sampledoc

Rules

The Rules plugin resolves the following Abstract Configuration Entities:

  • Service
  • Package
  • Path
  • Action
  • All SELinux entries
  • POSIXUser
  • POSIXGroup

to literal configuration entries suitable for the client drivers to consume.

For an entity specification to be included in the Literal configuration the name attribute from an abstract entity tag (from Bundler) must match the name attribute of an entity tag in Rules, along with the appropriate group associations of course.

Each file in the Rules directory has a priority. This allows the same Entities to be served by multiple files. The priorities can be used to break ties in the case that multiple files serve data for the same entity.

Tag Attributes in Rules

Running bcfg2-lint will check your configuration specification for the presence of any mandatory attributes that are necessary for the entry specified.

Rules Tag

element Rules
The top-level tag for concrete descriptions of entries in Rules.
Attributes:
Name Description Values Required Default
priority
Sets the priority for rules in this file for Rules. The higher value wins.
integer Yes None
lax_decryption
Override the global lax_decryption setting in bcfg2.conf.
true | false No None
Attribute groups:
Element groups:
  • rulesElements
  • Package Tag

    complexType PackageType

    Concrete specification of a package to be installed. A package can be specified in one of two ways:

    • A single Package tag that lists all of the attributes for the single instance of the package that should be installed.
    • A Package tag with any number of Instance children, each of which lists the attributes of an instance of the package that should be installed. In this case, the Package tag should only have name and type.

    Note that many of the attributes listed below are specific to one or a few package drivers.

    Attributes:
    Name Description Values Required Default
    name
    Package name.
    string Yes None
    type
    The package type, which determines which client driver will handle installation of this package.
    apk | ips | macport | opencsw | pacman | deb | rpm | blast | encap | sysv | ebuild | yum | freebsdpkg Yes None
    arch
    The architecture of the package to be installed.
    string No None
    bname
    The name of the package for installing (as opposed to the name when verifying) with the Blast and OpenCSW drivers.
    string No None
    file
    Package file name. Several other attributes (name, version) can be automatically defined based on regular expressions defined in the Pkgmgr plugin, which is the only plugin with which this is useful.
    string No None
    multiarch
    Comma-separated list of architectures of this package that should be installed. This is only used by the Pkgmgr plugin.
    string No None
    pkg_checks
    Whether or not to perform basic package checks (version, release, etc.) on this package with the YUM, YUM24, or RPM driver.
    true | false No None
    pkg_verify
    Whether or not to perform full package verification (file integrity, etc.) on this package with the YUM, YUM24, or RPM driver.
    true | false No true
    release
    The release of the package to be installed.
    string No None
    simplefile
    Package file name. No name parsing is performed, so no extra fields get set. This is only used for some edge cases with Pkgmgr.
    string No None
    srcs
    Filename creation rules for multiarch packages. This is only used by the Pkgmgr plugin.
    string No None
    verify
    Whether or not to perform package verification. This is not supported by the YUM driver.
    true | false No false
    verify_flags
    Flags to pass to the package verification routines of the YUM, YUM24, or RPM driver.
    string No None
    version

    The version of the package to be installed. This should only be the version, i.e., not the release. Release should be specified in release, and it is an error to append the release to this.

    This can also be one of two “special” values:

    • auto will select the newest version of the package available.
    • any will select any version of the package, and can be used to ensure that a package is installed without requiring any particular version.
    string No None
    Attribute groups:
    Child elements:
    • element Instance

      An Instance element describes a single instance of a package that may have several different versions, arches, etc., installed at once.

