On 09/15/2015 01:05 PM, Sergey N. Vtorov wrote:
>> effort to make things neat and efficient?
> Yes.
>
> I understand that it is best to have all agents have a copy, but I do not
> want to see on each server copies of policies that these servers are not
> supposed. Of course, I could use classes like
> files:
> 192_168_1_111::

So if I understand correctly, you want to restrict some files shared by
the server to specific hosts.

You control what and who files are shared with using access[1] promises.
So you could have /var/cfengine/datacenter/dc1/ that you want to share
only with clients that are in dc1. Something similar to this may work
for you.

bundle common datacenter_hosts
{
  vars:
      # Define this in a common bundle because maybe we would want to use
      # this same list in an agent bundle as well
      "dc1_ips" slist => { "192.168.33.2", "192.168.33.3" };
}

bundle server my_datacenter_access_rules
{
  access:
    # We only want to share the files out on the policy server
    policy_server::
      "/var/cfengine/datacenter/dc1"
        admit_ips => { @(datacenter_hosts.dc1_ips) };
}

[1] https://docs.cfengine.com/latest/reference-promise-types-access.html
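
The client half of the setup described above, as an added example that is not part of the original message: an agent bundle that reuses the same dc1_ips list so only dc1 hosts try to fetch the directory the server admits them to. The bundle and body names (fetch_dc1_policy, dc1_from_hub, dc1_recurse), the in_dc1 class and the choice of the same path as the local destination are assumptions made for illustration.

```cf3
bundle agent fetch_dc1_policy
{
  vars:
      # Addresses of this host that also appear in the shared dc1 list.
      # Both arguments are passed as list names.
      "my_dc1_ips" slist => intersection("datacenter_hosts.dc1_ips",
                                         "sys.ip_addresses");

  classes:
      # Hypothetical class: true only when this host owns a listed address
      "in_dc1" expression => isgreaterthan(length("my_dc1_ips"), 0);

  files:
    # Clients in dc1 pull the directory; the policy server is the source
    in_dc1.!policy_server::
      "/var/cfengine/datacenter/dc1"
        copy_from    => dc1_from_hub,
        depth_search => dc1_recurse,
        comment      => "Fetch dc1-only files that the server admits us to";
}

body copy_from dc1_from_hub
{
      # Must match the path promised in the server's access rule
      source  => "/var/cfengine/datacenter/dc1";
      servers => { "$(sys.policy_hub)" };
      compare => "digest";
      # Remove local files that no longer exist on the server
      purge   => "true";
}

body depth_search dc1_recurse
{
      depth => "inf";
}
```

The class guard only keeps other hosts from attempting the copy; the restriction itself is enforced by admit_ips on the server, which decides by the address the request comes from.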