CFEngine Help: Re: CFEngine Help: Re: distributing secrets

2012-06-15 Thread no-reply
Forum: CFEngine Help Subject: Re: CFEngine Help: Re: distributing secrets Author: sauer Link to topic: https://cfengine.com/forum/read.php?3,26196,26232#msg-26232 Neil Watson Wrote: --- > On Fri, Jun 15, 2012 at 07:16:40PM +0200, >

Re: CFEngine Help: Re: distributing secrets

2012-06-15 Thread Neil Watson
On Fri, Jun 15, 2012 at 07:16:40PM +0200, no-re...@cfengine.com wrote: >modifying the list 20-100 times a day as transient test machines are >brought up and taken down would be a real pain - particularly since >that means cf-serverd needs to constantly be restarted. The server does not need to be

Re: distributing secrets

2012-06-15 Thread Nicolas Charles
You could try this:
  bundle common acls_data
  {
  vars:
      # one list entry per name in /var/cache that starts with a digit
      "listdirs" slist => lsdir("/var/cache/", "[0-9]+.*", "false");
  }
  bundle server access_rules
  {
  access:
      # each directory is admitted only to the host named like it
      "/var/cache/$(acls_data.listdirs)"
          admit => { "$(acls_data.listdirs)" };
  }
Nicolas CHARLES O

CFEngine Help: Re: distributing secrets

2012-06-15 Thread no-reply
Forum: CFEngine Help Subject: Re: distributing secrets Author: sauer Link to topic: https://cfengine.com/forum/read.php?3,26196,26228#msg-26228 Neil Watson Wrote: --- > "/var/cache/${cls}" > admit => { "${cls}" };

CFEngine Help: Re: distributing secrets

2012-06-14 Thread no-reply
Forum: CFEngine Help Subject: Re: distributing secrets Author: jtl Link to topic: https://cfengine.com/forum/read.php?3,26196,26207#msg-26207 Following up on Brian's suggestion of generating the secret on the client, I would have a GPG public key distributed along with the policy. Generat

Re: distributing secrets

2012-06-13 Thread Neil Watson
This is interesting. Server bundles do allow list iteration. Consider this: body common control { bundlesequence => { "main", }; } bundle agent main { reports: cfengine:: "Main agent bundle"; } body server control { port => "

Re: distributing secrets

2012-06-13 Thread Neil Watson
To answer your questions. The software in question is Bacula. A password is stored in the client's and server (director's) configuration. Each client should have its own password that the director must also know. The password is normal ASCII inside a typical configuration file. In this case I

Re: distributing secrets

2012-06-13 Thread Brian Bennett
Where else is this password referenced? My inclination would be a promise that generates the password directly on the box (perhaps with pwgen). Something like this: files: "/etc/local/pass" create => "false", classes => if_notok("gen_pass"); commands: gen_pass:: "/usr/bin/pwgen -s >

Re: distributing secrets

2012-06-13 Thread Diego Zamboni
Neil, With CF3 Enterprise, you could use remotescalar() or hubknowledge(), which allow you to fetch values from remote CFEngine hosts, then you could have the values stored only on the hub. https://cfengine.com/manuals/cf3-Reference#Function-hubknowledge https://cfengine.com/manuals/cf3-Referen