guarding hostinnetgroup


Neil Watson

Jan 30, 2015, 8:49:54 AM
to help-cfengine
Greetings,

I have a policy that uses hostinnetgroup. In certain conditions the host
cannot determine the netgroups and long RPC timeouts happen. The policy
will never finish. I haven't dealt with NIS and similar services in many
years. How can I prevent this?

FYI:
https://docs.cfengine.com/latest/reference-functions-hostinnetgroup.html

--
Neil H Watson
Sr. Partner, Architecture and Infrastructure
CFEngine reporting: https://github.com/evolvethinking/delta_reporting
CFEngine policy: https://github.com/evolvethinking/evolve_cfengine_freelib
CFEngine and vim: https://github.com/neilhwatson/vim_cf3
CFEngine support: http://evolvethinking.com

Alex Georgopoulos

Feb 3, 2015, 4:23:26 PM
to help-c...@googlegroups.com, cfen...@watson-wilson.ca
We create a class called nis_functioning and gate all of our netgroup calls behind that. We also use persistent classes to only check the netgroups once an hour. Something like this:

bundle common hostin_mynetgroup_common
{
  vars:
      "check_time" string => "60";

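  classes:
      # True once either result class is set (including a persisted one),
      # so the lookup below is skipped until the persistence expires.
      "checked_mynetgroup" or => {
                                 "host_in_mynetgroup",
                                 "host_not_in_mynetgroup"
                                 };
    # Only query the netgroup when NIS is known to work and no cached result exists.
    nis_functioning.!checked_mynetgroup::
      "host_in_mynetgroup"
        expression => hostinnetgroup("mynetgroup"),
        persistence => "$(check_time)";
      "host_not_in_mynetgroup"
        not => hostinnetgroup("mynetgroup"),
        persistence => "$(check_time)";
}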
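
Added example, not part of the thread and not the posters' own policy: one way the nis_functioning class used above could be defined so that the probe itself cannot hang the agent. The bundle name, the nis_not_functioning class, the ypwhich probe, the binary paths, the 5-second bound and the 10-minute recheck interval are all assumptions to adapt to the site.

```cfengine3
bundle common nis_probe
{
  vars:
      # Assumed probe: ypwhich exits 0 when the host is bound to a NIS server.
      # GNU timeout kills it after 5 seconds so a dead server cannot stall the run.
      "probe_cmd"       string => "/usr/bin/timeout 5 /usr/bin/ypwhich";
      # Minutes to cache the probe result (assumed value).
      "recheck_minutes" string => "10";

  classes:
    # Skip the probe while a persisted result from an earlier run is still valid.
    !(nis_functioning|nis_not_functioning)::
      "nis_functioning"
        expression => returnszero("$(probe_cmd)", "noshell"),
        persistence => "$(recheck_minutes)";
      "nis_not_functioning"
        not => returnszero("$(probe_cmd)", "noshell"),
        persistence => "$(recheck_minutes)";
}
```

The bundle has to be evaluated before any bundle that tests nis_functioning, for example by listing it earlier in the policy inputs.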