      Attributes:

      Name

      Description

      Values

      Required

      Default

      arch

      The architecture of the package to be installed.

      string

      No

      None

      epoch

      The epoch of the package to be installed.

      integer

      No

      None

      fix_version

      Whether or not to upgrade or downgrade packages that are installed, but have the wrong version. This is only honored by the RPM driver.

      true | false

      No

      true

      install_missing

      Whether or not to install missing packages. This is only honored by the the RPM driver.

      true | false

      No

      true

      pkg_verify

      Whether or not to perform full package verification (file integrity, etc.) on this package with the YUM, YUM24, or RPM driver.

      true | false

      No

      None

      reinstall_broken

      Whether or not to reinstall packages that fail verification. This is only honored by the RPM driver.

      true | false

      No

      true

      release

      The release of the package to be installed.

      string

      No

      None

      simplefile

      Package file name. No name parsing is performed, so no extra fields get set. This is only used for manual maintenance of gpg-pubkey packages with the YUM, YUM24, or RPM driver.

      string

      No

      None

      verify_flags

      Comma-separated list of flags to pass to the package verification routines of the YUM, YUM24, or RPM driver. See man rpm for details on the flags.

      string

      No

      None

      version

      The version of the package to be installed. See version for details.

      string

      No

      None

      Attribute groups:
    Element groups:
  • py:genshiElements
  • group py:genshiElements
    Most Genshi templating directives can be used either as standalone elements or as attributes on existing elements. This element group defines the standalone tags.
    Elements:

    element py:with

    Attributes:
    Name Description Values Required Default
    py:vars
    A semicolon-delimited list of variables to define and their values.
    string Yes None

    Any arbitrary child elements allowed

    Text content:
    Any

    element py:replace

    Attributes:
    Name Description Values Required Default
    py:value
    The value to replace the contents with.
    string Yes None

    Any arbitrary child elements allowed

    Text content:
    Any

    element py:choose

    Attributes:
    Name Description Values Required Default
    py:test
    If test is set, the child py:when directives are tested for equality to the value of the expression.
    string No None
    Child elements:
    • element py:when

      The when directive is used inside py:chooseType or choose to handle a single specific condition.

      Attributes:

      Name

      Description

      Values

      Required

      Default

      py:test

      The statement giving the value to test

      string

      Yes

      None

      Any arbitrary child elements allowed

      Text content:

      Any

    • element py:otherwise

      Any arbitrary child elements allowed

      Text content:

      Any

    Text content:
    Any

    element py:for

    Attributes:
    Name Description Values Required Default
    py:each
    The loop iterator
    string Yes None

    Any arbitrary child elements allowed

    Text content:
    Any

    element py:if

    Attributes:
    Name Description Values Required Default
    py:test
    The statement giving the value to test
    string Yes None

    Any arbitrary child elements allowed

    Text content:
    Any

    element py:match

    Attributes:
    Name Description Values Required Default
    py:path
    XPath expression to search for in the template.
    string Yes None
    py:buffer
    Whether the matched content should be buffered in memory. Buffering can improve performance a bit at the cost of needing more memory during rendering. Buffering is required for match templates that contain more than one invocation of the select() function. If there is only one call, and the matched content can potentially be very long, consider disabling buffering to avoid excessive memory use.
    true | false No true
    py:once
    Whether the engine should stop looking for more matching elements after the first match. Use this on match templates that match elements that can only occur once in the stream, such as the <head> or <body> elements in an HTML template, or elements with a specific ID.
    true | false No false
    py:recursive
    Whether the match template should be applied to its own output. Note that once implies non-recursive behavior, so this attribute only needs to be set for match templates that don’t also have once set.
    true | false No true

    Any arbitrary child elements allowed

    Text content:
    Any

    element py:def

    Attributes:
    Name Description Values Required Default
    py:function
    The function prototype
    string Yes None

    Any arbitrary child elements allowed

    Text content:
    Any

    Action Tag

    complexType ActionType
    Action entries are external shell commands that are executed either before bundle installation, after bundle installation or both.
    Attributes:
    Name Description Values Required Default
    command
    The command to run.
    string Yes None
    name
    The freeform name of the action.
    string Yes None
    build
    Also execute the action in build mode.
    true | false No true
    shell
    Whether the command string should be executeed within a shell. If enabled flow control and other shell-specific things can be used.
    true | false No None
    status
    Whether or not to check the return code of the action. If this is “check”, then a non-zero return code will result in the entry being flagged as bad.
    ignore | check No None
    timing
    When the action is run. Actions with “pre” timing are run after important entries have been installed and before bundle entries are installed. Actions with “post” timing are run after bundle entries are installed.
    both | pre | post No None
    when
    If the action is always run, or is only run when a bundle has been modified.
    modified | always No None
    Attribute groups:

    See also Actions.

