I have a file which has rules for managing Solaris services, and the
rules are apparently being applied selectively.  Here's a cut-down
version of the file.  /usr/site/sbin/check-service is a script that
makes sure that a service is enabled and running properly (and sends
email if it's not).
shellcommands:
        (solaris|solarisx86)::
                "/usr/site/sbin/check-service svc:/network/nis/client:default"
                "/usr/site/sbin/check-service svc:/system/filesystem/autofs:default"
                "/usr/sbin/svcadm enable svc:/network/security/ktkt_warn:default"
                "/usr/sbin/svcadm enable svc:/network/smtp-local:sendmail"
        stunnelservers.(solaris|solarisx86)::
                "/usr/site/sbin/check-service svc:/network/stunnel:default"
... (more services to enable follow)
        # Here begin services that must be disabled
        (solaris|solarisx86)::
                "/usr/sbin/svcadm disable svc:/network/rpc/cde-calendar-manager:default"
        !stunnelservers.(solaris|solarisx86)::
                "/usr/sbin/svcadm disable svc:/network/CSEEstunnel:default"

and output from "cfagent -qv" on a machine in the stunnelservers group:
Defined Classes = ( 130_85_36 130_85_36_80 32_bit Day13 Friday Hr14
Hr14_Q3 June Min35_40 Min38 Q3 SUNW_UltraAX_i2 Yr2008 anubis_cs
anubis_cs_umbc_edu any cfengine_2 cfengine_2_2 cfengine_2_2_1
compiled_on_solaris2_10 cs_umbc_edu cseesystems diskfree_high_normal
edu entropy_cfengine_in_low entropy_dns_in_low entropy_dns_out_low
entropy_ftp_in_low entropy_ftp_out_low entropy_icmp_in_low
entropy_icmp_out_low entropy_irc_in_low entropy_irc_out_low
entropy_misc_in_low entropy_misc_out_low entropy_netbiosdgm_in_low
entropy_netbiosdgm_out_low entropy_netbiosns_in_low
entropy_netbiosns_out_low entropy_netbiosssn_in_low
entropy_netbiosssn_out_low entropy_smtp_in_low entropy_smtp_out_low
entropy_ssh_out_low entropy_tcpack_in_low entropy_tcpack_out_low
entropy_tcpfin_in_low entropy_tcpfin_out_low entropy_tcpsyn_in_low
entropy_tcpsyn_out_low entropy_udp_in_low entropy_udp_out_low
entropy_wwws_in_low fe80__203_baff_fe10_5577 greylistconfexists
haveraid ipv4_130 ipv4_130_85 ipv4_130_85_36 ipv4_130_85_36_80
loadavg_high_anomaly net_iface_dmfe0 net_iface_lo0 nfsservers
nisclients nofirewall nrpemonitored otherprocs_high_normal servers
solaris sparc stunnelservers sun4u sunos_5_10 sunos_sun4u
sunos_sun4u_5_10 sunos_sun4u_5_10_Generic_127111_06 umbc_edu
users_high_ldt web1 web1_cs web1_cs_umbc_edu webservers
www_in_normal_normal wwws_in_high_ldt )

Note that 'solaris' and 'stunnelservers' are in this output, which is
all that matters; the rest is there for completeness.  Then here's
some output from later on in the execution:

cfengine:web1:
Executing script /usr/sbin/svcadm enable
svc:/network/smtp-local:sendmail...(timeout=0,uid=-1,gid=-1)
(Setting umask to 77)
cfengine:web1: Finished script /usr/sbin/svcadm enable
svc:/network/smtp-local:sendmail
Performance(Exec(/usr/sbin/svcadm enable
svc:/network/smtp-local:sendmail)): time=0.00 secs, av=0.00 +/- 0.00
cfengine:web1:
Executing script /usr/sbin/svcadm disable
svc:/network/rpc/cde-calendar-manager:default...(timeout=0,uid=-1,gid=-1)
(Setting umask to 77)
cfengine:web1: Finished script /usr/sbin/svcadm disable
svc:/network/rpc/cde-calendar-manager:default
Performance(Exec(/usr/sbin/svcadm disable
svc:/network/rpc/cde-calendar-manager:default)): time=0.00 secs,
av=0.00 +/- 0.00

So this obviously raises some questions.  Why does cfagent decide that
the stunnel line need not be executed?  Should the commands listed
under "shellcommands" be executed in order?  Am I not making my
intentions clear with the rules?  Basically, I want every Solaris
machine to start nis/client et al, and iff a solaris machine is in the
"stunnelservers" group, make the stunnel service enabled.

Trimming down the entire config file to the following:
groups:
        s = ( web1 )
shellcommands:
        s::
                "/usr/site/sbin/check-service svc:/network/CSEEstunnel:default"

control:
        domain = ( cs.umbc.edu )
        workdir = ( /var/cfengine )
        fileshost = ( ds4.cs.umbc.edu )
        filesdir = ( /var/cfengine/master/files )
        editfilesize = ( 0 )
        IfElapsed = ( 0 )
        SplayTime = ( 45 )

        actionsequence = (
                directories
                copy
                links
                files
                editfiles
                disable
                tidy
                shellcommands
                processes
        )

lets it work when I run as a user (i.e., it runs that command when
web1 is defined and not otherwise) but still not as root!

Any suggestions are welcome.  I'm running cfagent version 2.2.1, and
if anyone wants to see my config files verbatim I'd be glad to send a
copy via private mail.  Please CC me with any answers, as I'm not
subscribed to any cfengine lists.

Thanks!
Will
_______________________________________________
Bug-cfengine mailing list
[email protected]
https://cfengine.org/mailman/listinfo/bug-cfengine
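
The class guards from the message above, evaluated against the classes cfagent reported, as an added example that is not part of the original message and is not cfengine's own code. It assumes cfengine 2 operator semantics ('!' is NOT, '.' or '&' is AND, '|' or '||' is OR, with AND binding tighter than OR); `class_matches` and `selected_commands` are hypothetical helper names.

```python
import re

# Constructed input: a subset of the post's "Defined Classes" and three of its rules.
DEFINED = {"any", "solaris", "sparc", "stunnelservers", "web1", "webservers"}
RULES = '''(solaris|solarisx86)::
    "/usr/site/sbin/check-service svc:/network/nis/client:default"
stunnelservers.(solaris|solarisx86)::
    "/usr/site/sbin/check-service svc:/network/stunnel:default"
!stunnelservers.(solaris|solarisx86)::
    "/usr/sbin/svcadm disable svc:/network/CSEEstunnel:default"
'''

def class_matches(expr, defined):
    """Evaluate a class guard: '!' NOT, '.'/'&' AND, '|'/'||' OR, parentheses."""
    toks = re.findall(r"\|\||[().&|!]|\w+|\S", expr) + [None]  # None = end marker
    def atom():  # NOT, parenthesised group, or a class name
        tok = toks.pop(0)
        if tok == "!":
            return not atom()
        if tok == "(":
            val = either()
            if toks.pop(0) != ")":
                raise ValueError(f"missing ')' in {expr!r}")
            return val
        if tok is None or not re.fullmatch(r"\w+", tok):
            raise ValueError(f"expected class name, got {tok!r}")
        return tok in defined
    def both():  # AND binds tighter than OR
        val = atom()
        while toks[0] in (".", "&"):
            toks.pop(0)
            val = atom() and val  # atom() runs first so its tokens are consumed
        return val
    def either():
        val = both()
        while toks[0] in ("|", "||"):
            toks.pop(0)
            val = both() or val
        return val
    result = either()
    if toks != [None]:
        raise ValueError(f"unexpected {toks[0]!r} in {expr!r}")
    return result

def selected_commands(rules, defined):
    active, out = False, []
    for line in map(str.strip, rules.splitlines()):
        if line.endswith("::"):  # class guard line
            active = class_matches(line[:-2], defined)
        elif line.startswith('"') and active:
            out.append(line.strip('"'))
    return out
```

Under these assumptions, `selected_commands(RULES, DEFINED)` includes the stunnel check for the class set quoted in the message, so the guard expression by itself does not exclude that command.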