Aleksey, you are the BOMB! Thank you my friend. We should meet up for beers in the near future. I hear it's good for "social networking." ;-)

Cheers! (no pun intended)

Mike

On 10/5/12 5:20 AM, "Aleksey Tsalolikhin" <atsaloli.t...@gmail.com> wrote:

>On Thu, Oct 4, 2012 at 4:19 PM, Mike Svoboda <msvob...@linkedin.com>
>wrote:
>> I'm writing a policy that will test network firewall rules to make sure
>> basic pieces of infrastructure work. Here's an example of something I
>> have written in policy.
>>
>>
>> vars:
>>   "ntp_service_hosts" slist => { "box1-linkedin.com", "box2-linkedin.com" };
>>
>> classes:
>>   "ntp_udp_failure_$(ntp_service_hosts)" not =>
>>     returnszero("$(netcat_binary) -u $(ntp_service_hosts) $(udp_port[ntp]) > /dev/null 2>&1", "useshell");
>
>You could use a commands promise to run netcat. Then set a class
>based on the outcome (exit status). That would give you a chance to
>canonify the class on the RHS.
>
>
>Reference manual says:
>If none of the attributes kept_returncodes, repaired_returncodes, or
>failed_returncodes are set, the default is to consider a return code
>zero as promise repaired, and nonzero as promise failed.
>
>
>So look into
>
>kept_returncodes
>repaired_returncodes
>failed_returncodes
>
>netcat returning 0 could be added to "failed_returncodes", as that's a
>deviation from policy that CFEngine cannot repair.
>
>Here is a working example:
>
>{{{
>
>body common control {
>
>inputs => { "/var/cfengine/inputs/cfengine_stdlib.cf" };
>
>}
>
>bundle agent example {
>
>commands:
>
> "/bin/true"
>
> classes => success_is_failure("monkey brains"),
> comment => "probe the firewall to make sure holes are plugged.
>probes should *not* succeed!";
>
>reports:
> monkey_brains::
> "DANGER!!!";
>}
>
>body classes success_is_failure(x)
>{
>failed_returncodes => { "0" };
>repair_failed => { canonify("$(x)") };
>}
>
>}}}
>
>
>Best,
>Aleksey

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
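As an added example (not code from either poster), here is the commands-promise approach from Aleksey's reply carried through for Mike's original case: one netcat probe per host in the slist, with the exit status mapped to a canonified per-host class and reported. It relies only on the default quoted from the reference manual (exit 0 = repaired, nonzero = failed), so no `*_returncodes` attribute is needed; `in_shell` is the contain body from `cfengine_stdlib.cf`. The hostnames, the netcat path and the port are constructed placeholders, and `-z` assumes a netcat that supports zero-I/O scanning. One caveat on the check itself: UDP has no handshake, so a netcat UDP probe can only fail when an ICMP unreachable comes back; a "success" proves the packet left and was not refused, not that the NTP service answered.

```cfengine3
body common control {
  inputs         => { "/var/cfengine/inputs/cfengine_stdlib.cf" };
  bundlesequence => { "probe_ntp_reachability" };
}

bundle agent probe_ntp_reachability {
vars:
  # Constructed placeholders: substitute the real NTP servers and netcat path.
  "ntp_service_hosts" slist  => { "ntp1.example.com", "ntp2.example.com" };
  "netcat_binary"     string => "/usr/bin/nc";
  "udp_port[ntp]"     string => "123";

commands:
  # The promise iterates once per host. With no *_returncodes attribute set,
  # exit 0 counts as "repaired" and nonzero as "failed", so the classes body
  # only has to map those two outcomes to per-host class names.
  "$(netcat_binary) -u -z $(ntp_service_hosts) $(udp_port[ntp]) > /dev/null 2>&1"
    contain => in_shell,
    classes => probe_outcome("ntp_udp_ok_$(ntp_service_hosts)",
                             "ntp_udp_failure_$(ntp_service_hosts)");

reports:
  # Hostnames contain dots, so the class names must be canonified here as well.
  "NTP UDP probe to $(ntp_service_hosts) succeeded"
    ifvarclass => canonify("ntp_udp_ok_$(ntp_service_hosts)");

  "NTP UDP probe to $(ntp_service_hosts) FAILED: check the firewall rules"
    ifvarclass => canonify("ntp_udp_failure_$(ntp_service_hosts)");
}

# Maps a command's outcome to caller-supplied class names. canonify() turns
# "ntp_udp_ok_ntp1.example.com" into "ntp_udp_ok_ntp1_example_com".
body classes probe_outcome(ok, failed)
{
  promise_repaired => { canonify("$(ok)") };
  repair_failed    => { canonify("$(failed)") };
}
```

Run it with `cf-agent -KI -f ./probe_ntp.cf` (the filename is an assumption). If the intent is Aleksey's reading, that a probe must *not* get through, swap the two arguments or use a body with `failed_returncodes => { "0" }` as in his example, so that a reachable port raises the failure class instead.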