    Service Tag

    complexType ServiceType
    Concrete description of a service entry. Note that, due to the great proliferation of init systems, many of the attributes listed only apply to one or a few client tools.
    Attributes:
    Name Description Values Required Default
    name
    The name of the service.
    string Yes None
    FMRI
    The resource identifier for SMF services.
    string No None
    bootstatus
    Whether the service should start at boot. The default value corresponds to the value of the status attribute.
    on | off No off
    install
    Whether or not to install the service initially. (New in 1.3; replaces “mode” attribute.)
    true | false No true
    parameters
    Parameters to pass to the service. Only meaningful for Upstart services.
    string No None
    restart
    Whether or not to restart the service when the bundle is modified. (New in 1.3; replaces “mode” attribute.)
    true | false | interactive No true
    sequence
    Order for service startup. Only meaningful for DebInit services.
    string No None
    status
    Whether the service should be on or off when the bcfg2 client is run. This attribute may have different behavior depending on the characteristics of the client tool. If set to “ignore”, then the status of the service will not be checked.
    on | off | ignore No off
    target
    Command to pass to the service management system when restarting a service.
    string No restart
    type
    Driver to use on the client to manage this service.
    chkconfig | deb | rc-update | smf | upstart | systemd | launchd | freebsd No None
    Attribute groups:

    Service mode specification

    New in version 1.3.0.

    In the 1.3.0 release, the “mode” attribute has been replaced by a pair of attributes, restart and install, which control how a service is handled more granularly than the old “mode” attribute. The old “mode” attribute values are equivalent as follows:

    Mode attribute Equivalent
    mode="default" restart="true" install="true"
    mode="interactive_only" restart="interactive" install="true"
    mode="supervised" restart="true" install="true"
    mode="manual" restart="false" install="false"

    The default is restart="true" install="true"

    Previously, “supervised” could be used to start a service during the verification phase; this is no longer supported. Services that have been stopped on a client will be started during the install phase.

    Path Tag

    The Path tag has different values depending on the type attribute of the path specified in your configuration. Below is a set of tables which describe the attributes available for various Path types.

    Note that secontext below expects a full context, not just the type. For instance, “system_u:object_r:etc_t:s0”, not just etc_t. You can also specify “__default__”, which will restore the context of the file to the default set by policy. If a file has no default context rule, and you don’t wish to set one, you can specify secontext='' (i.e., an empty secontext), in which case the client will not try to manage the SELinux context of the file at all.

    See SELinux for more information.

    Attributes common to all Path tags:

    Attributes:
    Name Description Values Required Default
    name
    Full path.
    string Yes None
    type
    Type of path to manage.
    augeas | device | directory | file | hardlink | ignore | nonexistent | permissions | symlink | vcs No None

    augeas

    Run Augeas commands. See Augeas for more details.

    Attributes:
    Name Description Values Required Default
    group
    Group name or GID number
    string Yes None
    mode
    Permissions mode in octal format.
    nonNegativeInteger Yes None
    owner
    Owner username or UID number
    string Yes None
    lens
    The Augeas lens to use when editing files in a non-standard (according to Augeas) location.
    token No None
    secontext
    SELinux context for the path. This should be a full context, not just the type. E.g., system_u:object_r:etc_t:s0, not just etc_t. You can also specify __default__, which will restore the context of the file to the default set by policy. See SELinux for more information.
    string No __default__

    device

    Manage devices.

    Attributes:
    Name Description Values Required Default
    dev_type
    Type of device.
    block | char | fifo Yes None
    group
    Group name or GID number
    string Yes None
    mode
    Permissions mode in octal format.
    nonNegativeInteger Yes None
    owner
    Owner username or UID number
    string Yes None
    major
    Major device number (block and char devices only).
    nonNegativeInteger No None
    minor
    Minor device number (block and char devices only).
    nonNegativeInteger No None
    secontext
    SELinux context for the path. This should be a full context, not just the type. E.g., system_u:object_r:etc_t:s0, not just etc_t. You can also specify __default__, which will restore the context of the file to the default set by policy. See SELinux for more information.
    string No __default__

    directory

    Entry represents a directory. prune can be set to remove all contents from the directory that are not explicitly specified in Bcfg2.

