Differences

This shows you the differences between two versions of the page.

--- docpublic:systemes:linux:cfengine3 [2013/07/19 13:03]
PROCACCIA [directory access rules]
+++ docpublic:systemes:linux:cfengine3 [2013/12/24 15:14] (current)
procacci@tem-tsp.eu [references]
@@ Line 18: / Line 18: @@
   * http://pix-mania.dyndns.org/mediawiki/index.php/Cfengine_-_tutoriels
   * http://www.k-tux.com/cfengine-cet-outil-qui-facilite-la-vie-des-asr/2
+  * https://cfengine.com/blog/ten-reasons-for-5-minute-configuration-repair
 ===== install server =====
@@ Line 93: / Line 94: @@
 ===== install client =====
-here we install manually cfengine package on the client (next we'll do it automatically via cobbler)
+here we install manually cfengine package on the client (next we'll do it  [[.:cfengine3&#bootstrap_cfengine_from_cobbler|automatically via cobbler)]]
 <code>
@@ Line 318: / Line 319: @@
 ==== bundlesequence ====
-finally we need to tell cfengine server bundlesequance to use our promises above through promises.cf file
+finally we need to tell cfengine server bundlesequence to use our promises above through promises.cf file
 <code>
@@ Line 396: / Line 397: @@
 </code>
+Now that "$(sys.workdir)/master_disi_files" is a defined variable, we can use it in the acces rules of cf_served :
+<code>
+[root@cfengine3 masterfiles]# vim controls/cf_serverd.cf
+bundle server access_rules()
+{
+ access:
+  any::
+  # disi
+   "$(def.dir_master_disi_files)"
+       handle => "server_access_rule_grant_access_disi_policy",
+      comment => "Grant access to the policy disi updates",
+        admit => { ".*\.$(def.domain)", @(def.acl) };
+</code>
 otherwise you get an error on the client telling you
@@ Line 404: / Line 418: @@
 </code>
+==== secure_cp ====
+I first used remote_cp instaed of secure_cp to ciopy files, howerver when the file changed on the server it wasn't replaced on the client because it was more recent !
+indeed from libraries/cfengine_stdlib.cf we can read the definitions :
+<code>
+body copy_from secure_cp(from,server)
+{
+source      => "$(from)";
+servers     => { "$(server)" };
+compare     => "digest";
+encrypt     => "true";
+verify      => "true";
+}
+##
+body copy_from remote_cp(from,server)
+{
+servers     => { "$(server)" };
+source      => "$(from)";
+compare     => "mtime";
+}
+</code>
+and from https://cfengine.com/docs/3.5/reference-promise-types-files.html reference we learn that what we needed was a compare based on digest and not mtime in our case !
+===== bootstrap cfengine from cobbler =====
+we use cobbler to install +100 stations (fedora) via PXEboot + kickstart.
+in order to fully automate the install + configuration of those stations we need to tell cobbler in its post install process to install cfengine and bootstrap the client station on the cfengine server
+reference
+  * https://lists.fedorahosted.org/pipermail/cobbler/2011-July/006553.html
+  * https://groups.google.com/forum/?fromgroups&hl=en#!topic/help-cfengine/bQRv0vHpWLs
+in our kickstart template we call 2 snippets to do the job
+<code>
+[root@cobbler2 cobbler]# grep disi kickstarts/basef19.ks
+$SNIPPET('disi_post_install_packages')
+$SNIPPET('disi_cfengine_bootstrap')
+</code>
+those snippet repectlively install cfengine and then bootstrap the client the easy way since the version 3.2.0, if you are willing to automatically accept keys from the clients , cf http://blog.normation.com/en/2012/01/03/interactive-key-exchange-with-cfengine/
+<code>
+[root@cobbler2 snippets]# cat disi_post_install_packages
+yum -y install cfengine-community
+yum -y install autofs
+[root@cobbler2 snippets]# cat disi_cfengine_bootstrap
+# start cfengine3 registration
+/var/cfengine/bin/cf-agent -B --policy-server 157.157.211.144 > /root/disi_cfengine3_bootstraped.txt
+# end cfengine3 registration
+</code>

docpublic/systemes/linux/cfengine3.1374239025.txt.gz · Last modified: 2013/07/19 13:03 by PROCACCIA

Show page Old revisions

[unknown link type]Back to top