[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bootstrapping <= LDAP and authority

From: Chip Seraphine
Subject: Re: Bootstrapping <= LDAP and authority
Date: Thu, 19 Feb 2004 13:33:29 -0600
User-agent: KMail/1.5

On Thursday 19 February 2004 11:13, Luke A. Kanies wrote:
> At my last client, I had something like 40 unique host types, and the
> heirarchy was probably about 5 levels deep.  This was an organization with
> less than 100 hosts.  These host classes were used for all decision making
> -- what packages to install, what processes to start, what filesystems to
> create, what config files to load, etc.
> Yes, I could build an equivalent logic system outside of cfengine, but why
> would I?  I would then have to maintain a different interpreter; I know,
> because that's what I was doing.  I have complete cross-pollination
> between cfengine and ISconf -- cfengine got all of ISconf's types via a
> module, and ISconf received all of cfengine's types on the CLI.

We're shooting at the notion of having such information living in LDAP, and 
cfengine gets it via a module query.   The reason for this is twofold:

a) Authority.  (Example:  Do I know machine X is a DNS because it is running 
BIND, or do I know it should be running BIND because my cfagent.conf says 
its "dnsserver" class is set?)   Always a big problem; cfengine likes being 
an authority source and is good at it.  So does/is LDAP, but LDAP is more 
flexible and understanding of hierarchy.  (Cfengine code degenerates into 
spaghetti and sequence-of-events hell if you try to get too abstract, IME.)  
Besides, having cfengine convey the information in it's groups: section to 
an LDAP server is less cumbersome than the other way around, so if you have 
both cfengine and LDAP but only want one to be authoritative the easiest 
way is to make your LDAP database the ubermaster from which all data 

b) Interface.  Unfortunately, if you have a lot of detail in your configs 
you also see a lot of changes.  Cfengine's syntax is good for what it does, 
but a single RCS'd cfengine file does not make an ideal enterprise 
configuration interface for a large team of admins (especially if a few of 
them tend to be prone to injecting syntax errors).   There are some nice 
tools out there for updating/adding to LDAP databases, and it is easy to 
whip up your own web-gui or whatever.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]