Hi all, I finally got an issue resolved regarding some of my systems not trusting a particular server's Cfengine public key, but I wanted to see if anyone has a better solution.
Currently we maintain our master sudoers file on a server whose cf-serverd provides all systems with access to retrieve the master file. Here's the promise (with some simplification for readability):

    linux|(solaris.zone_global.!usr_local_is_nfs)::
      "$(local_sudoers_file)"   # Linux=/etc/sudoers, Solaris=/usr/local/etc/sudoers
        perms     => mo("440", "root"),
        copy_from => remote_copy("/usr/local/etc/sudoers", "lum");

This is the only promise I have that retrieves a file from lum and thus the only promise that would initiate key exchange with lum, meaning that all Solaris non-global zones and the Solaris global zones that NFS mount /usr/local would NEVER retrieve lum's public key and thus never get this file.

To work around this, I created the following bundle:

    bundle agent ensure_lum_is_trusted
    {
      classes:
        "have_lum_public_key"
          expression => fileexists("$(sys.workdir)/ppkeys/root-10.148.44.121.pub");

      files:
        !have_lum_public_key::
          "/tmp/lum.motd"
            copy_from => remote_copy("/etc/motd", "lum");
    }

It just tries to copy a dummy file down from lum. Ironically, the dummy file will never actually be copied, since the first attempt will fail but key exchange will occur, and then there would never be another attempt since the key would then exist on the "client".

So, can anyone see a better way of handling this kind of issue, or is this dummy bundle probably the best solution?

Thanks,
Justin

--
Justin C. Lloyd
Unix Infrastructure Engineer
DigitalGlobe, An Imaging and Information Company
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
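Editor's added example, not code from Justin's post or from CFEngine itself. The dummy-copy bundle above makes the client trust whatever key answers at 10.148.44.121 on the first connection (trust on first use); nothing checks that it is really lum's key. The alternative below seeds the key file into ppkeys out of band and only after checking a fingerprint obtained from the server over a trusted channel, so the sudoers promise connects with the key already trusted and no dummy copy is needed. Assumptions not stated on the page: keys are stored as root-<ip>.pub as the post shows (later CFEngine releases name them differently, so check this against your version), and the "fingerprint" is a SHA-256 of the PEM file, not cf-key's own key digest.

```sh
#!/bin/sh
# Added example, not code from the post above or from CFEngine itself.
# Seeds trust in the cf-serverd host's key out of band, so the client never
# has to accept whatever key answers at that IP on the first connection.
#
# Assumptions (not stated on the page):
#   - keys live in $WORKDIR/ppkeys as root-<ip>.pub, as the post shows;
#   - the "fingerprint" checked here is a SHA-256 of the PEM file, taken on
#     the server and carried over a trusted channel (this is NOT cf-key's own
#     digest; it is just a way to detect a swapped or corrupted key file).

# Print the SHA-256 hex digest of a file, using whichever tool is present.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# have_cfengine_key SERVER_IP PPKEYS_DIR
# The same check the bundle makes with fileexists(): is the key already seeded?
have_cfengine_key() {
    [ -f "$2/root-$1.pub" ]
}

# install_cfengine_key SRC_PUB PPKEYS_DIR SERVER_IP EXPECTED_SHA256
# Verifies SRC_PUB against the out-of-band fingerprint, then installs it as
# PPKEYS_DIR/root-SERVER_IP.pub with mode 0600. Installs nothing and returns
# 1 on an unreadable file or a fingerprint mismatch; re-running on an
# already-installed identical key is a no-op (returns 0).
install_cfengine_key() {
    src=$1; dir=$2; ip=$3; expected=$4
    dest="$dir/root-$ip.pub"

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    actual=$(file_sha256 "$src")
    if [ "$actual" != "$expected" ]; then
        echo "refusing $src for $ip: fingerprint $actual != expected $expected" >&2
        return 1
    fi

    if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
        return 0                      # already trusted, identical content
    fi

    mkdir -p "$dir" || return 1
    tmp="$dest.tmp.$$"                # write then rename: never a half-written key
    cp "$src" "$tmp" && chmod 600 "$tmp" && mv "$tmp" "$dest"
}

# Demonstration on a constructed (not real) key file in a throwaway directory.
demo() {
    work=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PUBLIC KEY-----' \
        'constructed sample, not a real key' \
        '-----END RSA PUBLIC KEY-----' > "$work/lum.pub"
    fp=$(file_sha256 "$work/lum.pub")     # in practice: obtained from the server

    install_cfengine_key "$work/lum.pub" "$work/ppkeys" 10.148.44.121 "$fp" \
        && have_cfengine_key 10.148.44.121 "$work/ppkeys" \
        && echo "seeded root-10.148.44.121.pub"

    # A tampered or mistaken key does not get installed.
    install_cfengine_key "$work/lum.pub" "$work/ppkeys" 10.148.44.122 "0000" \
        || echo "rejected key with bad fingerprint"

    rm -rf "$work"
}

demo
```

Run this as the user cf-agent runs as (normally root) on each client, or from whatever builds the zone or host image, with the fingerprint taken from the server's own copy of its public key. If lum's key is ever regenerated the seeded file must be replaced the same way; the dummy-copy bundle would stop working at that point too, since the stale key would already exist and the class would never fire again.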