problem with client access to masterfiles folder


Sergey N. Vtorov

Sep 11, 2015, 11:42:26 AM
to help-cfengine
Hello,
I have a problem with the bundle server_acces. I would like to restrict access to some folders for clients and admit only specific hosts. My config is below:

bundle server acces_rules
{
  vars:
      "client" slist => { "192.168.1.111", "192.168.1.176", "192.168.1.219", "192.168.1.207", "192.168.1.133" };

  access:
      "$(sys.workdir)/masterfiles/repo/datacenter/$(client)/"
        admit => { "$(client)" };
}


Or this one:

bundle server acces_rules
{
  access:
      "$(sys.workdir)/masterfiles/repo/datacenter/host1"
        admit => { "192.168.1.207" };

  access:
      "$(sys.workdir)/masterfiles/repo/datacenter/host2"
        admit => { "192.168.1.220" };

  ...
}

But when I create these folders in $(sys.workdir)/masterfiles/repo/datacenter/, they are uploaded to all hosts. So the config does not work. With hostnames it also doesn't work. Maybe there is a different way to do it?
The goal is that all servers must see the main contents of the root folder (masterfiles); it will contain global configuration like NTP sync, routes, etc., in one word, parameters that must be configured on each host in the network. But folders like $(sys.workdir)/masterfiles/repo/datacenter/$(client)/ must be seen only by that host. How can I do this? I understand that this structure is not good, but it is needed for managing these hosts from our own web interface in the future. How can I make (describe) classes in CFEngine? Sorry for my English.

Neil Watson

Sep 11, 2015, 11:56:42 AM
to help-cfengine
On Fri, Sep 11, 2015 at 08:42:26AM -0700, Sergey N. Vtorov wrote:
>   access:
>     "$(sys.workdir)/masterfiles/repo/datacenter/host1"
>     admit => { "192.168.1.207" };
> access:
>     "$(sys.workdir)/masterfiles/repo/datacenter/host2"
>     admit => { "192.168.1.220" };

There is already a default rule to allow all hosts to connect to
workdir/masterfiles. You must use a higher directory:

workdir/mydir/repo/datacenter/hostn

You can't allow all to masterfiles and safely deny child dirs. That is
very dangerous.

--
Neil H Watson
Sr. Partner, Architecture and Infrastructure
CFEngine reporting: https://github.com/evolvethinking/delta_reporting
CFEngine policy: https://github.com/evolvethinking/evolve_cfengine_freelib
CFEngine and vim: https://github.com/neilhwatson/vim_cf3
CFEngine support: http://evolvethinking.com

Nick Anderson

Sep 11, 2015, 11:58:30 AM
to Sergey N. Vtorov, help-cfengine

In addition to what Neil just said:

On 09/11/2015 10:42 AM, Sergey N. Vtorov wrote:
> "client" slist => { "192.168.1.111", "192.168.1.176", "192.168.1.219",
> "192.168.1.207", "192.168.1.133" };
>
> access:
>
> "$(sys.workdir)/masterfiles/repo/datacenter/$(client)/"
>
> admit => { "$(client)" };

You want to admit the list, not iterate over it:

      "client"
        slist => { "192.168.1.111", "192.168.1.176", "192.168.1.219",
                   "192.168.1.207", "192.168.1.133" };

  access:
      "$(sys.workdir)/masterfiles/repo/datacenter/$(client)/"
        admit => { @(client) };

Sergey N. Vtorov

Sep 15, 2015, 11:24:42 AM
to help-cfengine, cfen...@watson-wilson.ca
Thanks a lot.
Sorry for the stupid questions, but I am a newbie in CFEngine.
After reading the book "Learning CFEngine 3" I still have a lot of questions. The main question is about file organization in CFEngine. I have not found information about that in the official documentation or in the book.
Your answer was helpful; I really thought that trying to restrict child folders was OK. But how can I tell the clients about the folder workdir/mydir/repo/datacenter/host? In masterfiles/controls/cf_serverd.cf I want to make a master-hub configuration like here: http://stackoverflow.com/questions/32395109/cfengine-configuration-for-each-host (my post from Stack Overflow), but all the configurations that I tried failed.
If I try to use a config like in my first message, the folders appear on the hosts. If I try to use the solution from your post (in a higher directory, workdir/mydir/repo/datacenter/host), the clients do not see these folders (I did it in controls/cf_serverd.cf).

Neil Watson

Sep 15, 2015, 12:08:31 PM
to help-cfengine
Is the data that you're trying to limit by host actually private, or
is this an effort to make things neat and efficient?

It's best practice to have all agents copy and use all policy files
except when some policy files are private. But private files are very rare.

Sergey N. Vtorov

Sep 15, 2015, 2:05:40 PM
to help-cfengine, cfen...@watson-wilson.ca
>effort to make things neat and efficient?
Yes.

I understand that it is best to have all agents keep a copy, but I do not want to see on each server copies of policies that these servers are not supposed to have. Of course, I could use classes like
  files:
    192_168_1_111::

but I think it is not quite right.
We have an old infrastructure and I want to deploy CFEngine step by step. We cannot follow the CFEngine concept on the first day.

Nick Anderson

Sep 15, 2015, 2:15:32 PM
to Sergey N. Vtorov, help-cfengine, cfen...@watson-wilson.ca


On 09/15/2015 01:05 PM, Sergey N. Vtorov wrote:
>> effort to make things neat and efficient?
> Yes.
>
> I understand that it is best to have all agents have copy, but I do not
> want to see on each server copies of policies that these servers are not
> supposed. Of course, i could use classes like
> files:
> 192_168_1_111::

So if I understand correctly, you want to restrict some files shared by
the server to specific hosts.

You control which files are shared, and with whom, using access[1] promises.

So you could have /var/cfengine/datacenter/dc1/ that you want to share
only with clients that are in dc1. Something similar to this may work
for you.

bundle common datacenter_hosts
{
  vars:
      # Define this in a common bundle because maybe we would want to use
      # this same list in an agent bundle as well
      "dc1_ips" slist => { "192.168.33.2", "192.168.33.3" };
}

bundle server my_datacenter_access_rules
{
  access:
    # We only want to share the files out on the policy server
    policy_server::
      "/var/cfengine/datacenter/dc1"
        admit_ips => { @(datacenter_hosts.dc1_ips) };
}

[1] https://docs.cfengine.com/latest/reference-promise-types-access.html

Sergey N. Vtorov

Sep 24, 2015, 6:02:58 AM
to help-cfengine, fto...@gmail.com, cfen...@watson-wilson.ca
Nick, thanks for your answer. I did something like this:


# repo masterdir
    any::
      "dir_repo" string => translatepath("$(sys.workdir)/repo"),
                 comment => "Define repo path",
                  handle => "common_def_vars_dir_repo";


      "$(def.dir_repo)"
        handle => "server_access_rule_grant_access_repo",
        comment => "Acces to test repo",
        admit => { @(def.acl) };

and in policies:

  files:
    freebsd::
      "/usr/local/etc/nginx/hosting/."
        create => "true",
        depth_search => recurse("inf"),
        copy_from => sync_cp("$(sys.workdir)/repo/office/$(sys.fqhost)/hosting/.", "${sys.policy_hub}");

And now all clients use the global policies and have their own files via the sys.* variables. So your and Neil's hints helped me come up with it. Thank you!

I have another two questions for beginners; do I need to create a new topic, or could I write them here?
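The thread ends with two halves that belong together: Nick's server-side access promise with admit_ips on a directory outside masterfiles, and Sergey's agent-side copy_from keyed on $(sys.fqhost). The policy below is an added example, not code from the thread or from the CFEngine project, that puts both halves in one stand-alone file and tightens the server side so each host is admitted only to its own directory. Assumptions are labelled in the comments: the repo path $(sys.workdir)/repo, the hostnames host1.example.com and host2.example.com, their addresses, and the bundle name repo_def (chosen so it does not collide with the stock def bundle in masterfiles).

```cfengine3
body common control
{
      bundlesequence => { "repo_def", "datacenter_sync" };
      inputs         => { "$(sys.libdir)/stdlib.cf" };   # sync_cp and recurse come from stdlib
}

bundle common repo_def
{
  vars:
      # Private per-host data lives OUTSIDE masterfiles (assumed path), so the
      # stock "every host may read masterfiles" rule never covers it.
      "dir_repo" string => translatepath("$(sys.workdir)/repo");

      # Constructed hostname -> IP map. Keys must equal each client's $(sys.fqhost)
      # because the agent uses that variable to pick its own directory.
      "host_ip[host1.example.com]" string => "192.168.1.207";
      "host_ip[host2.example.com]" string => "192.168.1.220";

      "hosts"   slist => getindices("host_ip");   # directory names on the hub
      "all_ips" slist => getvalues("host_ip");    # every address allowed to read the shared part
}

bundle server datacenter_access_rules
{
  access:
    policy_server::
      # Shared part: the same files for every managed host (NTP, routes, ...).
      "$(repo_def.dir_repo)/office/common"
        admit_ips => { @(repo_def.all_ips) };

      # Private part: the promiser iterates over the hosts list, producing one
      # access promise per directory, each admitted only to that host's own IP.
      # This is the enforcement; the agent-side $(sys.fqhost) below is only convenience.
      "$(repo_def.dir_repo)/office/$(repo_def.hosts)"
        admit_ips => { "$(repo_def.host_ip[$(repo_def.hosts)])" };
}

bundle agent datacenter_sync
{
  files:
      # Global configuration every host pulls from the common directory.
      "/etc/ntp/."
        create       => "true",
        depth_search => recurse("inf"),
        copy_from    => sync_cp("$(repo_def.dir_repo)/office/common/ntp/.",
                                "$(sys.policy_hub)");

    freebsd::
      # Host-specific files: the agent requests only its own directory, and
      # cf-serverd refuses the transfer if the source IP is not the one mapped above.
      "/usr/local/etc/nginx/hosting/."
        create       => "true",
        depth_search => recurse("inf"),
        copy_from    => sync_cp("$(repo_def.dir_repo)/office/$(sys.fqhost)/hosting/.",
                                "$(sys.policy_hub)");
}
```

Check the syntax on the hub with cf-promises -f on this file before wiring the bundles into the policy that cf-serverd loads (the thread's controls/cf_serverd.cf). The key point relative to Sergey's final version is that admitting the whole repo to one ACL and relying on $(sys.fqhost) only keeps things tidy; a per-directory admit_ips is what actually stops one client from fetching another host's files.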