Initial bootstrap determined by policy?


Eli Taft

Apr 13, 2018, 10:16:35 AM
to help-cfengine
Hi again.  One more weird question for you.

Is it possible to have a cfengine promise that bootstraps to another policy server?  In my local testing it doesn't seem possible.  Here's our scenario:

We've got four different environments (i.e. qa / uat / staging / prod).  Each one of those environments has its own policy hub.  There are thousands of machines.  We'd like an automated way for each CFEngine instance to know where to bootstrap.  Sure I could easily write a shell script for this.  But we're wondering if we re-package the cfengine package so that the masterfiles contains an initial 'bootstrap' promise that determines, based on sys.fqhost, where to bootstrap.  I have all the determine logic figured out.  But when I try to execute the bootstrap command, I get an interesting error:

inputs/controls/cf_agent.cf:28:22: warning: Removed constraint 'syslog' in promise type 'agent' [-Wremoved


Nick Anderson

Apr 13, 2018, 11:18:49 AM
to Eli Taft, help-cfengine

Eli Taft <elim...@gmail.com> writes:

> Is it possible to have a cfengine promise that bootstraps to another policy
> server? In my local testing it doesn't seem possible. Here's our scenario:

Yes, it should be possible, but note that wipes and it's a one time operation so there is some risk here of orphaning yourself. There is nothing native inside the agent to keep re-trying bootstrap until it's successful. What version are you running?

> We've got four different environments (i.e. qa / uat / staging / prod).
> Each one of those environments has its own policy hub. There are thousands
> of machines. We'd like an automated way for each CFEngine instance to know
> where to bootstrap. Sure I could easily write a shell script for this.
> But we're wondering if we re-package the cfengine package so that the
> masterfiles contains an initial 'bootstrap' promise that determines, based
> on sys.fqhost, where to bootstrap. I have all the determine logic figured
> out. But when I try to execute the bootstrap command, I get an interesting
> error:

This warning is about syslog in body agent control being deprecated. It was
removed in 3.6.0, you should be able to suppress the error by removing the
syslog attribute from body agent control.

inputs/controls/cf_agent.cf:28:22: warning: Removed constraint 'syslog' in promise type 'agent' [-Wremoved

Instead of doing a different bootstrap to re-point which hub you're using, have
you considered simply re-writing /var/cfengine/policy_server.dat?


Nick Anderson
Doer of things, CFEngine
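
Added example, not part of the thread and not CFEngine project code: a shell wrapper for the scenario discussed above that picks the hub from the host's FQDN, refuses to bootstrap when no environment matches, and retries a failed bootstrap a bounded number of times, since the agent does not retry on its own. The `example.com` names and the hostname convention are constructed; `cf-agent --bootstrap` is the only real command used.

```shell
#!/bin/sh
# Added example. Hub names and the FQDN convention below are constructed.

# Map an FQDN to its environment's policy hub. Unknown names fail closed
# (non-zero status, no output) so a host never bootstraps to a guessed hub.
hub_for_host() {
    case "$1" in
        *.qa.example.com)      echo "hub.qa.example.com" ;;
        *.uat.example.com)     echo "hub.uat.example.com" ;;
        *.staging.example.com) echo "hub.staging.example.com" ;;
        *.prod.example.com)    echo "hub.prod.example.com" ;;
        *) return 1 ;;
    esac
}

# The one real action; kept in its own function so it can be stubbed.
run_bootstrap() {
    cf-agent --bootstrap "$1"
}

# Try the bootstrap up to $2 times, sleeping $3 seconds between attempts.
# Returns 0 on the first success, 1 if every attempt failed.
bootstrap_with_retry() {
    b_hub=$1
    b_attempts=${2:-5}
    b_delay=${3:-30}
    b_try=1
    while [ "$b_try" -le "$b_attempts" ]; do
        if run_bootstrap "$b_hub"; then
            return 0
        fi
        echo "bootstrap to $b_hub failed (attempt $b_try/$b_attempts)" >&2
        if [ "$b_try" -lt "$b_attempts" ]; then
            sleep "$b_delay"
        fi
        b_try=$((b_try + 1))
    done
    return 1
}

# Acts only when explicitly requested: DO_BOOTSTRAP=1 sh pick-hub.sh
if [ "${DO_BOOTSTRAP:-0}" = 1 ]; then
    hub=$(hub_for_host "$(hostname -f)") || {
        echo "no hub mapping for this host; not bootstrapping" >&2
        exit 1
    }
    bootstrap_with_retry "$hub" 5 30
fi
```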

Eli Taft

Apr 13, 2018, 11:34:25 AM
to help-cfengine


> Instead of doing a different bootstrap to re-point which hub you're using, have
> you considered simply re-writing /var/cfengine/policy_server.dat?



Yes I have, but in this scenario that's too soon because keys haven't been exchanged yet.

Eli Taft

Apr 13, 2018, 11:35:31 AM
to help-cfengine


> Yes, it should be possible, but note that wipes and it's a one time operation so there is some risk here of orphaning yourself. There is nothing native inside the agent to keep re-trying bootstrap until it's successful. What version are you running?


3.10 community
 

> This warning is about syslog in body agent control being deprecated. It was
> removed in 3.6.0, you should be able to suppress the error by removing the
> syslog attribute from body agent control.


Ok thanks.  I'll try again.


Nick Anderson

Apr 13, 2018, 11:54:41 AM
to Eli Taft, help-cfengine

Eli Taft <elim...@gmail.com> writes:

>> Instead of doing a different bootstrap to re-point which hub you're using,
>> have
>> you considered simply re-writing /var/cfengine/policy
>> ?
>
> Yes I have, but in this scenario that's too soon because keys haven't been
> exchanged yet.

For custom bootstrap behavior, instead of using --bootstrap you can run a
custom policy. In fact bootstrap just runs the embedded failsafe policy.


Eli Taft

Apr 13, 2018, 12:17:13 PM
to help-cfengine

>>> Instead of doing a different bootstrap to re-point which hub you're using,
>>> have
>>> you considered simply re-writing /var/cfengine/policy
>>> ?

I had already replied to that above :)

>> Yes I have, but in this scenario that's too soon because keys haven't been
>> exchanged yet.
>
> For custom bootstrap behavior, instead of using --bootstrap you can run a
> custom policy. In fact bootstrap just runs the embedded failsafe policy.



Thanks, I've got it working. 

Nick Anderson

Apr 13, 2018, 3:16:50 PM
to Eli Taft, help-cfengine
Great! Glad you have it working.


