Forum: CFEngine Help
Subject: Re: About "new" templates correct usage or limitations
Author: th
Link to topic: https://cfengine.com/forum/read.php?3,26723,26835#msg-26835

zzamboni Wrote:
-------------------------------------------------------
> This could work as well - although what I was
> describing was using a separate, "master" file or
> template in the first step, rather than the
> already-existing file.

Yes, you're right. Better to secure_cp a "master" file (stored on the policy server, for instance) than to assume the "factory" file exists.

> If you want to have non-CFEngine-managed edits
> (why would you want that?)

For instance, we've got the following problem: for some reason we "have to" dump LDAP PosixAccount entries into the local /etc/passwd and /etc/shadow files. Same for /etc/group. So we've got a generated file storing around 4000 entries which represents an /etc/passwd section.

In such a case, installing - even through CFEngine - a package (let's say apache, for instance) would dynamically add the apache user. Obviously a template would not work here.

Besides, to preserve convergence (or idempotence), you cannot just append the dumped LDAP entries to the local /etc/passwd file. So you've got to _insert_ a file into /etc/passwd (let's say between 2 fake users used as delimiters).

This case, although not involving any template, underlines some issues I was trying to describe:

- the limitation of large-file manipulation, which in turn underlines the same limitation with templates (slow with edit_template or from the second run of expand_template, too large for preserve_block)
- a case where you cannot control everything through CFEngine (although you could add the apache user with a promise, granted)

To sum up the ideas I evoked in this thread. From my point of view:

- I don't speak for edit_template since I at first misunderstood its philosophy - understood now thanks to Mark
- expand_template:
  . why doesn't it empty the file first? (as edit_template does). The cost here is a longer run time starting from the second run.
  . it is missing the [% CFEngine class:: %] tags, the consequence being you've got to define all the to-be-expanded variables in all the classes in your .cf file, even in the classes where you don't want some of these variables defined
- promising a whole file:
  . seems to be a good approach since an incomplete file would not be service ready.
  . 2 options, same strategy (3 stages):
    . copy a template/expand it/copy or rename
    . or copy a "master" file/edit/copy or rename.

    This second option seems to be the best since it has the flexibility that expand_template is missing (as described above): using an array (as in your sshd_config promises), you can define additional array entries for some classes only instead of defining every variable for every class with expand_template. The drawback being:
    . with insert_lines, non-existing inserted lines are appended at the end
    . indentation not controlled by you
    . harder to code than a template, especially if you insert lines into a section (think Host section in ssh config file)

Thanks

--
TH
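
The delimiter-based insertion described in the post above, as an added Python sketch (not CFEngine policy and not code from the thread): the region between two marker accounts is replaced with the LDAP dump, entries outside it (such as a package-added apache user) are left alone, and a second run changes nothing. The marker names `ldapstart`/`ldapend` and the name-collision check are assumptions added here, not something the post specifies.

```python
import os
import tempfile

START, END = "ldapstart", "ldapend"  # hypothetical delimiter account names

def merge_block(current: str, ldap_dump: str, start=START, end=END) -> str:
    """Return `current` with the entries between the two delimiter accounts
    replaced by `ldap_dump`; lines outside the delimiters are untouched."""
    lines = current.splitlines()
    names = [l.split(":", 1)[0] for l in lines]
    if names.count(start) != 1 or names.count(end) != 1:
        raise ValueError("each delimiter entry must appear exactly once")
    i, j = names.index(start), names.index(end)
    if i > j:
        raise ValueError("start delimiter must precede end delimiter")
    block = [l for l in ldap_dump.splitlines() if l.strip()]
    # Added safeguard (assumption): a dumped name must not shadow a local one.
    local = set(names[:i + 1] + names[j:])
    clash = [l for l in block if l.split(":", 1)[0] in local]
    if clash:
        raise ValueError(f"dump collides with local entries: {clash}")
    return "\n".join(lines[:i + 1] + block + lines[j:]) + "\n"

def converge(path: str, ldap_dump: str) -> bool:
    """Rewrite `path` only if needed; return True when a change was made."""
    with open(path) as fh:
        current = fh.read()
    wanted = merge_block(current, ldap_dump)
    if wanted == current:
        return False  # already converged: no write at all
    mode = os.stat(path).st_mode & 0o7777
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")  # created 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(wanted)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, mode)    # keep the original mode (matters for shadow)
        os.replace(tmp, path)  # atomic swap: readers never see a partial file
    except BaseException:
        os.unlink(tmp)
        raise
    return True
```

Ownership is not restored by this sketch; when run as root against files not owned by root, an `os.chown` before the rename would be needed.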