Automate Linux Configuration with cfengine - page 3
Configuration For Everybody
You can copy and use these files, making sure to use your own filepaths and domain name. I don't have space to describe all the options; anything that doesn't make sense is explained in the Tutorial or Reference Manual. Let's start with cfservd.conf. This controls the main server daemon, cfservd. The example is from a Debian Sarge installation:
#################################
# /var/lib/cfengine2/cfservd.conf
#################################
control:
   domain = ( carla.com )
   # use the full path
   cfrunCommand = ( "/var/lib/cfengine2/bin/cfagent" )
   any::
      IfElapsed = ( 1 )
      ExpireAfter = ( 15 )
      MaxConnections = ( 50 )
      MultipleConnections = ( true )
#################################
grant:
   # Grant access to all hosts at carla.com
   # Files should be world readable
   /var/lib/cfengine2/inputs *.carla.com
   # Allow remote systems to execute the cfagent command using cfrun
   /var/lib/cfengine2/bin/cfagent *.carla.com
#################################
First, a couple of syntax notes. Whitespace is mostly irrelevant, with one exception: parentheses must be surrounded by spaces unless they enclose a variable, as with $(workdir) in update.conf. Comments are indicated by the customary hash marks.
The control section defines global variables and default values. A control section is required, or else cfengine won't run. The grant section allows all hosts on carla.com to download the master cfengine configuration files using cfagent.
any:: is our introduction to cfengine's classes. The double colon indicates that whatever follows applies only to the named class. "Any", of course, means all hosts. Cfengine has a number of built-in classes, such as linux, solaris, and redhat (see the Reference Manual), and users can define their own classes.
IfElapsed sets the minimum time that must elapse between runs of a command; in this example, a command can run no more than once per minute. cfengine is very polite and has many safeguards against overloading its own network. (See the "Spamming and Security" section of the cfengine tutorial.) ExpireAfter limits how long a particular cfengine action can last. MaxConnections is the maximum number of threads allowed.
Next up is update.conf. This makes no changes to anything; it specifies which files cfengine is to push out to clients and prepares the working environment:
#################################
# /var/lib/cfengine2/update.conf
#################################
control:
   actionsequence = ( copy tidy )
   domain = ( carla.com )
   # name the master server
   policyhost = ( windbag.carla.com )
   master_cfinput = ( /inputs )
   workdir = ( /var/lib/cfengine2 )
   cf_install_dir = ( /usr/sbin )
   # Avoid server contention
   SplayTime = ( 5 )
copy:
   $(master_cfinput) dest=$(workdir)/inputs
      r=inf
      mode=700
      type=binary
      exclude=*.lst
      exclude=*~
      exclude=#*
      server=$(policyhost)
   $(cf_install_dir)/cfagent dest=$(workdir)/bin/cfagent
      mode=755
      backup=false
      type=checksum
   $(cf_install_dir)/cfservd dest=$(workdir)/bin/cfservd
      mode=755
      backup=false
      type=checksum
   $(cf_install_dir)/cfexecd dest=$(workdir)/bin/cfexecd
      mode=755
      backup=false
      type=checksum
tidy:
   # keep this directory from overflowing
   $(workdir)/outputs pattern=* age=7
#################################
And finally, the workhorse of cfengine, the cfagent.conf file. This is a very simple example; we'll get into this in detail next week. For testing purposes I created a file called testfile.txt, pasted some random text into it, made it owned by nobody, and set its mode to 777. cfagent.conf will correct the ownership and mode:
#################################
# /var/lib/cfengine2/cfagent.conf
#################################
control:
   actionsequence = ( files )
files:
   /home/carla/testfile.txt owner=carla group=carla mode=0700 action=fixall
#################################
Ready to take a test drive? The following command turns on verbosity and does a dry-run only:
# cfagent -vn
When you want to run it for real, leave off the n switch. If it worked, you'll see it reported in the output, and testfile.txt will now have the correct ownership and permissions:
# ls -al testfile.txt
-rwx------ 1 carla carla 37 Sep 1 11:00 testfile.txt
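To confirm independently of cfengine that a file has converged, the same owner, group and mode comparison can be done by hand, with a report-only mode that mirrors the -n dry run. This is an added example, not part of the original article or of cfengine; the helper name verify_file is hypothetical and GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example (not from the article): audit one file against a desired
# owner, group and mode, as the files: rule in cfagent.conf does.
# Assumes GNU stat (Linux). verify_file is a hypothetical helper name.
#
# usage: verify_file PATH OWNER GROUP MODE [fix]
#   without "fix": report drift only, like the dry run "cfagent -vn"
#   with "fix":    correct it, like action=fixall
# returns 0 = compliant or fixed, 1 = drift found (dry run), 2 = error
verify_file() {
    path=$1 want_owner=$2 want_group=$3 want_mode=$4 action=${5:-check}

    # Never follow a symlink: a fix must not land on some other target.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "$path: not a regular file" >&2
        return 2
    fi

    # %U = owner name, %G = group name, %a = permission bits in octal
    state=$(stat -c '%U %G %a' -- "$path") || return 2
    set -- $state
    have_owner=$1 have_group=$2 have_mode=$3
    rc=0

    if [ "$have_owner:$have_group" != "$want_owner:$want_group" ]; then
        echo "$path: owner $have_owner:$have_group, want $want_owner:$want_group"
        if [ "$action" = fix ]; then
            chown -- "$want_owner:$want_group" "$path" || return 2
        else rc=1; fi
    fi
    # Compare as octal numbers so that 0700 and 700 are the same mode.
    if [ "$((0$have_mode))" -ne "$((0$want_mode))" ]; then
        echo "$path: mode $have_mode, want $want_mode"
        if [ "$action" = fix ]; then
            chmod -- "$want_mode" "$path" || return 2
        else rc=1; fi
    fi
    return "$rc"
}

# Demo on a constructed scratch file, world-writable like the test file above.
f=$(mktemp) && chmod 777 "$f"
me=$(stat -c %U "$f") grp=$(stat -c %G "$f")
verify_file "$f" "$me" "$grp" 0700 || echo "dry run: drift reported, file untouched"
verify_file "$f" "$me" "$grp" 0700 fix && ls -l "$f"
rm -f "$f"
```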
That's all the cfengine fun I can take for this week. Come back next week to learn how to use encryption keys, connect clients, and how to make cfagent rules for every occasion.