help-cfengine

Re: Bootstrapping


From: Luke A. Kanies
Subject: Re: Bootstrapping
Date: Wed, 18 Feb 2004 17:04:47 -0600 (CST)

On Wed, 18 Feb 2004, John Sechrest wrote:

>
>
> "Luke A. Kanies" <luke@madstop.com> writes:
>
>
>  % That's basically what I'm doing right now.  I keep the hosts in LDAP, and
>  % I generate an import file every time cfagent runs (yes, it's generated
>  % idempotently).
>
>  How do you generate it? An external script?

Yep.  It's just a pretty simple ldapsearch, wrapped in a cfengine
statement.  Written in ruby. :)

>  % This is functional, and I didn't mean to imply that there aren't methods
>  % of solving these problems.  The problem with my setup is that there is a
>  % manual step (add the host to ldap), and then two automatic steps that can
>  % take up to 15 minutes each.  This delay isn't a technical problem, it's a
>  % human problem; people begin thinking of the LDAP repository as the place
>  % from where cfservd is getting its access list, so they expect immediate
>  % results.
>
>  Ahhh. Click. If it is in LDAP, then it should be immediate...

Yup.  And they just look in LDAP again, saying, "but it's in LDAP..."

>  % Now that Marc has accepted a patch to support returning lists from
>  % ExecResult, I will be able to have cfservd get the list directly from LDAP
>  % (rather than having to import it), but I'll still have to HUP cfservd to
>  % force it to reload the list.
>
>  Ok. I see. What would it take for cfservd to use a dynamic structure?

Well, in the case of retrieving data from LDAP or a database, I think
cfservd (and, I guess by extension, cfagent) should just query directly:

control:
  AllowConnectionsFrom = (
    LdapExists(objectclass=iphost&iphostnumber=$ip)
  )

That doesn't work for a bunch of reasons (cfagent has no mechanism for
specifying where to fill in a variable, for instance), but that's the
basic requirement.

>  % Basically, this is a classic case of a leaky abstraction.  I've built my
>  % environment so that it behaves as though cfservd is directly getting
>  % information from LDAP, but the truth is leaking through in the delays and
>  % HUPping, and that leakiness confuses my users.  Really, really confuses
>  % them.  That, and it's often inconvenient.
>
>  In what circumstances do your users notice things about system
>  configurations?
>
>  All the vital things like passwords are in ldap... Right?
>
>  So what do they notice being slow?

I've got a script called 'newhost' that adds the host information to LDAP.
The user runs that script, ssh's to the appropriate machine, runs 'sudo
cfagent -vq', and the update fails.  The configuration is totally correct,
but they need to wait at least 15 minutes for it to propagate.  Leaky
abstractions.

Luke

-- 
2.  If 2 + 2 is 4 and 2 x 2 is also 4, what's the big deal
    about multiplication anyway?
                -- from the Dogbert's New Ruling Class quiz
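The generator Luke describes above (an ldapsearch wrapped in a cfengine statement, written in Ruby, producing the access list idempotently) as an added illustration; this is not Luke's script and not part of the original thread. It assumes the cfengine 2 cfservd syntax shown in his message (a `control:` section with `AllowConnectionsFrom`), the `iphost`/`ipHostNumber` LDAP schema he names, and an output path that is only an example; the LDIF it parses is constructed inline to stand in for real ldapsearch output. It goes one step beyond the thread by validating each address before it reaches the config and by reporting whether a reload of cfservd is actually needed, so the HUP he mentions can be limited to runs where the list really changed.

```ruby
# Added example: build a cfservd access list from LDAP host entries,
# write it only when the content differs, and report whether cfservd
# would need a HUP. Not the original poster's code.

# Constructed sample standing in for
#   ldapsearch -LLL '(objectclass=iphost)' cn ipHostNumber
# The third entry is deliberately malformed to show validation.
SAMPLE_LDIF = <<~LDIF
  dn: cn=web1,ou=hosts,dc=example,dc=com
  cn: web1
  ipHostNumber: 192.0.2.10

  dn: cn=db1,ou=hosts,dc=example,dc=com
  cn: db1
  ipHostNumber: 192.0.2.20
  ipHostNumber: 192.0.2.21

  dn: cn=typo,ou=hosts,dc=example,dc=com
  cn: typo
  ipHostNumber: not-an-address
LDIF

# Strict dotted-quad check: anything else in an LDAP attribute is dropped
# rather than copied verbatim into a file cfservd will parse.
IPV4 = /\A(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}\z/

# Collect every ipHostNumber value from LDIF text, keeping only valid
# addresses, de-duplicated and sorted so the output is stable run to run.
def extract_addresses(ldif)
  found = ldif.each_line.map do |line|
    m = line.strip.match(/\AipHostNumber:\s*(\S+)\z/i)
    m && m[1]
  end.compact
  found.select { |a| IPV4.match?(a) }.uniq.sort
end

# Render the cfengine 2 style control section (assumed syntax, as in the
# message above) for the given addresses.
def render_access_list(addrs)
  lines = ["control:", "  AllowConnectionsFrom = ("]
  addrs.each { |a| lines << "    #{a}" }
  lines << "  )"
  lines.join("\n") + "\n"
end

# Write content to path only if it differs; returns true when the file
# changed. Writes via a temp file and rename so a reader never sees a
# half-written list.
def write_if_changed(path, content)
  return false if File.exist?(path) && File.read(path) == content

  tmp = "#{path}.tmp.#{Process.pid}"
  File.write(tmp, content)
  File.rename(tmp, path)
  true
end

# One full run: parse, render, write. Returns :reload_needed when cfservd
# holds a stale list, :unchanged otherwise. Sending the HUP itself is left
# to the caller (for example the surrounding cfengine action).
def refresh_access_list(ldif, path)
  content = render_access_list(extract_addresses(ldif))
  write_if_changed(path, content) ? :reload_needed : :unchanged
end

if __FILE__ == $PROGRAM_NAME
  out = ARGV[0] || "/tmp/cfservd-access.conf" # example path only
  puts "#{out}: #{refresh_access_list(SAMPLE_LDIF, out)}"
end
```

Running it twice against the same path shows the idempotency: the first run reports `reload_needed`, the second `unchanged`, so a HUP of cfservd is only warranted on the first. The malformed entry never appears in the rendered list.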
