Before you start using cfengine, you have to compile and install it. RPMs are available for systems that can use them, and there is also a Solaris package (see Resources). If you want to store permanent checksums of files (similar to what Tripwire does), compile with Berkeley DB support. Then you can start creating the configuration files. The main configuration file is /etc/cfengine/cfengine.conf, which is the one run when cfengine is invoked without a file name (when compiling 1.6.3 you can specify a different default configuration directory, but in 2.0 and later /etc/cfengine is the only location checked, so you should stick to it).

Below is a starting configuration for cfengine. It is not a finished product; before running it, read the cfengine reference and tutorial carefully (see Resources). Try running cfengine with the -v -n (verbose, dry-run) options to see what this configuration would do. With the -n (dry-run) option, nothing on the system is changed.

Listing 1. Starting cfengine configuration file /etc/cfengine/cfengine.conf
# note that only some of the possible sections are used here;
# refer to the cfengine documentation for the full list of sections
# you can have. Comments, as you can see, are like shell or Perl
# comments.
# see the tutorial and reference for any unexplained phenomena

import:
    any::
        cf.groups

groups:
    # all groups are defined in cf.groups, imported above, but you can
    # define extras here. The format is simple:
    class = ( machine1 machine2 )
    # and then any machine named machine1 or machine2 will have that class
    # defined.

# the control section sets up how cfengine will behave
control:
    any::
        # you have to state in AddInstallable what classes unknown to cfengine
        # by default you will be using. Run cfengine as "cfengine -v" to see
        # the built-in classes you don't have to define. Here we divide
        # machines into the ones that run inetd and the ones that run xinetd,
        # as an example.
        AddInstallable = ( inetd xinetd )
        editfilesize = ( 300000 )
        moduledirectory = ( /etc/cfengine/modules )
        domain = ( yourdomain.com )
    any::
        LogDirectory = ( /etc/cfengine/log )
        netmask = ( 255.255.255.0 )
        Repository = ( /etc/cfengine/repository )
        sysadm = ( "tzz@iglou.com" )
        # Bug in cfengine: actionsequence must follow LogDirectory and Repository
        actionsequence = ( directories files editfiles copy links processes disable
                           shellcommands )

directories:
    # this ensures that these directories will be created when cfengine runs
    /etc/cfengine/log
    /etc/cfengine/repository
    /etc/cfengine/cfcollector

files:
    any::
        # set the permissions for these files
        /etc/sudoers mode=0440 owner=root group=root action=fixall
        /etc/hosts.allow mode=0644 owner=root group=root action=fixall
        /etc/hosts.deny mode=0644 owner=root group=root action=fixall
        # just warn if this file's permissions are wrong
        /etc/shadow mode=0400 owner=root action=warnall inform=true
    # CERT advisory CA-2001-05, for Solaris only
    solaris::
        /usr/lib/dmi/snmpXdmid mode=0000 owner=root group=root action=fixall
    # example of setting permissions differently for different OS types
    # (not Linux and Linux), and negating classes
    !linux::
        /.ssh mode=0700 owner=root action=fixall inform=true
    linux::
        /root/.ssh mode=0700 owner=root action=fixall inform=true

editfiles:
    any::
        # add the rsync service to /etc/services and /etc/inetd.conf
        { /etc/services
            SetLine "rsync 873/tcp # rsync"
            AppendIfNoLineMatching "rsync.*"
        }
        { /etc/inetd.conf
            # add rsync
            SetLine "rsync stream tcp nowait root /usr/local/bin/rsync rsyncd --daemon"
            AppendIfNoLineMatching "rsync.*"
        }

copy:
    # set up sshd startup script, from trusted master distribution in /etc/cfengine
    /etc/cfengine/sshd dest=/etc/init.d/sshd repository=/etc/cfengine/repository

links:
    any::
        # link the sshd init.d script to /etc/rc3.d, overwriting existing
        # links if they exist
        /etc/rc3.d/S72local_sshd ->! /etc/init.d/sshd

processes:
    # invoke cfengine with "cfengine -DHupInetd" to define this class and
    # send inetd the HUP signal (the machine has to be in the inetd class
    # discussed above, too). This is an example of compound classes.
    inetd.HupInetd::
        "inetd" signal=hup

disable:
    # empty this file (this can also be used to rotate logs, with
    # different rotate options)
    /etc/rc3.d/S77dmi rotate=empty

shellcommands:
    any::
        # always put the contents of the $domain variable in this file.
        # note that all the cfengine variables can be interpolated inside strings.
        "/bin/echo $(domain) > /etc/cfengine/cfdomainname"
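Two things in Listing 1 are easy to misread when you first see them: how class expressions such as !linux and inetd.HupInetd are evaluated, and the difference between action=fixall (cfengine changes the file) and action=warnall (it only reports). The following Python script is an added example, not code from the article or from cfengine itself; it re-implements just that subset of the files: section's semantics (class matching, mode comparison, fix versus warn) over a throwaway directory so you can watch the behaviour without touching real system files. The rule text, the placeholder paths (sudoers, shadow, dot_ssh, root_dot_ssh) and the starting modes are all constructed for the demo; owner/group checks are left out because fixing them needs root.

```python
import os
import stat
import tempfile

# Constructed rule text modelled on the files: section of Listing 1. The paths
# are relative placeholders that run_demo() creates under a temporary directory;
# real cfengine rules use absolute paths such as /etc/sudoers.
SAMPLE_RULES = """\
any::
    # drift here is corrected on the spot
    sudoers mode=0440 action=fixall
    # drift here is only reported, the file is never touched
    shadow mode=0400 action=warnall inform=true
!linux::
    dot_ssh mode=0700 action=fixall
linux::
    root_dot_ssh mode=0700 action=fixall
"""


def class_matches(expr, active):
    """Evaluate a cfengine-style class expression against the set of active
    classes: '.' is AND, '|' is OR, a leading '!' negates one term, and the
    built-in class 'any' is always true."""
    def term(t):
        negate = t.startswith("!")
        name = t.lstrip("!")
        value = name == "any" or name in active
        return (not value) if negate else value
    return any(all(term(t) for t in alt.split(".")) for alt in expr.split("|"))


def parse_rules(text):
    """Turn the mini rule language into dicts: class, path, octal mode, action.
    Comments and blank lines are skipped; 'label::' lines switch the class."""
    rules = []
    current = "any"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("::"):
            current = line[:-2]
            continue
        path, *opts = line.split()
        options = dict(opt.split("=", 1) for opt in opts)
        rules.append({
            "class": current,
            "path": path,
            "mode": int(options.get("mode", "0"), 8),
            "action": options.get("action", "warnall"),
        })
    return rules


def enforce(rules, active, root):
    """Apply the rules whose class expression matches. fixall chmods a drifted
    path; warnall only records the drift. Returns (path, outcome, found, wanted)."""
    findings = []
    for rule in rules:
        if not class_matches(rule["class"], active):
            continue
        path = os.path.join(root, rule["path"])
        found = stat.S_IMODE(os.stat(path).st_mode)
        if found == rule["mode"]:
            continue
        if rule["action"] == "fixall":
            os.chmod(path, rule["mode"])
            findings.append((rule["path"], "fixed", found, rule["mode"]))
        else:
            findings.append((rule["path"], "warned", found, rule["mode"]))
    return findings


def run_demo(active=frozenset({"linux"})):
    """Build a constructed tree with deliberately wrong modes, enforce the
    rules as a machine holding the given classes, and return the findings
    together with the modes left on disk afterwards."""
    root = tempfile.mkdtemp()
    for name in ("sudoers", "shadow"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(os.path.join(root, name), 0o644)   # too permissive on purpose
    for name in ("dot_ssh", "root_dot_ssh"):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), 0o755)   # too permissive on purpose
    findings = enforce(parse_rules(SAMPLE_RULES), active, root)
    modes = {n: stat.S_IMODE(os.stat(os.path.join(root, n)).st_mode)
             for n in ("sudoers", "shadow", "dot_ssh", "root_dot_ssh")}
    return findings, modes


if __name__ == "__main__":
    for finding in run_demo()[0]:
        print("%s: %s (found %04o, wanted %04o)" % finding)
```

Run as a Linux-class machine, sudoers and root_dot_ssh are fixed, shadow is only warned about (its mode stays 0644, which is why Listing 1 pairs warnall with inform=true so the drift is at least logged), and the !linux rule for dot_ssh is skipped entirely. Swap the active set for {"solaris"} and the opposite .ssh rule fires, which is the class-negation idea the listing's comment describes.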
Simple usage: editing and copying files

To edit files, use editfiles