RE: Newbie help with how to implement update andcfagent.conffiles

[Luke Youngblood]

I do have experience with Solaris, although I'm somewhat new to cfengine as
well.  I came up with a procedure to add new Solaris hosts to my cfengine
setup.  This is how I do it.  It might not be the best way, but it works:

1. Install Blastwave pkg-get on the Solaris host.  You can get this at
http://www.blastwave.org.

2. pkg-get -i cfengine (First I do a (pkg-get -i gpgme;pkg-get -i
textutils;wget http://blastwave.org/mirrors.html;gpg --import mirrors.html)
in order to enable GPG signature checking of downloaded packages)

3. cfkey

4. scp -p /var/cfengine/ppkeys/localhost.pub
masterserver:/var/cfengine/ppkeys/root-xxx.xxx.xxx.xxx.pub (client's IP
address goes in the filename)

5. scp -p masterserver:/var/cfengine/ppkeys/localhost.pub
/var/cfengine/ppkeys/root-xxx.xxx.xxx.xxx.pub (server's IP address goes in
the filename)

6. scp -p masterserver:/etc/cfengine/*.conf /tmp (this is where I store the
master cfagent.conf and update.conf)

7. export CFINPUTS=/tmp

8. cfagent

9. Add 0 * * * * /opt/csw/sbin/cfexecd -F to cron

I have to admit I'm a little jealous of the Linux sysadmins out there for
having such a great installer script.  Perhaps someone could share the
script that does this?  I bet it's just an /etc/rc.local or /etc/rcX.d
script that only runs the first time you boot your system, similar to the
script that does an ssh-keygen on your server the first time you boot it.

Hope this helps,

Luke

-----Original Message-----
From: help-cfengine-bounces+lyoungblood=phonechargeinc.com@gnu.org
[mailto:help-cfengine-bounces+lyoungblood=phonechargeinc.com@gnu.org] On
Behalf Of Edward F. Brown
Sent: Wednesday, May 18, 2005 9:40 PM
To: PAUL WILLIAMSON
Cc: help-cfengine@gnu.org
Subject: Re: Newbie help with how to implement update andcfagent.conffiles

> So, from what I gather, this is the what I need to have a
> successful minimalist cfengine environemt in this specific order:

Paul,

Starting simply is a good focus, and your efforts to summarize your
experience may fill a gap in the documentation.

It might be possible to pare your list even more.  I don't have experience
with cfengine on solaris, but on linux anyway, you don't have to run
cfenvd, and you don't need to bother with cfkey, or manually copying keys.
 That is because the init script for cfservd will check for and create
keys if they don't exist.  Also the cfengine package installation scripts
will create keys when the package is installed.  (Hopefully you don't have
to install from source or a tarball everywhere...)  Anyway, whether or not
you have to create keys, you can allow an initial exchange of keys by
using TrustKeysFrom in your cfservd.conf, and trustkey in your very first
copy action in update.conf.  (This really isn't a significant security
issue, as Mark has described here in the past, and is really worthwhile in
terms of making things easier for you.)

Your list places generating cfservd.conf a few steps after starting
cfservd, of course the config file comes first.

As you suggest, getting cfservd running on the policy server, and getting
cfagent working on the same machine, so that it copies from the Master
area to cfengine's working area, is a good first step.  That is, starting
cfagent with just an update.conf and successfully copying and running a
cfagent.conf file.  Then, cfagent running on a remote client.  After that,
you're somewhere beyond writing the Complete Newbie's Guide!

-Ed


_______________________________________________
Help-cfengine mailing list
Help-cfengine@gnu.org
http://lists.gnu.org/mailman/listinfo/help-cfengine