This may not be the Cf-approved way but based on some other thread I
have been getting by doing the following:
files:
"/etc/mail/sendmail.mc"
copy_from =>
mycopy("${g.masterfiles}/farm/etc/mail/sendmail.mc","${g.phost}"),
classes => satisfied("sendmailmake");
comman
Is there a better method for chaining commands outside of dropping them
in a shell script? I've tried grouping them, separated by ";" but
that was rejected by cfagent.
Thanks,
Frans
___
Help-cfengine mailing list
Help-cfengine@cfengine.org
https
Hi-
I'm running cf-serverd 3.0.5p1 and have started (rather suddenly)
experiencing regular segmentation faults. I've run cf-serverd in both
debug and verbose mode and neither report anything useful.
The segfaults look like the following:
# grep segfault messages.1
Aug 9 18:21:18 cfengine3 ker
Hi-
I am frequently getting emails (and seeing syslog messages) from hosts
running cfengine3.
File descriptor 26 of child 13217 higher than MAX_FD, check for defunct children
File descriptor 26 of child higher than MAX_FD, check for defunct children
File descriptor 26 of child 13218 higher than
Hi,
I use execresult to poll a job management system. The results determine
a class based on some regex. Occasionally there are problems with the
job management system which result in the processes never completing.
With each subsequent cf-agent run the processes accumulate.
I was wondering i
I think you probably want the "contain" option to that command.
restartssh::
"/sbin/service sshd restart",
contain => "silent";
http://www.cfengine.org/manuals/cf3-reference.html#contain-in-commands
"This is equivalent to piping standard
cf-serverd on CentOS would segfault for me as well when many clients
attempted simultaneous connections. I've compiled the latest 3.1.0
release and this problem has seemingly gone away.
Frans
As far as I know this is a bug with cf-execd where it does not release
file descriptors and eventually runs out of them. I have a weekly cron
job to restart cfengine3 services as a work around (non-ideal).
I haven't upgraded to cf3-community 3.1.0 (Nova 2.0 for you) yet so am
not sure if it has b
Hi-
I recently implemented a "service cfengine3 restart" weekly cron job as a
workaround to the MAX_FD bug that others and myself have seen. I neglected
to except the master from the restart so when cf-serverd was killed a number
of hosts complained about in-flight transfers or not being able to
On 11/09/2010 05:46 AM, Seva Gluschenko wrote:
> No, definitely. A file isn't installed in place of older one until
> it's copied successfully.
>
Seva, that's what has me so alarmed. Like you and Neil pointed out, I
can take steps to minimize the odds of cf-serverd getting terminated
while e
Seva,
I wish I had been able to inspect the system but with limits.conf corrupted
I couldn't log in and opted to rebuild the OS as it was a production
server. Next time (I'm really hoping there won't be one) I will pull a
drive and mount it elsewhere.
The syslog messages the host sent indicated t
Mike,
cf-serverd was terminated by pkill during the cron restart of cf3 services.
pkill defaults to SIGTERM. I will attempt to reproduce using a test
environment and a looping cf-serverd / cf-agent script that sigterms
cf-serverd at increasing time intervals after cf-agent executes.
Frans
So you are quite right that there is more to the story. I dug around in my
bundles and found that there was overlap with respect to this file. A
generic "centos_5" promise included update of limits.conf whereas further
down in the bundle I had a more specific class "centos_5.special_hosts"
which
Hi,
It looks like cfengine3 masks the SIGPIPE signal. This mask gets
inherited by any processes cf3 invokes which can cause undesirable
behaviour.
I've noticed, for example, that if sshd gets restarted by cf3 it results
in shell behaviour as shown below.
cat somefile | head -10
[sn
> This morning my lastseen report (c3.0.5p1) showed that all clients had not
> checked in for at least 40 hours. The clients are running, I can run them
> manually and confirm connections yet the server's lastseen report, after
> running a new cf-report, shows no new checkins. Any ideas?
>
Th
> I experienced the same issue running on Solaris 10, cfengine v3.0.5p1.
> Any luck in finding out?
Deb & Jim, I've opened a bug report on this issue if you want to keep
track and/or chime in.
https://cfengine.com/bugtracker/view.php?id=445
Deb - I don't know if Nova (which is what I think you u
Hi-
This is part feature request but I expect someone will have some
insights on another way to accomplish what I'm asking with the existing
tools in cfengine.
It's very common, from examples I have seen, to use "execresult" to
store output in a variable after which "regcmp" will activate a clas
> If the execresult, in the vars section, fails from time to time then I either
> have to live with that and know that it will be successful on a later run or
> write other promises to ensure success. The example is really too vague for
> me to offer anything else.
