Luke Youngblood wrote:
I read your discussion link before I did my setup, and was put off a little bit by the strange hostnames (no offense intended, but it's much easier to understand an example configuration when the hostnames are similar to the server role, e.g. DNS servers are called ns1 and ns2, etc.) Also, the script was called cf-customize-me-harder-baby.sh!!! :-)
Ha. No sense of humour. .-) OK, I was lazy. I did not edit the hostnames to be friendly.
Anyway, I would be very much interested in seeing the scripts you use on the master server to generate the master overlay for each host. This seems like a very nice solution which allows you to verify file integrity for each server, without having to hand-code a copy statement for each file, and also not sharing passwd/shadow information with servers in other departments that shouldn't see that information.
Exactly. The trick is, we are using cfagent on the master server(!) to produce each overlay tree.
I have split our cfagent.conf into several files, and cfagent.conf just says
--- 8< ---
import:
  any::
    groups.conf
    control.conf
    profiles.conf
    default.conf
--- 8< ---
Then, my script called update-magic.sh is:
--- 8< ---
#!/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
export PATH

cfdir=/var/cfengine
srcdir=/data/Linuxlandia/cfengine
dstdir=$cfdir/master/

# Some sanity checks: only on the master, only as root
[ `uname -n` = "aarpora" ] || exit 1
[ `id -u` -eq 0 ] || exit 1

# Sync the overlay sources, helper scripts and cfengine inputs from CVS checkout
cd $srcdir || exit 1
rsync -var --exclude CVS --delete --delete-excluded \
    magic-files scripts $dstdir/
rsync -var --exclude CVS --delete --delete-excluded \
    inputs $cfdir/

# One key file per client, named root-<ip>.pub
cd $cfdir/ppkeys || exit 1
for k in root-*.pub
do
    ip=`echo $k | sed -e 's/^root-//' | sed -e 's/\.pub$//'`
    # reverse lookup, keep the short name (site-specific: strip a trailing "g")
    h=`host $ip | awk '{print $5}' | cut -d. -f 1 | sed -e 's/g$//'`
    mkdir -p $dstdir/magic/$h/overlay || exit 1
    # regenerate hostname.conf for this client and run cfagent against it
    cd $cfdir/inputs || exit 1
    echo "control:" > hostname.conf
    echo " myhostname = ( $h )" >> hostname.conf
    cfagent --file customize.conf --no-hard-classes --define $h
done
exit 0
--- 8< ---
The trick is that I generate a new hostname.conf on each loop run. I dig the slave hosts from the ppkeys directory and use reverse DNS lookup to find the hostnames. If anyone can come up with a more elegant and equally lazy solution, I am grateful.
This update-magic.sh script must be run each time something is changed inside the overlay directory tree called "magic-files".
My customize.conf input for cfagent is like this:
--- 8< ---
import:
  any::
    hostname.conf
    groups.conf
    profiles.conf
    customizerun.conf

control:
  actionsequence = ( shellcommands files )

  ... and some mandatory variable definitions.
--- 8< ---
The nice thing here is that we are using the same groups.conf and profiles.conf on the central server and the clients.
The real magic is in customizerun.conf, like this:
--- 8< ---
shellcommands:
  any::
    "/bin/sh -c 'echo $(host_profile) > $(dstdir)/$(myhostname)/host_profile'" timeout=2
    "/bin/sh -c 'echo $(net_profile) > $(dstdir)/$(myhostname)/net_profile'" timeout=2
    "/bin/sh -c 'echo $(flavor_profile) > $(dstdir)/$(myhostname)/flavor_profile'" timeout=2

  any::
    "$(workdir)/master/scripts/cf-customize-them-gently.sh $(myhostname)" timeout=10

files:
  any::
    $(dstdir)/$(myhostname)/overlay/etc/passwd   mode=444 o=root g=root action=fixall
    $(dstdir)/$(myhostname)/overlay/etc/shadow   mode=400 o=root g=root action=fixall
    $(dstdir)/$(myhostname)/overlay/etc/group    mode=444 o=root g=root action=fixall
    $(dstdir)/$(myhostname)/overlay/etc/gshadow  mode=400 o=root g=root action=fixall
    $(dstdir)/$(myhostname)/overlay/etc/sudoers  mode=440 o=root g=root action=fixall
--- 8< ---
Are you more satisfied with the script names here? No more customize-me-harder, customize-them-gently instead. That was put forward by a colleague, to be honest. :)
Awwww, I would be stoopid to include the rest of the shellscripts here, please have a look here instead:
http://almamedia.fi/~sjm/cfengine/contrib/new/
Then, you have to configure each host to retrieve the overlay tree from the master server. You could use either a "copy:" section in cfagent.conf or rsync -e ssh. It's your call.
I see a potential security hole here. You should automagically generate a suitable cfservd.conf to allow each host to copy only its own overlay tree, not others. Otherwise, a knowledgeable person is able to read any other host's files on any cfengine client. Just reconfigure cfagent a bit.
Regards from a maniac sysadmin,
-sjm
_______________________________________________ Help-cfengine mailing list Help-cfengine@gnu.org http://lists.gnu.org/mailman/listinfo/help-cfengine
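The closing remark about the security hole (every client being able to copy every other host's overlay tree, shadow files included) suggests generating the cfservd.conf "admit:" section from the same ppkeys directory that update-magic.sh already walks. The script below is an added example, not sjm's code or anything from the linked contrib directory. It assumes the cfengine 2 admit syntax of one line per rule, "<path> <host-or-ip>", the $dstdir/magic/<host>/overlay layout used in update-magic.sh, and that the control: part of cfservd.conf lives in a static header that this output is appended to. The reverse lookup is replaced by a constructed table so the example runs offline; on the master it would call host or dig as the original script does.

```sh
#!/bin/sh
# Added example (not sjm's code): emit the "admit:" section of cfservd.conf
# from the client public keys in ppkeys, one rule per host, so that a client
# may copy only its own overlay tree. Assumed: cfengine 2 admit syntax
#   admit: <path> <host-or-ip>
# and the $dstdir/magic/<host>/overlay layout of update-magic.sh.

# key_to_ip: root-10.0.0.5.pub -> 10.0.0.5 (same file naming as in ppkeys)
key_to_ip() {
    printf '%s\n' "$1" | sed -e 's/^root-//' -e 's/\.pub$//'
}

# Constructed stand-in for the reverse lookup (`host $ip`) so the example
# runs offline. 10.0.0.8 deliberately collides with ns1 to exercise the
# duplicate check below.
lookup_host() {
    case "$1" in
        10.0.0.5) echo ns1 ;;
        10.0.0.6) echo ns2 ;;
        10.0.0.8) echo ns1 ;;
        *) return 1 ;;
    esac
}

# gen_admit <dstdir> <keyfile>...
# Each rule admits exactly one IP to exactly one overlay tree. Admitting by
# IP rather than by name keeps the rule tied to the address the key file is
# named after, so a spoofed PTR record cannot widen it. A key whose reverse
# lookup fails gets no rule at all (fail closed) and is reported on stderr.
gen_admit() {
    dstdir=$1; shift
    seen=""
    printf 'admit:\n'
    for k in "$@"; do
        ip=$(key_to_ip "$k")
        h=$(lookup_host "$ip") || { printf 'no PTR for %s, skipped\n' "$ip" >&2; continue; }
        # Two IPs resolving to one short name would share an overlay: refuse the second.
        case " $seen " in
            *" $h "*) printf 'duplicate hostname %s for %s, skipped\n' "$h" "$ip" >&2; continue ;;
        esac
        seen="$seen $h"
        printf '  %s/magic/%s/overlay  %s\n' "$dstdir" "$h" "$ip"
    done
    return 0
}

# Demo on constructed key names; on the master it would be
#   cd /var/cfengine/ppkeys && gen_admit /var/cfengine/master root-*.pub
gen_admit /var/cfengine/master root-10.0.0.5.pub root-10.0.0.6.pub root-10.0.0.7.pub
```

Run from update-magic.sh after the overlay loop, redirecting the output into the generated cfservd.conf, and then restart or HUP cfservd so the new admit list is loaded. A deny-by-default posture falls out naturally: anything not listed under admit: is not served, so a host whose key is present but whose PTR is missing simply cannot fetch until DNS is fixed, which is preferable to handing it a tree that belongs to someone else.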