Mark,

I agree with you 100%. I'm absolutely for "voluntary cooperation", I've been 
working hard to explain the benefits to everyone involved and getting them to 
want this. Even groups outside our department and our Director and CIO have a 
high interest in getting this going.

I bring up the issue not to ask how to force Cfengine on people and make them 
work a certain way, but rather to illustrate the problem of knowledge and 
process. My team is on board with using it but right now I'm the only person 
who understands Cfengine and how to create and modify the policy. But for 
example, if it's 3 AM and the Unix on-call person needs to make an emergency 
fix just to get a system functional again, they may not know if the change 
they're making will be wiped out by Cfengine in the next 5 minutes, but they 
may also not yet know how to update or extend the policy to manage the change 
they need to make.

As I laid out in my original email, I can see several ways to educate my team 
so I can hand this off to them entirely. (Technically, they're my former team 
since I’m not on our Unix team any more but now a parallel "Infrastructure 
Engineer" team of my own.) I just wanted to hear from others how they've 
handled this sort of coordination.

On a side note, to speak to your response about managing NFS filesystems, that 
was just one approach. I like the idea of Cfengine enforcing only "approved" 
mounts in /etc/fstab and automounter files (or netgroups in /etc/passwd, etc.) 
but we certainly may need to give more latitude in such configurations.

Thanks,
Justin
 

-----Original Message-----
From: Mark Burgess [mailto:mark.burg...@iu.hio.no] 
Sent: Monday, February 01, 2010 12:20 PM
To: Justin Lloyd
Cc: help-cfengine@cfengine.org
Subject: Re: Team-based Cfengine Management


To paraphrase Mr Krizak on a different occasion, "think voluntary
cooperation". It works for politics as well as technical work. This is how
cfengine began the notion of autonomy in the first place -- at a university
where everyone wanted to control their own box.

When you have people who need to feel in control, you give them the power to
override and engage them with voluntary cooperation. No one wants to feel they
are being overrun by "The Man", but controlling everything yourself is
exhausting and most people lose interest in the end. You could present
cfengine as something that helps them in their lives, reduces their burdens,
and brings order and documentation.

There are many ways to use cfengine. If I could just count the number of times
I've read that "Cfengine forces you to...." and cringed. Cfengine doesn't
force you to do anything, but admins often have poor imaginations and use it
to carpet bomb their systems into compliance. I tend to believe in a lighter
touch - less is more. Unless you have mandatory compliance issues (The Law --
did you say the Lieu?), I don't recommend controlling anything that doesn't
show signs of running wild. You can insert new mounts without destroying old
ones, for instance.

Justin, you are a skilled power-user. With great power ... ;-)

Mark

Justin Lloyd wrote:
> Hi all,
> 
> For those of you who are part of a team that manage a Cfengine-based
> environment, how do you prevent people from making local changes to
> things that are managed by Cfengine, thus causing local changes to get
> wiped out? For example, if Cfengine manages all NFS mounts in /etc/fstab
> on Linux systems and someone manually adds such an entry to a host which
> Cfengine later wipes out when enforcing just its specified NFS mounts.
> Things that come to mind are:
> 
> · Change Control - well-defined dept/company procedures for
>   change approval, and all changes to systems should be done only through
>   Cfengine policy, never locally on any system
> 
> · Automated Comments - have Cfengine add comment headers to
>   files it manages
> 
> · Documentation - thoroughly and clearly comment the policy
>   files and also create external documentation, such as an easily
>   searchable wiki, that people can read to find out what is managed by
>   Cfengine
> 
> · Training and Communications - teach the team what is managed
>   by Cfengine and have good communications channels (email list, team
>   meetings, etc.) to review when the policy is updated to manage new things
> 
> Let me know if you have other ideas and how well they’ve worked for you.
> 
> Thanks,
> 
> Justin
> 
> 
> This electronic communication and any attachments may contain confidential
> and proprietary information of DigitalGlobe, Inc. If you are not the
> intended recipient, or an agent or employee responsible for delivering this
> communication to the intended recipient, or if you have received this
> communication in error, please do not print, copy, retransmit, disseminate
> or otherwise use the information. Please indicate to the sender that you
> have received this communication in error, and delete the copy you received.
> DigitalGlobe reserves the right to monitor any electronic communication sent
> or received by its employees, agents or representatives.
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@cfengine.org
> https://cfengine.org/mailman/listinfo/help-cfengine

-- 
Mark Burgess

-------------------------------------------------
Professor of Network and System Administration
Oslo University College, Norway

Personal Web: http://www.iu.hio.no/~mark
Office Telf : +47 22453272
-------------------------------------------------