The example is intentionally
>
> Is it possible to get the spec file that is used to create the RPM I
> currently download from the engine room for the free version of cfengine. I
> would rather roll my own RPMs, however I do not want to attempt to reinvent
> the wheel creating a new spec file. Or even letting us download t
>
> The extended change log should be online within a few days, so will also
> the Linux packages.
>
When generating the CentOS5 RPMs, might I request that the post-install
logic be fixed to ensure binaries are in place in both /usr/local/sbin/ and
/var/cfengine/bin?
I filed a bug regarding such:
>
> Please don't do this. RPMs should not install anything under /usr/local
> as that's reserved for local modifications of the system. rpmlint warns
> you if your RPM makes this mistake.
>
>
I see your point however this is the existing behavior of the community
RPMs.
# rpm -ql cfengine-communi
> The promise is to edit a plain file at a specific location. Editing a file
> after following a symlink is not the same thing to the agent. I think you'll
> need a separate promise for the other location. Or place the file in the
> same location everywhere and add a link afterward.
>
It's
> I look at Cftimes on occasion but I don't care for the format. It is too
> difficult to navigate. The multi-column layout is particularly confusing.
> This is unfortunate because the content, while infrequent, is of interest to
> me.
>
I concur on the format of CfTimes being unhelpful.
You probably want something like the following. "restart_ssh" will only
be activated as a class if the file needs to be copied.
files:
"/etc/ssh/sshd_config"
perms => mog("644", "root", "wheel"),
copy_from =>
secure_cp("$(g.masterfiles)/config/etc/ssh/sshd_c
I understand that cfengine's normal ordering is: vars, classes,
outputs, and so on. What I'm trying to do is restrict an "execresult"
call in the "vars:" section of a bundle to a particular class.
I've tried defining the class globally as well as implementing a
depends_on / handle dependency
> Then, when I run it on a host, I see this (via 'cf-agent -I'):
When debugging cf-agent behaviour you pretty much always want to run it
in verbose mode with "-v". I usually do something like
cf-agent -Kv | tee /tmp/cf
which lets you see the live output but also saves a copy for review.
This
Has anyone else experienced sporadic, random, ongoing authentication
failures related to cf-serverd seemingly misidentifying a client as not
belonging to an authorized network? The frequency of these failures,
based on estimated successful execution, is extremely low. ~.01% or
so. The client
> that looks pretty similar to the static buffer overlap problem which I'd
> discovered in the cf-serverd as of 3.0.4p2. Mark corrected the mutex lock
> since then, so the problem ceased to exist in 3.0.5, but I won't be surprised
> much if it was reintroduced in later versions.
>
Interesting,
David,
The community library has functions for handling switching services on
and off. Here's an example.
vars:
"enabled_services" slist => { "sendmail", "snmpd", "sshd",
"syslog", "sysstat", "xinetd", "ypbind" };
methods:
"any" usebundle => enable_xinetd("$(
What version are you running? It looks like you might be hitting this bug:
https://cfengine.com/bugtracker/view.php?id=456
> Any updates on this issue? I am experiencing the same problem on a RHEL
> 5.3 host running 3.1.2.
>
There's a bug report that's being looked into.
https://cfengine.com/bugtracker/view.php?id=445
Feel free to add your own observations.
Frans
> Did you see this problem before 3.1.2? It would help tremendously if
> anyone could figure out (by binary search) exact revision that
> introduced this bug.
>
>
Neil indicated he saw it in 3.0.5p1. It's interesting that, for me at
least, the only host that reliably updates is the host running cf
On Fri, Mar 11, 2011 at 2:44 PM, Mark Burgess wrote:
>
> Do you replicate the cfengine key between multiple hosts? I had a
> discussion about this earlier this week. Cfengine expects every host to
> have a unique public/private key pair.
>
I do not. The only key that gets copied is that of the h
> community> -> Going to secondary storage for key
> community> !! Unspecified srver refusal (see verbose server
> output)community> Couldn't recv
> community> !!! System error for recv: "Connection reset by peer"
> community> -> Writing last-seen observations
>
>
> Has anybody had this same
It happens from time to time that a NFS file system which cfengine uses
becomes unavailable. This usually results in cf-agent processes
building up until such time as connectivity is restored. In an attempt
to thwart this accumulation I implemented an abortclass as follows:
In promises.cf:
> If you have multiple agents running will the promise kill unrelated
> processes? I agent might not kill itself, the parent or child processes.
>
I'm not expecting it to kill other cf-agent processes, I simply want it
to bail out if it detects there are other cf-agent runs in progress. A
"st
> If you set such an abort class does that not prevent any promises from being
> kept? I worry that this might put CF into a state of never working until NFS
> is fixed.
