Re: cfengine and revision control


From: Josh Lothian
Subject: Re: cfengine and revision control
Date: Thu, 12 May 2005 14:50:28 -0400
User-agent: Mutt/1.5.6i

On Wed, May 11, 2005 at 12:16:37AM +0300, "Sami J. Mäkinen" wrote:
> Exactly. The trick is, we are using cfagent on the master server(!)
> to produce each overlay tree.
>
> I have split our cfagent.conf into several files,
> and cfagent.conf just says
>
> --- 8< ---
> import:
>   any:: groups.conf
>   any:: control.conf
>   any:: profiles.conf
>   any:: default.conf
> --- 8< ---
>
> The trick is that I generate a new hostname.conf on each loop run.
> I dig the slave hosts from the ppkeys directory and use reverse
> DNS lookup to find the hostnames. If anyone can come up with a more
> elegant and as lazy solution, I am grateful.
>
> This update-magic.sh script must be run each time something is changed
> inside the overlay directory tree called "magic-files".
>
> Then, you have to configure each host to retrieve the overlay tree
> from the master server. You could use either a "copy:" section
> in cfagent.conf or rsync -e ssh. It's your call.
>
> I see a potential security hole here. You should automagically generate
> a suitable cfservd.conf to allow each host to copy only its own overlay
> tree, not others. Otherwise, a knowledgeable person is able to read any
> other host's files on any cfengine client. Just reconfigure cfagent a bit.

This is an extremely cool idea.  The only two problems I have with it:

1) On new host installs, you'd have to run cfagent on the client once
to generate the key, then run the script that generates the overlay on
the server, then re-run cfagent.  That could easily be fixed by having
a script you run before installing a host.

2) This is the bigger problem in our environment.  Defining myhostname
will get you the user-defined classes, however you'll miss out on all the
operating system based classes.  We've got a bunch of AIX and a bunch of
Linux here, and I'd like to have some files that are different between
them, without having to specify somewhere that host X is running OS Y.
I don't know of any good way to solve this problem, unless you already
generate that information and store it centrally.

-jkl
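The cfservd.conf generation Sami suggests above, as an added example that is not part of the thread or of cfengine's own tooling: it walks the cfengine 2 ppkeys directory (key files named `<user>-<ip>.pub`), maps each address to a hostname, and emits a cfservd `admit:` section that grants each client its own overlay subtree and nothing else. The overlay path `/var/cfengine/magic-files`, the hostnames and the 192.0.2.x addresses are constructed for the demonstration, and `lookup_host` is a hypothetical stand-in for the reverse DNS lookup done by the real update-magic.sh.

```shell
#!/bin/sh
# Added example (not from the thread): build a least-privilege cfservd.conf
# "admit:" section from the master's ppkeys directory. All paths, names and
# addresses are constructed for the demonstration.

# Stand-in for reverse DNS. A static table keeps the script runnable offline;
# on a real master this would be something like `getent hosts "$1"`.
lookup_host() {
    case "$1" in
        192.0.2.10) echo "alpha.example.test" ;;
        192.0.2.11) echo "beta.example.test" ;;
        *) return 1 ;;
    esac
}

# Usage: generate_admit <ppkeys_dir> <overlay_root>
# For every <user>-<ip>.pub key file, print one admit line that lets the host
# at <ip> fetch <overlay_root>/<hostname> only. There is deliberately no
# admit line for <overlay_root> itself, which would expose every tree.
generate_admit() {
    ppkeys="$1"; overlay="$2"
    echo "admit:"
    for keyfile in "$ppkeys"/*.pub; do
        [ -e "$keyfile" ] || continue
        base=$(basename "$keyfile" .pub)
        ip=${base#*-}                       # strip the "<user>-" prefix
        if name=$(lookup_host "$ip"); then
            # Admit by address, so serving does not depend on DNS at runtime.
            printf '    %s/%s    %s\n' "$overlay" "$name" "$ip"
        else
            echo "no reverse lookup for $ip, no access granted" >&2
        fi
    done
}

# Constructed ppkeys directory, as left behind once each client has run
# cfagent once against the master. The .99 host has a key but no name.
demo=$(mktemp -d)
mkdir "$demo/ppkeys"
: > "$demo/ppkeys/root-192.0.2.10.pub"
: > "$demo/ppkeys/root-192.0.2.11.pub"
: > "$demo/ppkeys/root-192.0.2.99.pub"

generate_admit "$demo/ppkeys" /var/cfengine/magic-files > "$demo/cfservd.conf"
cat "$demo/cfservd.conf"
```

Because cfservd matches the requested path against the admitted prefix, a client granted `/var/cfengine/magic-files/alpha.example.test` cannot copy from `/var/cfengine/magic-files/beta.example.test`, which is exactly the leak Sami describes. A key without a resolvable name gets no admit line at all rather than a guessed one, so the generated file only ever widens access for hosts you can identify.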



