CFEngine Help: Darwin/OS X: cf-execd log entries
Forum: CFEngine Help
Subject: Darwin/OS X: cf-execd log entries
Author: bernhard.gl...@ecologic.eu
Link to topic: https://cfengine.com/forum/read.php?3,27331,27331#msg-27331

Hi all,

on my darwin systems I can't get rid of these annoying log entries each time cf-execd is calling the cf-agent:

    dnssd_clientstub write_all: SO_ISDEFUNCT failed 38 Socket operation on non-socket

Does anybody have an idea?

TIA
Bernhard
___
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
CFEngine Help: Re: configure:14448: error: Cannot find OpenSSL on HP-UX 11.31..... cfengine-3.2.4
Forum: CFEngine Help
Subject: Re: configure:14448: error: Cannot find OpenSSL on HP-UX 11.31. cfengine-3.2.4
Author: cfengine2o12
Link to topic: https://cfengine.com/forum/read.php?3,27200,27334#msg-27334

I tried with the qdbm depot. However I'm using the cfengine tar ball for 3.3.4 and used configure manually.. but getting an error stating: QDBM not found

    ./configure --with-qdbm=/usr --with-pcre=/opt/cfengine --prefix=/opt/cfengine LDFLAGS="-L/usr/local/lib/hpux64"
    :
    :
    ./configure[13723]: pg_config: A test command parameter is not valid.
    checking for PQconnectdb in -lpq... no
    checking libpq-fe.h usability... no
    checking libpq-fe.h presence... no
    checking for libpq-fe.h... no
    checking for mysql_real_connect in -lmysqlclient... no
    checking mysql.h usability... yes
    checking mysql.h presence... yes
    checking for mysql.h... yes
    checking for dpopen in -lqdbm... no
    configure: error: Cannot find QDBM

    # swlist | grep qdbm
    qdbm 1.8.77 qdbm
    # find / -name qdbm
    /usr/local/doc/qdbm
    /usr/local/share/qdbm
    /var/adm/sw/products/qdbm

Not sure what is going wrong here...?
Registration is open for intensive CFEngine 3 training in Palo Alto in October
Hello,

We still have a few spots available in our upcoming CFEngine 3 training in October in Palo Alto. This intensive four day course builds a solid foundation for understanding and using CFEngine 3.

Student successes from my training:

The balance between theoretical and practical knowledge is just perfect. No bullshit.
-- Bernard Brandl

Thank you for such a great class. Been to lots of technical training and you are the best instructor I've had. Beyond standard lecture/lab your examples and willingness to help with non-class related questions pertaining to CFEngine is unmatched.
-- Thomas Nicholson

I was able to "unlearn" some of my bad habits that came with my legacy cfengine2 set up. A lot of the things that previously made cfengine3 daunting to me are now clear and approachable.
-- Brian Bennett

Sign up now at http://www.eventbrite.com/event/3388161081

Best,
Aleksey
CFEngine Help: Re: configure:14448: error: Cannot find OpenSSL on HP-UX 11.31..... cfengine-3.2.4
Forum: CFEngine Help
Subject: Re: configure:14448: error: Cannot find OpenSSL on HP-UX 11.31. cfengine-3.2.4
Author: Beto
Link to topic: https://cfengine.com/forum/read.php?3,27200,27335#msg-27335

I've given you a step by step process that is tested and known to work - but you choose not to use it and instead want to reinvent the wheel???

Look at cfengine.src.install above.
CFEngine Help: Re: configure:14448: error: Cannot find OpenSSL on HP-UX 11.31..... cfengine-3.2.4
Forum: CFEngine Help
Subject: Re: configure:14448: error: Cannot find OpenSSL on HP-UX 11.31. cfengine-3.2.4
Author: cfengine2o12
Link to topic: https://cfengine.com/forum/read.php?3,27200,27337#msg-27337

Hi Beto,

Sorry.. I have tried that already.. I chose the ./configure option after getting this..

    # ./cf.src.install
    Can't exec "automake": No such file or directory at /usr/local/bin/autoreconf line 242.
    Use of uninitialized value $automake in pattern match (m//) at /usr/local/bin/autoreconf line 242.
    Can't exec "aclocal": No such file or directory at /usr/local/share/autoconf/Autom4te/FileUtils.pm line 326.
    autoreconf: failed to run aclocal: No such file or directory

    #cat cf.src.install
    #!/usr/bin/sh
    BUILD_ROOT=/opt/cf
    DEST_ROOT=/opt/cfengine
    CFE_VERSION=3.3.4
    CFE_SRC=cfengine-${CFE_VERSION}.tar.gz
    CFE_DIR=${BUILD_ROOT}/cfengine-${CFE_VERSION}
    ./autogen.sh --prefix="${DEST_ROOT}/cfengine-${CFE_VERSION}" \
        --with-qdbm \
        --disable-shared \
        CFLAGS="-Agcc -O -I/usr/local/include" \
        LDFLAGS="-L/usr/local/lib/hpux32"
    [ $? -eq 0 ] || exit 1
    gmake
    [ $? -eq 0 ] || exit 1
    gmake install
    [ $? -eq 0 ] || exit 1
CFEngine Help: Convert soft class name to variable
Forum: CFEngine Help
Subject: Convert soft class name to variable
Author: davinken
Link to topic: https://cfengine.com/forum/read.php?3,27338,27338#msg-27338

Is there any workaround to get the soft-class that would reflect the architecture of my system, 64_bit or 32_bit, assigned to a variable?

I have many configuration files or executables that depend on this, and are named e.g.:

    /usr/local/bin/myfile.64_bit
    /usr/local/bin/myfile.32_bit

as they reside in a golden files server referenced by $(def.goldenfilessrv) elsewhere.

So I would like to have CF3 copy my file in a promise such as:

    vars:
      "myfile" string => "/usr/local/bin/myfile";

    files:
      "$(myfile)"
        copy_from => remote_dcp( "$(def.fcfdir)$(myfile).$(architecture)", "$(def.goldenfilessrv)" ),
        perms => mog( "755", "root", "root" );

where the variable "architecture" is set to either "64_bit" or "32_bit" according to the soft-detected class with those same values.

Any hints?

Thanks
CFEngine Help: Re: Convert soft class name to variable
Forum: CFEngine Help
Subject: Re: Convert soft class name to variable
Author: neilhwatson
Link to topic: https://cfengine.com/forum/read.php?3,27338,27339#msg-27339

Already exists. See sys.vars

http://cfengine.com/manuals/cf3-Reference#Variable-sys_002earch
CFEngine Help: Auto reloading of cf-execd and cf-serverd after policy change
Forum: CFEngine Help
Subject: Auto reloading of cf-execd and cf-serverd after policy change
Author: aleksey_c
Link to topic: https://cfengine.com/forum/read.php?3,27340,27340#msg-27340

Hello,

I want to reload cf-execd and cf-serverd automatically after policy change. After some googling I found the following commit https://github.com/cfengine/core/pull/21. But if I try to change the schedule parameter in body executor control, cf-execd does not change its scheduling interval until restart. Also it seems like bundle server access_rules() does not reload automatically.

Please share your experience, how to safely reload cf-execd and cf-serverd automatically on policy change?
CFEngine Help: Re: Auto reloading of cf-execd and cf-serverd after policy change
Forum: CFEngine Help
Subject: Re: Auto reloading of cf-execd and cf-serverd after policy change
Author: neilhwatson
Link to topic: https://cfengine.com/forum/read.php?3,27340,27341#msg-27341

If you run cf-serverd -vF you can see it reload policy very frequently. I agree that cf-execd is not likely to reload until its next preconfigured schedule interval. I do not believe that cf-execd watches files like Vixiecron does.

I'm in the habit of reloading cf3 programs, when inputs are updated, in a custom built failsafe.
CFEngine Help: Re: Auto reloading of cf-execd and cf-serverd after policy change
Forum: CFEngine Help
Subject: Re: Auto reloading of cf-execd and cf-serverd after policy change
Author: aleksey_c
Link to topic: https://cfengine.com/forum/read.php?3,27340,27342#msg-27342

Is it safe to restart cf-execd from running cf-agent? Have you had any problems with broken policies that prevented start of cf-execd after update?
CFEngine Help: Re: Auto reloading of cf-execd and cf-serverd after policy change
Forum: CFEngine Help
Subject: Re: Auto reloading of cf-execd and cf-serverd after policy change
Author: neilhwatson
Link to topic: https://cfengine.com/forum/read.php?3,27340,27343#msg-27343

AFAIK cf-agent is free from cf-execd such that if you kill cf-execd cf-agent will continue. I have never seen a problem from this.
CFEngine Help: Re: Auto reloading of cf-execd and cf-serverd after policy change
Forum: CFEngine Help
Subject: Re: Auto reloading of cf-execd and cf-serverd after policy change
Author: sauer
Link to topic: https://cfengine.com/forum/read.php?3,27340,27345#msg-27345

neilhwatson Wrote:
---
> AFAIK cf-agent is free from cf-execd such that if
> you kill cf-execd cf-agent will continue. I have
> never seen a problem from this.

Does cf-execd connect cf-agent's STDOUT to the log file directly and then read it later, or does it gather the output from cf-agent so it can put that into an email and log file later?
CFEngine Help: Re: Namespace change
Forum: CFEngine Help
Subject: Re: Namespace change
Author: sauer
Link to topic: https://cfengine.com/forum/read.php?3,27302,27346#msg-27346

Is there a link somewhere with a little more context around this? I've not seen a lot of the design center discussions, but more controlled namespacing is something I've been hoping for.

Right now, I've just got some strict procedures for naming conventions, and some pre-commit automation to half-heartedly ensure that a distributed development team actually follows the naming convention. If there's an upcoming cleaner way to address the problem, I'd like to read more about it. :)
CFEngine Help: Re: Auto reloading of cf-execd and cf-serverd after policy change
Forum: CFEngine Help
Subject: Re: Auto reloading of cf-execd and cf-serverd after policy change
Author: neilhwatson
Link to topic: https://cfengine.com/forum/read.php?3,27340,27347#msg-27347

That I do not know. You could write a test policy to see if stdout is lost after cf-execd is killed.
CFEngine Help: Re: Namespace change
Forum: CFEngine Help
Subject: Re: Namespace change
Author: neilhwatson
Link to topic: https://cfengine.com/forum/read.php?3,27302,27348#msg-27348

Small discussion here.

https://cfengine.com/forum/read.php?3,26394,26416#msg-26416
CFEngine Help: Re: Namespace change
Forum: CFEngine Help
Subject: Re: Namespace change
Author: zzamboni
Link to topic: https://cfengine.com/forum/read.php?3,27302,27349#msg-27349

sauer: name spaces are already in the documentation: https://cfengine.com/manuals/cf3-Reference#Name-spaces
CFEngine Help: Re: Bootstrapping / Files copied
Forum: CFEngine Help
Subject: Re: Bootstrapping / Files copied
Author: sauer
Link to topic: https://cfengine.com/forum/read.php?3,27314,27344#msg-27344

All I put in the hard-coded "masterfiles" is a minimal failsafe.cf (and a promises.cf, which gets overwritten) that knows how to pull down the "real" policy from another location. Partially because I have a collection of host-specific policies and files which include things like admin passwords for the individual host, private SSL & SSH keys, etc.

The other reason is to facilitate a longer-term structure where I can eventually allow any host access to the "general" policy, while only specifically trusted hosts are allowed access to the "real" policy. The idea's to trust any keys that come in on the first stage system, and have an automated process approve keys which came from systems which were expected to be rebuilt, while unexpected new keys trigger a manual approval process.
CFEngine Help: log_* in action bodies created duplicate entries
Forum: CFEngine Help
Subject: log_* in action bodies created duplicate entries
Author: neilhwatson
Link to topic: https://cfengine.com/forum/read.php?3,27350,27350#msg-27350

Consider this:

    body common control
    {
      bundlesequence => { "test" };
      inputs => { "cfengine_stdlib.cf" };
    }

    bundle agent test
    {
      vars:
        "software" slist => { "/tmp/123", "/tmp/xyz" };

      files:
        "$(software)"
          create => "true",
          perms => m("644"),
          action => logme("$(software)");
    }

    body action logme(x)
    {
      log_kept => "/tmp/private_keptlog.log";
      log_failed => "/tmp/private_faillog.log";
      log_repaired => "/tmp/private_replog.log";
      log_string => "$(sys.date) $(x) promise status";
    }

Now we run it.

    -> Created file /tmp/123, mode = 420
    -> Created file /tmp/xyz, mode = 420

    $ date
    Thu Sep 13 14:24:56 EDT 2012
    $ ls -l /tmp/123
    -rw-r--r-- 1 newatson cad 0 Sep 13 14:24 /tmp/123
    $ ls -l /tmp/xyz
    -rw-r--r-- 1 newatson cad 0 Sep 13 14:24 /tmp/xyz
    $ ls -l /tmp/private_*
    -rw-rw-rw- 1 newatson cad 294 Sep 13 14:24 /tmp/private_keptlog.log
    -rw-rw-rw- 1 newatson cad 98 Sep 13 14:24 /tmp/private_replog.log
    $ cat /tmp/private_keptlog.log
    Thu Sep 13 14:24:38 2012 /tmp/123 promise status
    Thu Sep 13 14:24:38 2012 /tmp/123 promise status
    Thu Sep 13 14:24:38 2012 /tmp/123 promise status
    Thu Sep 13 14:24:38 2012 /tmp/xyz promise status
    Thu Sep 13 14:24:38 2012 /tmp/xyz promise status
    Thu Sep 13 14:24:38 2012 /tmp/xyz promise status
    $ cat /tmp/private_replog.log
    Thu Sep 13 14:24:38 2012 /tmp/123 promise status
    Thu Sep 13 14:24:38 2012 /tmp/xyz promise status

How did eight log entries come from this? Ideally I should see just one for each promiser. At worst I might expect to see two, one for create and one for chmod for each promiser.
Re: CFEngine Help: Darwin/OS X: cf-execd log entries
On Thu, 13 Sep 2012 09:23:18 +0200 (CEST) bernhard.gl...@ecologic.eu wrote:

b> on my darwin systems I can't get rid of this annoying log entries each time cf-execd is calling the cf-agent:
b> dnssd_clientstub write_all: SO_ISDEFUNCT failed 38 Socket operation on non-socket
b> anybody an idea?

How did you compile cfengine? I use Homebrew to make Community on Mac OS X Mountain Lion and don't get this error.

Ted
CFEngine Help: Re: configure:14448: error: Cannot find OpenSSL on HP-UX 11.31..... cfengine-3.2.4
Forum: CFEngine Help
Subject: Re: configure:14448: error: Cannot find OpenSSL on HP-UX 11.31. cfengine-3.2.4
Author: Beto
Link to topic: https://cfengine.com/forum/read.php?3,27200,27351#msg-27351

You need to install automake, gmake and all of their run-time dependencies from the Porting and Archive Centre. There are quite a few dependencies for these packages, but they install easily and are only needed on the system you build cfengine on.
Re: CFEngine Help: Re: Why it's necessary to restart defined service one time.
On Wed, 5 Sep 2012 20:28:49 +0200 (CEST) juriskrumins wrote:

j> mikesphar Wrote:
>> I believe that is a violation of the Linux
>> Standard Base specifications.

j> 100% agree. But it's obvious we're not in an ideal world. So violation/bugs happens.

"In theory, theory and practice are the same. In practice, they are not."
--Author unknown, but attributed to Yogi Berra and Einstein among others
Re: CFEngine Help: Re: passing lists to external body parts
On Mon, 10 Sep 2012 22:22:30 +0200 (CEST) sauer wrote:

> as long as we're wishing for anonymous structures. :)

Design Center (through cf-sketch) attempts to alleviate this problem by feeding a unique prefix to the sketch "entry point" bundle, and prefixing every variable with it. Thus you can call a bundle multiple times with unique parameters.

I know it's not exactly what you are requesting :)

Ted
CFEngine Help: Re: configure:14448: error: Cannot find OpenSSL on HP-UX 11.31..... cfengine-3.2.4
Forum: CFEngine Help
Subject: Re: configure:14448: error: Cannot find OpenSSL on HP-UX 11.31. cfengine-3.2.4
Author: Beto
Link to topic: https://cfengine.com/forum/read.php?3,27200,27355#msg-27355

You'll also need gmake from the Porting and Archive Centre. It's listed on the PAC as "make".

At a minimum you'll also need autoconf, gettext, libtool and m4 and all their run-time dependencies from PAC. There are quite a few but most of this is only needed on the system you build cfengine on.
Re: CFEngine Help: Policy distribution
On Sat, 1 Sep 2012 11:08:13 +0200 (CEST) mpr wrote:

> Currently our policy is kept in git and distributed using
> cf-serverd. Since we already have public/private key authentication
> for git why not use git to distribute the files instead of cf-serverd
> (running "git pull" from update.cf)? Any ideas or suggestions on this?

As Nick mentioned, VCS::vcs_mirror in Design Center addresses this.

`git pull' alone may attempt a merge, which will leave your file tree in a bizarro state that, unless you are very comfortable with Git, will be hard to resolve. So at least check out the `git' commands in VCS::vcs_mirror to see how to do a safer pull without the merge risk.

Ted
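One way to pull policy without any merge step, as an added example that is not part of the message above and is not the code of VCS::vcs_mirror: fetch, then hard-reset the checkout to the fetched branch. The function names, the remote name `origin`, the branch `main` and the demo repositories are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not the VCS::vcs_mirror code):
# update a policy checkout so it matches upstream exactly, with no merge step.
# sync_policy, make_diverged_demo, the remote "origin" and the branch "main"
# are assumptions made for this illustration.

# usage: sync_policy <checkout-dir> <branch>
sync_policy() {
    dir=$1 branch=$2
    # 1. Download new commits only; the working tree is not touched.
    git -C "$dir" fetch --quiet origin || return 1
    # 2. Stop if the expected remote-tracking branch does not exist.
    git -C "$dir" rev-parse --verify --quiet \
        "refs/remotes/origin/$branch" >/dev/null || return 1
    # 3. Point the checkout at the fetched commit, discarding local commits
    #    and edits instead of merging them, so no conflict markers can appear.
    git -C "$dir" reset --quiet --hard "refs/remotes/origin/$branch" || return 1
    # 4. Delete untracked files so leftover policy files cannot linger.
    git -C "$dir" clean --quiet -fd
}

# Constructed fixture: an upstream repository and a host checkout whose
# promises.cf was changed on both sides, so a plain "git pull" would conflict.
# usage: make_diverged_demo <existing-empty-dir>
make_diverged_demo() {
    base=$1
    g() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }
    g init --quiet "$base/upstream" &&
    git -C "$base/upstream" symbolic-ref HEAD refs/heads/main &&
    echo 'body common control { bundlesequence => { "v1" }; }' \
        > "$base/upstream/promises.cf" &&
    g -C "$base/upstream" add promises.cf &&
    g -C "$base/upstream" commit --quiet -m "policy v1" &&
    g clone --quiet "$base/upstream" "$base/host" &&
    echo '# local hotfix made on the host' > "$base/host/promises.cf" &&
    g -C "$base/host" commit --quiet -am "local edit" &&
    echo 'body common control { bundlesequence => { "v2" }; }' \
        > "$base/upstream/promises.cf" &&
    g -C "$base/upstream" commit --quiet -am "policy v2" &&
    echo 'stale' > "$base/host/stray.cf"
}
```

To try it: `d=$(mktemp -d); make_diverged_demo "$d"; sync_policy "$d/host" main`. The hard reset deliberately throws away local changes in the checkout, which is the intended trade-off for a directory that should only ever mirror upstream.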
Re: CFEngine Help: Re: List element extraction fails
On Fri, 31 Aug 2012 20:00:22 +0200 (CEST) neilhwatson wrote:

> AFAIK it is not possible to call out a single element in a list.

I don't endorse it, but I've heard you can use a file with grep/head/tail to do this ;)

Ted
Re: CFEngine Help: Policy distribution
On 09/13/2012 02:38 PM, Ted Zlatanov wrote:

> As Nick mentioned, VCS::vcs_mirror in Design Center addresses this.

There is a git_failsafe.cf or something similar in contrib that Ted has been working on. I haven't tried it out. I have just inlined the vcs_mirror sketch to failsafe.cf manually.
CFEngine Help: Re: Auto reloading of cf-execd and cf-serverd after policy change
Forum: CFEngine Help
Subject: Re: Auto reloading of cf-execd and cf-serverd after policy change
Author: aleksey_c
Link to topic: https://cfengine.com/forum/read.php?3,27340,27357#msg-27357

Can someone explain the purpose of the following patch https://github.com/cfengine/core/pull/21? The description says "Add automatic reloading of promises to cf-execd".

I looked at the source code. These changes are included in the current Community version. But I do not fully understand the meaning. At least, changing of the "schedule" parameter does not work.
Re: CFEngine Help: Policy distribution
On Thu, 13 Sep 2012 14:43:47 -0500 Nick Anderson wrote:

NA> On 09/13/2012 02:38 PM, Ted Zlatanov wrote:
>> As Nick mentioned, VCS::vcs_mirror in Design Center addresses this.

NA> There is a git_failsafe.cf or something similar in contrib that Ted has
NA> been working on. I haven't tried it out. I have just inlined the
NA> vcs_mirror sketch to failsafe.cf manually.

They are surprisingly similar. Almost as if they were written by the same guy ;)

Ted
CFEngine Help: Re: Convert soft class name to variable
Forum: CFEngine Help
Subject: Re: Convert soft class name to variable
Author: davinken
Link to topic: https://cfengine.com/forum/read.php?3,27338,27361#msg-27361

This implied some renaming/copying in the file server, but did the job well. (Those files are being also distributed by a concurrent CF2 server still attending part of the network)

Just FYI, the next snippet now works:

    vars:
      "brudir" string => "/usr/local/bru-server";
      "bru_executables" slist => {
        "$(brudir)/agent",
        "$(brudir)/bru",
        "$(brudir)/bru-server.cmd",
        "$(brudir)/lzop"
      };

    files:
      "$(bru_executables)"
        comment => "BRU binaries, dependent on system architecture.",
        copy_from => remote_dcp( "$(def.fcfdir)$(bru_executables).$(sys.arch)", "$(def.goldenfilessrv)" ),
        perms => mog( "750", "root", "root" ),
        handle => "bru_binaries_distribution";

In the file server, those files have been just named agent.x86_64 / agent.i386; bru.x86_64 / bru.i386 and so on.

Thanks
Shellcommands get SIGTERM'ed. ExpireAfter not working.
Hi!

I'm running CFEngine2 (2.2.10-4build2, Ubuntu Precise).

I have this server which boots from PXE. There's foo to bootstrap it, then a cron-job runs a shell scripted for-loop:

| for i in 1 2 3 4 5
| do
|   /usr/sbin/cfagent -qKvf cfagent.conf >>/var/log/pxeboot.log 2>&1
|   sleep 5
| done

This is done to speed up configuration of the server.

The first iteration of this loop, also the first time cfagent runs on the system, CFEngine runs a Perl script which in turn runs apt-get. The apt-get process is now taking more than five minutes to complete and gets sent a TERM signal which kills it instantly, leaving packages in a broken state.

Five minutes is also when cfexecd fires off its own cfagent process, and I found this second cfagent is sending TERM signals to the subprocesses of the first (looped) cfagent instance.

This is documented behaviour, prevents 'runaway' processes, though I could not find the seemingly preconfigured ~300 second runtime limit in the reference. It should be configurable through the ExpireAfter and timeout settings but they seem to be ignored?

The relevant cfengine bits read:

| control:
|   any::
|     actionsequence = ( shellcommands )
|
| shellcommands::
|   class1.class2::
|     "/etc/foo/installpkg.pl $(AllClasses)"

I tried changing the actionsequence to include ExpireAfter:

| control:
|   any::
|     actionsequence = ( shellcommands.ExpireAfter30 )

I also tried adding 'timeout=3600 expireafter=3600' to the shellcommand:

| shellcommands::
|   class1.class2::
|     "/etc/foo/installpkg.pl $(AllClasses)"
|       timeout=3600 expireafter=3600

and I tried setting ExpireAfter in control:

| control:
|   any::
|     ExpireAfter = ( 30 )

And combinations of the above. None seem to work.

At this moment I switch off cfexecd during the looped cfagent runs but I'd rather not. Any light on why I can't seem to put an end to the brutal killings? :/

With regards,
-Sander.
--
| 0 bottles of beer on the wall, 0 bottles of beer, you take 1 down,
| pass it around, 4294967295 bottles of beer on the wall.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2
editing iptables under Linux.... tested on CentOS 5... can somebody give it a whirl, please?
Hi. I'd like to contribute the following to the COPBL. Could somebody try it out for me please and let me know if you run into any issues?

    #
    # add_to_iptables_ACL is used to edit Linux iptables config files.
    #
    # Purpose: make it easier to add white-list rules to iptables host firewall.
    #
    # Aleksey Tsalolikhin, 13 Sep 2012
    #
    # Example of how to use it:
    #
    # files:
    #   "/etc/sysconfig/iptables"
    #
    #     edit_line => add_to_iptables_ACL("-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5432 -s 1.2.3.4/32 -j ACCEPT -m comment --comment \"Allow Web server to connect to Postgres\""),
    #     classes => if_repaired("restart_iptables"),
    #     comment => "Allow Web server to connect to Postgres database";

    bundle edit_line add_to_iptables_ACL(line)
    {
      insert_lines:
        "$(line)"
          select_region => between_ACCEPT_established_and_REJECT_everything_else;
    }

    body select_region between_ACCEPT_established_and_REJECT_everything_else
    {
      select_start => "-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT";
      select_end => "-A RH-Firewall-1-INPUT -j REJEC.*";
    }

Best,
Aleksey

--
Upcoming Trainings:
"Time Management for System Administrators" 28 Sep 2012 at Ohio Linux Fest (http://ohiolinux.org/register)
"Editing with vi" 28 Sep 2012 at Ohio Linux Fest (http://ohiolinux.org/register)
"Automating System Administration with CFEngine 3" 22-25 Oct 2012 in Palo Alto, CA (http://www.eventbrite.com/event/3388161081)
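A check for the outcome of the bundle above, as an added example that is not part of the original post or of the COPBL: iptables walks a chain top-down and a packet stops at the first terminating rule it matches, so a white-list line only takes effect if it sits before the REJECT line. The script reuses the post's two region delimiters; the function names, the sample rules file and the port 22 rule are constructed for the illustration.

```shell
#!/bin/sh
# Added example: report where a rule sits relative to the region that the
# post's select_region body selects in an /etc/sysconfig/iptables style file.
# rule_position and write_sample_rules are hypothetical helper names.

# Region delimiters taken from the post. The post's select_end is the regex
# "-A RH-Firewall-1-INPUT -j REJEC.*"; here it is matched as a line prefix.
START='-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
END_PREFIX='-A RH-Firewall-1-INPUT -j REJEC'
# The white-list rule from the post's usage comment.
PG_RULE='-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5432 -s 1.2.3.4/32 -j ACCEPT -m comment --comment "Allow Web server to connect to Postgres"'

# usage: rule_position <rules-file> <exact-rule-line>
# prints: inside    rule is between the ESTABLISHED ACCEPT and the REJECT
#         outside   rule exists but not in that region (after REJECT it is dead)
#         absent    rule is not in the file
#         no-region start or end delimiter missing, nothing can be concluded
rule_position() {
    RULE=$2 START=$START END_PREFIX=$END_PREFIX awk '
        BEGIN { state = 0; found = "absent" }
        # state 0: before region, 1: inside region, 2: REJECT line seen
        state == 0 && $0 == ENVIRON["START"] { state = 1; next }
        state == 1 && index($0, ENVIRON["END_PREFIX"]) == 1 { state = 2 }
        $0 == ENVIRON["RULE"] && found != "inside" {
            found = (state == 1) ? "inside" : "outside"
        }
        END { out = (state == 2) ? found : "no-region"; print out }
    ' "$1"
}

# Constructed sample: a CentOS 5 style rules file in which the Postgres rule
# was appended after the REJECT line, where it can never match.
# usage: write_sample_rules <file>
write_sample_rules() {
    cat > "$1" <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
$START
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
$PG_RULE
COMMIT
EOF
}
```

Running `write_sample_rules /tmp/rules; rule_position /tmp/rules "$PG_RULE"` reports the misplaced rule as `outside`; after the edit_line bundle has converged on a real file the same call should report `inside`.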
Re: editing iptables under Linux.... tested on CentOS 5... can somebody give it a whirl, please?
Hi Aleksey,

Thank you very much for the contribution! I think this might be a better fit for the Design Center than to the COPBL, given that it performs a specific, higher-level task (rather than a generic, lower-level task, which is what we try to keep in the stdlib). We are in the process of redefining the structure that a sketch must have for the design center, but once this is done, it should be fairly simple to convert this bundle to a sketch.

Cheers,
--Diego

On Sep 13, 2012, at 7:17 PM, Aleksey Tsalolikhin wrote:

> Hi. I'd like to contribute the following to the COPBL. Could
> somebody try it out for me please and let me know if you run into any
> issues?
>
> #
>
> # add_to_iptables_ACL is used to edit Linux iptables config files.
> #
> # Purpose: make it easier to add white-list rules to iptables host firewall.
> #
> # Aleksey Tsalolikhin, 13 Sep 2012
> #
> # Example of how to use it:
> #
> # files:
> #"/etc/sysconfig/iptables"
> #
> # edit_line => add_to_iptables_ACL("-A RH-Firewall-1-INPUT
> -m state --state NEW -m tcp -p tcp --dport 5432 -s 1.2.3.4/32 -j
> ACCEPT -m comment --comment \"Allow Web server to connect to
> Postgres\""),
> # classes => if_repaired("restart_iptables"),
> # comment => "Allow Web server to connect to Postgres database";
>
>
> bundle edit_line add_to_iptables_ACL(line) {
>
> insert_lines:
>
> "$(line)"
>
> select_region => between_ACCEPT_established_and_REJECT_everything_else;
>
> }
>
>
> body select_region between_ACCEPT_established_and_REJECT_everything_else
> {
> select_start => "-A RH-Firewall-1-INPUT -m state --state
> ESTABLISHED,RELATED -j ACCEPT";
> select_end => "-A RH-Firewall-1-INPUT -j REJEC.*";
> }
>
>
>
> Best,
> Aleksey
>
>
> --
> Upcoming Trainings:
> "Time Management for System Administrators" 28 Sep 2012 at Ohio Linux
> Fest (http://ohiolinux.org/register)
> "Editing with vi" 28 Sep 2012 at Ohio Linux Fest
> (http://ohiolinux.org/register)
> "Automating System Administration with CFEngine 3" 22-25 Oct 2012 in
> Palo Alto, CA (http://www.eventbrite.com/event/3388161081)
CFEngine Help: Re: Darwin/OS X: cf-execd log entries
Forum: CFEngine Help
Subject: Re: Darwin/OS X: cf-execd log entries
Author: zzamboni
Link to topic: https://cfengine.com/forum/read.php?3,27331,27367#msg-27367

Hi,

I have never seen this message on my Mac (currently running Nova 2.2.2). Which version are you using?

--Diego