Hi, Simon. I want to second Mark's welcome, and comment that doing things natively (like the password generation) will be a lot faster and use less resources. cf-agent has a very small footprint and won't need to fork/exec to run a new process -- also Cfengine can guarantee the policy will be convergent; whereas Cfengine can't make any promises about the behavior of external commands.
You could use a longer password (12 or 20 characters or more) to make up for it not being alphanumeric. A function that returns a random alphanum string might be useful. Just a thought. I'm not asking for it. :)

cheers!
Aleksey

On Wed, Jul 27, 2011 at 10:38 AM, Mark Burgess <[email protected]> wrote:
>
> Hello Simon,
>
> welcome to the wonderful world of CFEngine. I'm afraid I don't have your
> makekpassword function handy, but I can do this (taking away the policy
> statement)
>
> body common control
> {
> bundlesequence => { "check_user_files" };
> inputs => { "cfengine_stdlib.cf" };
> }
>
> bundle agent check_user_files
> {
> vars:
>
>   "newpass" int => randomint("1","8"),
>     policy => "free";
>
> commands:
>
>   "/bin/echo $(newpass)";
>
> reports:
>  !kjsad::
>
>   "GOT $(newpass)";
> }
>
> And I see a consistent value, used only once. The multiple values you
> see with "static" come about because CFEngine wants to re-call the same
> function but it is not allowed to converge. I'll look into why this is
> rather counter-intuitive and see if something needs changing.
>
> Good luck with CFEngine -- so much better than that other thing you
> mentioned ;-)
>
> M
>
>
> On 27/07/11 13:55, Simon Blake wrote:
>> Hi all. First post from a cfengine n00b, please be gentle!
>>
>> I'm trying to set a random mysql root password, and write it to
>> ~root/.my.cnf.
>>
>> My problem is that I set $(newpass) with a shell call to makepasswd, and
>> then use it twice. My first use of $(newpass) is in a command, during
>> pass 1. The second use of $(newpass) is in a file edit, during pass 2,
>> in between $(newpass) has been set to a different value, which means
>> that the password written to .my.cnf and the actual password in mysql
>> now differ.
>>
>> So, is there some way to restrict a variable to only be set in pass 1?
>> I've tried policy=constant, which doesn't appear to make any difference.
>> Or am I going about it completely the wrong way - is there some more
>> stable way to generate a password?
>>
>> My idea was something like
>>
>> set $newpass to be the output from 'makepasswd'
>> run "/usr/bin/mysqladmin status", if it succeeds, exit, if it fails,
>> run "/usr/bin/mysqladmin --password= password $newpass", if it succeeds,
>> write $newpass to ~root/.my.cnf
>>
>> Essentially, I'm trying to do something like
>>
>> http://projects.puppetlabs.com/projects/1/wiki/My_Sql_Server_Patterns
>>
>> but with a randomly generated password.
>>
>> I'm server and client on Debian squeeze, with the cfengine packages from
>> testing (v3.1.5). My code looks like:
>>
>> bundle agent app_db_mysql_mycnf
>> {
>> vars:
>>   "mycnf" string => "root/.my.cnf";
>>
>>   "newpass" string => execresult("/usr/bin/makepasswd --chars
>> 12","noshell"),
>>     policy => "constant";
>>
>> commands:
>>
>>   "/usr/bin/mysqladmin status"
>>     handle => "check_mysql_root_pwd",
>>     comment => "Check mysql root password",
>>     repair_failed => { "set_mysql_root_from_null" };
>>
>>  set_mysql_root_from_null::
>>   "/usr/bin/mysqladmin --password= password $(newpass)"
>>     handle => "set_mysql_root_from_null",
>>     comment => "Set Mysql root password if it is null to $(newpass)";
>>     promise_repaired => { "update_mycnf" };
>>
>> files:
>>
>>  update_mycnf::
>>   "/$(mycnf)"
>>     handle => "update_mycnf",
>>     comment => "Add the new password to my_cnf",
>>     perms => mog("0600", "root", "root"),
>>     edit_line => section_config("client","password","$(newpass)");
>> }
>>
>> A typical run looks like:
>>
>> cf3> Promise handle: set_mysql_root_from_null
>> cf3> Promise made by: /usr/bin/mysqladmin --password= password
>> LCtCv8XDpmJM
>> cf3>
>> cf3> Comment: Set Mysql root password if it is null to LCtCv8XDpmJM
>> cf3> .........................................................
>> cf3>
>> cf3> -> Executing '/usr/bin/mysqladmin --password= password LCtCv8XDpmJM'
>> ...(timeout=-678,owner=-1,group=-1)
>> cf3> -> (Setting umask to 77)
>> cf3> -> Finished command related to promiser "/usr/bin/mysqladmin
>> --password= password LCtCv8XDpmJM" -- succeeded
>> cf3> -> Completed execution of /usr/bin/mysqladmin --password= password
>> LCtCv8XDpmJM
>> cf3>
>> cf3> =========================================================
>> cf3> vars in bundle app_db_mysql_mycnf (2)
>> cf3> =========================================================
>> cf3>
>> cf3> !! Duplicate selection of value for variable "newpass" in scope
>> app_db_mysql_mycnf
>> cf3> !! Rule from /var/lib/cfengine3/inputs/site/app_db_mysql_mycnf.cf
>> at/before line 45
>> cf3>
>> cf3> + Private classes augmented:
>> cf3>
>> cf3> - Private classes diminished:
>> cf3>
>> cf3>
>> cf3>
>> cf3> =========================================================
>> cf3> files in bundle app_db_mysql_mycnf (2)
>> cf3> =========================================================
>> cf3>
>> cf3>
>> cf3> .........................................................
>> cf3> Promise handle: update_mycnf
>> cf3> Promise made by: /root/.my.cnf
>> cf3>
>> cf3> Comment: Add the new password to my_cnf
>> cf3> .........................................................
>> cf3>
>> cf3> -> Using literal pathtype for /root/.my.cnf
>> cf3> -> Handling file existence constraints on /root/.my.cnf
>> cf3> -> File permissions on /root/.my.cnf as promised
>> cf3> -> Handling file existence constraints on /root/.my.cnf
>> cf3> -> File permissions on /root/.my.cnf as promised
>> cf3> -> Handling file edits in edit_line bundle section_config
>> cf3>
>> cf3> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>> cf3> BUNDLE section_config( {'client','password','CxKRfeHX0Fp3'} )
>> cf3> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
>> cf3>
>>
>> Cheers
>> Simon
>> _______________________________________________
>> Help-cfengine mailing list
>> [email protected]
>> https://cfengine.org/mailman/listinfo/help-cfengine
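
The generate-once pattern the thread is reaching for, as an added shell example that is not part of the original messages: the password is created a single time, persisted with mode 0600, and every later read (the mysqladmin call, the .my.cnf edit) gets the same value. `random_alnum`, `ensure_secret`, `render_mycnf` and the state-file path are hypothetical names chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): create a secret once, reuse it on every run.
# All function names and the state-file location are assumptions for illustration.

# Print LEN random alphanumeric characters drawn from the kernel CSPRNG.
# tr discards every byte outside the set, so the 62 symbols stay uniform.
random_alnum() {
    len=$1
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# Print the secret stored in FILE, generating it only if FILE does not exist.
# Repeated calls converge: the value never changes after the first run.
ensure_secret() {
    file=$1
    len=${2:-20}
    if [ ! -f "$file" ]; then
        # mktemp creates the file with mode 0600, in the same directory as FILE.
        tmp=$(mktemp "${file}.XXXXXX") || return 1
        random_alnum "$len" > "$tmp"
        # A hard link fails if FILE already exists, so with concurrent runs
        # the first writer wins and the loser's value is simply discarded.
        ln "$tmp" "$file" 2>/dev/null || true
        rm -f "$tmp"
    fi
    cat "$file"
}

# Render the [client] section that the thread writes to ~root/.my.cnf,
# reading the password from the same state file as every other consumer.
render_mycnf() {
    printf '[client]\npassword=%s\n' "$(ensure_secret "$1")"
}
```

Because both consumers read the stored value instead of re-running the generator, a second evaluation pass cannot produce a different password.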
