dominator

README

dominator

The dominator daemon is the heart of the Dominator system. It continuously polls all the known subs and directs them to make corrections if needed.

The list of known subs is read from a local file (/var/lib/Dominator/mdb by default). This file is updated by the mdbd companion daemon.

Status page

The dominator provides a web interface on port 6970 which provides a status page, links to built-in dashboards and access to performance metrics and logs. If dominator is running on host myhost then the URL of the main status page is http://myhost:6970/.

Startup

Dominator is started at boot time, usually by one of the provided init scripts. The dominator process is baby-sat by the init script; if the process dies the init script will re-start it. It may be stopped with the command:

service dominator stop

which also kills the baby-sitting init script. It may be started with the comand:

service dominator start

There are many command-line flags which may change the behaviour of dominator but many have defaults which should be adequate for most deployments. Built-in help is available with the command:

dominator -h

Key configuration parameters

The init script reads configuration parameters from the /etc/default/dominator file. The following is the minimum likely set of parameters that will need to be configured.

The IMAGE_SERVER_HOSTNAME variable specifies the hostname where the imageserver is running. This hostname must be resolvable by the dominator and all the subs. In a multi-zone deployment, it is recommended to use a geoDNS name, as it makes dominator configuration uniform across zones.

The USERNAME variable specifies the username that dominator should run as. Since dominator does not need root privileges, the init script runs dominator as this user.

Security

RPC access is restricted using TLS client authentication. Dominator expects a root certificate in the file /etc/ssl/CA.pem which it trusts to sign certificates which grant access.

Dominator will require signed SSL certificates in order to communicate with subd and the imageserver. The certificate and key should be in the files /etc/ssl/dominator/cert.pem and /etc/ssl/dominator/key.pem, respectively.

If any of these files are missing, dominator will refuse to start. This prevents accidental deployments without access control.

Control

The domtool utility may be used to manipulate various operating parameters of a running dominator and perform RPC requests. The most important controls are described below for convenience.

Emergency Stop

To disable automated updates, issue the following command:

domtool -domHostname=mydom.zone disable-updates "my stop reason"

This will prevent the dominator running on the host mydom.zone from performing automated updates. The reason for the emergency stop along with the username of the person issuing the stop is logged.

Restart

To enable automated updates, issue the following command:

domtool -domHostname=mydom.zone enable-updates "my restart reason"

This will restart automated updates. The reason for the restart (typically an explanation of why the emergency stop is no longer needed) along with the username of the person issuing the restart is logged.