help-cfengine

Re: Configuration now working... [Was Re: Configuration Nightmare]


From: Luke A. Kanies
Subject: Re: Configuration now working... [Was Re: Configuration Nightmare]
Date: Thu, 27 May 2004 00:37:36 -0500 (CDT)

On Wed, 26 May 2004, Cory Omand wrote:

> So, in this case, I cannot import a file which defines groups which are
> used in the file which did the import.  Is this still current for
> 2.1.3+, or is the doc out of date?

That is correct, and likely will be indefinitely.

I recommend you make your cfagent.conf look something like the following:

import:
        groups.cf
        imports.cf

Put all of your group definitions into groups.cf, and import all other important files (or just do the work) in imports.cf. This is essentially the only consistent way to make all classes available throughout the configuration.

> Thanks -- your reply has got me back on track.  I was losing hope ;).
> My next big issue is bootstrapping, which I realize is the topic of your
> next ONLamp article.  This is my main concern, as I need this to happen
> automatically on the last phase of a Solaris Jumpstart operation.

Heh, bootstrapping is for a "later" article. :) My next article will be a simple example of editfiles, mainly to add it to the crontab.

I would like to have the bootstrapping article done soon, though.

> We frequently release new client OS images, and if we regenerated the
> client key every time the image was changed, we would have to update the
> public key on the server manually, correct?

Yes.

> How do other people work around this?  As my setup is isolated, network
> wise, from any outside attackers, I was considering just using trust to
> allow any client to request updates from the server.  Of course, I say
> that without really knowing how to do it -- I've just seen some
> conversations regarding trust setups on this list, but have no
> details...

You configure trust using 1) TrustKeysFrom in cfservd.conf (I think that's the variable, but the reference on cfengine.com seems not to mention it) 2) trustkey in copy. It's not terribly complicated, but know that once you have a server's public key, trust is never used again, which means that if a server gets rebuilt you _must_ remove the old public key (or restore the old private key to the server).

> P.S. Is there somewhere to find examples of real-world configurations
> *other* than the iu example in the reference material?

My ISconf tarball on sourceforge.net (under the isconf project) has a sizeable example configuration. With prompting, I could make that available as a separate download.

I should probably just go ahead and make my configuration publicly available, even though it doesn't do much right now (I manage about 4 machines with it at home right now).

--
"Like frozen sentries of the serengeti, the century-old termite mounds
had withstood all tests of time and foe - all tests, that is, except
the one involving drunken aardvarks and a stolen wrecking ball."
                -- Gary Larson
---------------------------------------------------------------------
Luke Kanies | http://abstractive.org | http://reductiveconsulting.com
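
The two trust settings named in the message above, shown on both sides of a cfengine 2 setup. This is an added example, not part of the original post or of the author's configuration; the domain, host name, subnet and file paths are placeholders chosen for illustration.

```cfengine
######################################################################
# cfservd.conf on the policy server (placeholder values throughout)
######################################################################
control:
   domain               = ( example.org )

   # Only the provisioning subnet may connect at all.
   AllowConnectionsFrom = ( 192.168.10.0/24 )

   # Accept a previously unseen client public key only from that same
   # subnet. Keep this list as narrow as the install network allows:
   # every address in it can enrol itself without an operator copying
   # a key by hand.
   TrustKeysFrom        = ( 192.168.10.0/24 )

admit:
   /var/cfengine/masterfiles   *.example.org

######################################################################
# update.conf on a freshly imaged client
######################################################################
control:
   actionsequence = ( copy )
   domain         = ( example.org )
   policyhost     = ( cfserver.example.org )
   workdir        = ( /var/cfengine )
   master_cfinput = ( /var/cfengine/masterfiles/inputs )

copy:
   # trustkey=true accepts the server's public key on first contact.
   # Once a key for that server is stored on the client, trust is not
   # consulted again: after a server rebuild, remove the stored key on
   # each client or restore the server's old private key.
   $(master_cfinput)   dest=$(workdir)/inputs
                       server=$(policyhost)
                       r=inf
                       mode=700
                       type=binary
                       trustkey=true
```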



