Note that every unqualified variable is automatically considered to be in context this, so that a reference to the variable $(foo) is identical to referencing. The CFEngine 3 language has a few simple rules. The purpose of the cfengine reference manual is to collect together and document the raw facts about the different components of cfengine. Once you have.

Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this permission notice are preserved on all copies.

Permission is granted to copy and distribute modified versions of this manual under the conditions for verbatim copying, provided also that the section entitled “GNU General Public License” is included exactly as in the original, and provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one.

Permission is granted to copy and distribute translations of this manual into another language, under the above conditions for modified versions, except that the section entitled “GNU General Public License” may be included in a translation approved by the author instead of in the original English.

Command reference

In this section you will find each facet of a cfengine program listed together with an appropriate explanation. The commands are presented in alphabetical order for ease of lookup. Use this section in conjunction with the example program See section 5.

An access control list is an extended file permission. It allows you to open or close a file to a named list of users without having to create a group for those users; similarly, it allows you to open or close a file for a list of groups.

Several operating systems have access control lists, but each typically has a different syntax and different user interface to this facility, making it very awkward to use.

This part of a cfengine configuration simplifies the management of ACLs by providing a more convenient user interface for controlling them and, as far as possible, a common syntax. An ACL may, by its very nature, contain a lot of information.

Normally you would set ACLs in a files command. See section 1. It would be too cumbersome to repeat all of the information in every command in your configuration, so cfengine simplifies this by first associating an alias together with a complex list of ACL information. This alias is then used to represent the whole bundle of ACL entries in a files or copy command.

The form of an ACL is similar to the form of an editfiles command.

It is a bundle of information concerning a file’s permissions. The name acl-alias can be any identifier containing alphanumeric characters and underscores. This is what you will use to refer to the ACL entries in practice. The method entry tells cfengine how to interpret the entries: Since the filesystems from different developers all use different models for ACLs, you must also tell cfengine what kind of filesystem the file resides on.

The ACEs have the following general syntax: For an explanation of ACL types and their use, refer to your local manual page.

However, note that for each type of filesystem, there are certain entries which must exist in an ACL. If you are creating a new ACL from scratch, you must specify these. For example, in solaris ACLs you must have entries for user, group and other. In cfengine syntax these are called user: If you are appending to an existing entry, you do not have to re-specify these unless you want to change them.


This sets the ACL according to the specified entries which follow.

The existing ACL will be overwritten completely. The individual bits in an ACE may be either added, subtracted or set equal to a specified mask.

Here are some examples: The keyword noaccess means set all access bits to zero for the named user, i. The keyword default means remove the named user from the access control list altogether, so that the default permissions apply. It is not possible to set ACLs in foreign cells currently using cfengine, but you can still have all of your ACL definitions in the same file.

You must however arrange for the file to be executed on the server for the cell concerned. This is because you must have a valid security ticket. NT ACEs are written as follows: The actual difference consists of the extra field containing the access type.

However this functionality is as of today not yet implemented. NT comes with some standard, predefined permissions. The standards are only a predefined combination of the different bits described above and are provided with cfengine as well. You can use the standards by setting the permission to read, change or all.

The bit implementation of each standard is as on NT: NT defines several different access types, of which only two are used in connection with the ACL type that is implemented in cfengine for NT.

The access type can be one of the following: If no access type is specified, the default is allowed. This enables cfengine’s behaviour as on UNIX systems without any changes to the configuration file. If the permission noaccess or default is used, the access type will be irrelevant.

This declaration informs hosts of which other hosts on the network possess filesystems containing software binary files which client hosts should mount. A host may have several binary servers, since there may be several machines to which disks are physically attached.

The meaning of this declaration is the following. All hosts of type sun4 which are members of the group physics should mount any binaries declared in the mountables resource list which belong to hosts sunserver or sunserver2.

Similarly all linux machines should mount binary filesystems in the mountables list from linuxserver. Cfengine knows the difference between binaries and home directories in the mountables list, because home directories match the pattern given by homepattern. Note that every host is a binary server for itself, so that the first binary server and that with highest priority is always the current host.

This ensures that local filesystems are always used in preference to NFS mounted filesystems. Every local area network has a convention for determining which internet address is used for broadcasts. Normally this is an address of the form aaa. The difference between these two forms is whether all of the bits in the last number are ones or zeroes respectively. You must find out which convention is used at your establishment and tell cfengine using a declaration of the form:

In most cases you can use the generic class any, since all of the hosts on the same subnet have to use the same convention. If your configuration file encompasses several different subnets with different conventions then you will need to use a more specific. Cfengine computes the actual value of the broadcast address using the value specified above and the netmask See section 1.

If you omit this part of a cfengine script, it will not do anything!


The control section is used to define certain variables, set default values and define the order in which the various actions you have defined will be carried out. Because cfengine is a declarative or descriptive language, the order in which actions appear in the file does not necessarily reflect the order in which they are executed. The syntax of declarations here is: The control section is a sequence of declarations which looks something like the following example:

Parentheses are required when declaring information in cfengine. If the list does not exist then all users are allowed to run a program. The list may consist of either numerical user identifiers or valid usernames from the password database. Here is an example containing the full list of possibilities: This includes editing the filesystem table, creating the mount-directory, if required.

This command relies on information provided by mountinfo, so it should normally only be called after mountinfo. If the filesystem already appears to be in the filesystem table, a warning is issued. It builds new directories.

The name of the mail spool directory is defined in the mailserver section of the cfengine program. If the current host is the same as the mailserver the host which has the physical spool directory disk nothing is done.

Otherwise the filesystem table is edited so as to include the mail directory. Classes may be switched on as a result of actions cfengine takes to correct a problem.

To increase the flexibility of cfengine, a mechanism has been introduced in version 1. Classes returned by the module must be declared so that cfengine knows to pay attention to rules which use these classes when parsing. Note that it might actually be preferable to define classes returned by modules under AddInstallables, which is equivalent. If arguments are passed to the module, the whole string must be quoted like a shellcommand. Whether or not these classes become set depends on the behaviour of your module.

The classes continue to apply for all actions which occur after the module’s execution. This causes new NFS filesystems added by addmounts and mailcheck to be actually mounted.

This should probably be called both before mountinfo and after addmounts etc. Cfengine assumes that required-filesystems which are not found need to be mounted.

If this times out, no further mount operations are considered reliable and are summarily cancelled. The correct values for the netmask and broadcast address are set if there is an error.

The defaultroute is also added to the static routing table. This does not apply to DHCP clients. It checks for the absence of important NFS resources. The filesystem table is edited so as to remove the unwanted filesystems and the unmount operation is executed.

Under normal circumstances this coarse ordering is enough to suit most purposes. In some cases you might want to, say, only perform half the link operations before mounting filesystems and then, say, perform the remainder.

You can do this and similar things by using the idea of defining and undefining classes. Later it executes links with secondpass defined.