On Tue, Nov 22, 2011 at 8:40 PM, <no-re...@cfengine.com> wrote:

> Forum: CFEngine Help
> Subject: Re: Applying a promise to all hosts in a network from a single
> policy server.
> Author: phnakarin
> Link to topic: https://cfengine.com/forum/read.php?3,24036,24041#msg-24041
>
> You should have a promise to pull the files from the hub. This process
> is considered to be done before executing your main policy.
>
> For example, I put an update promise in a file called failsafe.cf and my
> client will pull the latest policy from hub:/var/lib/cfengine3/masterfiles
> to clients:/var/lib/cfengine3/inputs
>
>
> # Example contents of failsafe.cf
> body common control
> {
>  bundlesequence => { "update" };
> }
>
> bundle agent update
> {
>  files:
>   "/var/lib/cfengine3/inputs"
>           comment => "Copy policy updates from master source on policy server",
>         copy_from => u_rcp("/var/lib/cfengine3/masterfiles","10.130.221.138"),
>      depth_search => u_recurse("inf"),
>      file_select  => u_input_files;
> }
>
> ###
>
> body file_select u_input_files
> {
>  leaf_name => { ".*\.cf",".*\.dat",".*\.txt" };
>  file_result => "leaf_name";
> }
>
> body copy_from u_rcp(from,server)
> {
>  source      => "$(from)";
>  compare     => "digest";
>  # trustkey: accept the server's public key if it is not yet known
>  trustkey    => "true";
>
> !am_policy_hub::
>
>  servers => { "$(server)" };
> }
>
> body depth_search u_recurse(d)
> {
>  depth => "$(d)";
>  exclude_dirs => { "\.svn" };
> }
>
>
> and run it like this: "cf-agent -f failsafe.cf && cf-agent -f promises.cf"
>
> I don't use a package provided by Ubuntu, but CFEngine AS (
> http://www.cfengine.com). I notice that the working directory is different
> (confusing for me indeed). Anyhow, I would suggest using a package from
> the site because they introduce a simple way to bootstrap clients to the
> hub. You would probably have your system (client-server) running in 5
> minutes.
>
> Cheers,
> --Nakarin
>
>

Hi Nakarin,

Thanks for the reply; it was helpful.

I am now able to copy the filecreate.cf promise from the
/var/lib/cfengine3/masterfiles
directory on the cf engine policy server to the /var/lib/cfengine3/inputs/
on the client.

I am left with a few questions.

1) Is it possible for the cfengine3 server to choose which policies it
needs to give to a particular client?

This is to ensure that any client does not pull more promises than what it
needs to know (about other promises meant for other clients) that exist on
the policy server.

I am looking at some kind of server-level access control meant to restrict
access to a set of promises to only one client or one group of clients.

Or, in other words:

1) How does the cfengine3 server secure itself against unauthorised client
access as well as unauthorised access to promises not meant for that
particular client while the same promise may be applicable to another
client?


2) How can cf-agent be scheduled on the clients to periodically poll
the server to access promise files only meant for it?


Regards,


-- 
Vivek Varghese Cherian
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