    Attributes:
    Name Description Values Required Default
    group
    Group name or GID number
    string Yes None
    mode
    Permissions mode in octal format.
    nonNegativeInteger Yes None
    owner
    Owner username or UID number
    string Yes None
    prune
    Remove entries that are not in the Bcfg2 specification from the directory.
    true | false No None
    secontext
    SELinux context for the path. This should be a full context, not just the type. E.g., system_u:object_r:etc_t:s0, not just etc_t. You can also specify __default__, which will restore the context of the file to the default set by policy. See SELinux for more information.
    string No __default__

    file

    Distribute an file with content explicitly specified in-line (i.e., as opposed to using Cfg for this file). If the file has no content, empty must be set to true.

    Attributes:
    Name Description Values Required Default
    group
    Group name or GID number
    string Yes None
    mode
    Permissions mode in octal format.
    nonNegativeInteger Yes None
    owner
    Owner username or UID number
    string Yes None
    empty
    The file entry has no content. This must be set as a safeguard against accidentally empty content.
    true | false No None
    secontext
    SELinux context for the path. This should be a full context, not just the type. E.g., system_u:object_r:etc_t:s0, not just etc_t. You can also specify __default__, which will restore the context of the file to the default set by policy. See SELinux for more information.
    string No __default__
    Text content:
    Any

    ignore

    ignore lets you flag files that are distributed by system software packages, but have been modified locally, to be ignored by package verification routines. This is useful for, e.g., a package that installs an initial version of a file and then modifies it automatically.

    Attributes:
    Name Description Values Required Default
    name
    Full path.
    string Yes None

    nonexistent

    Remove the specified file or directory. If recursive is set, remove the directory recursively (i.e., rm -rf).

    Attributes:
    Name Description Values Required Default
    recursive
    Recursively remove files or set permissions, as appropriate.
    true | false No None

    permissions

    Merely set permissions on the specified path, which is presumed to already exist.

    Attributes:
    Name Description Values Required Default
    group
    Group name or GID number
    string Yes None
    mode
    Permissions mode in octal format.
    nonNegativeInteger Yes None
    owner
    Owner username or UID number
    string Yes None
    recursive
    Recursively remove files or set permissions, as appropriate.
    true | false No None
    secontext
    SELinux context for the path. This should be a full context, not just the type. E.g., system_u:object_r:etc_t:s0, not just etc_t. You can also specify __default__, which will restore the context of the file to the default set by policy. See SELinux for more information.
    string No __default__

    vcs

    Check out the specified VCS repository to the given path. See VCS Client Tool for more details.

    Attributes:
    Name Description Values Required Default
    revision
    The revision to checkout.
    string Yes None
    sourceurl
    The VCS URL to checkout.
    anyURI Yes None
    vcstype
    The VCS backend to checkout contents from.
    svn | git Yes None

    ACLs

    New in version 1.3.0.

    ACLs on a Path entry are specified not by attributes on the tag but by child <ACL> tags. For instance:

    <Path name="/etc/foo" type="directory" owner="root" group="root"
          mode="0775">
      <ACL type="default" scope="user" user="foouser" perms="rw"/>
      <ACL type="default" scope="group" group="users" perms="rx"/>
      <ACL type="default" scope="other" perms="r"/>
    </Path>
    
    element ACL

    Attributes:
    Name Description Values Required Default
    perms

    Permissions for the ACL. This can either be a single octal digit (e.g., 6 would indicate read and write, but not execute), or a symbolic mode including ‘r’, ‘w’, and ‘x’. You can include ‘-‘ for operations that are not permitted, but it’s not required. I.e., all of the following are identical:

    perms="5"
    perms="rx"
    perms="r-x"
    
    string Yes None
    type
    ACL type
    default | access Yes None
    group
    Group the ACL applies to (with scope = group).
    string No None
    scope
    ACL scope. This is omitted for type = default.
    user | group | other No None
    user
    User the ACL applies to (with scope = user).
    string No None
    Attribute groups:

    It is not currently possible to manually set an effective rights mask; the mask will be automatically calculated from the given ACLs when they are applied.

