Forum: CFEngine Help
Subject: Updates to an SVN repository not being detected automatically but OK
on manual run
Author: raymondcox
Link to topic: https://cfengine.com/forum/read.php?3,24701,24701#msg-24701
Hello,

I keep my global sudoers file in a Subversion repository. The idea of this
configuration is to allow various support groups the ability to update the
sudoers file, and still be able to run a sanity check on the file before
pushing it out to all of the servers in our environment.

I can update the sudoers file from any system and sync the changes via svn, and
when I go to my master CF server and run cf-agent -KI it does exactly what I
expect it to do.

The problem that I am having is that it will not do this automatically. I have
tried adding a cron entry to run cf-agent -F every 5 minutes, thinking perhaps
there was something wrong with my timing, but the problem persists.

I started out using a small Perl script as a front end for visudo and svn, but
there were a few occasions where someone ignored the errors from visudo and
committed a bad file anyway. This method should make it more bulletproof,
assuming I can get it to run correctly.

I am including a copy of my promise file; hopefully there is something
glaringly obvious that I have just overlooked.

bundle agent sudoers
{
  classes:
      "phost" or => { classmatch("govcftest05"), };

  vars:
    any::
      "sudoers"      string => "/var/cfengine/cache/etc/sudoers";
      "dist_sudoers" string => "/var/cfengine/cache/sudoers";

    linux::
      "hname"  string => execresult("/bin/hostname -s","useshell");
      "visudo" string => "/usr/sbin/visudo";
      "svn"    string => "/usr/bin/svn";

    aix::
      "hname"  string => execresult("/usr/bin/hostname -s","useshell");
      "visudo" string => "/usr/local/sbin/visudo";

  commands:
    phost::
      # Tell Subversion to update the sudoers file to the latest level
      "$(svn) update $(sudoers)"
        contain => in_shell,
        comment => "Ensure sudoers is up to date",
        classes => if_repaired("sudoers_updated");

      "$(visudo) -c -f $(sudoers) | grep --silent 'OK' && echo +sudoers_ok"
        contain    => in_shell,
        module     => "true",
        comment    => "Ensure sudoers checks out OK",
        ifvarclass => "sudoers_updated";

  files:
    phost::
      "$(dist_sudoers)"
        handle     => "svn_sudoers_checkout",
        comment    => "Only update the enterprise with a new version of sudoers if it passes the visudo -c check",
        copy_from  => remote_cp("$(sudoers)","$(g.phost)"),
        perms      => mog("0440","root","$(g.zerogroup)"),
        ifvarclass => "sudoers_ok";

    any::
      # This promise keeps the sudoers file up to date
      "/etc/sudoers"
        handle    => "update_sudoers",
        comment   => "Copy the global sudoers file down to the clients",
        copy_from => remote_cp("$(dist_sudoers)","$(g.phost)"),
        classes   => if_repaired("updated_sudoers"),
        perms     => mog("440","root","$(g.zerogroup)");

  reports:
    sudoers_updated&!sudoers_ok&phost::
      "The sudoers file failed a visudo test. No sudoers files will be moved into place until corrected!!";
}
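
The gate the post describes (check the checked-out sudoers file, publish it only on a pass), written as a stand-alone shell function. This is an added example, not part of the original post or of CFEngine; the names publish_if_valid and SUDOERS_CHECK and the staging approach are assumptions. It decides on the checker's exit status and validates the staged copy, so the bytes that were checked are the bytes that get published.

```shell
#!/bin/sh
# Added example: publish a candidate sudoers file only if a syntax checker
# accepts it. publish_if_valid and SUDOERS_CHECK are hypothetical names.
# The default checker is "visudo -c -f", the check the promise file runs.
: "${SUDOERS_CHECK:=visudo -c -f}"

# publish_if_valid CANDIDATE DEST
# Returns 0 if DEST now matches CANDIDATE, 1 if the candidate was rejected,
# 2 on usage or I/O errors. DEST is never left half-written.
publish_if_valid() {
    candidate=$1
    dest=$2
    [ -n "$candidate" ] && [ -n "$dest" ] || return 2
    [ -r "$candidate" ] || return 2

    # Nothing to do when the published copy is already identical.
    if [ -f "$dest" ] && cmp -s "$candidate" "$dest"; then
        return 0
    fi

    # Stage next to DEST so the final mv is a rename on the same filesystem.
    tmp=$(mktemp "${dest}.XXXXXX") || return 2
    if ! cp "$candidate" "$tmp"; then
        rm -f "$tmp"
        return 2
    fi
    chmod 0440 "$tmp"

    # Validate the staged copy and decide on the exit status, not on the
    # text the checker prints. $SUDOERS_CHECK is left unquoted on purpose
    # so that "visudo -c -f" splits into a command and its options.
    if ! $SUDOERS_CHECK "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        return 1
    fi

    mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 2; }
    return 0
}
```

A caller would run it as `publish_if_valid /var/cfengine/cache/etc/sudoers /var/cfengine/cache/sudoers` and report when the return code is 1.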