Re: reloading pf through ansible easy hook

2016-11-23 Thread Antoine Jacoutot
On Wed, Nov 23, 2016 at 09:40:48AM -0500, sven falempin wrote:
> On Mon, Nov 21, 2016 at 5:48 PM, Antoine Jacoutot wrote:
> >
> > On Mon, Nov 21, 2016 at 05:34:35PM -0500, sven falempin wrote:
> > > Ansible is already managing pkg and service of OpenBSD, cool
> > >
> > > If one wants to manage pf with it, and push or modify a few files,
> > > one must run - command: /sbin/pfctl -f {{ dank.config }}
> > >
> > > Yet - service could be used, if this glue was in the rc.d directory:
> >
> > You can easily create an ansible role|module to do that natively.
> > The rc.d framework is only meant to handle real daemons.
> > We don't want it to manage pf, quota, network, mounts...
> >
> > --
> > Antoine
> 
> I see your point and agree, OTH
> and not for the sake of arguing,
> 
> PF is inside rc.conf , so rcctl manages it, so rc.d
> could have a relation.

shlib_dirs is also in rc.conf, I don't see any relation to rc.d...

-- 
Antoine



Re: reloading pf through ansible easy hook

2016-11-23 Thread sven falempin
On Mon, Nov 21, 2016 at 5:48 PM, Antoine Jacoutot wrote:
>
> On Mon, Nov 21, 2016 at 05:34:35PM -0500, sven falempin wrote:
> > Ansible is already managing pkg and service of OpenBSD, cool
> >
> > If one wants to manage pf with it, and push or modify a few files,
> > one must run - command: /sbin/pfctl -f {{ dank.config }}
> >
> > Yet - service could be used, if this glue was in the rc.d directory:
>
> You can easily create an ansible role|module to do that natively.
> The rc.d framework is only meant to handle real daemons.
> We don't want it to manage pf, quota, network, mounts...
>
> --
> Antoine

I see your point and agree, OTH
and not for the sake of arguing,

PF is inside rc.conf , so rcctl manages it, so rc.d
could have a relation.

So YES there are only daemons in rc.d NOW
but not in rc.conf.

Cheers

-- 
-
() ascii ribbon campaign - against html e-mail
/\



Re: reloading pf through ansible easy hook

2016-11-22 Thread gwes

On 11/22/16 15:36, John Boeske wrote:
> On Tue, Nov 22, 2016 at 10:46 AM, John Boeske wrote
> > I don't understand this philosophical point - why wouldn't you want
> > the rc.d framework to manage pf, quota, etc. whenever it's natural.
> > With pf, for example, it surely is.
> >
> > One of the reasons I loved AIX's System Resource Controller (SRC)
> > was that it did present a unified management interface to all
> > system resources whether daemon or built in.
> >
> > Using a consistent rc.d/rcctl framework to manage system services
> > and daemons - even pkg_add daemons - seems a good idea. Consistent
> > interfaces, fewer interfaces, less special-casing all simplify
> > management, thus minimize the chance of error and enhance security.
> >
> > This is true whether management is local or through a remote tool
> > like ansible. Or?
>
> Oops.  Meant "pkg_script daemons" above...
>
> John


I designed a single-point-of-control management system for
AIX clusters. It was five software layers - three on the control,
two on the controlled system. All of the layers were necessary
for reliable and reconfigurable operation.

As you may think it wasn't easy. It *did* work very well and
was configurable. It had to be since it rode on top of all
the normal Unix-like system control programs. It *was*
reconfigurable so it could track AIX updates (and IBM
requirement changes).

Before you advocate adding layers consider all the possible
error paths including hangs. Consider tracking interactions
between subsystems. Consider how you'll report
errors and status. To do it right isn't simple.

Geoff Steckel



Re: reloading pf through ansible easy hook

2016-11-22 Thread John Boeske
On Tue, Nov 22, 2016 at 10:46 AM, John Boeske wrote
> On Mon, Nov 21, 2016 at 3:48 PM, Antoine Jacoutot wrote
> > On Mon, Nov 21, 2016 at 05:34:35PM -0500, sven falempin wrote:
> > > Ansible is already managing pkg and service of OpenBSD, cool
> > >
> > > If one wants to manage pf with it, and push or modify a few files,
> > > one must run - command: /sbin/pfctl -f {{ dank.config }}
> > >
> > > Yet - service could be used, if this glue was in the rc.d directory:
> >
> > You can easily create an ansible role|module to do that natively.
> > The rc.d framework is only meant to handle real daemons.
> > We don't want it to manage pf, quota, network, mounts...
> 
> I don't understand this philosophical point - why wouldn't you want
> the rc.d framework to manage pf, quota, etc. whenever it's natural.
> With pf, for example, it surely is.
> 
> One of the reasons I loved AIX's System Resource Controller (SRC)
> was that it did present a unified management interface to all
> system resources whether daemon or built in.

> Using a consistent rc.d/rcctl framework to manage system services
> and daemons - even pkg_add daemons - seems a good idea. Consistent
> interfaces, fewer interfaces, less special-casing all simplify
> management, thus minimize the chance of error and enhance security.
> 
> This is true whether management is local or through a remote tool
> like ansible. Or?

Oops.  Meant "pkg_script daemons" above...

John



Re: reloading pf through ansible easy hook

2016-11-22 Thread John Boeske
On Mon, Nov 21, 2016 at 3:48 PM, Antoine Jacoutot wrote
> On Mon, Nov 21, 2016 at 05:34:35PM -0500, sven falempin wrote:
> > Ansible is already managing pkg and service of OpenBSD, cool
> >
> > If one wants to manage pf with it, and push or modify a few files,
> > one must run - command: /sbin/pfctl -f {{ dank.config }}
> >
> > Yet - service could be used, if this glue was in the rc.d directory:
>
> You can easily create an ansible role|module to do that natively.
> The rc.d framework is only meant to handle real daemons.
> We don't want it to manage pf, quota, network, mounts...

I don't understand this philosophical point - why wouldn't you want
the rc.d framework to manage pf, quota, etc. whenever it's natural.
With pf, for example, it surely is.

One of the reasons I loved AIX's System Resource Controller (SRC) 
was that it did present a unified management interface to all
system resources whether daemon or built in.

Using a consistent rc.d/rcctl framework to manage system services 
and daemons - even pkg_add daemons - seems a good idea. Consistent 
interfaces, fewer interfaces, less special-casing all simplify 
management, thus minimize the chance of error and enhance security.
 
This is true whether management is local or through a remote tool
like ansible. Or?

John



Re: reloading pf through ansible easy hook

2016-11-22 Thread BARDOU Pierre
I know the official validate command is pfctl -nf, but if you do so, you need 
to register the result of this task, then make one more conditional task to 
apply.
This doubles your playbook execution time, which is not acceptable for me.

--
Regards,
Pierre BARDOU


-----Original Message-----
From: owner-t...@openbsd.org [mailto:owner-t...@openbsd.org] On behalf of Landry Breuil
Sent: Tuesday, November 22, 2016 14:53
To: tech@openbsd.org
Subject: Re: reloading pf through ansible easy hook

On Tue, Nov 22, 2016 at 11:15:01AM +, BARDOU Pierre wrote:
> Hello,
> 
> - name: "Loading pf.conf"
>   template: src=pf.conf dest=/etc/ validate="pfctl -f %s"

Fwiw, I find it nicer to validate with 'pfctl -nf' ..

Landry
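
An added example, not taken from any message in this thread: a template task that validates the candidate file with `pfctl -nf` and leaves the actual load to a handler, which Ansible runs only when the file changed. The host group, template name and handler name are assumptions, and the play is assumed to run as root on the target.

```yaml
# Added example (not from the thread). Names below are assumptions:
#   openbsd_firewalls  - inventory group
#   pf.conf.j2         - template in the role/playbook directory
#   reload pf          - handler name
- hosts: openbsd_firewalls
  tasks:
    - name: Install pf.conf only if it parses
      template:
        src: pf.conf.j2
        dest: /etc/pf.conf
        owner: root
        group: wheel
        mode: "0600"
        # -n makes pfctl parse the rules without loading them.
        # %s is the temporary copy Ansible writes before replacing dest;
        # if the command exits non-zero, dest is left untouched and the
        # task fails.
        validate: /sbin/pfctl -nf %s
      notify: reload pf

  handlers:
    - name: reload pf
      # Triggered only when the template task reports "changed";
      # runs once at the end of the play.
      command: /sbin/pfctl -f /etc/pf.conf
```

With `validate: pfctl -f %s` the ruleset is loaded from the temporary file as a side effect of validation; with `-nf` the running ruleset changes only when the handler fires.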



Re: reloading pf through ansible easy hook

2016-11-22 Thread Landry Breuil
On Tue, Nov 22, 2016 at 11:15:01AM +, BARDOU Pierre wrote:
> Hello,
> 
> - name: "Loading pf.conf"
>   template: src=pf.conf dest=/etc/ validate="pfctl -f %s"

Fwiw, I find it nicer to validate with 'pfctl -nf' ..

Landry



Re: reloading pf through ansible easy hook

2016-11-22 Thread BARDOU Pierre
Hello,

- name: "Loading pf.conf"
  template: src=pf.conf dest=/etc/ validate="pfctl -f %s"

Works fine for me.
Configuration is copied and loaded if correct, otherwise the rule file is not 
modified and not loaded (and the playbook fails with error).

--
Regards,
Pierre BARDOU

-----Original Message-----
From: owner-t...@openbsd.org [mailto:owner-t...@openbsd.org] On behalf of Antoine Jacoutot
Sent: Monday, November 21, 2016 23:48
To: sven falempin <sven.falem...@gmail.com>
Cc: tech@openbsd.org
Subject: Re: reloading pf through ansible easy hook

On Mon, Nov 21, 2016 at 05:34:35PM -0500, sven falempin wrote:
> Ansible is already managing pkg and service of OpenBSD, cool
> 
> If one wants to manage pf with it, and push or modify a few files, one 
> must run - command: /sbin/pfctl -f {{ dank.config }}
> 
> Yet - service could be used, if this glue was in the rc.d directory:

You can easily create an ansible role|module to do that natively.
The rc.d framework is only meant to handle real daemons.
We don't want it to manage pf, quota, network, mounts...

--
Antoine



Re: reloading pf through ansible easy hook

2016-11-21 Thread Antoine Jacoutot
On Mon, Nov 21, 2016 at 05:34:35PM -0500, sven falempin wrote:
> Ansible is already managing pkg and service of OpenBSD, cool
> 
> If one wants to manage pf with it, and push or modify a few files,
> one must run - command: /sbin/pfctl -f {{ dank.config }}
> 
> Yet - service could be used, if this glue was in the rc.d directory:

You can easily create an ansible role|module to do that natively.
The rc.d framework is only meant to handle real daemons.
We don't want it to manage pf, quota, network, mounts...

-- 
Antoine