Ways to simplify configs?

Michael Ströder michael at stroeder.com
Thu Jul 27 18:28:53 CEST 2017


Alan DeKok wrote:
> On Jul 27, 2017, at 8:21 AM, adrian.p.smith at bt.com wrote:
> >> 3. We use another tool called Ansible (similar to Puppet) that then uploads and unzips
>> to the production servers after first backing up the existing config. FreeRadius is
>> then automatically restarted.
> 
> I've used Salt with good success.  But it handles subdirectories. :(  I just create
> the config I want in a subdirectory in salt, and then tell it to sync the subdirectory
> to another machine.

Your config dir might need different user/group ownership and permissions for certain
files within your directory structure. While puppet/ansible/whatever config management
can all of course "handle" subdirectories, it's tricky to get ownership/permissions right
while strictly preserving idempotency.

Reason:
In environments with high security requirements you might have file integrity monitoring
running on all systems (with DB directories or similar excluded). So you definitely aim
to avoid every unnecessary write access during a config run because a security auditor has
to manually acknowledge every change, even if only the mtime changed. Copying files
recursively and fixing ownership/permissions afterwards is an anti-pattern in such an
environment.

So I tend to let the config management write only very few config files without too much
sophisticated include dir structure.

Ciao, Michael.
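
An added example, not part of the original post or of any tool named in the thread: one way to deploy a single config file so that an unchanged file is never written to (mtime and inode stay as they were), and a changed file gets its final owner and mode before it is renamed into place, instead of being copied and fixed up afterwards. The function name `ensure_file` and its parameters are hypothetical.

```python
import os
import tempfile


def ensure_file(path, content, mode=0o640, uid=None, gid=None):
    """Bring path to the desired state; return True only if something was written."""
    uid = os.getuid() if uid is None else uid
    gid = os.getgid() if gid is None else gid
    try:
        st = os.stat(path)
        with open(path, "rb") as fh:
            same_content = fh.read() == content
    except FileNotFoundError:
        st, same_content = None, False

    if same_content:
        # Content matches: no write at all, so mtime is preserved.
        # Metadata is touched only where it actually differs.
        changed = False
        if (st.st_mode & 0o7777) != mode:
            os.chmod(path, mode)
            changed = True
        if (st.st_uid, st.st_gid) != (uid, gid):
            os.chown(path, uid, gid)
            changed = True
        return changed

    # Content differs: build the new file in the same directory with its
    # final owner and mode, then rename it over the target in one step.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "wb") as fh:
            os.fchown(fh.fileno(), uid, gid)
            os.fchmod(fh.fileno(), mode)
            fh.write(content)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return True
```

A second run with the same arguments returns False and leaves nothing for file integrity monitoring to report.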
