Brians cf-primer >> Edit a File

Christian Linden

Dec 14, 2016, 6:14:16 AM
to help-cfengine
Hi,

<<
bundle agent example {
  files:
    "/etc/ssh/sshd_config"     edit_line => deny_root_ssh;
}

bundle edit_line deny_root_ssh {
  delete_lines:
    "^PermitRootLogin.*";
  insert_lines:
    "PermitRootLogin no";
}
  • CFEngine is smart enough to know not to edit the file if the end result is already converged.
>>

I would think that in each future agent run "PermitRootLogin no" will be deleted first and then inserted again.
Is this an error in my reasoning, or in my understanding of how CFEngine works?
Until now I have first used delete_lines: and then append_if_no_line.

Thanks!
Chris



Aleksey Tsalolikhin

Dec 14, 2016, 9:01:10 AM
to Christian Linden, help-cfengine
I can't find it in the documentation, but file editing works by CFEngine constructing a model of the desired content and then comparing it to the actual content.  If they don't match, then CFEngine will replace the file.  Otherwise, it will discard its model.

-- 
Need training on CFEngine, Git or Time Management?  Email trai...@verticalsysadmin.com.


Nick Anderson

Dec 14, 2016, 9:22:28 AM
to Aleksey Tsalolikhin, Christian Linden, help-cfengine

Aleksey Tsalolikhin writes:

> I can't find it in the documentation but file editing works by CFEngine
> constructing a model of the desired content and then comparing it to the
> actual content. If they don't match, then CFEngine will replace the file.
> Otherwise, it will discard its model.

The edit_line docs say:

  • CFEngine makes a copy of the file you want to edit.
  • CFEngine makes all the edits in the copy of the file. The filename is the same
    as your original file with the extension .cf-after-edit appended.
  • After all edits are complete (the delete_lines, field_edits, insert_lines, and
    finally replacepatterns promises), CFEngine checks to see if the new file is
    the same as the original one. If there are no differences, the promises have
    converged, so it deletes the copy, and the original is left completely
    unmodified.
  • If there are any differences, CFEngine makes a copy of your original file with
    the extension .cf-before-edit (so you always have the most recent backup
    available), and then renames the edited version to your original filename.

Because file rename is an atomic operation (guaranteed by the operating system),
any application program will either see the old version of the file or the new
one. There is no "window of opportunity" where a partially edited file can be
seen (unless an application intentionally looks for the .cf-after-edit file).
Problems during editing (such as disk-full or permission errors) are likewise
detected, and CFEngine will not rename a partial file over your original.
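
The sequence from the edit_line docs quoted above, as an added Python sketch (not part of the thread and not CFEngine's own code): edit a copy, compare, and rename only when the result differs, so the second run leaves the original untouched. The names `edit_line` and `demo` and the sample file are constructed for illustration, and insert_lines is simplified to "append if absent".

```python
import os
import re
import tempfile

def edit_line(path, delete_regex, insert_line):
    """Apply delete_lines then insert_lines to a copy; return True if the file was replaced."""
    with open(path) as f:
        original = f.read()
    # delete_lines: drop every line that the regex matches as a whole line
    pattern = re.compile(delete_regex)
    lines = [l for l in original.splitlines() if not pattern.fullmatch(l)]
    # insert_lines (simplified): append the line if it is not already present
    if insert_line not in lines:
        lines.append(insert_line)
    edited = "\n".join(lines) + "\n"

    after = path + ".cf-after-edit"
    with open(after, "w") as f:          # all edits land in the copy
        f.write(edited)
    if edited == original:               # converged: discard the copy
        os.remove(after)
        return False
    with open(path + ".cf-before-edit", "w") as f:
        f.write(original)                # most recent backup
    os.replace(after, path)              # atomic rename over the original
    return True

def demo():
    """Run the same promise twice on a constructed sshd_config and report the outcome."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sshd_config")
        with open(path, "w") as f:       # constructed sample input
            f.write("Port 22\nPermitRootLogin yes\nUsePAM yes\n")
        first = edit_line(path, r"^PermitRootLogin.*", "PermitRootLogin no")
        inode = os.stat(path).st_ino
        second = edit_line(path, r"^PermitRootLogin.*", "PermitRootLogin no")
        same_inode = os.stat(path).st_ino == inode
        with open(path) as f:
            content = f.read()
        return first, second, same_inode, content, sorted(os.listdir(d))

if __name__ == "__main__":
    print(demo())
```

The delete-then-insert does happen on every run, but only inside the copy; the comparison at the end decides whether the real file is replaced.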

Aleksey Tsalolikhin

Dec 14, 2016, 10:27:35 AM
to Nick Anderson, Christian Linden, help-cfengine
Perfect, thanks, Nick!

-- 
Need training on CFEngine, Git or Time Management?  Email trai...@verticalsysadmin.com.

Christian Linden

Dec 14, 2016, 10:40:31 AM
to Aleksey Tsalolikhin, Nick Anderson, help-cfengine
Thanks Nick & Aleksey for explaining =)

I was still thinking too sequentially/imperatively == not declaratively enough.

c