clockd.conf - Clockwork Master configuration file
clockd(1) reads its configuration from /etc/clockwork/clockd.conf (unless a different file is specified with the -c option).
Valid configuration directives, and their meanings, are as follows:
The listen directive specifies which interfaces and addresses clockd binds to for inbound connections from cogd agents. The default port is 2314, and most of the time you will want to listen on every available interface; this is the default, *:2314.
The manifest directive points clockd at the manifest, which contains all of the policy definitions and the clients each of them should be given to.
Clients connecting to clockd start their configuration runs by performing a COPYDOWN, in which they copy static files (usually gatherer scripts) locally.
The copydown setting determines which files are included in the copydown archive. Paths will be relative to the client's copydown setting.
Defaults to /etc/clockwork/gather.d.
When clients connect, clockd will always check that they have a secured channel (thus validating their public/private keypair). For production sites, it is also a good idea to check that the client has been pre-authenticated, by looking its public key fingerprint up in a list of trusted fingerprints, the so-called trust database, or trustdb.
Setting security.strict to yes (the default) engages this behavior.
Environments that are not mission-critical (testbeds and experimental labs, for example) can bypass this extra security by setting security.strict to no. This is not recommended for production deployments!
Under strict mode, the trust database named by security.trusted is consulted to ensure that remote clients are trusted to receive policy and file data, which could contain sensitive and/or privileged information.
The trust database can be managed by hand, or by cw-trust(1).
Defaults to /etc/clockwork/certs/trusted.
The security.cert directive names the certificate used to identify this clockd instance to connecting clients. It must contain both the public and private keys.
Defaults to /etc/clockwork/certs/clockd.
The ccache.connections option lets you size the connection cache to your infrastructure. For each client that connects, clockd keeps an entry in the connection cache to track the generated policy, known facts, and so on. Cache entries are purged regularly, pursuant to ccache.expiration, to make room for new client connections.
The value chosen for the connection cache size depends on the number of concurrent clients you expect clockd to service. For most environments the default size of 2048 entries should be sufficient.
The ccache.expiration value is specified in seconds. Defaults to 600.
pidfile defaults to /var/run/clockd.pid.
syslog.ident defaults to clockd.
syslog.facility defaults to daemon.
Valid values for syslog.level, from most to least severe, are:
Fatal issues that cause immediate termination.
Non-fatal issues that prevent proper system operation.
Minor problems that do not hinder system operation.
Informational messages that assist in system diagnostics.
More in-depth informational messages, for troubleshooting.
Messages for chasing down bugs.
Each level includes all "more important" levels: warning also logs critical and error messages, notice logs everything but debugging messages, and so on.
A good starting point is warning; the default syslog.level is error.
Here is the default configuration, made explicit:
    listen              *:2314
    pidfile             /var/run/clockd.pid
    manifest            /etc/clockwork/manifest.pol
    copydown            /etc/clockwork/gather.d
    security.strict     yes
    security.trusted    /etc/clockwork/certs/trusted
    security.cert       /etc/clockwork/certs/clockd
    ccache.connections  2048
    ccache.expiration   600
    syslog.ident        clockd
    syslog.facility     daemon
    syslog.level        error
Clockwork was designed and written by James Hunt.
The Clockwork website is licensed under the Creative Commons Attribution-NoDerivs 3.0 United States License.