stop or restart the associated services. But if the module is configured to monitor the application (processes/services monitoring, checkers), these operations will cause false error detection and automatic restart or failover. To avoid this, follow one of the two solutions described below. ### 9.7.1         Application module control for maintenance The following commands allow the module's behaviour to be dynamically modified without the need for reconfiguration. They apply to the module named *AM*, passed as an argument with the -m option. | | | | --- | --- | | Commentaire, ajouter contour | When the SAFEMODULE environment variable is set with the module name, -m argument not required. It is set during the execution of the module scripts (see section 14.2). |   | | | | | | --- | --- | --- | --- | | safekit errd off -m *AM* safekit errd on -m *AM* | Disable/enable the processes/services monitoring defined in the module configuration. The resource variable *usersetting.errd* reflects the current setting. | | | | --- | --- | | Commentaire important contour | With SafeKit < 8.2, use safekit errd suspend|resume -m *AM* | | | safekit checker off -m *AM* safekit checker on -m *AM* | Disable/enable all checkers (interface, TCP, IP, custom, etc.) defined in the module configuration.   The resource variable *usersetting.checker* reflects the current setting. | | safekit boot off -m *AM* safekit boot on -m *AM*     safekit boot status [-m AM*]* | Disable/enable the automatic startup at boot of the module. The resource variable *usersetting.boot* reflects the current setting. Without the option -m *AM*, lists the boot status of all modules. | | safekit failover off -m *AM* safekit failover on -m *AM* | Disable/enable the module automatic failover (see section 13.3.3). The resource variable *usersetting.failover* reflects the current setting. | | | | --- | --- | | Commentaire, ajouter contour | This command must be issued on all nodes belonging to the same cluster to not have unexpected results. | |   To check the state of resources, see section 7.4. | | | | --- | --- | | Commentaire, ajouter contour | If the module is running, a side effect of these commands (except safekit boot) is the execution of the update of the module to apply the new setting. |   | | | | --- | --- | | Commentaire important contour | With SafeKit < 8.2, these commands (except safekit boot) could only be executed when the module was started and in a stable state. Additionally, the module's configuration options were restored once the module was stopped and then restarted. Since SafeKit 8.2, these commands can be performed while the module is stopped and are not reset when the module stops then starts. To restore the initial state, you must either execute the corresponding command or reapply the module configuration. | ### 9.7.2         Running the application without the module Rather than starting the module and disabling the checkers, you might want to launch only the application without the module processes. For this, stop the module and run the wrapper scripts described below. They are generated during each configuration of the module into the directory SAFE/private/modules/*AM*/bin. | | | | --- | --- | | *AM*\_start\_wrapper | ·         set the virtual IP address(es) defined into the module configuration ·         start the application by calling the scripts start\_prim or start\_both | | *AM*\_stop\_wrapper | ·         stop the application by calling the scripts stop\_prim or stop\_both ·         reset the virtual IP address(es) defined into the module configuration |   | | | | --- | --- | | Commentaire, ajouter contour | Wrappers filename extension is .ps1 in Windows; .sh in Linux. | ## 9.8             Command lines distributed across multiple SafeKit servers SafeKit provides a command-line interface for running it on multiple SafeKit servers. Each server must be running the SafeKit web service (see section 10.9).  | | | | --- | --- | | Commentaire important contour | The password assigned during the initialization of the SafeKit web service must be the same on all servers, even if they do not belong to the same SafeKit cluster. |   The distributed command applies to the servers specified with the -H "" argument described below. | | | | --- | --- | | -H "\*"   -H "" | Apply the command on nodes defined into the local cluster configuration (see section 12). The protocol and port are those defined in the local configuration of the SafeKit web service. By default, the protocol is http and the port is 9010. ·         -H "\*" for all cluster nodes ·         -H "" list of node names as defined in the cluster configuration, separated by coma. For example: -H "node1,node2" | | -H "[[protocol:port],] " | Apply the command to the listed servers, which may not necessarily belong to the local cluster. ·         Optional specification of the protocol (http or https) and the port to use. If not specified, the protocol and port are those defined in the local configuration of the SafeKit web service. By default, the protocol is http and the port is 9010. ·         List of SafeKit servers (IP address or name) with a comma as the separator. Examples: -H "[http:9500],10.0.0.107,10.0.0.108" -H "[https],S1.company.com,S2.company.com" | | -H "" | Apply the command to the listed URLs, which may not necessarily belong to the local cluster. Example: -H "http://192.16.0.2:9010,http://192.16.0.3:9010" |     The distributed commands are as follows. | | | | --- | --- | | Sous-titres contour | Voir les exemples dans la section 9.9.1, section 9.9.2, la section 9.9.3. | | | | | --- | --- | | safekit -H ""   | Executes the safekit command on the servers specified by -H. Almost all safekit commands can be applied on a list of cluster nodes. Exceptions are safekit logview, safekit -p and safekit -r commands which can be used only locally.   