help-cfengine

RE: Editfiles convergence bug


From: Jamie Wilkinson
Subject: RE: Editfiles convergence bug
Date: Wed, 19 Feb 2003 14:14:49 +1100
User-agent: Internet Messaging Program (IMP) 3.1

Quoting "Andrews, Martin" <mandrews@cle.lionbioscience.com>:

> I still vote for something more generic if we go this route, say:
> 
> tabfile:
>   /etc/passwd
>     delim=:
>     fields="user passwd uid gid comment home shell"
>     index=user
>     key=root
>     set=password:big-secret
> 
> 
> Then you could also do:
> 
> tabfile:
>   /etc/vfstab
>     delim=tab
>     fields="dev rdev path type fsck boot options"
>     index=path
>     key=/
>     options=logging
> 
> The latter is a bit contrived, but I think the idea is clear.

But that's nothing you can't already do with editfiles.  The value an "account"
section would add is that using the system tools to create users means that it
would get "for free" stuff like NSS, so that you could keep all your users in
LDAP, for example, and creating that user would do the right thing (this assumes
that the system tools work properly :-)

Ok, here's a simple example:

I have a few dedicated servers for big clients, they want statistics generated
for their websites, so we use webalizer.  The default setup on Red Hat is for 
webalizer to run as root on /var/log/httpd/access_log and spit it out $somewhere
(I forget exactly...).  We don't want unnecessary stuff running as root, so we
create a webalizer user that has rights to read the logs and spit the results 
out.

Now, we don't care much about the webalizer user, only that it isn't root and it
has no special privileges, and that it's a system account.  I don't even care
what UID it is, really.  So for each machine, I have to run "useradd -r
webalizer" to create the system user so that later when cfengine fiddles with
the webalizer configs, the right things happen.

Currently, that's easiest to set up a test in control: to check for the
existence of the user (getent passwd webalizer) and then a shellcommand to
create the user if not found.

Of course, the test and the shell command are going to be different for each OS
that this needs to be done on, right?  I'm "lucky" that I only have to support 2
flavours of Linux, each with their own ways of handling this -- but isn't the
point of cfengine to abstract away all this OS specific tailoring when it can be
automated?

That's a pretty simple example.  I can imagine there are instances where you may
want more or less control over what settings the user has, down to login
controls in the shadow password.  Group maintenance would also be good.

Okay, enough talk.  I'll put my editor where my mouth is and start writing a 
patch.

Jamie
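
The check-then-create step described in the message above, written as a convergent shell function. This is an added example, not part of the original post or of cfengine; the function names and the ACCOUNT_TOOL and DRY_RUN variables are assumptions made for illustration, and the Debian branch assumes that system's `adduser --system`.

```shell
#!/bin/sh
# Added example: converge on "system account exists"; the UID does not matter.

# True if the account resolves through NSS (local files, LDAP, ...).
account_exists() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null 2>&1
    else
        id -u "$1" >/dev/null 2>&1    # fallback where getent is absent
    fi
}

# Print the command needed to create the account, or nothing if it exists.
# ACCOUNT_TOOL (hypothetical variable) overrides platform detection.
plan_system_account() {
    user=$1
    case $user in
        ''|-*|*[!a-z0-9_-]*) echo "invalid account name" >&2; return 1 ;;
    esac
    if account_exists "$user"; then return 0; fi    # already converged
    tool=${ACCOUNT_TOOL:-}
    if [ -z "$tool" ]; then
        if [ -f /etc/debian_version ]; then tool=adduser
        elif command -v useradd >/dev/null 2>&1; then tool=useradd
        fi
    fi
    case $tool in
        useradd) echo "useradd -r $user" ;;          # shadow-utils style
        adduser) echo "adduser --system $user" ;;    # Debian adduser style
        *) echo "no known account tool" >&2; return 2 ;;
    esac
}

# Apply the plan. DRY_RUN defaults to 1 so nothing changes unless asked.
ensure_system_account() {
    cmd=$(plan_system_account "$1") || return
    if [ -z "$cmd" ]; then return 0; fi
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "would run: $cmd"
    else
        $cmd    # word splitting is safe: the name was validated above
    fi
}
```

Running `ensure_system_account webalizer` twice plans a command only while the account is missing, and rejecting names outside `[a-z0-9_-]` keeps a bad value from reaching a command that runs as root.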



