Re: Bootstrapping
From: Eric Sorenson
Subject: Re: Bootstrapping
Date: Wed, 18 Feb 2004 14:00:27 -0800 (PST)
On Wed, 18 Feb 2004, Luke A. Kanies wrote:
> > > [ Binaries ]
> So you have a system outside of cfengine which actually installs the
> cfengine package, then? That certainly simplifies the bootstrapping
> problem within cfengine, although I'd imagine it just moves it into the
> packaging system.
Yes. We use 'yum' http://www.linux.duke.edu/projects/yum/ with a little
pre-processing, which pretends to be the client installing itself to get
a kickstart.cfg, and compares the list of packages it gets with what's
currently installed, adding missing ones and updating versions as needed.
It runs nightly with an hour "splaytime" -- this works out very nicely
as it keeps everything converged on the order of one day, and if we
reinstall a given machine or clone a group, we know they'll end up the
same as the currently-installed systems.
> > > [ Public Keys ]
> That's an option, but it's not a terribly appealing one. It moves
> management of cfengine outside of cfengine, which I have a problem with.
> One of my main goals in all automation is to make all information
> accessible to all systems, but using a firewall to do access control
> requires that you set up two groupings of servers, one in the firewall and
> one in the cfengine configs. This will almost definitely have duplication
> of information, and attempts at normalization of that info will likely be
> frustrated by any number of factors.
Well, I manage the firewall configs via cfengine, does that count? :-)
Honestly -- I hear ya, and in a different environment, say a uni where
everything had a real internet-routed IP address and the routers couldn't
be relied upon to filter stuff out, I doubt I would be this open
with the TrustKeysFrom/DynamicAddresses combo.
> Similar to the NIS vs. anything else struggle, though, is security really
> worth the effort in this case, considering how much more effort it is?
And the really hard part is that to come to the right answer for a given site,
the admin has to engage in an analysis exercise for which we're just learning
the vocabulary. Geoff Halprin has a great quantification equation for threats,
along the lines of
(exposure) * (likelihood) = (risk)
which suggests that there's no blanket solution, just a continuum of
effort<->payoff compromises.
--
Eric Sorenson - EXPLOSIVE Networking - http://explosive.net
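The nightly package-convergence run Eric describes above (fetch the kickstart package list, diff it against what is installed, add what is missing, update what is stale, with a per-host splay so the hosts do not all hit the repository at once) can be sketched as a small script. This is an added example, not Eric's pre-processor or any cfengine or yum code; the kickstart.cfg text, the installed-package listing, the repository versions and the hostname are all constructed sample data, and it generalizes slightly beyond the post by also honouring kickstart's `-package` exclusions as removals.

```python
import hashlib

# Constructed sample: the %packages section of a kickstart.cfg as the
# pre-processor would fetch it (hypothetical content, not from the list post).
KICKSTART_CFG = """\
install
%packages
@ Base
cfengine
openssh-server
sudo
-sendmail
%post
echo done
"""

# Constructed sample: what `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\\n'`
# might report on a host (hypothetical versions).
INSTALLED = """\
cfengine 2.0.8-1
sudo 1.6.7p5-1
sendmail 8.12.10-1
"""

# Constructed sample: package versions the repository currently offers.
AVAILABLE = {
    "cfengine": "2.1.3-1",
    "openssh-server": "3.6.1p2-1",
    "sudo": "1.6.7p5-1",
}


def wanted_packages(kickstart_text):
    """Return (wanted, excluded) package names from the %packages section.
    Group lines ('@ Base') are skipped; a leading '-' marks an exclusion."""
    wanted, excluded = [], []
    in_packages = False
    for raw in kickstart_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%"):
            # A new section starts; only %packages is of interest here.
            in_packages = line.split()[0] == "%packages"
            continue
        if not in_packages or line.startswith("@"):
            continue
        if line.startswith("-"):
            excluded.append(line[1:].strip())
        else:
            wanted.append(line)
    return wanted, excluded


def parse_installed(rpm_qa_output):
    """Parse 'NAME VERSION-RELEASE' lines into a dict of installed packages."""
    installed = {}
    for line in rpm_qa_output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def plan(wanted, excluded, installed, available):
    """Compute the actions that converge this host on the kickstart list.
    Version comparison is plain string inequality here (a simplification;
    rpm's real version ordering is more involved)."""
    add, update, remove = [], [], []
    for name in wanted:
        if name not in installed:
            add.append(name)
        elif name in available and available[name] != installed[name]:
            update.append((name, installed[name], available[name]))
    for name in excluded:
        if name in installed:
            remove.append(name)
    return {"add": add, "update": update, "remove": remove}


def splay_seconds(hostname, window=3600):
    """Deterministic per-host offset within the splay window (one hour by
    default), so a nightly cron job spreads across hosts without a shared
    scheduler and a reinstalled host lands at the same slot as before."""
    digest = hashlib.sha256(hostname.encode()).digest()
    return int.from_bytes(digest[:4], "big") % window


if __name__ == "__main__":
    wanted, excluded = wanted_packages(KICKSTART_CFG)
    actions = plan(wanted, excluded, parse_installed(INSTALLED), AVAILABLE)
    print("sleep", splay_seconds("web01.example.com"), "seconds, then:")
    for action, items in actions.items():
        print(action, items)
```

On the constructed data this yields one add (openssh-server), one update (cfengine from 2.0.8-1 to 2.1.3-1) and one removal (sendmail), which is the convergence property the post relies on: a freshly kicked machine and a long-running one end up with the same package set within a day.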