Examples: safekit -H "http://192.168.0.2:9010,http://192.168.0.3:9010" level   safekit -H "\*" cluster confinfo   safekit -H "node2" module list   safekit -H "[http:9500],server1,server2" start -m AM | | safekit -H "" -E *AM* | Exports the configuration of the module named AM on the servers specified by -H. The *AM* module must be installed locally. This command performs the following actions: ·     creates *AM*.safe from local SAFE/modules/*AM* ·     transfers and installs *AM*.safe on the list of servers ·     installs the module on remote servers with the local module id ·     if the module was configured locally, configures it on remote servers See the usage example in section 9.9.3. | | safekit -H "" -G | Exports the local cluster configuration on the servers specified by -H. This command performs the following actions: ·         collect the content of the SAFEVAR/cluster directory ·         transfer and copy the collected files into the target servers’ SAFEVAR/cluster directory ·         trigger safeadmin configuration reload See the usage example in section 12.2.2 | ## 9.9             Examples ### 9.9.1         Local and distributed command For instance, to display the levels (SafeKit, OS…): ·         for the local host safekit level ·         for all hosts configured in the SafeKit cluster safekit -H "\*" level ### 9.9.2         Cluster configuration with command line See section 12.2.2. ### 9.9.3         Application module configuration with command line In the following, replace *AM* by your module name; replace node1 and node2 by the name of your cluster nodes set during the SafeKit cluster configuration. 1.    Log in as administrator/root and open a command shell window on one node For instance, log-in node1 2.    Optional Only during the first configuration, run safekit module install -m *AM* SAFE/Application\_Modules/generic/mirror.safe to install a new module named *AM*, from mirror.safe template. This is not necessary when reconfiguring an already installed module. 3.    Edit the module configuration and scripts in SAFE/modules/*AM*/conf and SAFE/modules/*AM*/bin 4.    Optional Run safekit module genkey -m *AM* or safekit module delkey -m *AM* to create or delete cryptographic key for the module. You do not have to create new cryptographic key on each reconfiguration of the module. 5.    Run safekit -H "node1,node2" -E *AM* to (re)install the module *AM* and apply its configuration, which is get from the node running the command (node1 in this example). It applies it on all listed nodes (node1 and node2). ### 9.9.4         Application module snapshot with command line #### 9.9.4.1      Full snapshot Replace *AM* by your module name, and node1 and node2 with the names of your SafeKit cluster nodes. 1.    Log in as administrator/root and open a command shell window on one node For instance, log-in node1 2.    Change directory to SAFE where SAFE=C:\safekit in Windows (if %SYSTEMDRIVE%=C:), and SAFE=/opt/safekit in Linux 3.    Run safekit snapshot -m *AM* /tmp/snapshot\_node1\_*AM*.zip To save the full snapshot of the *AM* module in /tmp/snapshot\_node1\_*AM*.zip (absolute path mandatory) locally (that is on node1).   **Repeat** all these commands on the other nodes in the cluster. #### 9.9.4.2      Anonymised snapshot Replace *AM* by your module name, and node1 and node2 with the names of your SafeKit cluster nodes. 1.    Log in as administrator/root and open a command shell window on one node For instance, log-in node1 2.    Change directory to SAFE where SAFE=C:\safekit in Windows (if %SYSTEMDRIVE%=C:), and SAFE=/opt/safekit in Linux. 3.    Run safekit snapshot -m *AM* /tmp/snapshot\_node1\_*AM*.zip To save locally the full snapshot of the *AM* module. 4.    Run safekit -r anontool anonymize-snapshot -insnapshotfile /tmp/snapshot\_node1\_AM.zip To build the anonymized snapshot in the current directory with the default name snapshot\_node1\_AM-anon.zip. Running this command requires entering the password that protects the full snapshot (safekit). The generated snapshot is itself protected with the same password. Keep both the full snapshot and the catalog containing the mappings between the original and anonymized values. See section 9.6.2.2 for a description of the anonymised snapshots.   **Repeat** all these commands on the other nodes in the cluster. If you only wish to send the anonymized module log to support, follow this procedure and extract the files logverbose.txt and anoncatalog.xml from the generated ZIP archive. This extract of the anonymization catalog (without the original values) allows support to better interpret the anonymized values contained in the log