Passing iterated lists to append_if_no_lines

2012-05-17 Thread Ron Parker
I am trying to create a bundle that will populate a user's
.ssh/authorized_keys on machines where they have accounts.  I
currently have:

bundle agent ssh {
  vars:
    "user[user123]"     string => "ssh-dss  ...== user@machine";

    "username"          slist  => getindices("user");
    "no_$(username)"    int    => getfields("^$(username):.*", "/etc/passwd", ":",
                                            "pwent[$(username)]");
    "home[$(username)]" string => "$(pwent[$(username)][6])";

  files:
    "$(home[$(username)])/.ssh/authorized_keys"
      handle    => "$(username)_ssh_pub",
      comment   => "Install public ssh keys for $(username)",
      create    => "true",
      perms     => mo("0600", "$(username)"),
      edit_line => append_if_no_line("$(user[$(username)])"),
      classes   => if_repaired("changed_$(username)_authorized_keys");

  reports:
    cfengine_3::
      "Repaired ssh authorized_keys for $(username)",
        ifvarclass => "changed_$(username)_authorized_keys";
}

This works as far as it goes, but my original form had an slist
instead of a string, allowing for multiple keys per user, but the issue
was that no combination of append_if_no_lines("$(user[$(username)])")
would work, whether I replaced $ with @ or added the ssh bundle name to
scope the variables. I think I went through all 16 combinations of
those things, but all I ever got was the given version of
$(user[$(username)]) inserted directly into authorized_keys and not
the value(s) assigned to it.

Yes I used the lines version for the slist.
___
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine


Problems editing /etc/exports

2012-06-08 Thread Ron Parker
I have a bundle that contains

bundle agent cc_nfs_export(dir)
{
  files:
    "$(sys.exports)"
      edit_line => cc_doexport("$(def.dir_cruisecontrol)/$(dir)", "192.168.159.0/255.255.255.0(rw)"),
      classes   => if_repaired("exportfs_repaired"),
      comment   => "Add missing line(s) to the $(sys.exports) file for CruiseControl",
      handle    => "agent_cc_nfs_export_files_exports";
}

In my cc_doexport I have tried using combinations of insert_lines and
delete_lines with delete_select.  I have tried simply inserting with
whitespace_policy using various settings and the results have always
been the new line being added even when one exists with only
whitespace differences.

The worst case scenario was using whitespace_policy where a new line
was added for each export every single time cf-agent ran.

Giving up for the night, I'll check back here in the morning.

--
Ron Parker
Don't type things you find on the Internet into your computer!
:(){ :|:&};:


Re: Problems editing /etc/exports

2012-06-11 Thread Ron Parker
On Fri, Jun 8, 2012 at 6:41 PM, Nick Anderson  wrote:

> Hey Ron, can you post a self contained example?

Here's my minimal test for the eternally growing exports file.

# begin test.sh
#! /bin/sh
printf '/export/dir1\t\t192.168.159.0/255.255.255.0(rw)\n' > /tmp/exports

cf-agent -KIf test.cf   # duplicates, not matching above
cf-agent -KIf test.cf   # duplicates, not even matching itself

cat /tmp/exports
# end test.sh

# begin test.cf
body common control
{
  bundlesequence => { "test" };
}

bundle agent test
{
  files:
    "/tmp/exports"
      edit_line => cc_doexport("/export/dir1   192.168.159.0/255.255.255.0(rw)"); # Single tab in the middle of the string
}

bundle edit_line cc_doexport(line)
{
  insert_lines:
    "$(line)"
      whitespace_policy => { "ignore_embedded" };
}
# end test.cf

--
Ron Parker
Don't type things you find on the Internet into your computer!
:(){ :|:&};:


Re: Problems editing /etc/exports

2012-06-11 Thread Ron Parker
By the way, if you take out the whitespace_policy line, as expected,
you get two lines that differ only in whitespace.

Due to the whitespace_policy issue, I also tried something that
distills down to:

bundle edit_line cc_doexport(line)
{
  delete_lines:
  "/export/dir1\s\s+192.168.159.0/255.255.255.0(rw)";

  insert_lines:
  "$(line)";
}

Here, the delete_lines fail to delete the line the test.sh script creates.

-rdp

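An added illustration (not from the thread and not CFEngine's own code) of the two behaviours discussed in this thread, written in Python rather than policy language: a whitespace-insensitive duplicate check of the kind one would expect from whitespace_policy => { "ignore_embedded" }, and the delete_lines pattern from the follow-up evaluated as a whole-line regex, where the unescaped (rw) is a capture group matching the two characters "rw" rather than the literal parentheses in the file. The file content is constructed from what test.sh writes.

```python
import re

# Constructed from test.sh above: the file has two tabs between the fields.
EXPORTS_SAMPLE = "/export/dir1\t\t192.168.159.0/255.255.255.0(rw)\n"

# The entry test.cf inserts: same fields, a single tab between them.
NEW_LINE = "/export/dir1\t192.168.159.0/255.255.255.0(rw)"

# The delete_lines pattern from the follow-up message, copied as written.
DELETE_PATTERN = r"/export/dir1\s\s+192.168.159.0/255.255.255.0(rw)"


def normalize(line):
    """Collapse every run of whitespace to one space and trim the ends.
    This is the comparison 'ignore_embedded' is expected to perform."""
    return " ".join(line.split())


def insert_if_absent(content, line):
    """Append `line` unless a whitespace-equivalent line already exists.
    Applying it twice must not grow the file (the idempotence the thread
    was not getting from cf-agent)."""
    present = {normalize(l) for l in content.splitlines()}
    if normalize(line) in present:
        return content
    if content and not content.endswith("\n"):
        content += "\n"
    return content + line + "\n"


def anchored_match(pattern, line):
    """CFEngine matches edit_line regexes against the whole line, so
    re.fullmatch is the closest equivalent here."""
    return re.fullmatch(pattern, line) is not None


def delete_matching(content, pattern):
    """Drop every line the anchored pattern matches."""
    kept = [l for l in content.splitlines() if not anchored_match(pattern, l)]
    return "".join(l + "\n" for l in kept)


def escaped_delete_pattern():
    """Same intent as DELETE_PATTERN, but with the literal parts escaped so
    that '.' and '(rw)' mean the characters in the file, not regex syntax."""
    return (re.escape("/export/dir1") + r"\s\s+"
            + re.escape("192.168.159.0/255.255.255.0(rw)"))


def demo():
    once = insert_if_absent(EXPORTS_SAMPLE, NEW_LINE)
    twice = insert_if_absent(once, NEW_LINE)
    raw_hit = anchored_match(DELETE_PATTERN, EXPORTS_SAMPLE.rstrip("\n"))
    esc_hit = anchored_match(escaped_delete_pattern(), EXPORTS_SAMPLE.rstrip("\n"))
    return once, twice, raw_hit, esc_hit


if __name__ == "__main__":
    once, twice, raw_hit, esc_hit = demo()
    print("grew on second insert:", twice != once)   # False
    print("unescaped pattern matches:", raw_hit)      # False
    print("escaped pattern matches:", esc_hit)        # True
```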


Authentication problems with multiple interfaces

2012-06-12 Thread Ron Parker
I have a client machine that is attempting to copy some logs from
another client machine. The same public keys that the policy hub has
for the clients have been installed on each of the machines.

Here is how their IPs are set up:

  cf-agent bge0: 10.6.8.200 vnic0: 192.168.69.1
  cf-server eth0: 10.6.8.207 eth0:0: 10.6.8.53 eth1: 192.168.159.101

In both cases the first IP is the physical interface, the last IP is a
host-only interface used for virtualization.  The eth0:0 is a
secondary IP for the server; I am transitioning systems from DHCP to
static IPs and will maintain both for a while.

From cf-agent I get:

cf3>  -> Copy file /export/backup/servers/us-stl-cc1/artifacts from
/var/spool/cruisecontrol/artifacts check
cf3> No existing connection to 10.6.8.53 is established...
cf3> Set cfengine port number to 5308 = 5308
cf3> Set connection timeout to 10
cf3>  -> Connect to us-stl-cc1 = 10.6.8.53 on port 5308
cf3> skipidentify was promised, so we are trusting and simply
announcing the identity as (us-hop-dev1) for this host
cf3>  -> Did not find new key format /var/cfengine/ppkeys/root-.pub
cf3>  -> Trying old style /var/cfengine/ppkeys/root-10.6.8.53.pub
cf3>  !! Not authorized to trust the server=us-stl-cc1's public key
(trustkey=false)
...
cf3>  !! Authentication dialogue with us-stl-cc1 failed
cf3> Unable to establish connection with us-stl-cc1
cf3>  ?> defining promise result class cc_backup_failed_artifacts
cf3>  -> No suitable server responded to hail
cf3>  ?> defining promise result class cc_backup_failed_artifacts

And from the server on us-stl-cc1, I get:

cf3> Listening for connections ...
cf3>  -> Accepting a connection
cf3> Accepting connection from ":::10.6.8.200"
cf3> New connection...(from :::10.6.8.200:sd 4)
cf3> Spawning new thread...
cf3> Allowing 192.168.69.1 to connect without (re)checking ID
cf3> Non-verified Host ID is us-hop-dev1 (Using skipverify)
cf3> Non-verified User ID seems to be root (Using skipverify)
cf3>  -> Public key identity of host ":::10.6.8.200" is
"MD5=987b169fdccbee8236d444a5ea017795"
cf3> A public key was already known from us-hop-dev1/:::10.6.8.200
- no trust required
cf3> Adding IP :::10.6.8.200 to SkipVerify - no need to check this
if we have a key
cf3> The public key identity was confirmed as root@us-hop-dev1
cf3> Challenge response from client :::10.6.8.200 was incorrect - ID false?
cf3> Auth dialogue error
cf3> From (host=us-hop-dev1,user=root,ip=:::10.6.8.200)
cf3>  -> Accepting a connection
cf3> Accepting connection from ":::10.6.8.200"
cf3> New connection...(from :::10.6.8.200:sd 4)
cf3> Spawning new thread...
cf3> Allowing 192.168.69.1 to connect without (re)checking ID
cf3> Non-verified Host ID is us-hop-dev1 (Using skipverify)
cf3> Non-verified User ID seems to be root (Using skipverify)
cf3>  -> Public key identity of host ":::10.6.8.200" is
"MD5=987b169fdccbee8236d444a5ea017795"
cf3> A public key was already known from us-hop-dev1/:::10.6.8.200
- no trust required
cf3> Adding IP :::10.6.8.200 to SkipVerify - no need to check this
if we have a key
cf3> The public key identity was confirmed as root@us-hop-dev1
cf3> Challenge response from client :::10.6.8.200 was incorrect - ID false?
cf3> Auth dialogue error
cf3> From (host=us-hop-dev1,user=root,ip=:::10.6.8.200)
cf3>  -> Accepting a connection
cf3> Accepting connection from ":::10.6.8.200"
cf3> New connection...(from :::10.6.8.200:sd 4)
cf3> Spawning new thread...
cf3> Allowing 192.168.69.1 to connect without (re)checking ID
cf3> Non-verified Host ID is us-hop-dev1 (Using skipverify)
cf3> Non-verified User ID seems to be root (Using skipverify)
cf3>  -> Public key identity of host ":::10.6.8.200" is
"MD5=987b169fdccbee8236d444a5ea017795"
cf3> A public key was already known from us-hop-dev1/:::10.6.8.200
- no trust required
cf3> Adding IP :::10.6.8.200 to SkipVerify - no need to check this
if we have a key
cf3> The public key identity was confirmed as root@us-hop-dev1
cf3> Challenge response from client :::10.6.8.200 was incorrect - ID false?
cf3> Auth dialogue error
cf3> From (host=us-hop-dev1,user=root,ip=:::10.6.8.200)

So, how do I get them to play nicely? I notice that the server
mentions the agent's VNIC IP in a couple of places and its public IP in
others.  Also odd is the attempt by the client to access a file named
/var/cfengine/ppkeys/root-.pub.

On a sidenote the secondary IP on eth0:0 never shows up in the sys variables:

R: sys.interface = eth0
R: sys.interfaces = eth0
R: sys.interfaces = eth1
R: sys.ip_addresses = 10.6.8.207
R: sys.ip_addresses = 192.168.159.101
R: sys.ipv4 = 10.6.8.207
R: sys.ipv4[eth0] = 10.6.8.207
R: sys.ipv4[eth1] = 192.168.159.101

This strikes me as a bug.

--
Ron Parker


Re: Authentication problems with multiple interfaces

2012-06-12 Thread Ron Parker

My workaround was to copy the root-MD5*.pub key to the old-style
IP-based name.  Short of logging into each client and looking at its
localhost.pub, is there a convenient way to correlate the new-style
names with the machines or IPs they came from?

--
Ron Parker
Don't type things you find on the Internet into your computer!
:(){ :|:&};:


Re: feature proposal for cfengine.el

2012-06-15 Thread Ron Parker
On Fri, Jun 15, 2012 at 9:57 AM, Marco Marongiu  wrote:
> Hi all
>
> I found that having the promises laid out in normal order in the bundles
> can help a lot in understanding how things actually go on when the
> policy is run.
>
> It would be nice if we had a key combination that, once pressed, detects
> the bundle the cursor is in, and sets out the correspondent promises.
> E.g., in an agent bundle it would produce something like:

This is really orthogonal to cfengine-mode.  A number of emacs
packages support the functionality you are seeking, including skeleton,
auto-insert, yasnippet and srecode.
http://www.emacswiki.org/emacs/CategoryTemplates lists most of them;
however, auto-insert is conspicuously absent:
http://www.emacswiki.org/emacs/AutoInsertMode.

--
Ron Parker
Don't type things you find on the Internet into your computer!
:(){ :|:&};:


To xdev or not to xdev

2012-06-19 Thread Ron Parker
It's not clear to me from the reference manual.  If I want to set
permissions on a directory and all of its descendants that are not
(NFS) mounts, do I want xdev to be true or false?

--
Ron Parker
Don't type things you find on the Internet into your computer!
:(){ :|:&};:


180+ instances of cf-execd and cf-agent

2012-06-21 Thread Ron Parker
In testing that the promises for a given machine were sufficient to
reconfigure it from scratch, I did a fresh OS install to a VM,
bootstrapped CFE and manually started cf-agent.  After about 30
minutes and the fourth email from the system, it had converged. I
noted a few things that were missing, e.g. ssh configuration. So I
made the policy changes over the course of the day.

Last night before leaving I rolled the VM back to the baseline OS
install and bootstrapped CFE to test my changes. After about 10
minutes I got an email reporting what happened during initial run but
no reports thereafter. This morning I get in and find the machine has
182 (and climbing) copies of cf-execd and cf-agent. Other than my
seemingly minor tweaks the only difference I am aware of is that the
second time I did not run cf-agent manually at all, I let cf-execd
start the processes.

I suspect it is somehow related to initial package installation and
there is a possibly related discussion on the list from last year
https://cfengine.com/forum/read.php?3,19505,19598, but I saw no clear
resolution.

My questions are, how can I see what the active copy of cf-agent is
doing that it did not complete? It does not have any child processes
showing up in pstree.

The second question is how may I prevent this in the future but still
have the system converge in a reasonable amount of time?

--
Ron Parker
Don't type things you find on the Internet into your computer!
:(){ :|:&};:


Re: CFEngine Help: Re: 180+ instances of cf-execd and cf-agent

2012-06-21 Thread Ron Parker
The machine in question was running 3.3.3.

On Thu, Jun 21, 2012 at 11:11 AM,   wrote:
> Forum: CFEngine Help
> Subject: Re: 180+ instances of cf-execd and cf-agent
> Author: davidlee
> Link to topic: https://cfengine.com/forum/read.php?3,26261,26266#msg-26266
>
> Sorry, my previous message may have confused two distinct things about 
> managing this:
>
> Assuming 3.1.4 (or thereabouts) with BerkeleyDB:
>
> 1. For the current, live "incident" (to use ITIL terminology), you may need 
> to look at wiping "/var/cfengine/state/*.db" while cfengine is shutdown.
>
> 2. For the longer-term strategy, plan a transition to a more recent version 
> of cfengine.
>



--
Ron Parker
Don't type things you find on the Internet into your computer!
:(){ :|:&};:


Removed packages treated as installed by stdlib

2012-06-22 Thread Ron Parker
I ran into an issue with a package that got removed but not
reinstalled by CFE. The dpkg-related patterns were matching anything
in the output as installed. But if you remove or purge a package after
installing it, it still shows up in the output of 'dpkg -l'. I just
threw a pull request over the wall that corrected it on the Ubuntu box
I was working with, https://github.com/cfengine/copbl/pull/10.

--
Ron Parker
Don't type things you find on the Internet into your computer!
:(){ :|:&};:
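An added example (not from the message and not the copbl pull request's code) showing why a 'dpkg -l' line has to be judged by its status column: a removed package stays listed with status "rc" (config files remain), so anything that treats "package name appears in the output" as installed gets it wrong. The output excerpt is constructed, and naive_is_installed is an assumption about the failure mode, not the stdlib's actual pattern.

```python
import re

# Constructed excerpt of `dpkg -l` output (not real data): openssh-server is
# installed ("ii"), apache2 was removed but its config files remain ("rc"),
# and apache2-mpm is a package dpkg only knows by name ("un").
DPKG_L_SAMPLE = """\
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name            Version            Description
+++-===============-==================-====================================
ii  openssh-server  1:5.9p1-5ubuntu1   secure shell (SSH) server
rc  apache2         2.2.22-1ubuntu1    Apache HTTP Server metapackage
un  apache2-mpm     <none>             (no description available)
"""

# A package line: desired-state letter, status letter, error column (space
# or uppercase letter), then name and version separated by whitespace.
_PKG_LINE = re.compile(r"^([a-zA-Z])([a-zA-Z])[ A-Z]\s+(\S+)\s+(\S+)")


def parse_dpkg_l(text):
    """Map package name -> (desired, status, version) for every package line,
    ignoring the legend that dpkg prints above the table."""
    pkgs = {}
    for line in text.splitlines():
        m = _PKG_LINE.match(line)
        if m:
            desired, status, name, version = m.groups()
            pkgs[name] = (desired, status, version)
    return pkgs


def is_installed(text, name):
    """Installed means status 'i' (unpacked and configured).  Status 'c' is
    the case from the message: removed, config files still present."""
    entry = parse_dpkg_l(text).get(name)
    return entry is not None and entry[1] == "i"


def installed_packages(text):
    """The set a policy should compare against when deciding what to add."""
    return {n for n, (_, status, _) in parse_dpkg_l(text).items() if status == "i"}


def naive_is_installed(text, name):
    """Assumed reconstruction of the failure mode in the message: any line
    that mentions the package counts as installed, so the 'rc' line for a
    removed package wrongly reports it present."""
    return any(re.search(r"\b" + re.escape(name) + r"\b", l)
               for l in text.splitlines())
```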


Directory is controlled by another user - trusting its content is potentially risky (possible race)

2012-06-27 Thread Ron Parker
We have a system that sometimes leaves stray subversion locks lying
around and are trying to clean those up. I'm getting the warning
mentioned in the subject and attempted the workaround mentioned in
http://cfengine.org/pipermail/help-cfengine/2010-February/007638.html.
But in my case it's not enough; I am assuming it's because the
wildcarding is at the grandparent directory level, but I'm at a loss
as to how to work around it.

  files:
    no_svn_running::
      "$(dir_projects)/.*/\.svn/."
        depth_search => recurse(1),
        file_select  => by_name("lock"),
        delete       => tidy;

  processes:
    "svn" restart_class => "no_svn_running";

I know there's a potential race between setting the class and
performing the deletion on the next pass, but in this specific case it
would cause no problems.

--
Ron Parker
Don't type things you find on the Internet into your computer!
:(){ :|:&};:


Re: CFEngine Help: Re: Directory is controlled by another user - trusting its content is potentially risky (possible race)

2012-06-27 Thread Ron Parker
Thanks for the response Neil,

On Wed, Jun 27, 2012 at 12:05 PM,  neilwatson wrote:

> What does the '.*' mean in your mind?  Can that be replaced with a different 
> recurse depth in  the depth_search?

In this case the '.*' means all immediate sub-directories of the
projects directory which also contain a .svn subdirectory.

I could use a different recurse depth, but if so how would I limit it
to lock files in the .svn subdirectories? I didn't see a way to build
a list of directories and then iterate over those to find a specific
file within them.

--
Ron Parker
Don't type things you find on the Internet into your computer!
:(){ :|:&};:


Re: CFEngine Help: Re: Directory is controlled by another user - trusting its content is potentially risky (possible race)

2012-06-27 Thread Ron Parker
Looking back at these systems, I actually need to remove all .svn/lock
files from anywhere they occur below the projects directory. So
anything short of an "inf" recurse depth will be insufficient. But I
still have the question of how to only pickup lock files inside .svn
directories and nowhere else.

--
Ron Parker
Don't type things you find on the Internet into your computer!
:(){ :|:&};:


Re: CFEngine Help: Re: Directory is controlled by another user - trusting its content is potentially risky (possible race)

2012-06-27 Thread Ron Parker
On Wed, Jun 27, 2012 at 2:30 PM, Jesse Becker  wrote:
> Could you use a module to generate an slist of ".svn directories with
> lock files", and then iterate over that?

My original implementation used an execresult to do that but I was
trying to keep it all in CFEngine. I may have to revert to that
approach.
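An added example (not from this thread) of the selection the thread ends up needing, done in Python as the kind of helper an execresult or module could run: walk the whole projects tree (the "inf" depth), pick only regular files named lock whose parent directory is .svn, never follow symlinks, and when an owner uid is given skip a .svn directory owned by anyone else rather than trust it, which is the condition behind the warning in the subject. The project layout is constructed in a temporary directory.

```python
import os
import stat
import tempfile


def find_svn_locks(root, owner_uid=None):
    """Return every regular file named 'lock' whose parent directory is
    named '.svn', at any depth below root.  Symlinks are never followed,
    and a .svn directory not owned by owner_uid (when given) is skipped."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        if os.path.basename(dirpath) != ".svn" or "lock" not in filenames:
            continue
        if owner_uid is not None and os.lstat(dirpath).st_uid != owner_uid:
            continue            # controlled by another user: do not trust it
        path = os.path.join(dirpath, "lock")
        if stat.S_ISREG(os.lstat(path).st_mode):   # not a symlink or device
            hits.append(path)
    return sorted(hits)


def build_fixture():
    """Constructed project tree: two stale .svn/lock files at different
    depths, a 'lock' outside any .svn directory, and a symlink named lock
    inside a .svn directory that must not be selected."""
    root = tempfile.mkdtemp(prefix="projects-")
    layout = {
        "a/.svn/lock": "stale",
        "a/sub/b/.svn/lock": "stale",
        "c/lock": "not a subversion lock",
        "d/.svn/entries": "keep me",
    }
    for rel, text in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)
    os.symlink(os.path.join(root, "c/lock"), os.path.join(root, "d/.svn/lock"))
    return root


def relative_hits(root, owner_uid=None):
    return [os.path.relpath(p, root) for p in find_svn_locks(root, owner_uid)]


def demo():
    """Unfiltered, filtered to the fixture's owner, filtered to a foreign uid."""
    root = build_fixture()
    mine = os.lstat(root).st_uid
    return relative_hits(root), relative_hits(root, mine), relative_hits(root, mine + 1)


if __name__ == "__main__":
    for label, hits in zip(("all", "owned", "foreign owner"), demo()):
        print(label, hits)
```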


File access granted only when cf-serverd is manually started

2012-07-13 Thread Ron Parker
I frequently get messages from the client like:

Can't stat /var/cfengine/.../somefile in files.copyfrom promise

when cf-serverd is started normally, by which I mean started at boot
or by cf-agent from a promise. But, if I run it as root on the hub,
"cf-serverd -v", then those messages go away and access is granted.
And yes, it normally runs under root if I look at the process table.

--
Ron Parker
Never plug a non-switching power supply into 208V.