On 03/03/2011 12:25, Max Ivanov wrote:
> Hi all!
> I am a newbie to cfengine and have a probably silly question: do I
> understand right that every host receives all policies for every other
> host managed by cfengine on each update? Which means that my notebook
> contains all rules to configure my servers?
>
> Is there any way to avoid that? If I manage a bunch of VMs and some of
> them are in a DMZ, some not, I don't like the idea that every node has
> access to the configuration of every other server. I understand that it
> can't edit it, but still it worries me :)

Interesting question :)

I have considered the same question from a different point of view: a company that manages servers for several different customers. In this case, you're almost certain that one company should not see the rules from others.

Our approach to this is simply to store the promises in different directories, and use the server configuration to allow access to each directory only by servers that are to use those promises.

For example:

    /srv/cfengine/client1/<promise files here>
    /srv/cfengine/client2/<other promise files here>

And for the cf-serverd promises:

    bundle server access_rules
    {
      access:
        # admit entries are matched as regular expressions
        "/srv/cfengine/client1/"
          admit => { ".*\.client1\.com" };

        "/srv/cfengine/client2/"
          admit => { ".*\.client2\.com" };
    }

Hope this helps,
Jonathan

-- 
==========================================
Jonathan CLARKE
------------------------------------------
Normation
44 rue Cauchy, 94110 Arcueil, France
------------------------------------------
Telephone: +33 (0)1 83 62 41 24
------------------------------------------
Web: http://www.normation.com/
==========================================
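
The client half of the layout described in the reply above, as an added example that is not part of the original message: a client1 host copies only its own directory, and cf-serverd refuses it anything else. The hub name policyhub.example.com, the bundle and body names, and the destination /var/cfengine/inputs are assumptions.

```cf3
# Added example, not from the original post.

# Policy hub: one access promise per customer directory.
# Paths without an access promise are not served at all.
bundle server access_rules
{
  access:
    "/srv/cfengine/client1"
      admit => { ".*\.client1\.com" };

    "/srv/cfengine/client2"
      admit => { ".*\.client2\.com" };
}

# A client1 host: pull only this customer's policy directory.
bundle agent update_client1
{
  vars:
    # Placeholder hub name (assumption)
    "hub" string => "policyhub.example.com";

  files:
    "/var/cfengine/inputs"
      copy_from    => customer_policy("$(hub)", "/srv/cfengine/client1"),
      depth_search => whole_tree;
}

# Remote copy body: compare by digest so changed files are refetched,
# and encrypt the transfer so policy is not readable on the wire.
body copy_from customer_policy(server, dir)
{
  source  => "$(dir)";
  servers => { "$(server)" };
  compare => "digest";
  encrypt => "true";
  verify  => "true";
}

# Recurse through the whole customer directory.
body depth_search whole_tree
{
  depth => "inf";
}
```

If a client1 host asks for /srv/cfengine/client2, no admit entry matches its name and cf-serverd denies the copy, which is the separation the original question asks for.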