On Wed, May 11, 2005 at 12:16:37AM +0300, "Sami J. Mäkinen" wrote:
> Exactly. The trick is, we are using cfagent on the master server(!)
> to produce each overlay tree.
>
> I have split our cfagent.conf into several files,
> and cfagent.conf just says
>
> --- 8< ---
> import:
> any:: groups.conf
> any:: control.conf
> any:: profiles.conf
> any:: default.conf
> --- 8< ---
>
> The trick is that I generate a new hostname.conf on each loop run.
> I dig the slave hosts from the ppkeys directory and use reverse
> DNS lookup to find the hostnames. If anyone can come up with a more
> elegant and as lazy solution, I am grateful.
>
> This update-magic.sh script must be run each time something is changed
> inside the overlay directory tree called "magic-files".
>
> Then, you have to configure each host to retrieve the overlay tree
> from the master server. You could use either a "copy:" section
> in cfagent.conf or rsync -e ssh. It's your call.
>
> I see a potential security hole here. You should automagically generate
> a suitable cfservd.conf to allow each host to copy only its own overlay
> tree, not others. Otherwise, a knowledgeable person is able to read any
> other host's files on any cfengine client. Just reconfigure cfagent a bit.

This is an extremely cool idea. The only two problems I have with it:

1) On new host installs, you'd have to run cfagent on the client once to
generate the key, then run the script that generates the overlay on the
server, then re-run cfagent. That could easily be fixed by having a script
you run before installing a host.

2) This is the bigger problem in our environment. Defining myhostname will
get you the user-defined classes, however you'll miss out on all the
operating system based classes. We've got a bunch of AIX and a bunch of
Linux here, and I'd like to have some files that are different between
them, without having to specify somewhere that host X is running OS Y. I
don't know of any good way to solve this problem, unless you already
generate that information and store it centrally.

-jkl
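The per-host cfservd.conf restriction suggested at the end of the quoted message, as an added example that is not code from this thread or from cfengine itself. It assumes cfengine 2's `admit:` section syntax, client keys stored as `root-<IP>.pub` in the ppkeys directory, and one overlay directory per hostname; `gen_admit`, `resolve_ptr` and `RESOLVER` are names made up for this example.

```shell
#!/bin/sh
# Emit a cfservd.conf "admit:" section that lets each client read only its
# own overlay directory. Assumptions (not from the thread): public keys are
# stored as root-<IP>.pub, and overlays live in <overlay_root>/<hostname>.

# Reverse-resolve an IP to a hostname; prints nothing when there is no answer.
# Set RESOLVER to another function or command to use a different lookup.
resolve_ptr() {
    getent hosts "$1" | awk '{ print $2; exit }'
}
RESOLVER=${RESOLVER:-resolve_ptr}

gen_admit() {
    ppkeys=$1
    overlay_root=$2
    echo "admit:"
    for key in "$ppkeys"/root-*.pub; do
        [ -f "$key" ] || continue      # no keys present: glob stayed literal
        ip=${key##*/root-}
        ip=${ip%.pub}
        host=$("$RESOLVER" "$ip") || host=""
        # Fail closed: a host without a PTR record gets no admit line.
        [ -n "$host" ] || { echo "skip $ip: no reverse DNS" >&2; continue; }
        # The PTR answer is untrusted input that ends up in a path and a
        # config file, so accept plain hostname characters only.
        case $host in
            *[!A-Za-z0-9.-]*|.*|*..*) echo "skip $ip: bad name" >&2; continue ;;
        esac
        # Only hosts that actually have an overlay tree are listed.
        [ -d "$overlay_root/$host" ] || continue
        # One line per host: <its overlay directory>  <the only host admitted>
        printf '    %s/%s    %s\n' "$overlay_root" "$host" "$host"
    done
}

if [ "$#" -eq 2 ]; then
    gen_admit "$1" "$2"
fi
```

Run it from the same loop that rebuilds the overlays, so the access list is regenerated whenever the set of keys or overlay trees changes.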