Re: ntpd.conf - add ability to read servers from an include file?

2015-01-29 Thread Theo de Raadt
> Basically for the sake of automated deployments it would be nice / clean
> to be able to do :
>
> includeservers /path/to/file
>
> And then read them all from the file.  And the same file would be used
> as a table in pf.conf for NTP FW rules.  One server per line.
>
> This would make initial deployments easier to automate (no need to
> programmatically alter the config file), and then if you need to change
> your NTP servers post-deployment it is cleaner as well with less chance
> of human error. i.e. changing pf.conf is riskier than changing ntpd.conf

I do not see much value in these nested include mechanisms.  Honestly,
OpenBSD is now shipping without a ntpd.conf file.  You create this
file, thus you own it.  Having you create a file (ntpd.conf) which
points to another file (/etc/serverlist?) you also create, that is
kind of crazy.

/etc/pf.conf is also on my list for removal as well, so that it
becomes more of a user-owned file.  The idea here is that you would
look at the examples, and then create your own, and upgrades /
sysmerge would not touch your file.

I believe if we do this right, it will prod people towards creating
narrower role-specific configurations for their machines.
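For the single-list approach the original poster describes (one server per line, shared between ntpd.conf and a pf table), the following added example, not code from this thread or from OpenBSD, generates both files from that list instead of asking ntpd for an include directive. The list path /etc/ntp_servers, the table name ntp_servers and the sample entries are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): keep one server list and derive
# both ntpd.conf "server" lines and a pf.conf fragment from it.
# The list path /etc/ntp_servers is an assumed name.
set -euf   # -f: no globbing when the list lines are word-split below

# Accept only bare hostnames or IPv4/IPv6 literals, so a stray character
# in the list cannot smuggle extra directives into either config.
valid_entry() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9.:-]+$'
}

# Emit ntpd.conf content: one "server" line per entry; blank lines and
# '#' comments are skipped, anything but a single field is rejected.
# ("servers", plural, would instead expand a pool name to every address.)
gen_ntpd_conf() {
    list=$1
    while read -r line || [ -n "$line" ]; do
        set -- ${line%%#*}            # drop the comment, split on whitespace
        [ $# -eq 0 ] && continue
        if [ $# -ne 1 ] || ! valid_entry "$1"; then
            echo "rejected entry: $line" >&2; return 1
        fi
        printf 'server %s\n' "$1"
    done < "$list"
}

# Emit a pf.conf fragment that loads the same file as a table and allows
# outbound NTP only to those hosts. Caveat: pfctl resolves hostnames in a
# table file once, at ruleset load, whereas ntpd re-resolves over time,
# so IP literals keep the two views of the list in step.
gen_pf_conf() {
    cat <<EOF
table <ntp_servers> persist file "$1"
pass out quick proto udp from self to <ntp_servers> port 123
block out quick proto udp from self to any port 123
EOF
}

# Constructed sample list used to exercise the two generators.
make_sample_list() {
    f=$(mktemp)
    printf '%s\n' '# constructed example list' '192.0.2.10' \
        '2001:db8::123   # IPv6 literal' 'ntp1.example.net' '' > "$f"
    printf '%s\n' "$f"
}
```

In a deployment the generated fragment would be syntax-checked with `pfctl -nf` before being installed, and the list file is the only thing the provisioning tool needs to write.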



Re: ntpd.conf - add ability to read servers from an include file?

2015-01-29 Thread Nex6|Bill
On Jan 29, 2015, at 10:10 AM, Theo de Raadt dera...@cvs.openbsd.org
wrote:

> > Basically for the sake of automated deployments it would be nice / clean
> > to be able to do :
> >
> > includeservers /path/to/file
> >
> > And then read them all from the file.  And the same file would be used
> > as a table in pf.conf for NTP FW rules.  One server per line.
> >
> > This would make initial deployments easier to automate (no need to
> > programmatically alter the config file), and then if you need to change
> > your NTP servers post-deployment it is cleaner as well with less chance
> > of human error. i.e. changing pf.conf is riskier than changing ntpd.conf
>
> I do not see much value in these nested include mechanisms.  Honestly,
> OpenBSD is now shipping without a ntpd.conf file.  You create this
> file, thus you own it.  Having you create a file (ntpd.conf) which
> points to another file (/etc/serverlist?) you also create, that is
> kind of crazy.
>
> /etc/pf.conf is also on my list for removal as well, so that it
> becomes more of a user-owned file.  The idea here is that you would
> look at the examples, and then create your own, and upgrades /
> sysmerge would not touch your file.
>
> I believe if we do this right, it will prod people towards creating
> narrower role-specific configurations for their machines.


having simpler config models, and narrow roles would be a good thing.

-Nex6
