CFengine

From Consultancy.EdVoncken.NET

CFengine has been around for many years. We've been using version 2, and it is time to start looking at version 3.

Installation

Cfengine 2 RPMs for RedHat/CentOS systems are available from EPEL. The Cfengine 3 "Community" RPMs can be downloaded from the cfengine website (registration required).

Installation was easy - download cfengine-community-3.0.5p1-1.el5.x86_64.rpm (64-bit systems) and install it using rpm:

 [root@policyserver]# rpm -Uvh cfengine-community-3.0.5p1-1.el5.x86_64.rpm 
 Preparing...                ########################################### [100%]
    1:cfengine-community     ########################################### [100%]

Configuration

Configuration files are normally kept on a 'Policy Server', in /var/cfengine/masterfiles/. Clients then cache these files in /var/cfengine/inputs/.

I use a Subversion repository to host my masterfiles, and "svn export" them into the /var/cfengine/masterfiles directory on the Policy Server.

Configuration file layout

Cfengine checks for configuration files in /var/cfengine/inputs/. The most important files are:

promises.cf
Main Cfengine configuration file.
failsafe.cf
Used when your promises.cf cannot be loaded, e.g. due to syntax errors. Get this file right once, then leave it alone. You will need it, trust me ;-)
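Because a promises.cf with a syntax error sends clients into failsafe mode, the "svn export" into masterfiles described under Configuration can be gated on a parse check of both entry-point files. The script below is an added example, not part of the original page: the function names, the staging directory name and the repository URL argument are assumptions, and it assumes cf-promises is installed in /var/cfengine/bin and resolves a policy's inputs relative to the file given with -f.

```shell
#!/bin/sh
# Added example: export policy to a staging directory, validate it,
# and only then publish it as the Policy Server's masterfiles.
# Assumed defaults; override through the environment if yours differ.
SVN="${SVN:-svn}"
CF_PROMISES="${CF_PROMISES:-/var/cfengine/bin/cf-promises}"
MASTERFILES="${MASTERFILES:-/var/cfengine/masterfiles}"

# validate_policy DIR
# Succeeds only if promises.cf and failsafe.cf both exist and parse.
validate_policy() {
    for f in promises.cf failsafe.cf; do
        [ -f "$1/$f" ] || { echo "missing $f" >&2; return 1; }
        "$CF_PROMISES" -f "$1/$f" >/dev/null ||
            { echo "syntax error in $f" >&2; return 1; }
    done
}

# publish_masterfiles REPO_URL
# A failed export or a failed parse leaves the live masterfiles untouched.
publish_masterfiles() {
    stage=$(mktemp -d "${MASTERFILES}.stage.XXXXXX") || return 1
    if "$SVN" export --force -q "$1" "$stage" && validate_policy "$stage"; then
        # Policy must not be writable by anyone but its owner.
        chmod -R go-w "$stage" &&
        rm -rf "${MASTERFILES}.old" &&
        { [ ! -d "$MASTERFILES" ] || mv "$MASTERFILES" "${MASTERFILES}.old"; } &&
        mv "$stage" "$MASTERFILES"
    else
        rm -rf "$stage"
        return 1
    fi
}

# Usage (placeholder URL):
#   publish_masterfiles "https://svn.example.invalid/cfengine/trunk"
```

The previous policy is kept as masterfiles.old, so a bad change that parses but misbehaves can be rolled back with a single mv.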

I have created a more elaborate setup with "main" and "additional" configuration files:

Main configuration files

cfengine-stdlib.cf
Standard library, developed and maintained by the Cfengine community. Included by promises.cf.
library.cf
Local library with reusable components. Included by promises.cf.
site.cf
Configuration settings for this site. Included by promises.cf.
promises.cf
Main Cfengine configuration file.
failsafe.cf
Failsafe and updates rolled into one file.

Additional configuration files

Additional configuration files (for example, per service):

ssh.cf
Secure Shell service
ntp.cf
Network Time Protocol service

failsafe.cf

See CFengine - failsafe.cf

Bootstrapping a client

  1. Install the RPM
  2. Configure the IP address of your Policy Server
  3. Fetch the "failsafe.cf" file from your policy host
  4. Start CFengine

 [root@client]# rpm -Uvh cfengine-community-3.0.5p1-1.el5.x86_64.rpm 
 Preparing...                ########################################### [100%]
    1:cfengine-community     ########################################### [100%]
 
 [root@client]# echo "192.168.1.1" > /var/cfengine/policy_server.dat
 
 [root@client]# scp policyserver:/var/cfengine/masterfiles/failsafe.cf /var/cfengine/inputs/
 failsafe.cf                                         100% 2926     2.9KB/s   00:00
 
 [root@client]# service cfengine3 start
 Starting Cfengine 3 ...
 Can't stat file "/var/cfengine/inputs/promises.cf" for parsing
  !!! System error for stat: "No such file or directory"
 Can't stat file "/var/cfengine/inputs/promises.cf" for parsing
  !!! System error for stat: "No such file or directory"
 cf-agent was not able to get confirmation of promises from cf-promises, so going to failsafe
 Can't stat file "/var/cfengine/inputs/promises.cf" for parsing
  !!! System error for stat: "No such file or directory"
 cf-agent was not able to get confirmation of promises from cf-promises, so going to failsafe

CFengine notices that the /var/cfengine/inputs/promises.cf file is missing, and goes into failsafe mode. It now reads /var/cfengine/inputs/failsafe.cf and tries to recover.
