How do you figure out if a file is Cfengine managed?


Mike Svoboda

Jun 1, 2015, 7:42:05 PM
to help-c...@googlegroups.com
Other than modifying a file and seeing if Cfengine converges it back, how does everyone communicate that a file is under automation control?  

Or do you even do this?

For every Cfengine managed file, we have a shell script that crawls our VCS repository and inserts a 

# filesource <path in repo where the file lives>

This lets us communicate to our customers that Cfengine is controlling the file, and where we need to go in the VCS system to screw with it.   The problem we're running into, is that not every type of file uses # as a comment.  For example, Java or XML can use /*.   We'd more or less have to maintain a database of the different file types, and the comments those file types expected.   Right now we don't do that.  We insert comments using a # symbol and hope nothing breaks.  Sometimes, things do break and we end up figuring out what the comment symbol is for that configuration..

Instead of the "insert comments with filesource", this would be a cool feature..

What if Cfengine could produce a file called /var/cfengine/automation_managed.txt.   For every file copy, cf-agent would insert an entry with something like....

/etc/snmpd.conf ---> /var/cfengine/inputs/configs/snmpd.conf


This would at least have Cfengine communicate in one place everything that it's touching, and where under /var/cfengine it grabbed it from.

Thoughts?

Brian Bennett

Jun 1, 2015, 9:47:40 PM
to Mike Svoboda, help-c...@googlegroups.com
My practice in times past was to include a header comment at the beginning of the file warning users that a file is cfengine managed.


-- 
Brian Bennett
Looking for CFEngine training?
http://www.verticalsysadmin.com/


Erik S

Jun 2, 2015, 11:26:44 PM
to help-c...@googlegroups.com
On Monday, June 1, 2015 at 6:42:05 PM UTC-5, Mike Svoboda wrote:
> Other than modifying a file and seeing if Cfengine converges it back, how does everyone communicate that a file is under automation control?
>
> Or do you even do this?

Mike, we also use a simple comment at the top of each file indicating it's CFE managed.

> For every Cfengine managed file, we have a shell script that crawls our VCS repository and inserts a
>
> # filesource <path in repo where the file lives>
>
> This lets us communicate to our customers that Cfengine is controlling the file, and where we need to go in the VCS system to screw with it.   The problem we're running into, is that not every type of file uses # as a comment.  For example, Java or XML can use /*.   We'd more or less have to maintain a database of the different file types, and the comments those file types expected.   Right now we don't do that.  We insert comments using a # symbol and hope nothing breaks.  Sometimes, things do break and we end up figuring out what the comment symbol is for that configuration..

That's exactly the problem. Many config files use # for comments, but some use semicolon, some use a single quote (a la vimrc), and so on... Actually a database of file types isn't such a bad idea.

> Instead of the "insert comments with filesource", this would be a cool feature..
>
> What if Cfengine could produce a file called /var/cfengine/automation_managed.txt.   For every file copy, cf-agent would insert an entry with something like....
>
> /etc/snmpd.conf ---> /var/cfengine/inputs/configs/snmpd.conf
>
> This would at least have Cfengine communicate in one place everything that it's touching, and where under /var/cfengine it grabbed it from.
>
> Thoughts?

I like the idea very much - especially since we occasionally have files that are removed from CFEngine management (yet still sit on the filesystem with an erroneous comment in it stating that it's CFE managed). Would be nice to have a known-good, centralized, current place to look for managed file names.
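
Added example (not code from any poster in this thread): a Python version of the comment-style lookup discussed above, combined with the proposed `path ---> source` manifest line. The extension table, the function names and the sample file contents are assumptions; a file whose type is unknown or has no comment syntax is left untouched and gets only the manifest entry.

```python
import os

MARK = "filesource"  # marker word used in the thread

# Constructed lookup (assumption): extension -> (prefix, suffix).
# None means the format has no comment syntax at all.
COMMENT_STYLES = {
    ".conf": ("# ", ""),
    ".sh": ("# ", ""),
    ".ini": ("; ", ""),
    ".xml": ("<!-- ", " -->"),
    ".java": ("/* ", " */"),
    ".json": None,
}

def marker_for(path, source):
    """Marker line for path, or None when the type is unknown or comment-less."""
    style = COMMENT_STYLES.get(os.path.splitext(path)[1].lower())
    if style is None:
        return None
    prefix, suffix = style
    return f"{prefix}{MARK} {source}{suffix}"

def tag(path, text, source):
    """Return (text with marker, manifest entry). Safe to run repeatedly."""
    entry = f"{path} ---> {source}"
    marker = marker_for(path, source)
    if marker is None:
        return text, entry  # never guess a comment symbol
    prefix = COMMENT_STYLES[os.path.splitext(path)[1].lower()][0]
    # Drop any earlier marker so a changed repo path replaces the old one.
    lines = [l for l in text.splitlines()
             if not l.startswith(f"{prefix}{MARK} ")]
    # A shebang or XML declaration must stay on the first line.
    at = 1 if lines and lines[0].startswith(("#!", "<?xml")) else 0
    lines.insert(at, marker)
    return "\n".join(lines) + "\n", entry

if __name__ == "__main__":
    # Constructed sample files, not taken from the thread.
    samples = {
        "/etc/snmpd.conf": "syslocation lab\n",
        "/opt/app/run.sh": "#!/bin/sh\necho hi\n",
        "/opt/app/settings.json": '{"a": 1}\n',
    }
    for path, body in samples.items():
        new_body, entry = tag(path, body, "configs/" + os.path.basename(path))
        print(entry)
        print(new_body, end="")
```
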

Neil Watson

Jun 3, 2015, 8:19:14 AM
to help-c...@googlegroups.com
I think comments would cover most files, even recursive if you are
diligent. Other options:

1. Put a CFEngine-managed file in any directory covered by a recursive
promise.

2. With a reporting engine like Delta Reporting you can query using
expanded promisers (that look like $(myvar) in policy). For example,
let's assume that CFEngine is popular enough that I can afford an
intern. Asok, my intern, wants to know if /var/www/cottage/app (my
cottage rental site http://thewavesbeachhouse.ca) is managed by
CFEngine. Asok is new and I haven't given him policy access yet, but he
can query for the latest record in Delta Reporting for the promiser
/var/www/cottage/app.

/opt/delta_reporting/app/script/query -pr "/var/www/cottage/app%" -l

Promiser                Promisee              Promise handle             Promise outcome  Timestamp               Hostname         IP address                Policy server
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
/var/www/cottage/app/.  thewavesbeachhouse.c  efl_service_recurse_dir    kept             2015-06-03 07:53:27-04  mercury.watson-  2a02:2770:5:0:21a:4aff:f  ettin.watson-wilson.ca
/var/www/cottage/app    thewavesbeachhouse.c  efl_service_recurse_copy   kept             2015-06-03 07:53:27-04  mercury.watson-  2a02:2770:5:0:21a:4aff:f  ettin.watson-wilson.ca
/var/www/cottage/app    thewavesbeachhouse.c  efl_service_recurse_perms  kept             2015-06-03 07:53:27-04  mercury.watson-  2a02:2770:5:0:21a:4aff:f  ettin.watson-wilson.ca
/var/www/cottage/app    thewavesbeachhouse.c  efl_service_recurse_perms  repaired         2015-05-28 09:57:47-04  mercury.watson-  2a02:2770:5:0:21a:4aff:f  ettin.watson-wilson.ca
/var/www/cottage/app    thewavesbeachhouse.c  efl_service_recurse_copy   repaired         2015-05-28 09:52:41-04  mercury.watson-  2a02:2770:5:0:21a:4aff:f  ettin.watson-wilson.ca

And now he knows that CFEngine manages that directory and even which promises
(see handles) are involved. Since DR reports on all promisers Asok can also
test processes, packages, commands, even live sysctl settings.

Sincerely,
--
Neil H Watson
Sr. Partner, Architecture and Infrastructure
CFEngine reporting: https://github.com/evolvethinking/delta_reporting
CFEngine policy: https://github.com/evolvethinking/evolve_cfengine_freelib
CFEngine and vim: https://github.com/neilhwatson/vim_cf3
CFEngine support: http://evolvethinking.com

Danny Sauer

Jun 23, 2015, 5:52:28 PM
to help-c...@googlegroups.com
On Monday, June 1, 2015 at 6:42:05 PM UTC-5, Mike Svoboda wrote:
> Other than modifying a file and seeing if Cfengine converges it back, how does everyone communicate that a file is under automation control?

We have a standard that all file modifications include a standard action body which does kept/failed/repaired logging.  In the cases where a new promise requires an action body that does something else, we append the new action body name to the logging body name, thus creating a new body which logs and does whatever else.  All of those actions go into one include file so that someone who tweaks the logging sees all the places which need tweaked at once.  We also have a standard covering the structure of the log message so that it can be relatively easily parsed.

Then Splunk (or whatever processes those resulting log files) then fairly easily generates a report listing all of the files which CFEngine is manipulating.

I also do the comment-in-the-file thing usually, except for the files which don't support comments.  Many "important" files get a huge ascii-art "Managed by CFEngine" banner at the top; there are some neat ASCII-art word generators on line, and adding 20 lines of comments to the top of a file generally ensures that it won't be missed. :)


################################################################################
#
# '||\   /||`                                     ||`   '||
#  ||\\.//||                                      ||     ||
#  ||     ||  '''|.`||''|,  '''|. .|''|,.|''|,.|''||     ||''|,'||  ||`
#  ||     || .|''|| ||  || .|''|| ||  ||||..||||  ||     ||  || `|..||
# .||     ||.`|..||.||  ||.`|..||.`|..||`|... `|..||.   .||..|'     ||
#                                     ||                         ,  |'
#                                  `..|'                          ''
# .|'''','||''''|'||''''|
# ||      ||  .   ||   .                ''
# ||      ||''|   ||'''| `||''|, .|''|, ||`||''|, .|''|,
# ||      ||      ||      ||  || ||  || || ||  || ||..||
# `|....'.||.    .||....|.||  ||.`|..||.||.||  ||.`|...
#                                    ||
#                                 `..|'
#
################################################################################
# $Id: somefile.sh 9381 2014-07-02 21:32:56Z danny $
################################################################################

Neil Watson

Jun 23, 2015, 6:02:32 PM
to help-c...@googlegroups.com

 ______________________________________
< Managed by CFEngine. Do not moodify. >
 --------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |

Nick Anderson

Jun 23, 2015, 6:04:01 PM
to help-c...@googlegroups.com, Neil Watson
ROFL!

Sent from my mobile device.