    For directories either no default ACL entries or at least an entry for the owner, owning group and other must be defined.

    Note that it is possible to set ACLs that demand different permissions on a file than those specified in the perms attribute on the Path tag. For instance:

    <Path name="/etc/foo" mode="0644" group="root" owner="root">
      <ACL type="access" scope="user" user="foouser" perms="rwx"/>
    </Path>
    

    In this case, we’ve specified permissions of 0644, but the effective rights mask will be “rwx,” so setting the ACL will change the permissions to 0674. When this happens, Bcfg2 will change the permissions and set the ACLs on every run and the entry will be eternally marked as bad.

    SELinux Entries

    New in version 1.3.0.

    Note

    In order to use these entries, the client also needs to be at least version 1.3.0 since they require a client tool which is unavailable in previous versions.

    Below is a set of tables which describe the attributes available for various SELinux types. The entry types (except for module) correspond to semanage subcommands.

    Note that the selinuxtype attribute takes only an SELinux type, not a full context; e.g., “etc_t”, not “system_u:object_r:etc_t:s0”.

    As it can be very tedious to create a baseline of all existing SELinux entries, you can use selinux_baseline.py located in the tools/ directory to do that for you.

    See SELinux for more information.

    SEBoolean Tag

    complexType SEBooleanType
    Concrete SELinux boolean entry
    Attributes:
    Name Description Values Required Default
    name
    Name of the boolean
    string Yes None
    value
    Value of the boolean
    on | off Yes None
    Attribute groups:

    SEPort Tag

    complexType SEPortType
    Concrete SELinux port entry
    Attributes:
    Name Description Values Required Default
    name
    Port number or range and protocol
    <port>/<proto> or <start>-<end>/<proto>
    Yes None
    selinuxtype
    SELinux type to apply to this port
    token Yes None
    mlsrange
    SELinux MLS range to apply to this port
    token No None
    Attribute groups:

    SEFcontext Tag

    complexType SEFcontextType
    Concrete SELinux file context (“fcontext”) entry
    Attributes:
    Name Description Values Required Default
    name
    Regular expression file specification
    string Yes None
    selinuxtype
    SELinux type to apply to files matching this specification
    token Yes None
    filetype
    File type to match
    all | regular | directory | symlink | pipe | socket | block | char No all
    mlsrange
    SELinux MLS range to apply to files matching this specification
    token No None
    Attribute groups:

    SENode Tag

    complexType SENodeType
    Concrete SELinux node entry
    Attributes:
    Name Description Values Required Default
    name
    IP address and netmask of node
    <addr>/<netmask>. Netmask can be numeric (/16) or dotted-quad (/255.255.0.0).
    Yes None
    selinuxtype
    SELinux type to apply to this node
    token Yes None
    mlsrange
    SELinux MLS range to apply to this node
    token No None
    proto
    Protocol
    ipv4 | ipv6 No None
    Attribute groups:

    SELogin Tag

    complexType SELoginType
    Concrete SELinux login entry
    Attributes:
    Name Description Values Required Default
    name
    Unix username
    token Yes None
    selinuxuser
    SELinux username
    token Yes None
    mlsrange
    SELinux MLS range to apply to this user
    token No None
    Attribute groups:

    SEUser Tag

    complexType SEUserType
    Concrete SELinux user entry
    Attributes:
    Name Description Values Required Default
    name
    SELinux username
    token Yes None
    prefix
    Home directory context prefix
    token Yes None
    roles
    Space-separated list of rules
    string Yes None
    mlsrange
    SELinux MLS range to apply to this user
    token No None
    Attribute groups:

    SEInterface Tag

    complexType SEInterfaceType
    Concrete SELinux interface entry
    Attributes:
    Name Description Values Required Default
    name
    Interface name
    token Yes None
    selinuxtype
    SELinux type to apply to this interface
    token Yes None
    mlsrange
    SELinux MLS range to apply to this interface
    token No None
    Attribute groups:

