Cfengine Help: Re: installing particular package versions
Forum: Cfengine Help
Subject: Re: installing particular package versions
Author: Metabaron
Link to topic: https://cfengine.com/forum/read.php?3,18643,18648#msg-18648

*If* you are using a Debian based distribution it might be a good idea to take a look at apt-pinning. This will make sure that the packages get installed correctly even if it's done in other ways.

-- Emil
___
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
Cfengine Help: cf-serverd on local zone dies running cf-agent from global zone
Forum: Cfengine Help
Subject: cf-serverd on local zone dies running cf-agent from global zone
Author: steffenf
Link to topic: https://cfengine.com/forum/read.php?3,18649,18649#msg-18649

Hi all!

I use Solaris 10 on SPARC. I am in the process of setting up cfengine (it's nice! :)). In that process we happen to have the cf-serverd running on a Solaris 10 non-global zone. We have set up about 20 clients in other non-global zones and it all works like a dream. They are all on the same physical machine.

Today I needed to set up the global zone as a client. When running "cf-agent -K" from the global zone, the cf-serverd in the local zone dies with the following output (cf-serverd -v):

    ...
    ...
    cf3 Received: on socket 6
    cf3 Received signal 15 (SIGTERM) while doing
    cf3 Logical start time Thu Oct 7 09:36:58 2010
    cf3 This sub-task started really at Thu Oct 7 09:37:53 2010
    cf3 Trying to remove lock - try lock.independent.server_cfengine..the_server_daemon_214_MD5=5b2c904169606aa9b27ec369fd13e016
    cf3 Outcome of version (not specified): No checks were scheduled
    ...
    ...

The process is not restarted. I really need some help on this, as I am not able to extract more information about the error.

Best regards,
Steffen Fiksdal
Cfengine Help: Re: cf-serverd on local zone dies running cf-agent from global zone
Forum: Cfengine Help
Subject: Re: cf-serverd on local zone dies running cf-agent from global zone
Author: mark
Link to topic: https://cfengine.com/forum/read.php?3,18649,18650#msg-18650

Would you be good enough to bake a backtrace for us, please? See http://www.cfengine.org/pages/troubleshoot
Cfengine Help: Re: I'm exploiting usemodule. There has got to be a better way to define global classes?
Forum: Cfengine Help
Subject: Re: I'm exploiting usemodule. There has got to be a better way to define global classes?
Author: neilhwatson
Link to topic: https://cfengine.com/forum/read.php?3,18623,18651#msg-18651

Metabaron, do you set up the file cfclass.conf yourself? If so, how is that different than hard coding global classes in Cfengine's policy?

At some point everyone has to define some global classes. Any method I can think of is going to involve some manual work to set up and maintain them. Typically I create my global classes by hand. I have not needed to do anything automatically at this time. If I did have to I would use Seva's method. Seva, IIRC, bases his global classes on what is found on the host but not what he has put there manually. For instance a public web server must have the httpd or apache daemon file and perhaps be a member of a specific subnet. I would not create a classes file to distribute to my hosts and have the agent read it later to determine classes.

In terms of resources, hand coding takes the least computer resources, but might take more human resources. The latter method of automatic class determination is going to take more of the agent's time to do. Either method is useful. In a complex environment both might be used.

Mike asked about defining global classes in normal agent bundles. I would try to avoid this. This type of policy would be more difficult to maintain. Using the methods I described I know where to find all of my global class definitions. Sprinkling them throughout the policy as Mike described might drive me mental trying to find and maintain them.
Cfengine Help: Re: I'm exploiting usemodule. There has got to be a better way to define global classes?
Forum: Cfengine Help
Subject: Re: I'm exploiting usemodule. There has got to be a better way to define global classes?
Author: Seva Gluschenko
Link to topic: https://cfengine.com/forum/read.php?3,18623,18652#msg-18652

Well, actually, my approach differs a bit. First, my servers are grouped into certain roles, and that grouping is reflected in our internal management databases. Since the community edition of Cfengine does not provide any database connectors, I'm using a Perl script which updates the groups list on a regular basis (well, it's called via Cfengine itself on the policy host). The script writes a groups.cf file which is nothing other than

    bundle common grp
    {
    classes:
      "webserver" or => { "serverX", "serverY" };
      ...
    }

The body common control then utilises those class definitions to alter bundlesequence. Accordingly, my promises are packed into more or less self-contained bundles which initially accept just "on" or "off" as their runtime argument, so typically it looks like

    body common control
    {
    webserver::
      bundlesequence => { @(g.bstrap), apache("on"), iptables("on"), mysql("off") };
    database::
      bundlesequence => { @(g.bstrap), apache("off"), iptables("off"), mysql("on") };
    }

Using such an approach, servers can be moved from group to group by the simplest change in groups configuration, so that Cfengine takes care of all the rest. Of course, in general database servers aren't interchangeable with webservers due to hardware specifics, but there are indeed groups which allow such movements.
Cfengine Help: Re: I'm exploiting usemodule. There has got to be a better way to define global classes?
Forum: Cfengine Help
Subject: Re: I'm exploiting usemodule. There has got to be a better way to define global classes?
Author: msvob...@linkedin.com
Link to topic: https://cfengine.com/forum/read.php?3,18623,18653#msg-18653

So, maybe the question I should be asking

Cfengine is an incredibly powerful tool, and it's possible to break things very quickly. I'm writing and testing all my policies in a test environment, but I feel like once I unleash a policy into production then I have the ability to see behavior that I wasn't able to simulate in my test area.

I'm just trying to limit execution of policies without modifying the policies themselves. If there is a better method of going about this, or someone else has a better solution -- I'm down. Let me know how you've solved this problem, and if it's a better solution than what I've hacked together -- super.

I'm already going to have to modify all my policies to take advantage of the "restricted" and "unrestricted" global classes. The only other solution I could think of would be to individually point cf-agents at a different master policy server with the updated code. That doesn't scale.

Maybe a feature request to build into the product down the line? It seems like this would be a super handy feature that lots of folks would appreciate.
Cfengine Help: Re: I'm exploiting usemodule. There has got to be a better way to define global classes?
Forum: Cfengine Help
Subject: Re: I'm exploiting usemodule. There has got to be a better way to define global classes?
Author: neilhwatson
Link to topic: https://cfengine.com/forum/read.php?3,18623,18654#msg-18654

Cfengine is complicated enough that it should be treated just as you would treat code promotions to production. Policies should be thoroughly tested in full dev and qa environments before being promoted to production.
Force variables to be defined after classes?
I’m trying to define a variable if it matches a class. The below code doesn’t work.

    $ cat test.cf
    body common control
    {
    bundlesequence => { testit };
    }

    bundle agent testit
    {
    vars:
      class_to_test_on::
        "testfile" string => "/var/tmp/testfile";
        "test_list" slist => { readstringlist("$(testfile)","#[^\n]*","[\n]",,) };

    classes:
      "class_to_test_on" expression => strcmp("cfengine","cfengine");

    reports:
      class_to_test_on::
        "contents of test_list was $(test_list)";
    }

Classes are interpreted by Cfengine after variables.

    $ /var/cfengine/bin/cf-agent -I -K -f /var/tmp/test.cf
    R: contents of test_list was $(test_list)

If I comment out the class from the variable definition, it works.

    $ /var/cfengine/bin/cf-agent -I -K -f /var/tmp/test.cf
    R: contents of test_list was cfengine is the best product ever!
    R: contents of test_list was i just wish i could force classes to be defined before variables

My solution to this problem is to define a class in global scope, and then execute a method: usebundle statement to dive down in scope. I then define variables in that lower scope based off the global class.

This kind of sucks. Is there a better workaround?
Cfengine Help: Re: I'm exploiting usemodule. There has got to be a better way to define global classes?
Forum: Cfengine Help
Subject: Re: I'm exploiting usemodule. There has got to be a better way to define global classes?
Author: msvob...@linkedin.com
Link to topic: https://cfengine.com/forum/read.php?3,18623,18655#msg-18655

I agree.

I'm currently pointing all master policy servers for all environments at the same point in my SVN tree. The only way for me to apply a policy on "DEV" or "STG" environments would be to modify the classes in the policies themselves.

We want to be able to write a policy, test it, and be hands off. Then tweak where that policy gets applied to through some external method.
Cfengine Help: Re: Force variables to be defined after classes?
Forum: Cfengine Help
Subject: Re: Force variables to be defined after classes?
Author: neilhwatson
Link to topic: https://cfengine.com/forum/read.php?3,18656,18657#msg-18657

On rare occasions normal ordering can hamper you. When this happens to me I usually go back and look at what I'm trying to accomplish and look for another way. You really don't want to try and change normal ordering. Really you don't.
Re: Cfengine Help: Re: I'm exploiting usemodule. There has got to be a better way to define global classes?
On 10/7/10 8:25 AM, "no-re...@cfengine.com" wrote:

> I agree.
>
> I'm currently pointing all master policy servers for all environments at the
> same point in my SVN tree. The only way for me to apply a policy on "DEV" or
> "STG" environments would be to modify the classes in the policies themselves.
>
> We want to be able to write a policy, test it, and be hands off. Then tweak
> where that policy gets applied to through some external method.

Why not point different environments at different tags, branches, whatever? Then your revision control system is your "external method" by which you control where a policy is applied. Similar to what's detailed here (though you might do it slightly differently based upon your needs):

http://sial.org/howto/cfengine/repository/

This has been pointed to many times on this list, and was written when cf2 was all the rage...but applies equally well to cf3/whatever.

--
Mike Hoskins : micho...@cisco.com : +1 (415) 506-UNIX (8649)
He knows not how to know who knows not also how to unknow.
-- Sir Richard Burton
Restarting service after changing the config
How do you tell CFEngine to restart a service if it had to update the config? (copied below: roughly, since I don't have access to email on the same system). What I have successfully copies the sshd_config, but I can't seem to find how to restart sshd.

Thanks,
TimW

    bundle agent CPPredhat_c_5_ssh
    {
    classes:
      "CPPredhat_c_5_ssh" expression => "any";

    files:
      "/etc/issue.net"
        copy_from => secure_cp("/srv/common/etc/issue.net","fileserver.cpp"),
        perms => mog("644","root","root");

      "/etc/ssh/ssh_config"
        copy_from => secure_cp("/srv/common/etc/ssh/ssh_config","fileserver.cpp"),
        perms => mog("644","root","root");

      "/etc/ssh/sshd_config"
        copy_from => secure_cp("/srv/common/etc/ssh/sshd_config","fileserver.cpp"),
        perms => mog("600","root","root");

    commands:
      sshd_restart_needed::
    }
Cfengine Help: Re: Restarting service after changing the config
Forum: Cfengine Help
Subject: Re: Restarting service after changing the config
Author: zzamboni
Link to topic: https://cfengine.com/forum/read.php?3,18659,18660#msg-18660

You need to define the class when the promise is repaired (i.e. if the file was modified). For example:

    "/etc/ssh/sshd_config"
      copy_from => secure_cp("/srv/common/etc/ssh/sshd_config","fileserver.cpp"),
      perms => mog("600","root","root"),
      classes => if_repaired("sshd_restart_needed");

if_repaired is defined in cfengine_stdlib.cf:

    body classes if_repaired(x)
    {
    promise_repaired => { "$(x)" };
    }
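
The question and the answer above combined into one policy, as an added example that is not part of the original posts. It also checks the new file with `sshd -t` before restarting, so a broken sshd_config does not take down remote access. The bundle name, the `ok_or_failed` body, the binary paths and the restart command are assumptions.

```cfengine3
# Added example, not from the thread. Assumed: cfengine_stdlib.cf is on the
# inputs path, and sshd/service live at the paths below (Red Hat layout).
body common control
{
  bundlesequence => { "sshd_config_restart" };
  inputs         => { "cfengine_stdlib.cf" };  # secure_cp, mog, if_repaired
}

bundle agent sshd_config_restart   # hypothetical bundle name
{
  files:
    "/etc/ssh/sshd_config"
      copy_from => secure_cp("/srv/common/etc/ssh/sshd_config", "fileserver.cpp"),
      perms     => mog("600", "root", "root"),
      # Set only when this promise had to repair the file (content or perms).
      classes   => if_repaired("sshd_restart_needed");

  commands:
    sshd_restart_needed::
      # sshd -t parses the installed config and exits non-zero on errors.
      # Assumes the agent treats a non-zero exit as a failed promise
      # (the default when no *_returncodes attributes are set).
      "/usr/sbin/sshd -t"
        classes => ok_or_failed("sshd_config_valid", "sshd_config_invalid");

    sshd_config_valid::
      "/sbin/service sshd restart";

  reports:
    sshd_config_invalid::
      "New sshd_config failed 'sshd -t'; sshd left running on its old config";
}

body classes ok_or_failed(ok, failed)   # hypothetical helper body
{
  promise_kept     => { "$(ok)" };
  promise_repaired => { "$(ok)" };
  repair_failed    => { "$(failed)" };
}
```

If validation fails, the rejected file is still on disk, and later runs will see the copy promise as kept and not retry the restart, so the report on the failing run is the signal to act on.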