Automate Linux Configuration with cfengine - Page 2
First, a couple of syntax notes. Whitespace is mostly irrelevant, with one exception: parentheses must be surrounded by spaces, unless they enclose variables, as in update.conf. Comments are indicated by the customary hash marks.
The control section defines global variables and default values. A control section is required, or else cfengine won't run. All hosts on carla.com are allowed to download the master cfengine configuration files using cfagent.
any:: is our introduction to cfengine's classes. The double colon indicates that whatever follows applies only to the named class. "Any", of course, means all hosts. Cfengine has a number of built-in classes, such as linux, solaris, and redhat (see the Reference manual), and users can define their own classes.
Next up is update.conf. This makes no changes to anything; it specifies which files cfengine is to push out to clients and prepares the working environment:
#################################
# /var/lib/cfengine2/update.conf
#################################

control:

    actionsequence = ( copy tidy )
    domain = ( carla.com )

    # name the master server
    policyhost = ( windbag.carla.com )
    master_cfinput = ( /var/lib/cfengine2/masterfiles/inputs )
    workdir = ( /var/lib/cfengine2 )
    cf_install_dir = ( /usr/sbin )

    # Avoid server contention
    SplayTime = ( 5 )

copy:

    $(master_cfinput) dest=$(workdir)/inputs
        r=inf
        mode=700
        type=binary
        exclude=*.lst
        exclude=*~
        exclude=#*
        server=$(policyhost)

    $(cf_install_dir)/cfagent dest=$(workdir)/bin/cfagent
        mode=755
        backup=false
        type=checksum

    $(cf_install_dir)/cfservd dest=$(workdir)/bin/cfservd
        mode=755
        backup=false
        type=checksum

    $(cf_install_dir)/cfexecd dest=$(workdir)/bin/cfexecd
        mode=755
        backup=false
        type=checksum

tidy:

    # keep this directory from overflowing
    $(workdir)/outputs pattern=* age=7

#################################
And finally, the workhorse of cfengine, the cfagent.conf file. This is a very simple example; we'll get into this in detail next week. For testing purposes I created a file called testfile.txt, pasted some random text in it, set its owner to nobody, and made it mode 777. cfagent.conf will correct the ownership and mode:
#################################
# /var/lib/cfengine2/cfagent.conf
#################################

control:

    actionsequence = ( files )

files:

    /home/carla/testfile.txt owner=carla group=carla mode=0700 action=fixall

#################################
Ready to take a test drive? The following command turns on verbosity and does a dry-run only:
# cfagent -vn
When you want to run it for real, leave off the n switch. If it worked, you'll see it reported in the output, and testfile.txt will now have the correct ownership and permissions:
# ls -al testfile.txt
-rwx------ 1 carla carla 37 Sep 1 11:00 testfile.txt
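To confirm independently that the dry run changed nothing and that the real run converged, the file can be audited against the values declared in the files: rule. This is an added example, not part of the original article; the check_perms helper name is hypothetical and the script assumes GNU stat on Linux.

```shell
#!/bin/sh
# Added example: audit a file against the owner/group/mode that a
# cfagent.conf files: rule declares. Assumes GNU stat (Linux).
# check_perms is a hypothetical helper, not a cfengine tool.

# check_perms PATH OWNER GROUP MODE
# Prints one line per deviation. Returns 0 if compliant, 1 on drift,
# 2 if PATH is missing, a symlink, or not a regular file.
check_perms() {
    path=$1 want_owner=$2 want_group=$3
    want_mode=${4#0}            # the rule says 0700, stat prints 700
    drift=0

    # Reject symlinks: stat without -L would describe the link itself
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "$path: missing or not a regular file"
        return 2
    fi

    owner=$(stat -c %U "$path")
    group=$(stat -c %G "$path")
    mode=$(stat -c %a "$path")

    [ "$owner" = "$want_owner" ] || { echo "$path: owner $owner, want $want_owner"; drift=1; }
    [ "$group" = "$want_group" ] || { echo "$path: group $group, want $want_group"; drift=1; }
    [ "$mode" = "$want_mode" ] || { echo "$path: mode $mode, want $want_mode"; drift=1; }

    # Call out the state the article's test file starts in (777):
    # a last octal digit of 2, 3, 6 or 7 means "other" can write
    case $mode in
        *[2367]) echo "$path: world-writable (mode $mode)"; drift=1 ;;
    esac

    return $drift
}

# Stand-alone use, with the values from the article's rule:
#   sh check_perms.sh /home/carla/testfile.txt carla carla 0700
if [ "$#" -eq 4 ]; then
    check_perms "$@"
fi
```

Run it before `cfagent -vn`, after it, and after `cfagent -v`: the first two runs should report the same drift, and the last should print nothing and exit 0.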
That's all the cfengine fun I can take for this week. Come back next week to learn how to use encryption keys, connect clients, and how to make cfagent rules for every occasion.