I'm writing a policy that will test network firewall rules to make sure basic pieces of infrastructure work. Here's an example of something I have written in policy.

    vars:
      "ntp_service_hosts" slist => { "box1-linkedin.com", "box2-linkedin.com" };

    classes:
      "ntp_udp_failure_$(ntp_service_hosts)" not => returnszero("$(netcat_binary) -u $(ntp_service_hosts) $(udp_port[ntp]) > /dev/null 2>&1","useshell");

So, if this test fails and does not return zero, I want to raise the class "ntp_udp_failure_box1_linkedin_com".

So, the $(ntp_service_hosts) is a slist that I loop through. I want the classname on the left-hand side to be canonified.

Both Canonify:
https://cfengine.com/manuals/cf3-Reference#Function-canonify

And Classify:
https://cfengine.com/manuals/cf3-Reference#Function-classify

are meant to be used on the RHS of a promise, or in an "ifvarclass" statement.

When the policy executes, it does automatically turn it into canonical form, which I can see during verbose execution:

    cf3> =========================================================
    cf3> classes in bundle verify_network_access (1)
    cf3> =========================================================
    cf3>
    cf3> ?> defining explicit local bundle class network_testing_active
    cf3> Class identifier "ntp_udp_failure_box1-linkedin.com" contains illegal characters - canonifying
    ...
    cf3> Initiate variable convergence...
    cf3>
    cf3> + Private classes augmented:
    cf3> + kpasswd_udp_failure_box1_linkedin_com

But having the policy detect an uncanonified class and then convert it to canonical form actually slows the policy down on Linux dramatically. It doesn't on Solaris. I'm not sure why, but I'm guessing the internal parser is churning.

I'd rather just do this right. Any suggestions?

Thanks
Mike
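
One way to get a canonical class name on the left-hand side, as an added example that is not part of the original post: canonify each host once into an array in `vars`, then build the class name from that array. The values of `netcat_binary` and `udp_port[ntp]`, the array name `ntp_canon` and the `reports` promise are assumptions; the post does not show them.

```cfengine
body common control
{
      bundlesequence => { "verify_network_access" };
}

bundle agent verify_network_access
{
  vars:
      # Assumed values; the original post does not show these definitions.
      "netcat_binary" string => "/usr/bin/nc";
      "udp_port[ntp]" string => "123";

      "ntp_service_hosts" slist => { "box1-linkedin.com", "box2-linkedin.com" };

      # canonify() is used on the right-hand side, where it is allowed.
      # One array entry per host, keyed by the raw host name
      # (ntp_canon is a hypothetical name chosen for this example).
      "ntp_canon[$(ntp_service_hosts)]"
        string => canonify("$(ntp_service_hosts)");

  classes:
      # The class name is built from the already-canonified string, so the
      # identifier is legal as written (ntp_udp_failure_box1_linkedin_com)
      # while the command still receives the raw host name.
      "ntp_udp_failure_$(ntp_canon[$(ntp_service_hosts)])"
        not => returnszero("$(netcat_binary) -u $(ntp_service_hosts) $(udp_port[ntp]) > /dev/null 2>&1", "useshell");

  reports:
      # Added for illustration: report each host whose check failed.
      "NTP UDP check failed for $(ntp_service_hosts)"
        ifvarclass => "ntp_udp_failure_$(ntp_canon[$(ntp_service_hosts)])";
}
```

With this layout a verbose run should no longer show the "contains illegal characters - canonifying" message for these classes, which is a quick way to confirm the names are canonical before the promise is evaluated.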