Re: Tiered admins with cfengine
From: Mark McCullough
Subject: Re: Tiered admins with cfengine
Date: Thu, 13 Oct 2005 09:22:57 -0500

On Thu, 2005-10-13 at 09:56 -0400, Jason Edgecombe wrote:
> Basically, how can we partition the cfengine set up between admins, but
> still inherit a config from central IT? Do we have to use different
> cfengine servers for this?

I've used two different approaches...

1. Totally unrelated cfengine repositories.

2. Assume there are a small number of truly trusted admins who are
authorized to have root on all the systems in question, but are not the
primary SAs. Create a master cfengine config file that imports a groups
file and an "imports" file like so:

cfagent.conf...

import:
    cf.grouplist.main
    cf.imports

In your cf.imports list, you can then specify by group which servers
import which files...

cf.imports...

import:
    college1::
        cf.college1
    group2::
        cf.group2

Then it is simply a matter of giving write access to the source files of
those specific files. I try hard to keep my source files in a directory
outside of /var/cfengine/inputs/. In my case, I
use /usr/depot/cfengine/. That way cfengine does not get picky that
someone other than root can write to the file. It is explicit who can
write to the file by group membership on the trusted central host.

--
mmccul@earthlink.net Mark McCullough
"To announce that there must be no criticism of the President, or that
we are to stand by the President, right or wrong, is not only
unpatriotic and servile, but is morally treasonable to the American
public." (Theodore Roosevelt, 1918)
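
An added example, not part of the original message: a POSIX shell check of the write-access model described above, run against the source directory on the trusted central host. The function name, the file:group argument format, the Unix group names, and the rules that master files and directories must not be group-writable are all assumptions.

```shell
# Added example, not from the original message. Assumptions: the function
# name, the file:group argument format, Unix group names, and the rules that
# master files and directories must not be group-writable.
#
# audit_sources DIR "MASTER FILES" FILE:GROUP...
# e.g. audit_sources /usr/depot/cfengine \
#        "cfagent.conf cf.grouplist.main cf.imports" \
#        cf.college1:college1 cf.group2:group2
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_sources() {
    dir=$1; masters=$2; shift 2
    bad=0
    report() { echo "FINDING: $*"; bad=1; }

    # Nothing may be world-writable.
    ww=$(find "$dir" ! -type l -perm -0002)
    if [ -n "$ww" ]; then report "world-writable: $ww"; fi

    # A group-writable directory lets its members replace any file in it,
    # including the master files, whatever the file modes say.
    gd=$(find "$dir" -type d -perm -0020)
    if [ -n "$gd" ]; then report "group-writable directory: $gd"; fi

    # Master files decide who imports what: owner-writable only.
    for f in $masters; do
        if [ ! -f "$dir/$f" ]; then
            report "$f: missing"
        elif [ -n "$(find "$dir/$f" -perm -0020)" ]; then
            report "$f: master file is group-writable"
        fi
    done

    # Delegated files: right group, and that group can actually write.
    for pair in "$@"; do
        f=${pair%%:*}; grp=${pair#*:}
        if [ ! -f "$dir/$f" ]; then
            report "$f: missing"
        elif [ -z "$(find "$dir/$f" -group "$grp" 2>/dev/null)" ]; then
            report "$f: group is not $grp"
        elif [ -z "$(find "$dir/$f" -perm -0020)" ]; then
            report "$f: not writable by group $grp"
        fi
    done
    return $bad
}
```

Running it from cron on the central host, before the sources are copied into /var/cfengine/inputs/, turns a permission drift into a report instead of a silent change in who controls which file.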