Rules

The Rules plugin resolves the following Abstract Configuration Entities:

• Service
• Package
• Path
• Action
• All SELinux entries
• POSIXUser
• POSIXGroup

to literal configuration entries suitable for the client drivers to consume.

For an entity specification to be included in the Literal configuration the name attribute from an abstract entity tag (from Bundler) must match the name attribute of an entity tag in Rules, along with the appropriate group associations of course.

Each file in the Rules directory has a priority. This allows the same Entities to be served by multiple files. The priorities can be used to break ties in the case that multiple files serve data for the same entity.

Tag Attributes in Rules

Running bcfg2-lint will check your configuration specification for the presence of any mandatory attributes that are necessary for the entry specified.

Rules Tag

element Rules

The top-level tag for concrete descriptions of entries in Rules.

Attributes:

Name	Description	Values	Required	Default
priority	Sets the priority for rules in this file for Rules. The higher value wins.	integer	Yes	None
lax_decryption	Override the global lax_decryption setting in bcfg2.conf.	true | false	No	None

Attribute groups:

• py:genshiAttrs

Element groups:

rulesElements

Package Tag

complexType PackageType

Concrete specification of a package to be installed. A package can be specified in one of two ways:

• A single Package tag that lists all of the attributes for the single instance of the package that should be installed.
• A Package tag with any number of Instance children, each of which lists the attributes of an instance of the package that should be installed. In this case, the Package tag should only have name and type.

Note that many of the attributes listed below are specific to one or a few package drivers.

Attributes:

Name	Description	Values	Required	Default
name	Package name.	string	Yes	None
type	The package type, which determines which client driver will handle installation of this package.	apk | ips | macport | opencsw | pacman | deb | rpm | blast | encap | sysv | ebuild | yum | freebsdpkg	Yes	None
arch	The architecture of the package to be installed.	string	No	None
bname	The name of the package for installing (as opposed to the name when verifying) with the Blast and OpenCSW drivers.	string	No	None
file	Package file name. Several other attributes (name, version) can be automatically defined based on regular expressions defined in the Pkgmgr plugin, which is the only plugin with which this is useful.	string	No	None
multiarch	Comma-separated list of architectures of this package that should be installed. This is only used by the Pkgmgr plugin.	string	No	None
pkg_checks	Whether or not to perform basic package checks (version, release, etc.) on this package with the YUM, YUM24, or RPM driver.	true | false	No	None
pkg_verify	Whether or not to perform full package verification (file integrity, etc.) on this package with the YUM, YUM24, or RPM driver.	true | false	No	true
release	The release of the package to be installed.	string	No	None
simplefile	Package file name. No name parsing is performed, so no extra fields get set. This is only used for some edge cases with Pkgmgr.	string	No	None
srcs	Filename creation rules for multiarch packages. This is only used by the Pkgmgr plugin.	string	No	None
verify	Whether or not to perform package verification. This is not supported by the YUM driver.	true | false	No	false
verify_flags	Flags to pass to the package verification routines of the YUM, YUM24, or RPM driver.	string	No	None
version	The version of the package to be installed. This should only be the version, i.e., not the release. Release should be specified in release, and it is an error to append the release to this. This can also be one of two “special” values: auto will select the newest version of the package available. any will select any version of the package, and can be used to ensure that a package is installed without requiring any particular version.	string	No	None

Attribute groups:

• py:genshiAttrs

Child elements:

• element Instance

  An Instance element describes a single instance of a package that may have several different versions, arches, etc., installed at once.

  Attributes:

  Name	Description	Values	Required	Default
  arch	The architecture of the package to be installed.	string	No	None
  epoch	The epoch of the package to be installed.	integer	No	None
  fix_version	Whether or not to upgrade or downgrade packages that are installed, but have the wrong version. This is only honored by the RPM driver.	true | false	No	true
  install_missing	Whether or not to install missing packages. This is only honored by the the RPM driver.	true | false	No	true
  pkg_verify	Whether or not to perform full package verification (file integrity, etc.) on this package with the YUM, YUM24, or RPM driver.	true | false	No	None
  reinstall_broken	Whether or not to reinstall packages that fail verification. This is only honored by the RPM driver.	true | false	No	true
  release	The release of the package to be installed.	string	No	None
  simplefile	Package file name. No name parsing is performed, so no extra fields get set. This is only used for manual maintenance of gpg-pubkey packages with the YUM, YUM24, or RPM driver.	string	No	None
  verify_flags	Comma-separated list of flags to pass to the package verification routines of the YUM, YUM24, or RPM driver. See man rpm for details on the flags.	string	No	None
  version	The version of the package to be installed. See version for details.	string	No	None

