Decisions

This page describes the Decisions plugin. The client has support for a centralized set of per-entry installation decisions. This approach is needed when particular changes are deemed “high risk”; this gives the ability to centrally specify these changes, but only install them on clients when administrator supervision is available. Because collaborative configuration is one of the remaining hard issues in configuration management, these issues typically crop up in environments with several administrators and much configuration variety.

In these cases, the client can be configured to run in either a whitelist or blacklist mode, wherein a list of entries is downloaded from the server. The client uses this list to determine which incorrect entries should be corrected during the current run of the installation tool. The Decisions plugin is the only stock plugin that generates entries for clients' whitelists or blacklists.

Note

If the client is not explicitly configured to run in whitelist or blacklist mode, the list of entries is not downloaded and the Decisions plugin is not used. See Decision Mode below.

The Decisions plugin uses a directory in the Bcfg2 repository called Decisions, which may contain two files: whitelist.xml and blacklist.xml. These files have a simple format:

complexType DecisionsType

Attributes:

  lax_decryption
    Description: Override the global lax_decryption setting in bcfg2.conf.
    Values: true | false
    Required: No
    Default: None

Attribute groups:
Child elements:
Element groups:
  • py:genshiElements
  • DecisionsType

complexType DecisionType

Attributes:

  name
    Values: string
    Required: Yes
    Default: None

  type
    Values: string
    Required: Yes
    Default: None

Attribute groups:

complexType DecisionsGroupType

A DecisionsGroupType is a tag used to provide logic. Child entries of a DecisionsGroupType tag only apply to machines that match the condition specified – either membership in a group, or a matching client name. negate can be set to negate the sense of the match.

Attributes:

  name
    Description: The name of the client or group to match on. Child entries will only apply to this client or group (unless negate is set).
    Values: string
    Required: No
    Default: None

  negate
    Description: Negate the sense of the match, so that child entries only apply to a client if it is not a member of the given group or does not have the given name.
    Values: true | false
    Required: No
    Default: None

Attribute groups:
Child elements:
Element groups:
  • py:genshiElements

For example:

    $ cat Decisions/whitelist.xml
    <Decisions>
      <Decision type='Service' name='*'/>
      <Group name="debian">
        <Decision type='Path' name='/etc/apt/apt.conf'/>
      </Group>
    </Decisions>
    

    This example, which is treated as a whitelist because of its file name, enables all services and the path entry named /etc/apt/apt.conf. All of these entries must already be present in your repository; the Decisions plugin only references them. In whitelist mode, only the given items are applied to the client; installation of all other entries is suppressed.

    In blacklist mode, every entry that is not blacklisted will be installed.

    When a client asks for its whitelist or blacklist, all of the files pertaining to that client of the correct type are aggregated into a single list. This list is sent to the client.

    Note

    Using this plugin does not present additional prompts or safety nets to the administrator running the client; you have to control these via their respective options (-I or -n, for example).

    Decision Mode

    The whitelist or blacklist is only generated when a client is run in whitelist or blacklist mode. This can be set either at the command line with the appropriate option (-l (whitelist|blacklist)), or in bcfg2.conf by setting decision in the client section to whitelist or blacklist.

    Client behavior is not controlled unless the decision mode is set. If you do not use Decisions, all your entries will be installed normally.
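
The semantics described above (conditional Group tags with negate, then whitelist, blacklist or no decision mode) can be modelled as follows. This is an added example, not Bcfg2's own code: the function names are hypothetical, the Client tag name and shell-style glob matching of name are assumptions (the page shows only Group and '*'), and the sample XML is the page's whitelist extended with a constructed negated Group.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample: the page's whitelist.xml plus one negated Group.
WHITELIST_XML = """
<Decisions>
  <Decision type='Service' name='*'/>
  <Group name="debian">
    <Decision type='Path' name='/etc/apt/apt.conf'/>
  </Group>
  <Group name="production" negate="true">
    <Decision type='Package' name='nginx'/>
  </Group>
</Decisions>
"""

def applicable_decisions(xml_text, hostname, groups):
    """Return the (type, name) decisions that apply to one client."""
    def walk(node):
        for child in node:
            if child.tag == "Decision":
                yield (child.get("type"), child.get("name"))
            elif child.tag in ("Group", "Client"):  # "Client" tag name is an assumption
                if child.tag == "Group":
                    hit = child.get("name") in groups
                else:
                    hit = child.get("name") == hostname
                if child.get("negate", "false").lower() == "true":
                    hit = not hit  # negate inverts the sense of the match
                if hit:
                    yield from walk(child)
    return list(walk(ET.fromstring(xml_text)))

def listed(entry, decisions):
    """True if an incorrect entry (type, name) matches any decision."""
    etype, ename = entry
    # Assumption: names match as shell-style globs; the page only shows '*'.
    return any(etype == dtype and fnmatch.fnmatchcase(ename, dname)
               for dtype, dname in decisions)

def entries_to_install(incorrect, decisions, mode=None):
    """Filter incorrect entries by decision mode: whitelist, blacklist or None."""
    if mode == "whitelist":
        return [e for e in incorrect if listed(e, decisions)]
    if mode == "blacklist":
        return [e for e in incorrect if not listed(e, decisions)]
    return list(incorrect)  # no decision mode: everything is installed normally
```

Note the asymmetry when reviewing a Decisions file: an entry missing from a whitelist is not installed, while an entry missing from a blacklist is installed.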