    SEPermissive Tag

    complexType SEPermissiveType
    Concrete SELinux permissive domain entry
    Attributes:
    Name Description Values Required Default
    name
    SELinux type to make permissive
    token Yes None
    Attribute groups:

    SEModule Tag

    complexType SEModuleType
    Concrete SELinux module entry
    Attributes:
    Name Description Values Required Default
    name
    SELinux module name or filename
    string Yes None
    disabled
    Disable this module
    true | false No None
    Attribute groups:
    Text content:
    Any

    See also SEModules.

    POSIXUser Tag

    New in version 1.3.0.

    Note

    In order to use this, the client also needs to be at least version 1.3.0 since they require a client tool which is unavailable in previous versions.

    complexType POSIXUserType
    The POSIXUser tag allows you to create users on client machines.
    Attributes:
    Name Description Values Required Default
    name
    Username
    token Yes None
    gecos
    This field is typically used to record general information about the account or its user(s) such as their real name and phone number. If this is not set, the GECOS will be the same as the username.
    string No None
    group
    Name of the user’s primary group. If this is not set, the user’s primary group will be the same as the username.
    token No None
    home
    User’s home directory. Default is /root for the root user, /home/<username> otherwise.
    string No None
    shell
    User’s shell
    string No /bin/bash
    uid
    User ID number. If this is not specified, each client is allowed to set the UID.
    integer No None
    Attribute groups:
    Child elements:
    • element MemberOf

      Attributes:

      Name

      Description

      Values

      Required

      Default

      group

      The name of the supplementary group. This can also be specified as content of the tag, although that is deprecated.

      token

      No

      None

      Text content:

      token

    • element Group

      Attributes:

      Name

      Description

      Values

      Required

      Default

      name

      string

      Yes

      None

      negate

      true | false

      No

      None

      Child elements:
    • Client

    For example:

    <POSIXUser name="daemon" home="/sbin" shell="/sbin/nologin"
               gecos="daemon" uid="2" group="daemon">
      <MemberOf group="lp"/>
      <MemberOf group="adm"/>
      <MemberOf group="bin/>
    </POSIXUser>
    

    The group specified will automatically be created if it does not exist, even if there is no POSIXGroup tag for it. If you need to specify a particular GID for the group, you must specify that in a POSIXGroup tag.

    If you with to change the default shell, you can do so with the Defaults plugin.

    See POSIXUsers for more information on managing users and groups.

    POSIXGroup Tag

    New in version 1.3.0.

    Note

    In order to use this, the client also needs to be at least version 1.3.0 since they require a client tool which is unavailable in previous versions.

    complexType POSIXGroupType
    The POSIXGroup tag allows you to create groups on client machines.
    Attributes:
    Name Description Values Required Default
    name
    Username
    token Yes None
    gid
    Group ID number. If this is not specified, each client is allowed to set the GID.
    integer No None
    Attribute groups:

    See POSIXUsers for more information on managing users and groups.

    Rules Directory

    The Rules/ directory keeps the XML files that define what rules are available for a host. All the files in the directory are processed.

    The names of the XML files have no special meaning to Bcfg2; they are simply named so it’s easy for the administrator to know what the contents hold. All Rules could be kept in a single file if so desired. Bcfg2 simply uses the Groups in the files and priorities to determine how to assign Rules to a host’s literal configuration.

