[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cfengine and revision control

From: Sami J. Mäkinen
Subject: Re: cfengine and revision control
Date: Wed, 11 May 2005 00:16:37 +0300
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041217

Luke Youngblood wrote:
I read your discussion link before I did my setup, and was put off a little
bit by the strange hostnames (no offense intended, but it's much easier to
understand an example configuration when the hostnames are similar to the
server role, eg. DNS servers are called ns1 and ns2, etc.)  Also, the script
was called!!! :-)

Ha. No sense of humour. .-)
OK, I was lazy. I did not edit the hostnames to be friendly.

Anyway, I would be very much interested in seeing the scripts you use on the
master server to generate the master overlay for each host.  This seems like
a very nice solution which allows you to verify file integrity for each
server, without having to hand-code a copy statement for each file, and also
not sharing passwd/shadow information with servers in other departments that
shouldn't see that information.

Exactly. The trick is, we are using cfagent on the master server(!)
to produce each overlay tree.

I have split our cfagent.conf into several files,
and cfagent.conf just says

--- 8< ---
  any:: groups.conf
  any:: control.conf
  any:: profiles.conf
  any:: default.conf
--- 8< ---

Then, my script called is:

--- 8< ---
export PATH


# Some sanity checks
[ `uname -n` = "aarpora" ] || exit 1
[ `id -u` -eq 0 ] || exit 1

cd $srcdir || exit 1
rsync -var --exclude CVS --delete --delete-excluded \
    magic-files scripts $dstdir/
rsync -var --exclude CVS --delete --delete-excluded \
    inputs $cfdir/

cd $cfdir/ppkeys || exit 1
for k in root-*.pub
    ip=`echo $k | sed -e 's/^root-//' | sed -e 's/\.pub$//'`
    h=`host $ip | awk '{print $5}' | cut -d. -f 1 | sed -e 's/g$//'`
    mkdir -p $dstdir/magic/$h/overlay || exit 1
    cd $cfdir/inputs || exit 1
    echo "control:" > hostname.conf
    echo "  myhostname = ( $h )" >> hostname.conf
    cfagent --file customize.conf --no-hard-classes --define $h
exit 0
--- 8< ---

The trick is that I generate a new hostname.conf on each loop run.
I dig the slave hosts from the ppkeys directory and use reverse
DNS lookup to find the hostnames. If anyone can come up with a more
elegant and as lazy solution, I am grateful.

This script must be run each time something is changed
inside the overlay directory tree called "magic-files".

My customize.conf input for cfagent is like this:

--- 8< ---
  any:: hostname.conf
  any:: groups.conf
  any:: profiles.conf
  any:: customizerun.conf

  actionsequence = ( shellcommands files )

... and some mandatory variable definitions.
--- 8< ---

The nice thing here is that we are using the same groups.conf
and profiles.conf on the central server and the clients.

The real magic is in customizerun.conf, like this:

--- 8< ---
    "/bin/sh -c 'echo $(host_profile) > $(dstdir)/$(myhostname)/host_profile'" 
    "/bin/sh -c 'echo $(net_profile) > $(dstdir)/$(myhostname)/net_profile'" 
    "/bin/sh -c 'echo $(flavor_profile) > 
$(dstdir)/$(myhostname)/flavor_profile'" timeout=2

    "$(workdir)/master/scripts/ $(myhostname)" 

     $(dstdir)/$(myhostname)/overlay/etc/passwd         mode=444 o=root g=root 
     $(dstdir)/$(myhostname)/overlay/etc/shadow         mode=400 o=root g=root 
     $(dstdir)/$(myhostname)/overlay/etc/group                  mode=444 o=root 
g=root action=fixall
     $(dstdir)/$(myhostname)/overlay/etc/gshadow                mode=400 o=root 
g=root action=fixall
     $(dstdir)/$(myhostname)/overlay/etc/sudoers                mode=440 o=root 
g=root action=fixall

--- 8< ---

Are you more satisfied with the script names here?
No more customize-me-harder, customize-them-gently instead.
That was put forward by a colleague, to be honest. :)

Awwww, I would be stoopid to include the rest of the shellscripts here,
please have a look here instead:

Then, you have to configure each host to retrieve the overlay tree
from the master server. You could use either a "copy:" section
in cfagent.conf or rsync -e ssh. It's your call.

I see a potential security hole here. You should automagically generate
a suitable cfservd.conf to allow each host to copy only its own overlay tree,
not others. Otherwise, a knowledgeable person is able to read any other host's
files on any cfengine client. Just reconfigure cfagent a bit.

Regards from a maniac sysadmin,


reply via email to

[Prev in Thread] Current Thread [Next in Thread]