CFEngine Help: user management
Forum: CFEngine Help
Subject: user management
Author: bernhard.gl...@ecologic.eu
Link to topic: https://cfengine.com/forum/read.php?3,26190,26190#msg-26190

Hi all,

I browsed through a lot of the cfengine resources and also just read the very excellent book by Diego Zamboni, but I am still wondering if anybody has tried to manage local users on a darwin system with cfengine so far? (darwin_x86_64_11_4_0)

Any hints, tips or ideas (except for copying a cleartext password to feed it to dscl ;-) would be most welcome!

TIA
Bernhard

___
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
arrays with lists
I can't recall if this is now possible with 3.3.0. Can we define a list in an array and then loop over the list after passing it? E.g.

    body common control
    {
        bundlesequence => { "main", };
        inputs         => { "cfengine_stdlib.cf", };
    }

    bundle agent main
    {
      vars:
        "l[x]" slist => { "one", "two", "three" };

      methods:
        "any" usebundle => test( "main.l[x]" );
    }

    bundle agent test (list)
    {
      reports:
        cfengine::
          "l => ${list}";
    }

    [root@admin1 masterfiles]# cf-agent -IKf ./arlist.cf
    R: l => main.l[x]

I was hoping to see list expansion in the report promise. Is this possible?

--
Neil Watson
Linux/UNIX Consultant
http://watson-wilson.ca
On-site training available in Ohio or in New York the last week of September
Hi,

If anybody on the East Coast of the US needs an on-site class on CFEngine 3, I will be in Columbus, Ohio on 28 - 30 September for Ohio Linux Fest, and I could deliver my popular 4 day intro course on 24 - 27 Sep in Columbus or NYC or nearby.

The course description is at http://www.verticalsysadmin.com/cfengine-class.htm

Student Successes:

"Thank you for such a great class. Been to lots of technical training and you are the best instructor I've had. Beyond standard lecture/lab your examples and willingness to help with non-class related questions pertaining to CFEngine is unmatched." --Thomas Nicholson, Sr. Systems Management Engineer

"I was able to "unlearn" some of my bad habits that came with my legacy CFEngine 2 set up. A lot of the things that previously made CFEngine 3 daunting to me are now clear and approachable." --Brian Bennett, Systems Architect

Email me to arrange this private training for your group. If you'd like, I'll even throw in a free evening class on vi fundamentals, to help you edit your CFEngine policies faster. :)

Best,
Aleksey
CFEngine Help: Re: cfengine3.3.3 binaries no longer install in /usr/local/sbin
Forum: CFEngine Help
Subject: Re: cfengine3.3.3 binaries no longer install in /usr/local/sbin
Author: Jason Christy
Link to topic: https://cfengine.com/forum/read.php?3,26176,26193#msg-26193

If this was intentional, the following example in the rpm will need to be updated: /var/cfengine/share/doc/example_config/update.cf

    bundle agent update
    {
      vars:
        "master_location" string => "/var/cfengine/masterfiles";

      files:
        "/var/cfengine/inputs"
          perms        => u_p("600"),
          copy_from    => mycopy("$(master_location)","localhost"),
          depth_search => urecurse("inf"),
          action       => uimmediate;

        "/var/cfengine/bin"
          perms        => u_p("700"),
          copy_from    => mycopy("/usr/local/sbin","localhost"),
          file_select  => cf3_files,
          depth_search => urecurse("inf"),
          action       => uimmediate;
    }

If others are using the above code in previous versions of cfengine, they'll have to update the logic as well. A mention of this in the changelog would have been nice.
CFEngine Help: Re: separate dev/production environments
Forum: CFEngine Help
Subject: Re: separate dev/production environments
Author: Tim
Link to topic: https://cfengine.com/forum/read.php?3,26169,26194#msg-26194

Thank you, Tom. I checked out your post. It is a clever solution, and very helpful.

Our current Cfengine2 solution implements the same approach, though in a slightly different manner. Clients fetch /var/cfengine/inputs from different dev and prod directories on the server, based on a dev/prod flag file on the client.

I'm now clear that I need to continue to focus on having clients read /var/cfengine/inputs from separate locations, instead of loading/altering separate .cf files.
distributing secrets
Suppose you wish to install a piece of software on every host. Part of the software has a password that is unique to each host. I do not want all passwords stored in the Cfengine policy. How do you go about distributing those secrets?

I thought about having a secrets file and using CF access promises to allow each host to gather its needed file. Scale is a bit of an issue. If you have 500 hosts I think you need 500 rules, unless iteration looping works in server bundles.

All ideas welcome.

--
Neil Watson
Linux/UNIX Consultant
http://watson-wilson.ca
Re: distributing secrets
Neil,

With CF3 Enterprise, you could use remotescalar() or hubknowledge(), which allow you to fetch values from remote CFEngine hosts; then you could have the values stored only on the hub.

https://cfengine.com/manuals/cf3-Reference#Function-hubknowledge
https://cfengine.com/manuals/cf3-Reference#Function-remotescalar

--Diego

On Jun 13, 2012, at 4:36 PM, Neil Watson wrote:

> Suppose you wish to install a piece of software on every host. Part of
> the software has a password that is unique to each host. I do not want
> all passwords stored in the Cfengine policy. How do you go about
> distributing those secrets?
>
> I thought about having a secrets file and using CF access promises to
> allow each host to gather its needed file. Scale is a bit of an issue.
> If you have 500 hosts I think you need 500 rules unless iteration
> looping works in server bundles.
>
> All ideas welcome.
>
> --
> Neil Watson
> Linux/UNIX Consultant
> http://watson-wilson.ca
Re: distributing secrets
Where else is this password referenced? My inclination would be a promise that generates the password directly on the box (perhaps with pwgen). Something like this:

    files:
      "/etc/local/pass"
        create  => "false",
        # perms added by the editor: the generated secret should be root-only
        perms   => mog("600", "root", "root"),
        classes => if_notok("gen_pass");

    commands:
      gen_pass::
        "/usr/bin/pwgen -s > /etc/local/pass"
          # commands promises do not run through a shell by default, so the
          # redirection needs in_shell (from cfengine_stdlib.cf)
          contain => in_shell;

But I would need to know more about what the password is for...

On Jun 13, 2012, at 2:36 PM, Neil Watson wrote:

> Suppose you wish to install a piece of software on every host. Part of
> the software has a password that is unique to each host. I do not want
> all passwords stored in the Cfengine policy. How do you go about
> distributing those secrets?
>
> I thought about having a secrets file and using CF access promises to
> allow each host to gather its needed file. Scale is a bit of an issue.
> If you have 500 hosts I think you need 500 rules unless iteration
> looping works in server bundles.
>
> All ideas welcome.
>
> --
> Neil Watson
> Linux/UNIX Consultant
> http://watson-wilson.ca
CFEngine Help: Re: cfengine3.3.3 binaries no longer install in /usr/local/sbin
Forum: CFEngine Help
Subject: Re: cfengine3.3.3 binaries no longer install in /usr/local/sbin
Author: timw077
Link to topic: https://cfengine.com/forum/read.php?3,26176,26199#msg-26199

This is a bug. It is not in the change log, and the examples still point the old way. If I could find the bug report URL, I'd fill out a bug report.
Re: CFEngine Help: Re: cfengine3.3.3 binaries no longer install in /usr/local/sbin
no-re...@cfengine.com wrote:

> Forum: CFEngine Help
> Subject: Re: cfengine3.3.3 binaries no longer install in /usr/local/sbin
> Author: timw077
> Link to topic: https://cfengine.com/forum/read.php?3,26176,26199#msg-26199
>
> This is a bug. It is not in the change log, and the examples still
> point the old way. If I could find the bug report URL, I'd fill out a
> bug report.

https://cfengine.com/bugtracker

--
Sent from Kaiten Mail for Android. Please excuse my brevity.
Re: distributing secrets
To answer your questions: the software in question is Bacula. A password is stored in the client's and the server's (director's) configuration. Each client should have its own password, which the director must also know. The password is normal ASCII inside a typical configuration file.

In this case I am using Core rather than Enterprise. I have used remote scalars in the past. The results were very disappointing, and it is my understanding that remote scalars have not been fixed in this release of Enterprise.

--
Neil Watson
Linux/UNIX Consultant
http://watson-wilson.ca
Re: distributing secrets
This is interesting. Server bundles do allow list iteration. Consider this:

    body common control
    {
        bundlesequence => { "main", };
    }

    bundle agent main
    {
      reports:
        cfengine::
          "Main agent bundle";
    }

    body server control
    {
        port => "5309";
    }

    bundle server access
    {
      vars:
        "cls" slist => {
          "192.168.9.1",
          "192.168.9.2",
          "192.168.9.3",
          "192.168.9.4",
          "192.168.9.5",
          "192.168.9.6",
          "192.168.9.7",
        };

      access:
        "/var/cache/${cls}"
          admit => { "${cls}" };
    }

Now run cf-serverd -Fvf ./server.cf. Interesting output:

    cf3> BUNDLE access
    cf3> *
    cf3>
    cf3>
    cf3>=
    cf3>access in bundle access (0)
    cf3>=
    cf3>
    cf3> Summarize control promises
    cf3> Granted access to paths :
    cf3> Path: /var/cache/192.168.9.1 (encrypt=0)
    cf3>Admit: 192.168.9.1 root=
    cf3> Path: /var/cache/192.168.9.2 (encrypt=0)
    cf3>Admit: 192.168.9.2 root=
    cf3> Path: /var/cache/192.168.9.3 (encrypt=0)
    cf3>Admit: 192.168.9.3 root=
    cf3> Path: /var/cache/192.168.9.4 (encrypt=0)
    cf3>Admit: 192.168.9.4 root=
    cf3> Path: /var/cache/192.168.9.5 (encrypt=0)
    cf3>Admit: 192.168.9.5 root=
    cf3> Path: /var/cache/192.168.9.6 (encrypt=0)
    cf3>Admit: 192.168.9.6 root=
    cf3> Path: /var/cache/192.168.9.7 (encrypt=0)
    cf3>Admit: 192.168.9.7 root=

--
Neil Watson
Linux/UNIX Consultant
http://watson-wilson.ca
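The list-expanded access promises above grant each address its own path, but note the "encrypt=0" in the output: as written, a host's secret would travel in cleartext. The following policy is an added example written for this digest, not code from any of the posts, that puts the two halves of the per-host secrets approach together for the Bacula case Neil describes: the server side expands one access promise per host and requires an encrypted session (ifencrypted), and the client side fetches only its own file with the stdlib secure_cp body (encrypt and verify on the transfer) and pins the result to mode 0600. Everything named here is an assumption: the policy host policyhost.example.com, the management network 192.168.9.0/24, the per-host directory /var/cfengine/secrets/<ip>/ on the server, the file name bacula-fd.passwd, and the destination /etc/bacula/bacula-fd.passwd. The bodies secure_cp, mog and if_repaired come from cfengine_stdlib.cf.

```cfengine
# Added example (not from the thread): per-host secret distribution over
# cf-serverd with encryption required and access scoped to the requesting host.
# Assumed names: policyhost.example.com, 192.168.9.0/24,
# /var/cfengine/secrets/<ip>/bacula-fd.passwd, /etc/bacula/bacula-fd.passwd.

body common control
{
    bundlesequence => { "bacula_fd_secret" };
    inputs         => { "cfengine_stdlib.cf" };
}

body server control
{
    # Assumed management network. Keys are exchanged out of band beforehand.
    allowconnects    => { "192.168.9.0/24" };
    allowallconnects => { "192.168.9.0/24" };
}

bundle server secrets
{
  vars:
    # Constructed host list for the example; in practice read it from a file
    # with readstringlist() so the policy itself holds no per-host data.
    "hosts" slist => { "192.168.9.1", "192.168.9.2", "192.168.9.3" };

  access:
    # Expands to one promise per host, exactly as in the cf-serverd output
    # above: host N may read only /var/cfengine/secrets/N, and only when the
    # session is encrypted, so a cleartext copy request is refused.
    "/var/cfengine/secrets/$(hosts)"
      admit       => { "$(hosts)" },
      ifencrypted => "true";
}

bundle agent bacula_fd_secret
{
  vars:
    "server" string => "policyhost.example.com";   # assumed policy host
    "src"    string => "/var/cfengine/secrets/$(sys.ipv4)/bacula-fd.passwd";
    "dst"    string => "/etc/bacula/bacula-fd.passwd";

  files:
    # secure_cp sets encrypt => "true" and verify => "true" on the copy;
    # mog keeps the fetched secret readable by root only.
    "$(dst)"
      copy_from => secure_cp("$(src)", "$(server)"),
      perms     => mog("0600", "root", "root"),
      classes   => if_repaired("bacula_secret_updated");

  reports:
    bacula_secret_updated::
      "Fetched per-host Bacula secret into $(dst) (contents deliberately not reported)";
}
```

Two points to check before relying on this: the /var/cfengine/secrets tree on the policy host should itself be mode 0700 root, since cf-serverd is the only reader that needs it, and because the Bacula director must know every client's password as well, the director's configuration can be templated from that same directory on the policy host, which is outside the scope of this example.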