[ANNOUNCE] CFEngine Community 3.3.4 is released
Good day.

CFEngine Community 3.3.4 is now available for download.

Evaluation of policies:
- Fix wrong classes set after installation of several packages using packages promises (Mantis #829).
- Fix segfault using edit_template on existing file (Mantis #1155).

Misc:
- Fix memory leak during re-read of network interfaces' information in cf-execd/cf-serverd.

Downloads:
http://cfengine.com/source-code/download?file=cfengine-3.3.4.tar.gz

Checksums:
MD5 a8eb3391304116781148cfbdf6b27526 cfengine-3.3.4.tar.gz
SHA1 143abe39b9ba2fb0b00a0f0ce69608787423 cfengine-3.3.4.tar.gz

--
Mikhail Gusarov

___
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
when/how is masterfiles/cf_promises_validated updated?
Hello,

I see that the stock `failsafe.cf` bundled with CFEngine Community updates the input files on the client only when `masterfiles/cf_promises_validated` on the server is updated.

I also see that `masterfiles/cf_promises_validated` is periodically updated on the server by some CFEngine component.

Questions:

1. What component of CFEngine is updating `masterfiles/cf_promises_validated`?
2. Is there a way to control the schedule of such updates?
3. Is there a way to manually "force" the update? (I've tried running `cf-promises`: the promise files validate OK but the file is untouched.)

Thanks for any help!

Riccardo
Re: when/how is masterfiles/cf_promises_validated updated?
Cf-promises updates this when it executes successfully.
Re: when/how is masterfiles/cf_promises_validated updated?
On Thu, Jun 21, 2012 at 01:08:10PM +0200, Mark Burgess wrote:
>
> Cf-promises updates this when it executes successfully.

I think that this only happens when called via cf-execd.

    ettin:/var/cfengine/masterfiles# rm cf_promises_validated
    ettin:/var/cfengine/masterfiles# cf-promises
    ettin:/var/cfengine/masterfiles# ls -ltr cf_pro*
    ls: cannot access cf_pro*: No such file or directory

--
Neil Watson
Linux/UNIX Consultant
http://watson-wilson.ca
which cfengine_stdlib.cf
Hello,

Question: which cfengine_stdlib.cf to use? Is copbl repository the leading one?

There is one in the copbl and one in the design-center repository and they differ:

{{{
13:37 install2.lisa.sara.nl:/var/tmp/bas/cfengine root#
-rw-r--r-- 1 root root 46675 Jun 20 09:26 copbl_github/cfengine_stdlib.cf
-rw-r--r-- 1 root root 21392 Mar 26 12:21 copbl_github/OrionCloudExamples/cfengine_stdlib.cf
-rw-r--r-- 1 root root 41020 Jun  1 09:07 design-center/sketches/libraries/copbl/cfengine_stdlib.cf
-rw-r--r-- 1 root root 41986 May  9 11:42 cfengine3_github/masterfiles/cfengine_stdlib.cf
}}}

So there are 4 different versions in the cfengine repositories!

regards

--
Bas van der Vlies    e-mail: b...@sara.nl
SARA - Academic Computing Services Amsterdam, The Netherlands
Re: when/how is masterfiles/cf_promises_validated updated?
Hello,

On Thu, Jun 21, 2012 at 1:23 PM, Neil Watson wrote:
> On Thu, Jun 21, 2012 at 01:08:10PM +0200, Mark Burgess wrote:
>>
>> Cf-promises updates this when it executes successfully.
>
> I think that this only happens when called via cf-execd.
>
> ettin:/var/cfengine/masterfiles# rm cf_promises_validated
> ettin:/var/cfengine/masterfiles# cf-promises
> ettin:/var/cfengine/masterfiles# ls -ltr cf_pro*
> ls: cannot access cf_pro*: No such file or directory
>

Indeed, looking at the C sources for v3.3.3, it seems that `masterfiles/cf_promises_validated` is only touched by functions NewPromiseProposals() and CheckPromises() in `generic_agent.c`. (Plus `bootstrap.c` but that does not count.) These functions are only called by `cf-execd` and `cf-serverd`.

Would it be sensible to add a command-line switch to `cf-promises` to force update of `masterfiles/cf_promises_validated` ?
Re: which cfengine_stdlib.cf
On Thu, 21 Jun 2012 13:46:15 +0200 Bas van der Vlies wrote:

BvdV> Question which cfengine_stdlib.cf to use? Is copbl repository the leading one
BvdV> There is one in the copbl and one in the design-center repository and they differ:

I have not updated CFEngine::stdlib in Design Center from the copbl repository because the newer stdlib version has service promises, while Design Center supports 3.2.x, which doesn't have service promises.

There are very exciting changes coming in 3.4 (see the cfengine core Github repository, and Mark Burgess tweeted about metadata and namespaces) so when that's out we're very likely to make it the minimum required version for Design Center, and to do minor sketch rewrites to make use of the new functionality.

Ted
Re: when/how is masterfiles/cf_promises_validated updated?
On Thu, 21 Jun 2012 14:17:53 +0200 Riccardo Murri wrote:

RM> Would it be sensible to add a command-line switch to `cf-promises` to
RM> force update of `masterfiles/cf_promises_validated` ?

Would it work to just say "cf-promises ... && touch masterfiles/cf_promises_validated"?

Ted
Re: To xdev or not to xdev
On Tue, 19 Jun 2012 15:59:36 -0500 Ron Parker wrote:

RP> It's not clear to me from the reference manual. If I want to set
RP> permissions on a directory and all of its descendants that are not
RP> (NFS) mounts, do I want xdev to be true or false?

I think it's similar to the rsync -x flag: if true, you don't cross devices (NFS mounts). The manual doesn't state it clearly.

Ted
Re: when/how is masterfiles/cf_promises_validated updated?
Hi Ted,

On Thu, Jun 21, 2012 at 3:02 PM, Ted Zlatanov wrote:
> On Thu, 21 Jun 2012 14:17:53 +0200 Riccardo Murri wrote:
>
> RM> Would it be sensible to add a command-line switch to `cf-promises` to
> RM> force update of `masterfiles/cf_promises_validated` ?
>
> Would it work to just say "cf-promises ... && touch
> masterfiles/cf_promises_validated"?

Thanks for the suggestion!

"cf_promises_validated" seems to contain the date of the last successful validation, so maybe this one instead?

    cf-promises ... && (date +'%a %b %d %H:%M:%S %Y' > masterfiles/cf_promises_validated)

(BTW, it seems that the default contents of `cf_promises_validated` contain local time but without the time zone specification -- that's why I added the format string above.)
Re: when/how is masterfiles/cf_promises_validated updated?
Ted Zlatanov wrote:
>On Thu, 21 Jun 2012 14:17:53 +0200 Riccardo Murri wrote:
>
>RM> Would it be sensible to add a command-line switch to `cf-promises` to
>RM> force update of `masterfiles/cf_promises_validated` ?
>
>Would it work to just say "cf-promises ... && touch
>masterfiles/cf_promises_validated"?
>
>Ted

In newer versions cf_promises_validated contains a datestamp.
Re: CFEngine Help: Reading lines into an array only if class matches
On Fri, 15 Jun 2012 21:39:46 +0200 (CEST) sauer wrote:

n> So, I have a couple of situations where I want to populate an exclude
n> list from an external file. For example, I want to remove the
n> suid/sgid bits from executable files which are group or
n> world-writeable, unless the file is in an approved list. I'd like to
n> maintain the file in an external file formatted like

n> class:filename

n> I only want "filename" to be an excluded file if the class is a class
n> which is set on the current system. What I'm currently thinking is
n> that I could read the whole file into an array like array = class,
n> make an slist of all the elements in array, then make a second array
n> like

n> "skipfiles[$(files)]" string => $(files), ifvarclass => allfiles[$(files)]

...

n> I don't know. I'd appreciate any input on solutions to this problem,
n> including completely different directions. :) Maybe I should have a
n> second promise to make a copy of the first file which only contains
n> lines that match currently-defined classes? I'm not sure exactly how
n> I'd do that, either... :)

This is a hard problem for thousands of entries, as you suggested.

I know of another use case where the customer wants to write templates that look like your example, except it's "class: content" so you only want the content that matches your class. A cfengine context syntax parser is very easy to write so the customer chose to write their own filter in Perl.

I think it makes sense to treat this as a templating problem and provide support for it in the template language, but that's just my opinion... I can write a Perl-based filter, if that will help you.

Ted
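A filter of the kind discussed in this message, as an added example (not code from the thread, and not the customer's Perl filter): it evaluates the class expression on each `class:filename` line against the classes defined on the host and returns the approved paths. The function names, the sample lines and the rule that malformed lines are rejected rather than approved are assumptions of this sketch; the operators handled are `!`, `.`/`&`, `|`/`||` and parentheses.

```python
import re

# Constructed sample in the "class:filename" format from the thread.
SAMPLE = [
    "# suid/sgid files that may stay as they are",
    "any:/usr/bin/passwd",
    "linux.redhat:/usr/bin/ssh-agent",
    "solaris|sunos_5_10:/usr/bin/at",
    "linux.!redhat:/usr/bin/wall",
    "(linux|solaris).webserver:/usr/sbin/suexec",
    "linux..redhat:/usr/bin/broken",
    "relative/path",
]

_TOKEN = re.compile(r"\s*(\|\||[.&|!()]|[A-Za-z0-9_]+)")
_NAME = re.compile(r"[A-Za-z0-9_]+")


def tokenize(expr):
    """Split a class expression into operators and class names."""
    expr = expr.strip()
    pos, tokens = 0, []
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError("bad character in class expression: %r" % expr)
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def class_matches(expr, defined):
    """Evaluate expr against the set of defined classes.

    Precedence, tightest first: '!', then '.' or '&' (AND), then '|' or '||' (OR).
    Raises ValueError on a malformed expression.
    """
    tokens = tokenize(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = peek()
        pos += 1
        return tok

    def parse_or():
        value = parse_and()
        while peek() in ("|", "||"):
            take()
            rhs = parse_and()      # always parse the right side, then combine
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() in (".", "&"):
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        if peek() == "!":
            take()
            return not parse_not()
        if peek() == "(":
            take()
            value = parse_or()
            if take() != ")":
                raise ValueError("missing ')' in %r" % expr)
            return value
        tok = take()
        if tok is None or not _NAME.fullmatch(tok):
            raise ValueError("class name expected in %r" % expr)
        return tok in defined

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return result


def approved_files(lines, defined):
    """Return (approved_paths, rejected_lines) for 'class:filename' lines.

    A line that cannot be parsed never approves a file: it is reported in
    rejected_lines as (line_number, text) so the list can be fixed.
    """
    approved, rejected = [], []
    for number, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        expr, sep, path = line.partition(":")
        path = path.strip()
        if not sep or not path.startswith("/"):
            rejected.append((number, raw))
            continue
        try:
            if class_matches(expr, defined):
                approved.append(path)
        except ValueError:
            rejected.append((number, raw))
    return approved, rejected


if __name__ == "__main__":
    ok, bad = approved_files(SAMPLE, {"any", "linux", "redhat", "webserver"})
    print("approved:", ok)
    print("rejected:", bad)
```

The approved paths can then be written to a plain list file for the agent to read, which avoids building the per-class arrays inside the policy.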
Re: when/how is masterfiles/cf_promises_validated updated?
On Thu, 21 Jun 2012 15:07:58 +0200 Riccardo Murri wrote:

RM> On Thu, Jun 21, 2012 at 3:02 PM, Ted Zlatanov wrote:
>> On Thu, 21 Jun 2012 14:17:53 +0200 Riccardo Murri wrote:
>>
RM> Would it be sensible to add a command-line switch to `cf-promises` to
RM> force update of `masterfiles/cf_promises_validated` ?
>>
>> Would it work to just say "cf-promises ... && touch
>> masterfiles/cf_promises_validated"?

RM> Thanks for the suggestion!

RM> "cf_promises_validated" seems to contain the date of the last
RM> successful validation, so maybe this one instead?

RM> cf-promises ... && (date +'%a %b %d %H:%M:%S %Y' >
RM> masterfiles/cf_promises_validated)

RM> (BTW, it seems that the default contents of `cf_promises_validated`
RM> contain local time but without the time zone specification -- that's
RM> why I added the format string above.)

I don't know if the timestamp is necessary, sorry. Try it with the timestamp and without it :)

I would have used UTC in an ISO string with the timezone, or simply an epoch timestamp. But that's all academic if the file contents don't matter.

Ted
Re: when/how is masterfiles/cf_promises_validated updated?
On 06/21/2012 08:07 AM, Riccardo Murri wrote:
> Hi Ted,
> "cf_promises_validated" seems to contain the date of the last
> successful validation, so maybe this one instead?

I was under the impression that it worked like this. When policy has changed and then been successfully validated, /var/cfengine/masterfiles/cf_promises_validated is updated. Previously just touched, as of 3.3 it contains the date time stamp of the validation. This helps if remote agents' clocks get skewed.

On a 3.3.0 system if I remove /var/cfengine/masterfiles/cf_promises_validated then run cf-agent -K the file is re-created with a new date time stamp. If I run cf-agent -K again there is no change. It only seems to be updated if policy changes in /var/cfengine/inputs. For example I add a blank line to promises.cf and run cf-agent -K and the date time stamp in /var/cfengine/masterfiles/cf_promises_validated gets updated.

Perhaps I have missed something in the policy that does some of that but I thought cf_promises_validated being updated was internal to CFEngine and was independent of the policy. Remote agents updating based on the "newness" of cf_promises_validated is of course policy dependent.
Re: when/how is masterfiles/cf_promises_validated updated?
On 06/21/2012 08:21 AM, Ted Zlatanov wrote:
> I don't know if the timestamp is necessary, sorry. Try it with the
> timestamp and without it :)
>
> I would have used UTC in an ISO string with the timezone, or simply an
> epoch timestamp. But that's all academic if the file contents don't
> matter.

It depends on the policy. Prior to 3.3 the default generated update policy only looked at mtime. Remote agent clock skew would prevent them from getting policy updates so the stamp was added so that you can use digest comparison. At least that's my understanding.

In any case, it's policy dependent on whether cf_promises_validated is actually used as an update trigger for remote agents and if so whether it's digest or mtime comparison.
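The two points of this sub-thread in one runnable sketch, added here as an example (not code from the thread or from CFEngine): the stamp is rewritten only when the validator exits 0, and a client trigger based on digest still fires when clock skew defeats the mtime comparison. The function names, the temporary directories and the stand-in validator command are assumptions; in use, the validator would be the `cf-promises ...` command line from the messages above.

```python
import hashlib
import os
import subprocess
import sys
import tempfile
import time

STAMP = "cf_promises_validated"
STAMP_FORMAT = "%a %b %d %H:%M:%S %Y"   # the date format proposed in the thread


def publish_stamp(masterfiles, validator_cmd):
    """Run the validator; only on exit status 0 replace the stamp file.

    The stamp is written to a temporary file in the same directory and then
    renamed over the old one, so a client copying it never sees a partial file.
    Returns True if the stamp was updated, False if validation failed.
    """
    if subprocess.run(validator_cmd).returncode != 0:
        return False
    fd, tmp = tempfile.mkstemp(prefix="." + STAMP + ".", dir=masterfiles)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(time.strftime(STAMP_FORMAT) + "\n")
        os.chmod(tmp, 0o644)
        os.replace(tmp, os.path.join(masterfiles, STAMP))
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return True


def file_digest(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def update_by_mtime(server_stamp, local_stamp):
    """Pre-3.3 style trigger: pull policy only if the server file is newer."""
    if not os.path.exists(local_stamp):
        return True
    return os.path.getmtime(server_stamp) > os.path.getmtime(local_stamp)


def update_by_digest(server_stamp, local_stamp):
    """Content-based trigger: pull policy whenever the stamp contents differ."""
    if not os.path.exists(local_stamp):
        return True
    return file_digest(server_stamp) != file_digest(local_stamp)


def skew_demo():
    """Return (mtime_decision, digest_decision) for a client whose copy of the
    stamp is older in content but carries a later mtime than the server's."""
    with tempfile.TemporaryDirectory() as top:
        master = os.path.join(top, "masterfiles")
        inputs = os.path.join(top, "inputs")
        os.mkdir(master)
        os.mkdir(inputs)
        # Stand-in for a successful validation run.
        publish_stamp(master, [sys.executable, "-c", "pass"])
        server = os.path.join(master, STAMP)
        local = os.path.join(inputs, STAMP)
        with open(local, "w") as fh:
            fh.write("Thu Jun 21 12:00:00 2012\n")   # constructed old stamp
        future = time.time() + 86400                 # simulated skew: one day ahead
        os.utime(local, (future, future))
        return update_by_mtime(server, local), update_by_digest(server, local)


if __name__ == "__main__":
    print("mtime trigger fires: %s, digest trigger fires: %s" % skew_demo())
```

The stamp has one-second resolution, so two validations within the same second produce identical contents and would not change the digest.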
Re: which cfengine_stdlib.cf
On 06/21/2012 02:50 PM, Ted Zlatanov wrote:
> On Thu, 21 Jun 2012 13:46:15 +0200 Bas van der Vlies wrote:
>
> BvdV> Question which cfengine_stdlib.cf to use? Is copbl repository the
> leading one
>
> BvdV> There is one in the copbl and one in the design-center repository and
> they differ:
>
> I have not updated CFEngine::stdlib in Design Center from the copbl
> repository because the newer stdlib version has service promises, while
> Design Center supports 3.2.x, which doesn't have service promises.
>
> There are very exciting changes coming in 3.4 (see the cfengine core
> Github repository, and Mark Burgess tweeted about metadata and
> namespaces) so when that's out we're very likely to make it the minimum
> required version for Design Center, and to do minor sketch rewrites to
> make use of the new functionality.
>

I have seen and read them ;-). So the copbl will be the leading one. Then I will use this one and forget the others.

Will the metadata or name space solve the problem of multiple includes of copbl library or is this scenario impossible with cf-sketch?

--
Bas van der Vlies    e-mail: b...@sara.nl
SARA - Academic Computing Services Amsterdam, The Netherlands
180+ instances of cf-execd and cf-agent
In testing that the promises for a given machine were sufficient to reconfigure it from scratch, I did a fresh OS install to a VM, bootstrapped CFE and manually started cf-agent. After about 30 minutes and the fourth email from the system, it had converged. I noted a few things that were missing, e.g. ssh configuration. So I made the policy changes over the course of the day.

Last night before leaving I rolled the VM back to the baseline OS install and bootstrapped CFE to test my changes. After about 10 minutes I got an email reporting what happened during initial run but no reports thereafter. This morning I get in and find the machine has 182 (and climbing) copies of cf-execd and cf-agent. Other than my seemingly minor tweaks the only difference I am aware of is that the second time I did not run cf-agent manually at all, I let cf-execd start the processes.

I suspect it is somehow related to initial package installation and there is a possibly related discussion on the list from last year https://cfengine.com/forum/read.php?3,19505,19598, but I saw no clear resolution.

My questions are, how can I see what the active copy of cf-agent is doing that it did not complete? It does not have any child processes showing up in pstree.

The second question is how may I prevent this in the future but still have the system converge in a reasonable amount of time?

--
Ron Parker
Don't type things you find on the Internet into your computer!
:(){ :|:&};:
Re: 180+ instances of cf-execd and cf-agent
Hey Ron

I have the following in a promise. You may want to adjust the values of "ago" there. I execute cf-agent once an hour. If I see a cf-agent process older than 2 hours old, I have the current execution kill that process and I raise a class that I report on. You could use this same thing to kill cf-execd.

Hope this helps. Really, you should look at the verbose output of cf-agent -v to determine what the agent is hanging on. I've usually found this to be something like a stale NFS mount point.

Cheers
Mike

    processes:

      linux|sunos_5_10::

        "cf-agent"
          handle         => "verify_cf_agent_doesnt_pile_up",
          process_select => cfagent_cruft,
          signals        => { "kill" },
          classes        => if_repaired("cfagent_haywire");

    ###
    #
    body process_select cfagent_cruft
    {
      command => ".*cf-agent$";

      # arguments for the ago function
      # arg1 : Years, in the range 0,1000
      # arg2 : Months, in the range 0,1000
      # arg3 : Days, in the range 0,1000
      # arg4 : Hours, in the range 0,1000
      # arg5 : Minutes, in the range 0,1000
      # arg6 : Seconds, in the range 0,4

      # Kill any cf-agent process that's been lingering around, but stop
      # from -2 hours ago so we don't kill our current execution.
      stime_range    => irange(0,ago(0,0,0,2,0,0));
      process_result => "command.stime";
    }
Re: 180+ instances of cf-execd and cf-agent
Ron,

It looks to me like you have a promise that's getting hung on something. Run `cf-agent -KIv` (cap k, cap i, little v) and watch the output. You should be able to see where it's hanging.

--
Brian
Re: 180+ instances of cf-execd and cf-agent
As Mike pointed out NFS is a usual culprit.
CFEngine Help: Re: 180+ instances of cf-execd and cf-agent
Forum: CFEngine Help
Subject: Re: 180+ instances of cf-execd and cf-agent
Author: davidlee
Link to topic: https://cfengine.com/forum/read.php?3,26261,26265#msg-26265

What version of cfengine? This might matter... see below.

Over the last 15 months or so, our cfengine3 installation has grown from zero to about 30 machines (RHEL 5.x), running version 3.1.4 of cfengine-community.

I have seen such a pile up of cf-execd and cf-agent processes on one occasion, and it was on a heavily loaded machine. So for us it was a rare event. I suspect that one of the internal locking databases (BerkeleyDB) had got corrupted. Simply restarting cfengine (with a clearout of residual processes) didn't help; the processes started to pile up again. I can't remember the exact cure, but I think it involved wiping the various "/var/cfengine/state/*.db" files between stopping and restarting cfengine.

cfengine has moved on since 3.1.4; it is now at 3.3.4. One of the major changes has been to use a different database backend, not BerkeleyDB. Indeed, I understand that a major reason for this decision was precisely BerkeleyDB's poor resilience under certain load and error conditions.

For problems such as the one I saw (which sounds like yours), the advice would almost certainly be to migrate to a newer version of cfengine, rather than spend too much time trying to debug this problem on this older version with its known-problematic backend database.

(Your mileage may vary, of course!)
CFEngine Help: Re: 180+ instances of cf-execd and cf-agent
Forum: CFEngine Help
Subject: Re: 180+ instances of cf-execd and cf-agent
Author: davidlee
Link to topic: https://cfengine.com/forum/read.php?3,26261,26266#msg-26266

Sorry, my previous message may have confused two distinct things about managing this:

Assuming 3.1.4 (or thereabouts) with BerkeleyDB:

1. For the current, live "incident" (to use ITIL terminology), you may need to look at wiping "/var/cfengine/state/*.db" while cfengine is shutdown.

2. For the longer-term strategy, plan a transition to a more recent version of cfengine.
Re: which cfengine_stdlib.cf
Hi Bas,

Indeed, the version in github.com/cfengine/copbl/ is the master copy, from which the others are (sometimes inconsistently) updated. We are working on cleaning up some of this to reduce confusion.

Namespace support will help reduce a lot of potential name collisions among Design Center sketches. I am not sure yet how we will solve the problem of multiple stdlib inclusions, still thinking about it.

--Diego
Problem accessing list variables in hash
I want to have a bundle that creates system user accounts, and adds a list of authorised ssh keys to those accounts. So, what I have is:-

    bundle agent do_config
    {
    vars:
      "users[www-user][gecos]"   string => "Web server user";
      "users[www-user][home]"    string => "/var/lib/www";
      "users[www-user][group]"   string => "www-user";
      "users[www-user][sshkeys]" slist  => { "fred", "bill", "mary" };

    methods:
      "users" usebundle => create_system_users("streamer_config.users");
    }

    bundle agent create_system_users(info)
    {
    vars:
      "addgroup" string => "/usr/sbin/addgroup";
      "adduser"  string => "/usr/sbin/adduser";
      "user"     slist  => getindices("$(info)");

    classes:
      "add_$(user)"       not => userexists("$(user)");
      "add_$(user)_group" not => groupexists("$($(info)[$(user)][group])");

    commands:
      "$(addgroup)"
        args       => "--system --quiet $($(info)[$(user)][group])",
        comment    => "Add the private group",
        ifvarclass => canonify("add_$(user)_group");

      "$(adduser)"
        args       => "--system --ingroup $($(info)[$(user)][group]) --home \"$($(info)[$(user)][home])\" --disabled-password --quiet --gecos \"$($(info)[$(user)][gecos])\" $(user)",
        comment    => "Add the user account",
        ifvarclass => canonify("add_$(user)");
    }

I want to find a way inside the create_system_users bundle to access the list of key owners, so I can add those keys into the authorised file. However, I can't find a construction that works to iterate across the list.

I have tried numerous ways to achieve this, without any luck. Most recently, I have tried declaring a new variable in the create_system_users bundle, like this:-

    "keys" slist => { "@($(info)[$(user)][sshkeys])" };

I am now just following a twisty maze of brackets in a random fashion :-(. Can anyone offer some help?

Thanks,
Mike
Re: CFEngine Help: Re: 180+ instances of cf-execd and cf-agent
The machine in question was running 3.3.3.

--
Ron Parker
Don't type things you find on the Internet into your computer!
:(){ :|:&};:
CFEngine Help: Re: Problem accessing list variables in hash
Forum: CFEngine Help
Subject: Re: Problem accessing list variables in hash
Author: zzamboni
Link to topic: https://cfengine.com/forum/read.php?3,26268,26270#msg-26270

Hi Mike,

Due to the way variable convergence works in CFEngine, looping over multi-dimensional arrays doesn't work as one would expect. I've encountered this many times myself, and need to remind myself that CFEngine is *not* a conventional programming language.

One way to achieve what you want is to move the loop over the users to the caller bundle, i.e. call the bundle once per user. This way, the inner bundle is only dealing with a plain array. This snippet works:

    body common control
    {
      bundlesequence => { "test" };
    }

    bundle agent test
    {
    vars:
      "users[www-user][gecos]"   string => "Web server user";
      "users[www-user][home]"    string => "/var/lib/www";
      "users[www-user][group]"   string => "www-user";
      "users[www-user][sshkeys]" slist  => { "fred", "bill", "mary" };

      # User loop moved from the inner bundle to the caller
      "userlist" slist => getindices("users");

    methods:
      # Bundle called once per user, with the username and its
      # corresponding part of the array
      "users" usebundle => create_system_user("$(userlist)", "test.users[$(userlist)]");
    }

    bundle agent create_system_user(u, p)
    {
    vars:
      "keys" slist => { "@($(p)[sshkeys])" };

    reports:
      cfengine::
        "user: $(u)";
        "keys: $(keys)";
    }
Re: which cfengine_stdlib.cf
On Thu, 21 Jun 2012 11:40:32 -0500 Diego Zamboni wrote:

DZ> Indeed, the version in github.com/cfengine/copbl/ is the master
DZ> copy, from which the others are (sometimes inconsistently)
DZ> updated. We are working on cleaning up some of this to reduce
DZ> confusion.

DZ> Namespace support will help reduce a lot of potential name collisions
DZ> among Design Center sketches. I am not sure yet how we will solve the
DZ> problem of multiple stdlib inclusions, still thinking about it.

I was thinking about this, and what makes the most sense to me is to have:

CFEngine::stdlib => latest from Git, requires at least 3.3.x in sketch.json, but there's no max version

CFEngine::stdlib::3_2_0 => works with versions from 3.1.1 up to 3.2.0, and sketch.json specifies the supported version interval

CFEngine::stdlib::3_1_0 => works with versions from 3.0.0 up to 3.1.0, and sketch.json specifies the supported version interval

I am proposing this scheme because so many things validate the policy syntax before we ever get to run bundles, and namespaces don't prevent the syntax checks. We really need to do the separation at the sketch level.

My assumptions are that bugfixes in the mainline will be backported to every version-bound stdlib sketch; that we will only make new stdlib forks when absolutely necessary; that we don't have holes in the version coverage; that stdlib changes are backwards compatible; and that this kind of manual segregation is most useful to the cfengine community.

Obviously it's a pain to maintain, but the stdlib benefits everyone so it's worth a little effort. Let me know what you think.

Ted
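The version-interval scheme proposed above, written out as a selection and coverage check. This is an added example, not part of the original post and not Design Center code: the sketch names and intervals are taken from the post, while the tuple layout, reading "3.3.x" as a 3.3.0 minimum, and the sample version list are assumptions made for the illustration.

```python
# Added illustration. Sketch names and intervals come from the proposal above;
# "3.3.x" is modelled as a 3.3.0 minimum, and the tuple layout is hypothetical.
SKETCHES = [
    # (sketch name, minimum agent version, maximum agent version or None)
    ("CFEngine::stdlib", "3.3.0", None),
    ("CFEngine::stdlib::3_2_0", "3.1.1", "3.2.0"),
    ("CFEngine::stdlib::3_1_0", "3.0.0", "3.1.0"),
]

# Constructed sample of agent versions to audit, not a list of real releases.
SAMPLE_VERSIONS = ["3.0.5", "3.1.0", "3.1.5", "3.2.0", "3.2.4", "3.3.3", "3.10.0"]


def parse(version):
    """Turn '3.10.0' into (3, 10, 0) so comparison is numeric, not textual."""
    return tuple(int(part) for part in version.split("."))


def matches(agent_version, sketches=SKETCHES):
    """Names of every sketch whose interval contains agent_version."""
    v = parse(agent_version)
    return [name for name, low, high in sketches
            if parse(low) <= v and (high is None or v <= parse(high))]


def select(agent_version, sketches=SKETCHES):
    """Return the single matching sketch; refuse holes and overlaps."""
    found = matches(agent_version, sketches)
    if len(found) != 1:
        raise LookupError(f"{agent_version}: expected 1 sketch, got {found}")
    return found[0]


def audit(versions, sketches=SKETCHES):
    """Split versions into those no sketch covers and those several cover."""
    uncovered = [v for v in versions if not matches(v, sketches)]
    ambiguous = [v for v in versions if len(matches(v, sketches)) > 1]
    return uncovered, ambiguous


if __name__ == "__main__":
    for v in SAMPLE_VERSIONS:
        print(v, "->", matches(v) or "NOT COVERED")
    print("audit:", audit(SAMPLE_VERSIONS))
```

Running the audit over the agent versions actually deployed, before a new version-bound sketch is published, tests the "no holes in the version coverage" assumption against that fleet.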
CFEngine Help: Re: Problem accessing list variables in hash
Forum: CFEngine Help
Subject: Re: Problem accessing list variables in hash
Author: nickanderson
Link to topic: https://cfengine.com/forum/read.php?3,26268,26272#msg-26272

Hi Mike,

I think I would do it in a different way. You seem to have a user creation bundle already. Perhaps you could consider installing ssh keys as a different function. You could define it the same way you have now. You could use the Design Center style prefix parameter.

    body common control
    {
      bundlesequence => { "main", };
      inputs => { "cfengine_stdlib.cf", };
    }

    bundle agent main
    {
    vars:
      "users" string => "Web server user";
      "users" string => "/var/lib/www";
      "users" string => "www-user";
      "users" slist => { "fred", "bill" };

    methods:
      "users" usebundle => create_system_users("streamerconfig.users"),
        comment => "This would do your user creation part";

      "sshkeys" usebundle => install_ssh_keys("main.users"),
        comment => "Install specified ssh keys for user";
    }

    bundle agent install_ssh_keys(prefix)
    {
    # read in contents of $(keystore)/$(keyname).pub and ensure they are in
    # the specified user's authorized_keys file
    # expects prefix style passing
    # vars:
    #   "users" slist => { "key1", "key2" };

    vars:
      "keystore" string => "/tmp/sshkeystore",
        comment => "Directory where we expect to find ssh public keys in the form keyname.pub";

      "keylist" slist => { "@($(prefix))" };

      # I'm blanking on how to get the contents of each file into an element of a list
      # This works, but prevents you from using edit_defaults => empty
      # since each line is effectively a separate promise. Passing in a list
      # to edit_line append_if_no_lines would be superior I think.
      "key[$(keylist)]" string => readfile("$(keystore)/$(keylist).pub", "1024");

    files:
      "/tmp/authorized_keys"
        create => "true",
        edit_line => append_if_no_line("$(key[$(keylist)])"),
        comment => "Make sure the key is included in authorized_keys";
    }