[Gllug] Production system - Linux 2.4.24, LVM and cciss
Bruce Richardson
itsbruce at uklinux.net
Mon Jan 12 17:09:34 UTC 2004

On Mon, Jan 12, 2004 at 04:46:45PM +0000, Rickey wrote:
> Couldn't agree more. When it gets too complicated, get something like
> those packages in. I'm just trying to think of a setup in which just 200
> machines require such specific setup that one of those config management
> setups is justified (to me).

With cfengine you describe the state your machines *should* be in and it
makes such changes as are necessary to achieve that. It makes it a
useful tool for imposing security policy.

To take a simple example, consider the /home directory. Linux systems
often configure the permissions on these in eccentric ways and admin
tampering can leave a network with a range of /home set-ups across the
network. cfengine (assuming it is already installed) lets you tidy that
up quite simply. You just add a line to the config file on the cfengine
master describing what the permissions on /home should be and all the
machines on the network will change to match.

This is already simpler than the only practical alternative (in the
absence of cfengine or a similar tool), which is to use ssh to change
the permissions on each host. Now consider that cfengine is typically
run in a regular cronjob, which means that it will correct any tampering
(malicious or absent-minded) within hours. Then consider that cfengine
allows you to place hosts into multiple, arbitrary classes, allowing you
to specify different /home permissions for the different classes. You
can use cfengine to associate a huge range of configuration options with
different classes. Done properly, reconfiguring a server to reflect a
change in function becomes as simple as changing the class(es) of the
host and waiting.
--
Bruce
If the universe were simple enough to be understood, we would be too
simple to understand it.
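
Added example, not part of the original message and not cfengine syntax: a Python sketch of the convergent check the message describes, where a host's classes select the wanted /home mode and each scheduled run corrects any drift. The class names, the modes and the `converge` helper are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Hypothetical policy table: wanted mode for the home root, per host class.
# The first entry whose class the host belongs to wins; "any" is the fallback.
POLICY = [("fileserver", 0o711), ("workstation", 0o755), ("any", 0o755)]


def desired_mode(host_classes, policy=POLICY):
    for cls, mode in policy:
        if cls == "any" or cls in host_classes:
            return mode
    raise LookupError("no policy entry matches this host")


def converge(path, host_classes, policy=POLICY, dry_run=False):
    """Bring `path` to its policy mode; return (found, wanted, changed)."""
    # O_NOFOLLOW/O_DIRECTORY: never chmod through a symlink planted at `path`.
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        found = stat.S_IMODE(os.fstat(fd).st_mode)
        wanted = desired_mode(host_classes, policy)
        changed = found != wanted
        if changed and not dry_run:
            os.fchmod(fd, wanted)  # act on the inode that was inspected
        return found, wanted, changed
    finally:
        os.close(fd)


if __name__ == "__main__":
    # Constructed demo on a scratch directory standing in for /home.
    with tempfile.TemporaryDirectory() as scratch:
        home = os.path.join(scratch, "home")
        os.mkdir(home)
        os.chmod(home, 0o777)  # simulated tampering
        for run in (1, 2):  # the second run stands for the next cron pass
            found, wanted, changed = converge(home, {"fileserver"})
            print(f"run {run}: found {found:o}, wanted {wanted:o}, changed={changed}")
```

Logging the `changed` result of each run gives a record of when a host drifted from policy, which is worth reviewing alongside the automatic correction.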