I am currently in Paris where we were having the discussion last night about
"what is
simple?" when it comes to configuration. There are so many answers -- there is
always a
tradeoff between abstraction and reusability. Sometimes more lines are an aid
to seeing
what is going on, and sometimes you want to reduce the lines to a minimum.
For me the main thing has been to provide mechanisms - take them or leave them
- for
expressing complex patterns in different ways. You pick the approach that
floats your
particular boat.
I'm sure cf3 will yield a number of styles. The standardization effort will
hopefully
minimize these to a common set of idioms.
M
Ed Brown wrote:
> Neil,
>
> I've not made the leap yet from cf2, but so far your practical use cases
> and examples and questions on cf3 have been more useful even than the
> reference guide in starting to "get" cf3. Thank you.
>
> Maybe it's just that this is only an example, but I have to wonder about
> the value or economy of all this. Six variables set to "root"?
> Defining the owner/group/mode strings as separate variables for every
> file? Where is the power or leverage in this? In cf2, the 'files:'
> action could be completely defined for any file in basically less space
> than is used here to create the array entry. Am I missing a bigger picture?
>
> thanks again,
> Ed
>
>
>
> nwat...@symcor.com wrote:
>> I've made good progress is producing reusable policies with CF3. Consider
>> a security policy that checks the permissions of a motley group of files.
>> At first one might consider setting a a list or two and going from there.
>>
>> vars:
>>
>> "644-mode" string => "0644";
>> "644-usr" string => "root";
>> "644-grp" string => "root";
>>
>> linux::
>>
>> "644-file" slist => {
>> "/var/log/messages.*",
>> "/var/log/cfengine.*",
>> "/root/.ssh/authorized_keys"
>> };
>>
>> files:
>>
>> linux::
>>
>> "${644-file}"
>> perms => system(
>> "${644-mode}",
>> "${644-usr}",
>> "${644-grp}"
>> ),
>> action => warn_now,
>> classes => cdefine(
>> "${644-file}_kept",
>> "${644-file}_repaired",
>> "${644-file}_failed"
>> ),
>> comment => "Sec policy for mode 644 files";
>>
>> Expanding this promise to files with different modes or owners quickly
>> becomes difficult to manage. Fortunately using arrays and methods allows
>> for something much better.
>>
>> vars:
>>
>> redhat|suse::
>>
>> ##################
>> # File attirbutes are listed here as arrays.
>> "msgs[trg]" string => "/var/log/messages.*";
>> "msgs[mod]" string => "0644";
>> "msgs[usr]" string => "root";
>> "msgs[grp]" string => "root";
>>
>> "cflogs[trg]" string => "/var/log/cfengine.*";
>> "cflogs[mod]" string => "0644";
>> "cflogs[usr]" string => "root";
>> "cflogs[grp]" string => "root";
>>
>> "raks[trg]" string => "/root/.ssh/authorized_keys";
>> "raks[mod]" string => "0644";
>> "raks[usr]" string => "root";
>> "raks[grp]" string => "root";
>>
>> ##################
>> # The files above are now presented in a list that will be used to index
>> the arrays.
>>
>> redhat|suse::
>>
>> "files" slist => {
>> "msgs",
>> "cflogs",
>> "raks",
>> "root",
>> "rcd"
>> },
>> comment => "List of arrays (below) to index.";
>>
>> ##################
>> # Pass file information above to a files promise
>>
>> redhat|suse|sunos_5_10::
>>
>> "any" usebundle => fileperms(
>> "${${files}[trg]}",
>> "${${files}[mod]}",
>> "${${files}[usr]}",
>> "${${files}[grp]}"
>> );
>> }
>>
>> In this policy there is a clear list of files and associated modes and
>> owners. It is easy for the less CF savvy administrator to expand. All of
>> the heavy lifting is being done by the 'fileperms' bundle in the library
>> and can be called from anywhere.
>>
>> bundle agent fileperms (trg, mod, usr, grp){
>> # Bundle to set file permissions.
>>
>> files:
>> "${trg}"
>> perms => mode( "${mod}" ),
>> action => warn_now, # Passive only at this point.
>> classes => cdefine(
>> "${trg}_mode_kept",
>> "${trg}_mode_repaired",
>> "${trg}_mode_failed"
>> ),
>> comment => "Check mode for ${trg}";
>>
>> "${trg}"
>> perms => chown( "${usr}", "${grp}" ),
>> action => warn_now, # Passive only at this point.
>> classes => cdefine(
>> "${trg}_chown_kept",
>> "${trg}_chown_repaired",
>> "${trg}_chown_failed"
>> ),
>> comment => "Check owner and group for ${trg}";
>>
>> reports:
>>
>> all::
>> "WARNING: ${trg} fixed mode to ${mod}.",
>> ifvarclass => canonify("${trg}_mode_repaired");
>>
>> "${trg} correct mode ${mod}.",
>> ifvarclass => canonify("${trg}_mode_kept");
>>
>> "ALARM: ${trg} wrong mode ${mod}.",
>> ifvarclass => canonify("${trg}_mode_failed");
>>
>> "WARNING: ${trg} fixed owner and group to ${usr}:${grp}.",
>> ifvarclass => canonify("${trg}_chown_repaired");
>>
>> "${trg} correct owner and group ${usr}:${grp}.",
>> ifvarclass => canonify("${trg}_chown_kept");
>>
>> "ALARM: ${trg} wrong owner or group ${usr}:${grp}.",
>> ifvarclass => canonify("${trg}_chown_failed");
>> }
>>
>> Sincerely,
>> --
>> Neil Watson
>> 416-673-3465
>>
>>
>> ------------------------------------------------------------------------
>>
>>
>>
>> CONFIDENTIALITY WARNING
>> This communication, including any attachments, is for the exclusive use of
>> addressee and may contain proprietary and/or confidential information. If
>> you are not the intended recipient, any use, copying, disclosure,
>> dissemination or distribution is strictly prohibited. If you are not the
>> intended recipient, please notify the sender immediately by return e-mail,
>> delete this communication and destroy all copies.
>>
>> AVERTISSEMENT RELATIF À LA CONFIDENTIALITÉ
>> Ce message, ainsi que les pièces qui y sont jointes, est destiné à l’usage
>> exclusif de la personne à laquelle il s’adresse et peut contenir de
>> l’information personnelle ou confidentielle. Si le lecteur de ce message
>> n’en est pas le destinataire, nous l’avisons par la présente que toute
>> diffusion, distribution, reproduction ou utilisation de son contenu est
>> strictement interdite. Veuillez avertir sur-le-champ l’expéditeur par retour
>> de courrier électronique et supprimez ce message ainsi que toutes les pièces
>> jointes.
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Help-cfengine mailing list
>> Help-cfengine@cfengine.org
>> https://cfengine.org/mailman/listinfo/help-cfengine
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@cfengine.org
> https://cfengine.org/mailman/listinfo/help-cfengine
--
Mark Burgess
-------------------------------------------------
Professor of Network and System Administration
Oslo University College, Norway
Personal Web: http://www.iu.hio.no/~mark
Office Telf : +47 22453272
-------------------------------------------------
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
