On 04/30/2012 09:24 AM, no-re...@cfengine.com wrote:
> Giving developers root access to development machines is a known evil.  
> I would rather not give root access to people who aren't 
> administrators, but in reality, this doesn't happen.  
> 
> Folks that run QA, performance environments, etc. want to be able to 
> do basic administration to infrastructure they "own."  Cfengine still
> runs on these machines, because ultimately, we still own them as well.  

I have environments with a similar situation. I have those attached to a
different policyhub and it's basically a dev environment. I try to accept
that business thinks it's important for them to have root access so
business must trust them or give me sufficient information to let them
do what they need without getting root access. I haven't convinced
myself yet but that's what I chant :)

> By splitting policies up to a per-host level, I just see the huge
> additional load in Cfengine administration.  The power of using
> automation is that you write policies as generically as possible and
> bring your entire datacenter into convergence.  If you split
> configuration up into small identical chunks, administration overhead
> goes way up on where changes need to be made in policy files +
> complexity.  I don't think this is the right approach.

My environments are largely heterogeneous. For that and to make things
easier for other people to understand I have a configuration policy file
per node. That's where I configure the network settings for the host and
it gives me a convenient place to put node-specific information or other
node-specific one-off configurations. It works for my environments but
it can be painful if I change a swath of nodes since I need to edit
multiple files.

Can you break your policy into groups and achieve similar? Even without
going to the host specific level?

I am interested in what you are doing now. And I think some mechanism to
obfuscate the policy from a casual browser could be a useful option.
-- 
Nick Anderson <n...@cmdln.org>
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
