help-cfengine

Re: Bootstrapping


From: Luke A. Kanies
Subject: Re: Bootstrapping
Date: Wed, 18 Feb 2004 15:26:39 -0600 (CST)

On Wed, 18 Feb 2004, John Sechrest wrote:

>
> What would happen if the list of hosts that you want to trust
> was distributed in some other tool. A mysql database query?
> An ldap query? A file with a list of machines?
>
> Would that be better than
>        TrustKeysFrom = ( 10.0.0.0/8 )
>        DynamicAddresses = ( 10.0.0.0/8 )
>
>
> IE:
>        TrustKeysFrom = ( ReadFile (/var/mln/TrustedHosts,10000))
>        DynamicAddresses = ( ReadFile (/var/mln/TrustedHosts,10000))
>
> Does that help the process at all?

That's basically what I'm doing right now.  I keep the hosts in LDAP, and
I generate an import file every time cfagent runs (yes, it's generated
idempotently).

This is functional, and I didn't mean to imply that there aren't methods
of solving these problems.  The problem with my setup is that there is a
manual step (add the host to LDAP), and then two automatic steps that can
take up to 15 minutes each.  This delay isn't a technical problem, it's a
human problem; people begin thinking of the LDAP repository as the place
from where cfservd is getting its access list, so they expect immediate
results.

Now that Marc has accepted a patch to support returning lists from
ExecResult, I will be able to have cfservd get the list directly from LDAP
(rather than having to import it), but I'll still have to HUP cfservd to
force it to reload the list.

Basically, this is a classic case of a leaky abstraction.  I've built my
environment so that it behaves as though cfservd is directly getting
information from LDAP, but the truth is leaking through in the delays and
HUPping, and that leakiness confuses my users.  Really, really confuses
them.  That, and it's often inconvenient.

Luke

-- 
Should I say "I believe in physics", or "I know that physics is true"?
                -- Ludwig Wittgenstein, On Certainty, 602.
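
The idempotent import-file step described in the message above, sketched as an added example (it is not code from this thread or from cfengine). It assumes the host list has already been fetched from LDAP, that entries are IP addresses or CIDR blocks written one per line, and the function names and the `daemon_pid` parameter are hypothetical.

```python
import ipaddress
import os
import signal
import tempfile


def render_trust_list(entries):
    """Validate every entry and return canonical file content (assumed: one per line)."""
    nets = set()
    for raw in entries:
        # Strict parsing: hostnames, junk, and CIDRs with host bits set
        # (e.g. 10.0.0.5/8, which would silently widen trust) raise ValueError.
        nets.add(ipaddress.ip_network(raw.strip()))
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    # Single hosts are written as bare addresses, networks as CIDR.
    lines = [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
             for n in ordered]
    return "\n".join(lines) + "\n"


def write_if_changed(path, content):
    """Atomically replace path only when the content differs; True if replaced."""
    try:
        with open(path, encoding="ascii") as fh:
            if fh.read() == content:
                return False
    except FileNotFoundError:
        pass
    # Temp file in the same directory so os.replace is an atomic rename;
    # mkstemp creates it with mode 0600.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w", encoding="ascii") as fh:
            fh.write(content)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return True


def sync(entries, path, daemon_pid=None):
    """Rewrite the trust file if needed; HUP the daemon only when it changed."""
    changed = write_if_changed(path, render_trust_list(entries))
    if changed and daemon_pid is not None:
        os.kill(daemon_pid, signal.SIGHUP)  # pid of the serving daemon (assumption)
    return changed
```

Because validation happens before anything is written, one malformed directory entry leaves the previous trust list in place rather than producing a partial one.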



