
bcfg2-doc-1.3.0-1.fc17.noarch.rpm



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    
    <title>Cfg &mdash; Bcfg2 1.3.0 documentation</title>
    
    <link rel="stylesheet" href="../../../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../../../_static/pygments.css" type="text/css" />
    
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../../../',
        VERSION:     '1.3.0',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true
      };
    </script>
    <script type="text/javascript" src="../../../_static/jquery.js"></script>
    <script type="text/javascript" src="../../../_static/underscore.js"></script>
    <script type="text/javascript" src="../../../_static/doctools.js"></script>
    <script type="text/javascript" src="../../../_static/sidebar.js"></script>
    <link rel="shortcut icon" href="../../../_static/favicon.ico"/>
    <link rel="top" title="Bcfg2 1.3.0 documentation" href="../../../index.html" />
    <link rel="up" title="Plugins" href="../index.html" />
    <link rel="next" title="bcfg2-cron" href="examples/genshi/bcfg2-cron.html" />
    <link rel="prev" title="Account" href="account.html" />
 
<link rel="stylesheet" href="../../../_static/bcfg2.css" type=""/>

  </head>
  <body>

  

    <div class="document">
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body">
            
  <div class="section" id="cfg">
<span id="server-plugins-generators-cfg"></span><h1>Cfg<a class="headerlink" href="#cfg" title="Permalink to this headline">¶</a></h1>
<p>The Cfg plugin provides a repository to describe configuration file
contents for clients. In its simplest form, the Cfg repository is just a
directory tree modeled off of the directory tree on your client machines.</p>
<div class="section" id="the-cfg-repository">
<h2>The Cfg Repository<a class="headerlink" href="#the-cfg-repository" title="Permalink to this headline">¶</a></h2>
<p>The Cfg plugin is enabled by including <strong>Cfg</strong> on the <strong>plugins</strong> line of
the <strong>[server]</strong> section of your Bcfg2 server config file. The repository
itself lives in <tt class="docutils literal"><span class="pre">/var/lib/bcfg2/Cfg</span></tt>, assuming you are using the default
repository location of <tt class="docutils literal"><span class="pre">/var/lib/bcfg2</span></tt>. The contents of this directory
are a series of directories corresponding to the real-life locations of
the files on your clients, starting at the root level. For example:</p>
<div class="highlight-python"><pre>% ls Cfg
bin/  boot/  etc/  opt/  root/  usr/  var/</pre>
</div>
<p>Specific config files go in like-named directories in this
hierarchy.  For example the password file, <tt class="docutils literal"><span class="pre">/etc/passwd</span></tt>, goes
in <tt class="docutils literal"><span class="pre">Cfg/etc/passwd/passwd</span></tt>, while the ssh pam module config file,
<tt class="docutils literal"><span class="pre">/etc/pam.d/sshd</span></tt>, goes in <tt class="docutils literal"><span class="pre">Cfg/etc/pam.d/sshd/sshd</span></tt>. The reason for
the like-named directory is to allow multiple versions of each file to
exist, as described below. Note that these files are exact copies of what
will appear on the client machine (except when using Genshi or Cheetah
templating &#8211; see below).</p>
</div>
<div class="section" id="group-specific-files">
<h2>Group-Specific Files<a class="headerlink" href="#group-specific-files" title="Permalink to this headline">¶</a></h2>
<p>It is often the case that you want one version of a config file for
all of your machines except those in a particular group. For example,
<tt class="docutils literal"><span class="pre">/etc/fstab</span></tt> should look alike on all of your desktop machines, but
should be different on your file servers. Bcfg2 can handle this case
through use of group-specific files.</p>
<p>As mentioned above, all Cfg entries live in like-named directories
at the end of their directory tree. In the case of fstab, the file at
<tt class="docutils literal"><span class="pre">Cfg/etc/fstab/fstab</span></tt> will be handed out by default to any client that
asks for a copy of <tt class="docutils literal"><span class="pre">/etc/fstab</span></tt>. Group-specific files are located in
the same directory and are named with the following syntax:</p>
<div class="highlight-python"><pre>/path/to/filename/filename.GNN_groupname</pre>
</div>
<p><strong>NN</strong> is a priority number where <strong>00</strong> is lowest and <strong>99</strong>
is highest, and <strong>groupname</strong> is the name of a group defined in
<tt class="docutils literal"><span class="pre">Metadata/groups.xml</span></tt>. Back to our fstab example, we might have a
<tt class="docutils literal"><span class="pre">Cfg/etc/fstab/</span></tt> directory that looks like this:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="n">fstab</span>
<span class="n">fstab</span><span class="o">.</span><span class="n">G50_server</span>
<span class="n">fstab</span><span class="o">.</span><span class="n">G99_fileserver</span>
</pre></div>
</div>
<p>By default, clients will receive the plain fstab file when they request
<tt class="docutils literal"><span class="pre">/etc/fstab</span></tt>. Any machine that is in the <strong>server</strong> group, however, will
instead receive the <tt class="docutils literal"><span class="pre">fstab.G50_server</span></tt> file. Finally, any machine that
is in the <strong>fileserver</strong> group will receive the <tt class="docutils literal"><span class="pre">fstab.G99_fileserver</span></tt>
file, even if they are also in the <strong>server</strong> group.</p>
</div>
<div class="section" id="host-specific-files">
<h2>Host-Specific Files<a class="headerlink" href="#host-specific-files" title="Permalink to this headline">¶</a></h2>
<p>Similar to the case with group-specific files, there are cases where
a specific machine should have a different version of a file than all
others. This can be accomplished with host-specific files. The format
of a host-specific file name is:</p>
<div class="highlight-python"><pre>/path/to/filename/filename.H_host.example.com</pre>
</div>
<p>Host-specific files have a higher priority than group-specific
files. Again, the fstab example:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="n">fstab</span>
<span class="n">fstab</span><span class="o">.</span><span class="n">G50_server</span>
<span class="n">fstab</span><span class="o">.</span><span class="n">G99_fileserver</span>
<span class="n">fstab</span><span class="o">.</span><span class="n">H_host</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span>
</pre></div>
</div>
<p>In this case, <em>host.example.com</em> will always get the host-specific
version, even if it is part of the <strong>server</strong> or <strong>fileserver</strong> (or both)
groups.</p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">If you have the ability to choose between using a group-specific and a
host-specific file, it is almost always best to use a group-specific
one. That way if a hostname changes or an extra copy of a particular
client is built, it will get the same changes as the original.</p>
</div>
</div>
<div class="section" id="templates">
<h2>Templates<a class="headerlink" href="#templates" title="Permalink to this headline">¶</a></h2>
<div class="section" id="genshi-templates">
<span id="server-plugins-generators-cfg-genshi"></span><h3>Genshi Templates<a class="headerlink" href="#genshi-templates" title="Permalink to this headline">¶</a></h3>
<p>Genshi templates allow you to use the <a class="reference external" href="http://genshi.edgewall.org">Genshi</a> templating system.  This is similar to
the deprecated <a class="reference internal" href="tgenshi.html#server-plugins-generators-tgenshi-index"><em>TGenshi</em></a> plugin.
Genshi templates should be named with a <tt class="docutils literal"><span class="pre">.genshi</span></tt> extension, e.g.:</p>
<div class="highlight-python"><pre>% ls Cfg/etc/motd
info.xml  motd.genshi</pre>
</div>
<p>See the genshi <a class="reference external" href="http://genshi.edgewall.org/wiki/Documentation">documentation</a> for examples of
Genshi syntax.</p>
<div class="section" id="troubleshooting">
<h4>Troubleshooting<a class="headerlink" href="#troubleshooting" title="Permalink to this headline">¶</a></h4>
<p>When developing a template, you can see what the template would
generate on a client with <a class="reference internal" href="../../bcfg2-info.html#server-bcfg2-info"><em>bcfg2-info</em></a>:</p>
<div class="highlight-python"><pre>bcfg2-info buildfile &lt;path&gt; &lt;hostname&gt;</pre>
</div>
<p>E.g.:</p>
<div class="highlight-python"><pre>bcfg2-info buildfile /etc/foo.conf foo.example.com</pre>
</div>
<p>To generate a file with an <a class="reference internal" href="../structures/altsrc.html#server-plugins-structures-altsrc"><em>altsrc</em></a> attribute, you can run:</p>
<div class="highlight-python"><pre>bcfg2-info buildfile /etc/foo/foo.conf --altsrc=/etc/foo.conf \
    foo.example.com</pre>
</div>
<p>Sometimes, it&#8217;s useful to be able to do more in-depth troubleshooting
by running the template manually. To do this, run <tt class="docutils literal"><span class="pre">bcfg2-info</span>
<span class="pre">debug</span></tt>, and, once in the Python interpreter, run:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="n">metadata</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">build_metadata</span><span class="p">(</span><span class="s">&quot;&lt;hostname&gt;&quot;</span><span class="p">)</span>
<span class="n">source_path</span> <span class="o">=</span> <span class="s">&quot;&lt;full path to template&gt;&quot;</span>
<span class="n">name</span> <span class="o">=</span> <span class="n">source_path</span><span class="p">[</span><span class="nb">len</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">setup</span><span class="p">[</span><span class="s">&#39;repo&#39;</span><span class="p">]):]</span>
</pre></div>
</div>
<p>Then, run:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="kn">import</span> <span class="nn">os</span>
<span class="kn">from</span> <span class="nn">genshi.template</span> <span class="kn">import</span> <span class="n">TemplateLoader</span><span class="p">,</span> <span class="n">NewTextTemplate</span>
<span class="n">template</span> <span class="o">=</span> <span class="n">TemplateLoader</span><span class="p">()</span><span class="o">.</span><span class="n">load</span><span class="p">(</span><span class="n">source_path</span><span class="p">,</span> <span class="n">cls</span><span class="o">=</span><span class="n">NewTextTemplate</span><span class="p">)</span>
<span class="n">data</span> <span class="o">=</span> <span class="nb">dict</span><span class="p">(</span><span class="n">metadata</span><span class="o">=</span><span class="n">metadata</span><span class="p">,</span>
            <span class="n">source_path</span><span class="o">=</span><span class="n">source_path</span><span class="p">,</span>
            <span class="n">path</span><span class="o">=</span><span class="n">source_path</span><span class="p">,</span>
            <span class="n">name</span><span class="o">=</span><span class="n">name</span><span class="p">,</span>
            <span class="n">repo</span><span class="o">=</span><span class="bp">self</span><span class="o">.</span><span class="n">setup</span><span class="p">[</span><span class="s">&#39;repo&#39;</span><span class="p">])</span>
<span class="k">print</span><span class="p">(</span><span class="n">template</span><span class="o">.</span><span class="n">generate</span><span class="p">(</span><span class="o">**</span><span class="n">data</span><span class="p">)</span><span class="o">.</span><span class="n">render</span><span class="p">())</span>
</pre></div>
</div>
<p>This gives you more fine-grained control over how your template is
rendered.  E.g., you can tweak the values of the variables passed to
the template, or evaluate the template manually, line-by-line, and so
on.</p>
<p>You can also use this approach to render templates that depend on
<a class="reference internal" href="../structures/altsrc.html#server-plugins-structures-altsrc"><em>altsrc</em></a> tags by setting
<tt class="docutils literal"><span class="pre">source_path</span></tt> to the path to the template, and setting <tt class="docutils literal"><span class="pre">name</span></tt> to the path
to the file to be generated, e.g.:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="n">metadata</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">build_metadata</span><span class="p">(</span><span class="s">&quot;foo.example.com&quot;</span><span class="p">)</span>
<span class="n">source_path</span> <span class="o">=</span> <span class="s">&quot;/Cfg/etc/sysconfig/network-scripts/ifcfg-template/ifcfg-template.genshi&quot;</span>
<span class="n">name</span> <span class="o">=</span> <span class="s">&quot;/etc/sysconfig/network-scripts/ifcfg-bond0&quot;</span>
</pre></div>
</div>
</div>
<div class="section" id="error-handling">
<h4>Error handling<a class="headerlink" href="#error-handling" title="Permalink to this headline">¶</a></h4>
<p>Situations may arise where a templated file cannot be generated due to
missing or incomplete information.  A TemplateError can be raised to
force a bind failure and prevent sending an incomplete file to the
client.  For example, this template:</p>
<div class="highlight-python"><pre>{% python
    from genshi.template import TemplateError
    grp = None
    for g in metadata.groups:
        if g.startswith('ganglia-gmond-'):
            grp = g
            break
    else:
        raise TemplateError("Missing group")
%}\</pre>
</div>
<p>will fail to bind if the client is not a member of a group starting with
&#8220;ganglia-gmond-&#8221;.  The syslogs on the server will contain this message:</p>
<div class="highlight-python"><pre>bcfg2-server[5957]: Genshi template error: Missing group
bcfg2-server[5957]: Failed to bind entry: Path /etc/ganglia/gmond.conf</pre>
</div>
<p>...indicating the bind failure and message raised with the TemplateError.</p>
</div>
<div class="section" id="handling-dollar-signs">
<h4>Handling Dollar Signs<a class="headerlink" href="#handling-dollar-signs" title="Permalink to this headline">¶</a></h4>
<p>In a Genshi template, <tt class="docutils literal"><span class="pre">$</span></tt> is a special character and must be escaped
by doubling, i.e., <tt class="docutils literal"><span class="pre">$$</span></tt>.  For instance, to embed the Subversion
<tt class="docutils literal"><span class="pre">$Id$</span></tt> keyword in a Genshi template, you would have to do <tt class="docutils literal"><span class="pre">$$Id$$</span></tt>.</p>
</div>
<div class="section" id="examples">
<h4>Examples<a class="headerlink" href="#examples" title="Permalink to this headline">¶</a></h4>
<div class="toctree-wrapper compound">
<ul>
<li class="toctree-l1"><a class="reference internal" href="examples/genshi/bcfg2-cron.html">bcfg2-cron</a></li>
<li class="toctree-l1"><a class="reference internal" href="examples/genshi/clientsxml.html">clients.xml</a></li>
<li class="toctree-l1"><a class="reference internal" href="examples/genshi/ganglia.html">ganglia</a></li>
<li class="toctree-l1"><a class="reference internal" href="examples/genshi/grubconf.html">grub.conf</a></li>
<li class="toctree-l1"><a class="reference internal" href="examples/genshi/hosts.html">hosts</a></li>
<li class="toctree-l1"><a class="reference internal" href="examples/genshi/iptables.html">iptables</a></li>
<li class="toctree-l1"><a class="reference internal" href="examples/genshi/motd.html">motd</a></li>
<li class="toctree-l1"><a class="reference internal" href="examples/genshi/mycnf.html">my.cnf</a></li>
<li class="toctree-l1"><a class="reference internal" href="examples/genshi/test.html">test</a></li>
</ul>
</div>
</div>
</div>
<div class="section" id="cheetah-templates">
<span id="server-plugins-generators-cfg-cheetah"></span><h3>Cheetah Templates<a class="headerlink" href="#cheetah-templates" title="Permalink to this headline">¶</a></h3>
<p>Cheetah templates allow you to use the <a class="reference external" href="http://www.cheetahtemplate.org/">cheetah templating system</a>.  This is similar to
the deprecated <a class="reference internal" href="tcheetah.html#server-plugins-generators-tcheetah"><em>TCheetah</em></a> plugin.
Cheetah templates should be named with a <tt class="docutils literal"><span class="pre">.cheetah</span></tt> extension, e.g.:</p>
<div class="highlight-python"><pre>% ls Cfg/etc/motd
info.xml  motd.cheetah</pre>
</div>
<div class="section" id="id1">
<h4>Examples<a class="headerlink" href="#id1" title="Permalink to this headline">¶</a></h4>
<div class="toctree-wrapper compound">
<ul>
<li class="toctree-l1"><a class="reference internal" href="examples/cheetah/crontab.html">Writing crontab with Cheetah</a></li>
<li class="toctree-l1"><a class="reference internal" href="examples/cheetah/simple.html">Basic Cheetah Templates</a></li>
</ul>
</div>
</div>
<div class="section" id="comments-and-cheetah">
<h4>Comments and Cheetah<a class="headerlink" href="#comments-and-cheetah" title="Permalink to this headline">¶</a></h4>
<p>As Cheetah processes your templates it will consider hash &#8220;#&#8221; style
comments to be actual comments in the template and will strip them
from the final config file.  If you would like to preserve the comment
in the final config file, you need to escape the hash character &#8216;#&#8217;,
which tells Cheetah (and Python) that you do in fact want the
comment to appear in the final config file:</p>
<div class="highlight-python"><pre># This is a comment in my template which will be stripped when it's processed through Cheetah
\# This comment will appear in the generated config file.</pre>
</div>
</div>
</div>
<div class="section" id="inside-templates">
<h3>Inside Templates<a class="headerlink" href="#inside-templates" title="Permalink to this headline">¶</a></h3>
<p>Several variables are pre-defined inside templates:</p>
<table border="1" class="docutils">
<colgroup>
<col width="19%" />
<col width="81%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Name</th>
<th class="head">Description</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>metadata</td>
<td><a class="reference internal" href="../grouping/metadata.html#server-plugins-grouping-metadata-clientmetadata"><em>Client metadata</em></a></td>
</tr>
<tr class="row-odd"><td>name</td>
<td>The value of the <tt class="docutils literal"><span class="pre">name</span></tt> attribute as specified in
the Path entry in Bcfg2.  If an <a class="reference internal" href="../structures/altsrc.html#server-plugins-structures-altsrc"><em>altsrc</em></a> attribute is used,
then <tt class="docutils literal"><span class="pre">name</span></tt> will be the value of that attribute.</td>
</tr>
<tr class="row-even"><td>source_path</td>
<td>The path to the template file on the filesystem</td>
</tr>
<tr class="row-odd"><td>repo</td>
<td>The path to the Bcfg2 repository on the filesystem</td>
</tr>
<tr class="row-even"><td>path</td>
<td>In Genshi templates, <tt class="docutils literal"><span class="pre">path</span></tt> is a synonym for
<tt class="docutils literal"><span class="pre">source_path</span></tt>.  In Cheetah templates, it&#8217;s a synonym
for <tt class="docutils literal"><span class="pre">name</span></tt>.  For this reason, use of <tt class="docutils literal"><span class="pre">path</span></tt> is
discouraged, and it may be deprecated in a future
release.</td>
</tr>
</tbody>
</table>
<p>To access these variables in a Genshi template, you can simply use the
name, e.g.:</p>
<div class="highlight-python"><pre>Path to this file: ${name}</pre>
</div>
<p>In a Cheetah template, the variables are properties of <tt class="docutils literal"><span class="pre">self</span></tt>,
e.g.:</p>
<div class="highlight-python"><pre>Path to this file: $self.name</pre>
</div>
</div>
<div class="section" id="notes-on-using-templates">
<h3>Notes on Using Templates<a class="headerlink" href="#notes-on-using-templates" title="Permalink to this headline">¶</a></h3>
<p>Templates can be host and group specific as well.  Deltas will not be
processed for any Genshi or Cheetah base file.</p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p>If you are using templating in combination with host-specific
or group-specific files, you will need to ensure that the <tt class="docutils literal"><span class="pre">.genshi</span></tt>
or <tt class="docutils literal"><span class="pre">.cheetah</span></tt> extension is at the <strong>end</strong> of the filename. Using the
examples from above for <em>host.example.com</em> and group <em>server</em> you would
have the following:</p>
<div class="last highlight-python"><div class="highlight"><pre><span class="n">Cfg</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">fstab</span><span class="o">/</span><span class="n">fstab</span><span class="o">.</span><span class="n">H_host</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">genshi</span>
<span class="n">Cfg</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">fstab</span><span class="o">/</span><span class="n">fstab</span><span class="o">.</span><span class="n">G50_server</span><span class="o">.</span><span class="n">cheetah</span>
</pre></div>
</div>
</div>
<p>Genshi templates take precedence over Cheetah templates.  For example, if
two files exist named:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="n">Cfg</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">fstab</span><span class="o">/</span><span class="n">fstab</span><span class="o">.</span><span class="n">genshi</span>
<span class="n">Cfg</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">fstab</span><span class="o">/</span><span class="n">fstab</span><span class="o">.</span><span class="n">cheetah</span>
</pre></div>
</div>
<p>The Cheetah template is ignored.  Exploiting this fact is probably a
pretty bad idea in practice.</p>
<p>You can mix Genshi and Cheetah when using different host-specific or
group-specific files.  For example:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="n">Cfg</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">fstab</span><span class="o">/</span><span class="n">fstab</span><span class="o">.</span><span class="n">H_host</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">genshi</span>
<span class="n">Cfg</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">fstab</span><span class="o">/</span><span class="n">fstab</span><span class="o">.</span><span class="n">G50_server</span><span class="o">.</span><span class="n">cheetah</span>
</pre></div>
</div>
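<p>To make the precedence rules on this page concrete, here is an added Python model of the selection (example code written for this page, not the Cfg plugin's own implementation). It parses the <tt class="docutils literal"><span class="pre">.GNN_group</span></tt>, <tt class="docutils literal"><span class="pre">.H_host</span></tt>, <tt class="docutils literal"><span class="pre">.genshi</span></tt>/<tt class="docutils literal"><span class="pre">.cheetah</span></tt> and <tt class="docutils literal"><span class="pre">.crypt</span></tt> suffixes in the orders shown on this page, then chooses the file a client would receive: host-specific over group-specific over the plain file, the higher <strong>NN</strong> among matching group files, and Genshi over Cheetah at equal specificity. One assumption goes beyond the text: when a plain file and a template of the same specificity coexist, the model prefers the template. The directory listing and client names are constructed, and the names <tt class="docutils literal"><span class="pre">parse_cfg_filename</span></tt>, <tt class="docutils literal"><span class="pre">select_entry</span></tt> and <tt class="docutils literal"><span class="pre">CfgEntry</span></tt> are this example's own.</p>

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Suffixes the page describes: template engines, and the .crypt marker,
# which may appear before or after the template extension.
TEMPLATE_EXTS = ("genshi", "cheetah")
CRYPT_EXT = "crypt"
# Tie-break at equal specificity: Genshi over Cheetah (stated on the page);
# any template over the plain file (an assumption of this example).
TEMPLATE_RANK = {"genshi": 2, "cheetah": 1, None: 0}


@dataclass(frozen=True)
class CfgEntry:
    filename: str
    host: Optional[str]       # hostname from .H_<hostname>, else None
    group: Optional[str]      # group from .G<NN>_<groupname>, else None
    priority: int             # NN for group-specific files, -1 otherwise
    template: Optional[str]   # "genshi", "cheetah" or None
    encrypted: bool           # True when a .crypt suffix is present


def parse_cfg_filename(filename: str, basename: str) -> Optional[CfgEntry]:
    """Decompose e.g. 'fstab.G50_server.cheetah' relative to basename 'fstab'.

    Returns None for files that are not candidates for <basename>, such as
    info.xml or names whose specifier is neither .GNN_group nor .H_host.
    """
    if filename != basename and not filename.startswith(basename + "."):
        return None
    rest = filename[len(basename):].lstrip(".")
    parts = rest.split(".") if rest else []
    template, encrypted = None, False
    # Strip trailing .crypt / .genshi / .cheetah in whatever order they appear.
    while parts and parts[-1] in TEMPLATE_EXTS + (CRYPT_EXT,):
        ext = parts.pop()
        if ext == CRYPT_EXT:
            encrypted = True
        else:
            template = ext
    specifier = ".".join(parts)   # hostnames contain dots, so rejoin the rest
    if specifier == "":
        return CfgEntry(filename, None, None, -1, template, encrypted)
    m = re.fullmatch(r"G(\d{2})_(.+)", specifier)
    if m:
        return CfgEntry(filename, None, m.group(2), int(m.group(1)),
                        template, encrypted)
    m = re.fullmatch(r"H_(.+)", specifier)
    if m:
        return CfgEntry(filename, m.group(1), None, -1, template, encrypted)
    return None


def select_entry(listing: Iterable[str], basename: str,
                 hostname: str, groups: Iterable[str]) -> CfgEntry:
    """Pick the file a client is served from one Cfg/<path>/ directory.

    Host-specific beats group-specific beats the plain file; among matching
    group files the higher NN wins; remaining ties use TEMPLATE_RANK.
    """
    groups = set(groups)
    candidates: List[CfgEntry] = []
    for name in listing:
        entry = parse_cfg_filename(name, basename)
        if entry is None:
            continue
        if entry.host is not None and entry.host != hostname:
            continue
        if entry.group is not None and entry.group not in groups:
            continue
        candidates.append(entry)
    if not candidates:
        # Analogue of a bind failure: nothing in the directory applies.
        raise LookupError(f"no Cfg entry for {basename} applies to {hostname}")

    def rank(entry: CfgEntry):
        specificity = 2 if entry.host else (1 if entry.group else 0)
        return (specificity, entry.priority, TEMPLATE_RANK[entry.template])

    return max(candidates, key=rank)


# Constructed listing of Cfg/etc/fstab/, matching the page's fstab example.
FSTAB_DIR = ["info.xml", "fstab", "fstab.G50_server",
             "fstab.G99_fileserver", "fstab.H_host.example.com"]


def demo() -> dict:
    """Return the filename each constructed client would receive."""
    return {
        "desktop": select_entry(FSTAB_DIR, "fstab", "pc1.example.com", []).filename,
        "server": select_entry(FSTAB_DIR, "fstab", "s1.example.com", ["server"]).filename,
        "fileserver": select_entry(FSTAB_DIR, "fstab", "nas.example.com",
                                   ["server", "fileserver"]).filename,
        "host": select_entry(FSTAB_DIR, "fstab", "host.example.com",
                             ["server", "fileserver"]).filename,
    }


if __name__ == "__main__":
    for client, chosen in demo().items():
        print(f"{client:>10}: {chosen}")
```

<p>Running the block prints the four outcomes of the fstab walkthrough above. A client that matches nothing (for instance a directory holding only group-specific files, requested by a client in none of those groups) raises <tt class="docutils literal"><span class="pre">LookupError</span></tt>, which plays the role of the bind failure described under Error handling; a real deployment should log that case rather than silently serving an unrelated file.</p>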
</div>
</div>
<div class="section" id="encrypted-files">
<span id="server-plugins-generators-cfg-encryption"></span><h2>Encrypted Files<a class="headerlink" href="#encrypted-files" title="Permalink to this headline">¶</a></h2>
<p class="versionadded">
<span class="versionmodified">New in version 1.3.0.</span></p>
<p>Bcfg2 allows you to encrypt files stored in <tt class="docutils literal"><span class="pre">Cfg/</span></tt> to protect the
data in them from other people who need access to the repository.  See
also <a class="reference internal" href="../connectors/properties.html#server-plugins-connectors-properties-encryption"><em>Encrypted Properties data</em></a> for
information on encrypting elements in Properties files, which is often
more friendly for tracking changes in a VCS.</p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">This feature is <em>not</em> intended to secure the files against a
malicious attacker who has gained access to your Bcfg2 server, as
the encryption passphrases are held in plaintext in
<tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt>.  This is only intended to make it easier to use a
single Bcfg2 repository with multiple admins who should not
necessarily have access to each other&#8217;s sensitive data.</p>
</div>
<p>See <a class="reference internal" href="../../encryption.html#server-encryption"><em>Bcfg2 Data Encryption</em></a> for more details on encryption in Bcfg2
in general.</p>
<div class="section" id="encrypting-files">
<h3>Encrypting Files<a class="headerlink" href="#encrypting-files" title="Permalink to this headline">¶</a></h3>
<p>An encrypted file should end with <tt class="docutils literal"><span class="pre">.crypt</span></tt>, e.g.:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="n">Cfg</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">conf</span>
<span class="n">Cfg</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">conf</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">conf</span><span class="o">.</span><span class="n">crypt</span>
<span class="n">Cfg</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">conf</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">conf</span><span class="o">.</span><span class="n">G10_foo</span><span class="o">.</span><span class="n">crypt</span>
</pre></div>
</div>
<p>Encrypted Genshi or Cheetah templates can have the extensions in
either order, e.g.:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="n">Cfg</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">conf</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">conf</span><span class="o">.</span><span class="n">crypt</span><span class="o">.</span><span class="n">genshi</span>
<span class="n">Cfg</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">conf</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">conf</span><span class="o">.</span><span class="n">G10_foo</span><span class="o">.</span><span class="n">genshi</span><span class="o">.</span><span class="n">crypt</span>
<span class="n">Cfg</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">conf</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">conf</span><span class="o">.</span><span class="n">H_bar</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">crypt</span><span class="o">.</span><span class="n">cheetah</span>
</pre></div>
</div>
<p>To encrypt or decrypt a file, use <a class="reference internal" href="../../encryption.html#bcfg2-crypt"><em>bcfg2-crypt</em></a>.</p>
</div>
</div>
<div class="section" id="ssh-keys">
<span id="server-plugins-generators-cfg-sshkeys"></span><h2>SSH Keys<a class="headerlink" href="#ssh-keys" title="Permalink to this headline">¶</a></h2>
<p class="versionadded">
<span class="versionmodified">New in version 1.3.0.</span></p>
<p>Cfg can also be used to automatically create and distribute SSH key
pairs and the <tt class="docutils literal"><span class="pre">authorized_keys</span></tt> file.</p>
<p>Keys can be created one of two ways:</p>
<ul class="simple">
<li>Host-specific keys, where each client has its own key pair.  This is
the default.</li>
<li>Group-specific keys.  To do this, you must set <tt class="docutils literal"><span class="pre">category</span></tt> in
either <tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt> (see &#8220;Configuration&#8221; below) or in
<tt class="docutils literal"><span class="pre">privkey.xml</span></tt>.  Keys created for a given client will be specific
to that client&#8217;s group in the specified category.</li>
</ul>
<p>Group-specific keys are useful if, for instance, you have multiple
distinct environments (development, testing, production, for example)
and want to maintain separate keys for each environment.</p>
<p>This feature actually creates static keys, much like the
<a class="reference internal" href="sshbase.html#server-plugins-generators-sshbase"><em>SSHbase</em></a> plugin creates SSH
certificates.  It doesn&#8217;t generate them on the fly for each request;
it generates the key once, then saves it to the filesystem.</p>
<div class="section" id="creating-key-pairs">
<h3>Creating key pairs<a class="headerlink" href="#creating-key-pairs" title="Permalink to this headline">¶</a></h3>
<p>To create an SSH key pair, you need to define how the private key will
be created in <tt class="docutils literal"><span class="pre">privkey.xml</span></tt>.  For instance, to create
<tt class="docutils literal"><span class="pre">/home/foo/.ssh/id_rsa</span></tt>, you would create
<tt class="docutils literal"><span class="pre">/var/lib/bcfg2/Cfg/home/foo/.ssh/id_rsa/privkey.xml</span></tt>.</p>
<p>This will create <em>both</em> the private key and the public key; the latter
is created by appending <tt class="docutils literal"><span class="pre">.pub</span></tt> to the private key filename.  It is
not possible to change the public key filename.</p>
<p>You may <em>optionally</em> also create a corresponding <tt class="docutils literal"><span class="pre">pubkey.xml</span></tt>, which
will allow the key pair to be created when the public key is
requested.  (For the example above, you&#8217;d create
<tt class="docutils literal"><span class="pre">/var/lib/bcfg2/Cfg/home/foo/.ssh/id_rsa.pub/pubkey.xml</span></tt>.) This can
speed up the propagation of SSH keys throughout your managed systems,
particularly if you use the <tt class="docutils literal"><span class="pre">authorized_keys</span></tt> generation feature.</p>
<div class="section" id="privkey-xml">
<h4><tt class="docutils literal"><span class="pre">privkey.xml</span></tt><a class="headerlink" href="#privkey-xml" title="Permalink to this headline">¶</a></h4>
<p><tt class="docutils literal"><span class="pre">privkey.xml</span></tt> contains a top-level <tt class="docutils literal"><span class="pre">PrivateKey</span></tt> element, and is
structured as follows:</p>
<dl class="element" id="element:PrivateKey">
<dt id="element:PrivateKey">
<!--[element:PrivateKey]--><em>element</em> <strong>PrivateKey</strong><a class="headerlink" href="#element:PrivateKey" title="Permalink to this definition">¶</a></dt>
<dd><blockquote class="first">
<div>Top-level tag for describing a generated SSH key pair.</div></blockquote>
<dl class="last docutils" id="complexType:PrivateKey">
<dt>Attributes:</dt>
<dd><table border="1" class="first last docutils">
<colgroup>
<col width="10%" />
<col width="50%" />
<col width="20%" />
<col width="10%" />
<col width="10%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Name</th>
<th class="head">Description</th>
<th class="head">Values</th>
<th class="head">Required</th>
<th class="head">Default</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><span class="target" id="attribute:PrivateKey:category"></span><tt class="docutils literal"><span class="pre">category</span></tt></td>
<td><blockquote class="first last">
<div>Create keys specific to the given category, instead of
specific to the category given in <tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt>.</div></blockquote>
</td>
<td><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></td>
<td>No</td>
<td>None</td>
</tr>
<tr class="row-odd"><td><span class="target" id="attribute:PrivateKey:decrypt"></span><tt class="docutils literal"><span class="pre">decrypt</span></tt></td>
<td><blockquote class="first last">
<div>Override the global strict/lax decryption setting in
<tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt>.</div></blockquote>
</td>
<td><tt class="docutils literal"><span class="pre">strict</span></tt> | <tt class="docutils literal"><span class="pre">lax</span></tt></td>
<td>No</td>
<td>None</td>
</tr>
<tr class="row-even"><td><span class="target" id="attribute:PrivateKey:perhost"></span><tt class="docutils literal"><span class="pre">perhost</span></tt></td>
<td><blockquote class="first last">
<div>Create keys on a per-host basis (rather than on a per-group
basis).</div></blockquote>
</td>
<td><tt class="docutils literal"><span class="pre">true</span></tt> | <tt class="docutils literal"><span class="pre">false</span></tt></td>
<td>No</td>
<td>None</td>
</tr>
<tr class="row-odd"><td><span class="target" id="attribute:PrivateKey:priority"></span><tt class="docutils literal"><span class="pre">priority</span></tt></td>
<td><blockquote class="first last">
<div>Create group-specific keys with the given priority.</div></blockquote>
</td>
<td><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#positiveInteger"><tt class="docutils literal"><span class="pre">positiveInteger</span></tt></a></td>
<td>No</td>
<td><tt class="first last docutils literal"><span class="pre">50</span></tt></td>
</tr>
</tbody>
</table>
</dd>
<dt>Child elements:</dt>
<dd><ul class="first last">
<li><dl class="element" id="element:Passphrase">
<dt id="element:Passphrase">
<!--[element:Passphrase]--><em>element</em> <strong>Passphrase</strong><a class="headerlink" href="#element:Passphrase" title="Permalink to this definition">¶</a></dt>
<dd><p class="first"></p>
<p class="last">Type: <a class="reference internal" href="#complexType:PassphraseType"><tt class="docutils literal"><span class="pre">PassphraseType</span></tt></a></p>
</dd>
</dl>

</li>
<li><dl class="element" id="element:Params">
<dt id="element:Params">
<!--[element:Params]--><em>element</em> <strong>Params</strong><a class="headerlink" href="#element:Params" title="Permalink to this definition">¶</a></dt>
<dd><p class="first"></p>
<p class="last">Type: <a class="reference internal" href="#complexType:PrivateKeyParamsType"><tt class="docutils literal"><span class="pre">PrivateKeyParamsType</span></tt></a></p>
</dd>
</dl>

</li>
<li><dl class="element" id="element:Group">
<dt id="element:Group">
<!--[element:Group]--><em>element</em> <strong>Group</strong><a class="headerlink" href="#element:Group" title="Permalink to this definition">¶</a></dt>
<dd><p class="first"></p>
<p class="last">Type: <a class="reference internal" href="#complexType:PrivateKeyGroupType"><tt class="docutils literal"><span class="pre">PrivateKeyGroupType</span></tt></a></p>
</dd>
</dl>

</li>
<li><dl class="element" id="element:Client">
<dt id="element:Client">
<!--[element:Client]--><em>element</em> <strong>Client</strong><a class="headerlink" href="#element:Client" title="Permalink to this definition">¶</a></dt>
<dd><p class="first"></p>
<p class="last">Type: <a class="reference internal" href="#complexType:PrivateKeyGroupType"><tt class="docutils literal"><span class="pre">PrivateKeyGroupType</span></tt></a></p>
</dd>
</dl>

</li>
</ul>
</dd>
</dl>
</dd>
</dl>

<dl class="complexType" id="complexType:PassphraseType">
<dt id="complexType:PassphraseType">
<!--[complexType:PassphraseType]--><em>complexType</em> <strong>PassphraseType</strong><a class="headerlink" href="#complexType:PassphraseType" title="Permalink to this definition">¶</a></dt>
<dd><blockquote class="first">
<div>Specify the private key passphrase.</div></blockquote>
<dl class="last docutils">
<dt>Attributes:</dt>
<dd><table border="1" class="first last docutils">
<colgroup>
<col width="10%" />
<col width="50%" />
<col width="20%" />
<col width="10%" />
<col width="10%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Name</th>
<th class="head">Description</th>
<th class="head">Values</th>
<th class="head">Required</th>
<th class="head">Default</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><span class="target" id="attribute:PassphraseType:encrypted"></span><tt class="docutils literal"><span class="pre">encrypted</span></tt></td>
<td><blockquote class="first last">
<div>The name of the passphrase to use to encrypt this
private key on the filesystem (in Bcfg2).</div></blockquote>
</td>
<td><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></td>
<td>No</td>
<td>None</td>
</tr>
</tbody>
</table>
</dd>
<dt>Text content:</dt>
<dd><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></dd>
</dl>
</dd>
</dl>

<dl class="complexType" id="complexType:PrivateKeyParamsType">
<dt id="complexType:PrivateKeyParamsType">
<!--[complexType:PrivateKeyParamsType]--><em>complexType</em> <strong>PrivateKeyParamsType</strong><a class="headerlink" href="#complexType:PrivateKeyParamsType" title="Permalink to this definition">¶</a></dt>
<dd><blockquote class="first">
<div>Specify parameters for creating the private key</div></blockquote>
<dl class="last docutils">
<dt>Attributes:</dt>
<dd><table border="1" class="first last docutils">
<colgroup>
<col width="10%" />
<col width="50%" />
<col width="20%" />
<col width="10%" />
<col width="10%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Name</th>
<th class="head">Description</th>
<th class="head">Values</th>
<th class="head">Required</th>
<th class="head">Default</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><span class="target" id="attribute:PrivateKeyParamsType:bits"></span><tt class="docutils literal"><span class="pre">bits</span></tt></td>
<td><blockquote class="first last">
<div>Number of bits in the key.  See <em class="manpage">ssh-keygen(1)</em> for
defaults.</div></blockquote>
</td>
<td><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#positiveInteger"><tt class="docutils literal"><span class="pre">positiveInteger</span></tt></a></td>
<td>No</td>
<td>None</td>
</tr>
<tr class="row-odd"><td><span class="target" id="attribute:PrivateKeyParamsType:type"></span><tt class="docutils literal"><span class="pre">type</span></tt></td>
<td><blockquote class="first last">
<div>Key type to create.</div></blockquote>
</td>
<td><tt class="docutils literal"><span class="pre">rsa</span></tt> | <tt class="docutils literal"><span class="pre">dsa</span></tt></td>
<td>No</td>
<td><tt class="first last docutils literal"><span class="pre">rsa</span></tt></td>
</tr>
</tbody>
</table>
</dd>
</dl>
</dd>
</dl>

<dl class="complexType" id="complexType:PrivateKeyGroupType">
<dt id="complexType:PrivateKeyGroupType">
<!--[complexType:PrivateKeyGroupType]--><em>complexType</em> <strong>PrivateKeyGroupType</strong><a class="headerlink" href="#complexType:PrivateKeyGroupType" title="Permalink to this definition">¶</a></dt>
<dd><blockquote class="first">
<div>A <strong>PrivateKeyGroupType</strong> is a tag used to provide logic.
Child entries of a PrivateKeyGroupType tag only apply to
machines that match the condition specified &#8211; either
membership in a group, or a matching client name.
<a class="reference internal" href="#attribute:PrivateKeyGroupType:negate"><tt class="xref xml xml-attribute docutils literal"><span class="pre">negate</span></tt></a> can be set to
negate the sense of the match.</div></blockquote>
<dl class="last docutils">
<dt>Attributes:</dt>
<dd><table border="1" class="first last docutils">
<colgroup>
<col width="10%" />
<col width="50%" />
<col width="20%" />
<col width="10%" />
<col width="10%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Name</th>
<th class="head">Description</th>
<th class="head">Values</th>
<th class="head">Required</th>
<th class="head">Default</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><span class="target" id="attribute:PrivateKeyGroupType:name"></span><tt class="docutils literal"><span class="pre">name</span></tt></td>
<td><blockquote class="first last">
<div>The name of the client or group to match on.  Child entries
will only apply to this client or group (unless
<a class="reference internal" href="#attribute:PrivateKeyGroupType:negate"><tt class="xref xml xml-attribute docutils literal"><span class="pre">negate</span></tt></a> is set).</div></blockquote>
</td>
<td><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></td>
<td>No</td>
<td>None</td>
</tr>
<tr class="row-odd"><td><span class="target" id="attribute:PrivateKeyGroupType:negate"></span><tt class="docutils literal"><span class="pre">negate</span></tt></td>
<td><blockquote class="first last">
<div>Negate the sense of the match, so that child entries only
apply to a client if it is not a member of the given group
or does not have the given name.</div></blockquote>
</td>
<td><tt class="docutils literal"><span class="pre">true</span></tt> | <tt class="docutils literal"><span class="pre">false</span></tt></td>
<td>No</td>
<td>None</td>
</tr>
</tbody>
</table>
</dd>
<dt>Child elements:</dt>
<dd><ul class="first last simple">
<li><a class="reference internal" href="#element:Passphrase"><tt class="docutils literal"><span class="pre">Passphrase</span></tt></a></li>
<li><a class="reference internal" href="#element:Params"><tt class="docutils literal"><span class="pre">Params</span></tt></a></li>
<li><a class="reference internal" href="../../info.html#element:Group"><tt class="docutils literal"><span class="pre">Group</span></tt></a></li>
<li><a class="reference internal" href="../../info.html#element:Client"><tt class="docutils literal"><span class="pre">Client</span></tt></a></li>
</ul>
</dd>
</dl>
</dd>
</dl>

<p>See <a class="reference internal" href="../../encryption.html#server-encryption"><em>Bcfg2 Data Encryption</em></a> for more details on encryption in Bcfg2
in general.</p>
</div>
<div class="section" id="pubkey-xml">
<h4><tt class="docutils literal"><span class="pre">pubkey.xml</span></tt><a class="headerlink" href="#pubkey-xml" title="Permalink to this headline">¶</a></h4>
<p><tt class="docutils literal"><span class="pre">pubkey.xml</span></tt> only ever contains a single line:</p>
<div class="highlight-xml"><div class="highlight"><pre><span class="nt">&lt;PublicKey/&gt;</span>
</pre></div>
</div>
<dl class="element" id="element:PublicKey">
<dt id="element:PublicKey">
<!--[element:PublicKey]--><em>element</em> <strong>PublicKey</strong><a class="headerlink" href="#element:PublicKey" title="Permalink to this definition">¶</a></dt>
<dd><blockquote class="first">
<div>Top-level tag for flagging a generated SSH public key.</div></blockquote>
<dl class="last docutils" id="complexType:PublicKey">
</dl>
</dd>
</dl>

<p>It acts only as a flag to Bcfg2 that a key pair should be generated, if
none exists, using the associated <tt class="docutils literal"><span class="pre">privkey.xml</span></tt> file.  The path to
<tt class="docutils literal"><span class="pre">privkey.xml</span></tt> is determined by removing <tt class="docutils literal"><span class="pre">.pub</span></tt> from the directory
containing <tt class="docutils literal"><span class="pre">pubkey.xml</span></tt>.  I.e., if you create
<tt class="docutils literal"><span class="pre">/var/lib/bcfg2/Cfg/home/foo/.ssh/id_rsa.pub/pubkey.xml</span></tt>, then Bcfg2
will use <tt class="docutils literal"><span class="pre">/var/lib/bcfg2/Cfg/home/foo/.ssh/id_rsa/privkey.xml</span></tt> to
create the key pair.</p>
<p>Use of <tt class="docutils literal"><span class="pre">pubkey.xml</span></tt> is optional, but is recommended.  If you do not
use <tt class="docutils literal"><span class="pre">pubkey.xml</span></tt> files, you may encounter two problems:</p>
<ul class="simple">
<li>On the first Bcfg2 client run on a given client, the private keys
may be present but the public keys may not be.  This will be fixed
by running <tt class="docutils literal"><span class="pre">bcfg2</span></tt> again.</li>
<li>If you are including an automatically created public key in
<tt class="docutils literal"><span class="pre">authorized_keys</span></tt>, it will not be created until the client the key
is for requests the key pair.</li>
</ul>
<p>As an example of this latter scenario, suppose that your
<tt class="docutils literal"><span class="pre">authorized_keys.xml</span></tt> allows access to foo.example.com from
<tt class="docutils literal"><span class="pre">/root/.ssh/id_rsa.pub</span></tt> for bar.example.com.  If bar.example.com has
not run the Bcfg2 client, then no key pair will have been generated,
and generating the foo.example.com <tt class="docutils literal"><span class="pre">authorized_keys</span></tt> file will
create a warning.  But if you create
<tt class="docutils literal"><span class="pre">Cfg/root/.ssh/id_rsa.pub/pubkey.xml</span></tt>, then building
<tt class="docutils literal"><span class="pre">authorized_keys</span></tt> for foo.example.com will create root&#8217;s keypair for
bar.example.com.</p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">In order to use <tt class="docutils literal"><span class="pre">pubkey.xml</span></tt>, there <em>must</em> be a corresponding
<tt class="docutils literal"><span class="pre">privkey.xml</span></tt>.  You cannot, for instance, populate a directory
with manually-generated private SSH keys, drop <tt class="docutils literal"><span class="pre">pubkey.xml</span></tt> in
the related public key directory, and expect Bcfg2 to generate the
public keys.  It will not.</p>
</div>
</div>
<div class="section" id="id2">
<h4>Examples<a class="headerlink" href="#id2" title="Permalink to this headline">¶</a></h4>
<p><tt class="docutils literal"><span class="pre">privkey.xml</span></tt> can, at its simplest, be a single empty tag:</p>
<div class="highlight-xml"><div class="highlight"><pre><span class="nt">&lt;PrivateKey/&gt;</span>
</pre></div>
</div>
<p>This will create a private key with all defaults.  Or it can be more
complex:</p>
<div class="highlight-xml"><div class="highlight"><pre><span class="nt">&lt;PrivateKey</span> <span class="na">category=</span><span class="s">&quot;environment&quot;</span><span class="nt">&gt;</span>
  <span class="nt">&lt;Params</span> <span class="na">bits=</span><span class="s">&quot;1024&quot;</span> <span class="na">type=</span><span class="s">&quot;dsa&quot;</span><span class="nt">/&gt;</span>
  <span class="nt">&lt;Group</span> <span class="na">name=</span><span class="s">&quot;secure&quot;</span><span class="nt">&gt;</span>
    <span class="nt">&lt;Passphrase</span> <span class="na">encrypted=</span><span class="s">&quot;secure&quot;</span><span class="nt">&gt;</span>U2FsdGVkX19xACol83uyPELP94s4CmngD12oU6PLLuE=<span class="nt">&lt;/Passphrase&gt;</span>
  <span class="nt">&lt;/Group&gt;</span>
<span class="nt">&lt;/PrivateKey&gt;</span>
</pre></div>
</div>
<p>This creates a 1024-bit DSA key for each group in the <tt class="docutils literal"><span class="pre">environment</span></tt>
category, and keys for clients in the <tt class="docutils literal"><span class="pre">secure</span></tt> group will be
protected with the given (encrypted) passphrase.</p>
<p>To complete the example, assume that this file was saved at
<tt class="docutils literal"><span class="pre">/var/lib/bcfg2/Cfg/home/foo/.ssh/id_rsa/privkey.xml</span></tt>.  If a client
in the <tt class="docutils literal"><span class="pre">development</span></tt> group, which is a group in the <tt class="docutils literal"><span class="pre">environment</span></tt>
category, requests the private key, then the following files would be
created:</p>
<div class="highlight-python"><pre>/var/lib/bcfg2/Cfg/home/foo/.ssh/id_rsa/id_rsa.G50_development
/var/lib/bcfg2/Cfg/home/foo/.ssh/id_rsa.pub/id_rsa.pub.G50_development</pre>
</div>
<p><tt class="docutils literal"><span class="pre">/var/lib/bcfg2/Cfg/home/foo/.ssh/id_rsa.pub</span></tt> would be created if it
did not exist.</p>
<p>Subsequent clients that were also members of the <tt class="docutils literal"><span class="pre">development</span></tt>
environment would get the keys that have already been generated.</p>
<p><tt class="docutils literal"><span class="pre">pubkey.xml</span></tt> always contains a single empty tag:</p>
<div class="highlight-xml"><div class="highlight"><pre><span class="nt">&lt;PublicKey/&gt;</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="generating-authorized-keys">
<h3>Generating <tt class="docutils literal"><span class="pre">authorized_keys</span></tt><a class="headerlink" href="#generating-authorized-keys" title="Permalink to this headline">¶</a></h3>
<p><tt class="docutils literal"><span class="pre">authorized_keys</span></tt> can be automatically generated from public SSH
keys that exist in the Cfg tree.  The keys in question can be
generated from <tt class="docutils literal"><span class="pre">privkey.xml</span></tt>, or they can be manually created.</p>
<p>If a key doesn&#8217;t exist when <tt class="docutils literal"><span class="pre">authorized_keys</span></tt> is generated, the key
will only be created if <tt class="docutils literal"><span class="pre">pubkey.xml</span></tt> exists.  If that is not the
case, a warning will be produced.</p>
<p>To generate <tt class="docutils literal"><span class="pre">authorized_keys</span></tt>, create <tt class="docutils literal"><span class="pre">authorized_keys.xml</span></tt>, e.g.:
<tt class="docutils literal"><span class="pre">/var/lib/bcfg2/Cfg/root/.ssh/authorized_keys/authorized_keys.xml</span></tt>.</p>
<div class="section" id="authorized-keys-xml">
<h4><tt class="docutils literal"><span class="pre">authorized_keys.xml</span></tt><a class="headerlink" href="#authorized-keys-xml" title="Permalink to this headline">¶</a></h4>
<p><tt class="docutils literal"><span class="pre">authorized_keys.xml</span></tt> is structured as follows:</p>
<dl class="element" id="element:AuthorizedKeys">
<dt id="element:AuthorizedKeys">
<!--[element:AuthorizedKeys]--><em>element</em> <strong>AuthorizedKeys</strong><a class="headerlink" href="#element:AuthorizedKeys" title="Permalink to this definition">¶</a></dt>
<dd><blockquote class="first">
<div>Top-level tag for describing a generated SSH key pair.</div></blockquote>
<dl class="last docutils" id="complexType:AuthorizedKeys">
<dt>Child elements:</dt>
<dd><ul class="first last">
<li><dl class="element" id="element:Allow">
<dt id="element:Allow">
<!--[element:Allow]--><em>element</em> <strong>Allow</strong><a class="headerlink" href="#element:Allow" title="Permalink to this definition">¶</a></dt>
<dd><p class="first"></p>
<p class="last">Type: <a class="reference internal" href="#complexType:AllowType"><tt class="docutils literal"><span class="pre">AllowType</span></tt></a></p>
</dd>
</dl>

</li>
<li><dl class="element" id="element:Group">
<dt id="element:Group">
<!--[element:Group]--><em>element</em> <strong>Group</strong><a class="headerlink" href="#element:Group" title="Permalink to this definition">¶</a></dt>
<dd><p class="first"></p>
<p class="last">Type: <a class="reference internal" href="#complexType:AuthorizedKeysGroupType"><tt class="docutils literal"><span class="pre">AuthorizedKeysGroupType</span></tt></a></p>
</dd>
</dl>

</li>
<li><dl class="element" id="element:Client">
<dt id="element:Client">
<!--[element:Client]--><em>element</em> <strong>Client</strong><a class="headerlink" href="#element:Client" title="Permalink to this definition">¶</a></dt>
<dd><p class="first"></p>
<p class="last">Type: <a class="reference internal" href="#complexType:AuthorizedKeysGroupType"><tt class="docutils literal"><span class="pre">AuthorizedKeysGroupType</span></tt></a></p>
</dd>
</dl>

</li>
</ul>
</dd>
</dl>
</dd>
</dl>

<dl class="complexType" id="complexType:AllowType">
<dt id="complexType:AllowType">
<!--[complexType:AllowType]--><em>complexType</em> <strong>AllowType</strong><a class="headerlink" href="#complexType:AllowType" title="Permalink to this definition">¶</a></dt>
<dd><blockquote class="first">
<div>Allow access from a public key, given either as text content,
or described by the attributes.</div></blockquote>
<dl class="last docutils">
<dt>Attributes:</dt>
<dd><table border="1" class="first last docutils">
<colgroup>
<col width="10%" />
<col width="50%" />
<col width="20%" />
<col width="10%" />
<col width="10%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Name</th>
<th class="head">Description</th>
<th class="head">Values</th>
<th class="head">Required</th>
<th class="head">Default</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><span class="target" id="attribute:AllowType:from"></span><tt class="docutils literal"><span class="pre">from</span></tt></td>
<td><blockquote class="first last">
<div>The path of the public key to allow.</div></blockquote>
</td>
<td><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></td>
<td>No</td>
<td>None</td>
</tr>
<tr class="row-odd"><td><span class="target" id="attribute:AllowType:group"></span><tt class="docutils literal"><span class="pre">group</span></tt></td>
<td><blockquote class="first last">
<div>Use a public key specific to the given group, instead of the
public key specific to the appropriate category group of the
current client.</div></blockquote>
</td>
<td><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></td>
<td>No</td>
<td>None</td>
</tr>
<tr class="row-even"><td><span class="target" id="attribute:AllowType:host"></span><tt class="docutils literal"><span class="pre">host</span></tt></td>
<td><blockquote class="first last">
<div>Use a public key specific to the given host.</div></blockquote>
</td>
<td><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></td>
<td>No</td>
<td>None</td>
</tr>
</tbody>
</table>
</dd>
<dt>Child elements:</dt>
<dd><ul class="first last">
<li><dl class="element" id="element:Params">
<dt id="element:Params">
<!--[element:Params]--><em>element</em> <strong>Params</strong><a class="headerlink" href="#element:Params" title="Permalink to this definition">¶</a></dt>
</dt>
<dd><p class="first"></p>
<p class="last">Type: <a class="reference internal" href="#complexType:AuthorizedKeysParamsType"><tt class="docutils literal"><span class="pre">AuthorizedKeysParamsType</span></tt></a></p>
</dd>
</dl>

</li>
</ul>
</dd>
<dt>Text content:</dt>
<dd>Any</dd>
</dl>
</dd>
</dl>

<dl class="complexType" id="complexType:AuthorizedKeysGroupType">
<dt id="complexType:AuthorizedKeysGroupType">
<!--[complexType:AuthorizedKeysGroupType]--><em>complexType</em> <strong>AuthorizedKeysGroupType</strong><a class="headerlink" href="#complexType:AuthorizedKeysGroupType" title="Permalink to this definition">¶</a></dt>
<dd><blockquote class="first">
<div>An <strong>AuthorizedKeysGroupType</strong> is a tag used to provide logic.
Child entries of an AuthorizedKeysGroupType tag only apply to
machines that match the condition specified &#8211; either
membership in a group, or a matching client name.
<a class="reference internal" href="#attribute:AuthorizedKeysGroupType:negate"><tt class="xref xml xml-attribute docutils literal"><span class="pre">negate</span></tt></a> can be set to
negate the sense of the match.</div></blockquote>
<dl class="last docutils">
<dt>Attributes:</dt>
<dd><table border="1" class="first last docutils">
<colgroup>
<col width="10%" />
<col width="50%" />
<col width="20%" />
<col width="10%" />
<col width="10%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Name</th>
<th class="head">Description</th>
<th class="head">Values</th>
<th class="head">Required</th>
<th class="head">Default</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><span class="target" id="attribute:AuthorizedKeysGroupType:name"></span><tt class="docutils literal"><span class="pre">name</span></tt></td>
<td><blockquote class="first last">
<div>The name of the client or group to match on.  Child entries
will only apply to this client or group (unless
<a class="reference internal" href="#attribute:AuthorizedKeysGroupType:negate"><tt class="xref xml xml-attribute docutils literal"><span class="pre">negate</span></tt></a> is set).</div></blockquote>
</td>
<td><a class="reference external" href="http://www.w3.org/TR/xmlschema-2/#string"><tt class="docutils literal"><span class="pre">string</span></tt></a></td>
<td>No</td>
<td>None</td>
</tr>
<tr class="row-odd"><td><span class="target" id="attribute:AuthorizedKeysGroupType:negate"></span><tt class="docutils literal"><span class="pre">negate</span></tt></td>
<td><blockquote class="first last">
<div>Negate the sense of the match, so that child entries only
apply to a client if it is not a member of the given group
or does not have the given name.</div></blockquote>
</td>
<td><tt class="docutils literal"><span class="pre">true</span></tt> | <tt class="docutils literal"><span class="pre">false</span></tt></td>
<td>No</td>
<td>None</td>
</tr>
</tbody>
</table>
</dd>
<dt>Child elements:</dt>
<dd><ul class="first last simple">
<li><a class="reference internal" href="#element:Allow"><tt class="docutils literal"><span class="pre">Allow</span></tt></a></li>
<li><a class="reference internal" href="../../info.html#element:Group"><tt class="docutils literal"><span class="pre">Group</span></tt></a></li>
<li><a class="reference internal" href="../../info.html#element:Client"><tt class="docutils literal"><span class="pre">Client</span></tt></a></li>
</ul>
</dd>
</dl>
</dd>
</dl>

<dl class="complexType" id="complexType:AuthorizedKeysParamsType">
<dt id="complexType:AuthorizedKeysParamsType">
<!--[complexType:AuthorizedKeysParamsType]--><em>complexType</em> <strong>AuthorizedKeysParamsType</strong><a class="headerlink" href="#complexType:AuthorizedKeysParamsType" title="Permalink to this definition">¶</a></dt>
<dd><blockquote class="first">
<div>Specify parameters for public key authentication and
connection.  See <em class="manpage">sshd(8)</em> for details on allowable
parameters.</div></blockquote>
<dl class="last docutils">
<dt>Attributes:</dt>
<dd><table border="1" class="first last docutils">
<colgroup>
<col width="10%" />
<col width="50%" />
<col width="20%" />
<col width="10%" />
<col width="10%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Name</th>
<th class="head">Description</th>
<th class="head">Values</th>
<th class="head">Required</th>
<th class="head">Default</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>*</td>
<td></td>
<td>Any</td>
<td>No</td>
<td>None</td>
</tr>
</tbody>
</table>
</dd>
</dl>
</dd>
</dl>

</div>
<div class="section" id="example">
<h4>Example<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h4>
<div class="highlight-xml"><div class="highlight"><pre><span class="nt">&lt;AuthorizedKeys&gt;</span>
  <span class="nt">&lt;Group</span> <span class="na">name=</span><span class="s">&quot;some_group&quot;</span><span class="nt">&gt;</span>
    <span class="nt">&lt;Allow</span> <span class="na">from=</span><span class="s">&quot;/root/.ssh/id_rsa.pub&quot;</span><span class="nt">/&gt;</span>
    <span class="nt">&lt;Allow</span> <span class="na">from=</span><span class="s">&quot;/root/.ssh/id_rsa.pub&quot;</span> <span class="na">group=</span><span class="s">&quot;test&quot;</span><span class="nt">/&gt;</span>
  <span class="nt">&lt;/Group&gt;</span>
  <span class="nt">&lt;Allow</span> <span class="na">from=</span><span class="s">&quot;/root/.ssh/id_rsa.pub&quot;</span> <span class="na">host=</span><span class="s">&quot;foo.example.com&quot;</span><span class="nt">/&gt;</span>
  <span class="nt">&lt;Allow</span> <span class="na">from=</span><span class="s">&quot;/home/foo_user/.ssh/id_rsa.pub&quot;</span><span class="nt">&gt;</span>
    <span class="nt">&lt;Params</span> <span class="na">command=</span><span class="s">&quot;/home/foo_user/.ssh/ssh_command_filter&quot;</span><span class="nt">/&gt;</span>
  <span class="nt">&lt;/Allow&gt;</span>
  <span class="nt">&lt;Allow&gt;</span>
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDw/rgKQeARRAHK5bQQhAAe1b+gzdtqBXWrZIQ6cIaLgxqj76TwZ3DY4A6aW9RgC4zzd0p4a9MfsScUIB4+UeZsx9GopUj4U6H8Vz7S3pXxrr4E9logVLuSfOLFbI/wMWNRuOANqquLYQ+JYWKeP4kagkVp0aAWp7mH5IOI0rp0A6qE2you4ep9N/nKvHDrtypwhYBWprsgTUXXMHnAWGmyuHGYWxNYBV9AARPdAvZfb8ggtuwibcOULlyK4DdVNbDTAN1/BDBE1ve6WZDcrc386KhqUGj/yoRyPjNZ46uZiOjRr3cdY6yUZoCwzzxvm5vle6mEbLjHgjGEMQMArzM9 vendor@example.com
  <span class="nt">&lt;/Allow&gt;</span>
<span class="nt">&lt;/AuthorizedKeys&gt;</span>
</pre></div>
</div>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p><tt class="docutils literal"><span class="pre">authorized_keys.xml</span></tt> allows you to specify the group whose
public key should be allowed.  This retrieves the public key
specific to that group (if it exists), <em>not</em> the public key for
all hosts in that group.  This is due to the performance penalties
that would be imposed by that approach.</p>
<p>Similarly, it is not possible to allow access from all keys for a
given user (i.e., at a given path).</p>
<p class="last">Hopefully, the performance concerns can be resolved in a future
release and these features can be added.</p>
</div>
</div>
</div>
<div class="section" id="configuration">
<h3>Configuration<a class="headerlink" href="#configuration" title="Permalink to this headline">¶</a></h3>
<p>In addition to <tt class="docutils literal"><span class="pre">privkey.xml</span></tt> and <tt class="docutils literal"><span class="pre">authorized_keys.xml</span></tt>, described
above, the behavior of the SSH key generation feature can be
influenced by several options in the <tt class="docutils literal"><span class="pre">[sshkeys]</span></tt> section of
<tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt>:</p>
<table border="1" class="docutils">
<colgroup>
<col width="15%" />
<col width="53%" />
<col width="21%" />
<col width="11%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Option</th>
<th class="head">Description</th>
<th class="head">Values</th>
<th class="head">Default</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><tt class="docutils literal"><span class="pre">passphrase</span></tt></td>
<td>Use the named passphrase to encrypt private keys on the
filesystem. The passphrase must be defined in the
<tt class="docutils literal"><span class="pre">[encryption]</span></tt> section. See <a class="reference internal" href="../../encryption.html#server-encryption"><em>Bcfg2 Data Encryption</em></a>
for more details on encryption in Bcfg2 in general.</td>
<td>String</td>
<td>None</td>
</tr>
<tr class="row-odd"><td><tt class="docutils literal"><span class="pre">category</span></tt></td>
<td>Generate keys specific to groups in the given category.
It is best to pick a category that all clients have a
group from.</td>
<td>String</td>
<td>None</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section" id="deltas">
<h2>Deltas<a class="headerlink" href="#deltas" title="Permalink to this headline">¶</a></h2>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">In Bcfg2 1.3 and newer, deltas are deprecated.  It is recommended
that you use templates instead.  The
<a class="reference internal" href="../connectors/templatehelper.html#server-plugins-connectors-templatehelper"><em>TemplateHelper plugin</em></a> comes with an example
helper that can be used to include other files easily, a subset of
cat file functionality.  <tt class="docutils literal"><span class="pre">bcfg2-lint</span></tt> checks for deltas and
warns about them.</p>
</div>
<p>Bcfg2 has finer-grained control over how to deliver configuration
files to a host. Let&#8217;s say we have a Group named file-server. Members
of this group need the exact same <tt class="docutils literal"><span class="pre">/etc/motd</span></tt> as all other hosts, except
that they need one line added. We could copy motd to <tt class="docutils literal"><span class="pre">motd.G01_file-server</span></tt>,
add the one line to the group-specific version and be done with it,
but then we would be duplicating data in both files. What happens if we need to
update the motd? We would have to remember to update both files. This is
where deltas come in. A delta is a small change to the base file. There
are two types of deltas: cats and diffs. A cat delta simply adds or
removes lines from the base file. A diff delta is more powerful, since
it takes a unified diff and applies it to the base configuration file
to create the specialized file. Diff deltas should be used very sparingly.</p>
<div class="section" id="cat-files">
<h3>Cat Files<a class="headerlink" href="#cat-files" title="Permalink to this headline">¶</a></h3>
<p>Continuing our example for cat files, we would first create a file named
<tt class="docutils literal"><span class="pre">motd.G01_file-server.cat</span></tt>. The .cat suffix designates that the file is
a cat delta rather than a complete file. We would then edit that file and add the following line:</p>
<div class="highlight-python"><pre>+This is a file server</pre>
</div>
<p>The <strong>+</strong> at the beginning of the line tells Bcfg2 that the line should be
appended to the end of the file. You can also start a line with <strong>-</strong> to tell
Bcfg2 to remove that exact line wherever it might be in the file. How do
we know which base file Bcfg2 will choose to apply a delta to? The
same rules apply as before: Bcfg2 chooses the most specific, highest-priority
complete file as the base, and then applies only the deltas at the most
specific level that matches the host, in increasing order of priority. What does this mean in
real life? Let&#8217;s say our machine is a web server, mail server, and file
server and we have the following configuration files:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="n">motd</span>
<span class="n">motd</span><span class="o">.</span><span class="n">G01_web</span><span class="o">-</span><span class="n">server</span>
<span class="n">motd</span><span class="o">.</span><span class="n">G01_mail</span><span class="o">-</span><span class="n">server</span><span class="o">.</span><span class="n">cat</span>
<span class="n">motd</span><span class="o">.</span><span class="n">G02_file</span><span class="o">-</span><span class="n">server</span><span class="o">.</span><span class="n">cat</span>
<span class="n">motd</span><span class="o">.</span><span class="n">H_foo</span><span class="o">.</span><span class="n">example</span><span class="o">.</span><span class="n">com</span><span class="o">.</span><span class="n">cat</span>
</pre></div>
</div>
<p>If our machine <strong>isn&#8217;t</strong> <em>foo.example.com</em> then here&#8217;s what would happen:</p>
<p>Bcfg2 would choose <tt class="docutils literal"><span class="pre">motd.G01_web-server</span></tt> as the base file. It is
the most specific complete file for this host. Bcfg2 would apply the
<tt class="docutils literal"><span class="pre">motd.G01_mail-server.cat</span></tt> delta to the <tt class="docutils literal"><span class="pre">motd.G01_web-server</span></tt>
base file: both applicable deltas are group-level, and it has the lower priority of the two. Bcfg2 would then apply the
<tt class="docutils literal"><span class="pre">motd.G02_file-server.cat</span></tt> delta to the result of the delta before
it. If our machine <strong>is</strong> <em>foo.example.com</em> then here&#8217;s what would happen:</p>
<p>Bcfg2 would choose <tt class="docutils literal"><span class="pre">motd.G01_web-server</span></tt> as the base file. It
is the most specific complete file for this host. Bcfg2 would apply the
<tt class="docutils literal"><span class="pre">motd.H_foo.example.com.cat</span></tt> delta to the <tt class="docutils literal"><span class="pre">motd.G01_web-server</span></tt> base
file. The reason the other deltas aren&#8217;t applied to <em>foo.example.com</em>
is that a <strong>.H_</strong> delta is more specific than a <strong>.G##_</strong> delta, and Bcfg2
applies only the deltas at the most specific level.</p>
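<p>The selection rules above, worked through in code. This is an added example, not Bcfg2&#8217;s own implementation: it parses the five file names listed for the example host, picks the base file and the deltas by the rules the text gives (most specific complete file as base; only the deltas at the most specific matching level, lowest priority first), and applies cat deltas. The file contents, the second host name <em>bar.example.com</em> and the group list are constructed for the example, and rejecting a cat line that starts with neither <strong>+</strong> nor <strong>-</strong> is a choice of this example, not documented Bcfg2 behaviour.</p>

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample repository for the "motd" entry: file name -> content.
# Only the file names come from the page; the contents are invented here.
REPO: Dict[str, str] = {
    "motd": "Welcome to example.com\n",
    "motd.G01_web-server": "Welcome to the example.com web tier\n",
    "motd.G01_mail-server.cat": "+This is a mail server\n",
    "motd.G02_file-server.cat": "+This is a file server\n",
    "motd.H_foo.example.com.cat": (
        "-Welcome to the example.com web tier\n"
        "+foo.example.com is a jump host; all sessions are recorded\n"
    ),
}

# Specificity levels: global < group (G##_) < host (H_).
GLOBAL, GROUP, HOST = 0, 1, 2


@dataclass(frozen=True)
class CfgFile:
    name: str
    level: int
    prio: int                 # G##_ priority; 0 for global and host files
    target: Optional[str]     # group or host name; None for the global file
    is_cat: bool              # True for a .cat delta


def parse_name(entry: str, filename: str) -> CfgFile:
    """Classify a Cfg file name by its specifier (none, G##_group, H_host) and .cat suffix."""
    if filename == entry:
        return CfgFile(filename, GLOBAL, 0, None, False)
    if not filename.startswith(entry + "."):
        raise ValueError("%s does not belong to entry %s" % (filename, entry))
    spec = filename[len(entry) + 1:]
    is_cat = spec.endswith(".cat")
    if is_cat:
        spec = spec[:-len(".cat")]
    m = re.fullmatch(r"G(\d+)_(.+)", spec)
    if m:
        return CfgFile(filename, GROUP, int(m.group(1)), m.group(2), is_cat)
    m = re.fullmatch(r"H_(.+)", spec)
    if m:
        return CfgFile(filename, HOST, 0, m.group(1), is_cat)
    raise ValueError("unrecognised specifier in %s" % filename)


def applies(f: CfgFile, hostname: str, groups: List[str]) -> bool:
    """Does this file apply to the given host at all?"""
    if f.level == GLOBAL:
        return True
    if f.level == GROUP:
        return f.target in groups
    return f.target == hostname


def apply_cat(content: str, delta: str) -> str:
    """Apply one cat delta: '+line' appends, '-line' removes every exact match."""
    lines = content.splitlines()
    for d in delta.splitlines():
        if d.startswith("+"):
            lines.append(d[1:])
        elif d.startswith("-"):
            lines = [l for l in lines if l != d[1:]]
        elif d.strip():
            # The page defines only '+' and '-' lines; this example refuses
            # anything else rather than silently shipping it to clients.
            raise ValueError("cat delta line must start with + or -: %r" % d)
    return "".join(l + "\n" for l in lines)


def build(entry: str, hostname: str, groups: List[str],
          repo: Dict[str, str]) -> Tuple[str, List[str], str]:
    """Return (base file, ordered delta files, resulting content) for one host."""
    files = [f for f in (parse_name(entry, n) for n in repo) if applies(f, hostname, groups)]
    bases = [f for f in files if not f.is_cat]
    if not bases:
        raise LookupError("no base file for %s on %s" % (entry, hostname))
    # Most specific complete file wins; among group files the highest priority wins.
    base = max(bases, key=lambda f: (f.level, f.prio))
    content = repo[base.name]
    chosen: List[str] = []
    deltas = [f for f in files if f.is_cat]
    if deltas:
        # Only deltas at the most specific level are applied, lowest priority first.
        top = max(f.level for f in deltas)
        for f in sorted((f for f in deltas if f.level == top), key=lambda f: f.prio):
            content = apply_cat(content, repo[f.name])
            chosen.append(f.name)
    return base.name, chosen, content


if __name__ == "__main__":
    for host in ("bar.example.com", "foo.example.com"):
        base, deltas, out = build("motd", host, ["web-server", "mail-server", "file-server"], REPO)
        print(host, "base:", base, "deltas:", deltas)
        print(out)
```

Running it for <em>bar.example.com</em> reproduces the first walkthrough (base <tt class="docutils literal"><span class="pre">motd.G01_web-server</span></tt>, then the mail-server and file-server cats in that order); for <em>foo.example.com</em> only the host-level cat is applied, so the two group cats never reach the file.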
</div>
</div>
<div class="section" id="content-validation">
<span id="server-plugins-generators-cfg-validation"></span><h2>Content Validation<a class="headerlink" href="#content-validation" title="Permalink to this headline">¶</a></h2>
<p>To ensure that files with invalid content are not pushed out, you can
provide a content validation script that will be run against each
file.  Create a file called <tt class="docutils literal"><span class="pre">:test</span></tt> inside the directory for the
file you want to test.  For example:</p>
<div class="highlight-python"><pre>Cfg/etc/sudoers/:test</pre>
</div>
<p>You can also create host- and group-specific validators:</p>
<div class="highlight-python"><pre>Cfg/etc/sudoers/:test.G80_foogroup
Cfg/etc/sudoers/:test.H_bar.example.com</pre>
</div>
<p>A validator script has the following attributes:</p>
<ul class="simple">
<li>It must be executable, or specify a valid shebang line (bangpath);</li>
<li>The entire content of the file is passed to the validator on
stdin;</li>
<li>The validator is not called with any flags or arguments;</li>
<li>The validator must return 0 on success and non-zero on failure; and</li>
<li>The validator must output a sensible error message on failure.</li>
</ul>
<p>For <tt class="docutils literal"><span class="pre">sudoers</span></tt>, a very simple validator is:</p>
<div class="highlight-python"><pre>#!/bin/sh
# -c: check only, never edit; -f -: validate the sudoers text supplied on stdin
visudo -cf -</pre>
</div>
<p>This uses the <tt class="docutils literal"><span class="pre">visudo</span></tt> command&#8217;s built-in validation.</p>
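<p>To see the validator contract end to end, here is an added example in Python that is not part of the Cfg plugin: a small harness that runs a <tt class="docutils literal"><span class="pre">:test</span></tt> script the way the list above describes (executable file, candidate content on stdin, no flags or arguments, exit status and stderr collected), together with a constructed validator for an <tt class="docutils literal"><span class="pre">authorized_keys</span></tt> file, a natural companion to the generated <tt class="docutils literal"><span class="pre">authorized_keys</span></tt> entries described earlier on this page. The validator script, the sample key lines (dummy key material, not real keys) and the helper names are all assumptions of the example.</p>

```python
import os
import stat
import subprocess
import tempfile
from typing import Tuple

# Constructed validator, written as a Cfg ":test" script would be: it reads the
# candidate file on stdin, takes no arguments, exits 0 on success and non-zero
# with an explanation on stderr on failure.
AUTHORIZED_KEYS_TEST = r"""#!/bin/sh
# Every non-blank, non-comment line must carry a recognised key type followed
# by base64 key material; options such as command="..." may precede the type.
bad=$(grep -Ev '^[[:space:]]*(#|$)' | grep -Ev '(^|[[:space:]])(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))[[:space:]]+[A-Za-z0-9+/]+=*([[:space:]]|$)')
if [ -n "$bad" ]; then
    echo "authorized_keys validator: line without a recognised key type:" >&2
    echo "$bad" >&2
    exit 1
fi
exit 0
"""


def run_validator(script: str, content: str) -> Tuple[int, str]:
    """Run a :test validator as the page specifies: executable file, content on
    stdin, no flags or arguments. Returns (exit status, stderr text)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ":test")
        with open(path, "w") as fh:
            fh.write(script)
        os.chmod(path, stat.S_IRWXU)          # executable, owner only
        proc = subprocess.run([path], input=content.encode(),
                              stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        return proc.returncode, proc.stderr.decode(errors="replace").strip()


def validate(content: str, script: str = AUTHORIZED_KEYS_TEST) -> Tuple[bool, str]:
    """True when the validator accepts the content; the message explains a rejection."""
    rc, err = run_validator(script, content)
    return rc == 0, err


# Constructed sample files; the key material is dummy base64, not real keys.
GOOD = (
    "# managed by bcfg2\n"
    'command="/usr/local/bin/backup-shell",no-pty ssh-ed25519 '
    "AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExa backup@example.com\n"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExampleExample== admin@example.com\n"
)
# A key type with its key material cut off, as a botched paste would leave it.
BAD = GOOD + "ssh-rsa\n"

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        ok, msg = validate(sample)
        print(label, "->", "accepted" if ok else "rejected: " + msg)
```

The harness mirrors the contract rather than any Bcfg2 internals, so the same function can exercise a real <tt class="docutils literal"><span class="pre">:test</span></tt> script from a repository before it is committed. Note that the validator reports on stderr and exits non-zero, which is what makes the failure visible to the server log and to <tt class="docutils literal"><span class="pre">bcfg2-test</span></tt>.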
<p>If you wish to disable validation, this can be done with the following
setting in <tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt>:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="p">[</span><span class="n">cfg</span><span class="p">]</span>
<span class="n">validation</span><span class="o">=</span><span class="n">no</span>
</pre></div>
</div>
<p>If you have a very large number of validators, you may wish to disable
validation by default to avoid slowing down the generation of
configurations on the server, and use <tt class="docutils literal"><span class="pre">bcfg2-test</span></tt> (for instance, as
a post-commit hook or as part of a code review process) to run
validation.  You can do this by setting <tt class="docutils literal"><span class="pre">validation=no</span></tt> in
<tt class="docutils literal"><span class="pre">bcfg2.conf</span></tt> as described above, and then calling <tt class="docutils literal"><span class="pre">bcfg2-test</span></tt>
with the <tt class="docutils literal"><span class="pre">--cfg-validation</span></tt> flag.</p>
</div>
<div class="section" id="file-permissions">
<h2>File permissions<a class="headerlink" href="#file-permissions" title="Permalink to this headline">¶</a></h2>
<p>File permissions for entries handled by Cfg are controlled via the use
of <a class="reference internal" href="../../info.html#server-info"><em>info.xml</em></a> files. Note that you <strong>cannot</strong> use both a
Permissions entry and a Path entry to handle the same file.</p>
</div>
</div>


          </div>
        </div>
      </div>
      <div class="clearer"></div>
    </div>
    <div class="footer">
        &copy; Copyright 2009-2013, Narayan Desai.
      Last updated on Mar 20, 2013.
      Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.1.3.
    </div>
  </body>
</html>