Automate Linux with cfengine

Using cfengine, you can keep tabs on system files and push out configuration changes without running from host to host.

By Carla Schroder | Posted Sep 13, 2005

Last week we installed, configured and tested a cfengine server. Today we'll set up clients and use cfengine to monitor key system files, run unattended and push out changes to the client hosts.

We need one more server configuration file, /var/lib/cfengine2/inputs/cfrun.hosts. This file does not need to be copied to clients, so don't put a copy in /masterfiles/input. The file is simple: your domain name, followed by a list of the clients that the server will push changes to. Remember to double-check your file paths; this example is on Debian:

##################
#/var/lib/cfengine2/inputs/cfrun.hosts
##################
domain = carla.com
# Clients
stinkpad.carla.com

Client Configuration
Now it's time to install cfengine on a client machine and configure it. The easy way is to copy cfagent.conf, cfservd.conf and update.conf from the server into /var/lib/cfengine2/inputs on the client.

Syntax Checker
You can run the syntax checker anytime:

# cfagent -p

If there are no errors it exits silently. Add the -v switch to generate voluminous output.

Now fire up the cfengine daemons on server and client. On Debian:

# /etc/init.d/cfengine2 start

On Red Hat/Fedora/et al:

# /etc/init.d/cfservd start

Distributing Keys
cfengine works on two-way trust: keys must be exchanged from the client to the server and from the server to the client. If you installed from RPMs or with apt-get, the installer created a public/private key pair and stored it in /var/[whatever]/ppkeys. Exchanging keys is as simple as connecting manually from the server:

# cfrun stinkpad.carla.com
cfrun(0): .......... [ Hailing stinkpad.carla.com ] ..........
Connecting to server stinkpad.carla.com to port 0 with options
Loaded /var/lib/cfengine2/ppkeys/root-192.168.1.10.pub
Connect to stinkpad.carla.com = 192.168.1.10 on port cfengine
Updating last-seen time for stinkpad.carla.com
Loaded /var/lib/cfengine2/ppkeys/root-192.168.1.10.pub
...............................................................
cfrun:windbag.carla.com: Strong authentication of server=stinkpad.carla.com connection confirmed

You may also automate the key exchange by adding this line to the control section of cfservd.conf. It tells cfservd to accept a client's key on first contact from any address in the listed range, so keep that range as narrow as your network allows:

TrustKeysFrom = ( 192.168.1.0/24 )

Or connect manually from the client:

# cfagent -qv

You may need to run cfrun several times before everything happens, because it always checks update.conf on the server first and downloads any changed or new files. Only then does it execute cfagent.conf, which may itself need a couple of runs, depending on which actions are taken. Running cfrun again looks something like this:

# cfrun stinkpad.carla.com
cfrun(0): .......... [ Hailing stinkpad.carla.com ] ..........

cfengine::
    Update of image /var/lib/cfengine2/cfagent.conf from master
    /var/lib/cfengine2/masterfiles/inputs/cfagent.conf on windbag.carla.com
cfengine:stinkpad: Object /tmp/testfile had permission 777, changed it to 600

And Now, the Fun Stuff
OK, that was a bit of work to get going, but now it's all gravy. All you have to do is edit files in the /masterfiles/input directory on the server, and the changes will be copied out to the clients and to the server itself. cfagent.conf is where the action is, so let's add some rules to it to make our lives easier. These rules monitor permissions and ownership on files and change them back if someone messes with them. This is very handy for key system files, and for Web files, which won't display if they are not world-readable:

files:
    /etc/passwd mode=644 owner=root group=root action=fixall
    /etc/shadow mode=640 owner=root group=shadow action=fixall
    /var/lib/http mode=644 r=4 owner=httpadmin group=httpadmins action=fixall

Use files: to monitor existing files and directories; the directories: keyword is for creating new directories. The r=4 directive means "recurse no more than four levels below /var/lib/http". r=0 means "no recursion", so only the top-level directory is examined, and r=inf means keep going until you hit bottom. Specifying a number is a simple safety precaution.
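To make the files: semantics concrete, here is an added example (not from the original article, and not cfengine code): a small Python checker that parses rules written in the syntax above, walks the tree under our reading of r=N (r=0 examines only the named object, r=inf is unbounded), reports regular files whose mode, owner or group differ from the rule, and with action=fixall restores the mode the way cfagent would. It assumes the mode applies only to regular files and only reports owner/group drift, since chown needs root; demo() builds a constructed temporary tree to run against.

```python
import grp, os, pwd, stat, tempfile

def parse_rule(line):
    # "/etc/shadow mode=640 owner=root group=shadow action=fixall r=4" -> dict
    path, *opts = line.split()
    rule = {"path": path, "r": "0", "action": "warnall"}
    rule.update(opt.partition("=")[::2] for opt in opts)
    rule["mode"] = int(rule["mode"], 8) if "mode" in rule else None
    rule["r"] = float("inf") if rule["r"] == "inf" else int(rule["r"])
    return rule

def walk(path, limit):
    # Yield path plus everything up to `limit` directory levels below it (our reading of r=N).
    yield path
    if limit > 0 and os.path.isdir(path):
        for name in sorted(os.listdir(path)):
            yield from walk(os.path.join(path, name), limit - 1)

def _name(lookup, ident):
    try:
        return lookup(ident)[0]  # pw_name or gr_name
    except KeyError:
        return str(ident)        # uid/gid with no passwd/group entry

def check(rule):
    # Return (path, [drifted attributes]) for regular files violating the rule; fixall repairs the mode.
    drift = []
    for p in walk(rule["path"], rule["r"]):
        st = os.lstat(p)
        if not stat.S_ISREG(st.st_mode):
            continue
        actual = {"mode": stat.S_IMODE(st.st_mode), "owner": _name(pwd.getpwuid, st.st_uid),
                  "group": _name(grp.getgrgid, st.st_gid)}
        bad = [k for k in actual if rule.get(k) not in (None, actual[k])]
        if bad:
            drift.append((p, bad))
            if rule["action"] == "fixall" and "mode" in bad:
                os.chmod(p, rule["mode"])
    return drift

def demo():
    # Constructed tree root/a/b/c/d/e with a mode-777 file "f" at every level.
    root = d = tempfile.mkdtemp()
    for name in "abcde":
        d = os.path.join(d, name)
        os.mkdir(d)
        open(os.path.join(d, "f"), "w").close()
        os.chmod(os.path.join(d, "f"), 0o777)
    fixed = check(parse_rule(root + " mode=644 action=fixall r=4"))
    left = check(parse_rule(root + " mode=644 r=inf"))  # what r=4 did not reach
    rel = lambda hits: sorted(os.path.relpath(p, root) for p, _ in hits)
    return rel(fixed), rel(left)
```

Running demo() shows the r=4 rule repairing only the files within four levels while the two deeper ones stay world-writable, which is exactly the trade-off the recursion limit makes.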

You can run shell commands, like this one for updating the locate database:

shellcommands:
    "/usr/bin/updatedb"

You can create and enforce symlinks, using the syntax linkname -> target:

links:
    /var/cfengine -> /var/lib/cfengine
    /var/http/homefiles -> /var/lib/http/public/home
