Cfengine

From techdocs
cfplaypen is a CSE server running a stripped-down execute-alike implementation of cfengine which can be used to learn about cfengine's operation and promises files.

cfengine is the configuration management tool used in New World. Its main job on managed hosts is to install configuration files in /etc, and CSE-specific files and software under /usr/local. Installation of standard Debian packages is handled by apt-get, working from package lists that cfengine installs on each host.

The full documentation is on cfengine's website. Importantly, that is where you can find out about "promises".

cfengine is a standard Debian package so it is auto-updated (see unattended-upgrades) along with all other packages on New World systems.

Differences with conform

The main differences between cfengine and Old World's conform are:

  • cfengine, as used in New World, does not install software packages. Instead, it mainly installs configuration and other files (mostly in /etc and under /usr/local) and installs lists of desired Debian packages on each host which are then subsequently installed by separate scripts.
  • cfengine is a well- and widely-supported set of tools, rather than a custom CSE-only jobbie.
  • cfengine works on what could be described as a successive-approximation model, where each run gradually moves a host towards a fully-convergent state in line with a CSG-supplied set of "promises" (of what the host's state needs to be). Implicit in this is that some individual promises may not necessarily be kept straight away but that cfengine will keep trying to fulfill them each time it is run.
  • cfengine runs every five minutes, whereas conform runs nightly.

cfengine components

Rather than being a single program, as conform is, cfengine consists of a number of components or tools:

cf-agent
    The part of cfengine which does the actual work: installing configuration files, copying other files and package lists from the cfengine hub, and running any scripts or programs specified in the promises. It runs on the host-to-be-configured, either manually or at regular intervals under cf-execd (see below).
cf-execd
    cfengine's equivalent of crond. It runs cf-agent according to a schedule which, by default, is once every five minutes, 24/7. cf-execd only ever runs one instance of cf-agent at a time. cf-execd runs on each cfengine-managed host.
cf-serverd
    A glorified file server with client-host authentication and access control. cf-serverd runs on the cfengine hub and serves files to clients; these can be promises or any other files which need to be installed on a client.
cf-monitord
    Unused in CSE. This program can be run on cfengine-managed hosts to collect local data and make it available to other hosts.

Generally speaking, when we refer to "running cfengine" we're actually talking about running the cf-agent component of cfengine.

Configuration of cfengine

cfengine lives (for want of a better term) on a host called nw-syd-cfengine-hub. This is where the component promise files are created and edited, and where they are merged into the single promises.cf file that cf-agent, cf-execd and cf-serverd read.

These "master" promise component files are located in:

/var/lib/cfengine3/masterfiles

cf-agent itself looks for promises.cf in:

/var/lib/cfengine3/inputs

The component promise files are checked and then "compiled" into the final promises.cf file by the script:

/usr/local/administration/bin/check_and_install_promises

cf-agent on each host will then download the updated promises.cf file the next time it runs.

It is worth noting that the standard cfengine package includes a large library of common/standard promises which can be used by promise developers. These libraries are discussed in the cfengine documentation mentioned above but ARE NOT USED in CSE's implementation. This is solely to reduce the footprint and impact of cfengine on CSE systems.

CSE promises

As mentioned above, CSE's source promises component files are located in /var/lib/cfengine3/masterfiles.

  • m4 is used to combine the individual promise file components into the final promises.cf file. The m4 source file is promises.m4 and the individual promise files are all named *.inc.
  • cfexecdconf.inc contains configuration for cf-execd which controls when cf-agent is run.
  • cfserverdconf.inc contains configuration for cf-serverd. This mostly has to do with access control — which client hosts can access the cfengine promises file and can download files from the warehouse.
  • defjson.inc downloads the per-host configuration file (defs.json) used to individually tailor cfengine's operation on each host.
  • config.inc contains general host class configuration applicable fleet-wide.
  • utility.inc is a small library of CSE-specific utility promises and constructs which can be used in other promises.
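The pieces described under "Configuration of cfengine" and in the list above fit together roughly as follows. This is an added example, not CSE's actual promises: the contents of promises.m4 and the .inc files are hypothetical reconstructions, the client address range 192.0.2.0/24, the warehouse and defs.json locations, and the from_hub and outcome bodies are assumptions, and readjson and data containers need cfengine 3.6 or later. In keeping with the note above, nothing from the standard library is used; every body is defined locally. It also illustrates the convergent model from "Differences with conform": a copy that fails is reported and simply retried on the next five-minute run, and the role class from defs.json only appears once the file has actually arrived.

```cfengine3
dnl ---- promises.m4 (hypothetical reconstruction, not CSE's file) ----
dnl check_and_install_promises runs this through m4 to produce promises.cf
body common control
{
  bundlesequence => { "update_policy", "host_config" };
}
include(`cfexecdconf.inc')
include(`cfserverdconf.inc')
include(`utility.inc')
include(`defjson.inc')
include(`config.inc')

# ---- cfexecdconf.inc: when cf-execd runs cf-agent ----
body executor control
{
  splaytime    => "1";          # spread clients over the first minute of each slot
  schedule     => { "Min00_05", "Min05_10", "Min10_15", "Min15_20",
                    "Min20_25", "Min25_30", "Min30_35", "Min35_40",
                    "Min40_45", "Min45_50", "Min50_55", "Min55_00" };
  exec_command => "$(sys.cf_agent) -f $(sys.inputdir)/promises.cf";
}

# ---- cfserverdconf.inc: cf-serverd on nw-syd-cfengine-hub ----
body server control
{
  allowconnects    => { "192.0.2.0/24" };   # hypothetical client range
  allowallconnects => { "192.0.2.0/24" };
  trustkeysfrom    => { };                  # never auto-trust a new client key
  allowusers       => { "root" };
}

bundle server access_rules
{
  access:
    "/var/lib/cfengine3/masterfiles/promises.cf"
      admit => { "192.0.2.0/24" };
    "/var/lib/cfengine3/warehouse"          # hypothetical location of the warehouse
      admit => { "192.0.2.0/24" };
}

# ---- utility.inc: CSE-specific helper bodies (assumed names) ----
body copy_from from_hub(path)
{
  source   => "$(path)";
  servers  => { "nw-syd-cfengine-hub" };
  compare  => "digest";     # copy only when content differs, so repeated runs are idle
  encrypt  => "true";
  trustkey => "false";      # client side of the same rule: no automatic key trust
}

body classes outcome(p)
{
  promise_kept     => { "$(p)_kept" };
  promise_repaired => { "$(p)_repaired" };
  repair_failed    => { "$(p)_failed" };
}

bundle agent update_policy
{
  files:
    "$(sys.inputdir)/promises.cf"
      copy_from => from_hub("/var/lib/cfengine3/masterfiles/promises.cf"),
      classes   => outcome("policy");

  reports:
    policy_failed::
      "$(sys.uqhost): could not fetch promises.cf from the hub; keeping the current copy";
}

# ---- defjson.inc: per-host defs.json ----
bundle agent host_config
{
  files:
    "$(sys.workdir)/defs.json"
      copy_from => from_hub("/var/lib/cfengine3/warehouse/hosts/$(sys.uqhost)/defs.json"),
      classes   => outcome("defs");

  vars:
    have_defs::
      "defs" data => readjson("$(sys.workdir)/defs.json", 65536);

  classes:
    "have_defs" expression => fileexists("$(sys.workdir)/defs.json");
    have_defs::
      "role_$(defs[role])" expression => "any";   # {"role": "labhost"} defines role_labhost

  reports:
    defs_failed::
      "$(sys.uqhost): defs.json not available yet; host-specific promises wait for the next run";
}
```

On the hub, the equivalent of what check_and_install_promises does is presumably `m4 promises.m4 > promises.cf` followed by `cf-promises -f promises.cf`, which parses the result and rejects syntax errors before anything is installed into the directory cf-serverd serves. Two settings carry the security weight here: trustkeysfrom is empty and trustkey is "false", so a host that turns up with an unknown key is refused rather than silently trusted (client keys have to be exchanged at bootstrap), and the admit lists are IP-based, which is only as strong as the network, so keeping them restricted to the exact paths clients need limits what any host on that network can pull from the hub.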