>
I'm ok with cf3 bailing out until NFS (or whatever is blocking the
existing processes) is fixed. A lot of my promises are
> Every day I get several messages with communication errors with the policy
> server. This is completely random which node reports the problem. The size of
> the cluster is 600 nodes. We use splaytime of 5 minutes so the load is
> spread for the policy server.
>
> Are more people experiencing this p
> Is it something that I miss or things are not working the way the
> documentation says?
>
Were I to hazard a guess I'd say it has to do with cfengine's normal
ordering. See section 2.8.1 in the manual. Specifically, "In general
it is wise to avoid class-variable dependency as much as poss
I can't seem to figure out why a particular promise isn't activating
universally. A few days ago I implemented the following promises:
commands:
day_splay.vmhost::
"/some/executable.sh",
contain => silent,
module => "true";
day_splay.
> I'm interested in hearing feedback from the development team and community
> about using Cfengine with network file systems. Here's the specific problem
> that prompts the request:
>
> I'm writing policy that creates directories and files on an NFS share if and
> only if they do not already
Michael,
I don't have a cf3-specific tip for you but you might want to consider
yum's package groups. Look into yum-groups-manager. I have a base
package group with over a thousand RPMs in it. I then have cf3 do a
"yum clean all; yum groupinstall basegroup" when needed and it will add
any p
Hi,
In executing the following bundle:
bundle agent test {
vars:
"junkvar" int =>
readintarray("loadaverage","/proc/loadavg","^ "," ","2","99");
classes:
"loadavgsafe" expression =>
islessthan("$(loadaverage[1])","1");
reports:
loa
You should run cf-monitord and then simply use $(mon.loadavg) variables
(see ref manual)
Mark,
Maybe you can provide some insight on these vars. I actually did look
into using them first but could not interpret their values in a manner
that made them suitable as a replacement for standard l
There is an "occurrences" option to line edit promises.
cfengine_stdlib.cf has the following:
body replace_with value(x)
{
replace_value => "$(x)";
occurrences => "all";
}
Try setting it to just "first".
Frans
Hi,
There are regrettable instances when one can not simply dictate a
promise but must hand off its implementation to others due to necessary
coordination with other hominids, manual processes, and the like. I'm
trying to use cf3 to nag people regarding things not being in the agreed
upon st
You want to have the class set if the promise needs to be repaired (if
the file content is not right). So it's not *if_notkept* that you need
to use, but *if_repaired*
That doesn't seem to work either.. The promise wasn't legitimately
repaired so I would not expect cf3 to execute down that
Thanks, Neil, I will give that a try.
Does anyone else see the worth in having a "mailto" override in reports:
? If so I'll file a feature request.
Cheers,
Frans
I rely on the lastseen database to validate whether or not cf-agent is
running across the farm. I cross-reference the cf3 output with a list
of hosts produced by our build system and diff out any stragglers for
manual inspection. I think the lastseen database expires hosts that
haven't been s
> Bug 584 has been submitted for this.
>
> If given a promise to install a package with multiple architectures, if the
> first architecture already exists then the second does not get properly
> marked for installation.
>
Huh... This was reported already and marked resolved.
https://cfengine.com
I have a weekly cron restart of cf-execd as there is a bug that seems to
leak file descriptors until none are available. See:
https://cfengine.com/forum/read.php?3,19424,19990#msg-19990
I started with 3.0.5 so can not agree with the report that it was fixed in
that rev. I've left the weekly cron
> Is there a better way? Has someone already done this, and if so, would you
> be willing to share? I am not sure how to do this - It must be done only
> once, and since the encrypted string will be different on each host, you
> can't check for a static value that has been replaced on subsequ
Also thinking out loud.. Why not make use of the public keys that reside on
every host in order to store the password in host-specific files at some
common NFS location? I tried getting OpenSSL to work with cfengine's keys
(seeing as they're already stored on the cf-serverd host) but it steadfastl
This came up as a request a year ago and it didn't get any traction at
the time so I figured I'd try again.. Is there any way to suppress cf3's
warning of a file's permissions being SETUID?
>> NEW SETUID root PROGRAM
One can quiet commands with contain => silent. I really don't want to
be n
> I'm just wondering if anyone has managed this or anything similar. I'm
> currently researching patch management solutions, and have had a few people
> suggest CFengine, but CFengine is so sparse I'm not sure where to start. Does
> anyone know any useful post or mind sharing some of their scripts?
>
The reference manual states that classes are local to a bundle unless
defined in a common bundle. I just noticed some unexpected behaviour on
some hosts where a class defined in one bundle was seemingly active in
another bundle.
Heavily redacted bundle below..
bundle agent base {
file
56 matches