1

I am working on CFEngine, but I am a newbie to this concept. For my requirement I am using a single server and 10 clients. Now all ten clients pull the policy from the server and execute the policies.

But my requirement is that the policy is applicable to only one client of the 10. How can only that particular client pull the policies and execute them?

Please provide me a suggestion, I am very confused by that.

Thanks

Ashok

2 Answers

3

The answer of maciejmrowiec is good, but incomplete; there is no obligation in CFEngine to have the same promises on ALL your nodes, but that's the default behaviour.

There are two ways to achieve what you want to do:

  1. Have the same promises everywhere (the default implementation) and, using classes, control which host does what (and for this I refer you to the answer of maciejmrowiec, which is quite comprehensive on the topic).
  2. Have different promises on different systems. There are reasons why you would not want all systems to have the same promises: secrets you don't want to share, test/preprod/prod environments (messing with the test promises should not break production). So you can have different sets of promises, store them in different folders on the policy server (like /var/cfengine/masterfiles/folder1 and /var/cfengine/masterfiles/folder2), and configure the cf-server to share these folders only with the right hosts:

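    bundle server access_rules() {
      access:
        # Only these hosts may fetch folder1 (path matches the update.cf copy source)
        "/var/cfengine/masterfiles/folder1"
            admit => { "host1", "host2", "host3" };

        # Only host55 may fetch folder2
        "/var/cfengine/masterfiles/folder2"
            admit => { "host55" };
    }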
    

And have the update.cf file copy the promises from the proper location:

    files:
      # host55 pulls its own policy set from folder2
      host55::
        "$(sys.workdir)"
          copy_from => u_rcp("/var/cfengine/masterfiles/folder2", "$(sys.policy_hub)");

      # every other host pulls the shared set from folder1
      !host55::
        "$(sys.workdir)"
          copy_from => u_rcp("/var/cfengine/masterfiles/folder1", "$(sys.policy_hub)");

Nicolas Charles
1

If I understand correctly, you want to control which policy goes to a particular node to get executed?

CFEngine works in such a way that ALL policies are distributed to ALL clients and executed. To control what is executed on which machine, there is a mechanism in the CFEngine policy language called context classes.

Context classes are just system attributes that can have 2 states: they exist or they do not. For example, if your machine is a Debian system, then to execute a policy on all your Debian systems you would use this class to scope where it should apply. There are hard classes that are auto-discovered by CFEngine, and you can set your own. To point to a specific machine you can use the IP, MAC, or hostname, which are also set as classes.

Why do you need to distribute all policies to all clients? Well, some system attributes are less constant than the operating system or host name. Classes can depend on a running service or CPU load, your hard drive getting full, etc. So you need to have the whole policy to know what to do in a changing environment, as classes are set every time you run your policy.

How to use context classes? Here is an example of a simple policy:

    bundle agent my_test
    {
     files:
      debian::            # hard class
       "/tmp/file1"
        create => "true";

      redhat::            # hard class
       "/tmp/file2"
        create => "true";
    }

This policy will create /tmp/file1 on all Debian systems and /tmp/file2 on all Red Hat systems.

You can use logical expressions like ipv4_192_168_122_116.cpu_high, which says: run on the host with IP 192.168.122.116 AND the CPU load on this machine is high.

To get some more interesting examples, try here: https://github.com/cfengine/design-center/tree/master/examples

And the reference manual is always a good reference point: http://cfengine.com/manuals/cf3-Reference#Decisions

To list the classes that are being set on your current machine, you can use 'cf-promises -v'.

I hope this will help you out.
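
Scoping a promise to one client out of ten with context classes, as described in the answer above. This is an added example and not part of either answer; the hostname `host55` is borrowed from the other answer as a sample, the IP class is the one quoted above, and the bundle name, the class `is_target` and the file path are assumptions.

```cf3
# Added example: stand-alone policy, sample host name and address.
body common control
{
      bundlesequence => { "only_one_host" };
}

bundle agent only_one_host
{
  classes:
      # User-defined class built from two hard classes (hostname AND address).
      # Requiring both means a machine that only reuses the name, or only
      # the address, does not match.
      "is_target" expression => "host55.ipv4_192_168_122_116";

  files:
      # Evaluated only where is_target is set; the other nine clients
      # receive this file but skip the promise.
    is_target::
      "/tmp/only_on_host55"
        create => "true";

  reports:
    is_target::
      "Target host $(sys.fqhost): promise applied";

    !is_target::
      "$(sys.fqhost) is not the target host: nothing to do";
}
```

It can be tried on any client with `cf-agent -KI -f ./only_one_host.cf`. The policy text itself is still copied to every client, so anything that must stay confidential belongs in a per-host share as in the first answer rather than behind a class guard.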