module:groups provides Unix group management when run as a CFEngine module. See also module:users for user account management, and module:authkey for OpenSSH authorized_key management.
Advantages of module:groups include extensibility to support new operating systems, assuming appropriate list, add, and remove command interfaces. Also, systems are not slaved to a mandatory directory service. This allows support for laptops.
Disadvantages of module:groups include scalability problems, and the need to run scripts everywhere.
With the no_modify class set in the CFALLCLASSES environment variable, module:groups will only display what changes would be made to the system. This simplifies rollouts to previously unmanaged systems.
The source code for module:groups is only available by request.
Configuration
main.ini
main.ini contains module defaults, and configuration classes that define how to list, add, modify, and remove groups on various Operating Systems.
[defaults]
missing_file = /var/cfengine/etc/module/groups/missing
unaccounted_file = /var/cfengine/etc/module/groups/unaccounted
cf_dir = /var/cfengine/etc/module/groups/os-base
    /var/cfengine/etc/module/groups/site
# Define classes if something happens. Must be listed under
# AddInstallable in CFEngine configuration. Can also be set under
# class specific blocks, below.
cf_class_add = action_group_added
cf_class_remove = action_group_removed
[macosx]
install_cmd = /usr/sbin/groupadd -g %{id} %{name}
list_cmd = /usr/bin/nidump group /
modify_cmd = /usr/sbin/groupmembers %{name} %{members}
remove_cmd = /usr/sbin/groupdel %{name}
[openbsd]
install_cmd = /usr/sbin/groupadd -g %{id} %{name}
list_cmd = /bin/cat /etc/group
modify_cmd = /usr/sbin/groupmembers %{name} %{members}
remove_cmd = /usr/sbin/groupdel %{name}
[redhat]
install_cmd = /usr/sbin/groupadd -f -g %{id} %{name}
list_cmd = /bin/cat /etc/group
modify_cmd = /usr/sbin/groupmembers %{name} %{members}
remove_cmd = /usr/sbin/groupdel %{name}
The special groupmembers command modifies group memberships. Sample scripts are available for Mac OS X and RedHat Linux.
*.ini
Group memberships are determined by CFEngine classes, and by the associated files from which group information is read. Either use a filename based on the class, such as os-base/centos_4_2.cf, or use a generic site/any.cf and set classes statements to determine whether the group definitions apply to the system in question.
Sample from an os-base/macosx_10_4.cf file:
[nobody]
id = -2
[nogroup]
id = -1
[wheel]
id = 0
members = root
[daemon]
id = 1
members = root
…
Sample from a site/any.cf file:
[sysadmin]
classes = any
id = 256
members = jmates
[tomcat]
classes = role_tomcat
id = 400
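The following Python is an added illustration, not the module's own code (which is only available by request): it reads the [redhat] command templates and the site/any.cf-style definitions above, compares them with a constructed /etc/group, and produces the commands a no_modify run would display plus the groups an unaccounted_file would record. It assumes a definition applies when its classes value is "any" or a class set on the host, and that members is a comma-separated list.

```python
import configparser
import re

# Constructed excerpt of the [redhat] section of main.ini shown above.
MAIN_INI = """[redhat]
install_cmd = /usr/sbin/groupadd -f -g %{id} %{name}
list_cmd = /bin/cat /etc/group
modify_cmd = /usr/sbin/groupmembers %{name} %{members}
remove_cmd = /usr/sbin/groupdel %{name}
"""
# Constructed site/any.cf-style definitions mirroring the sample above.
GROUPS_INI = """[sysadmin]
classes = any
id = 256
members = jmates
[tomcat]
classes = role_tomcat
id = 400
"""
# Constructed list_cmd output: the host's current /etc/group.
ETC_GROUP = "root:x:0:\nsysadmin:x:256:\nwheel:x:10:root\n"

def parse_ini(text):
    cp = configparser.ConfigParser(interpolation=None)  # keep %{...} literal
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def parse_group_file(text):
    """Map group name -> {id, members} from /etc/group lines."""
    rows = (line.split(":", 3) for line in text.splitlines() if line)
    return {n: {"id": g, "members": set(filter(None, m.split(",")))} for n, _, g, m in rows}

def expand(template, values):
    return re.sub(r"%\{(\w+)\}", lambda m: values[m.group(1)], template)

def plan(main, groups, current, active_classes, os_section="redhat"):
    """Commands no_modify would display, and groups unaccounted_file would record."""
    cmds, commands = main[os_section], []
    # Assumption: a definition applies when classes is "any" or a class set on the host.
    wanted = {n: g for n, g in groups.items() if g.get("classes", "any") in {"any", *active_classes}}
    for name, g in sorted(wanted.items()):
        members = set(filter(None, g.get("members", "").split(",")))  # assumed comma-separated
        values = {"name": name, "id": g["id"], "members": ",".join(sorted(members))}
        if name not in current:
            commands.append(expand(cmds["install_cmd"], values))
            if members:
                commands.append(expand(cmds["modify_cmd"], values))
        elif current[name]["members"] != members:
            commands.append(expand(cmds["modify_cmd"], values))
    return commands, sorted(set(current) - set(wanted))
```

Groups present on the host but absent from every active definition are reported rather than removed, since the page does not state when remove_cmd is triggered.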
Convert Existing Groups
Use group2ini and initidy to convert existing Unix group data into *.ini files used by module:groups. For example, on Mac OS X:
$ nidump group / | group2ini | initidy > macosx_10_4.cf
Extract groups from a freshly installed operating system, before other utilities have added to the base group information.