  Attribute groups:

  • py:genshiAttrs

Element groups:

py:genshiElements

group py:genshiElements

Most Genshi templating directives can be used either as standalone elements or as attributes on existing elements. This element group defines the standalone tags.

Elements:

element py:with

Attributes:

Name	Description	Values	Required	Default
py:vars	A semicolon-delimited list of variables to define and their values.	string	Yes	None

Any arbitrary child elements allowed

Text content:

Any

element py:replace

Attributes:

Name	Description	Values	Required	Default
py:value	The value to replace the contents with.	string	Yes	None

Any arbitrary child elements allowed

Text content:

Any

element py:choose

Attributes:

Name	Description	Values	Required	Default
py:test	If test is set, the child py:when directives are tested for equality to the value of the expression.	string	No	None

Child elements:

• element py:when

  The when directive is used inside py:chooseType or choose to handle a single specific condition.

  Attributes:

  Name	Description	Values	Required	Default
  py:test	The statement giving the value to test	string	Yes	None

  Any arbitrary child elements allowed

  Text content:

  Any

• element py:otherwise

  Any arbitrary child elements allowed

  Text content:

  Any

Text content:

Any

element py:for

Attributes:

Name	Description	Values	Required	Default
py:each	The loop iterator	string	Yes	None

Any arbitrary child elements allowed

Text content:

Any

element py:if

Attributes:

Name	Description	Values	Required	Default
py:test	The statement giving the value to test	string	Yes	None

Any arbitrary child elements allowed

Text content:

Any

element py:match

Attributes:

Name	Description	Values	Required	Default
py:path	XPath expression to search for in the template.	string	Yes	None
py:buffer	Whether the matched content should be buffered in memory. Buffering can improve performance a bit at the cost of needing more memory during rendering. Buffering is required for match templates that contain more than one invocation of the select() function. If there is only one call, and the matched content can potentially be very long, consider disabling buffering to avoid excessive memory use.	true | false	No	true
py:once	Whether the engine should stop looking for more matching elements after the first match. Use this on match templates that match elements that can only occur once in the stream, such as the <head> or <body> elements in an HTML template, or elements with a specific ID.	true | false	No	false
py:recursive	Whether the match template should be applied to its own output. Note that once implies non-recursive behavior, so this attribute only needs to be set for match templates that don’t also have once set.	true | false	No	true

Any arbitrary child elements allowed

Text content:

Any

element py:def

Attributes:

Name	Description	Values	Required	Default
py:function	The function prototype	string	Yes	None

Any arbitrary child elements allowed

Text content:

Any

Action Tag

complexType ActionType

Action entries are external shell commands that are executed either before bundle installation, after bundle installation or both.

Attributes:

Name	Description	Values	Required	Default
command	The command to run.	string	Yes	None
name	The freeform name of the action.	string	Yes	None
build	Also execute the action in build mode.	true | false	No	true
shell	Whether the command string should be executeed within a shell. If enabled flow control and other shell-specific things can be used.	true | false	No	None
status	Whether or not to check the return code of the action. If this is “check”, then a non-zero return code will result in the entry being flagged as bad.	ignore | check	No	None
timing	When the action is run. Actions with “pre” timing are run after important entries have been installed and before bundle entries are installed. Actions with “post” timing are run after bundle entries are installed.	both | pre | post	No	None
when	If the action is always run, or is only run when a bundle has been modified.	modified | always	No	None

Attribute groups:

• py:genshiAttrs

See also Actions.

Service Tag

complexType ServiceType

Concrete description of a service entry. Note that, due to the great proliferation of init systems, many of the attributes listed only apply to one or a few client tools.

Attributes:

Name	Description	Values	Required	Default
name	The name of the service.	string	Yes	None
FMRI	The resource identifier for SMF services.	string	No	None
bootstatus	Whether the service should start at boot. The default value corresponds to the value of the status attribute.	on | off	No	off
install	Whether or not to install the service initially. (New in 1.3; replaces “mode” attribute.)	true | false	No	true
parameters	Parameters to pass to the service. Only meaningful for Upstart services.	string	No	None
restart	Whether or not to restart the service when the bundle is modified. (New in 1.3; replaces “mode” attribute.)	true | false | interactive	No	true
sequence	Order for service startup. Only meaningful for DebInit services.	string	No	None
status	Whether the service should be on or off when the bcfg2 client is run. This attribute may have different behavior depending on the characteristics of the client tool. If set to “ignore”, then the status of the service will not be checked.	on | off | ignore	No	off
target	Command to pass to the service management system when restarting a service.	string	No	restart
type	Driver to use on the client to manage this service.	chkconfig | deb | rc-update | smf | upstart | systemd | launchd | freebsd	No	None

Attribute groups:

• py:genshiAttrs

Service mode specification

New in version 1.3.0.

In the 1.3.0 release, the “mode” attribute has been replaced by a pair of attributes, restart and install, which control how a service is handled more granularly than the old “mode” attribute. The old “mode” attribute values are equivalent as follows:

Mode attribute	Equivalent
mode="default"	restart="true" install="true"
mode="interactive_only"	restart="interactive" install="true"
mode="supervised"	restart="true" install="true"
mode="manual"	restart="false" install="false"

The default is restart="true" install="true"

Previously, “supervised” could be used to start a service during the verification phase; this is no longer supported. Services that have been stopped on a client will be started during the install phase.

Path Tag

The Path tag has different values depending on the type attribute of the path specified in your configuration. Below is a set of tables which describe the attributes available for various Path types.

Note that secontext below expects a full context, not just the type. For instance, “system_u:object_r:etc_t:s0”, not just etc_t. You can also specify “__default__”, which will restore the context of the file to the default set by policy. If a file has no default context rule, and you don’t wish to set one, you can specify secontext='' (i.e., an empty secontext), in which case the client will not try to manage the SELinux context of the file at all.

See SELinux for more information.

Attributes common to all Path tags:

Attributes:

Name	Description	Values	Required	Default
name	Full path.	string	Yes	None
type	Type of path to manage.	augeas | device | directory | file | hardlink | ignore | nonexistent | permissions | symlink | vcs	No	None

augeas

Run Augeas commands. See Augeas for more details.

Attributes:

Name	Description	Values	Required	Default
group	Group name or GID number	string	Yes	None
mode	Permissions mode in octal format.	nonNegativeInteger	Yes	None
owner	Owner username or UID number	string	Yes	None
lens	The Augeas lens to use when editing files in a non-standard (according to Augeas) location.	token	No	None
secontext	SELinux context for the path. This should be a full context, not just the type. E.g., system_u:object_r:etc_t:s0, not just etc_t. You can also specify __default__, which will restore the context of the file to the default set by policy. See SELinux for more information.	string	No	__default__

device

Manage devices.

Attributes:

Name	Description	Values	Required	Default
dev_type	Type of device.	block | char | fifo	Yes	None
group	Group name or GID number	string	Yes	None
mode	Permissions mode in octal format.	nonNegativeInteger	Yes	None
owner	Owner username or UID number	string	Yes	None
major	Major device number (block and char devices only).	nonNegativeInteger	No	None
minor	Minor device number (block and char devices only).	nonNegativeInteger	No	None
secontext	SELinux context for the path. This should be a full context, not just the type. E.g., system_u:object_r:etc_t:s0, not just etc_t. You can also specify __default__, which will restore the context of the file to the default set by policy. See SELinux for more information.	string	No	__default__

directory

Entry represents a directory. prune can be set to remove all contents from the directory that are not explicitly specified in Bcfg2.

Attributes:

Name	Description	Values	Required	Default
group	Group name or GID number	string	Yes	None
mode	Permissions mode in octal format.	nonNegativeInteger	Yes	None
owner	Owner username or UID number	string	Yes	None
prune	Remove entries that are not in the Bcfg2 specification from the directory.	true | false	No	None
secontext	SELinux context for the path. This should be a full context, not just the type. E.g., system_u:object_r:etc_t:s0, not just etc_t. You can also specify __default__, which will restore the context of the file to the default set by policy. See SELinux for more information.	string	No	__default__

file

Distribute an file with content explicitly specified in-line (i.e., as opposed to using Cfg for this file). If the file has no content, empty must be set to true.

Attributes:

Name	Description	Values	Required	Default
group	Group name or GID number	string	Yes	None
mode	Permissions mode in octal format.	nonNegativeInteger	Yes	None
owner	Owner username or UID number	string	Yes	None
empty	The file entry has no content. This must be set as a safeguard against accidentally empty content.	true | false	No	None
secontext	SELinux context for the path. This should be a full context, not just the type. E.g., system_u:object_r:etc_t:s0, not just etc_t. You can also specify __default__, which will restore the context of the file to the default set by policy. See SELinux for more information.	string	No	__default__

Text content:

Any

hardlink

Manage a hard link.

Attributes:

Name	Description	Values	Required	Default
group	Group name or GID number	string	Yes	None
mode	Permissions mode in octal format.	nonNegativeInteger	Yes	None
owner	Owner username or UID number	string	Yes	None
to	File to link to	string	Yes	None
secontext	SELinux context for the path. This should be a full context, not just the type. E.g., system_u:object_r:etc_t:s0, not just etc_t. You can also specify __default__, which will restore the context of the file to the default set by policy. See SELinux for more information.	string	No	__default__

ignore

ignore lets you flag files that are distributed by system software packages, but have been modified locally, to be ignored by package verification routines. This is useful for, e.g., a package that installs an initial version of a file and then modifies it automatically.

Attributes:

Name	Description	Values	Required	Default
name	Full path.	string	Yes	None

nonexistent

Remove the specified file or directory. If recursive is set, remove the directory recursively (i.e., rm -rf).

Attributes:

Name	Description	Values	Required	Default
recursive	Recursively remove files or set permissions, as appropriate.	true | false	No	None

permissions

Merely set permissions on the specified path, which is presumed to already exist.

Attributes:

Name	Description	Values	Required	Default
group	Group name or GID number	string	Yes	None
mode	Permissions mode in octal format.	nonNegativeInteger	Yes	None
owner	Owner username or UID number	string	Yes	None
recursive	Recursively remove files or set permissions, as appropriate.	true | false	No	None
secontext	SELinux context for the path. This should be a full context, not just the type. E.g., system_u:object_r:etc_t:s0, not just etc_t. You can also specify __default__, which will restore the context of the file to the default set by policy. See SELinux for more information.	string	No	__default__

symlink

Manage symlinks.

Attributes:

Name	Description	Values	Required	Default
to	File to link to	string	Yes	None

vcs

Check out the specified VCS repository to the given path. See VCS Client Tool for more details.

Attributes:

Name	Description	Values	Required	Default
revision	The revision to checkout.	string	Yes	None
sourceurl	The VCS URL to checkout.	anyURI	Yes	None
vcstype	The VCS backend to checkout contents from.	svn | git	Yes	None

ACLs

New in version 1.3.0.

ACLs on a Path entry are specified not by attributes on the tag but by child <ACL> tags. For instance:

<Path name="/etc/foo" type="directory" owner="root" group="root"
      mode="0775">
  <ACL type="default" scope="user" user="foouser" perms="rw"/>
  <ACL type="default" scope="group" group="users" perms="rx"/>
  <ACL type="default" scope="other" perms="r"/>
</Path>

element ACL

Attributes:

Name	Description	Values	Required	Default
perms	Permissions for the ACL. This can either be a single octal digit (e.g., 6 would indicate read and write, but not execute), or a symbolic mode including ‘r’, ‘w’, and ‘x’. You can include ‘-‘ for operations that are not permitted, but it’s not required. I.e., all of the following are identical: perms="5" perms="rx" perms="r-x"	string	Yes	None
type	ACL type	default | access	Yes	None
group	Group the ACL applies to (with scope = group).	string	No	None
scope	ACL scope. This is omitted for type = default.	user | group | other	No	None
user	User the ACL applies to (with scope = user).	string	No	None

Attribute groups:

• py:genshiAttrs

It is not currently possible to manually set an effective rights mask; the mask will be automatically calculated from the given ACLs when they are applied.

For directories either no default ACL entries or at least an entry for the owner, owning group and other must be defined.

Note that it is possible to set ACLs that demand different permissions on a file than those specified in the perms attribute on the Path tag. For instance:

<Path name="/etc/foo" mode="0644" group="root" owner="root">
  <ACL type="access" scope="user" user="foouser" perms="rwx"/>
</Path>

In this case, we’ve specified permissions of 0644, but the effective rights mask will be “rwx,” so setting the ACL will change the permissions to 0674. When this happens, Bcfg2 will change the permissions and set the ACLs on every run and the entry will be eternally marked as bad.

SELinux Entries

New in version 1.3.0.

Note

In order to use these entries, the client also needs to be at least version 1.3.0 since they require a client tool which is unavailable in previous versions.

Below is a set of tables which describe the attributes available for various SELinux types. The entry types (except for module) correspond to semanage subcommands.

Note that the selinuxtype attribute takes only an SELinux type, not a full context; e.g., “etc_t”, not “system_u:object_r:etc_t:s0”.

As it can be very tedious to create a baseline of all existing SELinux entries, you can use selinux_baseline.py located in the tools/ directory to do that for you.

See SELinux for more information.

SEBoolean Tag

complexType SEBooleanType

Concrete SELinux boolean entry

Attributes:

Name	Description	Values	Required	Default
name	Name of the boolean	string	Yes	None
value	Value of the boolean	on | off	Yes	None

Attribute groups:

• py:genshiAttrs

SEPort Tag

complexType SEPortType

Concrete SELinux port entry

Attributes:

Name	Description	Values	Required	Default
name	Port number or range and protocol	<port>/<proto> or <start>-<end>/<proto>	Yes	None
selinuxtype	SELinux type to apply to this port	token	Yes	None
mlsrange	SELinux MLS range to apply to this port	token	No	None

Attribute groups:

• py:genshiAttrs

SEFcontext Tag

complexType SEFcontextType

Concrete SELinux file context (“fcontext”) entry

Attributes:

Name	Description	Values	Required	Default
name	Regular expression file specification	string	Yes	None
selinuxtype	SELinux type to apply to files matching this specification	token	Yes	None
filetype	File type to match	all | regular | directory | symlink | pipe | socket | block | char	No	all
mlsrange	SELinux MLS range to apply to files matching this specification	token	No	None

Attribute groups:

• py:genshiAttrs

SENode Tag

complexType SENodeType

Concrete SELinux node entry

Attributes:

Name	Description	Values	Required	Default
name	IP address and netmask of node	<addr>/<netmask>. Netmask can be numeric (/16) or dotted-quad (/255.255.0.0).	Yes	None
selinuxtype	SELinux type to apply to this node	token	Yes	None
mlsrange	SELinux MLS range to apply to this node	token	No	None
proto	Protocol	ipv4 | ipv6	No	None

Attribute groups:

• py:genshiAttrs

SELogin Tag

complexType SELoginType

Concrete SELinux login entry

Attributes:

Name	Description	Values	Required	Default
name	Unix username	token	Yes	None
selinuxuser	SELinux username	token	Yes	None
mlsrange	SELinux MLS range to apply to this user	token	No	None

Attribute groups:

• py:genshiAttrs

SEUser Tag

complexType SEUserType

Concrete SELinux user entry

Attributes:

Name	Description	Values	Required	Default
name	SELinux username	token	Yes	None
prefix	Home directory context prefix	token	Yes	None
roles	Space-separated list of rules	string	Yes	None
mlsrange	SELinux MLS range to apply to this user	token	No	None

Attribute groups:

• py:genshiAttrs

SEInterface Tag

complexType SEInterfaceType

Concrete SELinux interface entry

Attributes:

Name	Description	Values	Required	Default
name	Interface name	token	Yes	None
selinuxtype	SELinux type to apply to this interface	token	Yes	None
mlsrange	SELinux MLS range to apply to this interface	token	No	None

Attribute groups:

• py:genshiAttrs

SEPermissive Tag

complexType SEPermissiveType

Concrete SELinux permissive domain entry

Attributes:

Name	Description	Values	Required	Default
name	SELinux type to make permissive	token	Yes	None

Attribute groups:

• py:genshiAttrs

SEModule Tag

complexType SEModuleType

Concrete SELinux module entry

Attributes:

Name	Description	Values	Required	Default
name	SELinux module name or filename	string	Yes	None
disabled	Disable this module	true | false	No	None

Attribute groups:

• py:genshiAttrs

Text content:

Any

See also SEModules.

POSIXUser Tag

New in version 1.3.0.

Note

In order to use this, the client also needs to be at least version 1.3.0 since they require a client tool which is unavailable in previous versions.

complexType POSIXUserType

The POSIXUser tag allows you to create users on client machines.

Attributes:

Name	Description	Values	Required	Default
name	Username	token	Yes	None
gecos	This field is typically used to record general information about the account or its user(s) such as their real name and phone number. If this is not set, the GECOS will be the same as the username.	string	No	None
group	Name of the user’s primary group. If this is not set, the user’s primary group will be the same as the username.	token	No	None
home	User’s home directory. Default is /root for the root user, /home/<username> otherwise.	string	No	None
shell	User’s shell	string	No	/bin/bash
uid	User ID number. If this is not specified, each client is allowed to set the UID.	integer	No	None

Attribute groups:

• py:genshiAttrs

Child elements:

• element MemberOf

  Attributes:

  Name	Description	Values	Required	Default
  group	The name of the supplementary group. This can also be specified as content of the tag, although that is deprecated.	token	No	None

  Text content:

  token

• element Group

  Attributes:

  Name	Description	Values	Required	Default
  name		string	Yes	None
  negate		true | false	No	None

  Child elements:

  • MemberOf

  • element Client

    Attributes:

    Name	Description	Values	Required	Default
    name		string	Yes	None
    negate		true | false	No	None

    Child elements:

    • MemberOf
    • Client
    • Group

  • Group

• Client

For example:

<POSIXUser name="daemon" home="/sbin" shell="/sbin/nologin"
           gecos="daemon" uid="2" group="daemon">
  <MemberOf group="lp"/>
  <MemberOf group="adm"/>
  <MemberOf group="bin/>
</POSIXUser>

The group specified will automatically be created if it does not exist, even if there is no POSIXGroup tag for it. If you need to specify a particular GID for the group, you must specify that in a POSIXGroup tag.

If you with to change the default shell, you can do so with the Defaults plugin.

See POSIXUsers for more information on managing users and groups.

POSIXGroup Tag

New in version 1.3.0.

Note

In order to use this, the client also needs to be at least version 1.3.0 since they require a client tool which is unavailable in previous versions.

complexType POSIXGroupType

The POSIXGroup tag allows you to create groups on client machines.

Attributes:

Name	Description	Values	Required	Default
name	Username	token	Yes	None
gid	Group ID number. If this is not specified, each client is allowed to set the GID.	integer	No	None

Attribute groups:

• py:genshiAttrs

See POSIXUsers for more information on managing users and groups.

Rules Directory

The Rules/ directory keeps the XML files that define what rules are available for a host. All the files in the directory are processed.

The names of the XML files have no special meaning to Bcfg2; they are simply named so it’s easy for the administrator to know what the contents hold. All Rules could be kept in a single file if so desired. Bcfg2 simply uses the Groups in the files and priorities to determine how to assign Rules to a host’s literal configuration.

<Rules priority="0">
    <Path type='directory' group="root" name="/autonfs" owner="root" mode="0755"/>
    <Path type='directory' group="utmp" name="/var/run/screen" owner="root" mode="0775"/>
    <Path type='directory' group="root" name="/autonfs/stage" owner="root" mode="0755"/>
    <Path type='directory' group="root" name="/exports" owner="root" mode="0755"/>
    <Path type='directory' name="/etc/condor" owner="root" group="root" mode="0755"/>
    <Path type='directory' name="/logs" group="wwwtrans" owner="root" mode="0775"/>
    <Path type='directory' name="/mnt" group="root" owner="root" mode="0755"/>
    <Path type='directory' name="/my" owner="root" group="root" mode="0755"/>
    <Path type='directory' name="/my/bin" owner="root" group="root" mode="0755"/>
    <Path type='directory' name="/nfs" owner="root" group="root" mode="0755"/>
    <Path type='directory' name="/sandbox" mode="0777" owner="root" group="root"/>
    <Path type='directory' name="/software" group="root" owner="root" mode="0755"/>
    <Path type='permissions' mode="0555" group="audio" owner="root" name="/dev/dsp"/>
    <Path type='permissions' mode="0555" group="audio" owner="root" name="/dev/mixer"/>
    <Path type='symlink' name="/bin/whatami" to="/mcs/adm/bin/whatami"/>
    <Path type='symlink' name="/chibahomes" to="/nfs/chiba-homefarm"/>
    <Path type='symlink' name="/home" to="/nfs/mcs-homefarm"/>
    <Path type='symlink' name="/homes" to="/home"/>
    <Path type='symlink' name="/mcs" to="/nfs/mcs"/>
    <Path type='symlink' name="/my/bin/bash" to="/bin/bash"/>
    <Path type='symlink' name="/my/bin/tcsh" to="/bin/tcsh"/>
    <Path type='symlink' name="/my/bin/zsh" to="/bin/zsh"/>
    <Path type='symlink' name="/software/common" to="/nfs/software-common"/>
    <Path type='symlink' name="/software/linux" to="/nfs/software-linux"/>
    <Path type='symlink' name="/software/linux-debian_sarge" to="/nfs/linux-debian_sarge"/>
    <Path type='symlink' name="/usr/bin/passwd" to="/usr/bin/yppasswd"/>
    <Path type='symlink' name="/usr/bin/yppasswd" to="/mcs/bin/passwd"/>
    <Path type='symlink' name="/usr/lib/libgd.so.1.8" to="/usr/lib/libgd.so.1.8.4"/>
    <Path type='symlink' name="/usr/lib/libtermcap.so.2" to="/usr/lib/libtermcap.so"/>
    <Path type='symlink' name="/usr/local/bin/perl" to="/usr/bin/perl"/>
    <Path type='symlink' name="/usr/local/bin/perl5" to="/usr/bin/perl"/>
    <Path type='symlink' name="/usr/local/bin/tcsh" to="/bin/tcsh"/>
    <Service name='ntpd' status='on' type='chkconfig'/>
    <Service name='haldaemon' status='on' type='chkconfig'/>
    <Service name='messagebus' status='on' type='chkconfig'/>
    <Service name='netfs' status='on' type='chkconfig'/>
    <Service name='network' status='on' type='chkconfig'/>
    <Service name='rawdevices' status='on' type='chkconfig'/>
    <Service name='sshd' status='on' type='chkconfig'/>
    <Service name='syslog' status='on' type='chkconfig'/>
    <Service name='vmware-tools' status='on' type='chkconfig'/>
</Rules>

Using Regular Expressions in Rules

If you wish, you can configure the Rules plugin to support regular expressions. This entails a small performance and memory usage penalty. To do so, add the following setting to bcfg2.conf:

[rules]
regex = yes

With regular expressions enabled, you can use a regex in the name attribute to match multiple abstract configuration entries.

Regular expressions are anchored at both ends, so <Service name="bcfg2".../> will not match a Service named bcfg2-server; you’d have to explicitly specify <Service name="bcfg2.*".../>.

Note that only one Rule can apply to any abstract entry, so you cannot specify multiple regexes to match the same rule.

Replacing the name of the Entry in Attributes

If you are using regular expressions to match the abstract configuration entries, you may need the concrete name of the entry in some attributes. To use this feature, you have to enable it. It is only useful, if used together with regex matching.

[rules]
regex = yes
replace_name = yes

You now can write something like that in your xml file:

<POSIXUser name='.*' home='/somewhere/%{name}'/>

%{name} will be correctly replaced with the username for each POSIXUser.