    <Rules priority="0">
        <Path type='directory' group="root" name="/autonfs" owner="root" mode="0755"/>
        <Path type='directory' group="utmp" name="/var/run/screen" owner="root" mode="0775"/>
        <Path type='directory' group="root" name="/autonfs/stage" owner="root" mode="0755"/>
        <Path type='directory' group="root" name="/exports" owner="root" mode="0755"/>
        <Path type='directory' name="/etc/condor" owner="root" group="root" mode="0755"/>
        <Path type='directory' name="/logs" group="wwwtrans" owner="root" mode="0775"/>
        <Path type='directory' name="/mnt" group="root" owner="root" mode="0755"/>
        <Path type='directory' name="/my" owner="root" group="root" mode="0755"/>
        <Path type='directory' name="/my/bin" owner="root" group="root" mode="0755"/>
        <Path type='directory' name="/nfs" owner="root" group="root" mode="0755"/>
        <Path type='directory' name="/sandbox" mode="0777" owner="root" group="root"/>
        <Path type='directory' name="/software" group="root" owner="root" mode="0755"/>
        <Path type='permissions' mode="0555" group="audio" owner="root" name="/dev/dsp"/>
        <Path type='permissions' mode="0555" group="audio" owner="root" name="/dev/mixer"/>
        <Path type='symlink' name="/bin/whatami" to="/mcs/adm/bin/whatami"/>
        <Path type='symlink' name="/chibahomes" to="/nfs/chiba-homefarm"/>
        <Path type='symlink' name="/home" to="/nfs/mcs-homefarm"/>
        <Path type='symlink' name="/homes" to="/home"/>
        <Path type='symlink' name="/mcs" to="/nfs/mcs"/>
        <Path type='symlink' name="/my/bin/bash" to="/bin/bash"/>
        <Path type='symlink' name="/my/bin/tcsh" to="/bin/tcsh"/>
        <Path type='symlink' name="/my/bin/zsh" to="/bin/zsh"/>
        <Path type='symlink' name="/software/common" to="/nfs/software-common"/>
        <Path type='symlink' name="/software/linux" to="/nfs/software-linux"/>
        <Path type='symlink' name="/software/linux-debian_sarge" to="/nfs/linux-debian_sarge"/>
        <Path type='symlink' name="/usr/bin/passwd" to="/usr/bin/yppasswd"/>
        <Path type='symlink' name="/usr/bin/yppasswd" to="/mcs/bin/passwd"/>
        <Path type='symlink' name="/usr/lib/libgd.so.1.8" to="/usr/lib/libgd.so.1.8.4"/>
        <Path type='symlink' name="/usr/lib/libtermcap.so.2" to="/usr/lib/libtermcap.so"/>
        <Path type='symlink' name="/usr/local/bin/perl" to="/usr/bin/perl"/>
        <Path type='symlink' name="/usr/local/bin/perl5" to="/usr/bin/perl"/>
        <Path type='symlink' name="/usr/local/bin/tcsh" to="/bin/tcsh"/>
        <Service name='ntpd' status='on' type='chkconfig'/>
        <Service name='haldaemon' status='on' type='chkconfig'/>
        <Service name='messagebus' status='on' type='chkconfig'/>
        <Service name='netfs' status='on' type='chkconfig'/>
        <Service name='network' status='on' type='chkconfig'/>
        <Service name='rawdevices' status='on' type='chkconfig'/>
        <Service name='sshd' status='on' type='chkconfig'/>
        <Service name='syslog' status='on' type='chkconfig'/>
        <Service name='vmware-tools' status='on' type='chkconfig'/>
    </Rules>
    

    Using Regular Expressions in Rules

    If you wish, you can configure the Rules plugin to support regular expressions. This entails a small performance and memory usage penalty. To do so, add the following setting to bcfg2.conf:

    [rules]
    regex = yes
    

    With regular expressions enabled, you can use a regex in the name attribute to match multiple abstract configuration entries.

    Regular expressions are anchored at both ends, so <Service name="bcfg2".../> will not match a Service named bcfg2-server; you’d have to explicitly specify <Service name="bcfg2.*".../>.

    Note that only one Rule can apply to any abstract entry, so you cannot specify multiple regexes to match the same rule.

    Replacing the name of the Entry in Attributes

    If you are using regular expressions to match the abstract configuration entries, you may need the concrete name of the entry in some attributes. To use this feature, you have to enable it. It is only useful, if used together with regex matching.

    [rules]
    regex = yes
    replace_name = yes
    

    You now can write something like that in your xml file:

    <POSIXUser name='.*' home='/somewhere/%{name}'/>
    

    %{name} will be correctly replaced with the username for each POSIXUser.