This has been an ongoing problem in our environment. Local admins need to make a change to a system (for example, start httpd) and cfengine goes in and blows away the changes. Traditionally, the local administrator had no choice at that point but to disable cfengine on the box to allow their config to stick around.
We're working on some new policy now that splits our systems into different "levels" of cfengine "awareness". "Standard" systems run all of the available policy. But there are three other classes we can assign systems to that shutdown cfengine's awareness of certain services. That way, we can keep cfengine enabled, but have it ignore certain "chunks" of policy to allow for some degree of local autonomy on one-off boxes. It's certainly not a perfect solution, but it's the best we could come up with in the time we had to implement it. Paul Krizak 7171 Southwest Pkwy MS B200.3A Senior Systems Engineer Austin, TX 78735 Advanced Micro Devices Desk: (512) 602-8775 Linux/Unix Systems Engineering Cell: (512) 791-0686 Silicon Design Division Fax: (512) 602-0468 On 02/01/10 11:47, Justin Lloyd wrote: > Hi all, > > For those of you who are part of a team that manage a Cfengine-based > environment, how do you prevent people from making local changes to > things that are managed by Cfengine, thus causing local changes to get > wiped out? For example, if Cfengine manages all NFS mounts in /etc/fstab > on Linux systems and someone manually adds such an entry to a host which > Cfengine later wipes out when enforcing just its specified NFS mounts. > Things that come to mind are: > > · Change Control - well-defined dept/company procedures for change > approval, and all changes to systems should be done only through > Cfengine policy, never locally on any system > > · Automated Comments - have Cfengine add comment headers to files it manages > > · Documentation - thoroughly and clearly comment the policy files and > also create external documentation, such as an easily searchable wiki, > that people can read to find out what is managed by Cfengine > > · Training and Communications - teach the team what is managed by > Cfengine and have good communications channels (email list, team > meetings, etc.) to review when the policy is updated to manage new things > > Let me know if you have other ideas and how well they’ve worked for you. > > Thanks, > > Justin > > This electronic communication and any attachments may contain confidential > and proprietary > information of DigitalGlobe, Inc. If you are not the intended recipient, or > an agent or employee > responsible for delivering this communication to the intended recipient, or > if you have received > this communication in error, please do not print, copy, retransmit, > disseminate or > otherwise use the information. Please indicate to the sender that you have > received this > communication in error, and delete the copy you received. DigitalGlobe > reserves the > right to monitor any electronic communication sent or received by its > employees, agents > or representatives. _______________________________________________ Help-cfengine mailing list Help-cfengine@cfengine.org https://cfengine.org/mailman/listinfo/help-cfengine
