Ok, take 3. It turns out, due to how Cfengine does changes in memory and
compares that to the on-disk file, I don't even need to do the class
check. Just comment all of the pam_password lines out and then do the
uncomment_first_occurrence. The two replace_patterns promises together
ARE convergent. :)

Justin 
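Added illustration, not code from the thread or from CFEngine itself: a small Python model of the three pieces discussed in this thread. It models the two-pass "comment every pam_password line, then uncomment the first clear one" edit from take 3, the uncomment-only edit that the original post says is not convergent, and the reglist() class check from the earlier reply. It runs on a constructed copy of the /etc/ldap.conf excerpt and on a constructed vendor-default file where "pam_password md5" is live. The regexes are anchored to the start of each line, which is an assumption of this model rather than a description of how CFEngine's replace_patterns matches.

```python
import re

# Constructed sample: the pam_password lines from the /etc/ldap.conf excerpt in the
# thread, where "pam_password clear" is already the only live line.
LDAP_CONF_CORRECT = """\
#pam_password clear
#pam_password crypt
#pam_password clear_remove_old
#pam_password nds
#pam_password racf
#pam_password ad
#pam_password exop
#pam_password_prohibit_message Please visit http://internal to change your password.
#pam_password ad
#pam_password ad
#pam_password ad
#pam_password clear
pam_password clear
"""

# Constructed sample: a fresh install where the vendor default "pam_password md5" is live.
LDAP_CONF_DEFAULT = """\
#pam_password clear
#pam_password crypt
pam_password md5
#pam_password ad
"""

DESIRED_METHOD = "clear"

# A live (uncommented) "pam_password <method>" line.  Anchored at the start of the
# line (model assumption) so an already-commented line is never commented twice;
# "pam_password_prohibit_message" does not match because whitespace is required.
LIVE_PAM_PASSWORD = re.compile(r"^(pam_password\s+\S+)")


def comment_all_pam_password(lines):
    """Pass 1 of the 'take 3' policy: comment out every live pam_password line."""
    return [LIVE_PAM_PASSWORD.sub(r"# \1", line) for line in lines]


def uncomment_first(lines, method=DESIRED_METHOD):
    """Pass 2: model of uncomment_first_occurrence (occurrences => "first").

    The regex mirrors the thread's "#\\s*(pam_password\\s+$(method))\\b.*"; the
    word boundary keeps "clear" from matching "clear_remove_old".
    """
    pat = re.compile(r"^#\s*(pam_password\s+" + re.escape(method) + r")\b.*")
    out, done = [], False
    for line in lines:
        m = None if done else pat.match(line)
        if m:
            out.append(m.group(1))   # the $(match.1) back-reference
            done = True
        else:
            out.append(line)
    return out


def apply_policy(text, method=DESIRED_METHOD):
    """One agent run of the two replace_patterns promises, in order."""
    lines = comment_all_pam_password(text.splitlines())
    lines = uncomment_first(lines, method)
    return "\n".join(lines) + "\n"


def uncomment_only(text, method=DESIRED_METHOD):
    """The rejected approach: uncomment_first_occurrence on its own."""
    return "\n".join(uncomment_first(text.splitlines(), method)) + "\n"


def run_n(text, n, step):
    """Apply an edit step n times, as n successive agent runs would."""
    for _ in range(n):
        text = step(text)
    return text


def live_pam_password_lines(text):
    return [l for l in text.splitlines() if LIVE_PAM_PASSWORD.match(l)]


def is_convergent(text, step):
    """Convergent here means: a second run changes nothing."""
    once = step(text)
    return step(once) == once


def method_is_correct(text, method=DESIRED_METHOD):
    """Model of the reglist() class: readstringlist() with comment pattern "#.*"
    drops comments, then reglist() must match a whole remaining line."""
    stripped = (re.sub(r"#.*", "", l) for l in text.splitlines())
    return any(re.fullmatch(r"pam_password\s+" + re.escape(method), l) for l in stripped)


if __name__ == "__main__":
    for name, conf in (("correct", LDAP_CONF_CORRECT), ("default", LDAP_CONF_DEFAULT)):
        print(name, "two-pass convergent:", is_convergent(conf, apply_policy),
              "live after run:", live_pam_password_lines(apply_policy(conf)))
    print("uncomment-only live lines after 1 and 2 runs:",
          len(live_pam_password_lines(run_n(LDAP_CONF_CORRECT, 1, uncomment_only))),
          len(live_pam_password_lines(run_n(LDAP_CONF_CORRECT, 2, uncomment_only))))
```

On the constructed files the two-pass edit leaves exactly one live "pam_password clear" line and a second run changes nothing, whereas the uncomment-only edit wakes up one more commented "pam_password clear" line on every run.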

-----Original Message-----
From: help-cfengine-boun...@cfengine.org
[mailto:help-cfengine-boun...@cfengine.org] On Behalf Of Justin Lloyd
Sent: Friday, March 05, 2010 6:23 PM
To: help-cfengine@cfengine.org
Subject: RE: edit_line replace_with convergence issue

Never mind, I solved my own problem. After I wrote it up and sent it, I
started an email to my team about this issue, and it was then that the
solution dawned on me. To avoid the convergence issue, I just needed a
class to restrict when the non-convergent replacement could happen by
first reading the file to determine if the correct pam_password entry
was already in place, i.e. something like this (I've tested it with a
complete, more robust version):

vars:
    # read /etc/ldap.conf line by line, dropping "#..." comments
    "ldap_conf" slist => { readstringlist("/etc/ldap.conf", "#.*", "[\n]", 300, 10000) };

classes:
    # true when an uncommented "pam_password clear" line already exists
    "pam_password_method_is_correct" or => { reglist("@(ldap_conf)", "pam_password clear") };

Then I just use !pam_password_method_is_correct on the replace_patterns
promise.

I do something similar in determining whether a Solaris system is
automounting /usr/local (I know, I know...) by reading /etc/auto_direct,
which is where I got this inspiration.

Hope this helps others in the future. :)

Justin

-----Original Message-----
From: help-cfengine-boun...@cfengine.org
[mailto:help-cfengine-boun...@cfengine.org] On Behalf Of Justin Lloyd
Sent: Friday, March 05, 2010 5:14 PM
To: help-cfengine@cfengine.org
Subject: edit_line replace_with convergence issue

According to the documentation, the following is not convergent:

bundle agent ensure_pam_passwords_clear {
    files:
        "/etc/ldap.conf"
            edit_line => pam_password("clear");
}

bundle edit_line pam_password(method) {
    replace_patterns:
        # haven't tested whether PCRE zero-width negative lookahead assertions work in Nova
        "(pam_password (?!$(method)))"
            replace_with => comment_lines_matching; # in cfengine_stdlib.cf

    replace_patterns:
        "#\s*(pam_password\s+$(method))\b.*"
            replace_with => uncomment_first_occurrence;
}

body replace_with uncomment_first_occurrence {
    replace_with => "$(match.1)";
    occurrences => "first"; # NOT CONVERGENT!
}

Multiple applications of the uncomment_first_occurrence body could match
a different line in the file each time. So here's my problem.

[r...@gdcscf3lgmt01 masterfiles.devel]# grep pam_password /etc/ldap.conf
#pam_password clear
#pam_password crypt
#pam_password clear_remove_old
#pam_password nds
#pam_password racf
#pam_password ad
#pam_password exop
#pam_password_prohibit_message Please visit http://internal to change your password.
#pam_password ad
#pam_password ad
#pam_password ad
#pam_password clear
pam_password clear
[r...@gdcscf3lgmt01 masterfiles.devel]#

This /etc/ldap.conf file is correct for our environment since it has a
"pam_password clear" line uncommented, and that is the only pam_password
line that is uncommented. However, not all systems, especially new ones,
will have this correct configuration. Many will have "pam_password md5"
uncommented by default. (In fact, the line that is uncommented used to
say md5 but we had a script edit the line.)

So how do I implement a convergent policy to ensure a single
pam_password line is uncommented and reads "pam_password clear"? My
preference is to just modify the standard file as little as needed since
I prefer to avoid fully controlling files in order to stay with defaults
where possible, and we never know when a vendor will make important
changes to a file that we could wipe out unintentionally.

-- 
Justin C. Lloyd 
Unix Infrastructure Engineer 
DigitalGlobe, An Imaging and Information Company




_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine